Solved

Check if process is injected

Posted on 2012-04-01
5
611 Views
Last Modified: 2012-04-05
Is there any way to check if a process is injected? for example : explorer.exe / notepad.exe / hl2.exe / etc ?

In VB.Net / C# / C++ .

Thanks in advance.
0
Comment
Question by:Nick_23
  • 2
  • 2
5 Comments
 
LVL 83

Expert Comment

by:CodeCruiser
ID: 37795444
What you mean by injected? If its security related then Microsoft would also want to find a way of doing this.
0
 

Author Comment

by:Nick_23
ID: 37795490
for example, if a code is injected into bf3.exe (game... bf3.exe is a running process) is there a way to discover if that process was injected?
0
 
LVL 83

Expert Comment

by:CodeCruiser
ID: 37795527
I think the only way would be compare the process's memory image with the disk image or the disk image with the originally compiled image. I am not aware of any technique to do that.
0
 
LVL 15

Accepted Solution

by:
Russell_Venable earned 340 total points
ID: 37797706
If your trying to detect injected Dll's in a running process you need to check the original imports of the target executable and cross-view check using a snapshot of the modules currently loaded.

To check a currently running process the code below would partly due what you want. You would also need to add another parameter to allow you to check for certain modules and if they match return true or return the module name/path and/or forget all of that and store all currently loaded modules into a array and cross check with the static executables IAT. That is a lot of code to write out so I am not going to write a example of that here. That would be your homework.

int RetrieveModules(DWORD dwProcessID)
{
    HMODULE hMods[1024];
    HANDLE hProcess;
    DWORD cbNeeded;
    unsigned int i;

    // Print the process identifier.
    printf("\nProcess ID: %u\n", dwProcessID);

    // Get a handle to the process.
    hProcess = OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ, FALSE, dwProcessID);
    if (NULL == hProcess)
        return 1;
    // Get a list of all the modules in this process.
    if(EnumProcessModules(hProcess, hMods, sizeof(hMods), &cbNeeded))
    {
        //Recurse module list
        for (i = 0; i < (cbNeeded / sizeof(HMODULE)); i++)
        {
            TCHAR szModName[MAX_PATH];
            // Get the full path to the module's file.
            if (GetModuleFileNameEx(hProcess, hMods[i], szModName, sizeof(szModName) / sizeof(TCHAR)))
            {
                // Print the module name and handle value.
                if(strstr(szModName, "exe")){
                     _tprintf( TEXT("%s (0x%08X)\n"), szModName, hMods[i]);
                } else {
	             _tprintf( TEXT("\t%s (0x%08X)\n"), szModName, hMods[i]);
		}
            }
        }
    }
    // Release the handle to the process.
    CloseHandle(hProcess);
    return 0;
}

Open in new window

0
 

Author Comment

by:Nick_23
ID: 37813686
thanks Mr. Russell_Venable sir
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction As chip makers focus on adding processor cores over increasing clock speed, developers need to utilize the features of modern CPUs.  One of the ways we can do this is by implementing parallel algorithms in our software.   One recent…
It was really hard time for me to get the understanding of Delegates in C#. I went through many websites and articles but I found them very clumsy. After going through those sites, I noted down the points in a easy way so here I am sharing that unde…
This Micro Tutorial will give you a basic overview how to record your screen with Microsoft Expression Encoder. This program is still free and open for the public to download. This will be demonstrated using Microsoft Expression Encoder 4.
Many functions in Excel can make decisions. The most simple of these is the IF function: it returns a value depending on whether a condition you describe is true or false. Once you get the hang of using the IF function, you will find it easier to us…

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now