Is it possible to hook all the processes, or find out when a specific function in a dll is called? I want to be able to catch this call and inject my own code / deny access to this function. How can I do this without looping through all the processes and hook each one of them?
Is it possible to do so without altering system files? (I'm planning on doing this on an android device and I don't want to require a root)
Simply write a dll with the same ABI.
The idea is to make you dll call the equivalent functions from the original dll, eventually adding a special process, or do nothing or report an unauthorized call if necessary.
Related
My C++ application is using a 3rd party DLL that provides an API to some external software. There are no other options here. This is the software, API, and DLL that I must use.
I am trying to bomb-proof my interface. When an API call goes bad, the DLL does something that immediately kills the entire process. I've wrapped the call in try/catch, I'm using an SEH translation class that I've used successfully in other projects (and /EHa is selected), and I'm even handling std::unexpected. None of that gets triggered. As soon as I call the DLL function, the process ends.
What other avenues should I look at to protect my process? I want to avoid spinning off a child process for just this API.
The only surefire way to protect yourself from a DLL API gone wrong is to fork a child process and have that process do the DLL interaction (see firefox and plugin-container). For example, if the DLL calls exit nothing you do will catch that.
I have a target process which loads a DLL before its main code gets called. It accomplishes this through a DLL whose name was added to the file's ImportsTable (using StudPE). My goal is to create a hook DLL that will be injected into this process and intercept its calls before it loads its imports. So the target process will load my hook dll before its security DLL. I tried using the conventional method but I hadn't success because the security DLL always gets called before my hook DLL's DllMain is called. Can anybody tell me a method to solve this issue?
You can create the target process suspended and use CreateRemoteThread() for injection, but mind the following limitations:
You should copy the thread main routine for the remote thread to the address space of the target process.
This code cannot contain any external references (e.g. CRTL or direct WinApi calls). I would usually limit this code to loading of the DLL and either executing function from it, or relying on the DllMain to do the job you need. In order to call LoadLibrary and GetProcAddress methods, I obtain their addresses and copy structure containing this information to the target process and pass the address of the remote structure as an argument for the thread main routine in CreateRemoteThread(). You can use VirtualAllocEx() to allocate memory in the remote process.
Remote thread in this situation will be executed before main thread, including process and some Win32/64 initialization. Therefore, not every Win32 API is safe to call in this condition.
If the target process is spawned by someone else, you have to intercept its creation before it is initialized. There are some ways to do that, all of them are undocumented and therefore not future proof.
The DLL are loaded sequentially in the same order as the imports entries in the PE header. Most PE editors will let you reorder the imports. You should also note that if another DLL X has dependencies on the security DLL, then it will be loaded at the same time as DLL X. Also, if security DLL is using static loading, hooking by modifying the import tables at runtime should still be effective even if your DLL is loaded later, though you will miss the calls done in the meantime (but there shouldn't be any).
Is there anyway to hook/detour either of OpenProcess() or ReadProcessMemory() function calls to my own custom functions?
Without:
kernel driver on Zw/NtOpenProcess, requires rootkit exploit or
driver signing for deployment
injecting .dll's in every process, spammy waste of resources and
alerts many antivirus
I am trying to prevent other processes from getting a HANDLE or reading the memory of a vector of PIDs.
If you do not hook the calls globaly on kernelmode, you have to get into every targetprocess. A dll would be the easiest solution, but you could do more hacky and tedious stuff.
Use OpenProcess and ReadProcessMemory (what a coincidence!) and WriteProcessMemory to modify every target process. Hook the desired functions and patch in your desired functionality with a filter function.
Note that if somebody gets to know what you are doing and wants to prevent it there is nothing you can do. He could re-patch your code or use some direct asm calls to call the APIs (SYSCALL).
I have a DLL which invokes an application running underneath. This DLL is loaded by several other applications/processes simultaneously.
So, Basically Architecture is:
My Problem is if Application(s) using DLL is crashed, I want to execute an exit sequence in my Base Application and Exit it.
How can I detect that this DLL is no longer used by any application?
Is there any thing like Load Count of DLL which I can keep track of?
Another glitch is I may have to monitor this via a C# application but that is a further thing.
If you can shell an external program to do the check, you can use this:
http://technet.microsoft.com/en-us/sysinternals/bb896656
Your image is not a good model for what really happens in Windows. Every process gets its own copy of the DLL. The code inside the DLL is shared in RAM but not its data. There are ways to share data as well but that's not otherwise common, a memory mapped file is the far more typical approach.
Windows doesn't give cheap way to find out if a DLL is loaded into a process. There is no notification mechanism either. Whatever you do, it has to start with the processes first. That works in C# too, you could use the Process.Modules property.
Just keeping track of the processes you know that load the DLL is probably sufficient, when the process no longer runs then you can safely assume it doesn't have the DLL loaded anymore either. Use the Process.Exited event or use WMI as shown in this answer.
You could host the DLL in the Base Application either and implement your own ref count using shared sections, easy, and often used. As already mentioned, one possibility would be to implemented your ref counting inside your DLL entry point and detect DLL_PROCESS_DETACH, DLL_THREAD_DETACH, DLL_PROCESS_DETACH, etc according to you specifications.
In c++ ,I want to hook more than one dll to a process. Right now I use CreateProcesswithdll() which can hook only one api at a time. What can I do to inject multiple dlls?
I came across this problem because MS detours requires us to name our custom dll the same as original dll in order to properly detour the api calls. So even though i could have different api calls handled in the same detour dll I created I need to have different names to hook calls from different apis, which means I need different detour Dlls. This also means I need to inject different DLLs. Am I right?
If I am unclear about something I will try to present it more clearly :D
Thanks!
P.S: Just to make my problem more lucid. I need to inject more than 1 dll onto the same process. CreateProcesswithdll() creates a new process with its thread in sleep state. It is woken up after the detours has finished injecting the dll and setting up the hooks. If I want to inject more than one dll I obviously cant repeatedly call CreateProcesswithdll()
so what do i do?? or Is my understanding about some aspect of this wrong?
Calling LoadLibrary() and FreeLibrary() is NOT SAFE from DLLMain(). From TFA:
"The entry-point function should
perform only simple initialization or
termination tasks. It must not call
the LoadLibrary or LoadLibraryEx
function (or a function that calls
these functions), because this may
create dependency loops in the DLL
load order. This can result in a DLL
being used before the system has
executed its initialization code.
Similarly, the entry-point function
must not call the FreeLibrary function
(or a function that calls FreeLibrary)
during process termination, because
this can result in a DLL being used
after the system has executed its
termination code."
EDIT: Apologies - this was meant as a comment for Serge's answer above.
Seems like detourattach and detourdetach will do the trick for me. Thanks everyone!
I found this blog useful!
Obviously you can load any number of DLLs from the first DLL you inject with detours.
EDIT.
When DLL is loaded system runs DllMain of your DLL (with fdwReason==DLL_PROCESS_ATTACH) and then within that function you can do whatever you like, e.g. you can call LoadLibrary to load other DLLs.
ADD:
I totally agree with comments that calling LoadLibrary from DllMain is unsafe. So you can call LoadLibrary (and all the other tricky things) from thread created in DllMain.