LoadLibrary

  1. #1
    gazettefan (Enthusiast; rank: Member; joined Feb 2009; 49 posts)

    LoadLibrary

    Hello there guys, I'm having this trouble, you see: I need to make an anti-DLL-injection, so I tried all the stuff in the world, even a new function, AddSecureMemoryCacheCallback, but I ended up detouring LoadLibrary. Yeah, don't blame me. My function is:
    Code:
    #include <windows.h>
    // CDetour is the poster's own detour helper class (not shown in the thread)

    // Hard-coded address of kernel32!LoadLibraryA on one particular Windows build;
    // it differs between Windows versions and service packs
    const unsigned long kerneladdress = 0x7c801d7b;
    int sinject = 0;
    CDetour Kernel__Detour;

    // declared without LoadLibraryA's parameter here; the poster corrects that later in the thread
    bool __stdcall Kernel__Hook() {
        if (sinject < 1) {
            sinject++;
            Kernel__Detour.Ret(false); //prevents my own dll from not being injected
        }
        //MessageBoxA(0,"a","c",MB_OK);
        Kernel__Detour.Ret(false);

        return 0;
    } // closing brace was missing in the original post

    void startdetours(HINSTANCE bModule)
    {
        Kernel__Detour.Detour((unsigned char*)kerneladdress, (unsigned char*)Kernel__Hook, true);
        Kernel__Detour.Apply();
        // void function: the original's "return 1;" would not compile
    }

    // DLL entry point ("dllmain... dllattach:" in the original post)
    BOOL APIENTRY DllMain(HINSTANCE hModule, DWORD dwReason, LPVOID lpReserved)
    {
        if (dwReason == DLL_PROCESS_ATTACH)
            startdetours(hModule);
        return TRUE;
    }
    This is a valid function and returns false for any calling DLL, so that injection fails.
    That address is from LoadLibraryA. I thought of detouring CreateThreadEx, but in the end it was a bad idea.

    What happens is that the process (theduel) crashes because I call the detouring too early, before the process has loaded a lot of other modules and other stuff which doesn't matter. If I change it to:
    Code:
    CreateThread(0, 0, (LPTHREAD_START_ROUTINE)startdetours, hModule, 0, 0);
    //now injection will be completed without calling the function at injection time
    and add
    Code:
    Sleep(12000); //time enough for the game to start
    it would work perfectly. The problem is that people still can inject DLLs while the game is starting.

    OK, now for another big problem. I've been programming my own client for my own server now, and I've done a lot of things, although I could not manage to change the ZChatOutput color.

    Whatever color I input, it still displays in orange.
    I even tried:
    Code:
    DWORD ncolor = D3DCOLOR_ARGB(255, 0, 0, 0);
    printf("%x\n", ncolor); //shows 0xff000000
    ZChatOutput("balablab", 2, 0, ncolor);
    //or
    ZChatOutput("balablab", 2, 0, 0xff000000);
    or tried the MCOLOR struct I saw in GunZ dumps:

    Code:
    struct MCOLOR {
        BYTE A;
        BYTE R;
        BYTE G;
        BYTE B;
    }; // semicolon was missing in the original post

    DWORD ZChatOutputAddress = 0; // address of the client's ZChatOutput from the dump (placeholder here)

    void ZChatOutput(char* msg, int btype, int loc, MCOLOR color)
    {
        // assumes the target cleans its own stack (__stdcall);
        // a __cdecl target would need "ADD ESP, 16" after the CALL
        __asm
        {
            MOV EAX, ZChatOutputAddress
            PUSH color   // 4-byte struct pushed by value
            PUSH loc
            PUSH btype
            PUSH msg
            CALL EAX
        }
    }

    void blablabla() {
        MCOLOR mclr;
        mclr.A = 255;
        mclr.R = 0;
        mclr.G = 0;
        mclr.B = 0;
        ZChatOutput("const char", 2, 0, mclr);
    }
    but WHATEVER I DO, it still displays orange. Wth is wrong with GunZ?
    How can I change the ZChatOutput color? @_@
    I'm using the 2007 client.

    Thanks to anyone who can help me!


  2. #2
    Phoenix (rank: Moderator; joined Mar 2009; 6,890 posts)

    Re: LoadLibrary


  3. #3
    Incognitos (Apprentice; rank: Member; joined Sep 2011; 7 posts)

    Re: LoadLibrary

    1) Can't think of anything off the top of my head. Attempt to check how many DLLs are being loaded first via LoadLibrary, but be warned: the entire thing can be bypassed just by a simple JNE change.

    2) Try this
    Code:
    DWORD ulZChatOutputAddress = 0; // address of the client's ZChatOutput (placeholder)

    struct MCOLOR
    {
         char r;
         char g;
         char b;
         char a; //note the location of this 4th char
    };

    void ZChatOutput(const char* szMessage, MCOLOR& msgColor)
    {
        __asm
        {
            MOV EAX, ulZChatOutputAddress
            MOV ECX, msgColor      // msgColor is a reference, so its name yields the struct's address
            PUSH DWORD PTR [ECX]   // push the four colour bytes by value (the original pushed the address)
            PUSH 0
            PUSH 0
            PUSH szMessage
            CALL EAX
        }
    }

    void OnActivate(void)
    {
        MCOLOR msgColor;
        msgColor.r = 0;
        msgColor.g = 255;
        msgColor.b = 0;
        msgColor.a = 255;
        ZChatOutput("Hello, World!", msgColor);
    }
    I'm sorry if I am wrong; I am new to this whole game.
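    As an added example (not code from the thread), here is what the callee sees after `PUSH color` for the two 4-byte struct layouts tried in posts #1 and #3, next to the `D3DCOLOR_ARGB` value the original poster printed: on x86 the first struct member lands in the lowest byte of the dword, so only a {b,g,r,a} ordering reproduces 0xAARRGGBB. The struct names and the sample channel values are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same packing as D3DCOLOR_ARGB in d3d9types.h: one 32-bit value laid out as 0xAARRGGBB. */
#define D3DCOLOR_ARGB(a, r, g, b) \
    ((uint32_t)((((a) & 0xffu) << 24) | (((r) & 0xffu) << 16) | (((g) & 0xffu) << 8) | ((b) & 0xffu)))

/* The two layouts tried in the thread, plus the one that matches the memory image of a
   D3DCOLOR on a little-endian CPU (the lowest byte of 0xAARRGGBB is stored first). */
struct mcolor_argb { uint8_t A, R, G, B; };   /* post #1 */
struct mcolor_rgba { uint8_t r, g, b, a; };   /* post #3 */
struct mcolor_bgra { uint8_t b, g, r, a; };   /* memory image of a D3DCOLOR, little-endian */

int is_little_endian(void) { uint16_t probe = 1; uint8_t lo; memcpy(&lo, &probe, 1); return lo == 1; }

/* Reinterpret any 4-byte struct as the DWORD the callee receives after "PUSH color". */
static uint32_t as_dword(const void *four_bytes) { uint32_t v; memcpy(&v, four_bytes, sizeof v); return v; }

uint32_t argb_struct_dword(uint8_t a, uint8_t r, uint8_t g, uint8_t b)
{ struct mcolor_argb c = { a, r, g, b }; return as_dword(&c); }
uint32_t rgba_struct_dword(uint8_t a, uint8_t r, uint8_t g, uint8_t b)
{ struct mcolor_rgba c = { r, g, b, a }; return as_dword(&c); }
uint32_t bgra_struct_dword(uint8_t a, uint8_t r, uint8_t g, uint8_t b)
{ struct mcolor_bgra c = { b, g, r, a }; return as_dword(&c); }

int main(void)
{
    /* constructed sample with four distinct channel values so every ordering is visible */
    uint32_t want = D3DCOLOR_ARGB(0x11, 0x22, 0x33, 0x44);   /* 0x11223344 */
    printf("D3DCOLOR_ARGB    : %08x\n", (unsigned)want);
    printf("struct {A,R,G,B} : %08x\n", (unsigned)argb_struct_dword(0x11, 0x22, 0x33, 0x44));
    printf("struct {r,g,b,a} : %08x\n", (unsigned)rgba_struct_dword(0x11, 0x22, 0x33, 0x44));
    printf("struct {b,g,r,a} : %08x\n", (unsigned)bgra_struct_dword(0x11, 0x22, 0x33, 0x44));
    /* opaque black from post #1: through {A,R,G,B} it arrives as alpha 0, blue 255 */
    printf("opaque black via {A,R,G,B}: %08x\n", (unsigned)argb_struct_dword(255, 0, 0, 0));
    return 0;
}
```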

  4. #4
    gazettefan (Enthusiast; rank: Member; joined Feb 2009; 49 posts)

    Re: LoadLibrary

    Quote Originally Posted by Incognitos View Post
    1) Can't think of anything off the top of my head. Attempt to check how many DLLs are being loaded first via LoadLibrary, but be warned: the entire thing can be bypassed just by a simple JNE change.

    2) Try this
    Code:
    DWORD ulZChatOutputAddress = 0; // address of the client's ZChatOutput (placeholder)

    struct MCOLOR
    {
         char r;
         char g;
         char b;
         char a; //note the location of this 4th char
    };

    void ZChatOutput(const char* szMessage, MCOLOR& msgColor)
    {
        __asm
        {
            MOV EAX, ulZChatOutputAddress
            MOV ECX, msgColor      // msgColor is a reference, so its name yields the struct's address
            PUSH DWORD PTR [ECX]   // push the four colour bytes by value (the original pushed the address)
            PUSH 0
            PUSH 0
            PUSH szMessage
            CALL EAX
        }
    }

    void OnActivate(void)
    {
        MCOLOR msgColor;
        msgColor.r = 0;
        msgColor.g = 255;
        msgColor.b = 0;
        msgColor.a = 255;
        ZChatOutput("Hello, World!", msgColor);
    }
    I'm sorry if I am wrong; I am new to this whole game.
    The OnActivate didn't work, but counting how many DLLs are injected was a great idea (since system DLLs do not count)! And yes, I know about that; I'll think of a better idea to implement DLL injection detection.
    Thank you!

  5. #5
    ThePhailure772 ("Mako is insane."; rank: Member; joined Sep 2007; 1,115 posts)

    Re: LoadLibrary

    No matter what you do, you can't stop DLL injection.

  6. #6
    gazettefan (Enthusiast; rank: Member; joined Feb 2009; 49 posts)

    Re: LoadLibrary

    Yes, you're right, but adding protections is always good. BTW, I was making a foolish mistake: when we detour something, we must use the full parameters of the function, so the correct code is:

    Code:
    CDetour KernelDetour;
    // LoadLibraryA has one parameter (LPCSTR lpLibFileName), so the hook declares it too
    bool __stdcall KernelHook(char *dwLibrary){

        // the original had an unbalanced parenthesis on this line;
        // note that strcmp is case-sensitive and dwLibrary may be a full path rather than a bare file name
        if(strcmp("alloweddll.dll", dwLibrary) != 0)
            return(false);

        return(true); // allowed module (the original fell off the end without returning)
    }
    It was simple as that =D
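    As an added example (not the thread's code), here is a portable version of the allowlist check from post #6 that handles the cases a plain strcmp() misses: LoadLibraryA may be handed a full path with either separator, Windows compares file names case-insensitively, and a name with no extension has ".dll" appended by the loader. The allowlist contents are constructed for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Constructed allowlist for this example; a real one would hold the client's own modules. */
static const char *const kAllowedModules[] = { "alloweddll.dll", "d3d9.dll" };

/* LoadLibraryA may be handed a full path with either separator; keep only the file name. */
static const char *module_basename(const char *path)
{
    const char *base = path;
    for (const char *p = path; *p != '\0'; ++p)
        if (*p == '\\' || *p == '/')
            base = p + 1;
    return base;
}

/* Case-insensitive compare of n bytes; both strings are known to be at least n long. */
static int equal_nocase_n(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; ++i)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

static int name_matches(const char *name, const char *allowed)
{
    size_t n = strlen(name), m = strlen(allowed);
    if (n == m)
        return equal_nocase_n(name, allowed, n);
    /* the loader appends ".dll" to a name with no extension, so "alloweddll" means "alloweddll.dll" */
    if (strchr(name, '.') == NULL && m == n + 4)
        return equal_nocase_n(name, allowed, n) && equal_nocase_n(allowed + n, ".dll", 4);
    return 0;
}

/* Replacement for the strcmp() test in post #6: 1 = let the load proceed, 0 = refuse it. */
int is_allowed_library(const char *lpLibFileName)
{
    if (lpLibFileName == NULL)
        return 0;
    const char *name = module_basename(lpLibFileName);
    if (*name == '\0')                       /* "C:\dir\" names no module at all */
        return 0;
    for (size_t i = 0; i < sizeof kAllowedModules / sizeof kAllowedModules[0]; ++i)
        if (name_matches(name, kAllowedModules[i]))
            return 1;
    return 0;
}
```

    As ThePhailure772 points out further down, a name allowlist only stops naive injectors: renaming the module or patching the compare defeats it, and loads that go through LoadLibraryW or LoadLibraryExA/W never pass through a hook on LoadLibraryA at all.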

  7. #7
    ThePhailure772 ("Mako is insane."; rank: Member; joined Sep 2007; 1,115 posts)

    Re: LoadLibrary

    Quote Originally Posted by gazettefan View Post
    Yes, you're right, but adding protections is always good. BTW, I was making a foolish mistake: when we detour something, we must use the full parameters of the function, so the correct code is:

    Code:
    CDetour KernelDetour;
    // LoadLibraryA has one parameter (LPCSTR lpLibFileName), so the hook declares it too
    bool __stdcall KernelHook(char *dwLibrary){

        // the original had an unbalanced parenthesis on this line;
        // note that strcmp is case-sensitive and dwLibrary may be a full path rather than a bare file name
        if(strcmp("alloweddll.dll", dwLibrary) != 0)
            return(false);

        return(true); // allowed module (the original fell off the end without returning)
    }
    It was simple as that =D
    What happens if I open your protection in olly and just rename my module to a white listed one?

  8. #8
    gazettefan (Enthusiast; rank: Member; joined Feb 2009; 49 posts)

    Re: LoadLibrary

    Then you would have bypassed a simple function.

    You know yourself that there are hundreds of ways to block something; maybe all of them can be bypassed, but because they can, I will not use them?

    I did a lot of things, like checking the module base address; you can get the return address from the called function, in this case LoadLibrary, to know if it has been loaded from outside, and blah blah blah.

    What's the point of your question?

    I mean, http://forum.ragezone.com/5861003-post11.html
    I made the topic to get help, and then wth @ your posts?
    Last edited by gazettefan; 02-10-11 at 05:55 AM.

  9. #9
    ThePhailure772 ("Mako is insane."; rank: Member; joined Sep 2007; 1,115 posts)

    Re: LoadLibrary

    Quote Originally Posted by gazettefan View Post
    Then you would have bypassed a simple function.

    You know yourself that there are hundreds of ways to block something; maybe all of them can be bypassed, but because they can, I will not use them?

    I did a lot of things, like checking the module base address; you can get the return address from the called function, in this case LoadLibrary, to know if it has been loaded from outside, and blah blah blah.

    What's the point of your question?

    I mean, http://forum.ragezone.com/5861003-post11.html
    I made the topic to get help, and then wth @ your posts?
    Quote Originally Posted by gazettefan View Post
    Hello there guys, I'm having this trouble, you see: I need to make an anti-DLL-injection, so I tried all the stuff in the world, even a new function, AddSecureMemoryCacheCallback, but I ended up detouring LoadLibrary. Yeah, don't blame me. My function is:
    I'm simply stating a fact: you can't block DLL injection, so this is a waste of time. Why not look into more advanced techniques, like removing the entire code section and accessing a dynamically constructed one?
