
# Inject Defense

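## Import Table and IME DLL Injection

* At program startup, check the signatures and certificates of the EXE and DLLs.
* Hook `LoadLibrary` inside the user process; when a DLL being loaded is not on the whitelist, refuse to load it.
* In the driver, monitor user modifications to critical system DLLs and to the EXEs and DLLs of the user's software, and deny them? (filesystem minifilter)

For import-table injection, the DLL is loaded before the program's entry function has run, so `LoadLibrary` cannot be hooked in time. The only option is to monitor DLL loads from the driver and notify the user process when a DLL that is not on the whitelist is loaded. In addition, security software usually does not modify user files, so the program can simply exit when it is told about an unknown DLL load, with little impact on compatibility.

Injection methods that act after the program has started, such as IME (input method) injection, can be monitored by hooking `LoadLibrary`.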
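
The two cases above differ in what the process can still do: a `LoadLibrary` hook can refuse the load, while a driver notification only leaves exiting. The C code below is an added example, not code from these notes; the whitelist entries, the names `decide` and `module_allowed`, and the assumption that the driver reports DOS-style full paths are constructed for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

enum load_source { SRC_DRIVER_NOTIFY, SRC_LOADLIBRARY_HOOK };
enum load_action { ACT_ALLOW, ACT_REFUSE_LOAD, ACT_EXIT_PROCESS };

/* Constructed whitelist: full paths, lower-case, backslash-separated.
 * Matching on the full path means a same-named DLL elsewhere is rejected. */
static const char *const WHITELIST[] = {
    "c:\\windows\\system32\\kernel32.dll",
    "c:\\windows\\system32\\user32.dll",
    "c:\\game\\engine.dll",
};

/* Strip a \\?\ prefix, fold case, turn '/' into '\'.
 * Returns 0 on success, -1 if the result does not fit in out. */
static int normalize_path(const char *in, char *out, size_t cap)
{
    size_t n = 0;
    if (strncmp(in, "\\\\?\\", 4) == 0)
        in += 4;
    for (; *in != '\0'; in++) {
        if (n + 1 >= cap)
            return -1;
        out[n++] = (*in == '/') ? '\\' : (char)tolower((unsigned char)*in);
    }
    out[n] = '\0';
    return 0;
}

/* 1 if the normalised full path is whitelisted; fails closed otherwise. */
static int module_allowed(const char *path)
{
    char norm[260];
    if (path == NULL || normalize_path(path, norm, sizeof norm) != 0)
        return 0;
    if (strstr(norm, "..") != NULL)  /* reject any path containing ".." */
        return 0;
    for (size_t i = 0; i < sizeof WHITELIST / sizeof WHITELIST[0]; i++)
        if (strcmp(norm, WHITELIST[i]) == 0)
            return 1;
    return 0;
}

/* Hook path: the load can still be refused. Driver path: the load was not
 * interceptable in-process, so the response described above is to exit. */
enum load_action decide(enum load_source src, const char *path)
{
    if (module_allowed(path))
        return ACT_ALLOW;
    return src == SRC_LOADLIBRARY_HOOK ? ACT_REFUSE_LOAD : ACT_EXIT_PROCESS;
}
```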

