Possible Anti-DLL

Questions, downloads, issues related to plugins for Enigma Protector
Etroplus
Posts: 2
Joined: Fri Sep 02, 2011 6:32 am

Possible Anti-DLL

Post by Etroplus »

function BlockAPI(hProcess : THandle; libName : PChar; apiName : PAnsiChar) : Boolean;
var
  bRet : Byte;        // one opcode byte; Char is 2 bytes on Unicode Delphi, so do not use it here
  hLib : THandle;
  pAddr : Pointer;
  dwWritten : DWORD;
begin
  Result := False;
  bRet := $C3;        // x86 'ret': the patched API returns immediately
  // ntdll is mapped at the same base in every process, so the address
  // resolved here is also valid inside the target process
  hLib := LoadLibrary(libName);
  if hLib <> 0 then
  begin
    pAddr := GetProcAddress(hLib, apiName);
    if pAddr <> nil then
    begin
      if WriteProcessMemory(hProcess, pAddr, @bRet, SizeOf(bRet), dwWritten) then
        Result := dwWritten = SizeOf(bRet);
    end;
    FreeLibrary(hLib);
  end;
end;

procedure AntiInject;
var
  hProc : THandle;
begin
  hProc := GetCurrentProcess;   // pseudo-handle, does not need CloseHandle
  while True do
  begin
    BlockAPI(hProc, 'NTDLL.DLL', 'LdrLoadDll');
    Sleep(100);
  end;
end;


procedure AntiInject2;
var
  hWindow : HWND;
  dwPid : DWORD;
  hProc : THandle;
begin
  // FindWindow returns a window handle, not a process handle: resolve the
  // owning process and open it with only the rights WriteProcessMemory needs
  hWindow := FindWindow(nil, 'Gunz');
  if hWindow = 0 then Exit;
  dwPid := 0;
  GetWindowThreadProcessId(hWindow, @dwPid);
  hProc := OpenProcess(PROCESS_VM_OPERATION or PROCESS_VM_WRITE, False, dwPid);
  if hProc = 0 then Exit;
  try
    while True do
    begin
      BlockAPI(hProc, 'NTDLL.DLL', 'LdrLoadDll');
      Sleep(100);
    end;
  finally
    CloseHandle(hProc);
  end;
end;
Enigma
Site Admin
Posts: 2939
Joined: Wed Aug 20, 2008 2:24 pm

Re: Possible Anti-DLL

Post by Enigma »

Hi, this is possible, but this does not handle all the possible ways of DLL injection. Moreover, I recommend modifying this code like so:

function BlockAPI(hProcess : THandle; libName : PChar; apiName : PAnsiChar; ParamsCount : Byte) : Boolean;
var
  hLib : THandle;
  pAddr : Pointer;
  Stub : array [0..2] of Byte;   // bytes written over the API entry point
  Len : DWORD;                   // how many of them are used
  dwWritten : DWORD;
begin
  Result := False;
  hLib := LoadLibrary(libName);
  if hLib <> 0 then
  begin
    pAddr := GetProcAddress(hLib, apiName);
    if pAddr <> nil then
    begin
      if ParamsCount = 0 then
      begin
        Stub[0] := $C3;            // ret
        Len := 1;
      end else
      begin
        // ret imm16: a 32-bit stdcall callee removes its own arguments
        // (4 bytes each) from the stack before returning, so the patched
        // function must do the same or the caller's stack is corrupted
        Stub[0] := $C2;
        Stub[1] := ParamsCount * 4; // low byte of imm16
        Stub[2] := 0;               // high byte of imm16
        Len := 3;
      end;
      if WriteProcessMemory(hProcess, pAddr, @Stub[0], Len, dwWritten) then
        Result := dwWritten = Len;
    end;
    FreeLibrary(hLib);
  end;
end;

procedure AntiInject;
var
  hProc : THandle;
begin
  hProc := GetCurrentProcess;   // pseudo-handle, does not need CloseHandle
  while True do
  begin
    BlockAPI(hProc, 'NTDLL.DLL', 'LdrLoadDll', 4);
    Sleep(100);
  end;
end;


procedure AntiInject2;
var
  hWindow : HWND;
  dwPid : DWORD;
  hProc : THandle;
begin
  // FindWindow returns a window handle, not a process handle: resolve the
  // owning process and open it with only the rights WriteProcessMemory needs
  hWindow := FindWindow(nil, 'Gunz');
  if hWindow = 0 then Exit;
  dwPid := 0;
  GetWindowThreadProcessId(hWindow, @dwPid);
  hProc := OpenProcess(PROCESS_VM_OPERATION or PROCESS_VM_WRITE, False, dwPid);
  if hProc = 0 then Exit;
  try
    while True do
    begin
      BlockAPI(hProc, 'NTDLL.DLL', 'LdrLoadDll', 4);
      Sleep(100);
    end;
  finally
    CloseHandle(hProc);
  end;
end;
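The two patch shapes discussed in this reply, plain `ret` (C3) for zero arguments and `ret imm16` (C2 with a little-endian 16-bit cleanup count) for a 32-bit stdcall function, are easy to get subtly wrong: the count is `4 * ParamsCount`, it occupies two bytes, and it does not apply on x64 at all. The Python below is an added example, not code from this thread or from Enigma Protector. It encodes the stub the thread writes, then shows the check a defender would run against a process (or a memory dump) to tell whether a function's entry has been overwritten with such a stub or with a `jmp rel32` trampoline: compare the live first bytes against a clean reference copy of the same function. The reference prologue bytes (`8B FF 55 8B EC`, the usual `mov edi,edi; push ebp; mov ebp,esp` hot-patch prologue) and the sample "live" bytes are constructed for the example.

```python
import struct

# x86 opcodes involved: the two the thread writes, plus the trampoline jump
# that inline hooks typically place at an entry point (added context).
RET = 0xC3        # ret
RET_IMM16 = 0xC2  # ret imm16  (callee pops imm16 bytes of arguments)
JMP_REL32 = 0xE9  # jmp rel32

# Constructed reference: a typical MS hot-patchable 32-bit prologue
# (mov edi,edi / push ebp / mov ebp,esp). Not real ntdll bytes.
CLEAN_PROLOGUE = bytes.fromhex("8bff558bec")


def ret_stub(params_count: int) -> bytes:
    """Bytes the thread writes over a 32-bit stdcall API entry point.

    params_count == 0 -> C3 (ret); otherwise C2 imm16 with
    imm16 = 4 * params_count, little-endian, so the patched function
    still removes its caller's arguments from the stack. Unlike a
    single-byte store, this covers the full 16-bit range and refuses
    counts that do not fit.
    """
    if params_count < 0:
        raise ValueError("params_count must be non-negative")
    if params_count == 0:
        return bytes([RET])
    cleanup = params_count * 4
    if cleanup > 0xFFFF:
        raise ValueError("stack cleanup does not fit in imm16")
    return bytes([RET_IMM16]) + struct.pack("<H", cleanup)


def classify_prologue(code: bytes) -> dict:
    """Describe the first instruction found at a function's entry."""
    if not code:
        return {"kind": "empty"}
    op = code[0]
    if op == RET:
        return {"kind": "ret", "cleanup": 0}
    if op == RET_IMM16 and len(code) >= 3:
        cleanup = struct.unpack_from("<H", code, 1)[0]
        return {"kind": "ret_imm16", "cleanup": cleanup, "stdcall_params": cleanup // 4}
    if op == JMP_REL32 and len(code) >= 5:
        rel = struct.unpack_from("<i", code, 1)[0]
        # target = address of next instruction + rel32; report only the displacement
        return {"kind": "jmp_rel32", "rel32": rel}
    return {"kind": "other"}


def entry_patched(live: bytes, clean: bytes) -> bool:
    """Integrity check: do the live entry bytes differ from the clean copy?

    'clean' would normally come from the on-disk image of the same module;
    here both inputs are supplied by the caller.
    """
    return live[: len(clean)] != clean


def audit_entry(live: bytes, clean: bytes = CLEAN_PROLOGUE) -> dict:
    """Combine the two checks into one report for a single entry point."""
    report = {"patched": entry_patched(live, clean)}
    report.update(classify_prologue(live))
    return report


if __name__ == "__main__":
    # LdrLoadDll takes four arguments, so the thread writes C2 10 00.
    stub = ret_stub(4)
    print(stub.hex())                                   # c21000
    # Constructed "live" bytes: the stub written over the clean prologue.
    live = stub + CLEAN_PROLOGUE[len(stub):]
    print(audit_entry(live))                            # patched, ret_imm16, 4 params
    print(audit_entry(CLEAN_PROLOGUE))                  # not patched, kind 'other'
```

Run against bytes read from a live process the same report tells you whether an entry point was neutered the way this thread does, redirected by a trampoline, or left alone; the thread's own code covers only the first case and only on 32-bit.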
0xFFFFFFF
Posts: 1
Joined: Sun Apr 08, 2012 6:07 pm

Re: Possible Anti-DLL

Post by 0xFFFFFFF »

How can I translate this code to C/C++?
Sander
Posts: 1
Joined: Tue Apr 03, 2012 3:15 pm

Re: Possible Anti-DLL

Post by Sander »

How to use this?
lolalexlol
Posts: 6
Joined: Mon Aug 06, 2012 3:41 pm

Re: Possible Anti-DLL

Post by lolalexlol »

Yes, how can I use this?
Enigma
Site Admin
Posts: 2939
Joined: Wed Aug 20, 2008 2:24 pm

Re: Possible Anti-DLL

Post by Enigma »

Compile it using Delphi into a DLL and use it in plugins.
lolalexlol
Posts: 6
Joined: Mon Aug 06, 2012 3:41 pm

Re: Possible Anti-DLL

Post by lolalexlol »

OK, but I saw this line hProc := FindWindow(nil, 'Gunz'); I have to replace 'Gunz' with my window name? E.g. if I want to put this on Notepad, I must put it like this: hProc := FindWindow(nil, 'Notepad'); ?
Enigma
Site Admin
Posts: 2939
Joined: Wed Aug 20, 2008 2:24 pm

Re: Possible Anti-DLL

Post by Enigma »

lolalexlol wrote:OK, but I saw this line hProc := FindWindow(nil, 'Gunz'); I have to replace 'Gunz' with my window name? E.g. if I want to put this on Notepad, I must put it like this: hProc := FindWindow(nil, 'Notepad'); ?
Yes, this is possible and your code is correct. Only note, FindWindow searches for an exact match of the window text, which is not always known. So if the window text is 'Notepad1', your check will fail.
johndoe
Posts: 25
Joined: Fri Feb 17, 2012 10:34 pm

Re: Possible Anti-DLL

Post by johndoe »

Error:
types of actual and formal var parameters must be identical
Line:
Result := WriteProcessMemory(hProcess, pAddr, @pRet, 1, dwRet);
Help me? :/
Enigma
Site Admin
Posts: 2939
Joined: Wed Aug 20, 2008 2:24 pm

Re: Possible Anti-DLL

Post by Enigma »

Seems it should be like this:

function BlockAPI(hProcess : THandle; libName : PChar; apiName : PAnsiChar; ParamsCount : Byte) : Boolean;
var
  hLib : THandle;
  pAddr : Pointer;
  Stub : array [0..2] of Byte;   // bytes written over the API entry point
  Len : Cardinal;                // how many of them are used
  dwtmp : Cardinal;              // separate variable for the bytes-written count
begin
  Result := False;
  hLib := LoadLibrary(libName);
  if hLib <> 0 then
  begin
    pAddr := GetProcAddress(hLib, apiName);
    if pAddr <> nil then
    begin
      if ParamsCount = 0 then
      begin
        Stub[0] := $C3;            // ret
        Len := 1;
      end else
      begin
        // ret imm16: pop 4 bytes per stdcall argument (32-bit only)
        Stub[0] := $C2;
        Stub[1] := ParamsCount * 4; // low byte of imm16
        Stub[2] := 0;               // high byte of imm16
        Len := 3;
      end;
      // write the stub itself (not an unrelated variable) and pass a plain
      // Cardinal for the bytes-written parameter, which is what the compiler
      // error above was about
      if WriteProcessMemory(hProcess, pAddr, @Stub[0], Len, dwtmp) then
        Result := dwtmp = Len;
    end;
    FreeLibrary(hLib);
  end;
end;