
I want to know what the possible solutions are to bypass a DLL injection made by a rootkit every time any process is executed (where a global hook on the WH_CALLWNDPROC message is used to detect this).


Based on my case and also on this answer, I already know (and have tested) two alternatives that work 100% to bypass this; they are:

1. UnhookWindowsHookEx

2. Execute my process via another process, with the DEBUG_ONLY_THIS_PROCESS flag using CreateProcess, to receive notifications of DLL loading; when this is detected I take the EntryPoint of the DLL and write something to it, then the DLL is unloaded.


3. Another possible solution could be a TLS callback, as was said in the answer linked above, but I don't know how to implement it (in code) for this purpose of anti-DLL-injection. Does someone know and could give a code example?

Thank you in advance for any suggestion or other alternatives to bypass this way of DLL injection.


EDIT:

I think that the 3rd possible solution enumerated above seems to deserve attention. So I'm searching for an answer with a code example about this: "A process can host a TLS callback, and then it will receive notifications of thread creation. That can intercept thread creation such as what is produced by CreateRemoteThread. If the thread start address is LoadLibrary(), then you have a good indication that someone is about to force-load a DLL." And then block the DLL injection.

  • Keep in mind `UnhookWindowsHookEx` itself can be detoured and replaced by a hostile injectee, along with most other APIs & user-mode functions. –  Nov 17 '18 at 01:13
  • What's the question here, how to un-pwn a pwned machine? That's not going to happen. – IInspectable Nov 17 '18 at 17:09
  • @IInspectable, the question is: does someone have another possible solution to bypass this or, in the negative case, could give a code example about a **TLS** callback to protect against DLL injection? –  Nov 17 '18 at 18:45
  • Consider putting a [bounty](https://stackoverflow.com/help/bounty), I don't think bumping is giving you your desired outcome. – Sertac Akyuz Nov 19 '18 at 12:57
  • if you want an example of how to implement TLS in C++, ask a separate question exactly for this or change the current one – RbMm Nov 20 '18 at 07:51
  • @RbMm, it is done. –  Nov 22 '18 at 12:04
  • note that TLS callbacks are called only on creating a new thread (not including loader worker threads in Win 10); this does not give exactly a DLL load notification. Also a DLL can be injected without creating a new thread too (say via APC). General answer about TLS implementation: https://stackoverflow.com/questions/14538159/about-tls-callback-in-windows/36891752#36891752. However it can also be done more simply – RbMm Nov 22 '18 at 13:00
  • @RbMm, then how could a TLS callback more simply detect `CreateRemoteThread` or `LoadLibrary`? –  Nov 22 '18 at 14:31
  • TLS callbacks do not detect DLL loads. If you use the *C++* runtime, the code is this: https://pastebin.com/PrYZCQFp – RbMm Nov 22 '18 at 15:38
  • @RbMm, then a **TLS** callback is not an efficient solution and must not be recommended. Thank you very much for your comments :-) –  Nov 22 '18 at 17:06
  • if you want to monitor DLL loads, you need [`LdrRegisterDllNotification`](https://learn.microsoft.com/en-us/windows/desktop/devnotes/ldrregisterdllnotification), but of course the callback will be called only if the DLL is loaded the normal way (via `LdrLoadDll`), and anyway what "inject" is, is undefined. This is not a clear concept – RbMm Nov 22 '18 at 18:08
  • @RbMm, is a *TLS* callback able to bypass anything made inside the **CreateProcess** notification routine callback (made by [`PsSetCreateProcessNotifyRoutine`](https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/content/ntddk/nf-ntddk-pssetcreateprocessnotifyroutine)) in kernel mode (like a DLL injection, for example)? –  Nov 27 '18 at 12:44
  • I don't understand the question. A TLS callback is called on thread create/exit and process start/exit. How is this related to calling `CreateProcess`?! And how is this related to a kernel-mode notification on process create? – RbMm Nov 27 '18 at 12:49
  • @RbMm, rootkits exist that call some DLL injection routine inside `PsSetCreateProcessNotifyRoutineEx` when they detect process creation; so if I (in ring 3) use a TLS callback where an inline hook on the `LdrLoadDll` API is executed, for example, will this be able to bypass the DLL injection of the rootkit (since it used the `LdrLoadDll` function for this)? –  Nov 27 '18 at 12:56
  • @RbMm, for example, see the *PsCreateProcessNotifyEx_CB* routine in [**this article**](https://malwaretips.com/threads/developing-your-own-anti-exe-c-device-driver-development.64043/). Several rootkits execute some DLL injection inside this callback. I hope that you can understand better now :-) –  Nov 27 '18 at 13:06
  • [Here](http://www.rohitab.com/discuss/topic/40737-inject-dll-from-kernel-mode/) is code that a rootkit could use to inject a DLL from kernel mode and call the routine inside *PsCreateProcessNotifyEx_CB*. This linked code uses `LdrLoadDll`, so I come back to my previous question: is a TLS callback in a ring 3 application executing an inline hook against the `LdrLoadDll` API able to prevent this type of injection (PsCreateProcessNotifyEx_CB + LdrLoadDll) in kernel mode? –  Nov 27 '18 at 14:13
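An added example (not code from the question, the comments or the linked answer) of the approach RbMm's comment points to: registering a DLL-load notification with `LdrRegisterDllNotification` and checking each loaded module's full path against an allow-list of expected directories. The allow-list and the `MyApp` install path are constructed placeholders; the policy check is portable C, the registration part compiles only on Windows.

```c
#include <stdio.h>
#include <wchar.h>
#include <wctype.h>
/* Constructed allow-list of directories this process expects modules to come from. */
static const wchar_t *const kAllowedDirs[] = {
    L"C:\\Windows\\System32\\",
    L"C:\\Program Files\\MyApp\\",   /* hypothetical install directory of the protected app */
};
/* Case-insensitive "s starts with prefix" (Windows paths are case-insensitive). */
static int has_prefix_ci(const wchar_t *s, const wchar_t *prefix) {
    for (; *prefix; s++, prefix++)
        if (!*s || towlower((wint_t)*s) != towlower((wint_t)*prefix)) return 0;
    return 1;
}
/* Portable policy: returns 1 when a module path lies outside every allowed directory. */
int is_unexpected_module(const wchar_t *full_path) {
    for (size_t i = 0; i < sizeof(kAllowedDirs) / sizeof(kAllowedDirs[0]); i++)
        if (has_prefix_ci(full_path, kAllowedDirs[i])) return 0;
    return 1;
}
#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
/* Types from the LdrRegisterDllNotification documentation; the SDK headers do not declare them. */
typedef struct { ULONG Flags; const UNICODE_STRING *FullDllName; const UNICODE_STRING *BaseDllName;
                 PVOID DllBase; ULONG SizeOfImage; } LDR_DLL_LOADED_NOTIFICATION_DATA;
typedef union { LDR_DLL_LOADED_NOTIFICATION_DATA Loaded, Unloaded; } LDR_DLL_NOTIFICATION_DATA;
#define LDR_DLL_NOTIFICATION_REASON_LOADED 1
typedef VOID (CALLBACK *PLDR_DLL_NOTIFICATION_FUNCTION)(ULONG, const LDR_DLL_NOTIFICATION_DATA *, PVOID);
typedef NTSTATUS (NTAPI *LdrRegisterDllNotification_t)(ULONG, PLDR_DLL_NOTIFICATION_FUNCTION, PVOID, PVOID *);
/* Run by the loader for every load/unload that goes through LdrLoadDll. The loader lock is
   held here, so only inspect and report; never load or free libraries from this callback. */
static VOID CALLBACK on_dll_event(ULONG reason, const LDR_DLL_NOTIFICATION_DATA *d, PVOID ctx) {
    wchar_t path[MAX_PATH + 1]; size_t n; (void)ctx;
    if (reason != LDR_DLL_NOTIFICATION_REASON_LOADED) return;
    n = d->Loaded.FullDllName->Length / sizeof(wchar_t);  /* UNICODE_STRING is not NUL-terminated */
    if (n > MAX_PATH) n = MAX_PATH;
    wmemcpy(path, d->Loaded.FullDllName->Buffer, n); path[n] = L'\0';
    if (is_unexpected_module(path))
        fwprintf(stderr, L"[dll-monitor] unexpected module loaded: %ls\n", path);
}
/* Registers the callback; returns 1 on success (the cookie is what LdrUnregisterDllNotification takes). */
int install_dll_load_monitor(void) {
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll"); PVOID cookie = NULL;
    LdrRegisterDllNotification_t reg = ntdll
        ? (LdrRegisterDllNotification_t)GetProcAddress(ntdll, "LdrRegisterDllNotification") : NULL;
    return reg != NULL && reg(0, on_dll_event, NULL, &cookie) == 0;
}
#endif
```

As the comment above says, only loads that pass through the normal loader path produce a notification; an image mapped into the process by other means is never reported, so this is a detection aid, not a guarantee.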

1 Answer


I think it's unnecessary to keep looking for different alternatives; instead, use the alternatives you have already found, such as UnhookWindowsHookEx. If you want, just try out the TLS callback anyway.

LukeyBear
  • Based on the comments of @RbMm, a **TLS** callback is not a solution. It seems that only items **1** and **2** (see my question above) are. –  Nov 27 '18 at 01:55