J'ai fini de programmer un détecteur de RunPE très simple ; la méthode consiste à comparer le processus avec son fichier sur le disque...
Et voilà le résultat :
;By Celtic88 :)
IncludeFile "PEB_STRUCTURE.Pbi"
; Buffer layout for NtQueryInformationProcess_() information class 0
; (ProcessBasicInformation). Only PebBaseAddress is read by this file; the
; Reserved fields merely keep the C layout (hence Align #PB_Structure_AlignC).
; Every field is pointer sized, so the layout matches a target of the same
; bitness as this binary — NOTE(review): WOW64 / cross-bitness targets are not handled, confirm.
Structure PROCESS_BASIC_INFORMATION Align #PB_Structure_AlignC
*Reserved1; opaque, not read here
*PebBaseAddress.PEB ; address of the target's PEB (PEB is defined in PEB_STRUCTURE.Pbi)
*Reserved2[2] ; opaque, not read here
*UniqueProcessId ; not read here (the pid is supplied by the caller instead)
*Reserved3 ; opaque, not read here
EndStructure
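; Unicode GetModuleFileNameEx from psapi.dll, resolved once at startup.
; The prototype stays 0 when the library or the export cannot be found; callers
; must test for 0 before invoking it instead of crashing on a null call.
; (The original called GetFunction() even when OpenLibrary() had failed.)
Prototype.l GetModuleFileNameEx(hProcess.i, hModule.i, *Str, len.l)

Global GetModuleFileNameEx.GetModuleFileNameEx = 0
If OpenLibrary(0, "psapi.dll")
  GetModuleFileNameEx = GetFunction(0, "GetModuleFileNameExW")
EndIf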
; One enumerated process, as filled in by Process_Get_Process_List().
Structure Process_Info
Pid.l  ; PROCESSENTRY32\th32ProcessID
Name.s ; PROCESSENTRY32\szExeFile read back as a string
EndStructure
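; Enables SeDebugPrivilege on the current process token so that OpenProcess_()
; can later reach processes this user could not otherwise open.
; Returns #True only when the privilege was actually assigned, #False otherwise.
;
; AdjustTokenPrivileges_() returns non-zero even when the privilege could not be
; assigned (GetLastError_() then reports ERROR_NOT_ALL_ASSIGNED), so the last
; error code is inspected too. The token handle is now closed on every path;
; the previous version leaked it when LookupPrivilegeValue_() failed.
Procedure Process_Adjust_Token_Privileges()
  Protected priv.TOKEN_PRIVILEGES, hToken.i, iReturn = #False

  If OpenProcessToken_(GetCurrentProcess_(), #TOKEN_ADJUST_PRIVILEGES | #TOKEN_QUERY, @hToken)
    priv\PrivilegeCount = 1
    priv\Privileges[0]\Attributes = #SE_PRIVILEGE_ENABLED
    If LookupPrivilegeValue_(#Null, #SE_DEBUG_NAME, @priv\Privileges[0]\Luid)
      If AdjustTokenPrivileges_(hToken, #False, @priv, 0, #Null, #Null)
        ; 0 = ERROR_SUCCESS: the privilege was granted. Any other code means the
        ; account does not hold SeDebugPrivilege (typically ERROR_NOT_ALL_ASSIGNED).
        If GetLastError_() = 0
          iReturn = #True
        EndIf
      EndIf
    EndIf
    CloseHandle_(hToken)
  EndIf

  ProcedureReturn iReturn
EndProcedure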
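; Reads the DOS and NT headers of the main image of hProcess, locating the image
; through the target's PEB (lpImageBaseAddress comes from PEB_STRUCTURE.Pbi).
; Returns #True only if every query and read succeeded.
Procedure Process_Read_Memory_Headers(hProcess, *Dos.IMAGE_DOS_HEADER, *Nt.IMAGE_NT_HEADERS)
  Protected Pbi.PROCESS_BASIC_INFORMATION, Peb.PEB, ReturnLength.l

  ; Information class 0 = ProcessBasicInformation; STATUS_SUCCESS and #S_OK are both 0.
  ; ReturnLength is declared explicitly (the original relied on an undeclared variable).
  If NtQueryInformationProcess_(hProcess, 0, @Pbi, SizeOf(PROCESS_BASIC_INFORMATION), @ReturnLength) <> #S_OK
    ProcedureReturn #False
  EndIf
  If ReadProcessMemory_(hProcess, Pbi\PebBaseAddress, @Peb, SizeOf(PEB), 0) = 0
    ProcedureReturn #False
  EndIf
  If ReadProcessMemory_(hProcess, Peb\lpImageBaseAddress, *Dos, SizeOf(IMAGE_DOS_HEADER), 0) = 0
    ProcedureReturn #False
  EndIf
  ; e_lfanew is taken from the target's memory; a bogus value simply makes this read fail.
  If ReadProcessMemory_(hProcess, Peb\lpImageBaseAddress + *Dos\e_lfanew, *Nt, SizeOf(IMAGE_NT_HEADERS), 0) = 0
    ProcedureReturn #False
  EndIf
  ProcedureReturn #True
EndProcedure

; Reads the DOS and NT headers from the executable at FileName.
; Returns #True only if the file opened and both headers were read in full;
; a short read (ReadData() returns the byte count) must not be compared.
Procedure Process_Read_File_Headers(FileName.s, *Dos.IMAGE_DOS_HEADER, *Nt.IMAGE_NT_HEADERS)
  Protected hFile, Ok = #False

  ; #PB_Any instead of a hard-coded file number 0, which could collide with
  ; a file the including program already has open.
  hFile = ReadFile(#PB_Any, FileName)
  If hFile
    If ReadData(hFile, *Dos, SizeOf(IMAGE_DOS_HEADER)) = SizeOf(IMAGE_DOS_HEADER)
      FileSeek(hFile, *Dos\e_lfanew)
      If ReadData(hFile, *Nt, SizeOf(IMAGE_NT_HEADERS)) = SizeOf(IMAGE_NT_HEADERS)
        Ok = #True
      EndIf
    EndIf
    CloseFile(hFile)
  EndIf

  ProcedureReturn Ok
EndProcedure

; Compares the PE headers of the image running in process pPid (read via its
; PEB) with the headers of the file the loader reports as its main module.
; Returns:
;    0  DOS header, file header and SizeOfImage all match
;    1  one of them differs (suspicious: the in-memory image is not the on-disk one)
;   -1  the process could not be inspected (open/query/read failure, unreadable file,
;       or psapi.dll not available)
; Only the headers are compared, nothing past them, and the detector assumes the
; same bitness as the target — NOTE(review): confirm behaviour for WOW64 targets.
Procedure Process_Is_Injected_Process(pPid.l)
  Protected hProcess, FileName.s{#MAX_PATH}, iReturn = -1
  Protected MemDos.IMAGE_DOS_HEADER, MemNt.IMAGE_NT_HEADERS
  Protected FileDos.IMAGE_DOS_HEADER, FileNt.IMAGE_NT_HEADERS

  ; The prototype is 0 when psapi.dll could not be loaded; never call a null prototype.
  If GetModuleFileNameEx = 0
    ProcedureReturn iReturn
  EndIf

  hProcess = OpenProcess_(#PROCESS_QUERY_INFORMATION | #PROCESS_VM_READ, #False, pPid)
  If hProcess
    If Process_Read_Memory_Headers(hProcess, @MemDos, @MemNt)
      ; hModule 0 = the main module, i.e. the path the loader recorded for the process.
      If GetModuleFileNameEx(hProcess, 0, @FileName, #MAX_PATH)
        If Process_Read_File_Headers(FileName, @FileDos, @FileNt)
          ; Both sides are readable: report a mismatch unless proven identical.
          ; Addresses are passed explicitly to CompareMemory(), which expects pointers.
          iReturn = 1
          If CompareMemory(@MemDos, @FileDos, SizeOf(IMAGE_DOS_HEADER))
            If MemNt\OptionalHeader\SizeOfImage = FileNt\OptionalHeader\SizeOfImage And
               CompareMemory(@MemNt\FileHeader, @FileNt\FileHeader, SizeOf(IMAGE_FILE_HEADER))
              iReturn = 0
            EndIf
          EndIf
        EndIf
      EndIf
    EndIf
    CloseHandle_(hProcess)
  EndIf

  ProcedureReturn iReturn
EndProcedure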
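; Fills Process_List() with the pid and executable name of every process in a
; Toolhelp snapshot and returns the number of entries collected (0 on failure).
;
; Two fixes against the previous version: CreateToolhelp32Snapshot_() reports
; failure with INVALID_HANDLE_VALUE (-1), which the old "If hSnapshot" test
; accepted as valid; and the Repeat/Until loop keeps the entry delivered by
; Process32First_(), which the old "While Process32Next_()" loop dropped.
Procedure Process_Get_Process_List(List Process_List.Process_Info())
  Protected hSnapshot, ProcEntry.PROCESSENTRY32

  ClearList(Process_List())
  hSnapshot = CreateToolhelp32Snapshot_(#TH32CS_SNAPPROCESS, #Null)
  If hSnapshot And hSnapshot <> #INVALID_HANDLE_VALUE
    ClearStructure(@ProcEntry, PROCESSENTRY32)
    ProcEntry\dwSize = SizeOf(PROCESSENTRY32) ; required before Process32First_()
    If Process32First_(hSnapshot, @ProcEntry)
      Repeat
        AddElement(Process_List())
        Process_List()\Pid = ProcEntry\th32ProcessID
        Process_List()\Name = PeekS(@ProcEntry\szExeFile)
      Until Process32Next_(hSnapshot, @ProcEntry) = 0
    EndIf
    CloseHandle_(hSnapshot)
  EndIf

  ProcedureReturn ListSize(Process_List())
EndProcedure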
; Entry point: try to enable SeDebugPrivilege (the result is not checked),
; enumerate all processes, then print one verdict line per process.
; Verdict values come from Process_Is_Injected_Process():
;   0 = headers match, 1 = headers differ, -1 = process could not be inspected.
Process_Adjust_Token_Privileges()

NewList Process_List.Process_Info()
Process_Get_Process_List(Process_List())

Define Verdict
ForEach Process_List()
  Verdict = Process_Is_Injected_Process(Process_List()\Pid)
  Debug "Process name : " + Process_List()\Name + " Pid : " + Str(Process_List()\Pid) + " Is Injected : " + Str(Verdict)
Next