Monday, March 21, 2011

Anti Dll Injection

DLL injection is a dangerous technique whose purpose is executing code inside another process's address space, which is typical malware behaviour. Doing it is quite simple; the best-known way is to open the target process with OpenProcess() to get a handle, use VirtualAllocEx() to allocate memory in the target process, use WriteProcessMemory() to write the DLL's name into that memory, and then call CreateRemoteThread():

HANDLE WINAPI CreateRemoteThread(
  __in   HANDLE hProcess,                        // handle obtained with OpenProcess()
  __in   LPSECURITY_ATTRIBUTES lpThreadAttributes,
  __in   SIZE_T dwStackSize,
  __in   LPTHREAD_START_ROUTINE lpStartAddress,  // routine the new thread runs in the target process
  __in   LPVOID lpParameter,                     // single argument passed to that routine
  __in   DWORD dwCreationFlags,
  __out  LPDWORD lpThreadId
);

Monday, March 14, 2011

The Anti Attach

Well, it's been a long time, but today I'm going to write about a feature that is very important when one wants to improve one's software's security against reverse engineering.

The protection mechanism consists of hooking DbgUiRemoteBreakin in ntdll.dll, an API that most well-known debuggers cause to be called IN THE TARGET PROCESS when they attach to a running process; the idea of hooking it is to execute our own code instead of the breakpoint.

Here is the original DbgUiRemoteBreakin: