
How to detect dll injection and hook installers on a Windows system


2007-05-29 05:13:13 AM
cppbuilder52
I need some information on how an application can raise an alert if another
process on the system attempts to perform DLL code injection. I also need to
know how to detect when a process attempts to install a hook into the
Windows system. Any ideas anyone? It is for a security application. TIA,
--
Mark Jacobs
jacobsm.com
 
 

Re:How to detect dll injection and hook installers on a Windows system

"Mark Jacobs" <www.jacobsm.com/mjmsg.htm?Borland Newsgroup>wrote in
message news:465b45cb$ XXXX@XXXXX.COM ...
Quote
I need some information on how an application can raise an alert
if another process on the system attempts to perform DLL code
injection.
The only way I know of would be to install your own hook that
redirects the VirtualAllocEx(), LoadLibrary/Ex(), and/or
CreateRemoteThread() functions of every running process, such as with
madCodeHook (www.madshi.net), which incidentally also has DLL
injection capabilities of its own implemented. You can then detect
whenever those functions are called by any process you hook.
On NT-based systems at least, DLL injection is commonly done by
calling VirtualAllocEx() to create a block of memory in the context of
the target process, then filling that memory with the desired DLL
filename, and then calling CreateRemoteThread() to run a new thread in
the target process that calls LoadLibrary/Ex(), passing it the memory
block that was allocated.
So in theory, you could keep track of whenever VirtualAllocEx() is
used to allocate memory in a different process than the one calling
VirtualAllocEx(), and then detect when that same memory address is
being passed as a parameter to CreateRemoteThread(), as well as when
LoadLibrary/Ex() is being passed as the starting address of the new
thread procedure.
I am sure that there are other ways to inject a DLL into a process,
but this will get you started.
Gambit
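The correlation Gambit sketches above (remember each VirtualAllocEx() that lands in a different process, then check whether a later CreateRemoteThread() into that same process starts at LoadLibrary/Ex() with that memory as its parameter) can be written down as a small detector. The following is an added example, not code from this thread or from madCodeHook: it assumes that some hook layer (madCodeHook or similar) has already intercepted the calls and delivers them as `call_event` records with the hProcess handle already resolved to a PID, and it assumes the hook layer has resolved the addresses of LoadLibraryA/W/ExA/ExW (the values in `g_loadlibrary` are constructed). The events in `run_sample()` are constructed too, so the block compiles and runs without Windows headers.

```c
/* Added example: correlation heuristic for the VirtualAllocEx ->
 * CreateRemoteThread(LoadLibrary, allocated memory) injection sequence.
 * The hook layer that intercepts the calls is assumed, not shown. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum call_kind { CALL_VIRTUALALLOCEX, CALL_CREATEREMOTETHREAD };

struct call_event {
    enum call_kind kind;
    uint32_t caller_pid;   /* process whose hooked function ran */
    uint32_t target_pid;   /* PID behind the hProcess argument (resolved by the hook layer; assumed) */
    uintptr_t address;     /* VirtualAllocEx: returned base; CreateRemoteThread: lpParameter */
    size_t size;           /* VirtualAllocEx: dwSize; otherwise 0 */
    uintptr_t start_addr;  /* CreateRemoteThread: lpStartAddress; otherwise 0 */
};

enum verdict {
    V_NONE = 0,           /* same-process call, or an allocation that was only recorded */
    V_REMOTE_THREAD = 1,  /* thread created in another process, nothing else matched */
    V_SUSPICIOUS = 2,     /* starts at LoadLibrary/Ex, or starts inside memory the caller put in the target */
    V_INJECTION = 3       /* LoadLibrary/Ex start AND parameter inside the caller's allocation in the target */
};

#define MAX_ALLOCS 64
struct remote_alloc { uint32_t caller_pid, target_pid; uintptr_t base; size_t size; };
static struct remote_alloc g_allocs[MAX_ALLOCS];
static int g_nallocs;

/* Constructed: LoadLibraryA/W/ExA/ExW addresses as the hook layer resolved them. */
static const uintptr_t g_loadlibrary[] = { 0x7C801D7BU, 0x7C80AEEBU, 0x7C801D53U, 0x7C801AF5U };

void detector_reset(void) { g_nallocs = 0; }

static int is_loadlibrary(uintptr_t addr) {
    for (size_t i = 0; i < sizeof g_loadlibrary / sizeof g_loadlibrary[0]; i++)
        if (g_loadlibrary[i] == addr) return 1;
    return 0;
}

/* True if p lies inside a region that `caller` allocated inside `target`. */
static int in_remote_alloc(uint32_t caller, uint32_t target, uintptr_t p) {
    for (int i = 0; i < g_nallocs; i++) {
        const struct remote_alloc *a = &g_allocs[i];
        if (a->caller_pid == caller && a->target_pid == target &&
            p >= a->base && p < a->base + a->size)
            return 1;
    }
    return 0;
}

enum verdict detect_injection(const struct call_event *ev) {
    if (ev->caller_pid == ev->target_pid) return V_NONE;   /* own process: not injection */
    if (ev->kind == CALL_VIRTUALALLOCEX) {
        if (g_nallocs < MAX_ALLOCS)   /* record cross-process allocation for later correlation */
            g_allocs[g_nallocs++] = (struct remote_alloc){ ev->caller_pid, ev->target_pid, ev->address, ev->size };
        return V_NONE;
    }
    int ll = is_loadlibrary(ev->start_addr);
    int param_ours = in_remote_alloc(ev->caller_pid, ev->target_pid, ev->address);
    int start_ours = in_remote_alloc(ev->caller_pid, ev->target_pid, ev->start_addr);
    if (ll && param_ours) return V_INJECTION;
    if (ll || start_ours) return V_SUSPICIOUS;
    return V_REMOTE_THREAD;
}

/* Convenience wrapper: build one event and run it through the detector. */
enum verdict feed(enum call_kind k, uint32_t caller, uint32_t target,
                  uintptr_t addr, size_t size, uintptr_t start) {
    struct call_event ev = { k, caller, target, addr, size, start };
    return detect_injection(&ev);
}

const char *verdict_name(enum verdict v) {
    switch (v) {
    case V_REMOTE_THREAD: return "REMOTE-THREAD";
    case V_SUSPICIOUS:    return "SUSPICIOUS-REMOTE-THREAD";
    case V_INJECTION:     return "DLL-INJECTION";
    default:              return "none";
    }
}

/* Formats the log line the original poster wanted to write to a file; returns 0 when nothing to log. */
int format_alert(const struct call_event *ev, enum verdict v, char *buf, size_t n) {
    if (v == V_NONE) return 0;
    return snprintf(buf, n, "ALERT %s caller=%u target=%u start=0x%lx param=0x%lx",
                    verdict_name(v), ev->caller_pid, ev->target_pid,
                    (unsigned long)ev->start_addr, (unsigned long)ev->address);
}

/* Constructed sample: PID 1234 allocates in PID 5678, then starts a remote thread
 * at LoadLibraryA whose parameter is that allocation. Returns the worst verdict. */
enum verdict run_sample(void) {
    static const struct call_event sample[] = {
        { CALL_VIRTUALALLOCEX,     1234, 1234, 0x00B00000U, 4096, 0 },          /* local alloc: ignored */
        { CALL_VIRTUALALLOCEX,     1234, 5678, 0x00A30000U, 4096, 0 },          /* cross-process: recorded */
        { CALL_CREATEREMOTETHREAD, 1234, 5678, 0x00A30000U, 0, 0x7C801D7BU },   /* full pattern */
    };
    enum verdict worst = V_NONE;
    detector_reset();
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++) {
        char line[160];
        enum verdict v = detect_injection(&sample[i]);
        if (format_alert(&sample[i], v, line, sizeof line) > 0) puts(line);
        if (v > worst) worst = v;
    }
    return worst;
}

int main(void) {
    printf("highest verdict: %s\n", verdict_name(run_sample()));
    return 0;
}
```

The detector keys allocations on the (caller, target) pair, so a remote thread into the same target from a different process does not inherit another process's allocation and only rates SUSPICIOUS. As the thread points out, this covers exactly one injection technique; kernel-mode or driver-based injection never passes through these user-mode functions and would not be seen at all.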
 

Re:How to detect dll injection and hook installers on a Windows system

As Remy has pointed out, there are some APIs that are used specifically
when injecting.
However, there are many many ways to inject and hook. Madshi's system, as
far as I know, uses a layer file system driver as well. The concepts most
commonly explained when talking about injection are often outdated. It
really all depends on what you are trying to achieve. Are you looking for a
global protection and alert system to inform on rogue injection, or do you
have a specific requirement? Most of the text that you will read relates
directly to user-land injection, although the current trend is moving towards
system injection systems.
A particularly good text is "Rootkits - Subverting the Windows kernel" by
Greg Hoglund and James Butler. Madshi's site is also a very good basis for
practical information.
HTH
Mike
"Mark Jacobs" <www.jacobsm.com/mjmsg.htm?Borland Newsgroup>wrote in message
Quote
I need some information on how an application can raise an alert if another
process on the system attempts to perform DLL code injection. I also need
to know how to detect when a process attempts to install a hook into the
Windows system. Any ideas anyone? It is for a security application. TIA,
--
Mark Jacobs
jacobsm.com


 


Re:How to detect dll injection and hook installers on a Windows system

"Mike Collins" <its@TheBottomOfThePost>wrote in message
Quote
Are you looking for a global protection and alert system to inform on rogue
injection, or do you have a specific requirement?
I am looking for something similar to KAV6.0's detection mechanism. In fact, I
just want to log something to a file if my app detects such activities.
Quote
A particularly good text is "Rootkits - Subverting the Windows kernel" by
Greg Hoglund and James Butler. Madshi's site is also a very good basis for
practical information.
Thanks. I have a lot of reading to do. It seems some injection techniques do
not even call Win API routines to achieve their purpose - they install
low-level drivers to do it! Yikes! I wonder if KAV6.0 detects those?!?
--
Mark Jacobs
DK Computing
www.dkcomputing.co.uk
 

Re:How to detect dll injection and hook installers on a Windows system

DLL injection is not an intentional design feature - it's a hack and as such
is open to problems. Hence, most serious developers either i) go with
madshi or ii) go lower down the chain, i.e. below the Win32 APIs.
If you need any particular help feel free to e-mail me - I've done a huge
amount of work with injection and hooking.
HTH
Mike C
"Mark Jacobs" <www.jacobsm.com/mjmsg.htm?BorlandNG>wrote in message
Quote
"Mike Collins" <its@TheBottomOfThePost>wrote in message
news:465d98ef$ XXXX@XXXXX.COM ...
>Are you looking for a global protection and alert system to inform on
>rogue injection, or do you have a specific requirement?

I am looking for something similar to KAV6.0's detection mechanism. In
fact, I just want to log something to a file if my app detects such
activities.

>A particularly good text is "Rootkits - Subverting the Windows kernel" by
>Greg Hoglund and James Butler. Madshi's site is also a very good basis
>for practical information.

Thanks. I have a lot of reading to do. It seems some injection techniques
do not even call Win API routines to achieve their purpose - they install
low-level drivers to do it! Yikes! I wonder if KAV6.0 detects those?!?
--
Mark Jacobs
DK Computing
www.dkcomputing.co.uk

 

Re:How to detect dll injection and hook installers on a Windows system

"Mike Collins" <its@TheBottomOfThePost>wrote in message
Quote
DLL injection is not an intentional design feature - it's a hack and as
such is open to problems. Hence, most serious developers either i) go
with madshi or ii) go lower down the chain, i.e. below the Win32 APIs.

If you need any particular help feel free to e-mail me - I've done a huge
amount of work with injection and hooking.
I do not seem to be able to ascertain your email address.
--
Mark Jacobs
jacobsm.com
 

Re:How to detect dll injection and hook installers on a Windows system

mike (at) softwareassociates (dot) nu
- if that still doesn't make sense, post back :-)
Regards,
Mike
"Mar
 

Re:How to detect dll injection and hook installers on a Windows system

After some experiments with KAV6 (followed by a reinstall of Windows XP!), and
some delving into madshi's forums, I decided to shelve the idea for a while -
it looks really complicated. To detect hooks, I have to install a hook first!
To detect DLL code injection, I have to learn about executable file formats
and redirection tables. It seems a bit steep at the moment! Thanks anyway.
--
Mark Jacobs
DK Computing
www.dkcomputing.co.uk