Checking if an API is monitored (hooked?)

Question
My application uses some APIs like GetProcAddress and CreateProcess that sometimes cause antiviruses to flag it as malicious even though it is not.
What I am trying to do is check whether a specific API is being monitored or hooked, and if it is then I won't call that part of the code.
How do I check whether a certain API is hooked?
This is a Windows application written in C.

Thanks.

Answer
On win32 there are no official methods to detect and/or place hooks (besides the SetWindowsHookEx() (http://msdn.microsoft.com/en-us/library/windows/desktop/ms644990) et al functions, which only cover a very small set of functionality).
Detecting a hook depends on how the hook was applied.

There are two popular methods to place a hook:

- Import/export table patching
- Code overwriting
For details (pros/cons) on the different methods to place hooks please consider reading here: http://help.madshi.net/ApiHookingMethods.htm.
Each method of hooking requires a different approach to detect it.

For methods to detect hooks placed as mentioned above please look under "ApiHookCheck Algorithm" here: http://www.security.org.sg/code/apihookcheck.html. There are sample sources available on this page, which I did not test.
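The following is an added example written for this page; it is not code from the answer above nor from the ApiHookCheck sources it links to. It shows one concrete detection for each of the two hooking styles the answer names: a "code overwrite" hook is found by inspecting the first bytes of the API for a trampoline encoding (jmp rel32, short jmp, indirect jmp, push/ret, mov rax/jmp rax), or, when a trusted copy of the prologue is available, by a byte-for-byte comparison; an import/export table patch is found by checking that the resolved address lies inside the image of the module that is supposed to export it. The sample prologue buffers are constructed for illustration, the opcode patterns assume x86/x64 code, and the `check_live_api` helper (kept behind `_WIN32`, using `GetModuleHandleA`, `GetProcAddress` and the PE headers) is an assumption about how one would wire this into a real process.

```c
/* Added example (not from the original question or answer): heuristic checks
 * for the two hook styles named in the answer. The byte analysis is plain C
 * and runs anywhere; only check_live_api() is Windows specific. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#endif

enum hook_kind {
    HOOK_NONE = 0,
    HOOK_JMP_REL32,     /* E9 rel32           : classic 5-byte detour          */
    HOOK_JMP_SHORT,     /* EB rel8            : hot-patch style short jump     */
    HOOK_JMP_INDIRECT,  /* FF 25 disp32       : jmp [addr] / jmp [rip+disp]    */
    HOOK_PUSH_RET,      /* 68 imm32 C3        : push target; ret (x86)         */
    HOOK_MOV_RAX_JMP,   /* 48 B8 imm64 FF E0  : mov rax,target; jmp rax (x64)  */
    HOOK_PROLOGUE_DIFF  /* no known pattern, but bytes differ from trusted copy */
};

/* Look for well-known trampoline encodings at the start of a function. */
enum hook_kind classify_prologue(const uint8_t *p, size_t n)
{
    if (n >= 5  && p[0] == 0xE9)                       return HOOK_JMP_REL32;
    if (n >= 2  && p[0] == 0xEB)                       return HOOK_JMP_SHORT;
    if (n >= 6  && p[0] == 0xFF && p[1] == 0x25)       return HOOK_JMP_INDIRECT;
    if (n >= 6  && p[0] == 0x68 && p[5] == 0xC3)       return HOOK_PUSH_RET;
    if (n >= 12 && p[0] == 0x48 && p[1] == 0xB8 &&
                   p[10] == 0xFF && p[11] == 0xE0)     return HOOK_MOV_RAX_JMP;
    return HOOK_NONE;
}

/* Pattern check first; then, if a trusted copy of the prologue is available
 * (e.g. the same bytes read from the DLL file on disk), a byte comparison
 * catches overwrites that do not start with a recognised trampoline. */
enum hook_kind check_prologue(const uint8_t *live, const uint8_t *trusted, size_t n)
{
    enum hook_kind k = classify_prologue(live, n);
    if (k != HOOK_NONE) return k;
    if (trusted != NULL && memcmp(live, trusted, n) != 0) return HOOK_PROLOGUE_DIFF;
    return HOOK_NONE;
}

/* Import/export table check: an address resolved for an export of a module
 * is expected to fall inside that module's mapped image [base, base+size). */
int address_in_module(uintptr_t addr, uintptr_t base, size_t size)
{
    return addr >= base && addr < base + size;
}

/* Constructed sample prologues (not bytes captured from a real process). */
#define SAMPLE_LEN 12
static const uint8_t SAMPLE_CLEAN[SAMPLE_LEN] =       /* mov [rsp+8],rbx; push rdi; sub rsp,20h; mov ebx,ecx */
    {0x48,0x89,0x5C,0x24,0x08,0x57,0x48,0x83,0xEC,0x20,0x8B,0xD9};
static const uint8_t SAMPLE_JMP_REL32[SAMPLE_LEN] =   /* first 5 bytes replaced by jmp rel32 */
    {0xE9,0x10,0x20,0x30,0x40,0x57,0x48,0x83,0xEC,0x20,0x8B,0xD9};
static const uint8_t SAMPLE_PUSH_RET[SAMPLE_LEN] =    /* first 6 bytes replaced by push imm32; ret */
    {0x68,0x00,0x10,0x40,0x00,0xC3,0x48,0x83,0xEC,0x20,0x8B,0xD9};
static const uint8_t SAMPLE_MOV_RAX_JMP[SAMPLE_LEN] = /* mov rax,imm64; jmp rax */
    {0x48,0xB8,0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x00,0xFF,0xE0};
static const uint8_t SAMPLE_INT3[SAMPLE_LEN] =        /* int3 planted mid-prologue, no trampoline */
    {0x48,0x89,0x5C,0x24,0x08,0x57,0x48,0x83,0xEC,0x20,0xCC,0xD9};

#ifdef _WIN32
/* Hypothetical wiring for a live process: resolve an export and check it in
 * place. No trusted copy is passed here, so only trampoline patterns are
 * reported; reading the on-disk prologue for the memcmp path is left out. */
enum hook_kind check_live_api(const char *module, const char *name, int *in_module)
{
    HMODULE h = GetModuleHandleA(module);
    if (h == NULL) return HOOK_NONE;
    FARPROC fp = GetProcAddress(h, name);
    if (fp == NULL) return HOOK_NONE;
    PIMAGE_DOS_HEADER dos = (PIMAGE_DOS_HEADER)h;
    PIMAGE_NT_HEADERS nt  = (PIMAGE_NT_HEADERS)((BYTE *)h + dos->e_lfanew);
    *in_module = address_in_module((uintptr_t)fp, (uintptr_t)h,
                                   nt->OptionalHeader.SizeOfImage);
    return check_prologue((const uint8_t *)fp, NULL, 16);
}
#endif

int main(void)
{
    printf("clean       -> %d\n", check_prologue(SAMPLE_CLEAN, SAMPLE_CLEAN, SAMPLE_LEN));
    printf("jmp rel32   -> %d\n", check_prologue(SAMPLE_JMP_REL32, SAMPLE_CLEAN, SAMPLE_LEN));
    printf("push/ret    -> %d\n", check_prologue(SAMPLE_PUSH_RET, SAMPLE_CLEAN, SAMPLE_LEN));
    printf("mov/jmp rax -> %d\n", check_prologue(SAMPLE_MOV_RAX_JMP, SAMPLE_CLEAN, SAMPLE_LEN));
    printf("int3        -> %d\n", check_prologue(SAMPLE_INT3, SAMPLE_CLEAN, SAMPLE_LEN));
#ifdef _WIN32
    int inside = 0;
    enum hook_kind k = check_live_api("kernel32.dll", "CreateProcessW", &inside);
    printf("CreateProcessW: kind=%d in_module=%d\n", k, inside);
#endif
    return 0;
}
```

Three caveats a practitioner would keep in mind before acting on a result: many exports are forwarders (a number of kernel32 exports resolve into kernelbase), so an address outside the exporting module is not by itself a patched table and the forwarder string in the export directory has to be consulted; if `GetProcAddress` is itself hooked, the resolver can lie, so a robust check walks the export directory of the loaded image rather than asking the API; and a legitimate thunk can begin with a `jmp`, so a pattern match is a reason to compare against the on-disk prologue, not a verdict.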