防止DLL注入不成功
http://www.rohitab.com/discuss/index.php?showtopic=29440
A very simple way how to protect our prog. from being injected by a dll... There are other ways too (for example a a ssdt hook (LdrLoadLibrary, RtlCreateUserThread...), or something...).
code:
CODE// ANTI DLL INJECTION by _FIL73R_
#include <windows.h>
BOOLEAN BlockAPI (HANDLE,CHAR *,CHAR *);
void AntiInject ();
/****************/
main()
{
CreateThread (0,0, (LPTHREAD_START_ROUTINE)AntiInject, 0, 0, 0);
while (TRUE); // loop forever... now to try and inject
}
/****************/
void AntiInject ()
{
HANDLE hProc = GetCurrentProcess();
while (TRUE) {
BlockAPI(hProc, "NTDLL.DLL", "LdrLoadDll");
Sleep (100);
}
}
BOOLEAN BlockAPI (HANDLE hProcess, CHAR *libName, CHAR *apiName)
{
CHAR pRet[]={0xC3};
HINSTANCE hLib = NULL;
VOID *pAddr = NULL;
BOOL bRet = FALSE;
DWORD dwRet = 0;
hLib = LoadLibrary (libName);
if (hLib) {
pAddr = (VOID*)GetProcAddress (hLib, apiName);
if (pAddr) {
if (WriteProcessMemory (hProcess,
(LPVOID)pAddr,
(LPCVOID)pRet,
sizeof (pRet),
&dwRet )) {
if (dwRet) {
bRet = TRUE;
}
}
}
FreeLibrary (hLib);
}
return bRet;
}
这是网上找来的,但是我用建立远程线程对其注入DLL,照样能注入啊。它的意思 是不是改成Ntdll.dll的导出函数LdrLoadDll的函数头字节为0x3c,导致调用LoadLibrary和LoadLibraryEx失败啊。