Skip to content
/ process-injection-guard Public

Signature scanner and API hooks to detect malicious process injection

22 stars 5 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

christianshub/process-injection-guard

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

47 Commits
Detection
Detection
 
 
Snapshots
Snapshots
 
 
.gitignore
.gitignore
 
 
Detection.sln
Detection.sln
 
 
README.md
README.md
 
 

Repository files navigation

Introduction

Process-Injection-Guard is a DLL file intended to be injected into a process to then detect if foreign intruders are injecting malicious code into it's process. The intention is to study how anti-cheat/anti-virus works on a basic scale.

The tool consists of two core features:

  1. Function hooks (detects injections)
    • hooks LoadLibraryA and RtlGetFullPathName_U, known functions injectors are using.
  2. Signature scanners (detects malicious sigs)
    • scan through the PEB's module list
    • scan suspect memory regions (PAGE_EXECUTE_READWRITE) to detect hacks injected through the Manual Map injection technique.

Console options once injected into a target process:

Operation system, project, etc.

  • IDE: Visual Studio 2019 (x86 project).
  • OS: Windows 10, version 1909.

Setup

  1. Compile the source code
  2. Run it one time - a folder and a config.ini file should be created on your desktop.
  3. Navigate to Desktop/Detection/config.ini.
  4. Fill in info about which signatures to scan for (e.g.: 4D5A90, 4d5a90, 4d??90)
  5. Fill in info about which modules you wish to scan through. If left blank, it scans through all visible modules.
  6. Run it and choose appropriate console options.

Detecting Extreme Injector v3.7.2

Injector link: https://www.unknowncheats.me/forum/downloads.php?do=file&id=21570

Remote DLL injection

Thread hijack

LdrLoadDll

LdrpLoadDll

Manual map

Detecting Cheat Engine 7.0

Injector link: https://www.cheatengine.org/

Remote DLL injection - (detected: hook + sigscan)

Detecting Winject 1.7b

Injector link: https://www.unknowncheats.me/forum/downloads.php?do=file&id=578

Remote DLL injection

Detecting Xenos 2.3.2.7

Injector link: https://www.unknowncheats.me/forum/downloads.php?do=file&id=23686

Remote DLL injection

Manual map

Kernel Create thread

Kernel APC

Kernal Manual Map

Closing thoughts

  1. Function hooks
    • RtlGetFullPathName_U proved effective when monitoring injections. LoadLibraryA, not so much.
  2. Signature scanners
    • Many injectors avoid revealing information about their payload in the PEB, hence scanning the PEB seems meaningless. Scanning in suspect memory regions proved more useful. We could catch Extreme injector's hidden payload this way. This was not the case against Xenos injector, however.

References

About

Signature scanner and API hooks to detect malicious process injection

Resources

Readme
Activity

Stars

22 stars

Watchers

3 watching

Forks

5 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages