DLL process blacklist security

9 Replies - 409 Views - Last Post: 03 December 2012 - 08:30 AM

#1 Nuckelavee

Posted 02 December 2012 - 02:24 AM

Hi there! I've been a scripter for a few years now, but I'm not much of a coder [Delphi/C++/C#].

I've been trying to make a DLL that runs along a certain exe and stays open until it's closed. The DLL will monitor for a specific blacklist of processes every 300 ms or so, and if it finds any process in the blacklist it would crash/exit the exe it's running along with.

I poked around for some useful DLL code/examples, but so far I haven't made any good progress.

Process[] runningProcesses = Process.GetProcesses();
foreach (Process process in runningProcesses)
{
    // now check the modules of the process
    foreach (ProcessModule module in process.Modules)
    {
        if (module.FileName.Equals("MyProcess.exe"))
        {
            process.Kill();
        }
    }
}


If you guys would be so kind as to point me in some useful direction, or even better share a working example of what I'm looking for, it would be greatly appreciated. Thanks!

Note: the DLL has to be "injection compatible" since I don't own the original SRC of the exe I'm trying to protect.

Replies To: DLL process blacklist security

#2 tlhIn`toq

Posted 02 December 2012 - 08:37 AM

Honestly it sounds more like you're trying to un-protect the program you don't have the source for - by killing the process that is watchdogging/validating that exe.

Can you give us a better/fuller explanation of the process you are trying to kill and the exe you are trying to protect it from - so we don't close this thread?

#3 Nuckelavee

Posted 02 December 2012 - 03:33 PM

Yeah, when you think about it, it actually sounds a bit suspicious. I'm trying to protect a client side against packet sniffers. I've resorted to some other options like encrypters, obfuscators, packers, and such with no luck; I can still capture and re-send packets through the client. Someone told me that the only option was encryption/decryption, but that sounds like a whole lot more work than injecting a simple DLL into the exe to protect it.

So I'm leaning more toward the DLL since it seems to be simpler and cleaner.

The process I'm trying to kill is any debugging, packet sniffing or any other kind of packet hacking related software; that's why I said "blacklist", so I would have to capture a small process/DLL list of potential threats that will be checked upon launching and while launched.

If you would be so kind as to share a simple example, I believe I'm able to finish or modify the rest of it to my needs.

I kind of understand this code, but it's lacking a looping timer and a blacklist input, and I'm pretty new to C#.

Process[] runningProcesses = Process.GetProcesses();
foreach (Process process in runningProcesses)
{
    // now check the modules of the process
    foreach (ProcessModule module in process.Modules)
    {
        if (module.FileName.Equals("MyProcess.exe"))
        {
            process.Kill();
        }
    }
}


#4 tlhIn`toq

Posted 02 December 2012 - 05:51 PM

Quote

it's lacking a looping timer and a blacklist input

"looping" and "timer" are separate things. No such thing as a "looping timer". You can have a timer that you don't stop, and therefore it keeps raising its .Tick event every x milliseconds. So I guess you could think of it as a loop, though that's confusing terminology.

Timers are pretty straightforward:
http://msdn.microsof...mers.timer.aspx

'A blacklist input' ?? Eh. I would expect a List<string> of the process names would do. Just iterate through it.
http://msdn.microsof...y/6sh2ey19.aspx

#5 Skydiver

Posted 02 December 2012 - 05:59 PM

Consider what happens if somebody is running Visual Studio or some other debugger to debug some other process, but not the process you are trying to protect. That means that your process is going to be killed by your injected DLL for no reason at all.

Also consider the case when the process you are trying to protect is already hosting the CLR. A process can only host one version of the CLR. If the DLL that you are going to inject is written in C#, it will also have to host the CLR. You'll have to figure out how to negotiate which version of the CLR will be active within that process.

And lastly, injecting your DLL does nothing to protect against sniffers that run as device drivers, or any packet sniffers running on another machine on the same network, but not on the same machine.

The correct way to protect the communication is to encrypt the data, not some band aid solution that you have like killing other processes.

I remember how pissed off I was when a version of Turbo Tax used to run on my home machine that had Visual Studio installed. Really? I can't compute my taxes on a machine that I do my development on? Geez.

#6 Nuckelavee

Posted 02 December 2012 - 08:26 PM

Quote

Consider what happens if somebody is running Visual Studio or some other debugger to debug some other process, but not the process you are trying to protect. That means that your process is going to be killed by your injected DLL for no reason at all.


Actually I'm not very worried about debuggers since I run my executables under Winlicense/Themida encryption; what I'm really worried about is packet sniffers and some packet related software, mainly because they could completely screw up my server-side.

Quote

The correct way to protect the communication is to encrypt the data, not some band aid solution that you have like killing other processes.


I'm aware of this, but it has to be considered that this "process killer" would only be active during the protected program's execution, and people would be warned beforehand of these "protection measures", so there are no accusations or problems whatsoever.

Quote

I remember how pissed off I was when a version of Turbo Tax used to run on my home machine that had Visual Studio installed. Really? I can't compute my taxes on a machine that I do my development on?


Fortunately the public I'm directing this software to is not very advanced (coding-wise), so there is no "development" going on on their PCs; if any one of these people has a debugging/packet editor, it is most likely they are trying to screw with my application/server-side.

#7 Momerath

Posted 03 December 2012 - 01:08 AM

Anyone who has the knowledge on how to run a packet sniffer will just do it on another machine, making all your protections worthless. It's easier to encrypt the data than it is to inject a C# DLL into unmanaged code.

#8 Nuckelavee

Posted 03 December 2012 - 02:12 AM

Quote

Anyone who has the knowledge on how to run a packet sniffer will just do it on another machine, making all your protections worthless. It's easier to encrypt the data than it is to inject a C# DLL into unmanaged code.


Have you tried out Winsock Packet Editor? Its usage is as easy as clicking "capture" and "send"; it's that kind of people that concerns me about my server-side security.

Perhaps I haven't explained myself very well. The DLL that I'm trying to make goes along with every copy of the client side, so no matter how it's run or where it's run, if a packet editor is loaded in the system it will prevent my application from being executed on the current machine. Also, if the DLL is not in the application's directory the program won't start.

Worry not about the injecting part; I've done it before a few times with no problems whatsoever. It's kind of the same process some retarded people use to infect exes with trojans and other forms of malware/spyware; of course I'm using that method as a form of protection for my client side.

#9 Skydiver

Posted 03 December 2012 - 05:58 AM

Putting protection on the client is the incorrect way to institute server-side security. Stop and think about it. What's to prevent somebody from spoofing your server instead of hacking your client?
#10 tlhIn`toq

Posted 03 December 2012 - 08:30 AM

Enough talking to the wind. The OP came here asking for advice. Numerous people have given advice that the OP doesn't want to hear. He's going to do it the way he wants despite hearing from several senior coders that it's easier and better to do it the right way. Live and learn. We're not going to detail how to do it wrong because that just leads to other readers saying "They said to do it this way." Meaning this thread is going nowhere and helping no one.