DLL Hiding

[nitrogrlie]

Here is some code originally developed by Darawk that I tweaked to work with Win 7 and to be used as it's own loaded DLL that will successfully "cloak" a DLL of your choosing by unlinking it from four various DataLoader LIST_ENTRIES. Lots of credits to Darawk.

Code:

// This modification is based on Darawk's CloakDll instrumentation with
// some tweaks from me to get it working on Windows 7 and through the
// use of my own DLL

//              CloakDll - by Darawk
//        Featured @ www.RealmGX.com & www.Darawk.com
//
//   The purpose of CloakDll is to allow the user to hide any loaded
//   module from the windows API.  It works by accessing the modules
//   list stored in the PEB, and subsequently unlinking the module
//   in question from all 4 of the doubly-linked lists that it's a
//   node of.  It then zeroes out the structure and the path/file
//   name of the module in memory.  So that even if the memory where
//   the data about this module used to reside is scanned there will
//   still be no conclusive evidence of it's existence.  At present
//   there is only one weakness that I have found in this method.
//   I'll describe how it may still be possible to discover at least
//   that a module has been hidden, after a brief introduction to how
//   the GetModuleHandle function works.
//
//   *The following information is not documented by Microsoft.  This
//    information consists of my findings while reverse-engineering
//    these functions and some of them may be incorrect and/or
//    subject to change at any time(and is almost definitely different
//    in different versions of windows, and maybe even in different
//    service packs).  I've tried to make my code as version independant
//    as possible but certain parts of it may not work on older versions
//    of windows.  I've tested it on XP SP2 and there i'll guarantee
//    that it works, but on any other versions of windows, it's anyone's
//    guess.*
//
//   GetModuleHandle eventually calls GetModuleHandleExW, which in
//   turn accesses the native API function GetDllHandle, which calls
//   GetDllHandleEx.  And it's not until here, that we actually see
//   anything even begin to look up information about loaded modules.
//   Whenever GetModuleHandle is called, it saves the address of the
//   last ModuleInfoNode structure that it found in a global variable
//   inside of ntdll.  This global variable is the first thing
//   checked on all subsequent calls to GetModuleHandle.  If the
//   handle being requested is not the one that was requested the last
//   time GetDllHandleEx calls the LdrpCheckForLoadedDll function.
//   LdrpCheckForLoadedDll begins by converting the first letter of the
//   module name being requested to uppercase, decrementing it by 1 and
//   AND'ing it with 0x1F.  This effectively creates a 0-based index
//   beginning with the letter 'A'.  The purpose of this is so that
//   the module can first be looked up in a hash table.  The hash table
//   consists entirely of LIST_ENTRY structures.  One for each letter
//   'A' through 'Z'.  The LIST_ENTRY structure points to the first
//   and last modules loaded that begin with the letter assigned to
//   that entry in the hash table.  The Flink member being the first
//   loaded beginning with that letter, and the Blink member being the
//   last.  The code scans through this list until it finds the module
//   that it's looking for.  On the off-chance that it doesn't find it
//   there, or if the boolean argument UseLdrpHashTable is set to false
//   it will begin going through one of the other three lists.  If, at
//   this point it still doesn't find it, it will admit defeat and return
//   0 for the module handle.
//
//   Weakness:  The global variable inside ntdll that caches the pointer
//   to the last module looked up could be used to at least detect the
//   fact that a module has been hidden.  The LdrUnloadDll() function
//   will set this value to 0 when it unloads a module, so if the cache
//   variable points to an empty structure, the only logical conclusion
//   would be a hidden module somewhere in the process.  This could be
//   resolved by using the static address of this variable and simply
//   zeroing it out.  However, this would make the code specific to only
//   one version of windows.  You could also scan the address space of
//   ntdll for any occurences of the base address(aka module handle)
//   of the module you're hiding.  However, this would be slow and it
//   would clutter up the CloakDll_stub function, because it'd have to
//   all be done manually.  And i'd have to either use a static base
//   address for ntdll...which would probably work on most versions
//   of windows, however I really don't like using static addresses.
//   Or i'd have to manually locate it by writing my own unicode
//   string comparison code, to lookup ntdll in the list by it's name.
//   Realistically though anyone trying to detect this way would run
//   into the same problem.  That their code would not be version
//   independant.  So, it's unlikely to see any largescale deployment
//   of such a technique.  However, anyone who would like to solve
//   this problem themselves is perfectly free, and encouraged to do
//   so. 

#include <windows.h>
#include <winnt.h>
#include <tlhelp32.h>
#include <shlwapi.h>
#include <stdio.h>

#pragma comment(lib, "shlwapi.lib")

#define UPPERCASE(x) if((x) >= 'a' && (x) <= 'z') (x) -= 'a' - 'A'
#define UNLINK(x) (x).Blink->Flink = (x).Flink; \
	(x).Flink->Blink = (x).Blink;

#pragma pack(push, 1)
typedef struct _UNICODE_STRING {
  USHORT  Length;
  USHORT  MaximumLength;
  PWSTR  Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

typedef struct _ModuleInfoNode
{
	LIST_ENTRY LoadOrder;
	LIST_ENTRY InitOrder;
	LIST_ENTRY MemoryOrder;
	HMODULE baseAddress;		//	Base address AKA module handle
	unsigned long entryPoint;
	unsigned int size;			//	Size of the modules image
	UNICODE_STRING fullPath;
	UNICODE_STRING name;
	unsigned long flags;
	unsigned short LoadCount;
	unsigned short TlsIndex;
	LIST_ENTRY HashTable;	//	A linked list of any other modules that have the same first letter
	unsigned long timestamp;
} ModuleInfoNode, *pModuleInfoNode;

typedef struct _ProcessModuleInfo
{
	unsigned int size;			//	Size of a ModuleInfo node?
	unsigned int initialized;
	HANDLE SsHandle;
	LIST_ENTRY LoadOrder;
	LIST_ENTRY InitOrder;
	LIST_ENTRY MemoryOrder;
} ProcessModuleInfo, *pProcessModuleInfo;
#pragma pack(pop)

// Forward prototypes
void CloakDll( HMODULE hMod );
bool CloakModule( ModuleInfoNode * module );

// Globals
HMODULE hDLL = 0;

// Define the DLL's main function
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ulReason, LPVOID lpReserved) {
    // Get rid of compiler warnings since we do not use this parameter
    UNREFERENCED_PARAMETER(lpReserved);

	switch( ulReason ) {
    // If we are attaching to a process
	case DLL_PROCESS_ATTACH:
		//MessageBox(0, "DLL Locked and Loaded.", "DLL Injection Works!", 0);
		hDLL = hModule;
		break;
	case DLL_THREAD_ATTACH:
		break;
	case DLL_THREAD_DETACH:
		break;
	case DLL_PROCESS_DETACH:
		break;
    }

    return (TRUE);
}

extern "C" __declspec(dllexport) void Initialize() {
	DWORD ThreadID;
	CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)&CloakDll, GetModuleHandle("GDI32.dll"), 0, &ThreadID);
}

void CloakDll(HMODULE hMod) {
	ProcessModuleInfo *pmInfo;
	ModuleInfoNode *module;

	_asm {
		mov eax, fs:[18h]		// TEB
		mov eax, [eax + 30h]	// PEB
		mov eax, [eax + 0Ch]	// PROCESS_MODULE_INFO
		mov pmInfo, eax
	}

	ModuleInfoNode* origModule = 0, *tohideModule = 0;

	module = (ModuleInfoNode *)(pmInfo->LoadOrder.Flink);
	while( module->baseAddress ) {
		if( module->baseAddress == hMod ) {
			tohideModule = module;
		} 
		else if ( module->baseAddress == hDLL ) {
			origModule = module;
		}
		module = (ModuleInfoNode *)(module->LoadOrder.Flink);
	}

	// Cloak the modules, if we found them, call return true/false but I don't check
	// not sure why you would necessarily want to
	CloakModule( origModule );
	CloakModule( tohideModule );

	// Check our work by printing all the modules for the PE we are injected
	FILE * file;
	file = fopen("C:\\Users\\Public\\Cloak.txt", "w");
	module = (ModuleInfoNode *)(pmInfo->LoadOrder.Flink);
	while(module->baseAddress) {
		fprintf(file, "Module: %S\n", module->fullPath.Buffer);
		fflush(file);
		module = (ModuleInfoNode *)(module->LoadOrder.Flink);
	}

	// Close our file handles
	fflush(file);
	fclose(file);

	// Exit our thread and free our DLL
	if( hDLL ) {
		__asm {
	      push -2
	      push 0
	      push hDLL
	      mov eax, TerminateThread
	      push eax
	      mov eax, FreeLibrary
	      jmp eax
	   	} 
	}
}

bool CloakModule( ModuleInfoNode * module ) {
	// Quick error checking in-case some module wasn't found
	if( module->baseAddress ) {
		//	Remove the module entry from the list here
		///////////////////////////////////////////////////	
		//	Unlink from the load order list
		UNLINK(module->LoadOrder);
		//	Unlink from the init order list
		UNLINK(module->InitOrder);
		//	Unlink from the memory order list
		UNLINK(module->MemoryOrder);
		//	Unlink from the hash table
		UNLINK(module->HashTable);

		//	This code will pretty much always be optimized into a rep stosb/stosd pair
		//	so it shouldn't cause problems for relocation.
		//	Zero out the module name
		DWORD oldProt;
		VirtualProtect(module->fullPath.Buffer, module->fullPath.Length, PAGE_READWRITE, &oldProt);
		memset(module->fullPath.Buffer, 0, module->fullPath.Length);
		VirtualProtect(module->fullPath.Buffer, module->fullPath.Length, oldProt, &oldProt);
		//	Zero out the memory of this module's node
		VirtualProtect(module, sizeof(ModuleInfoNode), PAGE_READWRITE, &oldProt);
		memset(module, 0, sizeof(ModuleInfoNode));	
		VirtualProtect(module, sizeof(ModuleInfoNode), oldProt, &oldProt);
		return true;
	}
	return false;
}

[Cypher]

This can be defeated by calling NtQueryVirtualMemory with MemorySectionName information class. Unlinking this way does nothing to protect the file mapping object stored in the kernel, the aforementioned API allows you retrieve the path to the file mapping, hence giving you the path to the DLL.

Also, Warden doesn't use the linked lists to detect DLLs, it uses VirtualQuery to enumerate all memory regions then uses data hashing.

In short:
This is useless unless you also hook NtQueryVirtualMemory to hide both your memory pages and your section object.

[nitrogrlie]

This can be defeated by calling NtQueryVirtualMemory with MemorySectionName information class. Unlinking this way does nothing to protect the file mapping object stored in the kernel, the aforementioned API allows you retrieve the path to the file mapping, hence giving you the path to the DLL.

Also, Warden doesn't use the linked lists to detect DLLs, it uses VirtualQuery to enumerate all memory regions then uses data hashing.

In short:
This is useless unless you also hook NtQueryVirtualMemory to hide both your memory pages and your section object.

Sorry Cypher, but this goes a little bit into things that I don't understand that fully. I understand what you are saying but a quick test showed otherwise.

For example, i added the code to check those memory regions:

Code:

MEMORY_BASIC_INFORMATION mbi;
	VirtualQuery(tohideModule->baseAddress, &mbi, sizeof(MEMORY_BASIC_INFORMATION));
	SIZE_T retSize = VirtualQuery(origModule->baseAddress, &mbi, sizeof(MEMORY_BASIC_INFORMATION32));
	fprintf(file, "Size     : %d\n", retSize);
	fprintf(file, "BaseAddr : %p\n", mbi.BaseAddress);
	fprintf(file, "AllocBase: %p\n", mbi.AllocationBase);
	fprintf(file, "AllocProt: %08x\n", mbi.AllocationProtect);
	fprintf(file, "State    : %08x\n", mbi.State);

and it generated the following info:

Code:

Size     : 28
BaseAddr : 00000000
AllocBase: 00000000
AllocProt: 00000000
State    : 00010000

State 0x10000 means MEM_FREE, so how would Warden find info from this? Could you please explain why this is or am i doing something wrong? And be nice if possible, at this point I'll be learning.

[Cypher]

Sorry Cypher, but this goes a little bit into things that I don't understand that fully. I understand what you are saying but a quick test showed otherwise.

For example, i added the code to check those memory regions:

Code:

MEMORY_BASIC_INFORMATION mbi;
	VirtualQuery(tohideModule->baseAddress, &mbi, sizeof(MEMORY_BASIC_INFORMATION));
	SIZE_T retSize = VirtualQuery(origModule->baseAddress, &mbi, sizeof(MEMORY_BASIC_INFORMATION32));
	fprintf(file, "Size     : %d\n", retSize);
	fprintf(file, "BaseAddr : %p\n", mbi.BaseAddress);
	fprintf(file, "AllocBase: %p\n", mbi.AllocationBase);
	fprintf(file, "AllocProt: %08x\n", mbi.AllocationProtect);
	fprintf(file, "State    : %08x\n", mbi.State);

and it generated the following info:

Code:

Size     : 28
BaseAddr : 00000000
AllocBase: 00000000
AllocProt: 00000000
State    : 00010000

State 0x10000 means MEM_FREE, so how would Warden find info from this? Could you please explain why this is or am i doing something wrong? And be nice if possible, at this point I'll be learning.

Unlinking the module wouldn't cause the memory to be marked as free. The VADs have nothing to do with whether the module is linked into the process or not.

Think about it, if the memory really was MEM_FREE, and that was without the data being modified by an API hook, then it would be impossible for any code to run. Because THERES NOTHING IN THE MEMORY!

You've ****ed up the test I'm sorry to say. It's as simple as that.

You MUST hook NtQueryVirtualMemory if you want to protect your memory from Warden scans.

If you send me your DLL (just a stripped down version that unlinks itself and does something like display a message box) I will write my own tool to find it if you want. Just to prove that you are indeed ****ing up the test.

However, I feel that should be unnecessary.

If you think about it, what you're describing is an obvious impossibility. (If you tried to execute code in memory marked as MEM_FREE an exception would be thrown and the process would crash)

[nitrogrlie]

I agree with you, there is no such things as completely undetectable. This is potentially possible from one application to another though. I did send you the whole DLL stripped down to a commented out MessageBox in the first code post. Copy/paste compile. The only thing missing is the DLL injector. Regarding me ****ing up the test, it's highly possible. I haven't used VirtualMemory() before today so chances are I am using it wrong. You seem to have knowledge on the topic so everything you can share I will gladly learn. For example, I though Nt* calls were for kernel-space only (although I might be confusing them witn Zw*). AFAIK, Warden cannot access kernel-space nor loads its own driver.

[Cypher]

The native API is available in usermode. It's just a thin wrapper around the kermode implementation.

Also, I think you've missed the point of my post.

I know for a fact you've ****ed up your test somehow. It is IMPOSSIBLE for the memory to be marked as free like that if you haven't hooked the API or manually changed the VADs.

At any rate, your code currently does not defend against Warden's DLL scanning functions, as they use the VADs not the module list in order to find modules.

Whilst they currently don't use the file mapping trick I outlined it's a very real possibility (VAC does it I think??).

Anyway, I'll reiterate my original point just to make sure we're clear.
Unless you hook NtQueryVirtualMemory and handle the MemoryBasicInformation (and 'optionally' MemorySectionName) class(es), this will NOT protect you from Warden.

[suicidity]

His original post, if I'm not mistaken, was an attempt to "Cloak" a DLL. Now I may be mistaken, but I don't see any claims against protection from Anti-Cheats..

So it's unclear why you're attacking him for that, it doesn't matter if it can protect from Anti-Cheats or not because that was not his intention. Rather if his code is broken, it would make more sense to point out where he might have made a mistake.

[Cypher]

His original post, if I'm not mistaken, was an attempt to "Cloak" a DLL. Now I may be mistaken, but I don't see any claims against protection from Anti-Cheats..

So it's unclear why you're attacking him for that, it doesn't matter if it can protect from Anti-Cheats or not because that was not his intention. Rather if his code is broken, it would make more sense to point out where he might have made a mistake.

Well, lets review:
1. He's posted this in a forum section dedicated to hacking games.
2. He's posted code designed to hide a module.
3. Module injection is very commonly used when writing cheats.
4. Anti-cheat software tries to detect modules in order to detect said cheats.

Now, I can not see any reason anyone would want to 'hide' a DLL unless they had something to hide from. Given that this section is based around games and anti-cheat software, the only logical conclusion is that he's trying to hide from anti-cheat software.

Seemed to me like a perfectly reasonable assumption to make.

Also, I DID point out where he made a mistake. Showing him that in order to "cloak" a DLL you need to implement some API hooks, otherwise its trivial to retrieve all the information he's trying to hide.

The original post said the purpose of the code is to hide stuff from the Windows API. Well, without hooking the API I mentioned, it's impossible to hide the module path, and it's impossible to hide the module VADs. With neither of those things being protected the original code is fairly pointless as a defence against... well... anything.

EDIT:

Also, just because I'm being honest and frank, doesn't mean I'm 'attacking' him, it just means I really cbf sugar coating it.

[nitrogrlie]

I know for a fact you've ****ed up your test somehow. It is IMPOSSIBLE for the memory to be marked as free like that if you haven't hooked the API or manually changed the VADs.

So I modified the checking code slightly and I'm still wondering why I get the results I get. The information is correct prior to the "UNLINK" and module memory zeroing. This is the code I use when injecting into Launcher.exe for WoW for testing purposes.

Here is the DLL code:

Code:

#include <windows.h>
#include <winnt.h>
#include <WinBase.h>
#include <tlhelp32.h>
#include <shlwapi.h>
#include <stdio.h>

#pragma comment(lib, "shlwapi.lib")

#define UPPERCASE(x) if((x) >= 'a' && (x) <= 'z') (x) -= 'a' - 'A'
#define UNLINK(x) (x).Blink->Flink = (x).Flink; \
	(x).Flink->Blink = (x).Blink;

#pragma pack(push, 1)
typedef struct _UNICODE_STRING {
  USHORT  Length;
  USHORT  MaximumLength;
  PWSTR  Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

typedef struct _ModuleInfoNode
{
	LIST_ENTRY LoadOrder;
	LIST_ENTRY InitOrder;
	LIST_ENTRY MemoryOrder;
	HMODULE baseAddress;		//	Base address AKA module handle
	unsigned long entryPoint;
	unsigned int size;			//	Size of the modules image
	UNICODE_STRING fullPath;
	UNICODE_STRING name;
	unsigned long flags;
	unsigned short LoadCount;
	unsigned short TlsIndex;
	LIST_ENTRY HashTable;	//	A linked list of any other modules that have the same first letter
	unsigned long timestamp;
} ModuleInfoNode, *pModuleInfoNode;

typedef struct _ProcessModuleInfo
{
	unsigned int size;			//	Size of a ModuleInfo node?
	unsigned int initialized;
	HANDLE SsHandle;
	LIST_ENTRY LoadOrder;
	LIST_ENTRY InitOrder;
	LIST_ENTRY MemoryOrder;
} ProcessModuleInfo, *pProcessModuleInfo;
#pragma pack(pop)

// Forward prototypes
void CloakDll( HMODULE hMod );
bool CloakModule( ModuleInfoNode * module );
void CheckModule(FILE * file, ModuleInfoNode * module);

// Globals
HMODULE hDLL = 0;

// Define the DLL's main function
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ulReason, LPVOID lpReserved) {
    // Get rid of compiler warnings since we do not use this parameter
    UNREFERENCED_PARAMETER(lpReserved);

	switch( ulReason ) {
    // If we are attaching to a process
	case DLL_PROCESS_ATTACH:
		//MessageBox(0, "DLL Locked and Loaded.", "DLL Injection Works!", 0);
		hDLL = hModule;
		break;
	case DLL_THREAD_ATTACH:
		break;
	case DLL_THREAD_DETACH:
		break;
	case DLL_PROCESS_DETACH:
		break;
    }

    return (TRUE);
}

extern "C" __declspec(dllexport) void Initialize() {
	DWORD ThreadID;
	CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)&CloakDll, GetModuleHandle("GDI32.dll"), 0, &ThreadID);
}

void CloakDll(HMODULE hMod) {
	ProcessModuleInfo *pmInfo;
	ModuleInfoNode *module;

	_asm {
		mov eax, fs:[18h]		// TEB
		mov eax, [eax + 30h]	// PEB
		mov eax, [eax + 0Ch]	// PROCESS_MODULE_INFO
		mov pmInfo, eax
	}

	ModuleInfoNode* origModule = 0, *tohideModule = 0;

	module = (ModuleInfoNode *)(pmInfo->LoadOrder.Flink);
	while( module->baseAddress ) {
		if( module->baseAddress == hMod ) {
			tohideModule = module;
		} 
		else if ( module->baseAddress == hDLL ) {
			origModule = module;
		}
		module = (ModuleInfoNode *)(module->LoadOrder.Flink);
	}

	FILE * file;
	file = fopen("C:\\Users\\Public\\Cloak.txt", "w");
	module = (ModuleInfoNode *)(pmInfo->LoadOrder.Flink);
	
	// Check our Modules - should be there and fine
	CheckModule(file, origModule);
	CheckModule(file, tohideModule);

	// Cloak the modules, if we found them, call return true/false but I don't check
	// not sure why you would necessarily want to
	CloakModule( origModule );
	CloakModule( tohideModule );

	// Check our work by printing all the modules for the PE we are injected
	module = (ModuleInfoNode *)(pmInfo->LoadOrder.Flink);
	while(module->baseAddress) {
		fprintf(file, "Module: %S\n", module->fullPath.Buffer);
		fflush(file);
		module = (ModuleInfoNode *)(module->LoadOrder.Flink);
	}

	module = (ModuleInfoNode *)(pmInfo->LoadOrder.Flink);
	
	// Check our Modules
	CheckModule(file, origModule);
	CheckModule(file, tohideModule);

	// Close our file handles
	fflush(file);
	fclose(file);

	// Exit our thread and free our DLL
	if( hDLL ) {
		__asm {
	      push -2
	      push 0
	      push hDLL
	      mov eax, TerminateThread
	      push eax
	      mov eax, FreeLibrary
	      jmp eax
	   	} 
	}
}

bool CloakModule( ModuleInfoNode * module ) {
	// Quick error checking in-case some module wasn't found
	if( module->baseAddress ) {
		//	Remove the module entry from the list here
		///////////////////////////////////////////////////	
		//	Unlink from the load order list
		UNLINK(module->LoadOrder);
		//	Unlink from the init order list
		UNLINK(module->InitOrder);
		//	Unlink from the memory order list
		UNLINK(module->MemoryOrder);
		//	Unlink from the hash table
		UNLINK(module->HashTable);

		//	This code will pretty much always be optimized into a rep stosb/stosd pair
		//	so it shouldn't cause problems for relocation.
		//	Zero out the module name
		DWORD oldProt;
		VirtualProtect(module->fullPath.Buffer, module->fullPath.Length, PAGE_READWRITE, &oldProt);
		memset(module->fullPath.Buffer, 0, module->fullPath.Length);
		VirtualProtect(module->fullPath.Buffer, module->fullPath.Length, oldProt, &oldProt);
		//	Zero out the memory of this module's node
		VirtualProtect(module, sizeof(ModuleInfoNode), PAGE_READWRITE, &oldProt);
		memset(module, 0, sizeof(ModuleInfoNode));	
		VirtualProtect(module, sizeof(ModuleInfoNode), oldProt, &oldProt);
		return true;
	}
	return false;
}

void CheckModule(FILE * file, ModuleInfoNode * module){
	MEMORY_BASIC_INFORMATION mbi;
	DWORD oldProt;
	VirtualProtect(module->baseAddress, module->size, PAGE_READWRITE, &oldProt);
	SIZE_T retSize = VirtualQuery(module->baseAddress, &mbi, sizeof(MEMORY_BASIC_INFORMATION));
	fprintf(file, "\n===================================================================\n");
	fprintf(file, "Checking Module: '%S'\n", module->fullPath.Buffer);
	fprintf(file, "Size           : %d\n", retSize);
	fprintf(file, "BaseAddr       : %p\n", mbi.BaseAddress);
	fprintf(file, "AllocBase      : %p\n", mbi.AllocationBase);
	fprintf(file, "AllocProt      : %08x\n", mbi.AllocationProtect);
	fprintf(file, "State          : %08x\n", mbi.State);
	fprintf(file, "RegionSize     : %d\n", mbi.RegionSize);
	fprintf(file, "Type           : %08x\n", mbi.Type);
	VirtualProtect(module->baseAddress, module->size, oldProt, &oldProt);
	fprintf(file, "\n");
}

Here are the results that get written to a file:

Code:

===================================================================
Checking Module: 'C:\Users\<name>\Documents\Visual Studio 10\Projects\SomeProject\Release\MyDLL.dll'
Size           : 28
BaseAddr       : 5EEE0000
AllocBase      : 5EEE0000
AllocProt      : 00000080
State          : 00001000
RegionSize     : 94208
Type           : 01000000


===================================================================
Checking Module: 'C:\Windows\syswow64\GDI32.dll'
Size           : 28
BaseAddr       : 75A90000
AllocBase      : 75A90000
AllocProt      : 00000080
State          : 00001000
RegionSize     : 4096
Type           : 01000000

Module: C:\Users\Public\Public Games\World of Warcraft\Launcher.exe
Module: C:\Windows\SysWOW64\ntdll.dll
Module: C:\Windows\syswow64\kernel32.dll
Module: C:\Windows\syswow64\KERNELBASE.dll
Module: C:\Windows\system32\iphlpapi.dll
Module: C:\Windows\syswow64\msvcrt.dll
Module: C:\Windows\syswow64\NSI.dll
Module: C:\Windows\system32\WINNSI.DLL
Module: C:\Windows\syswow64\RPCRT4.dll
Module: C:\Windows\syswow64\SspiCli.dll
Module: C:\Windows\syswow64\CRYPTBASE.dll
Module: C:\Windows\SysWOW64\sechost.dll
Module: C:\Windows\syswow64\USER32.dll
Module: C:\Windows\syswow64\LPK.dll
Module: C:\Windows\syswow64\USP10.dll
Module: C:\Windows\syswow64\ADVAPI32.dll
Module: C:\Windows\system32\MSIMG32.dll
Module: C:\Windows\syswow64\comdlg32.dll
Module: C:\Windows\syswow64\SHLWAPI.dll
Module: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\COMCTL32.dll
Module: C:\Windows\syswow64\SHELL32.dll
Module: C:\Windows\system32\WINSPOOL.DRV
Module: C:\Windows\system32\oledlg.dll
Module: C:\Windows\syswow64\ole32.dll
Module: C:\Windows\syswow64\OLEAUT32.dll
Module: C:\Windows\syswow64\WS2_32.dll
Module: C:\Windows\syswow64\WININET.dll
Module: C:\Windows\syswow64\Normaliz.dll
Module: C:\Windows\syswow64\urlmon.dll
Module: C:\Windows\syswow64\CRYPT32.dll
Module: C:\Windows\syswow64\MSASN1.dll
Module: C:\Windows\syswow64\iertutil.dll
Module: C:\Windows\system32\VERSION.dll
Module: C:\Windows\system32\apphelp.dll
Module: C:\Windows\AppPatch\AcLayers.DLL
Module: C:\Windows\system32\USERENV.dll
Module: C:\Windows\system32\profapi.dll
Module: C:\Windows\system32\MPR.dll
Module: C:\Windows\system32\IMM32.DLL
Module: C:\Windows\syswow64\MSCTF.dll
Module: C:\Windows\system32\uxtheme.dll
Module: C:\Windows\system32\CRYPTSP.dll
Module: C:\Windows\system32\rsaenh.dll
Module: C:\Windows\system32\asycfilt.dll
Module: C:\Windows\syswow64\SETUPAPI.dll
Module: C:\Windows\syswow64\CFGMGR32.dll
Module: C:\Windows\syswow64\DEVOBJ.dll
Module: C:\Windows\syswow64\CLBCatQ.DLL
Module: C:\Windows\system32\propsys.dll
Module: C:\Windows\system32\ntmarta.dll
Module: C:\Windows\syswow64\WLDAP32.dll
Module: C:\Windows\system32\dwmapi.dll
Module: C:\Windows\SysWOW64\ieframe.dll
Module: C:\Windows\syswow64\PSAPI.DLL
Module: C:\Windows\SysWOW64\OLEACC.dll
Module: C:\Windows\system32\LINKINFO.dll
Module: C:\Windows\system32\SXS.DLL
Module: C:\Windows\system32\dnsapi.DLL
Module: C:\Windows\system32\RASAPI32.dll
Module: C:\Windows\system32\rasman.dll
Module: C:\Windows\system32\rtutils.dll
Module: C:\Windows\system32\sensapi.dll
Module: C:\Windows\system32\NLAapi.dll
Module: C:\Windows\system32\rasadhlp.dll
Module: C:\Windows\System32\mswsock.dll
Module: C:\Windows\System32\winrnr.dll
Module: C:\Windows\system32\napinsp.dll
Module: C:\Windows\system32\pnrpnsp.dll
Module: C:\Windows\System32\wshtcpip.dll
Module: C:\Windows\System32\wship6.dll
Module: C:\Windows\system32\peerdist.dll
Module: C:\Windows\system32\AUTHZ.dll
Module: C:\Windows\System32\fwpuclnt.dll
Module: C:\Windows\system32\MLANG.dll
Module: C:\Windows\SysWOW64\mshtml.dll
Module: C:\Windows\SysWOW64\msls31.dll
Module: C:\Windows\system32\msimtf.dll
Module: C:\Windows\SysWOW64\jscript.dll
Module: C:\Windows\system32\RpcRtRemote.dll
Module: C:\Windows\SysWow64\Macromed\Flash\Flash10c.ocx
Module: C:\Windows\system32\WINMM.dll
Module: C:\Windows\system32\mscms.dll
Module: C:\Windows\system32\MMDevAPI.DLL
Module: C:\Windows\system32\wdmaud.drv
Module: C:\Windows\system32\ksuser.dll
Module: C:\Windows\system32\AVRT.dll
Module: C:\Windows\system32\AUDIOSES.DLL
Module: C:\Windows\system32\msacm32.drv
Module: C:\Windows\system32\MSACM32.dll
Module: C:\Windows\system32\midimap.dll
Module: C:\Windows\system32\MSVCR100D.dll

===================================================================
Checking Module: '(null)'
Size           : 28
BaseAddr       : 00000000
AllocBase      : 00000000
AllocProt      : 00000000
State          : 00010000
RegionSize     : 65536
Type           : 00000000


===================================================================
Checking Module: '(null)'
Size           : 28
BaseAddr       : 00000000
AllocBase      : 00000000
AllocProt      : 00000000
State          : 00010000
RegionSize     : 65536
Type           : 00000000

EDIT: and I should qualify that I'm not claiming this will defeat NtQueryVirtualMemory(), but it does take care of VirtualQuery()

EDIT # 2: I started playing with using NtQueryVirtualMemory() to detect the module here is the code I came up with:

Code:

void checkNtQueryVirtualMemory(FILE * file, ModuleInfoNode * module) {
	typedef enum _MEMORYINFOCLASS {
	    MemoryBasicInformation = 0,
		MemoryWorkingSetList,
		MemorySectionName,
		MemoryBasicVlmInformation
	} MEMORYINFOCLASS;

	// Messing with NtQueryVirtualMemory
	typedef NTSTATUS (WINAPI * NtQueryVirtualMemoryPtr) (
		HANDLE				ProcessHandle,
		PVOID				BaseAddress,
		MEMORYINFOCLASS 	MemoryBasicClass,
		PVOID				Buffer,
		ULONG				MemoryInformationLength,
		PULONG				ReturnLength
	);

	typedef struct {
		UNICODE_STRING SectionFileName;
		WCHAR NameBuffer[ANYSIZE_ARRAY];
	} MEMORY_SECTION_NAME, *PMEMORY_SECTION_NAME;


	NtQueryVirtualMemoryPtr NtQueryVirtualMemory;
	NTSTATUS ntStatus;
	HMODULE hNTDLL;
	MEMORY_BASIC_INFORMATION mbi;
	MEMORY_SECTION_NAME msn;
	
	hNTDLL = LoadLibraryA("ntdll.dll");
	NtQueryVirtualMemory = (NtQueryVirtualMemoryPtr)GetProcAddress(hNTDLL, "NtQueryVirtualMemory");
	ntStatus = NtQueryVirtualMemory(
		GetCurrentProcess(),
		module->baseAddress,
		MemoryBasicInformation,
		&mbi,
		sizeof(MEMORY_BASIC_INFORMATION),
		NULL
		);
	if( !ntStatus ) {
		fprintf(file, "\nNtQueryVirtualMemory - Memory Basic Information\n");
		fprintf(file, "===================================================================\n");
		fprintf(file, "Checking Module: '%S'\n", module->fullPath.Buffer);
		fprintf(file, "BaseAddr       : %p\n", mbi.BaseAddress);
		fprintf(file, "AllocBase      : %p\n", mbi.AllocationBase);
		fprintf(file, "AllocProt      : %08x\n", mbi.AllocationProtect);
		fprintf(file, "State          : %08x\n", mbi.State);
		fprintf(file, "RegionSize     : %d\n", mbi.RegionSize);
		fprintf(file, "Type           : %08x\n", mbi.Type);
	}

	NtQueryVirtualMemory = (NtQueryVirtualMemoryPtr)GetProcAddress(hNTDLL, "NtQueryVirtualMemory");
	ntStatus = NtQueryVirtualMemory(
		GetCurrentProcess(),
		module->baseAddress,
		MemorySectionName,
		&msn,
		sizeof(MEMORY_SECTION_NAME),
		NULL
		);

	fprintf(file, "ntStatus: 0x%08x\n", ntStatus);
	if( !ntStatus ) {
		fprintf(file, "\nNtQueryVirtualMemory - Memory Section Name\n");
		fprintf(file, "===================================================================\n");
		fprintf(file, "Name: '%S'\n", msn.SectionFileName.Buffer);
	}
}

For MemoryBasicInformation, it gives the same results as VirtualQuery(), which it should because isn't one the wrapper around the other?
For MemorySectionName I get a NT_ERROR, so not sure what I do wrong there. Ideas?
here is the Output from those:

Code:

NtQueryVirtualMemory - Memory Basic Information
===================================================================
Checking Module: '(null)'
BaseAddr       : 00000000
AllocBase      : 00000000
AllocProt      : 00000000
State          : 00010000
RegionSize     : 65536
Type           : 00000000
ntStatus: 0xc0000141

EDIT #3: I fixed MemorySectionName to work, wasn't setting a large enough structure. So the first time I run it, before UNLINK happens I get:

Code:

NtQueryVirtualMemory - Memory Section Name
===================================================================
Name: '\Device\HarddiskVolume2\Windows\SysWOW64\gdi32.dll'

After UNLINK I get a NTSTATUS error 0xc0000141, which is proper because according to ntstatus.h:

Code:

#define STATUS_INVALID_ADDRESS           ((NTSTATUS) 0xC0000141)

So looks like the UNLINK works just fine. Now, regarding the VAD (Virtual Address Descriptor), I've never looked at that stuff before, but from everything I've seen so far they require kernel-level access (usually via a driver). Does Warden use a driver?

[Cypher]

Hey.

Sorry for using confusing terminology. VADs are accessible from usermode, in fact, you've been using them a lot recently. Where do you think VirtualQuery gets its info?

I still stand by my original point, which is that you're "DOINITWRONG" somehow.

Sorry to be so "its so because i say it is", but I'm at a net cafe atm waiting for a dental appointment, however when I get home I"ll whip up some sample code for you.

After my dental appointment I'm going to the shops to pick up my copy of MW2, then I'm going rockclimbing with a friend. After all that, and once I get home and answer all the MSN messages I'm sure have built up over the last 24 hours, I'll be sure to jump back on and take care of this.

I have no idea why you're getting the results you are, but it should be interesting to find out why.

By the way, I gave your code a skim and noticed something. Check out the FreeLibraryAndExitThread API, it will fix the potential race condition in yoru code (and will allow you to get rid of that nasty inline ASM block).

Oh, I just remembered, I'll probably be releasing an updated version of my module hiding stuff designed to protect against the stuff I'm talking about, I'll be sure to do tests at the same time and code up some sample applications to prove the difference.

[BoogieManTM]

After my dental appointment I'm going to the shops to pick up my copy of MW2, then I'm going rockclimbing with a friend. After all that, and once I get home and answer all the MSN messages I'm sure have built up over the last 24 hours, I'll be sure to jump back on and take care of this.

Blah, how the hell do you get MW2 before us? no fair! P.S, I went to MSN you just to cause you a little more grief, but you're not online

[Cypher]

Blah, how the hell do you get MW2 before us? no fair! P.S, I went to MSN you just to cause you a little more grief, but you're not online

I'm not online?

****, that's not a good sign.

Sigh, I bet my net dropped out again. Piece of shit modem has been on the fritz the last few days. I've been hoping the problems will **** off but apparently not.

I'll order a new one when I get home.

Also, I'm quite late to the MW2 party as far as "foaming at the mouth FPS players" (another ZP reference) like myself go. I was actually gonna turn up to the midnight launch about 12 hours ago, but it clashed with a previous engagement.

Also, maybe you're getting it later because you're buying it online?

I know the Steam release date is the 12th, whilst retail date is the 10th.

Usually I buy on Steam, but for both the aforementioned reason, and for the fact that it's a lot more expensive (Activision are price gouging *******s when it comes to Australians buying games online), I'm not going to (it's a Steam game under the hood anyway though, so I don't lose any of the integration that I love).

P.S. **** Activision (and IW a bit too, but nowhere near as much as Activision).

EDIT:

Leaving the Net cafe now btw. Talk to you all soon.

[Cypher]

Hey, I'm gonna be too busy to write the tests tonight (got home late and just got my hands on MW2), however I thought of a way for you to check for yourself.

Download "VMMap" from Sysinternals. Inject your DLL into an application, cloak it, and make sure you DO NOT EJECT IT.

Then, run VMMap on the application you're injected into.

It should be able recover the path to your module, as well as its base, size, etc.

As an example, here's me uncovering WoWMimic's module. They are doing exactly what you are:
http://dl.dropbox.com/u/74751/Mimic/FileMapping.png

EDIT:

****ing hell. It's fully locked. I thought I'd at least be able to access single player. What a load of shit.

Sigh. I guess MW2 will have to wait for now. >_>

Let me know if what I suggested above works and proves my point and puts to rest your doubts. If not, I'll write up an app to prove it, but its really quite unnecessary.

P.S. Check out "ModuleShark" by DeepBlueSea. It will also be able to uncover your module.

One note though, both VMMap and ModuleShark run in an external process so even if you hook NtQueryVirtualMemory they'll still be able to see your module. That's fine though, as long as you hook NtQUeryVirtualMemory in WOWS PROCESS so Warden can't use it then you'll be safe.

EDIT2:

Horray, MM2 finally unlocked.

Afk for the next 8 hours.

[Cypher]

Bump.

Nitrogrlie:

Did you try what I suggested to prove my claims? (VMMap and ModuleShark)

[nitrogrlie]

Bump.

Nitrogrlie:

Did you try what I suggested to prove my claims? (VMMap and ModuleShark)

Sorry, I've just come back from vacation. 1 year anniversary with the wife. I'll give it a go sometime this week, but I might be preoccupied with kicking ass on MW2 this week.