'Safe' DLL Injection

别等时光非礼了梦想. Submitted on 2019-12-21 05:48:33

Question


Not a terribly good question, sorry.

I have a program that needs to be alerted when a file is opened from explorer (i.e. ShellExecute(A/W) is called).

Unfortunately, Microsoft removed the COM interface (IShellExecuteHook) that allows you to hook these events in Vista and up, supposedly because older code could cause a crash due to changes. There was a work-around to re-enable this feature, but it no longer works.

I've done some research and it looks like the only way to catch calls to ShellExecute is to re-route the call to shell32.dll. At the moment, I'm looking at injecting my own DLL into the explorer process, then copying the IAT entry for ShellExecute to some address allocation in my DLL, and finally modifying the IAT entry for ShellExecute to point to my function, which will notify the program that a file was opened and jump to the original ShellExecute function, whose address we stored earlier.

My biggest concern here is antiviruses. Will they care that I'm injecting into explorer? Will they care that I'm modifying the IAT?

Another concern is whether this is safe; is it possible (or rather likely) for explorer's security privileges to not allow injection via CreateRemoteThread? If so, is there a better way to do this injection?

Is there a better way to do this in general?

EDIT: For anyone who comes across this in the future, explorer.exe has no IAT for shell32.dll; it has a header, but the thunk is full of junk values, so there's no way (as far as I can tell) to retrieve the entry for any imported functions.
Looks like code tunneling is the only way to hook this.


Answer 1:


Most good antivirus heuristics should pick up on import table patching as being a red flag for a trojan.

The online documentation for madcodehook has some extended articles on various code injection techniques, their benefits/drawbacks, and the API provides some options for specifying "safe" hooking: http://www.madshi.net/madCodeHookDescription.htm
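As an added example (not from the question or any answer), here is the defender-side version of the check behind that red flag: walk the import directory of a mapped PE32+ image and report any IAT slot whose resolved address does not fall inside the module it imports from. The image, the addresses and the module map are all constructed inline; on a live process the same walk runs over the mapped image and the loader's module list.

```python
import struct

MODULES = {"shell32.dll": (0x7FF810000000, 0x800000),    # constructed module map (base, size),
           "kernel32.dll": (0x7FF820000000, 0x100000)}   # not taken from the page

def build_sample_image():
    # Constructed flat PE32+ image (RVA == offset) importing ShellExecuteW/A from shell32.dll.
    img = bytearray(0x340)
    img[0:2], img[0x3C:0x40] = b"MZ", (0x40).to_bytes(4, "little")       # e_lfanew = 0x40
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x8664, 0, 0, 0, 0, 240, 0x22)  # IMAGE_FILE_HEADER
    struct.pack_into("<H", img, 0x58, 0x20B)                             # PE32+ magic
    struct.pack_into("<II", img, 0x58 + 120, 0x200, 40)                  # DataDirectory[1]: imports
    struct.pack_into("<IIIII", img, 0x200, 0x240, 0, 0, 0x280, 0x2C0)    # INT, ts, fwd, Name, IAT
    struct.pack_into("<QQQ", img, 0x240, 0x300, 0x310, 0)                # INT -> hint/name pairs
    img[0x280:0x28C] = b"shell32.dll\0"
    # Resolved IAT: slot 0 points into shell32, slot 1 has been redirected (the patched case)
    struct.pack_into("<QQQ", img, 0x2C0, 0x7FF810012340, 0x7FF9DEADBEEF, 0)
    img[0x300:0x320] = b"\0\0ShellExecuteW\0" b"\0\0ShellExecuteA\0"      # hint + name, twice
    return bytes(img)

def read_cstr(img, off):
    return img[off:img.index(b"\0", off)].decode()

def classify(target, dll, modules):
    for name, (base, size) in modules.items():
        if base <= target < base + size:
            return "ok" if name == dll else "redirected to " + name   # may be export forwarding
    return "outside every loaded module"                              # typical of a detour

def find_iat_anomalies(img, modules):
    # Walk the import directory of a mapped PE32+ image and classify every resolved IAT slot.
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24                                   # IMAGE_OPTIONAL_HEADER64 (magic 0x20B)
    desc, anomalies = struct.unpack_from("<I", img, opt + 120)[0], []
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", img, desc)
        if oft == 0 and ft == 0:                          # all-zero descriptor ends the table
            return anomalies
        dll = read_cstr(img, name_rva).lower()
        for i in range(0x10000):
            name_ptr = struct.unpack_from("<Q", img, oft + 8 * i)[0]
            if name_ptr == 0:
                break
            func = "#%d" % (name_ptr & 0xFFFF) if name_ptr >> 63 else read_cstr(img, name_ptr + 2)
            target = struct.unpack_from("<Q", img, ft + 8 * i)[0]
            if (verdict := classify(target, dll, modules)) != "ok":
                anomalies.append((dll, func, target, verdict))
        desc += 20
```

A slot that lands in a different loaded module is reported separately because export forwarding (kernel32 exports resolving into kernelbase, for instance) produces the same pattern legitimately; a pointer backed by no module at all is the stronger signal.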




Answer 2:


The Detours library:

http://research.microsoft.com/en-us/projects/detours/

From Microsoft Research allows arbitrary hooking of functions. You might give that a shot.




Answer 3:


Some more resources on API hooking:

Easy hook: http://www.codeplex.com/easyhook

Deviare: http://www.nektra.com/products/deviare-api-hook-windows/

An interesting post: http://www.codeproject.com/KB/system/hooksys.aspx

When doing API hooking it is very important to assess in which environments you need to run. Not all libraries support x86/x64 for example.

Detours only supports x64 in the licensed (paid) version. Easy hook supports x86 and x64.




Answer 4:


Windows Explorer in Windows Vista and Windows 7 doesn't even call ShellExecuteA or ShellExecuteW.

No point bothering. Lol :-)

AND, if I may add, I have tested by hooking both functions with both 32 bit and 64 bit inline hooks.

Sorry. Lol :-)



Source: https://stackoverflow.com/questions/1764980/safe-dll-injection
