
C++ Hooking kernel32.dll OpenProcess detour

Reposted. Author: 行者123. Updated: 2023-11-28 02:17:39

I am trying to hook OpenProcess from Kernel32.dll to prevent so-called "injector" programs from injecting other DLLs into my process:

#include <windows.h>
#include <stdio.h>

// Pointer to the original OpenProcess, saved by the hooking code (trampoline /
// detour) before the hook is installed.
typedef HANDLE (WINAPI *OpenProcess_t)(DWORD, BOOL, DWORD);
OpenProcess_t dOpenProcess = NULL;

// -------------------------------------------------------------------
HANDLE WINAPI myOpenProcess(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId)
{
    // Access rights are bit flags, so test with a mask rather than ==;
    // PROCESS_ALL_ACCESS and any combination containing these bits match too.
    const DWORD blocked = PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE;
    if (dwDesiredAccess & blocked)
    {
        printf("Blocked Process ID : %lu , DesiredAccess : 0x%08lX\n", dwProcessId, dwDesiredAccess);
        SetLastError(ERROR_ACCESS_DENIED);
        return NULL;   // OpenProcess signals failure with NULL, not false
    }

    return dOpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId);
}

What do I need to add in order to "detect" when someone opens the process for "injection"? I don't want to "prevent"; I want to "detect" the injection and then decide what to do.

Best answer

[Figure: the steps an injector takes to inject a DLL into another process; image from http://resources.infosecinstitute.com/]

The diagram describes the steps an injector typically performs to inject a DLL into another process. Your program should do behavioural analysis to decide whether it is injecting. You need to hook other APIs as well, such as VirtualAlloc, WriteProcessMemory and CreateRemoteThread.

Below is the approach to follow to analyse the injector flow and block execution when needed. Injectors use many techniques to inject a DLL; the below won't be sufficient for all of them.

//
// Hooked OpenProcess: keep track of every process handle that gets opened
//
HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, procID);

/*
Hooked VirtualAllocEx: check whether the first parameter is a tracked OpenProcess handle :: set the suspicion level to 3
*/
LPVOID remoteBuffer = VirtualAllocEx(process, NULL, ...);

/*
Hooked WriteProcessMemory: check whether the first parameter is a tracked OpenProcess handle :: set the suspicion level to 2
*/
BOOL written = WriteProcessMemory(process, ...);

/*
Hooked CreateRemoteThread: check whether the first parameter is a tracked OpenProcess handle :: set the suspicion level to 1 and block the call
*/
HANDLE hRemoteThread = CreateRemoteThread(process, ...);
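The detection chain sketched in the answer, worked out as an added example (this is not code from the answer or from the question): a portable C++ monitor that the hooked OpenProcess / VirtualAllocEx / WriteProcessMemory / CreateRemoteThread / CloseHandle functions feed with the handle and access mask they observed. It tracks only handles opened with injection-capable rights (tested as a bitmask, so PROCESS_ALL_ACCESS matches too), moves a per-handle suspicion level along alloc -> write -> thread using the answer's 3 / 2 / 1 numbering, and tells the CreateRemoteThread hook to fail the call once the full chain has been seen. No Windows API is called; the access-right constants carry their winnt.h values, the two call traces are constructed, and the handle values, `InjectionMonitor`, `ApiCall` and `replay` are this example's own names. One caveat: user-mode hooks only see calls made inside the process they are installed in, so these hooks have to live in the process doing the injecting, not only in the process being protected.

```cpp
#include <cstdint>
#include <string>
#include <unordered_map>
#include <vector>

// Process access rights, with the values winnt.h defines for them.
constexpr uint32_t PROCESS_CREATE_THREAD     = 0x0002;
constexpr uint32_t PROCESS_VM_OPERATION      = 0x0008;
constexpr uint32_t PROCESS_VM_READ           = 0x0010;
constexpr uint32_t PROCESS_VM_WRITE          = 0x0020;
constexpr uint32_t PROCESS_QUERY_INFORMATION = 0x0400;
constexpr uint32_t PROCESS_ALL_ACCESS        = 0x1FFFFF;

// Rights the classic injection chain needs on the target handle. Tested with
// a bitmask, never ==, so PROCESS_ALL_ACCESS and any superset match as well.
constexpr uint32_t kInjectionRights =
    PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD;

// Suspicion level per tracked handle, numbered as in the answer: 3 after a
// remote allocation, 2 after a remote write, 1 when a remote thread is started.
enum class Suspicion : int { None = 0, Allocated = 3, Written = 2, RemoteThread = 1 };

struct Verdict {
    bool allow;        // false => the hook should fail the call (return NULL)
    Suspicion level;
    std::string reason;
};

class InjectionMonitor {
public:
    // OpenProcess hook: remember handles that carry injection-capable rights.
    void onOpenProcess(uint64_t handle, uint32_t desiredAccess, uint32_t pid) {
        if (handle != 0 && (desiredAccess & kInjectionRights) != 0)
            tracked_[handle] = {pid, Suspicion::None};
    }

    // VirtualAllocEx hook: a remote allocation on a tracked handle is step one.
    Verdict onVirtualAllocEx(uint64_t handle) {
        auto it = tracked_.find(handle);
        if (it == tracked_.end()) return {true, Suspicion::None, "handle not tracked"};
        it->second.level = Suspicion::Allocated;
        return {true, Suspicion::Allocated, "remote allocation on tracked handle"};
    }

    // WriteProcessMemory hook: writing after allocating is step two.
    Verdict onWriteProcessMemory(uint64_t handle) {
        auto it = tracked_.find(handle);
        if (it == tracked_.end()) return {true, Suspicion::None, "handle not tracked"};
        if (it->second.level == Suspicion::Allocated) it->second.level = Suspicion::Written;
        return {true, it->second.level, "remote write on tracked handle"};
    }

    // CreateRemoteThread hook: after alloc + write the chain is complete and
    // the call is blocked. A remote thread without the preceding steps is
    // reported but allowed (a design choice of this example, not the answer's).
    Verdict onCreateRemoteThread(uint64_t handle) {
        auto it = tracked_.find(handle);
        if (it == tracked_.end()) return {true, Suspicion::None, "handle not tracked"};
        if (it->second.level == Suspicion::Written) {
            it->second.level = Suspicion::RemoteThread;
            return {false, Suspicion::RemoteThread, "alloc -> write -> thread chain complete: blocked"};
        }
        return {true, it->second.level, "remote thread without prior alloc+write: alert only"};
    }

    // CloseHandle hook: forget the handle so a reused value is not misattributed.
    void onCloseHandle(uint64_t handle) { tracked_.erase(handle); }

    size_t trackedCount() const { return tracked_.size(); }

private:
    struct Target { uint32_t pid; Suspicion level; };
    std::unordered_map<uint64_t, Target> tracked_;
};

// One hooked call, as the hooks would hand it to the monitor.
struct ApiCall { std::string api; uint64_t handle; uint32_t access; uint32_t pid; };

// Replay a sequence of hooked calls; return the first blocking verdict, or the
// last allow verdict if the whole sequence passed.
Verdict replay(InjectionMonitor& m, const std::vector<ApiCall>& calls) {
    Verdict last{true, Suspicion::None, "no calls"};
    for (const ApiCall& c : calls) {
        if (c.api == "OpenProcess") { m.onOpenProcess(c.handle, c.access, c.pid); continue; }
        if (c.api == "CloseHandle") { m.onCloseHandle(c.handle); continue; }
        if (c.api == "VirtualAllocEx")          last = m.onVirtualAllocEx(c.handle);
        else if (c.api == "WriteProcessMemory") last = m.onWriteProcessMemory(c.handle);
        else if (c.api == "CreateRemoteThread") last = m.onCreateRemoteThread(c.handle);
        if (!last.allow) return last;
    }
    return last;
}

// Constructed trace: the classic injector chain against handle 0x1000.
const std::vector<ApiCall> kInjectorTrace = {
    {"OpenProcess",        0x1000, PROCESS_ALL_ACCESS, 4242},
    {"VirtualAllocEx",     0x1000, 0, 0},
    {"WriteProcessMemory", 0x1000, 0, 0},
    {"CreateRemoteThread", 0x1000, 0, 0},
};

// Constructed trace: a handle opened for querying only is never tracked, so
// nothing done through it raises the level (Windows would reject the thread
// creation anyway for lack of PROCESS_CREATE_THREAD).
const std::vector<ApiCall> kBenignTrace = {
    {"OpenProcess",        0x2000, PROCESS_QUERY_INFORMATION, 4242},
    {"CreateRemoteThread", 0x2000, 0, 0},
};
```

In a real deployment each `on...` method is called from the corresponding detour after the original function has returned, and the hook honours `Verdict::allow` by either passing the result through or failing the call. Tracking is keyed on the handle value, which is why the CloseHandle hook matters: Windows reuses handle values, and without it a later unrelated handle could inherit a stale suspicion level.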

Regarding "C++ Hooking kernel32.dll OpenProcess detour", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/33561251/

Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号