'Safe' DLL Injection

Views: 349

Question

Not a terribly good question, sorry.

I have a program that needs to be alerted when a file is opened from explorer (i.e. ShellExecute(A/W) is called).

Unfortunately, Microsoft removed the COM interface (IShellExecuteHook) that allows you to hook these events in Vista and up, supposedly because older code could cause a crash due to changes. There was a work-around to re-enable this feature, but it no longer works.

I've done some research and it looks like the only way to catch calls to ShellExecute is to re-route the call to shell32.dll. At the moment, I'm looking at injecting my own DLL into the explorer process, then copying the IAT entry for ShellExecute to some address allocation in my DLL, and finally modifying the IAT entry for ShellExecute to point to my function, which will notify the program that a file was opened and jump to the original ShellExecute function, whose address we stored earlier.

My biggest concern here is antiviruses. Will they care that I'm injecting into explorer? Will they care that I'm modifying the IAT?

Another concern is whether this is safe; is it possible (or rather likely) for explorer's security priveleges to not allow injection via CreateRemoteThread? If so, is there a better way to do this injection?

Is there a better way to do this in general?

EDIT: For anyone who runs into this in the future: explorer.exe has no IAT for shell32.dll; it has an import header, but the thunks are filled with garbage values, so there is no way (as far as I can tell) to retrieve the entry for any imported function.

It looks like code tunneling is the only way to hook this.

Recommended answer

Most good antivirus heuristics should pick up on import table patching as being a red flag for a trojan.

The online documentation for madcodehook has some extended articles on various code injection techniques, their benefits/drawbacks, and the API provides some options for specifying "safe" hooking: http://www.madshi.net/madCodeHookDescription.htm
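A defender-side check for the concern this answer raises, added here as an example and not part of the original post: it lists the DLLs loaded into explorer.exe whose Authenticode signature is missing, invalid, or not issued to Microsoft, which is where an injected DLL first becomes visible, before any import-table tampering is inspected. The function name, its parameters, and the trusted publisher string are assumptions for the example.

```powershell
# Added example, not from the original post or from madCodeHook.
# Lists modules loaded in explorer.exe that are unsigned, carry an invalid
# signature, or are signed by someone other than the trusted publisher.
# Assumes a PowerShell session whose bitness matches explorer.exe (a 32-bit
# host cannot enumerate the modules of a 64-bit process).
function Get-SuspiciousExplorerModules {
    param(
        [string]$ProcessName = 'explorer',
        # Publisher substring to trust; anything else is reported. Assumed value.
        [string]$TrustedPublisher = 'O=Microsoft Corporation'
    )

    $results = foreach ($proc in Get-Process -Name $ProcessName -ErrorAction Stop) {
        foreach ($module in $proc.Modules) {
            $path = $module.FileName
            if (-not $path) { continue }

            # Authenticode check on the file backing the loaded module.
            $sig = Get-AuthenticodeSignature -FilePath $path
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

            $trusted = ($sig.Status -eq 'Valid') -and ($subject -like "*$TrustedPublisher*")
            if (-not $trusted) {
                [pscustomobject]@{
                    ProcessId   = $proc.Id
                    Module      = $module.ModuleName
                    Path        = $path
                    SigStatus   = $sig.Status
                    Signer      = $subject
                    BaseAddress = ('0x{0:X}' -f $module.BaseAddress.ToInt64())
                }
            }
        }
    }
    return $results
}

Get-SuspiciousExplorerModules | Format-Table -AutoSize
```

The output is a triage list, not a verdict: third-party shell extensions (context-menu handlers, cloud-storage overlays) legitimately load into explorer.exe and will appear here, so each hit should be matched against the installed software inventory. An unsigned module loaded from a user-writable directory such as a temp or profile folder is the pattern that deserves a closer look, and it is the same signal the antivirus heuristics mentioned above key on alongside import-table patching.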
