&Vage (Grandmaster Cheater Supreme)
Posted: Sat Mar 07, 2009 8:53 pm    Post subject: Preventing DLLs from being injected

Can I prevent DLLs from being injected into my process?
	
	
BanMe (Master Cheater)
Posted: Sat Mar 07, 2009 10:35 pm

There are several methods which have been used in the past to do this; all have their weaknesses.
http://www.rootkit.com/blog.php?newsid=640

Another method put forth is to traverse the PEB, find the LoaderLock and pass that handle to RtlEnterCriticalSection, but that method is, I guess, controversial and not worth mentioning, though it is available on rootkit.com if you're interested.

Still yet another method would be to hook LdrLoadDll and compare the name against a list of DLLs, or NtCreateSection and again check the file name by file handle. I'm sure there are more hooks you could use.
But failing a hooking method (because of Vista), detection is pretty straightforward: you could use Module32First and Module32Next or ZwQueryInformationProcess and traverse the lists (although this is susceptible to PEB module hiding, it's unlikely you will experience that), and detection is pretty simple, though none too effective I suppose.

Kind regards, BanMe
	
rapion124 (Grandmaster Cheater Supreme)
Posted: Sun Mar 08, 2009 10:08 am

Just hook LdrLoadDll and check the DLL name. Create a white-list of all the libraries your application will load normally. If the newly loaded DLL is not on that white-list, just return FALSE and set an error like ERROR_ACCESS_DENIED.
	
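As an added example (not code from this thread or from any of its posters), here is the whitelist decision that both rapion124's LdrLoadDll hook and BanMe's Module32First/Module32Next detection pass reduce to, written in portable C so it runs anywhere. The Windows-specific parts (installing the hook on ntdll!LdrLoadDll, converting the incoming UNICODE_STRING, calling the original function, walking the module list with Module32First/Next) are deliberately left out; the whitelist entries, the sample module snapshot and every function name below are constructed for the example. Because LdrLoadDll returns an NTSTATUS rather than a BOOL, the filter returns STATUS_ACCESS_DENIED (0xC0000022) instead of the FALSE/ERROR_ACCESS_DENIED pair suggested above.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* NTSTATUS is a 32-bit LONG on Windows; these two codes are the real values. */
typedef long NTSTATUS;
#define STATUS_SUCCESS       ((NTSTATUS)0x00000000L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)

/* Constructed whitelist: every module the hypothetical game.exe is expected
 * to have loaded, lower-case, basename only. The program's own image is
 * included because Module32First reports it as the first entry. */
static const char *const allowed_modules[] = {
    "game.exe", "ntdll.dll", "kernel32.dll", "kernelbase.dll",
    "user32.dll", "gdi32.dll", "msvcrt.dll",
};
#define ALLOWED_COUNT (sizeof allowed_modules / sizeof allowed_modules[0])
#define MAX_NAME 260   /* MAX_PATH */

/* Return the file-name part of a path; Windows accepts both separators. */
static const char *module_basename(const char *path)
{
    const char *base = path;
    for (const char *p = path; *p != '\0'; p++)
        if (*p == '\\' || *p == '/')
            base = p + 1;
    return base;
}

/* Lower-case the basename into out and append ".dll" when no extension was
 * given (LoadLibrary does the same before the name reaches the loader, so
 * "user32" and "USER32.DLL" must hit the same whitelist entry).
 * Returns 0 for an empty name or one that does not fit. */
static int normalize_module_name(const char *path, char *out, size_t outsz)
{
    const char *base = module_basename(path);
    size_t n = strlen(base);
    int has_ext = strchr(base, '.') != NULL;
    size_t need = n + (has_ext ? 0 : 4);
    if (n == 0 || need + 1 > outsz)
        return 0;
    for (size_t i = 0; i < n; i++)
        out[i] = (char)tolower((unsigned char)base[i]);
    out[n] = '\0';
    if (!has_ext)
        memcpy(out + n, ".dll", 5);
    return 1;
}

/* The whitelist decision itself. Anything that cannot be normalized is
 * denied rather than allowed, so an over-long name cannot slip through. */
int is_allowed_module(const char *path)
{
    char name[MAX_NAME];
    if (!normalize_module_name(path, name, sizeof name))
        return 0;
    for (size_t i = 0; i < ALLOWED_COUNT; i++)
        if (strcmp(name, allowed_modules[i]) == 0)
            return 1;
    return 0;
}

/* What the replacement LdrLoadDll would do with the requested name: hand
 * allowed names to the original function (Windows-specific, not shown here)
 * and fail every other load with STATUS_ACCESS_DENIED. */
NTSTATUS filter_dll_load(const char *requested)
{
    return is_allowed_module(requested) ? STATUS_SUCCESS : STATUS_ACCESS_DENIED;
}

/* Detection pass over a captured module list (the paths Module32First /
 * Module32Next would report). Returns how many entries are not whitelisted
 * and copies up to max of them into flagged. */
size_t find_unexpected_modules(const char *const *paths, size_t n,
                               const char **flagged, size_t max)
{
    size_t found = 0;
    for (size_t i = 0; i < n; i++) {
        if (is_allowed_module(paths[i]))
            continue;
        if (found < max)
            flagged[found] = paths[i];
        found++;
    }
    return found;
}

/* Constructed snapshot of a process module list; one entry is not expected. */
static const char *const sample_modules[] = {
    "C:\\Games\\game.exe",
    "C:\\Windows\\SYSTEM32\\ntdll.dll",
    "C:\\Windows\\System32\\KERNEL32.DLL",
    "C:\\Windows\\System32\\KERNELBASE.dll",
    "C:\\Windows\\System32\\user32.dll",
    "C:\\Users\\player\\AppData\\Local\\Temp\\hook.dll",
};
#define SAMPLE_COUNT (sizeof sample_modules / sizeof sample_modules[0])

int main(void)
{
    const char *flagged[SAMPLE_COUNT];
    size_t n = find_unexpected_modules(sample_modules, SAMPLE_COUNT, flagged, SAMPLE_COUNT);
    for (size_t i = 0; i < n; i++)
        printf("unexpected module: %s\n", flagged[i]);
    printf("load of evil.dll -> 0x%08lX\n",
           (unsigned long)filter_dll_load("C:\\Temp\\evil.dll"));
    return n != 0;
}
```

Two points a real hook has to take care of beyond this logic: the name LdrLoadDll receives is a UNICODE_STRING whose Buffer is UTF-16 and not guaranteed to be NUL-terminated, so convert using its Length field (in bytes) rather than scanning for a terminator; and matching on the basename alone, as above, lets a DLL that merely shares a whitelisted name but lives in another directory through, so comparing the full resolved path is the stricter choice when the application's module set is fixed.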
	
&Vage (Grandmaster Cheater Supreme)
Posted: Sun Mar 08, 2009 1:01 pm

I hooked ZwOpenProcess via r0... Do I hook LdrLoadDll via r3 or r0?
	
	
dnsi0 (I post too much)
Posted: Sun Mar 08, 2009 2:19 pm

Hook LoadLibrary.
	
	
Slugsnack (Grandmaster Cheater Supreme)
Posted: Sun Mar 08, 2009 3:37 pm

Is LdrLoadDll an r3 or r0 API?
	
	
rapion124 (Grandmaster Cheater Supreme)
Posted: Sun Mar 08, 2009 3:40 pm

LdrLoadDll is ring3. It's exported by ntdll.dll.
	
	
&Vage (Grandmaster Cheater Supreme)
Posted: Sun Mar 08, 2009 3:45 pm

dnsi0 wrote:
> Hook LoadLibrary.

Well, do I just hook LoadLibrary for my process, or for every process?
	
	
BanMe (Master Cheater)
Posted: Sun Mar 08, 2009 3:46 pm

Let's see why dnsi0's advice is bad (please, no offense; just using what you said as a stepping stone to explain the matter at hand :])
Let's say you hook LoadLibraryA...

LoadLibraryA converts the ASCII to Unicode and calls LoadLibraryW.
So LoadLibraryA is bad, because calling LoadLibraryW directly bypasses your hook. In fact, hooking any ASCII function with a Unicode counterpart is bad (including the Ex functions). So now we're onto LoadLibraryW, which internally calls LoadLibraryExW, so hooking LoadLibraryW is not too secure either. So we must dig deeper into LoadLibraryExW to find a focus point for all calls to LoadLibrary(A/W) and LoadLibraryEx(A/W), and this leads us to LdrLoadDll inside LoadLibraryExW. This is the reason why I suggested using it, though I'm sure it's probably under a different guise in other Windows versions; it should be easily found if one looks.

Regards, BanMe
	
	
dnsi0 (I post too much)
Posted: Sun Mar 08, 2009 4:19 pm

BanMe wrote:
> Let's see why dnsi0's advice is bad (please, no offense; just using what you said as a stepping stone to explain the matter at hand :])
> Let's say you hook LoadLibraryA...
>
> LoadLibraryA converts the ASCII to Unicode and calls LoadLibraryW.
> So LoadLibraryA is bad, because calling LoadLibraryW directly bypasses your hook. In fact, hooking any ASCII function with a Unicode counterpart is bad (including the Ex functions). So now we're onto LoadLibraryW, which internally calls LoadLibraryExW, so hooking LoadLibraryW is not too secure either. So we must dig deeper into LoadLibraryExW to find a focus point for all calls to LoadLibrary(A/W) and LoadLibraryEx(A/W), and this leads us to LdrLoadDll inside LoadLibraryExW. This is the reason why I suggested using it, though I'm sure it's probably under a different guise in other Windows versions; it should be easily found if one looks.
>
> Regards, BanMe

Wow... You're right... Hooking the thingy right before kernel mode will hook all the other functions. Yeah, my advice was crap.
	
	
Stylo (Grandmaster Cheater Supreme)
Posted: Sun Mar 08, 2009 4:58 pm

Can hooking an API be done in your program, or must it be done in a kernel mode driver? Because I know that you can load the API address into your program and force the API call to jump to some code in your program, but it doesn't block it from using it?!
	
	
BanMe (Master Cheater)
Posted: Sun Mar 08, 2009 6:05 pm

Hooking or code redirection comes in many forms, especially in usermode; something like this should be done in usermode, in the "program" itself, without the need of a kernelmode driver. Sadly, as I am saying this, I will tell you it's not a foolproof method: one can load a DLL without calling LdrLoadDll (I'm pretty sure it's not called with manual mapping; please correct me if I'm wrong). Also one can still hook-hop it with a detection scheme and generalized hook-hopping code. So I say if you're on XP or lower, hook LdrLoadDll, NtCreateSection and BaseThreadStartThunk (or LdrInitializeThunk), and this should be a somewhat decent tactic to employ. Did a little more digging with symbols loaded and could even go a few steps further by hooking LdrpLoadDll, LdrpMapDll and the ones that look the most interesting to me, LdrpCheckForLoadedDll and LdrpRunInitializationRoutines.

Regards, BanMe

Oh, forgot about the OP...
Yes sensa, just in your process. ;}
	
	
&Vage (Grandmaster Cheater Supreme)
Posted: Sun Mar 08, 2009 8:32 pm

OK, so I hooked ZwOpenProcess, since you must get the handle of a process to DLL-inject: CreateRemoteThread, WriteProcessMemory... Correct? But now it also blocks sound for that application.
	
	
BanMe (Master Cheater)
Posted: Sun Mar 08, 2009 9:02 pm

... I'm lost. Why would you hook ZwOpenProcess to get a handle to the process? I don't picture the process calling OpenProcess on itself, sorry. If you're in the process (be it DLL injection or thread injection or whatever) you can use the pseudo handle returned by GetCurrentProcess. My guess is that you are trying to globally hook ZwOpenProcess to prevent the use of OpenProcess on your PID. DarkByte gave an example on how to bypass such a move on this site, in fact, though I can't remember where; I can remember how he said to bypass something like this: pass in the PID XORed with 0x1337, then somewhere after the function prolog and your hook (for integrity checking, if you implement it) place another hook to re-XOR the PID back to the targeted process. And to be honest I have no clue about your sound (maybe it's unplugged).

Regards, BanMe
	