Basic Anti-Dll Injection VB.Net

Killpot

Yo.

OG source from Scripter4Ever; however, I've updated it to VB.Net standards and cleaned it up.



Code:
Imports System
Imports System.Diagnostics
Imports System.Runtime.InteropServices

Public Class AntiInjection

    ' GetProcAddress has no Unicode variant and takes an ANSI export name, so it must be
    ' marshalled with CharSet.Ansi; with CharSet.Auto the name is passed as UTF-16 and the
    ' lookup silently returns IntPtr.Zero.
    <DllImport("kernel32", CharSet:=CharSet.Ansi, SetLastError:=True)>
    Private Shared Function GetProcAddress(
            ByVal ModuleHandle As IntPtr,
            ByVal ProcName As String) As IntPtr
    End Function

    <DllImport("kernel32", CharSet:=CharSet.Auto, SetLastError:=True)>
    Private Shared Function GetModuleHandle(
            ByVal lpModuleName As String) As IntPtr
    End Function

    <DllImport("kernel32", CharSet:=CharSet.Auto, SetLastError:=True)>
    Private Shared Function WriteProcessMemory(
            ByVal hProcess As IntPtr,
            ByVal lpBaseAddress As IntPtr,
            ByVal lpBuffer As Byte(),
            ByVal nSize As UInteger,
            ByRef lpNumberOfBytesWritten As UInteger) As Boolean
    End Function

    ' Overwrites the first four bytes of LoadLibraryA/W with "ret 4 ; nop" (C2 04 00 90).
    ' "ret 4" pops the single 4-byte stack argument of the stdcall LoadLibrary, so the stub
    ' is only correct for a 32-bit (x86) process; x64 passes the argument in a register and
    ' "ret 4" would unbalance the stack there.
    Public Shared Sub AntiDll()
        Dim stub As Byte() = {&HC2, &H4, &H0, &H90}
        Dim written As UInteger = 0
        ' The module handle is passed through as IntPtr; the CInt() cast in the original
        ' truncates the handle in a 64-bit process.
        Dim kernel32 As IntPtr = GetModuleHandle("kernel32")
        Dim LoadLibraryA As IntPtr = GetProcAddress(kernel32, "LoadLibraryA")
        Dim LoadLibraryW As IntPtr = GetProcAddress(kernel32, "LoadLibraryW")
        Dim hProcess As IntPtr = Process.GetCurrentProcess().Handle
        If LoadLibraryA <> IntPtr.Zero Then WriteProcessMemory(hProcess, LoadLibraryA, stub, CUInt(stub.Length), written)
        If LoadLibraryW <> IntPtr.Zero Then WriteProcessMemory(hProcess, LoadLibraryW, stub, CUInt(stub.Length), written)
    End Sub
End Class



This is what either of the LoadLibrary entry points looks like before execution of the code:

[image UO4ZsTz.png: LoadLibrary entry point before patching]

This is what it looks like after:

[image qWjABXu.png: LoadLibrary entry point after patching]


The first statement of LoadLibrary was just replaced by a return statement, causing any dll injector using LoadLibrary to fail (because when LoadLibrary is being called, it just returns without loading the actual dll into the process).

Hope you guys enjoy. I wouldn't rely on this too much though, as it'd be fairly easy to reverse, but nonetheless it gets the concept across.
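As an added example (not part of the original post or Scripter4Ever's source), here is the reverse view: a check that reads back the first bytes of LoadLibraryA and LoadLibraryW in the current process and reports whether the entry point now begins with a return instruction, which is how a patched export like the one above shows up to an integrity check. It assumes the same kernel32 P/Invoke declarations and that the code pages are readable, which they are for loaded modules.

```vb
Imports System
Imports System.Runtime.InteropServices

' Added example: detect a return stub written over the LoadLibrary exports.
Public Module LoadLibraryIntegrity

    ' GetProcAddress takes an ANSI export name; CharSet.Ansi avoids a UTF-16 string.
    <DllImport("kernel32", CharSet:=CharSet.Ansi, SetLastError:=True)>
    Private Function GetProcAddress(ByVal hModule As IntPtr, ByVal procName As String) As IntPtr
    End Function

    <DllImport("kernel32", CharSet:=CharSet.Auto, SetLastError:=True)>
    Private Function GetModuleHandle(ByVal lpModuleName As String) As IntPtr
    End Function

    ' Copies the first `count` bytes of a kernel32 export out of the current process,
    ' or returns Nothing when the export cannot be resolved.
    Public Function ReadEntryBytes(ByVal exportName As String, ByVal count As Integer) As Byte()
        Dim kernel32 As IntPtr = GetModuleHandle("kernel32")
        Dim entry As IntPtr = GetProcAddress(kernel32, exportName)
        If entry = IntPtr.Zero Then Return Nothing
        Dim buf(count - 1) As Byte
        Marshal.Copy(entry, buf, 0, count)
        Return buf
    End Function

    ' True when the entry point starts with a return (C3 = ret, C2 xx xx = ret imm16),
    ' e.g. the C2 04 00 90 stub from the post; a genuine LoadLibrary prologue never
    ' begins with ret, so this flags the patch regardless of the bytes that follow.
    Public Function IsEntryPatched(ByVal exportName As String) As Boolean
        Dim head As Byte() = ReadEntryBytes(exportName, 4)
        If head Is Nothing Then Return False
        Return head(0) = &HC3 OrElse head(0) = &HC2
    End Function

    Sub Main()
        For Each name In {"LoadLibraryA", "LoadLibraryW"}
            Dim state As String = If(IsEntryPatched(name), "patched (ret at entry)", "prologue intact")
            Console.WriteLine("{0}: {1}", name, state)
        Next
    End Sub
End Module
```

Run it once before and once after calling AntiDll() in the same process to see the two states; a loader that wants to keep the check honest should compare the bytes against a copy of kernel32 on disk rather than trusting the in-memory image alone.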