我正在尝试从 Kernel32.dll Hook OpenProcess 以防止所谓的“injector”程序注入(inject)其他 dll进入我的过程:
// -------------------------------------------------------------------
HANDLE WINAPI myOpenProcess(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId)
{
//
if (dwDesiredAccess == PROCESS_ALL_ACCESS || dwDesiredAccess == PROCESS_VM_OPERATION ||
dwDesiredAccess == PROCESS_VM_READ || dwDesiredAccess == PROCESS_VM_WRITE)
{
printf("Blcoked Process ID : %d , DesiredAccess : %d ", dwProcessId, dwDesiredAccess);
return false;
}
//
return dOpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId);
}
如果有人打开“注入(inject)”进程,我需要添加什么才能“检测”? 我不想“预防”,我希望“检测”注入(inject)并决定做什么。
最佳答案
该图描述了注入(inject)器通常执行的将 dll 注入(inject)另一个进程的步骤。你的程序应该进行行为分析来决定它是否正在注入(inject)。您需要挂接其他 API,例如 VirtualAlloc\WriteProcessMemory、CreateRemoteThread 等
Below shows the approach to follow to analyse the injector flow and block the execution when needed. Injector uses many techniques to inject a dll, the below won't be sufficient to all methods.
//
//HookOpenProcess keep track of opened process handle
//
HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, procID);
/*
HookVirtualAlloc Check whether the first param is openprocess handle :: Make the suspicion level 3
*/
LPVOID arg = (LPVOID)VirtualAllocEx(process, NULL, ...);
/*
HookWriteProcessMemory Check whether the first param is openprocess handle :: Make the suspicion level 2
*/
int n = WriteProcessMemory(process, .....);
/*
HookCreateRemoteThread Check whether the first param is openprocess handle :: Make the suspicion level 1 and block it from execution
*/
HANDLE threadID = CreateRemoteThread(process, .........);
关于C++ Hooking kernel32.dll OpenProcess 走弯路,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/33561251/