• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 644
  • Last Modified:

Check if process is injected

Is there any way to check if a process is injected? for example : explorer.exe / notepad.exe / hl2.exe / etc ?

In VB.Net / C# / C++ .

Thanks in advance.
0
Nick_23
Asked:
Nick_23
  • 2
  • 2
1 Solution
 
CodeCruiserCommented:
What you mean by injected? If its security related then Microsoft would also want to find a way of doing this.
0
 
Nick_23Author Commented:
for example, if a code is injected into bf3.exe (game... bf3.exe is a running process) is there a way to discover if that process was injected?
0
 
CodeCruiserCommented:
I think the only way would be compare the process's memory image with the disk image or the disk image with the originally compiled image. I am not aware of any technique to do that.
0
 
Russell_VenableCommented:
If your trying to detect injected Dll's in a running process you need to check the original imports of the target executable and cross-view check using a snapshot of the modules currently loaded.

To check a currently running process the code below would partly due what you want. You would also need to add another parameter to allow you to check for certain modules and if they match return true or return the module name/path and/or forget all of that and store all currently loaded modules into a array and cross check with the static executables IAT. That is a lot of code to write out so I am not going to write a example of that here. That would be your homework.

int RetrieveModules(DWORD dwProcessID)
{
    HMODULE hMods[1024];
    HANDLE hProcess;
    DWORD cbNeeded;
    unsigned int i;

    // Print the process identifier.
    printf("\nProcess ID: %u\n", dwProcessID);

    // Get a handle to the process.
    hProcess = OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ, FALSE, dwProcessID);
    if (NULL == hProcess)
        return 1;
    // Get a list of all the modules in this process.
    if(EnumProcessModules(hProcess, hMods, sizeof(hMods), &cbNeeded))
    {
        //Recurse module list
        for (i = 0; i < (cbNeeded / sizeof(HMODULE)); i++)
        {
            TCHAR szModName[MAX_PATH];
            // Get the full path to the module's file.
            if (GetModuleFileNameEx(hProcess, hMods[i], szModName, sizeof(szModName) / sizeof(TCHAR)))
            {
                // Print the module name and handle value.
                if(strstr(szModName, "exe")){
                     _tprintf( TEXT("%s (0x%08X)\n"), szModName, hMods[i]);
                } else {
	             _tprintf( TEXT("\t%s (0x%08X)\n"), szModName, hMods[i]);
		}
            }
        }
    }
    // Release the handle to the process.
    CloseHandle(hProcess);
    return 0;
}

Open in new window

0
 
Nick_23Author Commented:
thanks Mr. Russell_Venable sir
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now