Enigma Protector x86: Check Injected DLL

Questions, downloads, issues related to plugins for Enigma Protector
Enigma
Site Admin
Posts: 2945
Joined: Wed Aug 20, 2008 2:24 pm

Post by Enigma »

This plugin checks all the modules of the current process and searches for unallowed modules.

This can be one of the ways to check for injected DLLs. The method works if the name of the injected DLL is known.

Attached is the source of the plugin, written in Delphi. To adapt the plugin to your own needs, modify the array UNALLOWED_MODULES and replace its contents with the names of your unallowed DLLs. Then compile the plugin.
P4ulo
Posts: 4
Joined: Fri Apr 08, 2011 10:36 pm

Post by P4ulo »

Hi Enigma,
Blocking DLL names is easy to cheat... just rename the file name...
Is it possible to block DLL INJECTION METHODS? Like, some APIs or functions used to inject...

Post by Enigma »

Hi P4ulo,
P4ulo wrote: Blocking DLL names is easy to cheat... just rename the file name... Is it possible to block DLL INJECTION METHODS? Like, some APIs or functions used to inject...

Yes, frustrating but I agree. But this method works very well for non-advanced users. Imagine you want to cheat a program and you renamed this DLL: you have to not only rename the file itself, but also rename the name of this DLL in the process that hooks it. Usual users will not be able to do this.

There are other ways to avoid injection:
1. Disable remote calls in the protected application. This is dangerous and may damage the workability of the protected file.
2. Probably a better solution - check the injected module by a signature, and not by a name. You need to enumerate all modules and, for example, search each module for some string that mainly belongs only to the unallowed DLL/module. If the signature/string is found, then the process is injected.
3. Another way - disable LdrLoadDll, but this way will also not help if the file is renamed; moreover, I know an injection method that works around LdrLoadDll.
4. I'm not sure if this way exists, but probably it is possible to somehow disallow injecting any DLL into the process by granting or removing process permissions...

Finally, it is better to use the simple way that I have made, because if an advanced cracker wants to cheat, he will do it, not a deal.
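
The name check from the first post and the signature check from point 2 above, side by side, as an added example that is not part of the original thread and not the plugin's source. The deny-list entries, the signature string and the sample module list are constructed; in a real plugin each entry would come from enumerating the process's modules (for example szModule, modBaseAddr and modBaseSize from a Toolhelp module snapshot).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* A loaded module as the checker sees it: full path plus its mapped image. */
typedef struct { const char *path; const unsigned char *image; size_t size; } module_t;

/* Constructed deny-lists; UNALLOWED_MODULES mirrors the plugin's array name. */
static const char *UNALLOWED_MODULES[] = { "trainer.dll" };
static const char *UNALLOWED_SIGS[]    = { "ExampleTrainer-Core" };
enum { MOD_OK, MOD_BAD_NAME, MOD_BAD_SIG };

/* Case-insensitive match on the file-name part of a Windows path. */
static int name_matches(const char *path, const char *name) {
    const char *base = path;
    for (const char *p = path; *p; p++)
        if (*p == '\\' || *p == '/') base = p + 1;
    for (; *base && *name; base++, name++)
        if (tolower((unsigned char)*base) != tolower((unsigned char)*name)) return 0;
    return *base == *name;   /* both strings must end together */
}

/* Bounded byte search; image data contains NULs, so strstr() is unsuitable. */
static int contains(const unsigned char *hay, size_t n, const char *sig) {
    size_t m = strlen(sig);
    for (size_t i = 0; m && i + m <= n; i++)
        if (memcmp(hay + i, sig, m) == 0) return 1;
    return 0;
}

/* Name check first (cheap), then the signature check that survives a rename. */
int check_module(const module_t *m) {
    for (size_t i = 0; i < sizeof UNALLOWED_MODULES / sizeof *UNALLOWED_MODULES; i++)
        if (name_matches(m->path, UNALLOWED_MODULES[i])) return MOD_BAD_NAME;
    for (size_t i = 0; i < sizeof UNALLOWED_SIGS / sizeof *UNALLOWED_SIGS; i++)
        if (contains(m->image, m->size, UNALLOWED_SIGS[i])) return MOD_BAD_SIG;
    return MOD_OK;
}

/* Constructed sample images and module list (not real files). */
static const unsigned char IMG_CLEAN[] = "MZ\0\0....ordinary library strings....";
static const unsigned char IMG_TOOL[]  = "MZ\0\0....ExampleTrainer-Core\0....";
static const module_t SAMPLE[] = {
    { "C:\\Windows\\System32\\kernel32.dll", IMG_CLEAN, sizeof IMG_CLEAN },
    { "C:\\Games\\Trainer.DLL",              IMG_TOOL,  sizeof IMG_TOOL  },
    { "C:\\Games\\d3dhelper.dll",            IMG_TOOL,  sizeof IMG_TOOL  }, /* renamed copy */
};

int main(void) {
    for (size_t i = 0; i < sizeof SAMPLE / sizeof *SAMPLE; i++)
        printf("%s -> %d\n", SAMPLE[i].path, check_module(&SAMPLE[i]));
    return 0;
}
```

The third sample entry passes the name check and is flagged only by the signature check.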
mage200
Posts: 3
Joined: Thu Sep 29, 2011 10:46 am

Post by mage200 »

Please can you upload the bin file? I'm so noob I can't find my brain work with vb6 heaven XD

Post by Enigma »

mage200 wrote: Please can you upload the bin file? I'm so noob I can't find my brain work with vb6 heaven XD

You have to know the name of the file you would like to test for injection. What DLL do you want to check?
Post by mage200 »

can you upload the compiled dll file please

Post by Enigma »

I have to know the name of the dll that you want to check before compilation.

If I compile it now then it will do nothing. This plugin checks if some DLL is injected; you have to know the name of the DLL.
Post by mage200 »

I need to block all gunz dll hacks
it's an anti-hack for gunz
EDIT: I mean anti-inject with injector
Sh4DoVV
Posts: 16
Joined: Tue May 31, 2011 4:11 pm

Post by Sh4DoVV »

Hi friends
I wrote a plugin for anti DLL injection
I uploaded my protected file, please test it for DLL injecting and report bugs
Download Link:
notepad_protected.rar
Good luck

Post by Enigma »

Hi,

The plugin that Sh4DoVV developed is for preventing the injection of DLL files into a protected process. This technique (DLL injection) is used by game cheaters to cheat in online MMORPG games.

Sh4DoVV, as far as I understand, posted this protected example just for people who are interested in this plugin and who want to use it.

ANTI DLL INJECTION is DONE - it is a commercial plugin and requires payment! I think it is very useful for game developers! If somebody is interested in this plugin, please contact Sh4DoVV in this thread or using PM!

Move discussions to http://forum.enigmaprotector.com/viewto ... =26&t=1506