Solved

API hooking

Posted on 2013-12-17
Medium Priority
772 Views
Last Modified: 2013-12-19
Hi,

Is there any way to identify the processes hooked to a particular DLL?

For example,
When malware infects, it does API hooking, such as to "user32.dll".
So, how to detect these hooked programs for a particular API?
Question by:rpgeegange
6 Comments
LVL 65

Assisted Solution

by:btan
btan earned 2000 total points
ID: 39728438
Yes, you can, using Process Explorer or even a debugger like WinDbg or maybe OllyDbg if you are willing to attach to that process.
http://www.symantec.com/connect/blogs/using-process-explorer-who-loaded-dll

Probably you can use Process Explorer to simply view the list of DLLs loaded into a particular process's address space first, and also view the patched process into which the code was injected by looking at the handles, provided the injecting process lives in memory for some time without closing the handle of the process it opened for injection.

Or, using a debugger, set a breakpoint near OpenProcess; this will inevitably be called if the malware is in fact doing process injection, and the function takes the PID of the process as an argument. If you know the PID, you know the process. Typically there would be some outstanding anomalous code or handle injected when you compare to a similarly named service like svchost.exe, which is a favourite for malware to hide itself under a known process name.

Can also check out Volatility for memory forensics, SpyDllRemover or GMER.

https://code.google.com/p/volatility/wiki/CommandReference#malfind
http://securityxploded.com/spydllremover.php
http://www.gmer.net/?m=0
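Taking btan's answer above one step further, here is a defender-side illustration of what tools such as GMER or Volatility look for when they report API hooks: read the first bytes of an exported function out of the live process, compare them with the clean copy from the DLL image on disk, and, if they differ, decode the JMP or PUSH/RET stub that was written there to see which module (if any) owns the target. This is an added example, not code from the thread or from any tool mentioned in it. All module addresses, function addresses and prologue bytes are constructed for illustration; in a real tool the memory side would come from ReadProcessMemory on the target process and the clean side from parsing the DLL's export table on disk.

```python
"""Inline-hook detection by prologue comparison (added example, constructed data)."""
import struct
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ModuleInfo:
    """A loaded module: name plus the address range it is mapped at."""
    name: str
    base: int
    size: int


@dataclass
class FunctionSnapshot:
    """Entry bytes of one exported function, once from the DLL image on disk
    (clean_bytes) and once read out of the live process (memory_bytes)."""
    module: str
    name: str
    address: int
    clean_bytes: bytes
    memory_bytes: bytes


def decode_jump_target(addr: int, code: bytes) -> Optional[int]:
    """Decode the two stub forms an x86 inline hook usually writes at a function
    entry: 'E9 rel32' (jmp) and '68 imm32 C3' (push target; ret).
    Returns the absolute target, or None if the bytes are not such a stub."""
    if len(code) >= 5 and code[0] == 0xE9:
        rel = struct.unpack_from('<i', code, 1)[0]
        return (addr + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        return struct.unpack_from('<I', code, 1)[0]
    return None


def owning_module(addr: int, modules: List[ModuleInfo]) -> Optional[str]:
    """Name of the module whose mapping contains addr, or None when the address
    is not backed by any loaded module (the usual signature of injected code)."""
    for m in modules:
        if m.base <= addr < m.base + m.size:
            return m.name
    return None


def find_hooks(snapshots: List[FunctionSnapshot], modules: List[ModuleInfo]):
    """One finding per function whose in-memory prologue differs from the clean
    copy, with the decoded hook target and the module that owns that target."""
    findings = []
    for s in snapshots:
        if s.memory_bytes[:len(s.clean_bytes)] == s.clean_bytes:
            continue  # prologue unchanged: nothing hooked here
        target = decode_jump_target(s.address, s.memory_bytes)
        findings.append({
            'function': f'{s.module}!{s.name}',
            'target': target,
            'target_module': owning_module(target, modules) if target is not None else None,
        })
    return findings


# --- constructed sample data (not captured from a real system) -----------------
def make_jmp(addr: int, target: int) -> bytes:
    """Build an 'E9 rel32' stub located at addr that lands on target."""
    return b'\xe9' + struct.pack('<i', target - (addr + 5))


def make_push_ret(target: int) -> bytes:
    """Build a '68 imm32 C3' stub that lands on target."""
    return b'\x68' + struct.pack('<I', target) + b'\xc3'


CLEAN_PROLOGUE = bytes([0x8B, 0xFF, 0x55, 0x8B, 0xEC])  # mov edi,edi; push ebp; mov ebp,esp

SAMPLE_MODULES = [
    ModuleInfo('user32.dll',   0x77D10000, 0x90000),
    ModuleInfo('kernel32.dll', 0x7C800000, 0xF6000),
    ModuleInfo('avhook.dll',   0x10000000, 0x20000),  # hypothetical security-product DLL
]

SAMPLE_SNAPSHOTS = [
    # untouched function: memory matches the on-disk prologue
    FunctionSnapshot('user32.dll', 'MessageBoxA', 0x77D5058A, CLEAN_PROLOGUE, CLEAN_PROLOGUE),
    # jmp into memory no module owns: the strong signal for injected code
    FunctionSnapshot('user32.dll', 'SetWindowsHookExA', 0x77D4E2A5, CLEAN_PROLOGUE,
                     make_jmp(0x77D4E2A5, 0x00AA1000)),
    # push/ret into a loaded module: hooked, but by something with a file behind it
    FunctionSnapshot('kernel32.dll', 'CreateRemoteThread', 0x7C817F44, CLEAN_PROLOGUE,
                     make_push_ret(0x10001234)),
]


def run_sample():
    return find_hooks(SAMPLE_SNAPSHOTS, SAMPLE_MODULES)


if __name__ == '__main__':
    for f in run_sample():
        where = f['target_module'] or 'unbacked memory'
        shown = f"{f['target']:#010x}" if f['target'] is not None else 'unknown'
        print(f"{f['function']:<32} -> {shown} ({where})")
```

The distinction the output draws is the one worth triaging on: a hook whose target sits inside a loaded, file-backed module (here the made-up avhook.dll) may well be a legitimate product doing its job, whereas a hook that jumps into memory no module owns is what a reviewer would want to dump and look at first.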
Author Comment

by:rpgeegange
ID: 39728477
Hi,
Thank you breadtan.

Are there any C# libraries to do such operations, if I want to develop a similar tool?
LVL 65

Assisted Solution

by:btan
btan earned 2000 total points
ID: 39728508
Not straightforward, and the link below states it is not done in C# or simple coding, as assembly is the preferred assured means... In general I see that you need to inject "yourself" into the process to detect that the process has been injected or tampered with. Or subscribe to a global system event listener...

http://social.msdn.microsoft.com/Forums/vstudio/en-US/c993a16e-3ebb-49fc-959f-f9b99513bc8a/how-to-detect-code-injection

There is interception at the IL level, but that is probably not what we can leverage, since not all malware is IL or .NET based... Using a tool is more straightforward, or writing a kernel-based driver, for which C# is not ideal.

http://www.codeproject.com/Articles/463508/NET-CLR-Injection-Modify-IL-Code-during-Run-time

Author Comment

by:rpgeegange
ID: 39728543
What about http://easyhook.codeplex.com/? Will this library help?

Thank you.
LVL 65

Accepted Solution

by:btan
btan earned 2000 total points
ID: 39728662
Seems like you are looking for libraries to perform hooking... EasyHook is possible. But it may be under the Lesser GPL (LGPL), so be aware of this license. E.g. you are not granted the right to sell any software that includes parts of the EasyHook source code or any modification. If you want to modify EasyHook, you are forced to release your work under the LGPL or GPL... Of course this only applies to the library itself. For example, you could release a modification of EasyHook under the LGPL, while still being able to release software which takes advantage of this modification over DLL or .NET bindings under a proprietary license.

http://www.codeproject.com/Tips/481976/Statically-linking-to-EasyHook

There are a couple of libraries...
>Detours only works for C++ and not for C#...
>Deviare supports C#, but note that it is free for non-commercial use only.
http://www.nektra.com/products/deviare-api-hook-windows/features/

Overall, do note that there may be false positives of AV detecting such libraries as well, as they contain "hooking" capabilities.

Author Comment

by:rpgeegange
ID: 39729490
Thanks a lot breadtan.
Question has a verified solution.