Check if process is injected

Is there any way to check if a process is injected? for example : explorer.exe / notepad.exe / hl2.exe / etc ?

In VB.Net / C# / C++ .

Thanks in advance.
Nick_23Asked:
Who is Participating?
 
Russell_VenableCommented:
If your trying to detect injected Dll's in a running process you need to check the original imports of the target executable and cross-view check using a snapshot of the modules currently loaded.

To check a currently running process the code below would partly due what you want. You would also need to add another parameter to allow you to check for certain modules and if they match return true or return the module name/path and/or forget all of that and store all currently loaded modules into a array and cross check with the static executables IAT. That is a lot of code to write out so I am not going to write a example of that here. That would be your homework.

int RetrieveModules(DWORD dwProcessID)
{
    HMODULE hMods[1024];
    HANDLE hProcess;
    DWORD cbNeeded;
    unsigned int i;

    // Print the process identifier.
    printf("\nProcess ID: %u\n", dwProcessID);

    // Get a handle to the process.
    hProcess = OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ, FALSE, dwProcessID);
    if (NULL == hProcess)
        return 1;
    // Get a list of all the modules in this process.
    if(EnumProcessModules(hProcess, hMods, sizeof(hMods), &cbNeeded))
    {
        //Recurse module list
        for (i = 0; i < (cbNeeded / sizeof(HMODULE)); i++)
        {
            TCHAR szModName[MAX_PATH];
            // Get the full path to the module's file.
            if (GetModuleFileNameEx(hProcess, hMods[i], szModName, sizeof(szModName) / sizeof(TCHAR)))
            {
                // Print the module name and handle value.
                if(strstr(szModName, "exe")){
                     _tprintf( TEXT("%s (0x%08X)\n"), szModName, hMods[i]);
                } else {
	             _tprintf( TEXT("\t%s (0x%08X)\n"), szModName, hMods[i]);
		}
            }
        }
    }
    // Release the handle to the process.
    CloseHandle(hProcess);
    return 0;
}

Open in new window

0
 
CodeCruiserCommented:
What you mean by injected? If its security related then Microsoft would also want to find a way of doing this.
0
 
Nick_23Author Commented:
for example, if a code is injected into bf3.exe (game... bf3.exe is a running process) is there a way to discover if that process was injected?
0
 
CodeCruiserCommented:
I think the only way would be compare the process's memory image with the disk image or the disk image with the originally compiled image. I am not aware of any technique to do that.
0
 
Nick_23Author Commented:
thanks Mr. Russell_Venable sir
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.