Checking if an API is monitored (hooked?)


Problem description

My application uses some APIs like GetProcAddress and CreateProcess that cause sometimes antiviruses to flag it as malicious even though it is not.

What I am trying to do is check whether a specific API is being monitored or hooked and if it is then I won't call that part of the code.

How do I check whether a certain API is hooked?

This is a Windows application written in C.

Thanks.

Recommended answer

On win32 there are no official methods to detect and/or place hooks (besides the SetWindowsHookEx() (http://msdn.microsoft.com/en-us/library/windows/desktop/ms644990) et al functions which only cover a very small set of functionality).

Detecting a hook depends on how the hook was applied.

There are two popular methods to place a hook:

  1. Import/export table patching
  2. Code overwriting

For details (pros/cons) on the different methods to place hooks please consider reading here http://help.madshi.net/ApiHookingMethods.htm.

Each method of hooking requires a different approach to detect it.

For methods to detect hooks placed as mentioned above please look under "ApiHookCheck Algorithm" here http://www.security.org.sg/code/apihookcheck.html. There are sample sources available on this page, which I did not test.
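The code-overwriting case from the answer's list is the one the ApiHookCheck approach handles by comparing a function's bytes in memory with a trusted copy. The following is an added example written for this page, not code from the answer or from the linked pages: a portable C routine that compares a function's in-memory prologue against a reference copy (e.g. the module image on disk) and, if the bytes differ, classifies the common x64 redirect stubs and decodes where they transfer control. The prologue bytes, the load address and the overwritten variant are constructed sample data.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* What was found at the function entry when compared with the reference bytes. */
enum stub_kind { STUB_NONE = 0, STUB_JMP_REL32, STUB_JMP_RIP_IND,
                 STUB_PUSH_RET, STUB_MOV_RAX_JMP, STUB_UNKNOWN_DIFF };

struct stub_info {
    enum stub_kind kind;
    size_t first_diff;   /* offset of the first byte that differs (n if none) */
    uint64_t target;     /* decoded redirect target, or the pointer slot for FF 25 */
};

static int32_t rd32(const uint8_t *p) { int32_t v; memcpy(&v, p, 4); return v; }
static uint64_t rd64(const uint8_t *p) { uint64_t v; memcpy(&v, p, 8); return v; }

/* in_mem: first n bytes of the function as mapped at address `addr`.
   ref:    the same n bytes from a trusted copy of the module (on-disk image). */
struct stub_info inspect_prologue(const uint8_t *in_mem, const uint8_t *ref,
                                  size_t n, uint64_t addr)
{
    struct stub_info r = { STUB_NONE, n, 0 };
    size_t i;
    for (i = 0; i < n && in_mem[i] == ref[i]; i++) ;
    if (i == n) return r;                       /* identical: no overwrite */
    r.first_diff = i;
    r.kind = STUB_UNKNOWN_DIFF;                 /* differs, but not a known stub */
    if (n >= 5 && in_mem[0] == 0xE9) {                             /* jmp rel32 */
        r.kind = STUB_JMP_REL32;
        r.target = addr + 5 + (int64_t)rd32(in_mem + 1);
    } else if (n >= 6 && in_mem[0] == 0xFF && in_mem[1] == 0x25) { /* jmp [rip+disp32] */
        r.kind = STUB_JMP_RIP_IND;
        r.target = addr + 6 + (int64_t)rd32(in_mem + 2);           /* slot holding the target */
    } else if (n >= 6 && in_mem[0] == 0x68 && in_mem[5] == 0xC3) { /* push imm32; ret */
        r.kind = STUB_PUSH_RET;
        r.target = (uint32_t)rd32(in_mem + 1);
    } else if (n >= 12 && in_mem[0] == 0x48 && in_mem[1] == 0xB8 &&
               in_mem[10] == 0xFF && in_mem[11] == 0xE0) {          /* mov rax, imm64; jmp rax */
        r.kind = STUB_MOV_RAX_JMP;
        r.target = rd64(in_mem + 2);
    }
    return r;
}

/* Constructed sample: a benign prologue and the same prologue after a jmp-rel32 overwrite. */
static const uint8_t k_ref[16]    = {0x48,0x89,0x5C,0x24,0x08,0x57,0x48,0x83,0xEC,0x20,0x48,0x8B,0xD9,0x48,0x8B,0xFA};
static const uint8_t k_hooked[16] = {0xE9,0x00,0x01,0x00,0x00,0x57,0x48,0x83,0xEC,0x20,0x48,0x8B,0xD9,0x48,0x8B,0xFA};
#define K_ADDR 0x7FF000001000ULL  /* constructed load address of the function */

enum stub_kind demo_kind(int hooked) { return inspect_prologue(hooked ? k_hooked : k_ref, k_ref, 16, K_ADDR).kind; }
uint64_t demo_target(void) { return inspect_prologue(k_hooked, k_ref, 16, K_ADDR).target; }
```

A byte-for-byte mismatch is only evidence of modification, not proof of a hook: relocations, hot-patch padding and legitimate in-process instrumentation also change mapped code, so the reference copy should be taken from the same module version and the result treated as something to investigate rather than as a verdict.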
