REBlog
October 19th, 2007, 20:57
Greg Hoglund recently wrote on his website ("http://www.rootkit.com/blog.php?newsid=358") about the game World of Warcraft searching for rogue DLLs in its own process space in order to catch code injected for cheating. This parallels an anti-debugging trick that can be found in malware. Malware authors don't want virus analysts poking around in their malware's process space, so malware will sometimes search for rogue DLLs that an analyst might be using for unpacking, information logging, etc.
You could try to hide your DLL by intercepting calls to Module32First(...)/Module32Next(...) API calls, though this is a more complex solution than is necessary. Quite simply, you could just not use a DLL at all. Here's how:
VirtualAllocEx(...) into the target process's address space.
WriteProcessMemory(...) your relocatable code into the newly allocated memory.
CreateRemoteThread(...) to run the code you injected.
You now have your code injected into the target process, but since you didn't use a DLL, the Module32First(...) and Module32Next(...) API functions can't be used to detect you. For further implementation details, check http://search.msn.com/results.aspx?q=VirtualAllocEx+WriteProcessMemory+CreateRemoteThread
Of course there are still loads of ways to detect the above trick (such as searching for rogue threads), but this raises the bar a bit.
http://malwareanalysis.com/CommunityServer/blogs/geffner/archive/2005/10/15/7.aspx
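The "rogue thread" check the post names as one way to catch this trick, written out as an added example (not code from Geffner's post or from REBlog): a thread whose Win32 start address lies outside every module that Module32First/Module32Next report is exactly what the VirtualAllocEx/WriteProcessMemory/CreateRemoteThread route leaves behind. The core check is portable C; the Windows collection side (Toolhelp snapshot plus NtQueryInformationThread) is compiled only on Windows, and the MAXN buffer size is an arbitrary assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* A module's range as Module32First/Module32Next report it (modBaseAddr, modBaseSize). */
typedef struct { uintptr_t base; size_t size; } module_range_t;
/* Core check: record the index of every thread whose start address lies outside
 * all modules. A thread that CreateRemoteThread started on memory obtained with
 * VirtualAllocEx has no backing module, so it lands here. Returns the count. */
size_t find_rogue_threads(const uintptr_t *starts, size_t nthreads,
                          const module_range_t *mods, size_t nmods,
                          size_t *rogue, size_t cap) {
    size_t n = 0;
    for (size_t t = 0; t < nthreads && n < cap; t++) {
        bool inside = false;
        for (size_t i = 0; i < nmods && !inside; i++)
            inside = starts[t] >= mods[i].base && starts[t] - mods[i].base < mods[i].size;
        if (!inside) rogue[n++] = t;
    }
    return n;
}
#ifdef _WIN32 /* collection side, only meaningful on Windows */
#include <windows.h>
#include <tlhelp32.h>
#define MAXN 1024 /* assumed upper bound on modules/threads per process */
typedef LONG (WINAPI *NtQIT_t)(HANDLE, ULONG, PVOID, ULONG, PULONG);
/* Snapshot pid's modules and threads, resolve each thread's Win32 start address
 * with NtQueryInformationThread, print the rogue ones and return how many (-1 on error). */
int scan_process(DWORD pid) {
    static module_range_t mods[MAXN]; static uintptr_t starts[MAXN]; static size_t idx[MAXN];
    size_t nm = 0, nt = 0;
    NtQIT_t NtQIT = (NtQIT_t)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryInformationThread");
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPTHREAD, pid);
    if (!NtQIT || snap == INVALID_HANDLE_VALUE) return -1;
    MODULEENTRY32 me = { sizeof me };
    for (BOOL ok = Module32First(snap, &me); ok && nm < MAXN; ok = Module32Next(snap, &me))
        mods[nm++] = (module_range_t){ (uintptr_t)me.modBaseAddr, me.modBaseSize };
    THREADENTRY32 te = { sizeof te };
    for (BOOL ok = Thread32First(snap, &te); ok && nt < MAXN; ok = Thread32Next(snap, &te)) {
        if (te.th32OwnerProcessID != pid) continue; /* thread snapshots are system-wide */
        HANDLE h = OpenThread(THREAD_QUERY_INFORMATION, FALSE, te.th32ThreadID);
        PVOID start = NULL; /* info class 9 == ThreadQuerySetWin32StartAddress */
        if (h && NtQIT(h, 9, &start, sizeof start, NULL) == 0) starts[nt++] = (uintptr_t)start;
        if (h) CloseHandle(h);
    }
    CloseHandle(snap);
    size_t n = find_rogue_threads(starts, nt, mods, nm, idx, MAXN);
    for (size_t i = 0; i < n; i++) printf("rogue thread start: %p\n", (void *)starts[idx[i]]);
    return (int)n;
}
#endif
```

Runtimes that generate code at run time (a JIT such as the .NET CLR) also start threads from memory no module backs, so a hit is a lead to inspect rather than a verdict.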