C++ Hooking kernel32.dll OpenProcess with detours
I am trying to hook OpenProcess from Kernel32.dll to prevent so-called "injector" programs from injecting other DLLs into my process:
// -------------------------------------------------------------------
// Detour for OpenProcess; dOpenProcess is the Detours trampoline that
// calls the original function.
HANDLE WINAPI myOpenProcess(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId)
{
    // Access rights are bit flags and are normally combined, so test with a
    // mask instead of exact equality (PROCESS_ALL_ACCESS includes these bits).
    const DWORD suspicious = PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE;
    if (dwDesiredAccess & suspicious)
    {
        printf("Blocked Process ID : %lu , DesiredAccess : 0x%lX\n", dwProcessId, dwDesiredAccess);
        return NULL; // OpenProcess returns a HANDLE; NULL signals failure
    }
    return dOpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId);
}
What do I need to add so that I can "detect" when someone opens an "injecting" process?
I don't want to "prevent"; I want to "detect" the injection and then decide what to do.
The figure describes the steps an injector usually performs to inject a DLL into another process. Your program should do behaviour analysis to decide whether it is injecting. You need to hook other APIs, such as VirtualAlloc, WriteProcessMemory, CreateRemoteThread, etc.
Below shows the approach to follow to analyse the injector flow and block the execution when needed. Injectors use many techniques to inject a DLL; the below won't be sufficient for all methods.
//
// HookOpenProcess: keep track of the opened process handle
//
HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, procID);
/*
HookVirtualAllocEx: check whether the first param is the OpenProcess handle :: make the suspicion level 3
*/
LPVOID arg = (LPVOID)VirtualAllocEx(process, NULL, ...);
/*
HookWriteProcessMemory: check whether the first param is the OpenProcess handle :: make the suspicion level 2
*/
BOOL written = WriteProcessMemory(process, .....);
/*
HookCreateRemoteThread: check whether the first param is the OpenProcess handle :: make the suspicion level 1 and block it from execution
*/
HANDLE thread = CreateRemoteThread(process, .........);
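To make the suspicion levels above concrete, here is the handle-tracking state the hooks would consult, as an added example that is not part of the answer or of Detours. It assumes hypothetical helper names (trackOpenProcess, trackCloseHandle, onVirtualAllocEx, onWriteProcessMemory, blockCreateRemoteThread) and uses plain typedefs in place of <windows.h> so it builds anywhere; it goes beyond the answer by blocking CreateRemoteThread only after the allocate and write steps were seen on the same handle, and by forgetting a handle on CloseHandle because handle values are reused.

```cpp
#include <cstddef>
#include <map>
#include <mutex>

// Stand-ins for the Windows types so the tracking logic builds anywhere;
// in the real hooks these come from <windows.h>.
typedef void* HANDLE;
typedef unsigned long DWORD;

// How far along the inject sequence a tracked handle has progressed.
enum Stage { OPENED = 0, ALLOCATED = 1, WRITTEN = 2 };

struct Tracked { DWORD pid; DWORD access; Stage stage; };

static std::map<HANDLE, Tracked> g_tracked;   // handle -> state
static std::mutex g_lock;                     // hooks run on any thread

// OpenProcess hook: call after the real OpenProcess returned a handle.
void trackOpenProcess(HANDLE h, DWORD pid, DWORD access) {
    if (h == NULL) return;
    std::lock_guard<std::mutex> g(g_lock);
    g_tracked[h] = Tracked{pid, access, OPENED};
}

// CloseHandle hook: forget the handle, since handle values get reused.
void trackCloseHandle(HANDLE h) {
    std::lock_guard<std::mutex> g(g_lock);
    g_tracked.erase(h);
}

// Shared step: advance the stage if h is tracked; return the suspicion
// level the answer assigns to this call, or 0 if the handle is not tracked.
static int advance(HANDLE h, Stage s, int level) {
    std::lock_guard<std::mutex> g(g_lock);
    auto it = g_tracked.find(h);
    if (it == g_tracked.end()) return 0;
    if (it->second.stage < s) it->second.stage = s;
    return level;
}

int onVirtualAllocEx(HANDLE h)     { return advance(h, ALLOCATED, 3); }
int onWriteProcessMemory(HANDLE h) { return advance(h, WRITTEN, 2); }

// CreateRemoteThread hook: block only when the whole chain was seen on this
// handle (opened, memory allocated, memory written), which avoids flagging
// remote threads created on handles that never had memory written.
bool blockCreateRemoteThread(HANDLE h) {
    std::lock_guard<std::mutex> g(g_lock);
    auto it = g_tracked.find(h);
    return it != g_tracked.end() && it->second.stage == WRITTEN;
}
```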