├── .gitattributes
├── .gitignore
├── DLLInjectionDetector.sln
├── DLLInjectionDetector
    ├── DLLCheck.cpp
    ├── DLLInjectionDetector.vcxproj
    ├── DLLInjectionDetector.vcxproj.filters
    ├── ThreadCheck.cpp
    ├── ThreadEnumerator.cpp
    ├── ThreadEnumerator.h
    ├── Utils.cpp
    ├── Utils.h
    ├── main.cpp
    └── main.h
└── README.md


/.gitattributes:
--------------------------------------------------------------------------------
 1 | # Auto detect text files and perform LF normalization
 2 | * text=auto
 3 | 
 4 | # Custom for Visual Studio
 5 | *.cs     diff=csharp
 6 | 
 7 | # Standard to msysgit
 8 | *.doc	 diff=astextplain
 9 | *.DOC	 diff=astextplain
10 | *.docx diff=astextplain
11 | *.DOCX diff=astextplain
12 | *.dot  diff=astextplain
13 | *.DOT  diff=astextplain
14 | *.pdf  diff=astextplain
15 | *.PDF	 diff=astextplain
16 | *.rtf	 diff=astextplain
17 | *.RTF	 diff=astextplain
18 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | # Windows image file caches
 2 | Thumbs.db
 3 | ehthumbs.db
 4 | 
 5 | # Folder config file
 6 | Desktop.ini
 7 | 
 8 | # Recycle Bin used on file shares
 9 | $RECYCLE.BIN/
10 | 
11 | # Windows Installer files
12 | *.cab
13 | *.msi
14 | *.msm
15 | *.msp
16 | 
17 | # Windows shortcuts
18 | *.lnk
19 | 
20 | # =========================
21 | # Operating System Files
22 | # =========================
23 | 
24 | # OSX
25 | # =========================
26 | 
27 | .DS_Store
28 | .AppleDouble
29 | .LSOverride
30 | 
31 | # Thumbnails
32 | ._*
33 | 
34 | # Files that might appear in the root of a volume
35 | .DocumentRevisions-V100
36 | .fseventsd
37 | .Spotlight-V100
38 | .TemporaryItems
39 | .Trashes
40 | .VolumeIcon.icns
41 | 
42 | # Directories potentially created on remote AFP share
43 | .AppleDB
44 | .AppleDesktop
45 | Network Trash Folder
46 | Temporary Items
47 | .apdisk
48 | 


--------------------------------------------------------------------------------
/DLLInjectionDetector.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio 15
 4 | VisualStudioVersion = 15.0.26430.6
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DLLInjectionDetector", "DLLInjectionDetector\DLLInjectionDetector.vcxproj", "{D367ECAB-C83A-4B75-9B75-41F783C06265}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|x64 = Debug|x64
11 | 		Debug|x86 = Debug|x86
12 | 		Release|x64 = Release|x64
13 | 		Release|x86 = Release|x86
14 | 	EndGlobalSection
15 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | 		{D367ECAB-C83A-4B75-9B75-41F783C06265}.Debug|x64.ActiveCfg = Debug|x64
17 | 		{D367ECAB-C83A-4B75-9B75-41F783C06265}.Debug|x64.Build.0 = Debug|x64
18 | 		{D367ECAB-C83A-4B75-9B75-41F783C06265}.Debug|x86.ActiveCfg = Debug|Win32
19 | 		{D367ECAB-C83A-4B75-9B75-41F783C06265}.Debug|x86.Build.0 = Debug|Win32
20 | 		{D367ECAB-C83A-4B75-9B75-41F783C06265}.Release|x64.ActiveCfg = Release|x64
21 | 		{D367ECAB-C83A-4B75-9B75-41F783C06265}.Release|x64.Build.0 = Release|x64
22 | 		{D367ECAB-C83A-4B75-9B75-41F783C06265}.Release|x86.ActiveCfg = Release|Win32
23 | 		{D367ECAB-C83A-4B75-9B75-41F783C06265}.Release|x86.Build.0 = Release|Win32
24 | 	EndGlobalSection
25 | 	GlobalSection(SolutionProperties) = preSolution
26 | 		HideSolutionNode = FALSE
27 | 	EndGlobalSection
28 | EndGlobal
29 | 


--------------------------------------------------------------------------------
/DLLInjectionDetector/DLLCheck.cpp:
--------------------------------------------------------------------------------
 1 | #include "main.h"
 2 | #include "Utils.h"
 3 | 
 4 | typedef ULONG(NTAPI* RtlGetFullPathName_U)(PCWSTR FileName, ULONG Size, PWSTR Buffer, PWSTR* ShortName);
 5 | static RtlGetFullPathName_U RtlGetFullPathName_U_ = nullptr;
 6 | 
 7 | ULONG NTAPI RtlGetFullPathName_U_t(PCWSTR FileName, ULONG Size, PWSTR Buffer, PWSTR* ShortName)
 8 | {
 9 | 	printf("RtlGetFullPathName_U_t -> %ls - %u\n", FileName, Size);
10 | 
11 | 	auto pModuleBase = CUtils::GetModuleAddressFromName(FileName);
12 | 	if (pModuleBase)
13 | 		printf("Injected dll detected! Base: %p\n", pModuleBase);
14 | 
15 | 	return RtlGetFullPathName_U_(FileName, Size, Buffer, ShortName);
16 | }
17 | 
18 | void InitializeDLLCheck()
19 | {
20 | 	auto hNtdll = LoadLibraryA("ntdll.dll");
21 | 	printf("hNtdll: %p\n", hNtdll);
22 | 	assert(hNtdll);
23 | 
24 | 	auto RtlGetFullPathName_U_o = reinterpret_cast<RtlGetFullPathName_U>(GetProcAddress(hNtdll, "RtlGetFullPathName_U"));
25 | 	printf("RtlGetFullPathName_U: %p\n", RtlGetFullPathName_U_o);
26 | 	assert(RtlGetFullPathName_U_o);
27 | 
28 | 	RtlGetFullPathName_U_ = reinterpret_cast<RtlGetFullPathName_U>(CUtils::DetourFunc(reinterpret_cast<PBYTE>(RtlGetFullPathName_U_o), reinterpret_cast<PBYTE>(RtlGetFullPathName_U_t), 5));
29 | 	printf("RtlGetFullPathName_U(detour): %p\n", RtlGetFullPathName_U_);
30 | 
31 | 	DWORD dwOld = 0;
32 | 	auto bProtectRet = VirtualProtect(RtlGetFullPathName_U_, 5, PAGE_EXECUTE_READWRITE, &dwOld);
33 | 	assert(bProtectRet);
34 | }


--------------------------------------------------------------------------------
/DLLInjectionDetector/DLLInjectionDetector.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <VCProjectVersion>15.0</VCProjectVersion>
 23 |     <ProjectGuid>{D367ECAB-C83A-4B75-9B75-41F783C06265}</ProjectGuid>
 24 |     <Keyword>Win32Proj</Keyword>
 25 |     <RootNamespace>DLLInjectionDetector</RootNamespace>
 26 |     <WindowsTargetPlatformVersion>10.0.15063.0</WindowsTargetPlatformVersion>
 27 |   </PropertyGroup>
 28 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 29 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 30 |     <ConfigurationType>Application</ConfigurationType>
 31 |     <UseDebugLibraries>true</UseDebugLibraries>
 32 |     <PlatformToolset>v141_xp</PlatformToolset>
 33 |     <CharacterSet>MultiByte</CharacterSet>
 34 |   </PropertyGroup>
 35 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 36 |     <ConfigurationType>Application</ConfigurationType>
 37 |     <UseDebugLibraries>false</UseDebugLibraries>
 38 |     <PlatformToolset>v141_xp</PlatformToolset>
 39 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 40 |     <CharacterSet>MultiByte</CharacterSet>
 41 |   </PropertyGroup>
 42 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 43 |     <ConfigurationType>Application</ConfigurationType>
 44 |     <UseDebugLibraries>true</UseDebugLibraries>
 45 |     <PlatformToolset>v141</PlatformToolset>
 46 |     <CharacterSet>Unicode</CharacterSet>
 47 |   </PropertyGroup>
 48 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 49 |     <ConfigurationType>Application</ConfigurationType>
 50 |     <UseDebugLibraries>false</UseDebugLibraries>
 51 |     <PlatformToolset>v141</PlatformToolset>
 52 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 53 |     <CharacterSet>Unicode</CharacterSet>
 54 |   </PropertyGroup>
 55 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 56 |   <ImportGroup Label="ExtensionSettings">
 57 |   </ImportGroup>
 58 |   <ImportGroup Label="Shared">
 59 |   </ImportGroup>
 60 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 61 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 62 |   </ImportGroup>
 63 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 64 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 65 |   </ImportGroup>
 66 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 67 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 68 |   </ImportGroup>
 69 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 70 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 71 |   </ImportGroup>
 72 |   <PropertyGroup Label="UserMacros" />
 73 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 74 |     <LinkIncremental>true</LinkIncremental>
 75 |   </PropertyGroup>
 76 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 77 |     <LinkIncremental>true</LinkIncremental>
 78 |   </PropertyGroup>
 79 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 80 |     <LinkIncremental>false</LinkIncremental>
 81 |   </PropertyGroup>
 82 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 83 |     <LinkIncremental>false</LinkIncremental>
 84 |   </PropertyGroup>
 85 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 86 |     <ClCompile>
 87 |       <PrecompiledHeader>
 88 |       </PrecompiledHeader>
 89 |       <WarningLevel>Level3</WarningLevel>
 90 |       <Optimization>Disabled</Optimization>
 91 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 92 |       <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
 93 |     </ClCompile>
 94 |     <Link>
 95 |       <SubSystem>Console</SubSystem>
 96 |     </Link>
 97 |   </ItemDefinitionGroup>
 98 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 99 |     <ClCompile>
100 |       <PrecompiledHeader>
101 |       </PrecompiledHeader>
102 |       <WarningLevel>Level3</WarningLevel>
103 |       <Optimization>Disabled</Optimization>
104 |       <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
105 |     </ClCompile>
106 |     <Link>
107 |       <SubSystem>Console</SubSystem>
108 |     </Link>
109 |   </ItemDefinitionGroup>
110 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
111 |     <ClCompile>
112 |       <WarningLevel>Level3</WarningLevel>
113 |       <PrecompiledHeader>
114 |       </PrecompiledHeader>
115 |       <Optimization>MaxSpeed</Optimization>
116 |       <FunctionLevelLinking>true</FunctionLevelLinking>
117 |       <IntrinsicFunctions>true</IntrinsicFunctions>
118 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
119 |       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
120 |     </ClCompile>
121 |     <Link>
122 |       <SubSystem>Console</SubSystem>
123 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
124 |       <OptimizeReferences>true</OptimizeReferences>
125 |     </Link>
126 |   </ItemDefinitionGroup>
127 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
128 |     <ClCompile>
129 |       <WarningLevel>Level3</WarningLevel>
130 |       <PrecompiledHeader>
131 |       </PrecompiledHeader>
132 |       <Optimization>MaxSpeed</Optimization>
133 |       <FunctionLevelLinking>true</FunctionLevelLinking>
134 |       <IntrinsicFunctions>true</IntrinsicFunctions>
135 |       <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
136 |     </ClCompile>
137 |     <Link>
138 |       <SubSystem>Console</SubSystem>
139 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
140 |       <OptimizeReferences>true</OptimizeReferences>
141 |     </Link>
142 |   </ItemDefinitionGroup>
143 |   <ItemGroup>
144 |     <ClInclude Include="main.h" />
145 |     <ClInclude Include="ThreadEnumerator.h" />
146 |     <ClInclude Include="Utils.h" />
147 |   </ItemGroup>
148 |   <ItemGroup>
149 |     <ClCompile Include="DLLCheck.cpp" />
150 |     <ClCompile Include="main.cpp" />
151 |     <ClCompile Include="ThreadCheck.cpp" />
152 |     <ClCompile Include="ThreadEnumerator.cpp" />
153 |     <ClCompile Include="Utils.cpp" />
154 |   </ItemGroup>
155 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
156 |   <ImportGroup Label="ExtensionTargets">
157 |   </ImportGroup>
158 | </Project>


--------------------------------------------------------------------------------
/DLLInjectionDetector/DLLInjectionDetector.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>
11 |     </Filter>
12 |   </ItemGroup>
13 |   <ItemGroup>
14 |     <ClCompile Include="main.cpp">
15 |       <Filter>Source Files</Filter>
16 |     </ClCompile>
17 |     <ClCompile Include="Utils.cpp">
18 |       <Filter>Source Files</Filter>
19 |     </ClCompile>
20 |     <ClCompile Include="DLLCheck.cpp">
21 |       <Filter>Source Files</Filter>
22 |     </ClCompile>
23 |     <ClCompile Include="ThreadCheck.cpp">
24 |       <Filter>Source Files</Filter>
25 |     </ClCompile>
26 |     <ClCompile Include="ThreadEnumerator.cpp">
27 |       <Filter>Source Files</Filter>
28 |     </ClCompile>
29 |   </ItemGroup>
30 |   <ItemGroup>
31 |     <ClInclude Include="Utils.h">
32 |       <Filter>Header Files</Filter>
33 |     </ClInclude>
34 |     <ClInclude Include="main.h">
35 |       <Filter>Header Files</Filter>
36 |     </ClInclude>
37 |     <ClInclude Include="ThreadEnumerator.h">
38 |       <Filter>Source Files</Filter>
39 |     </ClInclude>
40 |   </ItemGroup>
41 | </Project>


--------------------------------------------------------------------------------
/DLLInjectionDetector/ThreadCheck.cpp:
--------------------------------------------------------------------------------
  1 | #include "main.h"
  2 | #include "Utils.h"
  3 | 
  4 | typedef void(*LdrInitializeThunk)(PCONTEXT NormalContext, PVOID SystemArgument1, PVOID SystemArgument2);
  5 | static LdrInitializeThunk LdrInitializeThunk_ = nullptr;
  6 | 
  7 | 
  8 | typedef NTSTATUS(WINAPI* lpNtQueryInformationThread)(HANDLE, LONG, PVOID, ULONG, PULONG);
  9 | void LdrInitializeThunk_t(PCONTEXT NormalContext, PVOID SystemArgument1, PVOID SystemArgument2)
 10 | {
 11 | 	auto GetThreadStartAddress = [](HANDLE hThread) -> DWORD {
 12 | 		auto NtQueryInformationThread = (lpNtQueryInformationThread)GetProcAddress(LoadLibraryA("ntdll"), "NtQueryInformationThread");
 13 | 		assert(NtQueryInformationThread);
 14 | 
 15 | 		DWORD dwCurrentThreadAddress = 0;
 16 | 		NtQueryInformationThread(hThread, 9 /* ThreadQuerySetWin32StartAddress */, &dwCurrentThreadAddress, sizeof(dwCurrentThreadAddress), NULL);
 17 | 		return dwCurrentThreadAddress;
 18 | 	};
 19 | 
 20 | 	auto dwStartAddress = GetThreadStartAddress(NtCurrentThread);
 21 | 	printf("[*] A thread attached to process! Start address: %p\n", (void*)dwStartAddress);
 22 | 
 23 | 	auto dwThreadId = GetThreadId(NtCurrentThread);
 24 | 	printf("\t* Thread: %u - Suspended: %d\n", dwThreadId, CUtils::IsSuspendedThread(dwThreadId));
 25 | 
 26 | 	CONTEXT ctx = { 0 };
 27 | 	ctx.ContextFlags = CONTEXT_ALL;
 28 | 	if (GetThreadContext(NtCurrentThread, &ctx))
 29 | 	{
 30 | 		auto bHasDebugRegister = (ctx.Dr0 || ctx.Dr1 || ctx.Dr2 || ctx.Dr3 || ctx.Dr7);
 31 | 		printf("\t* Context; Has debug register: %d Eip: %p Eax: %p\n", bHasDebugRegister, (void*)ctx.Eip, (void*)ctx.Eax);
 32 | 	}
 33 | 
 34 | 	MODULEINFO user32ModInfo = { 0 };
 35 | 	if (GetModuleInformation(NtCurrentProcess, LoadLibraryA("user32"), &user32ModInfo, sizeof(user32ModInfo)))
 36 | 	{
 37 | 		DWORD dwUser32Low = (DWORD)user32ModInfo.lpBaseOfDll;
 38 | 		DWORD dwUser32Hi = (DWORD)user32ModInfo.lpBaseOfDll + user32ModInfo.SizeOfImage;
 39 | 		if (dwStartAddress >= dwUser32Low && dwStartAddress <= dwUser32Hi)
 40 | 			printf("# WARNING # dwStartAddress in User32.dll\n");
 41 | 	}
 42 | 
 43 | 	if (dwStartAddress == (DWORD)LoadLibraryA)
 44 | 		printf("# WARNING # dwStartAddress == LoadLibraryA\n");
 45 | 
 46 | 	else if (dwStartAddress == (DWORD)LoadLibraryW)
 47 | 		printf("# WARNING # dwStartAddress == LoadLibraryW\n");
 48 | 
 49 | 	else if (dwStartAddress == (DWORD)LoadLibraryExA)
 50 | 		printf("# WARNING # dwStartAddress == LoadLibraryExA\n");
 51 | 
 52 | 	else if (dwStartAddress == (DWORD)LoadLibraryExW)
 53 | 		printf("# WARNING # dwStartAddress == LoadLibraryExW\n");
 54 | 
 55 | 	else if (dwStartAddress == (DWORD)GetProcAddress(LoadLibraryA("ntdll"), "RtlUserThreadStart"))
 56 | 		printf("# WARNING # dwStartAddress == RtlUserThreadStart\n");
 57 | 
 58 | 	else if (dwStartAddress == (DWORD)GetProcAddress(LoadLibraryA("ntdll"), "NtCreateThread"))
 59 | 		printf("# WARNING # dwStartAddress == NtCreateThread\n");
 60 | 
 61 | 	else if (dwStartAddress == (DWORD)GetProcAddress(LoadLibraryA("ntdll"), "NtCreateThreadEx"))
 62 | 		printf("# WARNING # dwStartAddress == NtCreateThreadEx\n");
 63 | 
 64 | 	else if (dwStartAddress == (DWORD)GetProcAddress(LoadLibraryA("ntdll"), "RtlCreateUserThread"))
 65 | 		printf("# WARNING # dwStartAddress == RtlCreateUserThread\n");
 66 | 
 67 | 	MEMORY_BASIC_INFORMATION mbi = { 0 };
 68 | 	if (VirtualQuery((LPCVOID)dwStartAddress, &mbi, sizeof(mbi)))
 69 | 	{
 70 | 		if (mbi.Type != MEM_IMAGE)
 71 | 			printf("# WARNING # mbi.Type != MEM_IMAGE\n");
 72 | 
 73 | 		if (dwStartAddress == (DWORD)mbi.AllocationBase)
 74 | 			printf("# WARNING # dwStartAddress == mbi.AllocationBase\n");
 75 | 	}
 76 | 
 77 | 	if (CUtils::IsLoadedAddress(dwStartAddress))
 78 | 		printf("# WARNING # IsLoadedAddress(dwStartAddress)\n");
 79 | 
 80 | 	if (CUtils::GetThreadOwnerProcessId(dwThreadId) != GetCurrentProcessId())
 81 | 		printf("# WARNING # GetThreadOwnerProcessId(dwThreadId) != GetCurrentProcessId()\n");
 82 | 
 83 | 	IMAGE_SECTION_HEADER * pCurrentSecHdr = (IMAGE_SECTION_HEADER*)dwStartAddress;
 84 | 	if (pCurrentSecHdr)
 85 | 	{
 86 | 		BOOL IsMonitored =
 87 | 			(pCurrentSecHdr->Characteristics & IMAGE_SCN_MEM_EXECUTE) && (pCurrentSecHdr->Characteristics & IMAGE_SCN_MEM_READ) &&
 88 | 			(pCurrentSecHdr->Characteristics & IMAGE_SCN_CNT_CODE) && !(pCurrentSecHdr->Characteristics & IMAGE_SCN_MEM_DISCARDABLE);
 89 | 
 90 | 		if (IsMonitored)
 91 | 			printf("# WARNING # Remote code execution!\n");
 92 | 	}
 93 | 
 94 | 	return LdrInitializeThunk_(NormalContext, SystemArgument1, SystemArgument2);
 95 | }
 96 | 
 97 | void InitializeThreadCheck()
 98 | {
 99 | 	auto hNtdll = LoadLibraryA("ntdll.dll");
100 | 	printf("hNtdll: %p\n", hNtdll);
101 | 	assert(hNtdll);
102 | 
103 | 	auto LdrInitializeThunk_o = reinterpret_cast<LdrInitializeThunk>(GetProcAddress(hNtdll, "LdrInitializeThunk"));
104 | 	printf("LdrInitializeThunk: %p\n", LdrInitializeThunk_o);
105 | 	assert(LdrInitializeThunk_o);
106 | 
107 | 	LdrInitializeThunk_ = reinterpret_cast<LdrInitializeThunk>(CUtils::DetourFunc(reinterpret_cast<PBYTE>(LdrInitializeThunk_o), reinterpret_cast<PBYTE>(LdrInitializeThunk_t), 5));
108 | 	printf("LdrInitializeThunk(detour): %p\n", LdrInitializeThunk_);
109 | 
110 | 	DWORD dwOld = 0;
111 | 	auto bProtectRet = VirtualProtect(LdrInitializeThunk_, 5, PAGE_EXECUTE_READWRITE, &dwOld);
112 | 	assert(bProtectRet);
113 | }
114 | 
115 | 


--------------------------------------------------------------------------------
/DLLInjectionDetector/ThreadEnumerator.cpp:
--------------------------------------------------------------------------------
  1 | #include "main.h"
  2 | #include "ThreadEnumerator.h"
  3 | #include "Utils.h"
  4 | 
  5 | CThreadEnumerator::CThreadEnumerator(DWORD dwProcessId) :
  6 | 	m_dwProcessId(dwProcessId)
  7 | {
  8 | 	m_Cap = InitializeQuery();
  9 | }
 10 | 
 11 | CThreadEnumerator::~CThreadEnumerator()
 12 | {
 13 | 	m_dwProcessId = 0;
 14 | 
 15 | 	if (m_Cap)
 16 | 		free(m_Cap);
 17 | 	m_Cap = nullptr;
 18 | }
 19 | 
 20 | BYTE * CThreadEnumerator::InitializeQuery()
 21 | {
 22 | 	typedef NTSTATUS(NTAPI* lpNtQuerySystemInformation)(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);
 23 | 	auto NtQuerySystemInformation = (lpNtQuerySystemInformation)GetProcAddress(LoadLibraryA("ntdll"), "NtQuerySystemInformation");
 24 | 
 25 | 	BYTE * mp_Data;
 26 | 	DWORD mu32_DataSize = 1024 * 1024;
 27 | 
 28 | 	while (true)
 29 | 	{
 30 | 		mp_Data = (BYTE*)malloc(mu32_DataSize);
 31 | 		if (!mp_Data)
 32 | 			break;
 33 | 
 34 | 		ULONG ntNeeded = 0;
 35 | 		auto ntStat = NtQuerySystemInformation(SystemProcessInformation, mp_Data, mu32_DataSize, &ntNeeded);
 36 | 
 37 | 		if (ntStat == STATUS_INFO_LENGTH_MISMATCH)
 38 | 		{
 39 | 			mu32_DataSize *= 2;
 40 | 			mp_Data = (BYTE*)realloc((PVOID)mp_Data, mu32_DataSize);
 41 | 			continue;
 42 | 		}
 43 | 
 44 | 		return mp_Data;
 45 | 	}
 46 | 
 47 | 	printf("CThreadEnumerator::InitializeQuery fail!");
 48 | 	return nullptr;
 49 | }
 50 | 
 51 | SYSTEM_PROCESS_INFORMATION * CThreadEnumerator::GetProcInfo()
 52 | {
 53 | 	auto pk_Proc = (SYSTEM_PROCESS_INFORMATION*)m_Cap;
 54 | 
 55 | 	while (true)
 56 | 	{
 57 | 		if ((DWORD)pk_Proc->UniqueProcessId == m_dwProcessId)
 58 | 			return pk_Proc;
 59 | 
 60 | 		if (!pk_Proc->NextEntryOffset)
 61 | 			return nullptr;
 62 | 
 63 | 		pk_Proc = (SYSTEM_PROCESS_INFORMATION*)((BYTE*)pk_Proc + pk_Proc->NextEntryOffset);
 64 | 	}
 65 | 
 66 | 	return nullptr;
 67 | }
 68 | 
 69 | SYSTEM_THREAD_INFORMATION * CThreadEnumerator::GetThreadList(SYSTEM_PROCESS_INFORMATION * procInfo)
 70 | {
 71 | 	auto pk_Thread = procInfo->Threads;
 72 | 	return pk_Thread;
 73 | }
 74 | 
 75 | DWORD CThreadEnumerator::GetThreadCount(SYSTEM_PROCESS_INFORMATION * procInfo)
 76 | {
 77 | 	return procInfo->NumberOfThreads;
 78 | }
 79 | 
 80 | SYSTEM_THREAD_INFORMATION * CThreadEnumerator::FindThread(SYSTEM_PROCESS_INFORMATION * procInfo, DWORD dwThreadId)
 81 | {
 82 | 	auto pk_Thread = procInfo->Threads;
 83 | 	if (!pk_Thread)
 84 | 		return nullptr;
 85 | 
 86 | 	for (DWORD i = 0; i < procInfo->NumberOfThreads; i++)
 87 | 	{
 88 | 		if ((DWORD)pk_Thread->ClientId.UniqueThread == dwThreadId)
 89 | 			return pk_Thread;
 90 | 
 91 | 		pk_Thread++;
 92 | 	}
 93 | 
 94 | 	return nullptr;
 95 | }
 96 | 
 97 | bool CUtils::IsSuspendedThread(DWORD dwThreadId)
 98 | {
 99 | 	auto threadEnumerator = new CThreadEnumerator(GetCurrentProcessId());
100 | 	if (threadEnumerator == nullptr) {
101 | 		delete threadEnumerator;
102 | 		return true;
103 | 	}
104 | 
105 | 	auto systemThreadOwnerProcInfo = threadEnumerator->GetProcInfo();
106 | 	if (systemThreadOwnerProcInfo == nullptr) {
107 | 		delete threadEnumerator;
108 | 		return true;
109 | 	}
110 | 
111 | 	auto systemThreadInfo = threadEnumerator->FindThread(systemThreadOwnerProcInfo, dwThreadId);
112 | 	if (systemThreadInfo == nullptr) {
113 | 		delete threadEnumerator;
114 | 		return true;
115 | 	}
116 | 
117 | 	if (systemThreadInfo->ThreadState == Waiting && systemThreadInfo->WaitReason == Suspended) {
118 | 		delete threadEnumerator;
119 | 		return true;
120 | 	}
121 | 
122 | 	delete threadEnumerator;
123 | 	return false;
124 | }
125 | 


--------------------------------------------------------------------------------
/DLLInjectionDetector/ThreadEnumerator.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | 
 3 | class CThreadEnumerator
 4 | {
 5 | 	public:
 6 | 		CThreadEnumerator(DWORD dwProcessId);
 7 | 		~CThreadEnumerator();
 8 | 
 9 | 		SYSTEM_PROCESS_INFORMATION * GetProcInfo();
10 | 		SYSTEM_THREAD_INFORMATION  * GetThreadList(SYSTEM_PROCESS_INFORMATION * procInfo);
11 | 		DWORD				    	 GetThreadCount(SYSTEM_PROCESS_INFORMATION * procInfo);
12 | 
13 | 		SYSTEM_THREAD_INFORMATION  * FindThread(SYSTEM_PROCESS_INFORMATION * procInfo, DWORD dwThreadId);
14 | 
15 | 	protected:
16 | 		BYTE * InitializeQuery();
17 | 
18 | 	private:
19 | 		DWORD  m_dwProcessId;
20 | 		BYTE * m_Cap;
21 | };
22 | 
23 | 


--------------------------------------------------------------------------------
/DLLInjectionDetector/Utils.cpp:
--------------------------------------------------------------------------------
 1 | #include "main.h"
 2 | #include "Utils.h"
 3 | #include "ThreadEnumerator.h"
 4 | 
 5 | PVOID CUtils::DetourFunc(BYTE *src, const BYTE *dst, const int len)
 6 | {
 7 | 	BYTE *jmp = (BYTE*)malloc(len + 5);
 8 | 
 9 | 	DWORD dwback;
10 | 	VirtualProtect(src, len, PAGE_EXECUTE_READWRITE, &dwback);
11 | 
12 | 	memcpy(jmp, src, len);
13 | 	jmp += len;
14 | 
15 | 	jmp[0] = 0xE9;
16 | 	//relative address from trampoline to orig function + 5
17 | 	*(DWORD*)(jmp + 1) = (DWORD)(src + len - jmp) - 5;
18 | 
19 | 	src[0] = 0xE9;
20 | 	*(DWORD*)(src + 1) = (DWORD)(dst - src) - 5;
21 | 
22 | 	VirtualProtect(src, len, dwback, &dwback);
23 | 
24 | 	//address to trampoline
25 | 	return (jmp - len);
26 | }
27 | 
28 | PVOID CUtils::GetModuleAddressFromName(const wchar_t* c_wszName)
29 | {
30 | 	PPEB pPEB = (PPEB)__readfsdword(0x30);
31 | 	PLDR_DATA_TABLE_ENTRY Current = NULL;
32 | 	PLIST_ENTRY CurrentEntry = pPEB->Ldr->InMemoryOrderModuleList.Flink;
33 | 
34 | 	while (CurrentEntry != &pPEB->Ldr->InMemoryOrderModuleList && CurrentEntry != NULL)
35 | 	{
36 | 		Current = CONTAINING_RECORD(CurrentEntry, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
37 | 
38 | 		// printf("%ls -> %p\n", Current->FullDllName.Buffer, Current->DllBase);
39 | 		if (wcsstr(Current->FullDllName.Buffer, c_wszName))
40 | 			return Current->DllBase;
41 | 
42 | 		CurrentEntry = CurrentEntry->Flink;
43 | 	}
44 | 	return nullptr;
45 | }
46 | bool CUtils::IsLoadedAddress(DWORD dwAddress)
47 | {
48 | 	PPEB pPEB = (PPEB)__readfsdword(0x30);
49 | 	PLDR_DATA_TABLE_ENTRY Current = NULL;
50 | 	PLIST_ENTRY CurrentEntry = pPEB->Ldr->InMemoryOrderModuleList.Flink;
51 | 
52 | 	while (CurrentEntry != &pPEB->Ldr->InMemoryOrderModuleList && CurrentEntry != NULL)
53 | 	{
54 | 		Current = CONTAINING_RECORD(CurrentEntry, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
55 | 		if (dwAddress == (DWORD)Current->DllBase)
56 | 			return true;
57 | 
58 | 		CurrentEntry = CurrentEntry->Flink;
59 | 	}
60 | 	return false;
61 | }
62 | 
63 | BOOL bDataCompare(const BYTE* pData, const BYTE* bMask, const char* szMask)
64 | {
65 | 	for (; *szMask; ++szMask, ++pData, ++bMask)
66 | 		if (*szMask == 'x' && *pData != *bMask)
67 | 			return FALSE;
68 | 	return (*szMask) == NULL;
69 | }
70 | DWORD CUtils::FindPattern(DWORD dwAddress, DWORD dwLen, BYTE *bMask, char * szMask)
71 | {
72 | 	for (DWORD i = 0; i < dwLen; i++)
73 | 		if (bDataCompare((BYTE*)(dwAddress + i), bMask, szMask))
74 | 			return (DWORD)(dwAddress + i);
75 | 	return 0;
76 | }
77 | 
78 | DWORD CUtils::GetThreadOwnerProcessId(DWORD dwThreadID)
79 | {
80 | 	auto hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, NULL);
81 | 	if (!hSnap || hSnap == INVALID_HANDLE_VALUE) 
82 | 		return 0;
83 | 
84 | 	THREADENTRY32 ti = { 0 };
85 | 	ti.dwSize = sizeof(ti);
86 | 
87 | 	if (Thread32First(hSnap, &ti))
88 | 	{
89 | 		do {
90 | 			if (dwThreadID == ti.th32ThreadID) {
91 | 				CloseHandle(hSnap);
92 | 				return ti.th32OwnerProcessID;
93 | 			}
94 | 		} while (Thread32Next(hSnap, &ti));
95 | 	}
96 | 
97 | 	CloseHandle(hSnap);
98 | 	return 0;
99 | }


--------------------------------------------------------------------------------
/DLLInjectionDetector/Utils.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | 
 3 | class CUtils
 4 | {
 5 | 	public:
 6 | 		static PVOID GetModuleAddressFromName(const wchar_t* c_wszName);
 7 | 		static bool  IsLoadedAddress(DWORD dwAddress);
 8 | 
 9 | 		static PVOID DetourFunc(BYTE *src, const BYTE *dst, const int len);
10 | 		static DWORD FindPattern(DWORD dwAddress, DWORD dwLen, BYTE *bMask, char * szMask);
11 | 
12 | 		static bool  IsSuspendedThread(DWORD dwThreadId);
13 | 
14 | 		static DWORD GetThreadOwnerProcessId(DWORD dwThreadID);
15 | };
16 | 
17 | 


--------------------------------------------------------------------------------
/DLLInjectionDetector/main.cpp:
--------------------------------------------------------------------------------
 1 | #include "main.h"
 2 | #pragma comment(lib, "psapi.lib")
 3 | 
 4 | int main()
 5 | {
 6 | 	InitializeDLLCheck();
 7 | 	InitializeThreadCheck();
 8 | 
 9 | 	while (1)
10 | 		Sleep(10000); // keep alive
11 | 
12 | 	return 0;
13 | }


--------------------------------------------------------------------------------
/DLLInjectionDetector/main.h:
--------------------------------------------------------------------------------
  1 | #pragma once
  2 | #include <Windows.h>
  3 | #include <iostream>
  4 | #include <assert.h>
  5 | #include <Psapi.h>
  6 | #include <TlHelp32.h>
  7 | 
  8 | extern void InitializeDLLCheck();
  9 | extern void InitializeThreadCheck();
 10 | 
 11 | #define STATUS_INFO_LENGTH_MISMATCH	((NTSTATUS) 0xC0000004)
 12 | 
 13 | #define NtCurrentProcess			((HANDLE)(LONG_PTR)-1)
 14 | #define NtCurrentThread				((HANDLE)(LONG_PTR)-2)
 15 | 
 16 | namespace
 17 | {
 18 | 	typedef struct _UNICODE_STRING {
 19 | 		USHORT Length;
 20 | 		USHORT MaximumLength;
 21 | 		PWSTR  Buffer;
 22 | 	} UNICODE_STRING;
 23 | 	typedef UNICODE_STRING *PUNICODE_STRING;
 24 | 
 25 | 	typedef struct _LDR_DATA_TABLE_ENTRY {
 26 | 		PVOID Reserved1[2];
 27 | 		LIST_ENTRY InMemoryOrderLinks;
 28 | 		PVOID Reserved2[2];
 29 | 		PVOID DllBase;
 30 | 		PVOID Reserved3[2];
 31 | 		UNICODE_STRING FullDllName;
 32 | 		BYTE Reserved4[8];
 33 | 		PVOID Reserved5[3];
 34 | 		union {
 35 | 			ULONG CheckSum;
 36 | 			PVOID Reserved6;
 37 | 		} DUMMYUNIONNAME;
 38 | 		ULONG TimeDateStamp;
 39 | 	} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
 40 | 
 41 | 	typedef
 42 | 		VOID
 43 | 		(NTAPI *PPS_POST_PROCESS_INIT_ROUTINE) (
 44 | 			VOID
 45 | 			);
 46 | 
 47 | 
 48 | 	typedef struct _PEB_LDR_DATA {
 49 | 		BYTE Reserved1[8];
 50 | 		PVOID Reserved2[3];
 51 | 		LIST_ENTRY InMemoryOrderModuleList;
 52 | 	} PEB_LDR_DATA, *PPEB_LDR_DATA;
 53 | 
 54 | 	typedef struct _RTL_USER_PROCESS_PARAMETERS {
 55 | 		BYTE Reserved1[16];
 56 | 		PVOID Reserved2[10];
 57 | 		UNICODE_STRING ImagePathName;
 58 | 		UNICODE_STRING CommandLine;
 59 | 	} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
 60 | 
 61 | 	typedef struct _PEB {
 62 | 		BYTE Reserved1[2];
 63 | 		BYTE BeingDebugged;
 64 | 		BYTE Reserved2[1];
 65 | 		PVOID Reserved3[2];
 66 | 		PPEB_LDR_DATA Ldr;
 67 | 		PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
 68 | 		BYTE Reserved4[104];
 69 | 		PVOID Reserved5[52];
 70 | 		PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
 71 | 		BYTE Reserved6[128];
 72 | 		PVOID Reserved7[1];
 73 | 		ULONG SessionId;
 74 | 	} PEB, *PPEB;
 75 | 
 76 | 	typedef LONG KPRIORITY;
 77 | 
 78 | 	enum KWAIT_REASON
 79 | 	{
 80 | 		Suspended = 5,
 81 | 	};
 82 | 
 83 | 	enum THREAD_STATE
 84 | 	{
 85 | 		Running = 2,
 86 | 		Waiting = 5,
 87 | 	};
 88 | 
 89 | 	typedef struct _CLIENT_ID
 90 | 	{
 91 | 		HANDLE UniqueProcess;
 92 | 		HANDLE UniqueThread;
 93 | 	} CLIENT_ID, *PCLIENT_ID;
 94 | 
 95 | 	typedef struct _SYSTEM_THREAD_INFORMATION
 96 | 	{
 97 | 		LARGE_INTEGER KernelTime;
 98 | 		LARGE_INTEGER UserTime;
 99 | 		LARGE_INTEGER CreateTime;
100 | 		ULONG WaitTime;
101 | 		PVOID StartAddress;
102 | 		CLIENT_ID ClientId;
103 | 		KPRIORITY Priority;
104 | 		LONG BasePriority;
105 | 		ULONG ContextSwitches;
106 | 		ULONG ThreadState;
107 | 		ULONG WaitReason;
108 | 	} SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION;
109 | 
110 | 	typedef struct _SYSTEM_EXTENDED_THREAD_INFORMATION
111 | 	{
112 | 		SYSTEM_THREAD_INFORMATION ThreadInfo;
113 | 		PVOID StackBase;
114 | 		PVOID StackLimit;
115 | 		PVOID Win32StartAddress;
116 | 		PVOID TebAddress; /* This is only filled in on Vista and above */
117 | 		ULONG_PTR Reserved2;
118 | 		ULONG_PTR Reserved3;
119 | 		ULONG_PTR Reserved4;
120 | 	} SYSTEM_EXTENDED_THREAD_INFORMATION, *PSYSTEM_EXTENDED_THREAD_INFORMATION;
121 | 
122 | 	typedef struct _SYSTEM_PROCESS_INFORMATION
123 | 	{
124 | 		ULONG NextEntryOffset;
125 | 		ULONG NumberOfThreads;
126 | 		LARGE_INTEGER SpareLi1;
127 | 		LARGE_INTEGER SpareLi2;
128 | 		LARGE_INTEGER SpareLi3;
129 | 		LARGE_INTEGER CreateTime;
130 | 		LARGE_INTEGER UserTime;
131 | 		LARGE_INTEGER KernelTime;
132 | 		UNICODE_STRING ImageName;
133 | 		KPRIORITY BasePriority;
134 | 		HANDLE UniqueProcessId;
135 | 		HANDLE InheritedFromUniqueProcessId;
136 | 		ULONG HandleCount;
137 | 		ULONG SessionId;
138 | 		ULONG_PTR PageDirectoryBase;
139 | 		SIZE_T PeakVirtualSize;
140 | 		SIZE_T VirtualSize;
141 | 		ULONG PageFaultCount;
142 | 		SIZE_T PeakWorkingSetSize;
143 | 		SIZE_T WorkingSetSize;
144 | 		SIZE_T QuotaPeakPagedPoolUsage;
145 | 		SIZE_T QuotaPagedPoolUsage;
146 | 		SIZE_T QuotaPeakNonPagedPoolUsage;
147 | 		SIZE_T QuotaNonPagedPoolUsage;
148 | 		SIZE_T PagefileUsage;
149 | 		SIZE_T PeakPagefileUsage;
150 | 		SIZE_T PrivatePageCount;
151 | 		LARGE_INTEGER ReadOperationCount;
152 | 		LARGE_INTEGER WriteOperationCount;
153 | 		LARGE_INTEGER OtherOperationCount;
154 | 		LARGE_INTEGER ReadTransferCount;
155 | 		LARGE_INTEGER WriteTransferCount;
156 | 		LARGE_INTEGER OtherTransferCount;
157 | 		SYSTEM_THREAD_INFORMATION Threads[1];
158 | 	} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;
159 | 
160 | 
161 | 	typedef enum _SYSTEM_INFORMATION_CLASS
162 | 	{
163 | 		SystemBasicInformation, // q: SYSTEM_BASIC_INFORMATION
164 | 		SystemProcessorInformation, // q: SYSTEM_PROCESSOR_INFORMATION
165 | 		SystemPerformanceInformation, // q: SYSTEM_PERFORMANCE_INFORMATION
166 | 		SystemTimeOfDayInformation, // q: SYSTEM_TIMEOFDAY_INFORMATION
167 | 		SystemPathInformation, // not implemented
168 | 		SystemProcessInformation, // q: SYSTEM_PROCESS_INFORMATION
169 | 		SystemCallCountInformation, // q: SYSTEM_CALL_COUNT_INFORMATION
170 | 		SystemDeviceInformation, // q: SYSTEM_DEVICE_INFORMATION
171 | 		SystemProcessorPerformanceInformation, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION
172 | 		SystemFlagsInformation, // q: SYSTEM_FLAGS_INFORMATION
173 | 		SystemCallTimeInformation, // 10, not implemented
174 | 		SystemModuleInformation, // q: RTL_PROCESS_MODULES
175 | 		SystemLocksInformation,
176 | 		SystemStackTraceInformation,
177 | 		SystemPagedPoolInformation, // not implemented
178 | 		SystemNonPagedPoolInformation, // not implemented
179 | 		SystemHandleInformation, // q: SYSTEM_HANDLE_INFORMATION
180 | 		SystemObjectInformation, // q: SYSTEM_OBJECTTYPE_INFORMATION mixed with SYSTEM_OBJECT_INFORMATION
181 | 		SystemPageFileInformation, // q: SYSTEM_PAGEFILE_INFORMATION
182 | 		SystemVdmInstemulInformation, // q
183 | 		SystemVdmBopInformation, // 20, not implemented
184 | 		SystemFileCacheInformation, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemCache)
185 | 		SystemPoolTagInformation, // q: SYSTEM_POOLTAG_INFORMATION
186 | 		SystemInterruptInformation, // q: SYSTEM_INTERRUPT_INFORMATION
187 | 		SystemDpcBehaviorInformation, // q: SYSTEM_DPC_BEHAVIOR_INFORMATION; s: SYSTEM_DPC_BEHAVIOR_INFORMATION (requires SeLoadDriverPrivilege)
188 | 		SystemFullMemoryInformation, // not implemented
189 | 		SystemLoadGdiDriverInformation, // s (kernel-mode only)
190 | 		SystemUnloadGdiDriverInformation, // s (kernel-mode only)
191 | 		SystemTimeAdjustmentInformation, // q: SYSTEM_QUERY_TIME_ADJUST_INFORMATION; s: SYSTEM_SET_TIME_ADJUST_INFORMATION (requires SeSystemtimePrivilege)
192 | 		SystemSummaryMemoryInformation, // not implemented
193 | 		SystemMirrorMemoryInformation, // 30, s (requires license value "Kernel-MemoryMirroringSupported") (requires SeShutdownPrivilege)
194 | 		SystemPerformanceTraceInformation, // s
195 | 		SystemObsolete0, // not implemented
196 | 		SystemExceptionInformation, // q: SYSTEM_EXCEPTION_INFORMATION
197 | 		SystemCrashDumpStateInformation, // s (requires SeDebugPrivilege)
198 | 		SystemKernelDebuggerInformation, // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION
199 | 		SystemContextSwitchInformation, // q: SYSTEM_CONTEXT_SWITCH_INFORMATION
200 | 		SystemRegistryQuotaInformation, // q: SYSTEM_REGISTRY_QUOTA_INFORMATION; s (requires SeIncreaseQuotaPrivilege)
201 | 		SystemExtendServiceTableInformation, // s (requires SeLoadDriverPrivilege) // loads win32k only
202 | 		SystemPrioritySeperation, // s (requires SeTcbPrivilege)
203 | 		SystemVerifierAddDriverInformation, // 40, s (requires SeDebugPrivilege)
204 | 		SystemVerifierRemoveDriverInformation, // s (requires SeDebugPrivilege)
205 | 		SystemProcessorIdleInformation, // q: SYSTEM_PROCESSOR_IDLE_INFORMATION
206 | 		SystemLegacyDriverInformation, // q: SYSTEM_LEGACY_DRIVER_INFORMATION
207 | 		SystemCurrentTimeZoneInformation, // q
208 | 		SystemLookasideInformation, // q: SYSTEM_LOOKASIDE_INFORMATION
209 | 		SystemTimeSlipNotification, // s (requires SeSystemtimePrivilege)
210 | 		SystemSessionCreate, // not implemented
211 | 		SystemSessionDetach, // not implemented
212 | 		SystemSessionInformation, // not implemented
213 | 		SystemRangeStartInformation, // 50, q
214 | 		SystemVerifierInformation, // q: SYSTEM_VERIFIER_INFORMATION; s (requires SeDebugPrivilege)
215 | 		SystemVerifierThunkExtend, // s (kernel-mode only)
216 | 		SystemSessionProcessInformation, // q: SYSTEM_SESSION_PROCESS_INFORMATION
217 | 		SystemLoadGdiDriverInSystemSpace, // s (kernel-mode only) (same as SystemLoadGdiDriverInformation)
218 | 		SystemNumaProcessorMap, // q
219 | 		SystemPrefetcherInformation, // q: PREFETCHER_INFORMATION; s: PREFETCHER_INFORMATION // PfSnQueryPrefetcherInformation
220 | 		SystemExtendedProcessInformation, // q: SYSTEM_PROCESS_INFORMATION
221 | 		SystemRecommendedSharedDataAlignment, // q
222 | 		SystemComPlusPackage, // q; s
223 | 		SystemNumaAvailableMemory, // 60
224 | 		SystemProcessorPowerInformation, // q: SYSTEM_PROCESSOR_POWER_INFORMATION
225 | 		SystemEmulationBasicInformation, // q
226 | 		SystemEmulationProcessorInformation,
227 | 		SystemExtendedHandleInformation, // q: SYSTEM_HANDLE_INFORMATION_EX
228 | 		SystemLostDelayedWriteInformation, // q: ULONG
229 | 		SystemBigPoolInformation, // q: SYSTEM_BIGPOOL_INFORMATION
230 | 		SystemSessionPoolTagInformation, // q: SYSTEM_SESSION_POOLTAG_INFORMATION
231 | 		SystemSessionMappedViewInformation, // q: SYSTEM_SESSION_MAPPED_VIEW_INFORMATION
232 | 		SystemHotpatchInformation, // q; s
233 | 		SystemObjectSecurityMode, // 70, q
234 | 		SystemWatchdogTimerHandler, // s (kernel-mode only)
235 | 		SystemWatchdogTimerInformation, // q (kernel-mode only); s (kernel-mode only)
236 | 		SystemLogicalProcessorInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION
237 | 		SystemWow64SharedInformationObsolete, // not implemented
238 | 		SystemRegisterFirmwareTableInformationHandler, // s (kernel-mode only)
239 | 		SystemFirmwareTableInformation, // not implemented
240 | 		SystemModuleInformationEx, // q: RTL_PROCESS_MODULE_INFORMATION_EX
241 | 		SystemVerifierTriageInformation, // not implemented
242 | 		SystemSuperfetchInformation, // q: SUPERFETCH_INFORMATION; s: SUPERFETCH_INFORMATION // PfQuerySuperfetchInformation
243 | 		SystemMemoryListInformation, // 80, q: SYSTEM_MEMORY_LIST_INFORMATION; s: SYSTEM_MEMORY_LIST_COMMAND (requires SeProfileSingleProcessPrivilege)
244 | 		SystemFileCacheInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (same as SystemFileCacheInformation)
245 | 		SystemThreadPriorityClientIdInformation, // s: SYSTEM_THREAD_CID_PRIORITY_INFORMATION (requires SeIncreaseBasePriorityPrivilege)
246 | 		SystemProcessorIdleCycleTimeInformation, // q: SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION[]
247 | 		SystemVerifierCancellationInformation, // not implemented // name:wow64:whNT32QuerySystemVerifierCancellationInformation
248 | 		SystemProcessorPowerInformationEx, // not implemented
249 | 		SystemRefTraceInformation, // q; s // ObQueryRefTraceInformation
250 | 		SystemSpecialPoolInformation, // q; s (requires SeDebugPrivilege) // MmSpecialPoolTag, then MmSpecialPoolCatchOverruns != 0
251 | 		SystemProcessIdInformation, // q: SYSTEM_PROCESS_ID_INFORMATION
252 | 		SystemErrorPortInformation, // s (requires SeTcbPrivilege)
253 | 		SystemBootEnvironmentInformation, // 90, q: SYSTEM_BOOT_ENVIRONMENT_INFORMATION
254 | 		SystemHypervisorInformation, // q; s (kernel-mode only)
255 | 		SystemVerifierInformationEx, // q; s
256 | 		SystemTimeZoneInformation, // s (requires SeTimeZonePrivilege)
257 | 		SystemImageFileExecutionOptionsInformation, // s: SYSTEM_IMAGE_FILE_EXECUTION_OPTIONS_INFORMATION (requires SeTcbPrivilege)
258 | 		SystemCoverageInformation, // q; s // name:wow64:whNT32QuerySystemCoverageInformation; ExpCovQueryInformation
259 | 		SystemPrefetchPatchInformation, // not implemented
260 | 		SystemVerifierFaultsInformation, // s (requires SeDebugPrivilege)
261 | 		SystemSystemPartitionInformation, // q: SYSTEM_SYSTEM_PARTITION_INFORMATION
262 | 		SystemSystemDiskInformation, // q: SYSTEM_SYSTEM_DISK_INFORMATION
263 | 		SystemProcessorPerformanceDistribution, // 100, q: SYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION
264 | 		SystemNumaProximityNodeInformation, // q
265 | 		SystemDynamicTimeZoneInformation, // q; s (requires SeTimeZonePrivilege)
266 | 		SystemCodeIntegrityInformation, // q // SeCodeIntegrityQueryInformation
267 | 		SystemProcessorMicrocodeUpdateInformation, // s
268 | 		SystemProcessorBrandString, // q // HaliQuerySystemInformation -> HalpGetProcessorBrandString, info class 23
269 | 		SystemVirtualAddressInformation, // q: SYSTEM_VA_LIST_INFORMATION[]; s: SYSTEM_VA_LIST_INFORMATION[] (requires SeIncreaseQuotaPrivilege) // MmQuerySystemVaInformation
270 | 		SystemLogicalProcessorAndGroupInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX // since WIN7 // KeQueryLogicalProcessorRelationship
271 | 		SystemProcessorCycleTimeInformation, // q: SYSTEM_PROCESSOR_CYCLE_TIME_INFORMATION[]
272 | 		SystemStoreInformation, // q; s // SmQueryStoreInformation
273 | 		SystemRegistryAppendString, // 110, s: SYSTEM_REGISTRY_APPEND_STRING_PARAMETERS
274 | 		SystemAitSamplingValue, // s: ULONG (requires SeProfileSingleProcessPrivilege)
275 | 		SystemVhdBootInformation, // q: SYSTEM_VHD_BOOT_INFORMATION
276 | 		SystemCpuQuotaInformation, // q; s // PsQueryCpuQuotaInformation
277 | 		SystemNativeBasicInformation, // not implemented
278 | 		SystemSpare1, // not implemented
279 | 		SystemLowPriorityIoInformation, // q: SYSTEM_LOW_PRIORITY_IO_INFORMATION
280 | 		SystemTpmBootEntropyInformation, // q: TPM_BOOT_ENTROPY_NT_RESULT // ExQueryTpmBootEntropyInformation
281 | 		SystemVerifierCountersInformation, // q: SYSTEM_VERIFIER_COUNTERS_INFORMATION
282 | 		SystemPagedPoolInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypePagedPool)
283 | 		SystemSystemPtesInformationEx, // 120, q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemPtes)
284 | 		SystemNodeDistanceInformation, // q
285 | 		SystemAcpiAuditInformation, // q: SYSTEM_ACPI_AUDIT_INFORMATION // HaliQuerySystemInformation -> HalpAuditQueryResults, info class 26
286 | 		SystemBasicPerformanceInformation, // q: SYSTEM_BASIC_PERFORMANCE_INFORMATION // name:wow64:whNtQuerySystemInformation_SystemBasicPerformanceInformation
287 | 		SystemQueryPerformanceCounterInformation, // q: SYSTEM_QUERY_PERFORMANCE_COUNTER_INFORMATION // since WIN7 SP1
288 | 		SystemSessionBigPoolInformation, // since WIN8
289 | 		SystemBootGraphicsInformation,
290 | 		SystemScrubPhysicalMemoryInformation,
291 | 		SystemBadPageInformation,
292 | 		SystemProcessorProfileControlArea,
293 | 		SystemCombinePhysicalMemoryInformation, // 130
294 | 		SystemEntropyInterruptTimingCallback,
295 | 		SystemConsoleInformation,
296 | 		SystemPlatformBinaryInformation,
297 | 		SystemThrottleNotificationInformation,
298 | 		SystemHypervisorProcessorCountInformation,
299 | 		SystemDeviceDataInformation,
300 | 		SystemDeviceDataEnumerationInformation,
301 | 		SystemMemoryTopologyInformation,
302 | 		SystemMemoryChannelInformation,
303 | 		SystemBootLogoInformation, // 140
304 | 		SystemProcessorPerformanceInformationEx, // since WINBLUE
305 | 		SystemSpare0,
306 | 		SystemSecureBootPolicyInformation,
307 | 		SystemPageFileInformationEx,
308 | 		SystemSecureBootInformation,
309 | 		SystemEntropyInterruptTimingRawInformation,
310 | 		SystemPortableWorkspaceEfiLauncherInformation,
311 | 		SystemFullProcessInformation, // q: SYSTEM_PROCESS_INFORMATION with SYSTEM_PROCESS_INFORMATION_EXTENSION (requires admin)
312 | 		SystemKernelDebuggerInformationEx,
313 | 		SystemBootMetadataInformation, // 150
314 | 		SystemSoftRebootInformation,
315 | 		SystemElamCertificateInformation,
316 | 		SystemOfflineDumpConfigInformation,
317 | 		SystemProcessorFeaturesInformation,
318 | 		SystemRegistryReconciliationInformation,
319 | 		SystemEdidInformation,
320 | 		MaxSystemInfoClass
321 | 	} SYSTEM_INFORMATION_CLASS;
322 | }


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # DLLThreadInjectionDetector
 2 | Windows DLL & Thread injection detector
 3 | 
 4 | Cheat engine injection; http://i.imgur.com/Xd5K8sC.png
 5 | Extreme Injector;
 6 | 	- Thread hijack: http://i.imgur.com/u3GbmM7.png
 7 | 	- LdrLoadDLL: http://i.imgur.com/2lAa0tK.png
 8 | 	- LdrpLoadDLL: http://i.imgur.com/85rxfhn.png
 9 | 	- Manual map: http://i.imgur.com/2bedwuC.png
10 | 	- Native: http://i.imgur.com/GJlU382.png
11 | Xenos injector;
12 | 	- Native: http://i.imgur.com/rxn5eYL.png
13 | 	- Manual map: http://i.imgur.com/6dqm5XL.png
14 | 	- CreateThread(Kernel): http://i.imgur.com/Es9hbvK.png
15 | 	- APC(Kernel): http://i.imgur.com/k3LO6H5.png
16 | 	- Manual map(Kernel): http://i.imgur.com/4z5v5ZW.png


--------------------------------------------------------------------------------