How do I prevent DLL injection

Views: 27

Question

So the other day, I saw this:

http://www.edgeofnowhere.cc/viewtopic.php?p=2483118

and it goes over three different methods of DLL injection. How would I prevent these from the process? Or at a bare minimum, how do I prevent the first one?

I was thinking maybe a Ring 0 driver might be the only way to stop all three, but I'd like to see what the community thinks.

Recommended answer

The best technical solution would be to do something that causes the loader code to not be able to run properly after your process initializes. One way of doing this is by taking the NT loader lock, which will effectively prevent any loader action from taking place. Other options include patching the loader code directly in memory to make calls to LoadLibrary fail for the attacker (e.g. insert an int3 breakpoint and self-debug to handle expected cases).

But speaking as a hacker (one who admins the site you linked to, in fact), you're not going to ever stop people from getting code into your process, one way or another. LoadLibrary just happens to be a handy shortcut, but there are tons of different ways to load code manually that you could never hope to stop entirely, short of some extremely involved ring0 code. And even if you do go to ring0, the hackers will be right there beside you.

Also, there are plenty of legitimate uses for DLL injection. Theme programs, accessibility tools, and various programs that extend OS functionality can all potentially use DLL injection to give added functionality to any program.
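Since the answer's point is that injection through LoadLibrary cannot be fully prevented, a practical complement is to detect it: audit which DLLs a process actually has loaded and flag the ones that are unsigned or live outside the directories the application is expected to load from. The PowerShell below is an added example, not code from the question, the answer, or the linked site. The trusted-directory list and the "unsigned is suspicious" rule are assumptions chosen for illustration; `Get-Process`, its `Modules` property and `Get-AuthenticodeSignature` are standard Windows PowerShell cmdlets.

```powershell
# Added example (not from the original question or answer): list the modules
# loaded into a running process and report the ones that look injected.
# Assumptions: DLLs under the Windows system directories or next to the
# executable are expected; anything else, or anything without a valid
# Authenticode signature, is worth a closer look.
function Get-SuspiciousModule {
    param(
        [Parameter(Mandatory)][int]$ProcessId,
        [string[]]$TrustedDirs = @(
            "$env:SystemRoot\System32",
            "$env:SystemRoot\SysWOW64",
            "$env:SystemRoot\WinSxS"
        )
    )

    $proc = Get-Process -Id $ProcessId -ErrorAction Stop
    # The executable's own folder is trusted as well (app-local DLLs).
    $trusted = $TrustedDirs + (Split-Path -Parent $proc.Path)

    foreach ($m in $proc.Modules) {
        $path = $m.FileName

        $inTrustedDir = $false
        foreach ($d in $trusted) {
            if ($path.StartsWith($d, [System.StringComparison]::OrdinalIgnoreCase)) {
                $inTrustedDir = $true
                break
            }
        }

        # A module whose file was deleted after loading cannot be verified; that
        # is reported as well rather than silently skipped.
        $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        $status = if ($sig) { $sig.Status } else { 'FileMissing' }

        if (-not $inTrustedDir -or $status -ne 'Valid') {
            [pscustomobject]@{
                Process      = $proc.ProcessName
                Module       = $m.ModuleName
                Path         = $path
                InTrustedDir = $inTrustedDir
                Signature    = $status
                Signer       = if ($sig) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
    }
}

# Usage (run from a PowerShell whose bitness matches the target process):
# Get-SuspiciousModule -ProcessId (Get-Process notepad).Id | Format-Table -AutoSize
```

Two caveats follow directly from the answer. First, this audit only sees what the NT loader recorded in the process's module list; code that is manually mapped into memory without going through LoadLibrary never appears there, so an empty report is not proof of a clean process. Second, the legitimate injectors the answer mentions (theme engines, accessibility tools, overlays) will show up in the output and must be tolerated in a baseline rather than treated as attacks.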
