Process-Injection-Guard is a DLL file intended to be injected into a process to then detect if foreign intruders are injecting malicious code into it's process. The intention is to study how anti-cheat/anti-virus works on a basic scale.
The tool consists of two core features:
- Function hooks (detects injections)
- hooks
LoadLibraryAandRtlGetFullPathName_U, known functions injectors are using.
- hooks
- Signature scanners (detects malicious sigs)
- scan through the
PEB's module list - scan suspect memory regions (
PAGE_EXECUTE_READWRITE) to detect hacks injected through theManual Mapinjection technique.
- scan through the
Console options once injected into a target process:
- IDE: Visual Studio 2019 (x86 project).
- OS: Windows 10, version 1909.
- Compile the source code
- Run it one time - a folder and a
config.inifile should be created on your desktop. - Navigate to
Desktop/Detection/config.ini. - Fill in info about which signatures to scan for (e.g.:
4D5A90,4d5a90,4d??90) - Fill in info about which modules you wish to scan through. If left blank, it scans through all visible modules.
- Run it and choose appropriate console options.
Injector link: https://www.unknowncheats.me/forum/downloads.php?do=file&id=21570
Injector link: https://www.cheatengine.org/
Injector link: https://www.unknowncheats.me/forum/downloads.php?do=file&id=578
Injector link: https://www.unknowncheats.me/forum/downloads.php?do=file&id=23686
- Function hooks
RtlGetFullPathName_Uproved effective when monitoring injections.LoadLibraryA, not so much.
- Signature scanners
- Many injectors avoid revealing information about their payload in the
PEB, hence scanning thePEBseems meaningless. Scanning in suspect memory regions proved more useful. We could catch Extreme injector's hidden payload this way. This was not the case against Xenos injector, however.
- Many injectors avoid revealing information about their payload in the
- Trampoline hook: jbremer, guidedhacking.com, RtlGetFullPathName_U, doxygen.reactos.org
- Signature scanner: MEMORY_BASIC_INFORMATION, Protection Constants, VirtualQuery, bricata.com, guidedhacking.com