How to understand what one process is doing with another process?
Hey %habrauser%!
There are two processes in the system.
Situation:
The first process changes something in the memory of the second process.
Task: it is necessary to study what exactly it changes and what it reads from it. Perhaps this is implemented using a process attack followed by calls to the ReadProcessMemory and WriteProcessMemory API functions.
Is there software that can intercept this data and somehow log it?
PS: I have not worked with WinAPI, so I don't quite understand whether it is possible to put a hook on these two functions; a cursory googling did not bring any results.
If one process has injected its module into another, then ReadProcessMemory and WriteProcessMemory are no longer needed (it can work with the memory directly).
You need to put hooks in the other process and in the victim process on some functions (WritePM, ReadPM, VirtualProtect, LoadLibrary) and log the calls. Pretty easy if you know how to program. In the same way, you can block calls.
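The logging half of the approach above, as an added example that is not part of the thread: assuming hooks on ReadProcessMemory, WriteProcessMemory and the cross-process VirtualProtectEx write one line per call in the constructed format shown, this summarises per process pair what was read, what was written and where. All process ids, addresses and the log format are made up for the demonstration.

```python
import re
from collections import defaultdict

# Constructed log format (assumption): "<caller_pid> <api> target=<pid> addr=<hex> size=<n>"
LOG_LINE = re.compile(r"^(?P<caller>\d+) (?P<api>\w+) target=(?P<target>\d+) "
                      r"addr=0x(?P<addr>[0-9a-fA-F]+) size=(?P<size>\d+)$")

# Constructed sample: pid 1234 reads two pages of pid 5678, changes protection
# on one, then writes 16 bytes into it; pid 9999 only reads its own memory.
SAMPLE_LOG = """\
1234 ReadProcessMemory target=5678 addr=0x7ff6a0001000 size=4096
1234 ReadProcessMemory target=5678 addr=0x7ff6a0002000 size=4096
1234 VirtualProtectEx target=5678 addr=0x7ff6a0001000 size=4096
1234 WriteProcessMemory target=5678 addr=0x7ff6a0001040 size=16
9999 ReadProcessMemory target=9999 addr=0x0000000000400000 size=8
garbage line that the parser must skip
"""

KINDS = {"ReadProcessMemory": "reads", "WriteProcessMemory": "writes",
         "VirtualProtectEx": "protect_changes"}

def parse(log_text):
    """Yield (caller, api, target, addr, size); malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            yield (int(m["caller"]), m["api"], int(m["target"]),
                   int(m["addr"], 16), int(m["size"]))

def summarise(log_text):
    """Group calls by (caller, target); a process touching itself is ignored."""
    out = defaultdict(lambda: {k: [] for k in KINDS.values()})
    for caller, api, target, addr, size in parse(log_text):
        if caller != target and api in KINDS:
            out[(caller, target)][KINDS[api]].append((addr, size))
    return dict(out)

def report(log_text):
    """One human-readable line per process pair: bytes read, bytes written, where."""
    lines = []
    for (caller, target), acc in sorted(summarise(log_text).items()):
        read, written = (sum(s for _, s in acc[k]) for k in ("reads", "writes"))
        where = ", ".join(hex(a) for a, _ in acc["writes"]) or "nowhere"
        flag = " (page protection changed first)" if acc["protect_changes"] else ""
        lines.append(f"pid {caller} -> pid {target}: read {read} bytes in "
                     f"{len(acc['reads'])} calls, wrote {written} bytes at {where}{flag}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```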
In principle, Jetico Personal Firewall can intercept and log this.
But this is probably not what you are looking for. And in the log (as well as in pop-up messages, until you set it up), there will be only the type of access. No addresses, no other details.
But it's worth a look - at least to assess the possibility of interception.
For simplicity, you can disable (bypass) all branches except for Process Attack. And in Process Attack add rules for the applications of interest with a log entry. The rest can also be skipped.
This is quite difficult to do, because there are a lot of ways to "do something with a different process". If you need to see which APIs a process calls, there is API Monitor for this, or WinDbg.
If in a hurry, then a virtual machine (VMware, VirtualBox) and win32apioverride. This tool is nothing more than an API monitor (free and with fairly serious functionality). If this method does not work, then a VM + WinDbg (VirtualKD to speed it up). WinDbg has an extension which is an API monitor (!load logexts).