C++: Using Detours to hook kernel32.dll OpenProcess

Time: 2015-11-06 07:04:36

Tags: c++ windows winapi dll hook

I am trying to hook OpenProcess from Kernel32.dll to stop so-called "injector" programs from injecting other DLLs into my process:

#include <windows.h>
#include <cstdio>

// Trampoline to the real OpenProcess; Detours repoints it when the hook is attached.
static HANDLE (WINAPI *dOpenProcess)(DWORD, BOOL, DWORD) = OpenProcess;

// -------------------------------------------------------------------
HANDLE WINAPI myOpenProcess(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId)
{
    // Refuse any handle that carries one of the rights an injector needs
    // (PROCESS_ALL_ACCESS includes all of them, so a bitmask test covers it too).
    if (dwDesiredAccess & (PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE))
    {
        printf("Blocked Process ID : %lu , DesiredAccess : 0x%08lx\n", dwProcessId, dwDesiredAccess);

        // OpenProcess signals failure with a NULL handle, not with false.
        SetLastError(ERROR_ACCESS_DENIED);
        return NULL;
    }

    // Everything else goes through to the real function.
    return dOpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId);
}

What do I need to add in order to "detect" that someone is opening the process to "inject"? I don't want to "block"; I want to "detect" the injection and then decide what to do.

1 answer:

Answer 0 (score: 2)

[Figure: steps of a typical DLL injection; image from http://resources.infosecinstitute.com/]

The figure depicts the steps an injector usually takes to inject a DLL into another process. Your program should do behavioural analysis to determine whether an injection is taking place. You need to hook other APIs as well, such as VirtualAlloc, WriteProcessMemory and CreateRemoteThread.


Below is a way to analyse an injector's flow and block execution when needed. Injectors use many techniques to inject a DLL; the following is not sufficient for all of them.

//
// HookOpenProcess: keep track of the opened process handle
//
HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, procID);

/*
HookVirtualAllocEx: check whether the first param is a handle returned by OpenProcess :: set suspicion level 3
*/
LPVOID arg = (LPVOID)VirtualAllocEx(process, NULL, ...);

/*
HookWriteProcessMemory: check whether the first param is a handle returned by OpenProcess :: set suspicion level 2
*/
BOOL written = WriteProcessMemory(process, .....);   // WriteProcessMemory returns BOOL, not int

/*
HookCreateRemoteThread: check whether the first param is a handle returned by OpenProcess :: set suspicion level 1 and block it from execution
*/
HANDLE thread = CreateRemoteThread(process, .........);   // returns a thread HANDLE