[Source] Anti DLL Injection

**eBoxEvo** · 10-08-11

Code:

#include <windows.h>

DWORD g_dwLoadLibraryAJMP;

/* HOOK FUNCTION */

DWORD WINAPI jumphook( DWORD AddressToPerformJump, DWORD AddressOfMyFunction, DWORD LenghOfTheAreaToPerformTheJump	)
{
	if( LenghOfTheAreaToPerformTheJump < 5 )
		return 0;

	DWORD RelativeJump, 
		  NextInstructionAddress,
		  Flag;

	if ( ! VirtualProtect((LPVOID)AddressToPerformJump, LenghOfTheAreaToPerformTheJump, PAGE_EXECUTE_READWRITE, &Flag) )
		return 0;

	NextInstructionAddress = AddressToPerformJump + LenghOfTheAreaToPerformTheJump;

	*(BYTE*)AddressToPerformJump = 0xE9;

	for( DWORD i = 5; i < LenghOfTheAreaToPerformTheJump; i++)
		*(BYTE*)(AddressToPerformJump+i) = 0x90;

	RelativeJump = AddressOfMyFunction - AddressToPerformJump - 0x5;

	*(DWORD*)(AddressToPerformJump + 0x1) = RelativeJump;

	VirtualProtect((LPVOID)AddressToPerformJump, LenghOfTheAreaToPerformTheJump, Flag, &Flag);

	return NextInstructionAddress; 
}

/* END HOOK FUNCTION */

HMODULE WINAPI hLoadLibraryA( LPCSTR lpLibFileName )
{	
	__asm
	{
		mov eax, dword ptr ss:[esp + 0x18]
		cmp dword ptr ds:[eax-0x12], 0x8B55FF8B
		je erro
	}
	

	if( lpLibFileName )
	{
		if( !strcmp( lpLibFileName, "twain_32.dll" ) )
			__asm jmp g_dwLoadLibraryAJMP
	}			

	return LoadLibraryExA( lpLibFileName, 0, 0 );

erro:

	/* dll injetada */


	ExitProcess( 0 );

	return 0;
}

void ZPerformHooks()
{
	g_dwLoadLibraryAJMP = (DWORD)GetModuleHandle( "kernel32" ) + 0x6E2A1;

	jumphook( (DWORD)LoadLibraryA, (DWORD)&hLoadLibraryA, 57 );
}

**MentaL**

**Forean** · 10-08-11

Details such as 07, 08, and such?

**Joe9099** · 10-08-11

I don't think it wud matter what version of gunz you have, anti dll injection checks the process instead of the runnable I THINK, though im not 100% sure, so yea lol w/e ...

**Rotana** · 10-08-11

i'm 99,99% sure this can be used on all versions. This will block LoadLiberyA.
But its easy to bypass for advance people.

**Forean** · 10-08-11

Originally Posted by Rotana

i'm 99,99% sure this can be used on all versions. This will block LoadLiberyA.
But its easy to bypass for advance people.

Wouldn't blocking LoadLibraryA be a bad thing? Since other dlls use it?

or couldn't you change it to be a different one?

**adz28** · 10-08-11

Like kernel blocking, i guess youre right, this would crash the game, i guess.

**Rotana** · 10-08-11

After this dll is loaded it will block the fuction for the process.
Other dlls such as fmod.dll must be loaded first then inject this to prevent errors.

So you can bypass it by hook your hack/addon on fmod or an d3d9.dll

**steven1234** · 10-08-11

md5 check them lol thanks for this

**eBoxEvo** · 10-08-11

Originally Posted by ForeanXz

Details such as 07, 08, and such?

works on 07 & 08.

**Touchwise** · 10-08-11

Nice but you shouldn't use it as your whole antihack...
Atleast put a MD5 check on it and well with some extra work on this this could grow out to something

**xuxero** · 10-08-11

Nice (Y)

**espanish** · 11-08-11

LOL This is my code, of my guard named Condom Guard, how this will appear here. o_o

**mhmd135** · 11-08-11

does it block dlls like fmod.dll and other ?

**dacharles** · 11-08-11

and what is this?

Code:

mov eax, dword ptr ss:[esp + 0x18]
cmp dword ptr ds:[eax-0x12], 0x8B55FF8B

why he compares that? what is on eax-0x12?

**OJuice** · 19-08-11

great release thanks =)

[Source] Anti DLL Injection

Thread Tools

[Source] Anti DLL Injection

Re: [Source] Anti DLL Injection

Re: [Source] Anti DLL Injection

Re: [Source] Anti DLL Injection

Re: [Source] Anti DLL Injection

Re: [Source] Anti DLL Injection

Re: [Source] Anti DLL Injection

Re: [Source] Anti DLL Injection

Re: [Source] Anti DLL Injection

Re: [Source] Anti DLL Injection

Re: [Source] Anti DLL Injection

Re: [Source] Anti DLL Injection

Re: [Source] Anti DLL Injection

Re: [Source] Anti DLL Injection

Re: [Source] Anti DLL Injection

Advertisement