Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
F
F
ForhaxeD2012-12-07 23:45:24
Windows
ForhaxeD, 2012-12-07 23:45:24

How to understand what one process is doing with another process?

Hey %habrauser%!
There are two processes in the system.
Situation:
The first process changes something in the memory of the second process.
Task: It is
necessary to study what exactly it changes and what it reads from it. Perhaps this is implemented using a process attack followed by a call to the ReadProcessMemory, WriteProcessMemory API functions.
Is there software that can intercept this data and somehow pledge it?
PS I did not work with WinAPI, so I don’t quite understand whether it is possible to put a hook on these two functions, a cursory googling did not bring any results.

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

4 answer(s)
Report
H
Hint, 2012-12-08
@Hint

If one process has introduced its module into another, then ReadProcesMemory and WriteProcessMemory are no longer needed (you can work with memory directly).
You need to put hooks in the other process and in the victim process on some functions (WritePM, ReadPM, VirtualProtect, LoadLibrary) and log the calls. Pretty easy if you know how to program. In the same way, you can block calls.

Report
K
Killy, 2012-12-08
@Killy

In principle, Jetico Personal Firewall can intercept and pledge .
But this is probably not what you are looking for. And in the log (as well as in pop-up messages, until you set it up), there will be only the type of access. No addresses, no other details.
But it's worth a look - at least to assess the possibility of interception.
For simplicity, you can disable (bypass) all branches except for Process Attack. And in Process Atack add rules for applications of interest with a log entry. The rest can also be skipped.

Report
A
Antelle, 2012-12-08
@Antelle

This is quite difficult to do, because there are a lot of ways to “do something with a different process”. If you need to see which apis a process calls, there is the Monitor API for this , or WinDbg.

Report
D
Dmitry, 2012-12-08
@EvilsInterrupt

If in a hurry, then a virtual machine (vmware, virtual box) and win32apioverride. This tool is nothing more than an API monitor (free and with fairly serious functionality). If this method does not work, then it means virtual + WinDbg (to speed up virtualkd). WinDbg has an extension which is an API monitor(!load logexts)

Similar questions
N
NewDevLab2020-06-04 00:39:52
What is the current sequence of steps for non-interactive Windows installation? 2Reply
V
Vadim Solovyov2015-01-01 15:47:40
How to remove write protection from system fonts? 1Reply
L
Lion Golden2018-05-10 22:14:50
What is the easiest way to redirect a list of specific domains / ip through a proxy (Win)? 1Reply
O
Oleg Pogrebnyak2018-05-11 09:56:22
Batch doing multiple things? 1Reply
M
matros972018-05-11 10:52:18
Is it worth installing Windows 7 x64 Home Premium on a laptop? 3Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question