# HustDetours

**Repository Path**: ljyhhhh/hust-detours

## Basic Information

- **Project Name**: HustDetours
- **Description**: No description available
- **Primary Language**: Unknown
- **License**: MIT
- **Default Branch**: main
- **Homepage**: None
- **GVP Project**: No

## Statistics

- **Stars**: 0
- **Forks**: 272
- **Created**: 2024-02-28
- **Last Updated**: 2024-05-30

## Categories & Tags

**Categories**: Uncategorized

**Tags**: None

## README

# HUST CSE 2024 Software Security Course Project: An API-Hook-Based Software Behaviour Analysis System

This course project builds on the open-source Detours project to intercept and analyse the API calls of programs for which no source code is available; the Hook project was implemented as a team. Collaboration was done through Gitee. The back end is developed in C++ in Visual Studio and consists of the client main program, the injector, the DLL and the server program; the front end wraps the GUI in a framework. The project structure is shown below:

![Project structure diagram](https://gitee.com/hzh_zero/hust-detours/raw/main/assets/struct.png)

## Client

The client is the control centre of the whole project and uses a framework to provide a GUI for interaction with the user. The user selects the program to be analysed in the client; the client then calls the injector module to inject the hook DLL into the target program and starts the analysis. The interception and analysis functions in the DLL report runtime information back to the client, which logs and displays it.

## Injector

The injector module mainly uses DetourCreateProcessWithDllEx to carry out the operations of starting and stopping injection.

## DLL

The DLL is the functional core of the project: all API interception and analysis of anomalous program behaviour is implemented in it. The injector program injects the DLL into the target process so that interception and analysis can take place.

The DLL consists of two major parts: the interception and anomaly-analysis functions, and the hook main function.

### Interception functions

An interception function is a modified version of a function that is to be hooked; the project uses a separate header file for each category of hooked functions, in which the concrete functions are written. The interception function captures the target API operation and sends the relevant parameters back to the client for display. It also contains the anomaly analysis of program behaviour: by analysing the parameters of the API call it decides whether the behaviour is anomalous, and it sends the result to the server program, which keeps the statistics. The result is anomaly analysis of heap, file, registry and network-communication operations.

### Hook main function

The hook functions are DetourAttach and DetourDetach, which respectively attach and detach the hooks so that the interception functions are inserted into the target code.

## Server program

The server program receives the anomaly-analysis information, compiles statistics from it, and sends the statistical results back to the client for display.

## Division of work and implemented features

### Division of work

李婧瑶: implemented the basic Windows API interception framework for third-party processes, MessageBox interception, and memory-copy monitoring with correlation analysis

王婧薇: implemented heap-operation API interception and heap-operation anomaly analysis, and provided the behaviour-detection sample library

邬雪菲: implemented file-operation API interception and file-operation anomaly analysis, wrote the project documentation, and performed network-communication anomaly analysis

陈欣然: completed the system UI; developed the client, server and injector programs; performed sample testing

胡展豪: implemented registry API interception and registry anomaly analysis, merged branches, and audited code commits

### Implemented features

1. Front end: a graphical interface in which the user selects a target program for analysis; the analysis results are shown in the client for review.
2. Back end: a basic Windows API interception framework
    1. API interception:
        1. Dialogs: MessageBoxA, MessageBoxW
        2. Heap: HeapCreate, HeapFree, HeapAlloc
        3. File: CreateFile, CloseHandle, ReadFile, WriteFile, CopyFile
        4. Registry: RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegCloseKey, RegOpenKeyExW, RegDeleteValueW
        5. Network communication: WSAConnect, WSASend, WSARecv
    2. Anomaly analysis:
        1. Heap: whether allocations and frees match; whether the same block is freed more than once
        2. File: whether the operations span multiple folders; whether the program copies itself; whether executable code is modified
        3. Registry: whether a new registry key is created and whether it is an autorun executable entry; whether registry values are modified
        4. Network communication: capture of network connection information
        5. Memory: output of memory-copy information and analysis of where the copied content flows

**Below is the README of the upstream Detours repository:**

# Microsoft Research Detours Package

Detours is a software package for monitoring and instrumenting API calls on Windows. Detours has been used by many ISVs and is also used by product teams at Microsoft. Detours is now available under a standard open source license ([MIT](https://github.com/microsoft/Detours/blob/master/LICENSE.md)). This simplifies licensing for programmers using Detours and allows the community to support Detours using open source tools and processes.

Detours is compatible with the Windows NT family of operating systems: Windows NT, Windows XP, Windows Server 2003, Windows 7, Windows 8, and Windows 10. It cannot be used by Windows Store apps because Detours requires APIs not available to those applications.

This repo contains the source code for version 4.0.1 of Detours. For technical documentation on Detours, see the [Detours Wiki](https://github.com/microsoft/Detours/wiki). For directions on how to build and run samples, see the samples [README.txt](https://github.com/Microsoft/Detours/blob/master/samples/README.TXT) file.

## Contributing

The [`Detours`](https://github.com/microsoft/detours) repository is where development is done. Here are some ways you can participate in the project:

* [Answer questions](https://github.com/microsoft/detours/issues) about using Detours.
* [Improve the Wiki](https://github.com/microsoft/detours/wiki).
* [Submit bugs](https://github.com/microsoft/detours/issues) and help us verify fixes and changes as they are checked in.
* Review [source code changes](https://github.com/microsoft/detours/pulls).

Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.

## Issues, questions, and feedback

* Open an issue on [GitHub Issues](https://github.com/Microsoft/detours/issues).

## Mailing list for announcements

The detours-announce mailing list is a low-traffic email list for important announcements about the project, such as the availability of new versions of Detours. To join it, send an email to listserv@lists.research.microsoft.com with a message body containing only the text SUBSCRIBE DETOURS-ANNOUNCE. To leave it, send an email to listserv@lists.research.microsoft.com with a message body containing only the text UNSUBSCRIBE DETOURS-ANNOUNCE.

## License

Copyright (c) Microsoft Corporation. All rights reserved.

Licensed under the [MIT](LICENSE.md) License.
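The HustDetours section above describes the anomaly checks its hook DLL runs on captured API parameters (matching heap allocations to frees, detecting double frees, a program copying its own executable, and writes to an autorun registry key) but shows no code for them. The following is an added example, written for this page and not taken from HustDetours or Detours, of that analysis step in isolation: it consumes a stream of event records of the kind a hook would report back to the client and produces counts per finding. The `HookEvent`/`Findings` types, the `analyze` and `sampleRun` functions, the heap handles, paths and the analysed program name `C:\Samples\target.exe` are all constructed for the example; the `...\CurrentVersion\Run` key path is the well-known Windows autostart location. Nothing here injects into or touches a live process, so it compiles and runs on any platform.

```cpp
// Added example (not part of HustDetours or Detours): offline anomaly analysis
// over a sequence of hook events, modelled on the checks the README lists.
// All event records below are constructed; nothing here touches a live process.
#include <cctype>
#include <cstdint>
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <vector>

// The subset of hooked APIs this example analyses.
enum class Api { HeapAlloc, HeapFree, CopyFile, RegSetValue };

// One record as a hook function would report it back to the client.
struct HookEvent {
    Api api;
    std::uintptr_t heap = 0;  // HeapAlloc/HeapFree: heap handle
    std::uintptr_t ptr = 0;   // HeapAlloc: returned block; HeapFree: block argument
    std::string src;          // CopyFile: source path
    std::string dst;          // CopyFile: destination path; RegSetValue: key path
};

struct Findings {
    int doubleFree = 0;    // HeapFree of a block that was already freed
    int freeUnknown = 0;   // HeapFree of a block never allocated, or on the wrong heap
    int leaked = 0;        // blocks still live when the event stream ends
    int selfCopy = 0;      // CopyFile whose source is the analysed executable itself
    int autorunWrite = 0;  // RegSetValue under a Run/RunOnce autostart key
};

static std::string lower(std::string s) {
    for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

// Well-known autostart location (under HKCU or HKLM); matches both Run and RunOnce.
static bool isAutorunKey(const std::string& keyPath) {
    return lower(keyPath).find("software\\microsoft\\windows\\currentversion\\run")
           != std::string::npos;
}

Findings analyze(const std::vector<HookEvent>& events, const std::string& selfPath) {
    Findings f;
    std::map<std::uintptr_t, std::uintptr_t> live;  // block -> owning heap
    std::set<std::uintptr_t> freed;                 // blocks freed and not yet reused
    const std::string self = lower(selfPath);

    for (const HookEvent& e : events) {
        switch (e.api) {
        case Api::HeapAlloc:
            live[e.ptr] = e.heap;
            freed.erase(e.ptr);  // address reused by a new allocation
            break;
        case Api::HeapFree: {
            auto it = live.find(e.ptr);
            if (it == live.end()) {
                if (freed.count(e.ptr)) ++f.doubleFree; else ++f.freeUnknown;
            } else if (it->second != e.heap) {
                ++f.freeUnknown;  // freed on a heap that did not allocate it; block stays live
            } else {
                live.erase(it);
                freed.insert(e.ptr);
            }
            break;
        }
        case Api::CopyFile:
            if (lower(e.src) == self) ++f.selfCopy;
            break;
        case Api::RegSetValue:
            if (isAutorunKey(e.dst)) ++f.autorunWrite;
            break;
        }
    }
    f.leaked = static_cast<int>(live.size());
    return f;
}

// Constructed event stream standing in for what the hook DLL would report.
Findings sampleRun() {
    const std::string self = "C:\\Samples\\target.exe";  // hypothetical analysed program
    std::vector<HookEvent> ev = {
        {Api::HeapAlloc, 0x100, 0x1000}, {Api::HeapAlloc, 0x100, 0x2000},
        {Api::HeapFree, 0x100, 0x1000},  // normal free
        {Api::HeapFree, 0x100, 0x1000},  // double free
        {Api::HeapFree, 0x100, 0x3000},  // never allocated
        {Api::HeapFree, 0x200, 0x2000},  // wrong heap; 0x2000 stays live and is reported leaked
        {Api::CopyFile, 0, 0, "C:\\Samples\\target.exe", "C:\\Users\\Public\\svc.exe"},
        {Api::CopyFile, 0, 0, "C:\\data\\a.txt", "C:\\data\\b.txt"},
        {Api::RegSetValue, 0, 0, "", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"},
        {Api::RegSetValue, 0, 0, "", "HKEY_CURRENT_USER\\Software\\Example\\Settings"},
    };
    return analyze(ev, self);
}

int main() {
    Findings f = sampleRun();
    std::cout << "double frees: " << f.doubleFree << "\nunknown/mismatched frees: " << f.freeUnknown
              << "\nleaked blocks: " << f.leaked << "\nself copies: " << f.selfCopy
              << "\nautorun registry writes: " << f.autorunWrite << '\n';
    return 0;
}
```

In the real system the same logic would run inside the DLL's interception functions (or in the server that aggregates their reports) against parameters captured at call time; keeping it as a pure function over event records, as here, lets the heap bookkeeping and the path checks be tested without a target process. Note that the wrong-heap case is counted as a mismatched free and the block is deliberately kept live, so it also surfaces as a leak at the end of the stream.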