Solved

Check if process is injected

Posted on 2012-04-01
5
622 Views
Last Modified: 2012-04-05
Is there any way to check if a process is injected? for example : explorer.exe / notepad.exe / hl2.exe / etc ?

In VB.Net / C# / C++ .

Thanks in advance.
0
Comment
Question by:Nick_23
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 83

Expert Comment

by:CodeCruiser
ID: 37795444
What you mean by injected? If its security related then Microsoft would also want to find a way of doing this.
0
 

Author Comment

by:Nick_23
ID: 37795490
for example, if a code is injected into bf3.exe (game... bf3.exe is a running process) is there a way to discover if that process was injected?
0
 
LVL 83

Expert Comment

by:CodeCruiser
ID: 37795527
I think the only way would be compare the process's memory image with the disk image or the disk image with the originally compiled image. I am not aware of any technique to do that.
0
 
LVL 15

Accepted Solution

by:
Russell_Venable earned 340 total points
ID: 37797706
If your trying to detect injected Dll's in a running process you need to check the original imports of the target executable and cross-view check using a snapshot of the modules currently loaded.

To check a currently running process the code below would partly due what you want. You would also need to add another parameter to allow you to check for certain modules and if they match return true or return the module name/path and/or forget all of that and store all currently loaded modules into a array and cross check with the static executables IAT. That is a lot of code to write out so I am not going to write a example of that here. That would be your homework.

int RetrieveModules(DWORD dwProcessID)
{
    HMODULE hMods[1024];
    HANDLE hProcess;
    DWORD cbNeeded;
    unsigned int i;

    // Print the process identifier.
    printf("\nProcess ID: %u\n", dwProcessID);

    // Get a handle to the process.
    hProcess = OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ, FALSE, dwProcessID);
    if (NULL == hProcess)
        return 1;
    // Get a list of all the modules in this process.
    if(EnumProcessModules(hProcess, hMods, sizeof(hMods), &cbNeeded))
    {
        //Recurse module list
        for (i = 0; i < (cbNeeded / sizeof(HMODULE)); i++)
        {
            TCHAR szModName[MAX_PATH];
            // Get the full path to the module's file.
            if (GetModuleFileNameEx(hProcess, hMods[i], szModName, sizeof(szModName) / sizeof(TCHAR)))
            {
                // Print the module name and handle value.
                if(strstr(szModName, "exe")){
                     _tprintf( TEXT("%s (0x%08X)\n"), szModName, hMods[i]);
                } else {
	             _tprintf( TEXT("\t%s (0x%08X)\n"), szModName, hMods[i]);
		}
            }
        }
    }
    // Release the handle to the process.
    CloseHandle(hProcess);
    return 0;
}

Open in new window

0
 

Author Comment

by:Nick_23
ID: 37813686
thanks Mr. Russell_Venable sir
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you're writing a .NET application to connect to an Access .mdb database and use pre-existing queries that require parameters, you've come to the right place! Let's say the pre-existing query(qryCust) in Access takes a Date as a parameter and l…
A while ago, I was working on a Windows Forms application and I needed a special label control with reflection (glass) effect to show some titles in a stylish way. I've always enjoyed working with graphics, but it's never too clever to re-invent …
In this video, viewers are given an introduction to using the Windows 10 Snipping Tool, how to quickly locate it when it's needed and also how make it always available with a single click of a mouse button, by pinning it to the Desktop Task Bar. Int…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question