
Prevent DLL injection from a DLL (C++)

I have some doubts about anti-DLL-injection in C++. I have a C++-based game, and I'm having problems with hackers using DLL injection. So I need to prevent it.

I found the notification hook here:

MSDN - Notification Hooks

But I don't have any idea how to use it.

Is it possible to use a notification hook to prevent DLL injection?

How is it possible? (An example would be better.)

Can it be done from a DLL? (An example would be better.)

Thanks for reading this post.

PS: sorry for my English.

Forget it; unless you do very sophisticated things, it's not going to work. By sophisticated I mean something like the code obfuscation and anti-debugging technology used in Skype. Just look at this talk.

You can spend a ton of time trying to prevent DLL injection; in the end somebody will spend less time than you and circumvent your protection. I think the time would be better invested in an architecture that's more secure and tamperproof (i.e. calculating scores on the server, etc.).

It's a cat-and-mouse game you can't win.

This question is old, but I will briefly answer it in better form for anyone who happens to stumble upon it magically after a proper response.

You cannot fully prevent code injection from within your own process, but you can try to do some tricks without intercepting other processes. It is not recommended, because you need to have experience and knowledge of lower-level tasks, especially to get it working properly without breaking the functionality of your own software, however...

Asynchronous Procedure Calls (APCs) are an implementation from the Windows Kernel. They are primarily used for code injection into other running processes; Windows uses them a lot itself for a variety of things, such as notifications being sent to specific processes. When a user-mode process calls QueueUserApc (KERNEL32), NtQueueApcThread (NTDLL) will be invoked. NtQueueApcThread (NTDLL) will perform a system call which will cause NtQueueApcThread (NTOSKRNL) to be invoked, which is not exported by NTOSKRNL. For anyone wondering, NTOSKRNL is the Windows Kernel, and a system call is nothing more than a transition from user-mode to kernel-mode, since the Native API system routines exist in kernel-mode memory; the NTDLL routines for the NTAPI are system-call stubs which direct control up to the Windows Kernel. When NtQueueApcThread (NTOSKRNL) is called, it'll use KeInitializeApc and KeInsertQueueApc (both do happen to be exported by NTOSKRNL). When the APC is actually issued to the targeted process, KiUserApcDispatcher (NTDLL) will be locally called within the process, unless the APC is performed in a more extensive manner to bypass this activity (99% of the time it will not be prevented). This means that you have an opportunity to intercept this behavior and prevent APC injection into your own process with one single local hook in your own process, via byte-patching (also known as "inline hooking") KiUserApcDispatcher, exported by NTDLL. The only problem you will face is that it is undocumented and not officially supported by Microsoft; you'll need to figure out how the parameters work and how to prevent the callback routine from blocking genuine requests which are needed to provide functionality for your own software. This will, however, include prevention of kernel-mode APC injection, not just user-mode attacks.

There are many ways to inject code into a process, and APC is simply one of them. Another common method would be through remote thread creation. When a user-mode process attacks another process via remote thread creation, it'll typically call CreateRemoteThread (KERNEL32). This will lead down to RtlCreateUserThread (NTDLL), and RtlCreateUserThread will call NtCreateThreadEx (NTDLL). NTDLL will perform a system call and then NtCreateThreadEx (a non-exported routine from the Windows Kernel) will be invoked in kernel-mode memory. In the end, the targeted process will have LdrInitializeThunk locally invoked, and RtlUserThreadStart will also be invoked locally. Both of these routines are exported by NTDLL. This is the same scenario as with APC... You can patch LdrInitializeThunk locally; however, you must do it properly to avoid breaking genuine functionality within your own software.

These two techniques are not foolproof; there is no "foolproof" solution. There are many ways to inject code into a process, and there are very sophisticated methods to bypass said solutions from myself. Anti-virus software has been battling anti-RCE/self-protection for as long as I can remember, as have anti-cheat systems. You should look into kernel-mode device driver development as well; it'll allow you to register kernel-mode callbacks which can help you out.

The first callback you should look into is ObRegisterCallbacks. It allows you to receive a pre-operation callback notification whenever NtOpenProcess is called from the Windows Kernel. This means that user-mode processes will also trigger it, since NtOpenProcess ends up being called in kernel-mode after NTDLL makes the system call. I cannot remember specifically if the callback APIs are triggered in the NtOpenProcess stub itself or if it goes deeper into Ob* kernel-mode-only routines, but you can check at ease with WinDbg with remote kernel debugging, or Interactive Disassembler (target ntoskrnl.exe and use the symbolic links provided by Microsoft). ObRegisterCallbacks supports notifications for both handle creation & duplication for the process and the process's threads; you can strip access rights you don't want permitted for the requested handle.

The second callback you should look into would be PsSetCreateThreadNotifyRoutineEx. This callback routine will allow you to receive a notification whenever a new thread creation occurs on the system; you can filter it for your own process and, if a rogue thread is created, terminate the thread.

The third callback you should look into would be PsSetLoadImageNotifyRoutineEx. This callback will provide a notification whenever a new module is loaded into a process; once again, you can filter for your own process. If you detect a rogue module, you can attempt to have your process call LdrUnloadDll (NTDLL) targeting the base address of the newly loaded image; however, the reference count for the module needs to be 0 for it to be unloaded. In that case, you can try "hacky" methods like calling NtUnmapViewOfSection/NtFreeVirtualMemory. Bear in mind, if you mess up the rogue loaded module and it has set memory byte patches to redirect execution flow to its own routines, unless you restore them, your process will crash when they are referenced.

These are some ideas, commonly the ones typically used. Kernel-mode callbacks are very popular among security software and anti-cheat software. As for thread creation, you'll be interested in mitigating this as much as possible -> if you only look for rogue DLL loads then you'll miss out on reflective DLL loading. Also remember the other code injection methods, like thread hijacking, shared window memory exploitation with ROP chain call exploitation, DLL patching on-disk, etc.
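The answer above describes two kernel-mode callbacks, ObRegisterCallbacks (strip unwanted access rights from handles to your process) and PsSetCreateThreadNotifyRoutineEx (spot threads created in your process by someone else), without showing the decision logic. The following is an added example, not code from the answer or from any anti-cheat product: a portable C model of that policy, so it builds and runs without the Windows Driver Kit. The structs `handle_request` and `thread_event` are constructed stand-ins for the fields of `OB_PRE_OPERATION_INFORMATION` and the thread-notify parameters that the policy needs; a real driver would read those fields in its callback and write the reduced mask back into `DesiredAccess`. The process access-right values are the documented ones from the Windows SDK, redefined locally. It is an assumption of the model that the creator of a new thread can be identified from the callback's execution context (which depends on how the notify routine is registered).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Process access rights. Values are the documented constants from the Windows
 * SDK (winnt.h), redefined here so the model builds without it. */
#define PROCESS_TERMINATE         0x0001u
#define PROCESS_CREATE_THREAD     0x0002u
#define PROCESS_VM_OPERATION      0x0008u
#define PROCESS_VM_READ           0x0010u
#define PROCESS_VM_WRITE          0x0020u
#define PROCESS_DUP_HANDLE        0x0040u
#define PROCESS_QUERY_INFORMATION 0x0400u

/* Rights another process needs to write code into ours or to start it running.
 * Removing these from foreign handles blocks the classic
 * WriteProcessMemory + CreateRemoteThread / QueueUserAPC path. */
#define INJECTION_RIGHTS (PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | \
                          PROCESS_VM_WRITE | PROCESS_DUP_HANDLE)

/* Constructed stand-in for the parts of OB_PRE_OPERATION_INFORMATION the
 * policy needs (hypothetical struct, not the WDK type). */
struct handle_request {
    bool     duplicate;       /* handle duplication rather than creation */
    bool     kernel_handle;   /* request originates in kernel mode */
    uint32_t requester_pid;   /* process opening or duplicating the handle */
    uint32_t target_pid;      /* process the handle refers to */
    uint32_t desired_access;  /* access mask asked for */
};

/* Decide the access actually granted, as a pre-operation callback would by
 * rewriting DesiredAccess. Returns the (possibly reduced) mask. The same rule
 * is applied to create and duplicate, since a duplicated handle carries the
 * same rights as a freshly opened one. */
uint32_t filter_process_access(const struct handle_request *req,
                               uint32_t protected_pid)
{
    /* Handles to other processes are not our business. */
    if (req->target_pid != protected_pid)
        return req->desired_access;
    /* Kernel-mode components must keep full access or the system misbehaves. */
    if (req->kernel_handle)
        return req->desired_access;
    /* A process opening a handle to itself is legitimate. */
    if (req->requester_pid == protected_pid)
        return req->desired_access;
    /* Everyone else loses the rights that enable injection; read-only rights
     * (task managers, crash reporters) are left alone. */
    return req->desired_access & ~INJECTION_RIGHTS;
}

/* Constructed stand-in for what a thread-creation notify routine sees.
 * creator_pid is assumed to come from the callback's execution context. */
struct thread_event {
    bool     create;       /* true on creation, false on exit */
    uint32_t process_id;   /* process the new thread belongs to */
    uint32_t creator_pid;  /* process that issued the create */
};

/* A thread that appears in the protected process but was created by another
 * process is the signature of CreateRemoteThread-style injection; threads the
 * process creates for itself never trip this check. */
bool is_rogue_thread(const struct thread_event *ev, uint32_t protected_pid)
{
    return ev->create &&
           ev->process_id == protected_pid &&
           ev->creator_pid != protected_pid;
}

int main(void)
{
    const uint32_t game_pid = 1000;  /* constructed PID of the protected process */

    /* Constructed request: a foreign process asks for read + write + thread. */
    struct handle_request foreign = { false, false, 4242, game_pid,
        PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD };
    printf("foreign open: requested 0x%04x, granted 0x%04x\n",
           foreign.desired_access, filter_process_access(&foreign, game_pid));

    struct thread_event remote = { true, game_pid, 4242 };
    struct thread_event local  = { true, game_pid, game_pid };
    printf("remote thread rogue: %d, local thread rogue: %d\n",
           is_rogue_thread(&remote, game_pid), is_rogue_thread(&local, game_pid));
    return 0;
}
```

The point of the model is the exemption list: filtering handles to your own process without exempting kernel-mode requests and the process itself is exactly the "blocking genuine requests" failure the answer warns about, and the thread check only fires on creation events whose creator is a different process.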
