How to check whether a process is already injected?

Sep 19, 2009 at 8:29 PM
Edited Sep 19, 2009 at 8:56 PM

Hello. I'm using the unmanaged EasyHook to inject my DLL into all processes. The DLL does some local hooking using EasyHook. It is possible to hook CreateProcess or NtCreateProcess to monitor process creation. Alternatively, I can use PsSetCreateProcessNotifyRoutine to get a notification upon process creation (needs to be a driver). However, the third way is to take a snapshot of the process tree periodically and inject those that have not been injected. So my question is, is there any signature or function in EasyHook to check whether or not a specific process was injected already? This makes sure that the injected DLL will not do the hooking again. Thanks!

Sep 19, 2009 at 8:52 PM

I think I can enumerate the target process modules as the example http://msdn.microsoft.com/en-us/library/ms682621%28VS.85%29.aspx does, and check if my DLL exists. But it could be an expensive procedure to do this on all processes. And it could also be untrustworthy, because some same-named modules may also be loaded.

Sep 22, 2009 at 1:16 AM
Edited Sep 22, 2009 at 1:17 AM

One solution is creating a mutex with the target process ID embedded in the mutex name. Check the existence of the mutex in the entry point of the hooking.
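The mutex approach suggested above, as an added sketch that is not part of the original post and not EasyHook's own code. The prefix `MyHookGuard-` and the function names are hypothetical; the Win32 part compiles only on Windows.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical prefix. "Local\" scopes the name to one logon session;
   an injector running in another session would need "Global\" instead. */
#define GUARD_PREFIX "Local\\MyHookGuard-"

/* Build "<prefix><pid>". Returns 0 on success, -1 if buf is too small. */
int build_guard_name(char *buf, size_t cap, unsigned long pid)
{
    int n = snprintf(buf, cap, "%s%lu", GUARD_PREFIX, pid);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

#ifdef _WIN32
#include <windows.h>

/* Runs inside the target process, before the DLL installs its hooks.
   Returns 1 if this call created the guard (go ahead and hook),
   0 if the guard already existed (hooks are installed, do nothing),
   -1 on error. The handle is deliberately kept open: the kernel
   destroys the mutex when the process exits, so a reused PID starts clean. */
int claim_hook_guard(void)
{
    char name[128];
    HANDLE h;
    if (build_guard_name(name, sizeof name, GetCurrentProcessId()) != 0)
        return -1;
    h = CreateMutexA(NULL, FALSE, name);
    if (h == NULL)
        return -1;
    if (GetLastError() == ERROR_ALREADY_EXISTS) {
        CloseHandle(h);
        return 0;
    }
    return 1;
}

/* Runs in the periodic scanner: 1 if the guard for pid exists, else 0.
   Any process in the session can create this name, so treat the result
   as an idempotency check, not as proof of which module created it. */
int is_already_hooked(unsigned long pid)
{
    char name[128];
    HANDLE h;
    if (build_guard_name(name, sizeof name, pid) != 0)
        return 0;
    h = OpenMutexA(SYNCHRONIZE, FALSE, name);
    if (h == NULL)
        return 0;
    CloseHandle(h);
    return 1;
}
#endif
```

Because `claim_hook_guard` is evaluated inside the target, it also protects against a second load of the DLL even when the scanner's check raced with process start.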

Sep 23, 2009 at 9:22 AM

Nice idea. Thanks!