Code injection
Jason Geffner (JasonGeffner) <jasongefmicrosoftcom> Saturday, October 15 2005 21:30.00 CDT


Greg Hoglund recently wrote on his website about the game World of Warcraft searching for rogue DLLs in its own process space in order to catch code injected for cheating. This parallels an anti-debugging trick that can be found in malware. Malware authors don't want virus analysts poking around in their malware's process space, so malware will sometimes search for rogue DLLs that an analyst might be using for unpacking, information logging, etc.


You could try to hide your DLL by intercepting calls to the Module32First(...)/Module32Next(...) API functions (the Toolhelp snapshot walk most of these checks use), though this is a more complex solution than is necessary. Quite simply, you could just not use a DLL at all. Here's how:



  1. VirtualAllocEx(...) into the target process's address space, with an executable protection such as PAGE_EXECUTE_READWRITE.
  2. WriteProcessMemory(...) your relocatable code into the newly allocated memory. The code must be position-independent, since you do not control where the allocation lands.
  3. CreateRemoteThread(...) to run the code you injected, passing the allocation's address as the thread start routine.

You now have your code injected into the target process, but since you didn't use a DLL, it never appears in the loader's module list, so the Module32First(...) and Module32Next(...) API functions can't be used to detect you. For further implementation details, check http://search.msn.com/results.aspx?q=VirtualAllocEx+WriteProcessMemory+CreateRemoteThread


Of course there are still loads of ways to detect the above trick (such as searching for rogue threads, i.e. a thread whose start address lies outside every loaded module, or scanning the address space for executable private memory that no image backs), but this raises the bar a bit.


