Security tools: Process Manager (Part 2)

I. Preface

This program improves the process manager written last time: when a process is selected we can now view the DLLs it has loaded and unload suspicious modules, which is an effective defense against malicious DLL injection.

II. Interface creation

This interface depends on the one created in the previous article: it is opened by clicking "View DLL" in that window. In the previous workspace, open the "Insert" menu of VC6 and choose "Resource..." from the drop-down menu; in the dialog that appears, select "Dialog" and click "New", as shown below:


Figure 1 Adding the window

Next, give the new window an ID, such as IDD_DIALOG_DLL, and add a new class for it, such as CDLLCheck. The window can then be designed, as shown in Figure 2:


Figure 2 Interface Design

The new window contains a list control and two buttons. Add a control variable named m_CheckDLL for the list control and write the code that initializes it:

void CDLLCheck::InitDLLList()
{
    // Set the extended style of the list control
    m_CheckDLL.SetExtendedStyle(m_CheckDLL.GetExtendedStyle()
        | LVS_EX_GRIDLINES        // draw grid lines
        | LVS_EX_FULLROWSELECT);  // selecting an item highlights the whole row (report style only)
    // Add the columns
    m_CheckDLL.InsertColumn(0, _T("Serial Number"));
    m_CheckDLL.InsertColumn(1, _T("Name"));
    m_CheckDLL.InsertColumn(2, _T("Path"));
    // Set the column widths
    m_CheckDLL.SetColumnWidth(0, LVSCW_AUTOSIZE_USEHEADER);
    m_CheckDLL.SetColumnWidth(1, LVSCW_AUTOSIZE_USEHEADER);
    m_CheckDLL.SetColumnWidth(2, LVSCW_AUTOSIZE_USEHEADER);
}
I want this initialization code to run when the window opens, but the new window has no initialization function such as OnInitDialog() yet, so it has to be added manually. Select "View" in the VC6 menu bar, click "ClassWizard" in the drop-down menu, and make the following settings in the "Message Maps" tab:


Figure 3 Adding the initialization function

After you click OK, the initialization function appears in the .cpp file of the new window:

BOOL CDLLCheck::OnInitDialog()
{
    CDialog::OnInitDialog();

    // TODO: Add extra initialization here

    return TRUE;  // return TRUE unless you set the focus to a control
                  // EXCEPTION: OCX Property Pages should return FALSE
}

Replace the TODO comment with a call to the initialization routine:

InitDLLList();

and declare it in the header file of the new window:

void InitDLLList();

III. Writing the "View DLL" button handler

The button referred to here is the "View DLL" button in the previous (main) window. After it is clicked, the newly created IDD_DIALOG_DLL window should pop up and immediately list the DLLs of the selected process. The handler opens a modal dialog box:
void CProcessManageDlg::OnBtnDLL()
{
    // TODO: Add your control notification handler code here
    pid = GetSelectPid();
    CDLLCheck DLLCheck;
    DLLCheck.DoModal();
}

The code above defines a dialog object, DLLCheck, and calls its DoModal() function to create a modal dialog box. Because the main window does not know the data type CDLLCheck, the header file of the CDLLCheck class, "DLLCheck.h", must also be included in the main window's source file.

It should be emphasized that, because I want to pass the PID of the process selected in the main window into the new window so that it can list the DLLs that process has loaded, a variable must be declared in the public section of the CDialog-derived class in the main window's header file:

int pid;

This way the child window can read the PID obtained by the parent window, which is why the first statement of the handler above fetches the PID of the selected process before opening the child window.

IV. DLL enumeration

The DLL enumeration code lives in the source file of the new window. The principle is similar to the process enumeration discussed in the previous article; the difference is that the PID value must first be obtained from the parent window. The code is as follows:
void CDLLCheck::ShowModule()
{
    // Clear the list
    m_CheckDLL.DeleteAllItems();
    // Obtain the public variable (PID of the selected process) from the parent window
    CProcessManageDlg *p = (CProcessManageDlg *)GetParent();
    int nPid = p->pid;

    // Take a module snapshot of that process (requires tlhelp32.h)
    MODULEENTRY32 me32 = {0};
    me32.dwSize = sizeof(MODULEENTRY32);
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, nPid);
    if (hSnap == INVALID_HANDLE_VALUE)
    {
        AfxMessageBox("Snapshot creation failed!");
        return;
    }
    BOOL bRet = Module32First(hSnap, &me32);
    int i = 0;
    CString str;
    while (bRet)
    {
        str.Format("%d", i);
        m_CheckDLL.InsertItem(i, str);
        m_CheckDLL.SetItemText(i, 1, me32.szModule);
        m_CheckDLL.SetItemText(i, 2, me32.szExePath);
        i++;
        bRet = Module32Next(hSnap, &me32);
    }
    CloseHandle(hSnap);  // release the snapshot handle
}
This routine should also run when the window opens, so call it from OnInitDialog() of the new dialog box:

ShowModule();

and add the declaration to the header file:

void ShowModule();
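As an added example that is not part of the original article, the following C++ turns the enumeration above into a first triage step: each module's path is compared with the Windows directory and the folder of the process executable, so that a DLL loaded from, say, a user's Temp folder stands out in the list. The names IsSuspiciousModulePath, EnumerateModules and ModuleInfo are introduced here, the path heuristic is an assumption of this example, and the Toolhelp walk assumes an MBCS build as in the article's project.

```cpp
// Added example (not the article's code): flag modules loaded from outside the Windows
// tree and the EXE's own folder, the usual sign of an injected DLL. Assumes an MBCS
// (non-UNICODE) build, as in the article's VC6 project.
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>
#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>
#endif
struct ModuleInfo { std::string name; std::string path; bool suspicious; };

// Lower-case so the prefix comparison is case-insensitive, as Windows paths are
static std::string Lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return (char)std::tolower(c); });
    return s;
}

// True when modulePath is outside both the Windows tree and the EXE's folder. Prefixes
// keep a trailing backslash so "C:\Windows2\x.dll" is not treated as a child of "C:\Windows".
bool IsSuspiciousModulePath(const std::string& modulePath, const std::string& exePath,
                            const std::string& windowsDir) {
    std::string mod = Lower(modulePath), win = Lower(windowsDir);
    if (!win.empty() && win.back() != '\\') win += '\\';
    std::string exeDir = Lower(exePath);
    size_t slash = exeDir.find_last_of('\\');
    exeDir = (slash == std::string::npos) ? std::string() : exeDir.substr(0, slash + 1);
    auto under = [&](const std::string& dir) {
        return !dir.empty() && mod.compare(0, dir.size(), dir) == 0; };
    return !under(win) && !under(exeDir);
}

#ifdef _WIN32
// Toolhelp walk of one process, like the article's ShowModule loop; the first entry
// Module32First yields is the process image, which fixes the EXE folder.
std::vector<ModuleInfo> EnumerateModules(DWORD pid) {
    std::vector<ModuleInfo> out; std::string exePath;
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, pid);
    if (hSnap == INVALID_HANDLE_VALUE) return out;  // no access or no such PID
    char winDir[MAX_PATH] = {0}; GetWindowsDirectoryA(winDir, MAX_PATH);
    MODULEENTRY32 me = { sizeof(me) };
    for (BOOL ok = Module32First(hSnap, &me); ok; ok = Module32Next(hSnap, &me)) {
        if (exePath.empty()) exePath = me.szExePath;
        out.push_back({ me.szModule, me.szExePath,
                        IsSuspiciousModulePath(me.szExePath, exePath, winDir) });
    }
    CloseHandle(hSnap);
    return out;
}
#endif
```

A flagged entry is a lead to examine (publisher signature, hash, load reason), not proof of injection: third-party components are legitimately loaded from other folders as well.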

 

V. Implementing the "Uninstall DLL" button

This handler first obtains the PID of the selected process from the parent window, then the name of the DLL currently selected in the list box, and finally calls the unloading function:
void CDLLCheck::OnBtnUninjectDll()
{
    // TODO: Add your control notification handler code here
    CProcessManageDlg *p = (CProcessManageDlg *)GetParent();
    int nPid = p->pid;

    // Obtain the position of the selected item
    POSITION pos = m_CheckDLL.GetFirstSelectedItemPosition();
    int nSelect = -1;
    while (pos)
    {
        nSelect = m_CheckDLL.GetNextSelectedItem(pos);
    }
    // Nothing is selected in the list box
    if (-1 == nSelect)
    {
        AfxMessageBox("Please select a module!");
        return;
    }
    // Get the DLL name from the list box
    char szDllName[MAX_PATH] = {0};
    m_CheckDLL.GetItemText(nSelect, 1, szDllName, MAX_PATH);
    UninjectDll(nPid, szDllName);
    ShowModule();
}

Note that UninjectDll(nPid, szDllName) is the key function in the handler above. I wrote it in article 010 of the anti-virus attack and defense series, DLL injection (Part 2): writing DLL injection and unloading code, so it is not repeated here. Before it can be used, the function must be added to the source file of the new window and declared in the corresponding place in the header file.

VI. Adjusting process privileges

Generally we cannot view the DLLs of a system process because the current process has insufficient privileges, unless it holds SeDebugPrivilege. Enabling that privilege takes three steps:

1. Open the access token of the current process with OpenProcessToken().

2. Look up the LUID that identifies the privilege with LookupPrivilegeValue().

3. Adjust the privileges of the access token with AdjustTokenPrivileges().

The code is as follows:
void CDLLCheck::DebugPrivilege()
{
    HANDLE hToken = NULL;
    // TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY is all AdjustTokenPrivileges needs
    BOOL bRet = OpenProcessToken(GetCurrentProcess(),
                                 TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken);
    if (bRet == TRUE)
    {
        TOKEN_PRIVILEGES tp;
        tp.PrivilegeCount = 1;
        LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
        // AdjustTokenPrivileges returns TRUE even when the privilege was not granted;
        // a token without SeDebugPrivilege (non-administrator) reports ERROR_NOT_ALL_ASSIGNED
        if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
            AfxMessageBox("SeDebugPrivilege is not available to this account!");
        CloseHandle(hToken);
    }
}

Add this code to the source file of the new window, call it from the window initialization function so that the window holds the privilege as soon as it is created, and declare it in the header file.

VII. Actual test

To test the program, inject a DLL as described in DLL injection (Part 2): DLL injection and unloading, then use this tool to view and unload it:

Figure 4 Viewing and unloading the DLL

The practical test shows that the program works, and it is a useful weapon against malicious programs.

VIII. Summary

Over these two articles we have completed a simple process manager. Although simple, it can still be of great use in many situations. I believe the discussion has given everyone some understanding of how security software is written, and I hope you will keep learning and add more powerful functions to your own software, so that malicious programs have nowhere to hide.

