PureBasic

Forums PureBasic - Français
http://forums.purebasic.com/french/

détecter les suspects code Injecté sur un programme

http://forums.purebasic.com/french/viewtopic.php?t=16811

Page 1 sur 1

détecter les suspects code Injecté sur un programme

Publié : sam. 08/juil./2017 12:07
par celtic88
slt :)
le code permet de détecter les :(shellcodes ,runpe ,load_dll_from_memory "charger un dll depuis la mémoire",..) Injecté sur un programme, c'est méthode la sont souvent utilisé par des hackers pour patcher un jeux ou un programme ou exécuter un virus direct dans la mémoire...

pour plus d'efficacité il faut activer le "Data Execution Prevention" pour tout les processus

http://allinfo.space/2016/01/29/configu ... s-windows/

voila code

Code : Tout sélectionner

;By celtic88@ h (c) 2016 new up 2017 
;For other any use say my name :) !

EnableExplicit

Import "kernel32.lib"
  OpenThread.l(dwDesiredAccess.l,
               bInheritHandle.l,
               dwThreadId.l )
EndImport

Import ""
  GetSystemInfo(ps)
EndImport

OpenLibrary(0, "Psapi.dll")
Prototype.l GetModuleFileNameExW(hProcess,
                                 hModule,
                                 *lpFilename,
                                 nSize.l)
Global GetModuleFileNameEx.GetModuleFileNameExW=GetFunction(0,"GetModuleFileNameExW")

Structure Authorized_Address ;authorized address created by process
  AddressStart.l
  AddressEnd.l
EndStructure

Procedure Process_Adjust_Token_Privileges(); Adjust Token Privileges
  Protected priv.TOKEN_PRIVILEGES ,hToken .i,iReturn
  If( OpenProcessToken_( GetCurrentProcess_(), #TOKEN_ADJUST_PRIVILEGES | #TOKEN_QUERY, @hToken ) )
    priv\PrivilegeCount           = 1;
    priv\Privileges[0]\Attributes = #SE_PRIVILEGE_ENABLED;
    If( LookupPrivilegeValue_( #Null, #SE_DEBUG_NAME, @priv\Privileges[0]\Luid ) )
      iReturn=AdjustTokenPrivileges_( hToken, #False, @priv, 0, #Null, #Null );
      CloseHandle_( hToken )                                                  ;
    EndIf
  EndIf
  ProcedureReturn iReturn
EndProcedure

Procedure Get_All_authorized_address_ByProcess(Pid, List Address.Authorized_Address())
  ClearList(Address())
  Protected hProcess,tIMAGE_DOS_HEADER.IMAGE_DOS_HEADER,tIMAGE_NT_HEADERS.IMAGE_NT_HEADERS,
            hs, lpme.MODULEENTRY32,Nsize,i,lpImageBaseAddress,filename.s{#MAX_PATH}
  
  hProcess = OpenProcess_( #PROCESS_QUERY_INFORMATION | #PROCESS_VM_READ, #False, Pid );
  If hProcess
    GetModuleFileNameEx(hProcess,0, @filename, #MAX_PATH)
    CloseHandle_(hProcess)
  EndIf
  
  hs=CreateToolhelp32Snapshot_(#TH32CS_SNAPMODULE, Pid)
  If hs <> #INVALID_HANDLE_VALUE
    lpme.MODULEENTRY32\dwSize=SizeOf(MODULEENTRY32)
    If Module32First_(hs,@lpme)
      Repeat ; get all address created by loaded dll :)
        If UCase(PeekS(@lpme\szExePath))=UCase(filename)
          lpImageBaseAddress =lpme\modBaseAddr
        Else
          AddElement(Address())
          Address()\AddressStart= (lpme\modBaseAddr)   
          Address()\AddressEnd =(lpme\modBaseAddr+lpme\modBaseSize)
        EndIf
      Until Module32Next_(hs,@lpme)=0
    EndIf
    CloseHandle_(hs)
  EndIf
  
  If ReadFile(0, FileName)
    ReadData(0,@tIMAGE_DOS_HEADER,SizeOf(IMAGE_DOS_HEADER))
    FileSeek(0,tIMAGE_DOS_HEADER\e_lfanew)
    ReadData(0,@tIMAGE_NT_HEADERS,SizeOf(IMAGE_NT_HEADERS))
    
    Protected tIMAGE_SECTION_HEADER.IMAGE_SECTION_HEADER
    #IMAGE_SCN_CNT_CODE=$00000020
    
    For i=0 To (tIMAGE_NT_HEADERS\FileHeader\NumberOfSections-1);get all pe sections
      FileSeek(0,tIMAGE_DOS_HEADER\e_lfanew+SizeOf(IMAGE_NT_HEADERS)+ (SizeOf(IMAGE_SECTION_HEADER)*i))
      If ReadData(0,@tIMAGE_SECTION_HEADER, SizeOf(IMAGE_SECTION_HEADER))
        With tIMAGE_SECTION_HEADER
          If \Characteristics & #IMAGE_SCN_CNT_CODE; Get original process work code address
            AddElement(Address())
            Address()\AddressStart= (lpImageBaseAddress+\VirtualAddress)   
            Address()\AddressEnd= (lpImageBaseAddress+\VirtualAddress+\VirtualSize)
          EndIf
        EndWith
      EndIf
    Next    
    CloseFile(0)
  EndIf
  
EndProcedure

Procedure Scan_Process( Pid)
  
  If Pid=0
    Pid=GetCurrentProcessId_()
  EndIf
  
  NewList aAddress.Authorized_Address()
  Get_All_authorized_address_ByProcess(Pid, aAddress());Get authorized address
  
  #ThreadQuerySetWin32StartAddress=9
  Protected hs=CreateToolhelp32Snapshot_(#TH32CS_SNAPTHREAD,0);Get process all THREAD 
  If hs <> #INVALID_HANDLE_VALUE
    Protected lpte.THREADENTRY32\dwSize=SizeOf(THREADENTRY32)
    Protected Tsa.i
    If Thread32First_(hs,@lpte)
      Repeat 
        If lpte\th32OwnerProcessID = Pid
          Protected ht=OpenThread(#THREAD_ALL_ACCESS,0,lpte\th32ThreadID)
          If ht
            If NtQueryInformationThread_(ht,#ThreadQuerySetWin32StartAddress,@Tsa,SizeOf(integer),0)=0;Get thread Start address
              Protected Shellcodeinrun=1
              ForEach aAddress()
                If (Tsa) >= aAddress()\AddressStart And (Tsa) < aAddress()\AddressEnd ;If the thread start address is between authorised address => Ok is Clean
                  Shellcodeinrun=0
                  Break
                EndIf
              Next
              If Shellcodeinrun=1  ;Else :)
              AddGadgetItem(4, -1,"..a suspect code is on running at address 0x"+ Hex(Tsa))
              EndIf
            EndIf
            CloseHandle_(ht)
          EndIf
        EndIf
      Until Thread32Next_(hs,@lpte)=0
    EndIf
    CloseHandle_(hs)
  EndIf
  
  Protected ps.SYSTEM_INFO
  GetSystemInfo(@ps)
  
  Protected hProcess = OpenProcess_( #PROCESS_QUERY_INFORMATION | #PROCESS_VM_READ, #False, Pid );Scan process memory
  If hProcess
    With ps
      Protected  lpMinimumApplicationAddress=\lpMinimumApplicationAddress
      Protected lpMaximumApplicationAddress=\lpMaximumApplicationAddress
      Protected mem_basic_info.MEMORY_BASIC_INFORMATION 
      While lpMinimumApplicationAddress < lpMaximumApplicationAddress
        If VirtualQueryEx_(hProcess, lpMinimumApplicationAddress, @mem_basic_info, SizeOf(MEMORY_BASIC_INFORMATION))
          If mem_basic_info\Protect = #PAGE_EXECUTE Or mem_basic_info\Protect = #PAGE_EXECUTE_READ Or mem_basic_info\Protect = #PAGE_EXECUTE_READWRITE Or mem_basic_info\Protect = #PAGE_EXECUTE_WRITECOPY
            Tsa=(mem_basic_info\BaseAddress)
            Shellcodeinrun=1
            ForEach aAddress()
              If (Tsa) >= aAddress()\AddressStart And (Tsa) < aAddress()\AddressEnd ;If the address of code is between authorised address => Ok is Clean
                Shellcodeinrun=0
                Break
              EndIf
            Next
            If Shellcodeinrun=1  ;Else :)
              AddGadgetItem(4, -1,"..a suspect executable code detected at address 0x"+ Hex(Tsa))
            EndIf
          EndIf
        EndIf
        lpMinimumApplicationAddress+mem_basic_info\RegionSize
      Wend
    EndWith
    CloseHandle_(hProcess)
  EndIf
EndProcedure

If Process_Adjust_Token_Privileges() <> 1
  Debug "Error set Process Privileges"
  End
EndIf

OpenWindow(0, 0, 0, 300, 190, "", #PB_Window_SystemMenu | #PB_Window_ScreenCentered | #PB_Window_WindowCentered)
ButtonGadget(1, 220, 10, 70, 25, "Scan")
StringGadget(2, 80, 10, 130, 25, "", #PB_String_Numeric)
TextGadget(3, 10, 10, 70, 25, "Process Pid")
EditorGadget(4, 0, 40, 300, 150, #PB_Editor_ReadOnly)

Define Event
Repeat
  Event = WaitWindowEvent()
  
  Select Event
      
    Case #PB_Event_Gadget
      Select EventGadget()
        Case 1 
          Scan_Process(Val(GetGadgetText(2)))
      EndSelect
      
  EndSelect
Until Event = #PB_Event_CloseWindow

Re: détecter les suspects code Injecté sur un programme

Publié : lun. 10/juil./2017 17:46
par Kwai chang caine
Encore un code magique
Ce doit être ce genre de code dans les antivirus qui voit le mal partout dans nos logiciels PureBasic :wink:
Il a trouvé trois process suspects quand j'ai cliqué sur "Scan" 8O
En tout cas merci beaucoup du partage 8)
Fuseau horaire sur UTC+01:00
Page 1 sur 1

Développé par phpBB® Forum Software © phpBB Limited

Traduction française officielle © Qiaeru