Tuts 4 You

Memory Protection


listito

Hello,

I'd like to protect my software against OpenProcess() or ReadProcess(). Are there any known callbacks or interesting ways to detect it?

Any help is appreciated.

Hi,

I defended my application from OpenProcess() using a driver that hooks the NtOpenProcess() service in the SSDT:


NTSTATUS NtOpenProcess(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId OPTIONAL
);

The driver is a better way of protecting, although it is possible to remove the interception in usermode.

I'm sorry I did not see this

Edited by Coderess
hi coderess,

I'm starting to think there is no nice solution for this problem in usermode (hope I'm wrong about it), so do you have any way in mind for hooking successfully in kernelmode which works under Vista, Win7 and XP, considering that the syscall numbers are different?

Any route you take will have disadvantages and drawbacks, along with not keeping you fully secured, since any patches you make can be fixed manually. If you still want to implement some ideas you can try:

- Hooking LoadLibraryA/LoadLibraryW to prevent false module loading based on a white list.

** Drawback: can be bypassed using Nt functions. (Example: LdrLoadDll)

** Drawback: can be bypassed naming a module to a name on the whitelist.

- Hooking CreateRemoteThread to prevent common methods of injection.

** Drawback: can be bypassed using Nt functions. (Examples: NtCreateThread / LdrInitializeThunk)

** Drawback: can still inject with other methods.

- Hooking WriteProcessMemory/ReadProcessMemory to prevent writing and reading of your memory.

** Drawback: can be bypassed with Nt functions. (Examples: NtReadVirtualMemory / NtWriteVirtualMemory)

** Drawback: some internal CRT methods use ReadProcessMemory and may cause issues depending on your hook.

Pretty much any user mode approach you take will have an Nt underlying function that can be used to bypass stuff like these API hooks. They will keep the less-advanced out but it will only take 1 person to create a bypass for everyone to gain access.

I'd suggest going with a driver for better protection as Coderess was getting into. You will have more security with it, not to say it will be flawless or impossible to bypass though.

Overall either way you go there will be flaws and such, it's up to you which method to choose though.

Hello atom0s,

Can you tell me how to hook ReadProcessMemory()? I mean, I've done a couple of things including hooking LdrLoadDll, but ReadProcessMemory() is called from the malicious program, not from mine. Does it generate any callbacks?

There isn't a clean method of doing it as far as I know, I've never dove into doing something as extreme as system wide hooks. I've seen system wide hooks done for various things but I don't think there is a simple and clean method to accomplish the task in usermode. I think you will need to go into kernel layer hooking to accomplish it in a more 'proper' and elegant way.

Some things I've seen in some processes will inject a hook into all running processes, such as TeamViewer does if you are familiar with that program. It injects a module TV.dll into all running processes when you connect to someone so it can properly render the screen and its windows to the viewer. (In their case they hook window messages using SetWindowsHookEx.) Similar could be done for API hooks, but this method is a bit more extreme. I've seen this done for clipboard data as well, to share across machines and such.

Doing something like this can and most likely will raise flags with various virus scanners. Along with that you can trigger red flags with other applications that can cause a user to get banned from a service such as a game cheat protection can be triggered because of your hook.

Other methods could be editing the IAT of a process that imports ReadProcessMemory. Again, this is invasive and can trigger other unwanted results; it also won't work on processes that import the API using GetProcAddress, which would involve another hook and such, all of which can be prevented by the user too.

As said above, pretty much any idea you come up with will have downsides and limitations. No one idea will solve your issues for protection, and no idea will ever be 100% secure and unbeatable. You will have to mix and match what suits your needs best, as well as implement different ideas of your own to help with the security.

Can I ask, what is this idea for?

atom0s,

Thanks for the help. I'm trying to develop some protection against cheaters of one online game, not too strong a protection, but I believe 99,9% of game users will be filtered for sure. Anti attach, debug, and dll injection are done; the only thing that remains and I'd like to block is the god damn ReadProcessMemory() or OpenProcess().

I've tried to protect my client by denying privileges with SetKernelObjectSecurity(), and it works well against OpenProcess(), but Cheat Engine in particular seems to change access tokens, which is crap; that shouldn't be done at all considering that it is a tool that was made for noobs.

The code will be injected in asm, which will increase security against dummy reverse engineers, but not against the good ones; I believe the good ones do not care about gaming. So I want to mess with kernelmode protection in the future but not now. Perhaps, does anyone know any way to find out the callbacks generated by functions?

You can prevent users from obtaining a handle with OpenProcess by using SetSecurityInfo; Blizzard has used this protection method in the past for games such as Warcraft 3. It's not a huge increase in security because a simple hex patch can make the API useless, but it will prevent OpenProcess from working, which in turn will stop ReadProcessMemory from working too, since you need a valid handle.
