How do I prevent DLL injection

Clark Gaebel picture Clark Gaebel · May 15, 2009 · Viewed 38.2k times · Source

So the other day, I saw this:

http://www.edgeofnowhere.cc/viewtopic.php?p=2483118

and it goes over three different methods of DLL injection. How would I prevent these from the process? Or at a bare minimum, how do I prevent the first one?

I was thinking maybe a Ring 0 driver might be the only way to stop all three, but I'd like to see what the community thinks.

Answer

Cthulhon picture Cthulhon · May 15, 2009

The best technical solution would be to do something that causes the loader code to not be able to run properly after your process initializes. One way of doing this is by taking the NT loader lock, which will effectively prevent any loader action from taking place. Other options include patching the loader code directly in memory to make calls to LoadLibrary fail for the attacker (e.g. insert an int3 breakpoint and self-debug to handle expected cases)..

But speaking as a hacker (one who admins the site you linked to, in fact), you're not going to ever stop people from getting code into your process, one way or another. LoadLibrary just happens to be a handy shortcut, but there are tons of different ways to load code manually that you could never hope to stop entirely, short of some extremely involved ring0 code. And even if you do go to ring0, the hackers will be right there beside you.

Also, there are plenty of legitimate uses for DLL injection. Theme programs, accessibility tools, and various programs that extend OS functionality can all potentially use DLL injection to give added functionality to any program.