[C++] Dll Injection Protection

05/23/2015 15:36 WarXWar#1
C++ SOURCE: [link]

How to do?

In the clientside:

Code:
from ctypes import windll
import os

# Load AntiHack.dll into the client process once; if it is not present
# afterwards (LoadLibraryA failed), terminate the client immediately.
if windll.kernel32.GetModuleHandleA("AntiHack.dll") == 0:
    windll.kernel32.LoadLibraryA("AntiHack.dll")
    if windll.kernel32.GetModuleHandleA("AntiHack.dll") == 0:
        os._exit(0)
I don't have the module ctypes: [link].
05/24/2015 16:38 _asm#2
You'll need to make your post visible for everyone; otherwise nobody will be able to help you.
And btw isn't this the wrong place for asking such questions?
05/24/2015 16:52 Mi4uric3#3
Quote:
Originally Posted by _asm View Post
You'll need to make your post visible for everyone; otherwise nobody will be able to help you.
And btw isn't this the wrong place for asking such questions?
Where did he ask any questions? This is a release thread.
05/24/2015 17:00 _asm#4
Oops.. I thought he was asking for help "how to do?" :o
I'm sry...
05/25/2015 00:15 Nick#5
-> [link]

Quote:
Originally Posted by Section Rules
Threads without a virus scan are being closed but opened on request once a virus scan is available.
Therefore, scan the file and add the result to the topic, please.

Greetings
05/25/2015 12:35 Computerfreek#6
Here, there is your scan: [link]

Clean as such; the only thing that puzzles me is the import of the Winsock32 DLL, which is normally only needed for networking, and there should not really be any here.
I have also submitted the file to Avira for analysis. The result will be available here once it is finished: [link]
06/04/2015 15:28 LibraryOfWonderland#7
is it working? :o
06/12/2015 04:00 stunthacker#8
Is this supposed to stop DLL injection? Or what? Stopping someone from injecting code or a DLL will be a really hard thing to do; the code can be injected before anything else.
06/13/2015 15:26 WarXWar#9
Code:
// dllmain.cpp | Protection for the Metin2 client against the injection of some hacks.

#include "stdafx.h"        // precompiled header; it must not pull in winsock.h (define WIN32_LEAN_AND_MEAN)
#include <winsock2.h>      // must come before windows.h, otherwise winsock.h is pulled in and winsock2.h fails
#include <ws2tcpip.h>
#include <windows.h>
#include <winternl.h>      // UNICODE_STRING / PUNICODE_STRING, NTSTATUS
#include <tlhelp32.h>
#include <shellapi.h>
#include <detours.h>
#include <cstdio>
#include <cstdlib>
#include <fstream>
#include <string>
#pragma comment(lib, "ws2_32.lib")
#pragma comment(lib, "detours.lib")

using namespace std;

// CONFIGURATION

const char    *indirizzo_ip = "5.135.216.193";   // real server address the client is redirected to
const wchar_t *Launcher     = L"OverKill.exe";   // expected argv[0]
const wchar_t *Argument     = L"--Start";        // expected argv[1]

// CRC-32 (stored as signed long) of the hack DLLs that must never be loaded
const long crc[] = {
-1982651409, -776276586, 300965008, -987425146, -1020123781, 788909682, 
-2060589118, -1551825781, -1944915785, -368720392, -826207030, 1140340929, 
-771419281, -1752318991, 578798025, 2036887976, 890437574, 510542828, 
-1791860780, -947847671, 1097594834, -1998392128, -178110029, 1953047600, 
1301328157, 2029112070, -1333777692, -1721593028, 1347562111, 811390021, 
1430524761, -981431290, -548174890, -504385778, 
};

unsigned int porte_fake[] = {11002, 13000, 13010}; 
// THE PORTS SOMEONE COULD SEE BY DECRYPTING root

unsigned int porte_vere[] = {11002, 13000, 13010}; 
// THE REAL PORTS, WHICH CANNOT BE SEEN UNLESS THE PROTECTION IS REVERSED

// ---------------------------------------------------------------------------
// Logging: everything goes to test.txt in the client directory
// ---------------------------------------------------------------------------

static void Log(const std::string &line)
{
	std::ofstream of("test.txt", std::ios::app);
	of << line;
}

static void Log(const std::wstring &line)
{
	FILE *f = _wfopen(L"test.txt", L"a");
	if (f) {
		fputws(line.c_str(), f);
		fclose(f);
	}
}

// ---------------------------------------------------------------------------
// CRC-32 of a file, compared against the blocklist above
// ---------------------------------------------------------------------------

// Standard reflected CRC-32 table (polynomial 0xEDB88320). The original built
// it by reflecting each byte, shifting with 0x04C11DB7 and reflecting the
// result, which yields exactly the same table; it is built once, not per file.
static unsigned long crc_table[256];

static void BuildCrcTable()
{
	for (unsigned long i = 0; i < 256; i++) {
		unsigned long c = i;
		for (int k = 0; k < 8; k++)
			c = (c & 1) ? (0xEDB88320UL ^ (c >> 1)) : (c >> 1);
		crc_table[i] = c;
	}
}

// Streams the whole file through the CRC and closes it.
// Returns 0 if the file could not be opened (note that an empty file also
// has CRC 0, so 0 must never appear in the blocklist).
static long CrcOfFile(FILE *f)
{
	if (f == NULL) return 0;
	unsigned long Crc = 0xffffffffUL;
	unsigned char buf[4096];
	size_t n;
	while ((n = fread(buf, 1, sizeof(buf), f)) > 0)
		for (size_t i = 0; i < n; i++)
			Crc = (Crc >> 8) ^ crc_table[(Crc ^ buf[i]) & 0xFF];
	fclose(f);
	return (long)(Crc ^ 0xffffffffUL);
}

long CRCFILE(const std::string &Filename)   { return CrcOfFile(fopen(Filename.c_str(), "rb")); }
long CRCFILEW(const std::wstring &Filename) { return CrcOfFile(_wfopen(Filename.c_str(), L"rb")); }

// True if the CRC is in the blocklist. The original loop used "<=" and read
// one element past the end of the array.
static bool IsBlockedCrc(long value)
{
	if (value == 0) return false;   // unreadable file, nothing to compare
	for (size_t i = 0; i < sizeof(crc) / sizeof(crc[0]); i++)
		if (value == crc[i]) return true;
	return false;
}

// ---------------------------------------------------------------------------
// Hooks
// ---------------------------------------------------------------------------

// Pointers to the real functions; Detours rewrites them to point at trampolines
static BOOL (WINAPI *Real_AllocConsole)(void) = AllocConsole;
static int  (WSAAPI *Real_connect)(SOCKET, const struct sockaddr *, int) = connect;

typedef NTSTATUS (NTAPI *LdrLoadDll_t)(PWCHAR PathToFile, ULONG Flags,
                                        PUNICODE_STRING ModuleFileName, PHANDLE ModuleHandle);
static LdrLoadDll_t Real_LdrLoadDll = NULL;

// Hacks that open a console get nothing
BOOL WINAPI HookAllocConsole(void)
{
	return FALSE;
}

// Every IPv4 connect() of the client is pointed at the real server, and the
// fake port visible in the client files is swapped for the real one
int WSAAPI _connectHook(SOCKET s, const struct sockaddr *name, int namelen)
{
	// Leave anything that is not a full IPv4 address untouched
	if (name == NULL || name->sa_family != AF_INET || namelen < (int)sizeof(sockaddr_in))
		return Real_connect(s, name, namelen);

	// Work on a copy: the caller's sockaddr is const
	sockaddr_in redirect = *(const sockaddr_in *)name;
	unsigned int porta = ntohs(redirect.sin_port);
	// (the original mapped porte_fake[2] to porte_vere[1]; the loop maps index to index)
	for (size_t i = 0; i < sizeof(porte_fake) / sizeof(porte_fake[0]); i++) {
		if (porta == porte_fake[i]) {
			porta = porte_vere[i];
			break;
		}
	}
	redirect.sin_addr.S_un.S_addr = inet_addr(indirizzo_ip);
	redirect.sin_port = htons((u_short)porta);
	return Real_connect(s, (const struct sockaddr *)&redirect, sizeof(redirect));
}

// Every DLL load goes through LdrLoadDll: hash the file and refuse blocklisted ones
NTSTATUS NTAPI HookLdrLoadDll(PWCHAR PathToFile, ULONG Flags,
                              PUNICODE_STRING ModuleFileName, PHANDLE ModuleHandle)
{
	if (ModuleFileName != NULL && ModuleFileName->Buffer != NULL) {
		// UNICODE_STRING.Buffer need not be NUL-terminated and Length is in
		// bytes, so the name is built from Length, not with wcslen()
		std::wstring name(ModuleFileName->Buffer, ModuleFileName->Length / sizeof(WCHAR));
		// A bare name without a path is opened relative to the current
		// directory, so it only matches when the DLL lies there
		if (IsBlockedCrc(CRCFILEW(name))) {
			Log(L"[Protection] Found " + name + L" ...\n");
			_wremove(name.c_str());   // delete the hack DLL from disk
			exit(0);
		}
	}
	return Real_LdrLoadDll(PathToFile, Flags, ModuleFileName, ModuleHandle);
}

// ---------------------------------------------------------------------------
// Checks
// ---------------------------------------------------------------------------

// Modules that were injected before this DLL was loaded are caught here
int CheckModules()
{
	HANDLE hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetCurrentProcessId());
	if (hModuleSnap == INVALID_HANDLE_VALUE) return 0;
	MODULEENTRY32W me32;
	me32.dwSize = sizeof(me32);
	if (Module32FirstW(hModuleSnap, &me32)) {
		// The first entry is the EXE itself; only the DLLs after it are checked
		while (Module32NextW(hModuleSnap, &me32)) {
			if (IsBlockedCrc(CRCFILEW(me32.szExePath))) {
				Log(std::wstring(L"[Protection] Found ") + me32.szExePath + L"...\n");
				FreeLibrary(me32.hModule);
				CloseHandle(hModuleSnap);
				exit(0);
			}
		}
	}
	CloseHandle(hModuleSnap);
	return 0;
}

static bool CheckWindow(const char *window)
{
	if (FindWindowA(NULL, window)) {
		Log(std::string("[Protection] Identified ") + window + "...\n");
		return true;
	}
	return false;
}

// WINDOW TITLES OF THE HACKS TO BLOCK
static const char *hack_windows[] = {
	"CH347 3NG1N3 9.9",
	"Metin2 MultiHack 1.8.5",
	"Switch-Bot 1.0.0.4 © by Unpublished",
	"M2Bob",
	"M2Bob - Version 1.4",
	"M2Bob.net - Version 2.0.0",
	"M2Bob.net - Version 1.3.1",
	"M2Bob.net - Version 1.3.2",
	"M2Bob.net - Version 3.0.0",
	"M2Bob.net - Version 4.0.0",
	"Winject",
	"OldSchoolInject",
	"ZiInjector © by Unpublished",
	"Extreme Injector v.3.3 by master131",
	"Kernel Detective v1.4.1 :: System Idle Process",
};

// IF AT LEAST ONE OF THESE WINDOWS IS FOUND THE CLIENT CLOSES.
// Polls every 3 seconds; the original called itself recursively after
// Sleep(3000), which grows the stack without bound.
DWORD WINAPI CheckWindows(LPVOID)
{
	for (;;) {
		for (size_t i = 0; i < sizeof(hack_windows) / sizeof(hack_windows[0]); i++)
			if (CheckWindow(hack_windows[i])) exit(0);
		Sleep(3000);
	}
}

// Unless started as "OverKill.exe --Start", point the client at localhost
void CheckArgument()
{
	int argc = 0;
	LPWSTR *argv = CommandLineToArgvW(GetCommandLineW(), &argc);
	// The original read argv[1] without checking that it exists
	bool launched_correctly = argv != NULL && argc >= 2 &&
	                          wcscmp(argv[0], Launcher) == 0 &&
	                          wcscmp(argv[1], Argument) == 0;
	if (argv) LocalFree(argv);
	if (!launched_correctly) indirizzo_ip = "127.0.0.1";
}

BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
					 )
{
	switch (ul_reason_for_call)
	{
	case DLL_PROCESS_ATTACH:
	{
		// Everything here runs under the loader lock, so keep it short
		DisableThreadLibraryCalls(hModule);
		BuildCrcTable();
		{
			std::ofstream of("test.txt", std::ios::trunc);
			of << "Protection-Test by TheRock\n\n";
		}
		CheckArgument();
		CheckModules();
		FreeConsole();

		Real_LdrLoadDll = (LdrLoadDll_t)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "LdrLoadDll");

		// Detours 3.x transaction API (the original used the Detours 1.x DetourFunction call)
		DetourTransactionBegin();
		DetourUpdateThread(GetCurrentThread());
		DetourAttach(&(PVOID &)Real_connect, _connectHook);
		DetourAttach(&(PVOID &)Real_AllocConsole, HookAllocConsole);
		if (Real_LdrLoadDll) DetourAttach(&(PVOID &)Real_LdrLoadDll, HookLdrLoadDll);
		DetourTransactionCommit();

		CreateThread(NULL, 0, CheckWindows, NULL, 0, NULL);
		break;
	}
	case DLL_THREAD_ATTACH:
	case DLL_THREAD_DETACH:
	case DLL_PROCESS_DETACH:
		break;
	}
	return TRUE;
}
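The portable core of the release above, as an added example that is my code and not part of WarXWar's DLL: the table that CRCFILE() builds by reflecting each byte, shifting with 0x04C11DB7 and reflecting the result is the standard reflected CRC-32 table, so the short 0xEDB88320 loop can replace it (TablesMatch() proves the two constructions agree), and because the post keeps its blocklist as signed `long` literals the comparison has to be done on 32-bit values. The names TablesMatch, Crc32, IsBlocklisted and SampleBytes are mine; the sample input is the standard CRC-32 check string "123456789" (check value 0xCBF43926), constructed here, and its blocklist entry is the signed view of that value.

```cpp
#include <cstdint>
#include <cstddef>
#include <string>
#include <vector>

// Table construction as in the post's CRCFILE(): reflect the byte, run eight
// MSB-first steps with polynomial 0x04C11DB7, reflect the 32-bit result.
// uint32_t keeps the 32-bit behaviour the post relied on with `unsigned long`.
static void BuildTableLikePost(uint32_t table[256]) {
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t r8 = 0;
        for (int b = 0; b < 8; b++)
            if (i & (1u << b)) r8 |= 1u << (7 - b);
        uint32_t c = r8 << 24;
        for (int k = 0; k < 8; k++)
            c = (c << 1) ^ ((c & 0x80000000u) ? 0x04C11DB7u : 0u);
        uint32_t r32 = 0;
        for (int b = 0; b < 32; b++)
            if (c & (1u << b)) r32 |= 1u << (31 - b);
        table[i] = r32;
    }
}

// The usual table for the reflected polynomial 0xEDB88320.
static void BuildTableStandard(uint32_t table[256]) {
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t c = i;
        for (int k = 0; k < 8; k++)
            c = (c & 1u) ? (0xEDB88320u ^ (c >> 1)) : (c >> 1);
        table[i] = c;
    }
}

// True when both constructions give the same 256 entries.
bool TablesMatch() {
    uint32_t a[256], b[256];
    BuildTableLikePost(a);
    BuildTableStandard(b);
    for (int i = 0; i < 256; i++)
        if (a[i] != b[i]) return false;
    return true;
}

// CRC-32 over a byte buffer, the same update the post runs over a whole file.
// An empty buffer gives 0, the same value CRCFILE() returns for an unreadable
// file, so 0 must never be a blocklist entry.
uint32_t Crc32(const std::vector<unsigned char>& data) {
    static uint32_t table[256];
    static bool ready = false;
    if (!ready) { BuildTableStandard(table); ready = true; }
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < data.size(); i++)
        crc = (crc >> 8) ^ table[(crc ^ data[i]) & 0xFFu];
    return crc ^ 0xFFFFFFFFu;
}

// The post stores its blocklist as signed `long` literals (e.g. -1982651409).
// Comparing through int32_t makes the signed view and the unsigned CRC agree
// regardless of the width of `long` on the build.
bool IsBlocklisted(const std::vector<unsigned char>& data, const std::vector<long>& blocklist) {
    int32_t signed_crc = (int32_t)Crc32(data);
    for (size_t i = 0; i < blocklist.size(); i++)
        if ((int32_t)blocklist[i] == signed_crc) return true;
    return false;
}

// Constructed sample input: the standard CRC-32 check string.
std::vector<unsigned char> SampleBytes() {
    const std::string s = "123456789";
    return std::vector<unsigned char>(s.begin(), s.end());
}

int main() {
    // Exit status 0 when the tables agree, the check value is reproduced and
    // the signed blocklist entry matches; nothing is printed.
    std::vector<long> blocklist;
    blocklist.push_back(-873187034L);   // signed view of 0xCBF43926
    bool ok = TablesMatch()
           && Crc32(SampleBytes()) == 0xCBF43926u
           && IsBlocklisted(SampleBytes(), blocklist);
    return ok ? 0 : 1;
}
```

This only covers the hashing; it says nothing about the ordering problem stunthacker raised, since a DLL that was injected before the protection's LdrLoadDll hook went in is never hashed by the hook and only the snapshot walk in CheckModules() can still see it.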
06/19/2015 22:37 dreamfancyy#10
I do not understand. What exactly is this, and what does it do?
06/19/2015 22:52 Yavuz Karasu#11
Quote:
Originally Posted by dreamfancyy View Post
I do not understand. What exactly is this, and what does it do?
I understand that so:

If you want to inject into metin2client.bin, HackShield will detect the injection, or HackShield will detect the hacks you are using at the moment,

and DLL injection will protect your injection from HackShield; also you will get no report message from HackShield. Do you know what happens when you inject metin2client.bin?
06/19/2015 23:33 Mi4uric3#12
Quote:
Originally Posted by Kirmizi Beyaz View Post
and DLL injection will protect your injection from HackShield; also you will get no report message from HackShield. Do you know what happens when you inject metin2client.bin?
That's totally the opposite of what this does.
06/20/2015 04:29 zaaa23#13
Quote:
Originally Posted by WarXWar View Post
C++ SOURCE: [link]

How to do?

In the clientside:

Code:
from ctypes import windll
import os

# Load AntiHack.dll into the client process once; if it is not present
# afterwards (LoadLibraryA failed), terminate the client immediately.
if windll.kernel32.GetModuleHandleA("AntiHack.dll") == 0:
    windll.kernel32.LoadLibraryA("AntiHack.dll")
    if windll.kernel32.GetModuleHandleA("AntiHack.dll") == 0:
        os._exit(0)
I don't have the module ctypes: [link].

Thanks for sharing, but it's not compiled :(
[link]
06/20/2015 15:10 Blaconix#14
Nice release. It works.
06/27/2015 23:45 Yavuz Karasu#15
Quote:
Originally Posted by Mi4uric3 View Post
That's totally the opposite of what this does.
Ok, sorry then :D.

I need more knowledge about DLL injection :rolleyes: