Security Class tool making NO. 005: Process Manager (bottom)

First, preface

This time the program is in order to be intact the last time the process manager was written. So that when we select a process. Be able to view its DLL files and be able to unload suspicious modules. This will effectively counteract the malicious injection of the DLL.

second, the interface production

This interface is based on the interface created in the previous article and needs to be started by clicking the "View DLL" button in the last interface.

In the last workspace, locate the Insert option for the menu bar in VC6. Select "Resource ..." from its drop-down menu. Select "Dialog" in the pop-up screen and click "New", as seen below:

Figure 1 Adding a form

Next you need to take a name for the new form, for example Idd_dialog_dll.

Then add a new class for it, such as Cdllcheck. This allows you to start designing the form. For example, as seen in:

Figure 2 Interface Design

In this newly added form, there is a need for a "List control" and two "button" controls. Next, add a variable named M_checkdll to the list box, and then write the code to initialize it:

void Cdllcheck::initdlllist ()  {          //sets the extended style m_checkdll.setextendedstyle for the "List Control" control          (                  m_ Checkdll.getextendedstyle ()                  | Lvs_ex_gridlines        //have network grid                  | Lvs_ex_fullrowselect);  Select one of the exercise lines highlighting (only for report style)            //Join          the M_checkdll.insertcolumn (0, _t ("serial number"));          M_checkdll.insertcolumn (1, _t ("name    "));          M_checkdll.insertcolumn (2, _t ("Road    Path"));          Sets the width of the column          m_checkdll.setcolumnwidth (0, lvscw_autosize_useheader);          M_checkdll.setcolumnwidth (1, lvscw_autosize_useheader);          M_checkdll.setcolumnwidth (2, Lvscw_autosize_useheader); }

because I want the above initialization code to run when the form is just opened, the newly added form has no oninitdialog (), so it needs to be added manually. In the VC6 menu bar, select View, click ClassWizard in the drop-down menu, and in the Message Map tab, for example, the following settings:

Figure 3 Adding an initialization function

After you click OK. The initialization function appears in the new form's CPP program:

BOOL Cdllcheck::oninitdialog () {        cdialog::oninitdialog ();        Todo:add Extra initialization here        return TRUE;  Return TRUE unless you set the focus to a control                      //Exception:ocx property Pages should return FALSE}

And then fill in:

Initdlllist ();

Then write to the new form header file:

void Initdlllist ();

Third, write the "View DLL" button control codeHere's what the button says. Refers to the View DLL button control in the previous form. I want to do this after I click the button. You can pop up this new Idd_dialog_dll form. The DLL for the selected process can be displayed directly.

You can tap code to open a modal dialog box:

void Cprocessmanagedlg::onbtndll () {        //Todo:add your control notification handler code here        PID = Getselectpid () ;        Cdllcheck Dllcheck;        Dllcheck.domodal ();}

The code above defines a dialog object: Dllcheck, and then uses this object to invoke the DoModal function to produce a modal dialog box.

Because the main form does not know what type of data this Cdllcheck dialog box is, you must also include the header file of the Cdllcheck class in the source file of the main form function. That is, "DLLCheck.h".

It's worth emphasizing that because I want to pass the PID value of the selected process in the main form into the new form to see the DLL files it includes. Therefore, you need to declare a variable in public in the main form header file under CDialog:

int pid;

In this way, the subform invokes the PID value obtained from the parent form on the line.

So the first sentence of the above procedure is to get the PID value of the selected process before opening the subform.

Iv. enumeration of DLLsDLL enumeration code is filled in the source file of the new form, the principle is similar to the process enumeration discussed in the previous article, the difference is that it is necessary to get the PID value in the parent form, code such as the following:

void Cdllcheck::showmodule () {//Empty list m_checkdll.deleteallitems ();        Gets the public variable in the parent form (the PID value of the selected process) Cprocessmanagedlg *p;        p = (Cprocessmanagedlg *) GetParent ();            int npid = p->pid;        MODULEENTRY32 Me32 = {0};        me32.dwsize = sizeof (MODULEENTRY32);        HANDLE Hsnap = CreateToolhelp32Snapshot (Th32cs_snapmodule, npid); if (Hsnap = = Invalid_handle_value) {AfxMessageBox ("Create snapshot failed!                ");        return;        } BOOL BRet = Module32first (Hsnap, &me32);        int i = 0;        CString str; while (BRet) {str.                Format ("%d", I);                M_checkdll.insertitem (i, str);                M_checkdll.setitemtext (i, 1, me32.szmodule);                M_checkdll.setitemtext (i, 2, me32.szexepath);                i + +;        BRet = Module32next (Hsnap, &me32); }}

I also hope that this program will be displayed when the form is just opened. It is therefore necessary to include in the OnInitDialog () of the New dialog box:

Showmoudle ();

and add in the header file:

void ShowModule ();

v. Implementation of the "Unload DLL" buttonThe implementation of this feature first obtains the PID value of the selected process in the parent form, then gets the name of the DLL selected in the current list box, and then calls the Unload function to:

void Cdllcheck::onbtnuninjectdll () {//Todo:add your control notification Handler co        de here Cprocessmanagedlg *p;        p = (Cprocessmanagedlg *) GetParent ();        int npid = p->pid;          Gets the position selected in the list box POSITION Pos = M_checkdll.getfirstselecteditemposition ();          int nselect =-1;          while (pos) {nselect = M_checkdll.getnextselecteditem (POS); }//Assume that no selection is made in the list box. Then the error if (-1 = = Nselect) {AfxMessageBox ("Please select the module!")                  ");          Return          }//Gets the name of the DLL in the list box char Szdllname[max_path] = {0};          M_checkdll.getitemtext (Nselect, 1, Szdllname, MAX_PATH);        Uninjectdll (Npid,szdllname); ShowModule ();} 

It should be noted that the Uninjectdll (npid,szdllname) function was used last in the above procedure. I used to be in the anti-virus defense Research No. 010: DLL injection (medium)--dll injection and uninstaller in the preparation of the discussion, which is no longer discussed here. This function is still in the source program of the new form and the corresponding position in the header file to use the ability to declare.

vi. adjustment of process permissions

In general, we are unable to view the DLL files for the system process. This is primarily due to insufficient permission levels for the current process, unless the current process has "SeDebugPrivilege" permissions. The procedure for obtaining permissions is as follows:

1. Use the OpenProcessToken () function to open an access token for the current process.

2. Use Lookupprivilegevalue () function to get the LUID of describing permission.

3. Use the AdjustTokenPrivileges () function to adjust the permissions of the access token.

the code is as follows:

void Cdllcheck::D ebugprivilege () {        HANDLE htoken = NULL;        BOOL BRet = OpenProcessToken (GetCurrentProcess (), token_all_access, &htoken);            if (BRet = = TRUE)        {                token_privileges tp;                Tp. Privilegecount = 1;                Lookupprivilegevalue (NULL, Se_debug_name, &TP. Privileges[0]. LUID);                Tp. Privileges[0]. Attributes = se_privilege_enabled;                AdjustTokenPrivileges (Htoken, FALSE, &TP, sizeof (TP), NULL, NULL);                        CloseHandle (Htoken);        }}

write code to the source program of the new form, and fill in the form initialization function, so that the form is generated with permissions, and finally declared in the header file can be.

Seven, the actual testin order to test this program. To be able to participate in the DLL injection (medium)--dll injection and uninstallation of the writing of the first to inject a DLL, and then use the software to view and uninstall:

Figure 4 Viewing and uninstalling a DLL

The actual test, the procedure is feasible, this is our anti-malicious program of the weapon.

Viii. Summary

Through the discussion of two articles, a simple process manager is completed. Even though it is simple, it can be very powerful in many cases. And through the discussion of these articles, I believe that you have a certain understanding of the security software writing, I hope you can continue to learn, will be more powerful features to add to their own software, so that malicious programs nowhere to hide.

Security Class tool making NO. 005: Process Manager (bottom)