Solved

API hooking

Posted on 2013-12-17
6
735 Views
Last Modified: 2013-12-19
Hi,

Is there any way to identify the processes hooked to a particular dll?

For example,
When a malware infects, it does api hooking such as to "user32.dl".
So, how to detect these hooked programs for a particular api ?
0
Comment
Question by:rpgeegange
  • 3
  • 3
6 Comments
 
LVL 62

Assisted Solution

by:btan
btan earned 500 total points
ID: 39728438
Yes you can using process explorer or even debugger like windbg or maybe ollydebug if you will to attached to that process
http://www.symantec.com/connect/blogs/using-process-explorer-who-loaded-dll

Probably you can use process explorer to simply view the list of dlls loaded into the address space of a particular process's address space first and also view the patch process into which the code was being injected by looking at the handles provided the injecting process must live in memory for some time without closing the handle of the process which it opened for injection.

Or  using debugger set a breakpoint near OpenProcess--this will inevitably be called if the malware is in fact doing process injection, and the function takes the PID of the process as an argument. If you know the PID, you know the process. Typically there would be some outstanding anomalous code or handle injected when you compared to similar named service like svchost.exe which is favourite for malware to hide itself known process name.

Can also check out volatility from memory forensic,  spydllremover or GMER

https://code.google.com/p/volatility/wiki/CommandReference#malfind
http://securityxploded.com/spydllremover.php
http://www.gmer.net/?m=0
0
 

Author Comment

by:rpgeegange
ID: 39728477
Hi,
Thank you breadtan.

Is there any C# libraries to do such operations , if I want to develop a similar tool ?
0
 
LVL 62

Assisted Solution

by:btan
btan earned 500 total points
ID: 39728508
Not straightforward and in the below link stated not in C# or simple coding as assembly is the preferred assured means...in general I see that you need to inject "yourself" into the process to detect that the process is been injected or tampered. Or subscribed to global system event listener...

http://social.msdn.microsoft.com/Forums/vstudio/en-US/c993a16e-3ebb-49fc-959f-f9b99513bc8a/how-to-detect-code-injection

There are interception in the IL level but that is probably not what we can leverage since not malware is IL or .NET based...Using tool is more straightforward or writing dirver kernel based which c# is not ideal

http://www.codeproject.com/Articles/463508/NET-CLR-Injection-Modify-IL-Code-during-Run-time
0
U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

 

Author Comment

by:rpgeegange
ID: 39728543
What about the http://easyhook.codeplex.com/ ? will this library helps ?

Thank you.
0
 
LVL 62

Accepted Solution

by:
btan earned 500 total points
ID: 39728662
Seems like you looking for libraries to perform hooking... Easyhook is possible. But it maybe under Lesser GPL (LGPL), so be aware of this License. E.g. You are not granted to sell any software that includes parts of the EasyHook source code or any modification. If you want to modify EasyHook, you are forced to release your work under the LGPL or GPL... Of course this only applies to the library itself. For example you could release a modification of EasyHook under LGPL, while still being able to release software, which takes advantage of this modification over DLL or NET bindings, under a proprietary license.

http://www.codeproject.com/Tips/481976/Statically-linking-to-EasyHook 

There are couple of libraries...
>Detours only works for C++ and not for C#...
>Deviare support C#, but note that it is free for non-commercial use only.
http://www.nektra.com/products/deviare-api-hook-windows/features/

Overall, do note that there may be false positive of AV detecting such libraries as well as it contain "hooking" capabilities
0
 

Author Comment

by:rpgeegange
ID: 39729490
Thanks a lot breadtan.
0

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Transferring data across the virtual world became simpler but protecting it is becoming a real security challenge.  How to approach cyber security  in today's business world!
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
This video will show you how to get GIT to work in Eclipse.   It will walk you through how to install the EGit plugin in eclipse and how to checkout an existing repository.
This tutorial gives a high-level tour of the interface of Marketo (a marketing automation tool to help businesses track and engage prospective customers and drive them to purchase). You will see the main areas including Marketing Activities, Design …

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question