Detect or prevent DLL injections (eg via CreateRemoteThread)

Question

I am looking for a c# method to add to my winforms app which can either:

a. Detect any loaded modules/dlls that shouldnt be there. Or,

b. (Preferably) totally prevent a dll injection. I've reviewed this article which is helpful, but doesnt provide the actual code to defend against CreateRemoteThread, SetWindowsHookEx or Code Cave.

EDIT

I was thinking of a background thread running code like the following. I am quite new to the topic so please excuse my naivety

    var trustedModules = new[] {"kernel32.dll", "user32.dll", "etc"};

    var intrusionDetected =
        Process.GetCurrentProcess()
            .Modules.Cast<ProcessModule>()
            .Any(module => !trustedModules.Contains(module.FileName.ToLowerInvariant()));

    if (intrusionDetected)
    {
        // do something
    }

Well the problem about C# is that you can just reflect the application and remove all your checks, even if you obfuscate it then it's fairly easy to get rid of any "security" like that. — Bauss, Aug 16 '15 at 12:00
@Bauss. Thanks for your comment and I 100% agree and understand. I would still like to add as many safeguards as possible even if they can be bypassed. — David, Aug 16 '15 at 12:02
One simple roadblock you can add is to change the permissions on your process. — Harry Johnston, Aug 16 '15 at 21:02
@HarryJohnston Please can you elaborate on that.. How do you change process permissions? — David, Aug 16 '15 at 21:05
There's [C code here](http://stackoverflow.com/a/10575889/886887). Should be relatively straightforward to port to C#. That question was about preventing the process from being terminated, but it should also prevent thread injection. (Of course the attacker can change the permissions back, once they've realized they need to do so.) — Harry Johnston, Aug 16 '15 at 21:10
Building your "trusted modules" list will not be so easy. You have to account for antivirus software, possibly Explorer extensions (in open/save dialogs), future Windows components/dependencies, etc. — nobody, Aug 20 '15 at 02:14

score 7 · Accepted Answer · answered Aug 16 '15 at 18:10

For A, there is no easy way to do this. It is esssentially a cat-and-mouse game between detection versus obfusication techniques. Documenting them all is way outside the scope of an SO answer. To get you started, you will want to research various techniques to:

Monitor thread creation (hard on a managed application with the CLR framework potentially creating threads behind your back).
Monitor changes to the PEB (includes watching for loaded modules).
Scan your address space for unexpected memory pages marked with page Execute.
Employ debugger detection techniques (not just calling Debbugger.IsAttached)
Use code signing and encryption to help prevent static modifications or replacments to your binaries.
Don't run if the OS is in "Test mode" (which allows unsigned drivers to run).

And then without any kind of server component, or a dynamic challenge response system, just be aware that all of your protections can be defeated given enough time.

The short answer on B is that code injection is explicitly supported by the Windows operation system, so there isn't any simple method that you can add to your program to prevent it.

score 1 · Answer 2 · answered Aug 20 '17 at 14:35

Why not hook LoadLibrary ?... Also you can find out Open Handles of application using ntdll.dll undocumented API's or check path of load modules to prevent hooks that works by placing DLL file in you application root path.

I recommend you browse communities that talk about how to create undetectable cheats for games. So you can find what the ways they follow to make hacks undetectable or how anti-cheats like VAC works. Anyway you can't protect 100% your application from dll injection or other bad things.

Detect or prevent DLL injections (eg via CreateRemoteThread)

2 Answers2