



 Post subject: DLL Injection and stealth
PostPosted: Tue Oct 30, 2012 1:49 pm 
Junior member
I recently read that every process gets a message about newly loaded libraries in its memory. I think the software developers from the poker platforms are not stupid. How do you manage your hooks to be undetected?


 Post subject: Re: DLL Injection and stealth
PostPosted: Tue Oct 30, 2012 9:19 pm 
Regular member
Screen scraping
A custom dll loader
Use of simple "bare metal" code, that doesn't need relocation.


 Post subject: Re: DLL Injection and stealth
PostPosted: Wed Oct 31, 2012 11:10 am 
Junior member
Sounds interesting, could you please go into more detail?


 Post subject: Re: DLL Injection and stealth
PostPosted: Wed Oct 31, 2012 2:46 pm 
Regular member
You'll find more than enough information on screen scraping by any kind of searching.

Search also works for the dll loading/hiding. I'll give you a couple of links to start from.
About PEB hiding on pokerai.org
@woodmann.com, maybe this - I haven't used any of those tools myself.
To avoid any kind of fancy relocations, simply google for "codecaves" and start from there.

Last but not least, keep in mind that simply reading process memory is often enough. Some clients just make it a bit harder than others.

