1

我想检测 dll 注入器。下面的代码作为 dll 注入器工作。我需要你在 c# 源代码中的帮助,它可以帮助我检测然后我将关闭我的应用程序。我在 google.com 中搜索了很多但很累得到解决方案。请帮助并给我 C# 中的源代码

public partial class Form1 : Form
{
    [DllImport("kernel32")]
    public static extern IntPtr CreateRemoteThread(
      IntPtr hProcess,
      IntPtr lpThreadAttributes,
      uint dwStackSize,
      UIntPtr lpStartAddress, // raw Pointer into remote process  
      IntPtr lpParameter,
      uint dwCreationFlags,
      out IntPtr lpThreadId
    );

    [DllImport("kernel32.dll")]
    public static extern IntPtr OpenProcess(
        UInt32 dwDesiredAccess,
        Int32 bInheritHandle,
        Int32 dwProcessId
        );


    [DllImport("kernel32.dll")]
    public static extern Int32 CloseHandle(
    IntPtr hObject
    );

    [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
    static extern bool VirtualFreeEx(
        IntPtr hProcess,
        IntPtr lpAddress,
        UIntPtr dwSize,
        uint dwFreeType
        );

    [DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true)]
    public static extern UIntPtr GetProcAddress(
        IntPtr hModule,
        string procName
        );

    [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
    static extern IntPtr VirtualAllocEx(
        IntPtr hProcess,
        IntPtr lpAddress,
        uint dwSize,
        uint flAllocationType,
        uint flProtect
        );


    [DllImport("kernel32.dll")]
    static extern bool WriteProcessMemory(
        IntPtr hProcess,
        IntPtr lpBaseAddress,
        string lpBuffer,
        UIntPtr nSize,
        out IntPtr lpNumberOfBytesWritten
    );

    [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
    public static extern IntPtr GetModuleHandle(
        string lpModuleName
        );

    [DllImport("kernel32", SetLastError = true, ExactSpelling = true)]
    internal static extern Int32 WaitForSingleObject(
        IntPtr handle,
        Int32 milliseconds
        );

    public Int32 GetProcessId(String proc)
    {
        Process[] ProcList;
        ProcList = Process.GetProcessesByName(proc);
        return ProcList[0].Id;
    }
    public void InjectDLL(IntPtr hProcess, String strDLLName, Process proc)
    {
        IntPtr bytesout;

        // Length of string containing the DLL file name +1 byte padding
        Int32 LenWrite = strDLLName.Length + 1;
        // Allocate memory within the virtual address space of the target process
        IntPtr AllocMem = (IntPtr)VirtualAllocEx(hProcess, (IntPtr)null, (uint)LenWrite, 0x1000, 0x40); //allocation pour WriteProcessMemory

        // Write DLL file name to allocated memory in target process
        WriteProcessMemory(hProcess, AllocMem, strDLLName, (UIntPtr)LenWrite, out bytesout);
        // Function pointer "Injector"
        UIntPtr Injector = (UIntPtr)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");

        if (Injector == null)
        {
            Console.WriteLine(" Injector Error! \n ");
            // return failed
            return;
        }

        // Create thread in target process, and store handle in hThread
        IntPtr hThread = (IntPtr)CreateRemoteThread(hProcess, (IntPtr)null, 0, Injector, AllocMem, 0, out bytesout);
        // Make sure thread handle is valid
        if (hThread == null)
        {
            //incorrect thread handle ... return failed
            Console.WriteLine(" hThread [ 1 ] Error! \n ");
            return;
        }
        // Time-out is 10 seconds...
        int Result = WaitForSingleObject(hThread, 10 * 1000);
        // Check whether thread timed out...
        if (Result == 0x00000080L || Result == 0x00000102L || Result == 0xFFFFFFFF)
        {
            /* Thread timed out... */
            Console.WriteLine(" hThread [ 2 ] Error! \n ");
            // Make sure thread handle is valid before closing... prevents crashes.
            if (hThread != null)
            {
                //Close thread in target process
                CloseHandle(hThread);
            }
            return;
        }
        // Sleep thread for 1 second
        Thread.Sleep(1000);
        // Clear up allocated space ( Allocmem )
        VirtualFreeEx(hProcess, AllocMem, (UIntPtr)0, 0x8000);
        // Make sure thread handle is valid before closing... prevents crashes.
        if (hThread != null)
        {
            //Close thread in target process
            CloseHandle(hThread);
        }
        // return succeeded
        return;
    }
    public Form1()
    {
        InitializeComponent();
    }

    private void Form1_Load(object sender, EventArgs e)
    {

    }

    private void button1_Click(object sender, EventArgs e)
    {
        String strDLLName = @"C:\Users\muhammad.qasim\Desktop\qasim\testdllinject\testdllinject\bin\Debug\testdllinject.dll";
        String strProcessName = "notepad";

        Int32 ProcID = GetProcessId(strProcessName);
        Process proc = Process.GetProcessById(ProcID);

        if (ProcID >= 0)
        {
            IntPtr hProcess = (IntPtr)OpenProcess(0x1F0FFF, 1, ProcID);
            if (hProcess == null)
            {
                MessageBox.Show("OpenProcess() Failed!");
                return;
            }
            else
            {
                InjectDLL(hProcess, strDLLName, proc);
                MessageBox.Show("injected");

            }
        }
    }
}

}

4

1 回答 1

2

实现 DLL 注入(Hooking)的场景有很多,您需要了解更多关于每个方法背后的工作原理并对其进行保护,最常见的是使用 CreateRemoteThread() API 函数,例如您可以注入您的安全每个正在运行的进程上的 DLL 并挂钩/重定向/拒绝对 CreateRemoteThread() 的任何调用或任何“危险”API 调用。

PS:由于您正在编写 C# 代码,您可能对EasyHook感兴趣。

但是请记住(如果您真的想制作安全软件):

用户模式挂钩永远不会成为以任何安全方式应用额外安全检查的选项。如果你只想“沙箱化”一个专用进程,你很了解,而进程实际上并不了解 EasyHook,这可能会成功!但永远不要尝试编写任何基于用户模式挂钩的安全软件。它不会起作用的,我向你保证……</p>

更新 EasyHook 移至 github:https ://github.com/EasyHook/EasyHook

于 2013-04-29T02:53:12.013 回答