
I am trying to hook OpenProcess from Kernel32.dll in order to prevent so-called "injector" programs from injecting other DLLs into my process:

// -------------------------------------------------------------------
#include <windows.h>
#include <stdio.h>

// Trampoline to the real OpenProcess; filled in when the hook is installed
static HANDLE (WINAPI *dOpenProcess)(DWORD, BOOL, DWORD) = NULL;

HANDLE WINAPI myOpenProcess(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId)
{
    // Access rights are a bit mask: test the bits instead of comparing the
    // whole value, so combined masks (and PROCESS_ALL_ACCESS, which contains
    // all of these bits) are caught as well
    if (dwDesiredAccess & (PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE))
    {
        printf("Blocked Process ID : %lu , DesiredAccess : 0x%lx\n", dwProcessId, dwDesiredAccess);

        // OpenProcess reports failure with NULL and a last-error code, not with false
        SetLastError(ERROR_ACCESS_DENIED);
        return NULL;
    }

    return dOpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId);
}

What do I need to add in order to "detect" if anybody opens the process for "injecting"? I do not want to "prevent"; I wish to "detect" the injection and then decide what to do.

1 Answer

[Diagram of the DLL injection steps; image not reproduced. Source: http://resources.infosecinstitute.com/]

The diagram depicts the steps an injector usually takes to inject a DLL into another process. Your program should do behavioral analysis to decide whether it is injecting or not; you need to hook other APIs like VirtualAlloc / WriteProcessMemory, CreateRemoteThread, etc.

Below is the approach to follow to analyse the injector flow and block the execution when needed. Injectors use many techniques to inject a DLL; the below won't be sufficient for all methods.

//
// Hook OpenProcess: keep track of the opened process handle
//
HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, procID);

//
// Hook VirtualAllocEx: check whether the first param is the OpenProcess handle :: make the suspicion level 3
//
LPVOID arg = (LPVOID)VirtualAllocEx(process, NULL, ...);

//
// Hook WriteProcessMemory: check whether the first param is the OpenProcess handle :: make the suspicion level 2
//
BOOL n = WriteProcessMemory(process, .....);

//
// Hook CreateRemoteThread: check whether the first param is the OpenProcess handle :: make the suspicion level 1 and block it from execution
//
HANDLE threadID = CreateRemoteThread(process, .........);
Balu
  • Thank you very much for answering. No problem, I can hook anything; do you have time to show me an example? –  Nov 06 '15 at 07:28
  • I cannot seem to do what you wrote: "Check whether the first param is openprocess handle". How should I do that for VirtualAllocEx, for example? –  Nov 06 '15 at 09:05
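The recipe in the answer, worked through as an added example (this is not code from the question, the answer or any library the thread mentions): a small tracker that the OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread and CloseHandle hooks call to answer "is the first parameter a handle our OpenProcess hook saw, and how far along the injection flow is it?". It is portable C so it builds anywhere: the Windows types and the access-right bit values are redefined at the top (the bit values are the real winnt.h ones), and the hook installation itself (Detours, MinHook, IAT patching) is out of scope. The handle values, process IDs and the call trace in run_demo are constructed for the demonstration; the names INJECT_RIGHTS, the stage enum and the hook_* functions are this example's own. Two caveats the answer does not spell out: user-mode hooks only observe calls made by the process they are installed in, so to watch an injector this tracker has to run inside the injector process (or a system-wide monitor), not only inside the process being protected; and handle values are reused after CloseHandle, so the CloseHandle hook must forget the handle or a later unrelated OpenProcess would inherit its history.

```c
/* Added example: "suspicion level" tracker for DLL-injection hooks.
 * Not from the question or answer; Windows types and the winnt.h
 * access-right bits are redefined so this builds without <windows.h>. */
#include <stddef.h>
#include <stdio.h>

typedef void         *HANDLE;   /* stand-in for the Win32 HANDLE */
typedef unsigned long DWORD;    /* stand-in for the Win32 DWORD  */

/* Real Win32 process access-right bits (winnt.h). */
#define PROCESS_CREATE_THREAD 0x0002UL
#define PROCESS_VM_OPERATION  0x0008UL
#define PROCESS_VM_READ       0x0010UL
#define PROCESS_VM_WRITE      0x0020UL
#define PROCESS_ALL_ACCESS    0x1FFFFFUL   /* contains all of the above */

/* Rights an injector needs: allocate, write, start a thread. Reading
 * alone (PROCESS_VM_READ) is not enough to inject, so it is not tracked. */
#define INJECT_RIGHTS (PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD)

/* How far along the open -> alloc -> write -> thread flow one handle is. */
enum stage { ST_OPENED = 0, ST_ALLOCATED = 1, ST_WRITTEN = 2, ST_THREAD = 3 };

struct tracked { HANDLE h; DWORD pid; DWORD access; enum stage stage; };

#define MAX_TRACKED 64
static struct tracked g_tab[MAX_TRACKED];   /* constructed fixed-size table */
static size_t g_count;

void reset_tracker(void) { g_count = 0; }

static struct tracked *find_tracked(HANDLE h)
{
    for (size_t i = 0; i < g_count; i++)
        if (g_tab[i].h == h) return &g_tab[i];
    return NULL;
}

/* OpenProcess hook, called after the real OpenProcess returned h:
 * remember handles that carry injection rights. Rights are a bit mask,
 * so test with & rather than ==. Returns 1 if h is now tracked. */
int hook_open_process(HANDLE h, DWORD access, DWORD pid)
{
    if (h == NULL || (access & INJECT_RIGHTS) == 0) return 0;
    struct tracked *t = find_tracked(h);
    if (t == NULL) {
        if (g_count == MAX_TRACKED) return 0;   /* table full: not tracked */
        t = &g_tab[g_count++];
    }
    t->h = h; t->pid = pid; t->access = access;
    t->stage = ST_OPENED;   /* a reused handle value starts from scratch */
    return 1;
}

/* CloseHandle hook: forget h so a later OpenProcess that happens to
 * return the same value does not inherit this handle's history. */
void hook_close_handle(HANDLE h)
{
    struct tracked *t = find_tracked(h);
    if (t == NULL) return;
    *t = g_tab[--g_count];   /* swap the last entry into the hole */
}

/* Raise the stage of a tracked handle (stages never go backwards).
 * Returns the stage after the call, or -1 if h is not a handle our
 * OpenProcess hook saw, which is the check the answer asks for. */
static int raise_stage(HANDLE h, enum stage s)
{
    struct tracked *t = find_tracked(h);
    if (t == NULL) return -1;
    if (t->stage < s) t->stage = s;
    return (int)t->stage;
}

int hook_virtual_alloc_ex(HANDLE h)     { return raise_stage(h, ST_ALLOCATED); }
int hook_write_process_memory(HANDLE h) { return raise_stage(h, ST_WRITTEN); }

/* CreateRemoteThread hook: returns 1 (block) only when memory was already
 * written through the same handle, else 0 (pass the call through). The
 * real hook would then return NULL and SetLastError(ERROR_ACCESS_DENIED). */
int hook_create_remote_thread(HANDLE h)
{
    struct tracked *t = find_tracked(h);
    if (t == NULL || t->stage < ST_WRITTEN) return 0;
    t->stage = ST_THREAD;
    printf("blocked CreateRemoteThread on pid %lu (handle opened with access 0x%lx)\n",
           t->pid, t->access);
    return 1;
}

/* Constructed trace: an injector's call sequence, then the same handle
 * value reused by an unrelated open. Returns how many thread creations
 * were blocked (1: the second one has no alloc/write history). */
int run_demo(void)
{
    HANDLE h = (HANDLE)0x1000;   /* constructed handle value */
    int blocked = 0;
    reset_tracker();
    hook_open_process(h, PROCESS_ALL_ACCESS, 4242);
    hook_virtual_alloc_ex(h);
    hook_write_process_memory(h);
    blocked += hook_create_remote_thread(h);   /* blocked */
    hook_close_handle(h);
    hook_open_process(h, PROCESS_CREATE_THREAD, 4243);
    blocked += hook_create_remote_thread(h);   /* passes through */
    return blocked;
}

int main(void) { printf("blocked calls: %d\n", run_demo()); return 0; }
```

In a real hook set, each hook_* call sits at the top of the corresponding detour, with the handle the caller passed as the first parameter, and the OpenProcess detour calls hook_open_process only after the real OpenProcess has returned a non-NULL handle. To "detect and then decide", as the question asks, replace the return-1 path in hook_create_remote_thread with whatever action is wanted (log, alert, or let the call through); the staging stays the same.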