Anti-Virus Defense Research: using Inline HOOK for active defense

Source: Internet
Author: User

I. Preface

The methods discussed in the previous article for dealing with malicious programs are very passive: remedial measures can only be taken after a malicious program has already executed, so we always remain one step behind. If the virus is extremely harmful, then even if we perfectly repair sensitive locations such as registry keys and service entries and delete the virus itself, it may already have damaged important files in the system, resulting in irreversible loss. Therefore, this article briefly discusses how to use Inline HOOK technology to implement active defense: before the virus executes, we proactively hijack dangerous functions, much like a firewall, to protect the security of our computer.

II. Inline HOOK principle

The APIs we usually use are stored in the DLL files provided by the operating system. When a program needs an API function, it implicitly loads the DLL containing that function into its memory when it starts, and from then on calls the API just as it would call one of its own functions. Based on this principle, if we want to HOOK an API function in the system, we first need to find the address of the function in the memory of the specified process, then overwrite the code at the beginning of the function with a "jmp MyProc" instruction, where "MyProc" is the function we wrote to run in its place. When the specified process then calls the function normally, it jumps straight into our function instead, which completes the Inline HOOK. The process is summarized as follows:
(1) Construct a jump instruction, namely jmp MyProc.
(2) Find the address of the function to be hooked in memory (this can be done with the GetProcAddress() function), and save the first five bytes at the HOOK location (the jump instruction occupies 5 bytes).
(3) Write the constructed jump instruction to the location that needs to be hooked. When the hooked function is called, the jump transfers control to our function.
(4) If the original function needs to be executed, cancel the HOOK by restoring the 5 bytes saved in step (2).
(5) Execute the original function.
We will follow this process in the programming below.


III. Encapsulating the InlineHOOK class

For convenience, I apply object-oriented design to the HOOK technology and encapsulate an Inline HOOK class in C++ so that it can be reused in future programming.
An encapsulated class generally consists of two files: the class header file and the class implementation file. The class name usually starts with the letter "C", which stands for "Class". Therefore the class here is named "CInlineHOOK", the header file is "CInlineHOOK.h", and the implementation file is "CInlineHOOK.cpp". First, the header file code of the class:

```cpp
#include <Windows.h>

class CInlineHOOK
{
public:
    CInlineHOOK();   // constructor, initialises the member variables
    ~CInlineHOOK();  // destructor, removes the hook when the user program ends

    // install the HOOK: module name, function name, custom hook function
    BOOL HOOK(LPCSTR pszModuleName, LPCSTR pszFuncName, PROC pfnHookFunc);
    // cancel the HOOK
    void UnHOOK();
    // re-install the HOOK
    BOOL ReHOOK();

private:
    PROC m_pfnOrig;       // address of the original (hooked) function
    BYTE m_bOldBytes[5];  // original function entry code
    BYTE m_bNewBytes[5];  // constructed jump instruction code
};
```

The header file mainly declares the functions and variables that will be needed; the corresponding comments are given in the code. The following is the code of the class implementation file:


```cpp
#include "stdafx.h"
#include "InlineHOOK.h"

CInlineHOOK::CInlineHOOK()
{
    // initialise the member variables
    m_pfnOrig = NULL;
    ZeroMemory(m_bOldBytes, 5);
    ZeroMemory(m_bNewBytes, 5);
}

CInlineHOOK::~CInlineHOOK()
{
    // cancel the HOOK when the object is destroyed
    UnHOOK();
}

// install the HOOK; parameters: module name, function name, custom hook function
BOOL CInlineHOOK::HOOK(LPCSTR pszModuleName, LPCSTR pszFuncName, PROC pfnHookFunc)
{
    BOOL bRet = FALSE;
    // obtain the address of the function in the specified module
    m_pfnOrig = (PROC)GetProcAddress(GetModuleHandleA(pszModuleName), pszFuncName);
    if (m_pfnOrig != NULL)
    {
        // save the first five bytes at the function entry
        SIZE_T dwNum = 0;
        ReadProcessMemory(GetCurrentProcess(), m_pfnOrig, m_bOldBytes, 5, &dwNum);
        // construct the JMP instruction: 0xE9 is the opcode of a relative jmp
        m_bNewBytes[0] = 0xE9;
        // the operand is the displacement from the end of the 5-byte jmp
        // (m_pfnOrig + 5) to the hook function pfnHookFunc; this 32-bit
        // arithmetic is only valid in a 32-bit process
        *(DWORD *)(m_bNewBytes + 1) = (DWORD)pfnHookFunc - (DWORD)m_pfnOrig - 5;
        // write the constructed instruction over the function entry
        WriteProcessMemory(GetCurrentProcess(), m_pfnOrig, m_bNewBytes, 5, &dwNum);
        bRet = TRUE;
    }
    return bRet;
}

// cancel the HOOK by restoring the saved entry bytes
void CInlineHOOK::UnHOOK()
{
    if (m_pfnOrig != NULL)
    {
        SIZE_T dwNum = 0;
        WriteProcessMemory(GetCurrentProcess(), m_pfnOrig, m_bOldBytes, 5, &dwNum);
    }
}

// hook the function again by writing the saved jump bytes back
BOOL CInlineHOOK::ReHOOK()
{
    BOOL bRet = FALSE;
    if (m_pfnOrig != NULL)
    {
        SIZE_T dwNum = 0;
        WriteProcessMemory(GetCurrentProcess(), m_pfnOrig, m_bNewBytes, 5, &dwNum);
        bRet = TRUE;
    }
    return bRet;
}
```

The above is the complete encapsulation of the Inline HOOK. The code is very simple and will not be explained further. This class will be used in future research articles, as it makes hooking functions easy.


IV. HOOK functions used by viruses

Here we continue from the article "Anti-Virus Attack and Defense Research Article 010: DLL Injection (Part 2): DLL Injection and Uninstallation Preparation" that I wrote earlier. In that article, I used a DLL injector to inject the DLL file of a simulated virus program into the Notepad process, so that once the DLL was injected successfully, the dialog-box program used to simulate the virus ran automatically. In this article, I will likewise write a DLL file to hijack the "virus" program. Here we assume that MessageBoxA() is a dangerous function and therefore the target of the hijacking. We first inject the DLL produced in this article, then inject the "virus" DLL to verify the result.

Create a simple Win32 Dynamic Link Library project and add the following code:


```cpp
// HookMessageBoxA.cpp : Defines the entry point for the DLL application.
//
#include "stdafx.h"
#include "InlineHOOK.h"

CInlineHOOK MsgHOOK;

// the HOOK function we implemented; it has the same signature as MessageBoxA
int WINAPI MyMessageBoxA(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType)
{
    // cancel the Inline HOOK first, otherwise our own prompt dialog below
    // would re-enter this function; then display the user prompt dialog box
    MsgHOOK.UnHOOK();
    if (MessageBoxA(NULL, "A suspicious program is being started. Are you sure you want to intercept it?", "Prompt", MB_YESNO) == IDNO)
    {
        // the user chose not to intercept: call the original function
        MessageBoxA(hWnd, lpText, lpCaption, uType);
        MessageBoxA(NULL, "Suspected malicious program was not intercepted", "Prompt", MB_OK);
        MsgHOOK.ReHOOK();
    }
    else
    {
        // the user chose to intercept
        MessageBoxA(NULL, "Suspected malicious program intercepted successfully", "Prompt", MB_OK);
        MsgHOOK.ReHOOK();
    }
    return 0;
}

BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    // DllMain is called with DLL_PROCESS_ATTACH when the DLL is loaded by a process
    case DLL_PROCESS_ATTACH:
        MsgHOOK.HOOK("user32.dll", "MessageBoxA", (PROC)MyMessageBoxA);
        break;
    // DllMain is called with DLL_PROCESS_DETACH when the DLL is unloaded by a process
    case DLL_PROCESS_DETACH:
        MsgHOOK.UnHOOK();
        break;
    }
    return TRUE;
}
```

Add the two files of the previously encapsulated class to the project, as shown in Figure 1:

Figure 1 Adding the class files to the project

Compile and build the DLL file so that it can be tested.


V. Program testing

First open the Notepad program and obtain its process ID, then use the DLL injection tool written in "Anti-Virus Attack and Defense Research Article 010: DLL Injection (Part 2): DLL Injection and Uninstallation" to inject the DLL file above into the Notepad process. Then inject the "virus" program, as shown in Figure 2:

Figure 2 Successful interception of the suspicious program

We can see that our Inline HOOK has successfully intercepted the MessageBox() function. Now click "Yes":

Figure 3 Malicious program intercepted successfully

The program reports that the interception succeeded, and the dialog box used to simulate the virus does not pop up. Check the module information of the Notepad process:


Figure 4 Viewing the module information of the Notepad process

It can be seen that both DLL files we injected are present in the Notepad process, but HackedDll.dll has been rendered ineffective and no longer poses a threat to our system. If "No" is selected in the dialog box shown in Figure 2, it means we do not intercept, as shown in Figure 5:

Figure 5 Choosing not to intercept

In this case, the dialog-box program used to simulate the virus pops up. If this were a real virus, our computer would now be infected. Click "OK":

Figure 6 Malicious program not intercepted

This shows that our Inline HOOK program works as intended.


VI. Summary

In fact, HOOK techniques are very widely used, and the example in this article is just the tip of the iceberg. Applying this idea flexibly can achieve many goals in the security field. For example, anti-virus software uses HOOK techniques to hook certain API functions, such as RegSetValueEx(), to prevent viruses from writing to the registry. From the analysis in this article, we can see that the knowledge we learn is usually linked: only by learning the earlier material well and laying a solid foundation can we keep exploring more advanced fields. I will refer to and apply earlier knowledge many times in future articles, so I hope readers will work hard and build that foundation step by step.
