30 results about "DLL injection" patented technology

The invention discloses a method and device for loading user-defined DLL into a target progress, and belongs to the technical field of computers. The method comprises the steps that the target progress is established; before the target progress starts to operate, a loading function is modified to enable the target progress to skip to an assigned memory after starting to operate and calling the loading function, and then the target progress; after the target progress starts to operate and the loading function is called, a true function body of the loading function is called, and the user-defined DLL is loaded to the target progress through the true function body of the loading function. According to the method and device for loading the user-defined DLL into the target progress, the target progress is established, and the user-defined DLL is loaded into the target progress before the target progress operates other codes; the problem that in the prior art, when the HOOK operation is carried out through an existing loading method, data produced when the target progress operates cannot be completely obtained is solved, and the effect that the user-defined DLL can be inserted immediately, and all data when the target progress operates can be obtained is achieved.

The invention provides a method and a system for injecting a DLL (Dynamic Link Library) into a target process. A DLL injection module used for monitoring the program start in an operating system is set; the DLL injection module is registered into the operating system; when the target process sends a start request to the operating system, the operating system informs the DLL injection module of the request; and a user inserts a target DLL to be injected into the DLL of the target process according to requirements. The method and the system have the advantages of control comprehensiveness, good concealing performance, high flexibility and the like; the method and the system can be applied to data leaking prevention and can enhance the data protection grade; all non-system key processes can be injected; an injection system explorer technology can be applied to a secure desktop technology; and the method and the system can adapt to various common operating systems such as Windows XP, Windows Server 2003 and Windows 7.

Provided is a method for protecting mirror image codes based on executable mirror image hiding and dll injection. The method comprises the following steps that 1, a target mirror image is decrypted in a memorizer; 2, a PE mirror image is loaded, wherein a dll file needed for a program is loaded, mirror image repositioning is executed, and finally OEP is executed; 3, whether an IAT of an exe module is hijacked or not is checked; 4, a Load Library and a Load Library Ex are actively hijacked, operation in the step 3 is executed on a dll mirror image of a load result, and if judgment is not abnormal, the step 5 is executed; 5, a Create Process function is hijacked, and a protection dll is injected while a subprocess is set up; 6, remote thread injection is carried out, a protected target process is injected in a Ring3 environment, and thread injection of a vicious loader is avoided; 7, a thread (THREAD_PRIORITY_BELOW_NORMAL) with low priority is built, endless loop check is carried out, whether the thread is loaded by a Debugger or not is checked, and checking is carried out once every second.

There is provided a method to protect applications running in a hostile environment, including against trampoline based attacks which use dll injection and code modification. The method includes protecting an application when access is performed from injected dll, and protecting the application when access is performed from modified codes.

The invention discloses a configurable and integratable Hook system in Windows environment and a method thereof and relates to the technical field of DLL injection technology, Hook technology and interprocess communication. The system is characterized in that an application program subsystem comprises an injector unit and a hook unit, the injector unit comprises an injection module and a communication module, the hook unit comprises an inline hook module, an import address table hook module and a vectored exception handling module, and the injection module, the hook unit, an injected hook unitand the communication module sequentially interact. The method includes: 1, creating a naming pipeline; 2, selecting a target process; 3, selecting a dynamic link library for injection; 4, selectingan injection mode; 5, feeding back injection information; 6, configuring Hook parameters; 7, transmitting the Hook parameters to the injected hook unit; 8, completing Hook functional procedure; 9, feeding back Hook information. The system is configurable, and related process parameters of Hook can be configured by a user; the system has the characteristic of being easy to operate and can help to intercept and acquire enough useful information.

The invention relates to a dll injection method and system under a Windows platform. The dll injection method comprises the following steps: S01, preparing an injection program; S02, improving the authority of the operator; S03, sending a breakpoint event to a target process; S04, enabling the target process to respond to the breakpoint event; S05, running the target process to the breakpoint, suspending the program, storing the return address of the stack, and modifying the return address into the address of the injection program; S06, correcting the code of the injection program, and returning the code to the original return address after the code is executed; S07, enabling the target program continues to run and returning to the injection program part, and completing dll injection afterthe injection program runs; S08, enabling the target program to skip to the stored return address to continue to run, by sending the breakpoint event to the target program, modifying the breakpoint return address and skipping to the shellcode to complete dll injection. Therefore, the problem that in the prior art, dll injection cannot be conducted on the running process is solved, the success rate is high, and limited conditions are few.

The invention discloses a method and device for monitoring a program and belongs to the technical field of computers. The method includes: loading a to-be-monitored program; during the operation of the to-be-monitored program, performing instrumentation on each application programming interface API function called by the to-be-monitored program; acquiring the function name of each API function; judging whether each API function satisfies preset judging logic or not according to the corresponding function name; if so, judging that the to-be-monitored program has dynamic-link library DLL injection; detecting the injection type of the DLL injection according to preset detecting logic; acquiring injection information. The method has the advantages that whether the to-be-monitored is injected with a DLL module or not and an injection manner can be judged effectively, only the information of the API functions conforming to the logic needs to be output and judged, other API functions are not processed and output, and accordingly monitoring efficiency is increased evidently.

The invention discloses a DLL injection method and system based on a Windows platform. The method includes the following steps: starting a process, judging whether the current process needs to inject a safety detection DLL, and if so, obtaining the module name that needs to be injected into the safety detection DLL; judging the module Whether the name is "ntdll.dll", if yes, insert the injection information of the current process into the work queue; the safety detection DLL performs safety detection on the current process; if it is detected to be unsafe, it ends, and if it is safe, the current process is allowed to start. Through the solution of the present invention, more processes can be injected, and anti-virus software will not be accidentally killed, which is more stable and efficient.

The invention discloses a method and device for loading user-defined DLL into a target progress, and belongs to the technical field of computers. The method comprises the steps that the target progress is established; before the target progress starts to operate, a loading function is modified to enable the target progress to skip to an assigned memory after starting to operate and calling the loading function, and then the target progress; after the target progress starts to operate and the loading function is called, a true function body of the loading function is called, and the user-defined DLL is loaded to the target progress through the true function body of the loading function. According to the method and device for loading the user-defined DLL into the target progress, the target progress is established, and the user-defined DLL is loaded into the target progress before the target progress operates other codes; the problem that in the prior art, when the HOOK operation is carried out through an existing loading method, data produced when the target progress operates cannot be completely obtained is solved, and the effect that the user-defined DLL can be inserted immediately, and all data when the target progress operates can be obtained is achieved.

The invention discloses a method, a storage medium, an electronic device and a system for preventing bad DLL injection, and relates to the field of Internet PC client application development. The method includes obtaining a list of abnormal DLLs. Traverse the DLL library in the Windows system to find the location of the abnormal DLL. The abnormal DLL is retrieved according to the location of the abnormal DLL, and the position of the injected function in the abnormal DLL is acquired, and the injected function is a function injected into the DLL to the client. According to the location of the injected function in the abnormal DLL, rewrite all the injected functions in the abnormal DLL, and add a hook function in the injected function, and the hook function is used to monitor the name of the DLL injected by the injected function. The DLL name is compared with the preset list of bad DLLs, and if the injected DLL is a bad DLL, the injection of the bad DLL is terminated. The invention can prevent the client running in Windows from being injected with a bad DLL, thereby preventing the client from crashing and being hacked.

The invention discloses an optimal management method for injecting multi-DLL (dynamic link library) into a target procedure. The method comprises the following steps: inserting an APC function in a kernel space by use of an APC mechanism, and additionally adding the optimal management on the injection DLL while injecting the injection execution DLL into the target procedure, and injecting the DLL management module in unification through an unified injection interception mechanism under the condition of needing to inject multi-DLL in the target procedure, thereby improving the target procedure stability and the entire execution efficiency of the interception function. The technical scheme disclosed by the invention has the advantages of being comprehensive in control and high in flexibility, any number of DLL can be injected, and the stability and the efficiency of the target procedure can be obviously improved in particular under the condition of the existence of multi-injection HookDLL; and the execution order of the multi-HookDLL is effectively managed by use of an injection control DLL module (ControlDLL module), the method is flexible and varied, and can be suitable for various places.