About modules

delphi package - easy access to kernel objects etc.

About modules

Postby pambol » Thu Aug 30, 2018 10:55 pm

How can I detect if a module was injected into a process instead of being loaded by the main process, using madKernel?
pambol
 
Posts: 29
Joined: Sat Jun 23, 2018 1:15 am

Re: About modules

Postby madshi » Fri Aug 31, 2018 4:58 am

You can't really detect that, at least not in any easy way. Injection usually works by e.g. creating a remote thread in a process and the remote thread simply calls LoadLibrary(). So the DLL appears to be loaded by your process.

I can only think of 2 possible things you could detect:

1) You could check if the DLL is loaded dynamically or statically. If it's loaded dynamically, it was loaded by LoadLibrary. If it was loaded statically, that means it was probably loaded by the OS loader. However, some injection methods also make the DLL be loaded by the OS loader. So this is not really a reliable test.

2) You could try to hook LoadLibrary/LdrLoadDll and check if anyone is calling that within your process. That will detect some kinds of injection, but not all. E.g. if the injection is done before your EXE has a chance to install the API hooks, you'll miss the injection. Or if the injection is done in kernel land by making the hook DLL appear statically linked, you will miss that, as well.

So I don't really have a good solution for you.

Maybe the only real way is to maintain a list of which DLLs are supposed to be loaded, and any DLL which isn't in that list, and also isn't a Microsoft system DLL, could then be considered "injected"? But there's a certain danger of false positives if you go that way. So again, no really good solution, either.
madshi
Site Admin
 
Posts: 9821
Joined: Sun Mar 21, 2004 5:25 pm

Re: About modules

Postby pambol » Fri Aug 31, 2018 11:05 pm

I've hooked RtlUserThreadStart to check thread starts (used on inject too), but I think pfnStartAddr should show some address of LoadLibrary, no? But that isn't what it shows.
pambol
 
Posts: 29
Joined: Sat Jun 23, 2018 1:15 am

Re: About modules

Postby madshi » Sat Sep 01, 2018 6:52 am

Starting the injection thread directly on LoadLibrary is one way to do it, another is to copy/write code into the process (VirtualAllocEx + WriteProcessMemory) and start the thread on the address of the allocated code. That code would then call LoadLibrary(Ex) or LdrLoadDll.
madshi
Site Admin
 
Posts: 9821
Joined: Sun Mar 21, 2004 5:25 pm

Re: About modules

Postby pambol » Sat Sep 01, 2018 10:02 pm

Do you know how I can find out if a module (DLL) has been relocated? I see that Process Hacker detects injections using this method.
pambol
 
Posts: 29
Joined: Sat Jun 23, 2018 1:15 am

Re: About modules

Postby madshi » Sun Sep 02, 2018 3:39 pm

That's easy, just compare the actual image base address (which is simply the module handle) to the "preferred" image base address, which is stored in the DLL header.
madshi
Site Admin
 
Posts: 9821
Joined: Sun Mar 21, 2004 5:25 pm

