Solved

API hooking

Posted on 2013-12-17
Last Modified: 2013-12-19
Hi,

Is there any way to identify the processes hooked to a particular dll?

For example,
When malware infects a system, it does API hooking, such as on "user32.dll".
So, how can these hooked programs be detected for a particular API?
Question by:rpgeegange
 
LVL 61

Assisted Solution

by:btan
btan earned 500 total points
ID: 39728438
Yes, you can, using Process Explorer or even a debugger like WinDbg or maybe OllyDbg if you are willing to attach to that process:
http://www.symantec.com/connect/blogs/using-process-explorer-who-loaded-dll

Probably you can use Process Explorer to simply view the list of DLLs loaded into the address space of a particular process first, and also view the patched process into which the code was being injected by looking at the handles, provided the injecting process lives in memory for some time without closing the handle of the process which it opened for injection.

Or, using a debugger, set a breakpoint near OpenProcess -- this will inevitably be called if the malware is in fact doing process injection, and the function takes the PID of the process as an argument. If you know the PID, you know the process. Typically there would be some outstanding anomalous code or handle injected when you compare it to a similarly named service like svchost.exe, which is a favourite for malware to hide itself under a known process name.

You can also check out Volatility for memory forensics, SpyDllRemover or GMER:

https://code.google.com/p/volatility/wiki/CommandReference#malfind
http://securityxploded.com/spydllremover.php
http://www.gmer.net/?m=0
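One common way to detect an inline API hook is to compare an export's first bytes in process memory with the same bytes in the DLL file on disk, and to see where any redirect leads. The sketch below is an added example, not code from the thread or from any tool named in it; the module range, function addresses and byte strings are constructed sample values.

```python
import struct

def jump_target(code, va, bits=32):
    """Address a redirecting prologue transfers to, or None if no known pattern."""
    if len(code) >= 5 and code[0] == 0xE9:                       # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return (va + 5 + rel) & ((1 << bits) - 1)
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:   # push imm32; ret
        return struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 12 and code[:2] == b"\x48\xb8" and code[10:12] == b"\xff\xe0":
        return struct.unpack_from("<Q", code, 2)[0]              # mov rax, imm64; jmp rax
    return None

def check_export(name, va, mem, disk, mod_base, mod_size, bits=32):
    """Compare an export's in-memory prologue with the same bytes from the file on disk."""
    n = min(len(mem), len(disk))
    if mem[:n] == disk[:n]:
        return {"name": name, "status": "clean", "target": None}
    target = jump_target(mem, va, bits)
    if target is None:
        # Differs from disk but is not a recognised redirect: review by hand
        # (could be a debugger breakpoint or a hook style not covered here).
        return {"name": name, "status": "modified", "target": None}
    inside = mod_base <= target < mod_base + mod_size
    status = "redirect-inside-module" if inside else "hooked"
    return {"name": name, "status": status, "target": target}

# --- Constructed sample data (addresses and bytes are made up for the example) ---
MOD_BASE, MOD_SIZE = 0x75A00000, 0x000D0000        # hypothetical user32.dll mapping
DISK = bytes.fromhex("8bff558bec833d")             # mov edi,edi; push ebp; mov ebp,esp; ...
HOOK_VA, HOOK_DEST = 0x75A5FD3F, 0x10001000        # destination lies outside the module
PATCHED = b"\xe9" + struct.pack("<i", HOOK_DEST - (HOOK_VA + 5)) + DISK[5:]

def run_samples():
    rows = [
        ("MessageBoxW", HOOK_VA, PATCHED),
        ("GetMessageW", 0x75A478E2, DISK),
        ("PeekMessageW", 0x75A505BA, b"\xcc" + DISK[1:]),   # int3 over first byte
    ]
    return [check_export(n, va, mem, DISK, MOD_BASE, MOD_SIZE) for n, va, mem in rows]

if __name__ == "__main__":
    for r in run_samples():
        tgt = "" if r["target"] is None else " -> 0x%08X" % r["target"]
        print("%-13s %s%s" % (r["name"], r["status"], tgt))
```

With real data, the on-disk bytes have to be read at the export's file offset and have relocations applied before the comparison; otherwise prologues that embed absolute addresses show up as false differences.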
 

Author Comment

by:rpgeegange
ID: 39728477
Hi,
Thank you breadtan.

Are there any C# libraries to do such operations, if I want to develop a similar tool?
 
LVL 61

Assisted Solution

by:btan
btan earned 500 total points
ID: 39728508
Not straightforward, and the link below states that it is not done in C# or simple coding, as assembly is the preferred assured means... In general I see that you need to inject "yourself" into the process to detect that the process has been injected or tampered with. Or subscribe to a global system event listener...

http://social.msdn.microsoft.com/Forums/vstudio/en-US/c993a16e-3ebb-49fc-959f-f9b99513bc8a/how-to-detect-code-injection

There is interception at the IL level, but that is probably not what we can leverage since not all malware is IL or .NET based... Using a tool is more straightforward, or writing a kernel-based driver, for which C# is not ideal.

http://www.codeproject.com/Articles/463508/NET-CLR-Injection-Modify-IL-Code-during-Run-time

Author Comment

by:rpgeegange
ID: 39728543
What about http://easyhook.codeplex.com/? Will this library help?

Thank you.
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
ID: 39728662
Seems like you are looking for libraries to perform hooking... EasyHook is possible. But it may be under the Lesser GPL (LGPL), so be aware of this license. E.g. you are not granted the right to sell any software that includes parts of the EasyHook source code or any modification. If you want to modify EasyHook, you are forced to release your work under the LGPL or GPL... Of course this only applies to the library itself. For example, you could release a modification of EasyHook under LGPL, while still being able to release software, which takes advantage of this modification over DLL or .NET bindings, under a proprietary license.

http://www.codeproject.com/Tips/481976/Statically-linking-to-EasyHook

There are a couple of libraries...
>Detours only works for C++ and not for C#...
>Deviare supports C#, but note that it is free for non-commercial use only.
http://www.nektra.com/products/deviare-api-hook-windows/features/

Overall, do note that there may be false positives from AV detecting such libraries as well, as they contain "hooking" capabilities.
 

Author Comment

by:rpgeegange
ID: 39729490
Thanks a lot breadtan.