I want to build a malware analysis tool, so I have to inject code into various kernel32 functions of a process: for example Sleep, to override any sleep the malware attempts, and ExitProcess, to dump memory before the process gets killed, and so on.

I tried starting the process suspended and then enumerating its modules, hoping I could get the kernel32 RVA, but when I start the process suspended it looks like the libraries are not even loaded yet.
You can easily accomplish what you are trying to achieve with the EasyHook API. The API is available at
https://github.com/EasyHook/EasyHook

Below is an example of hooking CreateFile from Kernel32.dll. You need the CreateAndInject method:
```csharp
EasyHook.RemoteHooking.CreateAndInject(
    targetExe,          // executable to run
    "",                 // command line arguments for target
    0,                  // additional process creation flags to pass to CreateProcess
    EasyHook.InjectionOptions.DoNotRequireStrongName, // allow injectionLibrary to be unsigned
    injectionLibrary,   // 32-bit library to inject (if target is 32-bit)
    injectionLibrary,   // 64-bit library to inject (if target is 64-bit)
    out targetPID,      // retrieve the newly created process ID
    channelName         // the parameters to pass into injected library
    // ...
);
```
The key is to send the process's main thread ID to your hooking DLL, which should then patch the target and wake up the main thread. In EasyHook this is done as follows:
```cpp
if((hThread = OpenThread(THREAD_SUSPEND_RESUME, FALSE, ThreadID)) == NULL)
    THROW(STATUS_INTERNAL_ERROR, L"Unable to open wake up thread.");

if(!ResumeThread(hThread))
    THROW(STATUS_INTERNAL_ERROR, L"Unable to resume process main thread.");
```
The rest of the hooking process is the same as for any Windows process: open the process and write to its memory to deliver the payload.

PS: if you need a detailed example of file monitoring on a sample Notepad application, have a look at
https://easyhook.github.io/tutorials/remotefilemonitor.html

More tutorial source code is available at
https://github.com/EasyHook/EasyHook-Tutorials
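As an added example (not code from the answer or from the EasyHook project), here is what the injected library for the Sleep case in the question could look like with EasyHook: it caps every Sleep the sample requests and reports the requested value back to the analysis host. It assumes the host registered an IPC server for SleepLog on channelName (via RemoteHooking.IpcCreateServer) before calling CreateAndInject; SleepLog, SleepHookEntryPoint and MaxSleepMs are names chosen for this example.

```csharp
using System;
using System.Runtime.InteropServices;
using EasyHook;

// Shared object the host exposes with RemoteHooking.IpcCreateServer<SleepLog>(ref channelName,
// WellKnownObjectMode.Singleton) before CreateAndInject, so the injected code can report back.
public class SleepLog : MarshalByRefObject
{
    public void Report(int pid, uint requestedMs, uint grantedMs)
    {
        Console.WriteLine("[pid {0}] Sleep({1} ms) -> capped to {2} ms", pid, requestedMs, grantedMs);
    }
}

// Entry point of the injected library; EasyHook instantiates it inside the target and passes the
// channel name that was handed to CreateAndInject as the pass-through argument.
public class SleepHookEntryPoint : IEntryPoint
{
    const uint MaxSleepMs = 10;   // constructed cap for this example
    readonly SleepLog log;
    LocalHook sleepHook;

    [UnmanagedFunctionPointer(CallingConvention.StdCall)]
    delegate void SleepDelegate(uint dwMilliseconds);

    [DllImport("kernel32.dll")]
    static extern void Sleep(uint dwMilliseconds);

    public SleepHookEntryPoint(RemoteHooking.IContext context, string channelName)
    {
        log = RemoteHooking.IpcConnectClient<SleepLog>(channelName);
    }

    public void Run(RemoteHooking.IContext context, string channelName)
    {
        // Patch kernel32!Sleep so that every thread except this one is routed through SleepHooked.
        sleepHook = LocalHook.Create(LocalHook.GetProcAddress("kernel32.dll", "Sleep"),
                                     new SleepDelegate(SleepHooked), this);
        sleepHook.ThreadACL.SetExclusiveACL(new int[] { 0 });

        // CreateAndInject started the target suspended; the hook is installed, so resume its main thread.
        RemoteHooking.WakeUpProcess();

        // Keep the injected library alive; the hook goes away when the target exits.
        try { while (true) System.Threading.Thread.Sleep(500); } catch { }
    }

    void SleepHooked(uint dwMilliseconds)
    {
        uint granted = Math.Min(dwMilliseconds, MaxSleepMs);
        log.Report(RemoteHooking.GetCurrentProcessId(), dwMilliseconds, granted);
        Sleep(granted);   // EasyHook routes this call to the original Sleep, not back into the hook
    }
}
```

ExitProcess follows the same pattern: hook it with LocalHook.Create, take the memory dump in the handler, then call the original.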