[C++] Dll Injection Protection

Discussion on [C++] Dll Injection Protection within the Metin2 Hacks, Bots, Cheats, Exploits & Macros forum part of the Metin2 category.

Old   #1
 
elite*gold: 0
Join Date: Oct 2010
Posts: 43
Received Thanks: 14
[C++] Dll Injection Protection

C++ SOURCE:

How to do?

In the clientside:

Code:
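from ctypes import windll
import os

# Load AntiHack.dll if it is not already mapped into the client process.
if windll.kernel32.GetModuleHandleA("AntiHack.dll") == 0:
    windll.kernel32.LoadLibraryA("AntiHack.dll")
    # Still not loaded: refuse to run without the protection module.
    if windll.kernel32.GetModuleHandleA("AntiHack.dll") == 0:
        os._exit(0)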
I don't have the module ctypes: .
Attached Files
File Type: rar AntiHack.rar (18.4 KB, 974 views)
WarXWar is offline  
Old 05/24/2015, 16:38   #2
 
elite*gold: 0
Join Date: Dec 2014
Posts: 442
Received Thanks: 211
You'll need to make your post visible for everyone, else nobody will be able to help you.
And btw isn't this the wrong place for asking such questions?
_asm is offline  
Old 05/24/2015, 16:52   #3
 
Mi4uric3's Avatar
 
elite*gold: 405
Join Date: Dec 2007
Posts: 6,615
Received Thanks: 6,356
Quote:
Originally Posted by _asm View Post
You'll need to make your post visible for everyone, else nobody will be able to help you.
And btw isn't this the wrong place for asking such questions?
Where did he ask any questions? This is a release thread.
Mi4uric3 is offline  
Old 05/24/2015, 17:00   #4
 
elite*gold: 0
Join Date: Dec 2014
Posts: 442
Received Thanks: 211
Oops.. I thought he was asking for help "how to do?"
I'm sry...
_asm is offline  
Old 05/25/2015, 00:15   #5
wild wild son




 
Nick's Avatar
 
elite*gold: 0
Join Date: Feb 2011
Posts: 5,830
Received Thanks: 3,369
->

Quote:
Originally Posted by Section Rules
Threads without a virus scan are being closed but opened on request once a virus scan is available.
Therefore, scan the file and add the result to the topic, please.

Greetings
Nick is offline  
Old 05/25/2015, 12:35   #6

 
elite*gold: 0
Join Date: Feb 2008
Posts: 2,754
Received Thanks: 1,748
Here, this is your scan:

Clean in itself, but the import of the Winsock32 DLL irritates me; it is normally only needed for networking, which shouldn't really be present here.
I have also submitted the file to Avira for analysis. The result will be found here as soon as it is complete:
Computerfreek is offline  
Old 06/04/2015, 15:28   #7
 
elite*gold: 1000
Join Date: Jun 2015
Posts: 70
Received Thanks: 26
is it working?
LibraryOfWonderland is offline  
Old 06/12/2015, 04:00   #8
 
elite*gold: 0
Join Date: Jun 2011
Posts: 98
Received Thanks: 48
Is this supposed to stop DLL injection, or what? Stopping someone from injecting code or a DLL will be a really hard thing to do; the code can be injected before anything else.
stunthacker is offline  
Old 06/13/2015, 15:26   #9
 
elite*gold: 0
Join Date: Oct 2010
Posts: 43
Received Thanks: 14
Code:
// dllmain.cpp | Protection for the Metin2 client against injections from some hacks.

#include "stdafx.h"
#include <windows.h>
#include <iostream>
#include <string>
#include <fstream>
#include <tlhelp32.h>
#include <shellapi.h>
#include <winsock2.h>
#include <detours.h>
#pragma comment(lib, "ws2_32.lib")
#pragma comment(lib, "detours.lib")

using namespace std;

// CONFIGURATION

char *indirizzo_ip="5.135.216.193";
wchar_t *Launcher=L"OverKill.exe";
wchar_t *Argument=L"--Start";

long crc[]={
-1982651409, -776276586, 300965008, -987425146, -1020123781, 788909682, 
-2060589118, -1551825781, -1944915785, -368720392, -826207030, 1140340929, 
-771419281, -1752318991, 578798025, 2036887976, 890437574, 510542828, 
-1791860780, -947847671, 1097594834, -1998392128, -178110029, 1953047600, 
1301328157, 2029112070, -1333777692, -1721593028, 1347562111, 811390021, 
1430524761, -981431290, -548174890, -504385778, 
};

unsigned int porte_fake[]={11002, 13000, 13010}; 
// THE PORTS SOMEONE COULD SEE BY DECRYPTING ROOT

unsigned int porte_vere[]={11002, 13000, 13010}; 
// THE REAL PORTS, WHICH CANNOT BE SEEN UNLESS THE PROTECTION IS REVERSED

typedef struct _LSA_UNICODE_STRING {
  USHORT Length;
  USHORT MaximumLength;
  PWSTR  Buffer;
} LSA_UNICODE_STRING, *PLSA_UNICODE_STRING, UNICODE_STRING, *PUNICODE_STRING;

BOOL (__stdcall *_AllocConsole)(void);

BOOL __stdcall HookAllocConsole(void) {
	return FALSE;
}

int (__stdcall *_connect)(SOCKET, const struct sockaddr*, int);

int __stdcall _connectHook(SOCKET s, const struct sockaddr*name, int namelen){
	sockaddr_in *coso=(sockaddr_in*)name;
	unsigned int porta=ntohs(coso->sin_port);
	// Map each advertised port to the real port at the same index.
	if (porta == porte_fake[0]) porta=porte_vere[0];
	else if (porta == porte_fake[1]) porta=porte_vere[1];
	else if (porta == porte_fake[2]) porta=porte_vere[2];
	// Always connect to the configured server address.
	coso->sin_addr.S_un.S_addr=inet_addr(indirizzo_ip);
	coso->sin_port=htons(porta);
    return _connect(s, name, namelen);
}

long CRCFILE(std::string Filename) {
	FILE *f;
	if ((f=fopen(Filename.c_str(), "rb")) == NULL) {
		return 0;
	}
	unsigned long size;
	fseek(f, 0, SEEK_END);
	size=ftell(f);
	fseek(f, 0, SEEK_SET);
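	unsigned char *File=new (std::nothrow) unsigned char[size];
	if (File == NULL) { // allocation failed: report "no CRC" instead of dereferencing NULL
		fclose(f);
		return 0;
	}
	fread(File, 1, size, f);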
	fclose(f);
	unsigned long crc[256];
	for (unsigned int i=0; i<=0xFF; i++) {
		unsigned long coso=0;
		unsigned long I=i;
		for (unsigned int b=1; b<9; b++) {
			if (I & 1) coso |= 1 << (8-b);
			I >>= 1;
		}
		crc[i]=coso << 24;
		for (unsigned int c=0; c<8; c++) crc[i]=(crc[i] << 1) ^ (crc[i] & (1 << 31) ? 0x04c11db7 : 0);
		unsigned long coso2=0;
		unsigned long Ii=crc[i];
		for (unsigned int d=1; d<33; d++) {
			if (Ii & 1) coso2 |= 1 << (32-d);
			Ii >>= 1;
		}		
		crc[i]=coso2;
	}
	unsigned long Crc=0xffffffff;
	for (unsigned int i=0; i<size; i++) Crc=(Crc >> 8) ^ crc[(Crc & 0xFF) ^ File[i]];
	delete [] File;
	return Crc^0xffffffff;
}

long CRCFILEW(std::wstring Filename) {
	FILE *f;
	if ((f=_wfopen(Filename.c_str(), L"rb")) == NULL) {
		return 0;
	}
	unsigned long size;
	fseek(f, 0, SEEK_END);
	size=ftell(f);
	fseek(f, 0, SEEK_SET);
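	unsigned char *File=new (std::nothrow) unsigned char[size];
	if (File == NULL) { // allocation failed: report "no CRC" instead of dereferencing NULL
		fclose(f);
		return 0;
	}
	fread(File, 1, size, f);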
	fclose(f);
	unsigned long crc[256];
	for (unsigned int i=0; i<=0xFF; i++) {
		unsigned long coso=0;
		unsigned long I=i;
		for (unsigned int b=1; b<9; b++) {
			if (I & 1) coso |= 1 << (8-b);
			I >>= 1;
		}
		crc[i]=coso << 24;
		for (unsigned int c=0; c<8; c++) crc[i]=(crc[i] << 1) ^ (crc[i] & (1 << 31) ? 0x04c11db7 : 0);
		unsigned long coso2=0;
		unsigned long Ii=crc[i];
		for (unsigned int d=1; d<33; d++) {
			if (Ii & 1) coso2 |= 1 << (32-d);
			Ii >>= 1;
		}		
		crc[i]=coso2;
	}
	unsigned long Crc=0xffffffff;
	for (unsigned int i=0; i<size; i++) Crc=(Crc >> 8) ^ crc[(Crc & 0xFF) ^ File[i]];
	delete [] File;
	return Crc^0xffffffff;
}

int (__stdcall *LdrLoadDll)(
  IN PWCHAR               PathToFile OPTIONAL,
  IN ULONG                Flags OPTIONAL,
  IN PUNICODE_STRING      ModuleFileName,
  OUT PHANDLE             ModuleHandle);

int __stdcall HookLdrLoadDll(
  IN PWCHAR               PathToFile OPTIONAL,
  IN ULONG                Flags OPTIONAL,
  IN PUNICODE_STRING      ModuleFileName,
  OUT PHANDLE             ModuleHandle)
{
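	char lzDllName[1000]={0};
	// UNICODE_STRING is counted, not necessarily NUL-terminated: convert exactly Length bytes, bounded by the buffer size.
	WideCharToMultiByte(CP_ACP, 0, ModuleFileName->Buffer, ModuleFileName->Length/sizeof(WCHAR), lzDllName, sizeof(lzDllName)-1, NULL, NULL);
	string GetString=(string)lzDllName;
	long CRC32 = CRCFILE(GetString);
	for (int i=0; i<sizeof(crc)/sizeof(crc[0]); i++) { // '<' keeps the index inside crc[]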
		if (CRC32 == crc[i]) {
			fstream of("test.txt", fstream::in | fstream::out | fstream::app);
			of << "[Protection] E' stata trovata " << GetString <<  " ...\n";
			of.close();
			remove(GetString.c_str());
			exit(0);
			return 0;
		}
	}
	return LdrLoadDll(PathToFile, Flags, ModuleFileName, ModuleHandle);
}

int CheckModules()
{
	MODULEENTRY32 me32;
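	HANDLE hModuleSnap=CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetCurrentProcessId());
	if (hModuleSnap == INVALID_HANDLE_VALUE) return 0;
	me32.dwSize=sizeof(MODULEENTRY32);
	Module32First(hModuleSnap, &me32); // first entry is the executable itself; the loop starts at the second module
	while (Module32Next(hModuleSnap, &me32)) {
		wstring GetString=me32.szExePath;
		long CRC32=CRCFILEW(GetString);
		for (int i=0; i<sizeof(crc)/sizeof(crc[0]); i++) { // '<' keeps the index inside crc[]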
			if (CRC32 == crc[i]) {
				FILE *f=_wfopen(L"test.txt", L"a");
				wchar_t buff[400];
				swprintf(buff, L"[Protection] E' stata trovata %s...\n", me32.szExePath);
				fputws(buff, f);
				fclose(f);
				HMODULE mod=GetModuleHandle(me32.szExePath);
				FreeLibrary(mod);
				exit(0);
				return 0;
			}
		}
	}
	CloseHandle(hModuleSnap);
	return 0;
}

bool __CheckWindow(const char *window)
{
	if (FindWindowA(NULL, window)) {
		fstream of("test.txt", fstream::in | fstream::out | fstream::app);
		of << "[Protection] E' stato identificato " << window << "...\n";
		of.close();
		return TRUE;
	}
	return FALSE;
}

void CheckWindows()
{
	// Poll in a loop; the original called itself recursively and would eventually exhaust the stack.
	for (;;) {
		if (
			// WINDOWS OF THE HACKS TO BE BLOCKED
			__CheckWindow("CH347 3NG1N3 9.9") ||
			__CheckWindow("Metin2 MultiHack 1.8.5") ||
			__CheckWindow("Switch-Bot 1.0.0.4 © by Unpublished") ||
			__CheckWindow("M2Bob") ||
			__CheckWindow("M2Bob - Version 1.4") ||
			__CheckWindow("M2Bob.net - Version 2.0.0") ||
			__CheckWindow("M2Bob.net - Version 1.3.1") ||
			__CheckWindow("M2Bob.net - Version 1.3.2") ||
			__CheckWindow("M2Bob.net - Version 3.0.0") ||
			__CheckWindow("M2Bob.net - Version 4.0.0") ||
			__CheckWindow("Winject") ||
			__CheckWindow("OldSchoolInject") ||
			__CheckWindow("ZiInjector © by Unpublished") ||
			__CheckWindow("Extreme Injector v.3.3 by master131") ||
			__CheckWindow("Kernel Detective v1.4.1 :: System Idle Process")
			// IF AT LEAST ONE OF THESE WINDOWS IS FOUND, THE CLIENT WILL CLOSE
		)exit(0);
		Sleep(3000);
	}
}

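void CheckArgument()
{
	int i=0;
	LPWSTR *arg=CommandLineToArgvW(GetCommandLineW(), &i);
	// Require both arguments to exist before comparing them; otherwise arg[1] is read out of bounds.
	if (arg == NULL || i < 2 || !(wcscmp(arg[0], Launcher) == 0 && wcscmp(arg[1], Argument) == 0)) {
		// Not started by the launcher: point the client at localhost.
		indirizzo_ip="127.0.0.1";
	}
	if (arg != NULL) LocalFree(arg);
}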

BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
					 )
{
	switch (ul_reason_for_call)
	{
	case DLL_PROCESS_ATTACH:
	{
		fstream of("test.txt", fstream::in | fstream::out | fstream::trunc);
		of << "Protection-Test by TheRock\n\n";
		of.close();
		CheckArgument();
		CheckModules();
		FreeConsole();
		_connect=(int(__stdcall*)(SOCKET, const struct sockaddr*, int))DetourFunction((PBYTE)GetProcAddress(GetModuleHandleA("WS2_32.DLL"), "connect"), (PBYTE)_connectHook);
		_AllocConsole = (BOOL (__stdcall*)(void))DetourFunction((PBYTE)GetProcAddress(LoadLibraryW(L"KERNEL32.DLL"), "AllocConsole"), (PBYTE)HookAllocConsole);
		LdrLoadDll = (int (__stdcall*)(IN PWCHAR PathToFile OPTIONAL, IN ULONG Flags OPTIONAL, IN PUNICODE_STRING ModuleFileName, OUT PHANDLE ModuleHandle))DetourFunction((PBYTE)GetProcAddress(LoadLibraryW(L"NTDLL.DLL"), "LdrLoadDll"), (PBYTE)HookLdrLoadDll);
		CreateThread(NULL, NULL, LPTHREAD_START_ROUTINE(CheckWindows), NULL, 0, 0);
	}
	case DLL_THREAD_ATTACH:
	case DLL_THREAD_DETACH:
	case DLL_PROCESS_DETACH:
		break;
	}
	return TRUE;
}
WarXWar is offline  
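
An added example, not part of the original post: the table construction in CRCFILE above, written portably, showing that it yields the standard CRC-32 and how an unsigned result becomes the signed values stored in `crc[]`, with a bounds-correct lookup. The function names, `SAMPLE_LIST` and the "123456789" input are assumptions made for this illustration; the first two list values are copied from the post, the third is constructed.

```cpp
#include <cstdint>
#include <cstddef>
#include <cstring>
#include <cstdio>

// Reverse the low `bits` bits of v (same operation as the two inner loops in CRCFILE).
static uint32_t reflect(uint32_t v, int bits) {
    uint32_t r = 0;
    for (int b = 0; b < bits; ++b) {
        if (v & 1u) r |= 1u << (bits - 1 - b);
        v >>= 1;
    }
    return r;
}

// One table entry, built as in the post: reflect the index, run 8 MSB-first
// rounds with polynomial 0x04C11DB7, then reflect the 32-bit result.
static uint32_t table_entry(uint32_t i) {
    uint32_t c = reflect(i, 8) << 24;
    for (int k = 0; k < 8; ++k)
        c = (c << 1) ^ ((c & 0x80000000u) ? 0x04C11DB7u : 0u);
    return reflect(c, 32);
}

// CRC-32 over a buffer: init 0xFFFFFFFF, final XOR 0xFFFFFFFF, as in CRCFILE.
uint32_t crc32_buf(const unsigned char *p, size_t n) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; ++i)
        crc = (crc >> 8) ^ table_entry((crc ^ p[i]) & 0xFFu);
    return crc ^ 0xFFFFFFFFu;
}

// The post stores CRCs in a 32-bit signed `long` (MSVC), so values with the
// top bit set appear negative. Reinterpret the bits without changing them.
int32_t as_list_value(uint32_t crc) {
    int32_t s;
    std::memcpy(&s, &crc, sizeof s);
    return s;
}

// Lookup with i < count, so the index never passes the end of the array.
bool in_blocklist(int32_t v, const int32_t *list, size_t count) {
    for (size_t i = 0; i < count; ++i)
        if (list[i] == v) return true;
    return false;
}

// First two entries are from the post; the last is the CRC of the constructed input.
static const int32_t SAMPLE_LIST[] = { -1982651409, -776276586, -873187034 };
static const size_t SAMPLE_COUNT = sizeof(SAMPLE_LIST) / sizeof(SAMPLE_LIST[0]);

int main() {
    const unsigned char msg[] = "123456789"; // constructed sample input
    std::printf("%d\n", as_list_value(crc32_buf(msg, 9)));
    return 0;
}
```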
Old 06/19/2015, 22:37   #10
 
elite*gold: 0
Join Date: Feb 2015
Posts: 19
Received Thanks: 2
I do not understand. What exactly is this work? What does it do?
dreamfancyy is offline  
Old 06/19/2015, 22:52   #11

 
Yavuz Karasu's Avatar
 
elite*gold: 731
Join Date: Oct 2008
Posts: 6,267
Received Thanks: 1,502
Quote:
Originally Posted by dreamfancyy View Post
I do not understand. What exactly is this work? What does it do?
I understand it like this:

If you want to inject metin2client.bin, Hackshield will detect the injection, or Hackshield will detect the hacks you are using at the moment

and dll injection will protect your injection from Hackshield; also you will get no report message from Hackshield. Do you know what happens when you inject metin2client.bin?
Yavuz Karasu is offline  
Old 06/19/2015, 23:33   #12
 
Mi4uric3's Avatar
 
elite*gold: 405
Join Date: Dec 2007
Posts: 6,615
Received Thanks: 6,356
Quote:
Originally Posted by Kirmizi Beyaz View Post
and dll injection will protect your injection from Hackshield; also you will get no report message from Hackshield. Do you know what happens when you inject metin2client.bin?
That's totally the opposite of what this does.
Mi4uric3 is offline  
Old 06/20/2015, 04:29   #13
 
elite*gold: 0
Join Date: Jun 2015
Posts: 1
Received Thanks: 0
Quote:
Originally Posted by WarXWar View Post
C++ SOURCE:

How to do?

In the clientside:

Code:
from ctypes import windll;
import os;
if windll.kernel32.GetModuleHandleA("AntiHack.dll") == 0:
 windll.kernel32.LoadLibraryA("AntiHack.dll");
 if windll.kernel32.GetModuleHandleA("AntiHack.dll") == 0: os._exit(0);
I don't have the module ctypes: .

thanks for sharing but not compiled
zaaa23 is offline  
Old 06/20/2015, 15:10   #14

 
Blaconix's Avatar
 
elite*gold: 150
Join Date: Feb 2012
Posts: 95
Received Thanks: 15
Nice release. It works.
Blaconix is offline  
Old 06/27/2015, 23:45   #15

 
Yavuz Karasu's Avatar
 
elite*gold: 731
Join Date: Oct 2008
Posts: 6,267
Received Thanks: 1,502
Quote:
Originally Posted by Mi4uric3 View Post
That's totally the opposite of what this does.
Ok, sorry then.

I need more knowledge about dll injection
Yavuz Karasu is offline  