# HustDetours

**Repository Path**: yeahooooo/hust-detours

## Basic Information

- **Project Name**: HustDetours
- **Description**: No description available
- **Primary Language**: Unknown
- **License**: MIT
- **Default Branch**: main
- **Homepage**: None
- **GVP Project**: No

## Statistics

- **Stars**: 0
- **Forks**: 272
- **Created**: 2024-02-27
- **Last Updated**: 2024-06-03

## Categories & Tags

**Categories**: Uncategorized
**Tags**: None

## README

# Software Security Course Project: API-Hook-Based Software Behaviour Analysis System

## Task and requirements

This course project uses the interfaces provided by the open-source Detours package to perform basic program behaviour analysis. The task has two main parts: intercepting API calls, and analysing them.

## File layout

- Console-injector: command-line injector. At run time it takes the path of the target program and the path of the DLL to inject. Usage: `Console-injector.exe [program path] [DLL path]`.
- hook: the DLL that intercepts and analyses the hooked API functions; results are printed directly to the terminal.
- hookdll_copy: the same interception/analysis DLL, but results are sent over a pipe to the GUI program for display.
- GUI: graphical front end that reads the messages the DLL writes to the pipe and prints them in the window.
- Heap_test, Server_test, file_test, network_test, registry_test, etc.: small test programs containing simple examples of Windows API usage.

## Environment

- Detours library
- Qt 5.12.12
- After building Detours, configure the project properties of every project that uses it with the paths of the resulting bin.X64, bin.X86, lib.X64, lib.X86 and include folders.

## Supported Windows APIs

### Message boxes
MessageBoxW, MessageBoxA

### File operations
CreateFile, ReadFile, WriteFile, CloseHandle, MoveFile, CopyFile, DeleteFile

### Heap operations
HeapCreate, HeapDestroy, HeapAlloc, HeapFree

### Registry operations
RegQueryValueExW, RegSetValueExW, RegOpenKeyEx, RegCreateKeyEx, RegCloseKey, RegDeleteKey, RegDeleteValue

### Network operations
socket, bind, listen, accept, closesocket, connect, recv

### Memory operations
memcpy, memmove

## Analysis approach for the behaviours specified in the task

### File operation behaviour detection

1. Does the operation span multiple folders?
   Parse the absolute path of each file and determine whether the path involves more than one folder.
   Checked in CreateFile, ReadFile, WriteFile, MoveFile, CopyFile and DeleteFile.
2. Self-copying
   In CreateFile, compare the file-name argument with the process's own image file; if they match, the process is treated as attempting to copy itself.
   In ReadFile, if the process reads the contents of its own image file, it is treated as attempting to copy itself.
   In CopyFile, if the file being copied is the process's own image file, it is treated as attempting to copy itself.
3. Modifying other executable code
   In CreateFile, if the file name ends in exe, dll or ocx and the access argument allows writing, the process is treated as attempting to modify another program's code.
   In WriteFile, writing to a file whose extension is exe, dll or ocx is treated as an attempt to write into that executable.
   In MoveFile and CopyFile, check whether the file extension is exe, dll or ocx.
   In DeleteFile, check whether the file being deleted has extension exe, dll or ocx.
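The three file-operation rules above, written out as an added example (this is illustrative code, not the HustDetours project's own DLL). The analyser is portable C++17 so it can be unit-tested outside a hooked process; the `#ifdef _WIN32` part shows the Detours attach/detach boilerplate that feeds it from a `CreateFileW` hook and needs `detours.h`/`detours.lib` from a Detours build. The names `FileBehaviourAnalyser`, `FileEvent`, `Verdict` and `DetoursOrdinal1` are this example's own, and the "multiple folders" rule is implemented under one reading of the README (files touched in more than one directory across calls), which is an assumption.

```cpp
// Added example, not HustDetours code: the file-operation checks from the section
// above as a portable C++17 analyser, plus the Detours boilerplate feeding it
// from a CreateFileW hook (the #ifdef _WIN32 part needs detours.h/detours.lib).
#include <algorithm>
#include <cctype>
#include <set>
#include <string>
namespace analysis {
// Access-mask bits that permit writing (values from winnt.h).
constexpr unsigned long kGenericWrite = 0x40000000UL, kGenericAll = 0x10000000UL;
constexpr unsigned long kFileWriteData = 0x2UL, kFileAppendData = 0x4UL;
struct FileEvent {
    std::string api;       // CreateFile, ReadFile, WriteFile, MoveFile, CopyFile, DeleteFile
    std::string path;      // file operated on, or the source of Move/Copy
    std::string dest;      // destination of Move/Copy, empty otherwise
    unsigned long access;  // dwDesiredAccess of CreateFile, 0 for the others
};
struct Verdict { bool multiDir = false, selfCopy = false, execWrite = false; };

// NTFS is case-insensitive and accepts both separators: compare a canonical form.
std::string Normalise(std::string p) {
    std::replace(p.begin(), p.end(), '\\', '/');
    std::transform(p.begin(), p.end(), p.begin(), [](unsigned char c) { return std::tolower(c); });
    return p;
}
bool HasExecutableExtension(const std::string& path) {
    std::string p = Normalise(path);
    auto dot = p.find_last_of('.');  // the dot must be in the last path component
    if (dot == std::string::npos || p.find('/', dot) != std::string::npos) return false;
    std::string ext = p.substr(dot + 1);
    return ext == "exe" || ext == "dll" || ext == "ocx";
}
class FileBehaviourAnalyser {
public:
    // selfImage: the hooked process's own executable (GetModuleFileName(nullptr, ...)).
    explicit FileBehaviourAnalyser(const std::string& selfImage) : self_(Normalise(selfImage)) {}

    Verdict Analyse(const FileEvent& ev) {
        Verdict v;
        // 1. "Multiple folders", read here (an assumption) as files in more than one directory.
        Remember(ev.path);
        if (!ev.dest.empty()) Remember(ev.dest);
        v.multiDir = dirs_.size() > 1;
        // 2. Self-copy: the source of CreateFile/ReadFile/CopyFile is our own image.
        if (ev.api == "CreateFile" || ev.api == "ReadFile" || ev.api == "CopyFile")
            v.selfCopy = Normalise(ev.path) == self_;
        // 3. Other executable code: exe/dll/ocx on either path; CreateFile only with a write right.
        bool exe = HasExecutableExtension(ev.path) || (!ev.dest.empty() && HasExecutableExtension(ev.dest));
        const unsigned long kWrite = kGenericWrite | kGenericAll | kFileWriteData | kFileAppendData;
        v.execWrite = ev.api == "CreateFile" ? (exe && (ev.access & kWrite) != 0) : exe;
        return v;
    }
private:
    void Remember(const std::string& path) {
        std::string p = Normalise(path);
        auto slash = p.find_last_of('/');
        if (slash != std::string::npos) dirs_.insert(p.substr(0, slash));
    }
    std::string self_;
    std::set<std::string> dirs_;
};
}  // namespace analysis
#ifdef _WIN32
#include <windows.h>
#include <detours.h>
static analysis::FileBehaviourAnalyser* g_analyser = nullptr;
// Trampoline pointer: starts as the real function; DetourAttach rewrites it.
static HANDLE(WINAPI* RealCreateFileW)(LPCWSTR, DWORD, DWORD, LPSECURITY_ATTRIBUTES,
                                       DWORD, DWORD, HANDLE) = CreateFileW;
static HANDLE WINAPI HookedCreateFileW(LPCWSTR name, DWORD access, DWORD share,
        LPSECURITY_ATTRIBUTES sa, DWORD disposition, DWORD flags, HANDLE tmpl) {
    if (g_analyser && name) {
        char narrow[MAX_PATH * 4] = {};
        WideCharToMultiByte(CP_UTF8, 0, name, -1, narrow, sizeof narrow, nullptr, nullptr);
        analysis::Verdict v = g_analyser->Analyse({"CreateFile", narrow, "", access});
        if (v.selfCopy)  OutputDebugStringA("[hook] CreateFile on own image: self-copy?\n");
        if (v.execWrite) OutputDebugStringA("[hook] CreateFile opens executable for writing\n");
    }
    return RealCreateFileW(name, access, share, sa, disposition, flags, tmpl);
}
BOOL WINAPI DllMain(HINSTANCE, DWORD reason, LPVOID) {
    if (DetourIsHelperProcess()) return TRUE;  // 32/64-bit helper spawned by the injector
    if (reason != DLL_PROCESS_ATTACH && reason != DLL_PROCESS_DETACH) return TRUE;
    if (reason == DLL_PROCESS_ATTACH) {
        DetourRestoreAfterWith();
        char self[MAX_PATH] = {};
        GetModuleFileNameA(nullptr, self, MAX_PATH);
        g_analyser = new analysis::FileBehaviourAnalyser(self);
    }
    DetourTransactionBegin();  // attach on load, detach on unload, applied atomically
    DetourUpdateThread(GetCurrentThread());
    if (reason == DLL_PROCESS_ATTACH) DetourAttach(&(PVOID&)RealCreateFileW, HookedCreateFileW);
    else DetourDetach(&(PVOID&)RealCreateFileW, HookedCreateFileW);
    DetourTransactionCommit();
    return TRUE;
}
// Detours-style injectors (DetourCreateProcessWithDllEx) need an export at ordinal 1;
// a DLL with a single export gets it by default, a .def file makes it explicit.
extern "C" __declspec(dllexport) void DetoursOrdinal1() {}
#endif
```

Two caveats that matter in practice. ReadFile and WriteFile receive a HANDLE, not a name, so the rules for them need the hook to remember the name-to-handle mapping from the hooked CreateFile (or to call GetFinalPathNameByHandleW); and anything the hook does to report its findings must not go through a hooked API, since logging with CreateFile/WriteFile from inside the CreateFile hook re-enters the hook. Writing to a pipe handle opened before the hooks are attached, as hookdll_copy does, avoids that.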
### Registry operation behaviour analysis

1. Detect creation of new registry keys and whether they are autorun entries
   In RegCreateKeyEx, detect the creation of a new key and match the function's arguments against the usual autorun locations; a match means the call is creating a new autorun registry entry.
2. Registry modification
   RegSetValueExW setting a value is treated as a registry modification.
   In RegDeleteKey, detect deletion of a registry key.
   In RegDeleteValue, detect deletion of a registry value.

### Heap operation behaviour analysis

1. Check that heap creation and destruction match
   Record the handle returned by HeapCreate; when HeapDestroy is called, check whether the heap identified by its handle argument has already been destroyed. If so, the heap is being destroyed twice.
2. Repeated frees
   Record the pointers returned by HeapAlloc; on every HeapFree, look up whether the memory at that pointer has already been freed. If so, it is a double free.

### Network communication behaviour analysis

1. Intercept the socket APIs used for network transfer.
2. Print the port, protocol type and IP address of each connection the process makes.
   Analyse the arguments of bind, accept and connect to obtain the required port, protocol and IP information.

### Memory copy detection and correlation

Output memory-copy information and analyse where the copied data flows: print the source-address and destination-address arguments of the memory operation functions.

# Microsoft Research Detours Package

Detours is a software package for monitoring and instrumenting API calls on Windows. Detours has been used by many ISVs and is also used by product teams at Microsoft. Detours is now available under a standard open source license ([MIT](https://github.com/microsoft/Detours/blob/master/LICENSE.md)). This simplifies licensing for programmers using Detours and allows the community to support Detours using open source tools and processes.

Detours is compatible with the Windows NT family of operating systems: Windows NT, Windows XP, Windows Server 2003, Windows 7, Windows 8, and Windows 10. It cannot be used by Windows Store apps because Detours requires APIs not available to those applications.

This repo contains the source code for version 4.0.1 of Detours. For technical documentation on Detours, see the [Detours Wiki](https://github.com/microsoft/Detours/wiki). For directions on how to build and run samples, see the samples [README.txt](https://github.com/Microsoft/Detours/blob/master/samples/README.TXT) file.

## Contributing

The [`Detours`](https://github.com/microsoft/detours) repository is where development is done. Here are some ways you can participate in the project:

* [Answer questions](https://github.com/microsoft/detours/issues) about using Detours.
* [Improve the Wiki](https://github.com/microsoft/detours/wiki).
* [Submit bugs](https://github.com/microsoft/detours/issues) and help us verify fixes and changes as they are checked in.
* Review [source code changes](https://github.com/microsoft/detours/pulls).

Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.

## Issues, questions, and feedback

* Open an issue on [GitHub Issues](https://github.com/Microsoft/detours/issues).

## Mailing list for announcements

The detours-announce mailing list is a low-traffic email list for important announcements about the project, such as the availability of new versions of Detours. To join it, send an email to listserv@lists.research.microsoft.com with a message body containing only the text SUBSCRIBE DETOURS-ANNOUNCE. To leave it, send an email to listserv@lists.research.microsoft.com with a message body containing only the text UNSUBSCRIBE DETOURS-ANNOUNCE.

## License

Copyright (c) Microsoft Corporation. All rights reserved.

Licensed under the [MIT](LICENSE.md) License.
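The registry, heap and network analysis sections of the HustDetours README above describe checks that keep state across hooked calls or decode raw API arguments. The following is an added example of those three checks (illustrative code, not the project's DLL): the autorun key list, the names `IsAutorunKey`, `HeapTracker`, `DecodeSockaddr` and `ProtocolName`, and the convention that the registry hook passes a root-stripped key path are all assumptions of this example. It is portable C++17 so it can be tested outside a hooked process; inside a Detours hook each function would be called with the intercepted API's arguments before forwarding to the real function.

```cpp
// Added example, not HustDetours code: state-tracking checks for the registry,
// heap and socket hooks described in the README. Portable C++17.
#include <algorithm>
#include <cctype>
#include <cstdint>
#include <cstring>
#include <set>
#include <string>
#include <utility>
namespace behaviour {
// Registry: usual autorun locations under HKLM/HKCU (an assumed list; the README
// does not enumerate them). Stored lower-case, without the root key.
static const char* const kAutorunKeys[] = {
    "software\\microsoft\\windows\\currentversion\\run",
    "software\\microsoft\\windows\\currentversion\\runonce",
    "software\\microsoft\\windows\\currentversion\\runservices",
    "software\\microsoft\\windows nt\\currentversion\\winlogon",
};
static std::string Lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(), [](unsigned char c) { return std::tolower(c); });
    return s;
}
// RegCreateKeyEx gets a parent HKEY plus lpSubKey; the hook must resolve the parent
// (predefined roots compare directly, opened keys need the path remembered from
// RegOpenKeyEx/RegCreateKeyEx) and pass the joined, root-stripped path here.
// Prefix match, case-insensitive: an entry may be created in a subkey of Run.
bool IsAutorunKey(const std::string& subKeyPath) {
    std::string p = Lower(subKeyPath);
    for (const char* k : kAutorunKeys)
        if (p.rfind(k, 0) == 0) return true;
    return false;
}
// Heap: track live heaps and live blocks so a second HeapDestroy/HeapFree on the
// same handle or address is reported. Erasing on free and re-inserting on alloc
// keeps address reuse (HeapAlloc handing back a freed block) from producing false positives.
class HeapTracker {
public:
    void OnHeapCreate(uintptr_t heap) { heaps_.insert(heap); }
    // true when the heap is not live: never created here, or already destroyed
    bool OnHeapDestroy(uintptr_t heap) {
        if (heaps_.erase(heap) == 0) return true;
        for (auto it = blocks_.begin(); it != blocks_.end();)  // blocks die with the heap
            it = (it->first == heap) ? blocks_.erase(it) : ++it;
        return false;
    }
    void OnHeapAlloc(uintptr_t heap, uintptr_t block) {
        if (block) blocks_.insert(std::make_pair(heap, block));
    }
    // true when the block is not live (double free or foreign pointer); NULL is a no-op
    bool OnHeapFree(uintptr_t heap, uintptr_t block) {
        if (!block) return false;
        return blocks_.erase(std::make_pair(heap, block)) == 0;
    }
private:
    std::set<uintptr_t> heaps_;
    std::set<std::pair<uintptr_t, uintptr_t>> blocks_;
};
// Network: decode the sockaddr given to bind/connect or filled in by accept.
// sockaddr_in layout (16 bytes): sin_family in host order, sin_port and sin_addr
// in network (big-endian) order, then 8 bytes of zero padding.
struct Endpoint { bool ok = false; std::string ip; uint16_t port = 0; };
Endpoint DecodeSockaddr(const uint8_t* sa, size_t len) {
    Endpoint e;
    if (!sa || len < 8) return e;
    uint16_t family = 0;
    std::memcpy(&family, sa, sizeof family);  // read exactly as sin_family is read
    if (family != 2) return e;                // AF_INET only; AF_INET6 (23 on Winsock) is 28 bytes
    e.port = static_cast<uint16_t>((sa[2] << 8) | sa[3]);
    e.ip = std::to_string(sa[4]) + "." + std::to_string(sa[5]) + "." +
           std::to_string(sa[6]) + "." + std::to_string(sa[7]);
    e.ok = true;
    return e;
}
// Protocol from the socket() arguments; the numeric values are the same on Winsock
// and BSD sockets (SOCK_STREAM=1, SOCK_DGRAM=2, IPPROTO_TCP=6, IPPROTO_UDP=17).
// Protocol 0 means "the default for this type".
std::string ProtocolName(int type, int protocol) {
    if (protocol == 6 || (protocol == 0 && type == 1)) return "TCP";
    if (protocol == 17 || (protocol == 0 && type == 2)) return "UDP";
    return "other";
}
}  // namespace behaviour
```

For accept the address is only valid after the real function returns, so the hook forwards first and decodes the out-parameter afterwards; for bind and connect the argument is decoded before forwarding. The protocol is known from the earlier socket() call, so a real hook keeps a map from socket handle to the type/protocol seen there and looks it up when bind/connect/accept fire.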