• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 789
  • Last Modified:

API hooking

Hi,

Is there any way to identify the processes hooked to a particular dll?

For example,
When a malware infects, it does api hooking such as to "user32.dl".
So, how to detect these hooked programs for a particular api ?
0
rpgeegange
Asked:
rpgeegange
  • 3
  • 3
3 Solutions
 
btanExec ConsultantCommented:
Yes you can using process explorer or even debugger like windbg or maybe ollydebug if you will to attached to that process
http://www.symantec.com/connect/blogs/using-process-explorer-who-loaded-dll

Probably you can use process explorer to simply view the list of dlls loaded into the address space of a particular process's address space first and also view the patch process into which the code was being injected by looking at the handles provided the injecting process must live in memory for some time without closing the handle of the process which it opened for injection.

Or  using debugger set a breakpoint near OpenProcess--this will inevitably be called if the malware is in fact doing process injection, and the function takes the PID of the process as an argument. If you know the PID, you know the process. Typically there would be some outstanding anomalous code or handle injected when you compared to similar named service like svchost.exe which is favourite for malware to hide itself known process name.

Can also check out volatility from memory forensic,  spydllremover or GMER

https://code.google.com/p/volatility/wiki/CommandReference#malfind
http://securityxploded.com/spydllremover.php
http://www.gmer.net/?m=0
0
 
rpgeegangeAuthor Commented:
Hi,
Thank you breadtan.

Is there any C# libraries to do such operations , if I want to develop a similar tool ?
0
 
btanExec ConsultantCommented:
Not straightforward and in the below link stated not in C# or simple coding as assembly is the preferred assured means...in general I see that you need to inject "yourself" into the process to detect that the process is been injected or tampered. Or subscribed to global system event listener...

http://social.msdn.microsoft.com/Forums/vstudio/en-US/c993a16e-3ebb-49fc-959f-f9b99513bc8a/how-to-detect-code-injection

There are interception in the IL level but that is probably not what we can leverage since not malware is IL or .NET based...Using tool is more straightforward or writing dirver kernel based which c# is not ideal

http://www.codeproject.com/Articles/463508/NET-CLR-Injection-Modify-IL-Code-during-Run-time
0
Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

 
rpgeegangeAuthor Commented:
What about the http://easyhook.codeplex.com/ ? will this library helps ?

Thank you.
0
 
btanExec ConsultantCommented:
Seems like you looking for libraries to perform hooking... Easyhook is possible. But it maybe under Lesser GPL (LGPL), so be aware of this License. E.g. You are not granted to sell any software that includes parts of the EasyHook source code or any modification. If you want to modify EasyHook, you are forced to release your work under the LGPL or GPL... Of course this only applies to the library itself. For example you could release a modification of EasyHook under LGPL, while still being able to release software, which takes advantage of this modification over DLL or NET bindings, under a proprietary license.

http://www.codeproject.com/Tips/481976/Statically-linking-to-EasyHook 

There are couple of libraries...
>Detours only works for C++ and not for C#...
>Deviare support C#, but note that it is free for non-commercial use only.
http://www.nektra.com/products/deviare-api-hook-windows/features/

Overall, do note that there may be false positive of AV detecting such libraries as well as it contain "hooking" capabilities
0
 
rpgeegangeAuthor Commented:
Thanks a lot breadtan.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

NEW Internet Security Report Now Available!

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out this quarters report on the threats that shook the industry in Q4 2017.

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now