2015-11-06 105 views
0

C++: hooking OpenProcess in kernel32.dll with Detours

I am trying to hook OpenProcess in Kernel32.dll to stop so-called "injector" programs from injecting other dll's into my process:

// ------------------------------------------------------------------- 
#include <windows.h> 
#include <stdio.h> 
#include <detours.h> 

// Pointer to the original OpenProcess, redirected by DetourAttach 
static HANDLE (WINAPI *dOpenProcess)(DWORD, BOOL, DWORD) = OpenProcess; 

HANDLE WINAPI myOpenProcess(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId) 
{ 
    // dwDesiredAccess is a bitmask, so test the individual rights with & 
    // (PROCESS_ALL_ACCESS includes all of them) rather than comparing for equality 
    const DWORD blockedRights = PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE; 

    if (dwDesiredAccess & blockedRights) 
    { 
        printf("Blocked Process ID : %lu , DesiredAccess : 0x%lx\n", dwProcessId, dwDesiredAccess); 

        // OpenProcess signals failure with NULL, not false 
        return NULL; 
    } 

    return dOpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId); 
} 

What do I need to add in order to "detect" when someone opens the process to "inject"? I don't want to "block"; I want to "detect" the injection and then decide what to do.

+0

Of course, C++ :) – Mecanik

+0

Where do you see a C# tag? – Mecanik

+0

Ahhh sorry... it was added automatically oO – Mecanik

Answer

2

Pic from http://resources.infosecinstitute.com/

The picture describes the steps an injector typically performs for one method of DLL injection. Your program should do behavioural analysis to decide whether an injection is taking place. You need to hook other APIs as well, such as VirtualAllocEx \ WriteProcessMemory \ CreateRemoteThread.

The approach shown below follows the injection flow and blocks execution when needed. Injectors use many techniques to inject a dll, and the methods below are not sufficient for all of them.

// 
// Hook OpenProcess: keep track of the process handle it returns 
// 
HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, procID); 

/* 
Hook VirtualAllocEx: check whether the first parameter is a handle recorded by the OpenProcess hook :: set suspicion level 3 
*/ 
LPVOID arg = VirtualAllocEx(process, NULL, ...); 

/* 
Hook WriteProcessMemory: check whether the first parameter is a recorded OpenProcess handle :: set suspicion level 2 
*/ 
BOOL ok = WriteProcessMemory(process, ...); 

/* 
Hook CreateRemoteThread: check whether the first parameter is a recorded OpenProcess handle :: set suspicion level 1 and block it from executing 
*/ 
HANDLE thread = CreateRemoteThread(process, ...); 
+0

Thank you very much for your answer. No problem, I can hook anything; do you have time to show me an example? – Mecanik

+0

Thanks a lot, I am testing it now :) – Mecanik

+0

I can't seem to get any of what you wrote working... "check whether the first parameter is the OpenProcess handle": how am I supposed to do that, taking VirtualAllocEx as the example... – Mecanik