如何检测系统过程中的变化? [英] How to detect a change in system processes?

问题描述

朋友，

我在开发应用程序时遇到问题，该应用程序检查某些重要的Windows进程(例如winlogon.exe，services.exe等)是否已被某些恶意文件更改.恶意文件会在这些过程中注入其代码.是否存在检测此更改的任何方法.我尝试了哈希值机制，但由于哈希值的前后是相同的，因此未成功.

需要想法和建议. thnx

Hi Friends,

I am having a certain problem developing an application that checks whether certain important windows processes like winlogon.exe, services.exe etc have been altered by a certain malicious file. The malicious files inject their code in these processes. Does there exist any method to detect this change. I tried a hash value mechanism but it did not succeed as the after and before hash values turn out to be same.

need ideas and suggestions. thnx

推荐答案

在.NET中无法做到这一点.您将不得不编写一些东西来将对I/O函数的调用重定向到您的代码，然后再重定向到原始函数. SysInternals ProcMon可以做到这一点.

认真地说，只要获得一个不错的防病毒包并完成此操作即可.

There''s no way to do it in .NET. You''d have to write something to redirect calls to the I/O functions to your code, then on to the original functions. SysInternals ProcMon does this very thing.

Seriously, just get a decent antivirus package and be done with this.

这篇关于如何检测系统过程中的变化?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！