Check if process is injected

Is there any way to check if a process is injected? for example : explorer.exe / notepad.exe / hl2.exe / etc ?

In VB.Net / C# / C++ .

Thanks in advance.
Nick_23Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

CodeCruiserCommented:
What you mean by injected? If its security related then Microsoft would also want to find a way of doing this.
0
Nick_23Author Commented:
for example, if a code is injected into bf3.exe (game... bf3.exe is a running process) is there a way to discover if that process was injected?
0
CodeCruiserCommented:
I think the only way would be compare the process's memory image with the disk image or the disk image with the originally compiled image. I am not aware of any technique to do that.
0
Russell_VenableCommented:
If your trying to detect injected Dll's in a running process you need to check the original imports of the target executable and cross-view check using a snapshot of the modules currently loaded.

To check a currently running process the code below would partly due what you want. You would also need to add another parameter to allow you to check for certain modules and if they match return true or return the module name/path and/or forget all of that and store all currently loaded modules into a array and cross check with the static executables IAT. That is a lot of code to write out so I am not going to write a example of that here. That would be your homework.

int RetrieveModules(DWORD dwProcessID)
{
    HMODULE hMods[1024];
    HANDLE hProcess;
    DWORD cbNeeded;
    unsigned int i;

    // Print the process identifier.
    printf("\nProcess ID: %u\n", dwProcessID);

    // Get a handle to the process.
    hProcess = OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ, FALSE, dwProcessID);
    if (NULL == hProcess)
        return 1;
    // Get a list of all the modules in this process.
    if(EnumProcessModules(hProcess, hMods, sizeof(hMods), &cbNeeded))
    {
        //Recurse module list
        for (i = 0; i < (cbNeeded / sizeof(HMODULE)); i++)
        {
            TCHAR szModName[MAX_PATH];
            // Get the full path to the module's file.
            if (GetModuleFileNameEx(hProcess, hMods[i], szModName, sizeof(szModName) / sizeof(TCHAR)))
            {
                // Print the module name and handle value.
                if(strstr(szModName, "exe")){
                     _tprintf( TEXT("%s (0x%08X)\n"), szModName, hMods[i]);
                } else {
	             _tprintf( TEXT("\t%s (0x%08X)\n"), szModName, hMods[i]);
		}
            }
        }
    }
    // Release the handle to the process.
    CloseHandle(hProcess);
    return 0;
}

Open in new window

0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Nick_23Author Commented:
thanks Mr. Russell_Venable sir
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Visual Basic.NET

From novice to tech pro — start learning today.