Detecting memory access to a process


Problem description

I'm trying to check if an application tries to manipulate a particular process (for example, hooks itself into it). I couldn't find a proper approach to accomplish this. Is computing a checksum over a running process possible? If it's not, how can I detect this situation?

Recommended answer

Another process can't make hooks in your process; it can modify memory, but to make hooks the code must be in your address space. This can be done by injecting a DLL into your process when it is starting (injecting a DLL at runtime is a hard one). You can easily check this by listing the DLLs in your process and searching their code for calls to functions such as ReadProcessMemory, WriteProcessMemory, OpenProcess and CallNextHookEx. To do that, get the address of the function (GetProcAddress) and search for that value in the code (you can add some asm `call` prediction for that, for a tight-range result).

You can check what is wrong with your PE file on disk and in memory: when DLL injection happened at startup, your PE file, after being copied from the file into memory, should be corrupted; after the last DLL library you should have the debug symbols overwritten with an additional DLL import. This modification can be done in the file the same as in memory.

The best method, but probably not an easy one for you since you are using C#, is to obfuscate your code. I think this is a good method because you don't hook something that you don't know how it works, because you don't know what hook you must make and where. But for good obfuscation of C# code you must find good software for that, and probably pay a not-low price.
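One concrete form of the two checks the answer describes, as an added example that is not part of the original answer: a standard-library Python parser for the PE import directory, used first to list which modules statically import ReadProcessMemory, WriteProcessMemory, OpenProcess or CallNextHookEx, and second to compare the import table of the file on disk with the import table of the mapped in-memory image, so that an import added after the original ones shows up. The PE images are constructed inline by `build_sample_file()` as test data (the DLL name `hookdll.dll` and its function `Install` are made up); against a real process you would pass the bytes of the module file with `mapped=False` and the bytes read out of the process at the module base with `mapped=True`. One caveat the practitioner needs: a module that resolves these APIs through GetProcAddress at runtime has no import entries for them, which is why the answer also suggests searching the code for the resolved addresses.

```python
# Added example: scan a PE import table for process-tampering APIs and compare disk vs memory.
import struct

SUSPICIOUS = {b"ReadProcessMemory", b"WriteProcessMemory", b"OpenProcess", b"CallNextHookEx"}

def _headers(data):
    """Return (offset of the PE signature, [(VirtualAddress, size, PointerToRawData), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    nt = struct.unpack_from("<I", data, 0x3C)[0]
    if data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    count = struct.unpack_from("<H", data, nt + 6)[0]
    table = nt + 24 + struct.unpack_from("<H", data, nt + 20)[0]   # section table follows the optional header
    secs = []
    for i in range(count):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, table + 40 * i + 8)
        secs.append((va, max(vsize, rawsize), rawptr))
    return nt, secs

def _offset(rva, secs, mapped):
    """In a mapped image an RVA is the offset from the base; in a file, walk the section table."""
    if mapped:
        return rva
    for va, size, raw in secs:
        if va <= rva < va + size:
            return raw + rva - va
    raise ValueError("RVA 0x%x is outside every section" % rva)

def _cstr(data, off):
    return data[off:data.index(b"\0", off)]

def parse_imports(data, mapped=False):
    """DLL name -> list of imported function names (ordinal imports as b'#n')."""
    nt, secs = _headers(data)
    magic = struct.unpack_from("<H", data, nt + 24)[0]
    # PE32+ (0x20B): data directories at optional header +112, 8-byte thunks; PE32 (0x10B): +96, 4-byte.
    dir_off, fmt, ord_flag = {0x20B: (112, "<Q", 1 << 63), 0x10B: (96, "<I", 1 << 31)}[magic]
    imp_rva = struct.unpack_from("<I", data, nt + 24 + dir_off + 8)[0]   # data directory entry 1
    result = {}
    desc = _offset(imp_rva, secs, mapped) if imp_rva else None
    while desc is not None:
        int_rva, _, _, name_rva, iat_rva = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:                     # the all-zero descriptor terminates the array
            break
        dll = _cstr(data, _offset(name_rva, secs, mapped)).decode("ascii")
        # The loader overwrites the IAT (FirstThunk) with resolved addresses, so take the names
        # from the import name table (OriginalFirstThunk) whenever the linker emitted one.
        thunk, funcs = _offset(int_rva or iat_rva, secs, mapped), []
        while (entry := struct.unpack_from(fmt, data, thunk)[0]) != 0:
            if entry & ord_flag:
                funcs.append(b"#%d" % (entry & 0xFFFF))
            else:                             # IMAGE_IMPORT_BY_NAME: 2-byte hint, then the name
                funcs.append(_cstr(data, _offset(entry, secs, mapped) + 2))
            thunk += struct.calcsize(fmt)
        result[dll] = funcs
        desc += 20
    return result

def suspicious_imports(data, mapped=False):
    """DLL name -> sorted process-tampering APIs it imports, for the DLLs that import any."""
    hits = {dll: sorted(f.decode("ascii") for f in funcs if f in SUSPICIOUS)
            for dll, funcs in parse_imports(data, mapped).items()}
    return {dll: funcs for dll, funcs in hits.items() if funcs}

def imports_added_in_memory(file_data, image_data):
    """Imports the in-memory image declares that the file on disk does not (DLL -> functions)."""
    disk, mem = parse_imports(file_data), parse_imports(image_data, mapped=True)
    added = {dll: [f.decode("ascii") for f in funcs if f not in disk.get(dll, [])]
             for dll, funcs in mem.items()}
    return {dll: funcs for dll, funcs in added.items() if funcs}

def build_sample_file(imports, mapped=False):
    """Constructed test data: a minimal PE32+ whose one section holds the given import table.
    Not a loadable binary (fields the parser ignores are zero); mapped=True lays the section
    out at its RVA, as the loader would, instead of at its file offset."""
    sec_rva, sec_raw, blob = 0x1000, 0x200, bytearray()
    def add(b):                               # append to the section, return the RVA of the data
        blob.extend(b)
        return sec_rva + len(blob) - len(b)
    desc_rva, descriptors = add(bytes(20 * (len(imports) + 1))), b""   # array + zero terminator
    for dll, funcs in imports.items():
        name_rva, names = add(dll + b"\0"), []
        for f in funcs:
            add(b"\0" * (len(blob) % 2))      # IMAGE_IMPORT_BY_NAME entries are 2-byte aligned
            names.append(add(b"\0\0" + f + b"\0"))
        add(b"\0" * (-len(blob) % 8))
        thunks = b"".join(struct.pack("<Q", r) for r in names) + bytes(8)
        descriptors += struct.pack("<IIIII", add(thunks), 0, 0, name_rva, add(thunks))
    blob[:len(descriptors)] = descriptors
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = struct.pack("<H", 0x20B) + bytes(118) + struct.pack("<II", desc_rva, len(descriptors) + 20)
    opt += bytes(240 - len(opt))              # the import directory entry sits at opt+120 in PE32+
    sec = b".idata\0\0" + struct.pack("<IIII", len(blob), sec_rva, len(blob), sec_raw) + bytes(16)
    hdrs = dos + b"PE\0\0" + file_hdr + opt + sec
    return hdrs + bytes((sec_rva if mapped else sec_raw) - len(hdrs)) + bytes(blob)
```

`suspicious_imports(build_sample_file({b"KERNEL32.dll": [b"GetTickCount", b"OpenProcess"], b"USER32.dll": [b"CallNextHookEx"]}))` reports `OpenProcess` under KERNEL32.dll and `CallNextHookEx` under USER32.dll; `imports_added_in_memory(clean_file, patched_image)` reports only the DLL and functions the image imports beyond what the file declares. The `mapped` flag is the whole difference between the two views: on disk an RVA has to be translated through the section table, in memory it is simply an offset from the module base, and the loader has already replaced the IAT entries with addresses, which is why the parser prefers the import name table.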

