- Mar 23, 2018
Hello,
I am not sure if I posted this in the right category, but here it goes. As the title says, I am analysing and trying to find a way to stop malware from injecting my process via SetWindowsHookEx.
My process is currently protected via callbacks and other techniques, but this particular technique seems to be impossible to stop (at least for now).
If we look at Inject All the Things - Shut Up and Hack, we can see different scenarios and information regarding injecting a process, where we can also see:
SetWindowsHookEx()
In order to use this technique the first thing we need to understand is how MS Windows hooks work. Basically, hooks are a way to intercept events and act on them.
As you may guess, there are many different types of hooks. The most common ones might be WH_KEYBOARD and WH_MOUSE. You guessed right, these can be used to monitor, the keyboard and mouse input.
The 'SetWindowsHookEx()' "installs an application-defined hook procedure into a hook chain."
C++:
DWORD dwProcessId = 0;
// GetWindowThreadProcessId returns the id of the thread that created targetWnd
DWORD threadID = GetWindowThreadProcessId(targetWnd, &dwProcessId);
// The hook is installed on that thread, so the DLL gets mapped into its process
HHOOK handle = SetWindowsHookEx(WH_KEYBOARD, addr, dll, threadID);
Maybe I should look at GetWindowThreadProcessId() to prevent getting the handle in the first place?
Long story short... does anyone know any "way" or "method" to prevent such a technique? If so, please do share. Any suggestions or feedback is highly appreciated!
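One defensive option the post does not mention, added here as an example and not part of the original thread: Windows process mitigation policies, applied per executable with Set-ProcessMitigation (the same policies can be set in-process with SetProcessMitigationPolicy). The executable name MyProtectedApp.exe is a placeholder; the script assumes an elevated PowerShell on Windows 10 1709 or later.

```powershell
# Added example (not from the original post). Placeholder executable name:
$exe = 'MyProtectedApp.exe'

# DisableExtensionPoints: Microsoft documents this policy as turning off legacy
# extension points (AppInit DLLs, Winsock LSPs, global Windows hooks, legacy
# IMEs), so a hook DLL registered by another process is not loaded into $exe.
# Check against your own threat model whether thread-targeted hooks are covered.
Set-ProcessMitigation -Name $exe -Enable DisableExtensionPoints

# MicrosoftSignedOnly: only Microsoft-signed images may load into the process,
# so an unsigned injected DLL fails at load time regardless of how the load was
# triggered. This also blocks the app's own third-party DLLs, so run it in
# audit mode first and review the resulting code-integrity events.
Set-ProcessMitigation -Name $exe -Enable AuditMicrosoftSigned
# Once the audit log is clean, switch to enforcement:
# Set-ProcessMitigation -Name $exe -Enable MicrosoftSignedOnly

# Verify what is now configured for the executable.
Get-ProcessMitigation -Name $exe
```

The settings are stored under the executable's Image File Execution Options key, so they take effect for every new instance of the process and need no change to the application's source.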