Jump to content

Injection Checker


alextoti99

Recommended Posts

Here is a code that checks if there are injected dlls in your program.

Its hidden, nth wont pop up when you use it!

To edit it: CloakDll("notepad.exe", "kernel32.dll");

CloakDll("notepad.exe", "kernel32.dll");
edit the notepad.exe to your game name
and kernel32.dll to the dll you wanna check

also you can add more CloakDll wiht other dlls so it will be checking for all the dlls you know
#define _CRT_NONSTDC_NO_WARNINGS
#include <windows.h>
#include <winnt.h>
#include <tlhelp32.h>
#include <shlwapi.h>

#pragma comment(lib, "shlwapi.lib")

#define UPPERCASE(x) if((x) >= 'a' && (x) <= 'z') (x) -= 'a' - 'A'
#define UNLINK(x) (x).Blink->Flink = (x).Flink; \
    (x).Flink->Blink = (x).Blink;

#pragma pack(push, 1)

typedef struct _UNICODE_STRING {
	USHORT  Length;
	USHORT  MaximumLength;
	PWSTR  Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

typedef struct _ModuleInfoNode
{
	LIST_ENTRY LoadOrder;
	LIST_ENTRY InitOrder;
	LIST_ENTRY MemoryOrder;
	HMODULE baseAddress;        //  Base address AKA module handle
	unsigned long entryPoint;
	unsigned int size;          //  Size of the modules image
	UNICODE_STRING fullPath;
	UNICODE_STRING name;
	unsigned long flags;
	unsigned short LoadCount;
	unsigned short TlsIndex;
	LIST_ENTRY HashTable;   //  A linked list of any other modules that have the same first letter
	unsigned long timestamp;
} ModuleInfoNode, *pModuleInfoNode;

typedef struct _ProcessModuleInfo
{
	unsigned int size;          //  Size of a ModuleInfo node?
	unsigned int initialized;
	HANDLE SsHandle;
	LIST_ENTRY LoadOrder;
	LIST_ENTRY InitOrder;
	LIST_ENTRY MemoryOrder;
} ProcessModuleInfo, *pProcessModuleInfo;


#pragma pack(pop)

bool CloakDll_stub(HMODULE);
void CD_stubend();

bool CloakDll(char *, char *);
unsigned long GetProcessIdFromProcname(char *);
HMODULE GetRemoteModuleHandle(unsigned long, char *);


int _stdcall wWinMain(HINSTANCE hInst, HINSTANCE prevInst, LPWSTR szCmdLine, int nCmdShow)
{
	CloakDll("notepad.exe", "kernel32.dll");
	return 0;
}

bool CloakDll(char *process, char *dllName)
{
	PathStripPath(dllName);

	unsigned long procId;
	procId = GetProcessIdFromProcname(process);
	HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, procId);

	//  Calculate the length of the stub by subtracting it's address
	//  from the beginning of the function directly ahead of it.
	//
	//  NOTE: If the compiler compiles the functions in a different
	//  order than they appear in the code, this will not work as
	//  it's supposed to.  However, most compilers won't do that.
	unsigned int stubLen = (unsigned long)CD_stubend - (unsigned long)CloakDll_stub;

	//  Allocate space for the CloakDll_stub function
	void *stubAddress = VirtualAllocEx(hProcess,
		NULL,
		stubLen,
		MEM_RESERVE | MEM_COMMIT,
		PAGE_EXECUTE_READWRITE);

	//  Write the stub's code to the page we allocated for it
	WriteProcessMemory(hProcess, stubAddress, CloakDll_stub, stubLen, NULL);

	HMODULE hMod = GetRemoteModuleHandle(procId, dllName);

	//  Create a thread in the remote process to execute our code
	CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)stubAddress, hMod, 0, NULL);

	//  Clean up after ourselves, so as to leave as little impact as possible
	//  on the remote process
	VirtualFreeEx(hProcess, stubAddress, stubLen, MEM_RELEASE);
	return true;
}

bool CloakDll_stub(HMODULE hMod)
{
	ProcessModuleInfo *pmInfo;
	ModuleInfoNode *module;

	_asm
	{
		mov eax, fs:[18h]       // TEB
		mov eax, [eax + 30h]    // PEB
			mov eax, [eax + 0Ch]    // PROCESS_MODULE_INFO
			mov pmInfo, eax
	}

	module = (ModuleInfoNode *)(pmInfo->LoadOrder.Flink);

	while (module->baseAddress && module->baseAddress != hMod)
		module = (ModuleInfoNode *)(module->LoadOrder.Flink);

	if (!module->baseAddress)
		return false;

	//  Remove the module entry from the list here
	/////////////////////////////////////////////////// 
	//  Unlink from the load order list
	UNLINK(module->LoadOrder);
	//  Unlink from the init order list
	UNLINK(module->InitOrder);
	//  Unlink from the memory order list
	UNLINK(module->MemoryOrder);
	//  Unlink from the hash table
	UNLINK(module->HashTable);

	//  Erase all traces that it was ever there
	///////////////////////////////////////////////////

	//  This code will pretty much always be optimized into a rep stosb/stosd pair
	//  so it shouldn't cause problems for relocation.
	//  Zero out the module name
	memset(module->fullPath.Buffer, 0, module->fullPath.Length);
	//  Zero out the memory of this module's node
	memset(module, 0, sizeof(ModuleInfoNode));

	return true;
}

__declspec(naked) void CD_stubend() { }

unsigned long GetProcessIdFromProcname(char *procName)
{
	PROCESSENTRY32 pe;
	HANDLE thSnapshot;
	BOOL retval, ProcFound = false;

	thSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

	if (thSnapshot == INVALID_HANDLE_VALUE)
	{
		MessageBox(NULL, "Error: unable to create toolhelp snapshot", "Loader", NULL);
		return false;
	}

	pe.dwSize = sizeof(PROCESSENTRY32);

	retval = Process32First(thSnapshot, &pe);

	while (retval)
	{
		if (StrStrI(pe.szExeFile, procName))
		{
			ProcFound = true;
			break;
		}

		retval = Process32Next(thSnapshot, &pe);
		pe.dwSize = sizeof(PROCESSENTRY32);
	}

	return pe.th32ProcessID;
}

HMODULE GetRemoteModuleHandle(unsigned long pId, char *module)
{
	MODULEENTRY32 modEntry;
	HANDLE tlh = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pId);

	modEntry.dwSize = sizeof(MODULEENTRY32);
	Module32First(tlh, &modEntry);

	do
	{
		if (!stricmp(modEntry.szModule, module))
			return modEntry.hModule;
		modEntry.dwSize = sizeof(MODULEENTRY32);
	} while (Module32Next(tlh, &modEntry));

	return NULL;
}

Β 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...