API hooking

Hi,

Is there any way to identify the processes hooked to a particular dll?

For example,
When a malware infects, it does api hooking such as to "user32.dl".
So, how to detect these hooked programs for a particular api ?
rpgeegangeAsked:
Who is Participating?
 
btanExec ConsultantCommented:
Seems like you looking for libraries to perform hooking... Easyhook is possible. But it maybe under Lesser GPL (LGPL), so be aware of this License. E.g. You are not granted to sell any software that includes parts of the EasyHook source code or any modification. If you want to modify EasyHook, you are forced to release your work under the LGPL or GPL... Of course this only applies to the library itself. For example you could release a modification of EasyHook under LGPL, while still being able to release software, which takes advantage of this modification over DLL or NET bindings, under a proprietary license.

http://www.codeproject.com/Tips/481976/Statically-linking-to-EasyHook 

There are couple of libraries...
>Detours only works for C++ and not for C#...
>Deviare support C#, but note that it is free for non-commercial use only.
http://www.nektra.com/products/deviare-api-hook-windows/features/

Overall, do note that there may be false positive of AV detecting such libraries as well as it contain "hooking" capabilities
0
 
btanExec ConsultantCommented:
Yes you can using process explorer or even debugger like windbg or maybe ollydebug if you will to attached to that process
http://www.symantec.com/connect/blogs/using-process-explorer-who-loaded-dll

Probably you can use process explorer to simply view the list of dlls loaded into the address space of a particular process's address space first and also view the patch process into which the code was being injected by looking at the handles provided the injecting process must live in memory for some time without closing the handle of the process which it opened for injection.

Or  using debugger set a breakpoint near OpenProcess--this will inevitably be called if the malware is in fact doing process injection, and the function takes the PID of the process as an argument. If you know the PID, you know the process. Typically there would be some outstanding anomalous code or handle injected when you compared to similar named service like svchost.exe which is favourite for malware to hide itself known process name.

Can also check out volatility from memory forensic,  spydllremover or GMER

https://code.google.com/p/volatility/wiki/CommandReference#malfind
http://securityxploded.com/spydllremover.php
http://www.gmer.net/?m=0
0
 
rpgeegangeAuthor Commented:
Hi,
Thank you breadtan.

Is there any C# libraries to do such operations , if I want to develop a similar tool ?
0
WEBINAR: 10 Easy Ways to Lose a Password

Join us on June 27th at 8 am PDT to learn about the methods that hackers use to lift real, working credentials from even the most security-savvy employees. We'll cover the importance of multi-factor authentication and how these solutions can better protect your business!

 
btanExec ConsultantCommented:
Not straightforward and in the below link stated not in C# or simple coding as assembly is the preferred assured means...in general I see that you need to inject "yourself" into the process to detect that the process is been injected or tampered. Or subscribed to global system event listener...

http://social.msdn.microsoft.com/Forums/vstudio/en-US/c993a16e-3ebb-49fc-959f-f9b99513bc8a/how-to-detect-code-injection

There are interception in the IL level but that is probably not what we can leverage since not malware is IL or .NET based...Using tool is more straightforward or writing dirver kernel based which c# is not ideal

http://www.codeproject.com/Articles/463508/NET-CLR-Injection-Modify-IL-Code-during-Run-time
0
 
rpgeegangeAuthor Commented:
What about the http://easyhook.codeplex.com/ ? will this library helps ?

Thank you.
0
 
rpgeegangeAuthor Commented:
Thanks a lot breadtan.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.