I keep seeing people ask about process injection detection on Twitter, Stack Overflow, etc. If anyone is interested, I released the source code to injdmp.
Longer than usual disclaimer:
- This project was for learning C. The code sucks but the concepts are there, even if they are basic.
- I'd recommend updating the repo often. Odds are 0xdabbad00 will keep pointing out my mistakes. His current count is 2.
- Any type of detection from user space is fundamentally flawed.
- Volatility did all this stuff years ago, use it.
- The code was tested on Windows XP; very little testing was done on Windows 7.
With that being said, it's fun to think of ways to detect process injection. If anyone can recommend good articles on how anti-cheat engines detect process injection, or other detection techniques, please shoot me an email (line 3 in the source code) or ping me on Twitter.
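The classic user-space heuristic for spotting injected code, written out as an added example. This is not injdmp's code and not the author's method: a live scanner would fill `regions` from VirtualQueryEx, `modules` from EnumProcessModules/GetModuleFileNameEx, and `head` from ReadProcessMemory, whereas the snapshot below is constructed by hand so the logic runs anywhere. The module paths, addresses and bytes are made up; the MEM_*/PAGE_* constants are the real winnt.h values.

```python
"""
Added example (not code from injdmp): flag process memory that looks injected.

Rules, applied to each committed region of the target:
  1. executable memory of type MEM_PRIVATE  -> VirtualAllocEx/WriteProcessMemory style
  2. executable MEM_IMAGE region whose base is in no enumerated module
                                             -> mapped image hidden from the module list
  3. MEM_PRIVATE region starting with "MZ"   -> manually mapped / reflective DLL

The snapshot at the bottom is constructed, not captured from a real process.
"""
from dataclasses import dataclass
from typing import List, Optional

# Real constants from <winnt.h>.
MEM_COMMIT = 0x1000
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXECUTABLE = (PAGE_EXECUTE | PAGE_EXECUTE_READ |
              PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)


@dataclass
class Region:
    """One MEMORY_BASIC_INFORMATION entry plus the first bytes of the region."""
    base: int
    size: int
    state: int
    mem_type: int
    protect: int
    head: bytes = b""


@dataclass
class Module:
    """One entry from the target's loaded-module list (PEB loader data)."""
    base: int
    size: int
    path: str


def owning_module(addr: int, modules: List[Module]) -> Optional[Module]:
    """Return the module whose image range contains addr, if any."""
    for m in modules:
        if m.base <= addr < m.base + m.size:
            return m
    return None


def scan_regions(regions: List[Region], modules: List[Module]) -> List[str]:
    """Return one human-readable finding per suspicious region."""
    findings = []
    for r in regions:
        if r.state != MEM_COMMIT:
            continue  # reserved / free memory holds no code
        executable = bool(r.protect & EXECUTABLE)
        if r.mem_type == MEM_PRIVATE and executable:
            findings.append(f"{r.base:#x}: executable private memory")
        elif (r.mem_type == MEM_IMAGE and executable
              and owning_module(r.base, modules) is None):
            findings.append(f"{r.base:#x}: image region not in module list")
        if r.mem_type == MEM_PRIVATE and r.head.startswith(b"MZ"):
            findings.append(f"{r.base:#x}: PE header in private memory")
    return findings


# Constructed snapshot of a 32-bit process (hypothetical paths and addresses).
SAMPLE_MODULES = [
    Module(0x00400000, 0x00010000, r"C:\app\target.exe"),
    Module(0x7C800000, 0x000F6000, r"C:\WINDOWS\system32\kernel32.dll"),
]

SAMPLE_REGIONS = [
    # legitimate code: image-backed, executable, inside a listed module
    Region(0x00401000, 0x8000, MEM_COMMIT, MEM_IMAGE, PAGE_EXECUTE_READ, b"\x55\x8b\xec"),
    Region(0x7C801000, 0x80000, MEM_COMMIT, MEM_IMAGE, PAGE_EXECUTE_READ, b"\x8b\xff\x55"),
    # ordinary heap: private but not executable
    Region(0x00140000, 0x10000, MEM_COMMIT, MEM_PRIVATE, PAGE_READWRITE, b"\x00\x00\x00"),
    # shellcode written into a fresh RWX allocation
    Region(0x003A0000, 0x1000, MEM_COMMIT, MEM_PRIVATE, PAGE_EXECUTE_READWRITE, b"\xfc\xe8\x82"),
    # DLL mapped by hand into private memory (PE header present)
    Region(0x10000000, 0x20000, MEM_COMMIT, MEM_PRIVATE, PAGE_EXECUTE_READ, b"MZ\x90"),
    # image-backed executable memory that no listed module accounts for
    Region(0x02000000, 0x5000, MEM_COMMIT, MEM_IMAGE, PAGE_EXECUTE_READ, b"\x55\x8b\xec"),
]


if __name__ == "__main__":
    for finding in scan_regions(SAMPLE_REGIONS, SAMPLE_MODULES):
        print(finding)
```

The three rules are only as good as the snapshot: everything here is read from the target by another user-mode process, so an injector that tampers with the scanner's own view, or that runs and frees its code between two scans, is never seen. That is the gap the disclaimer about user-space detection refers to.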
Nice...
Thanks for sharing the source.
I'm just a "C" enthusiast.
> detect process injection or other detection techniques
Maybe try doing it from kernel mode. Just a guess (I'm not an expert).
http://www.codeproject.com/Articles/43586/File-System-Filter-Driver-Tutorial
Thanks for the link, I forgot about that tutorial. Creating a driver running in kernel mode would be the best option.
Hi, is it possible to upload the code to GitHub?
Thanks in advance
I have no future plans to set up a GitHub account. Bitbucket does accept GitHub as a login option if needed.