RING 3 DLL 인젝션 방어

RING3 DLL 인젝션 방어 방법

1. 주요 DLL 인젝션 기법 및 방어 방법

인젝션 기법	공격 방법	방어 방법
CreateRemoteThread + LoadLibrary	OpenProcess → VirtualAllocEx → WriteProcessMemory → CreateRemoteThread	OpenProcess 제한, CreateRemoteThread 감지 및 차단, WriteProcessMemory 감시
APC (Asynchronous Procedure Call)	QueueUserAPC를 통해 특정 스레드에서 LoadLibrary 호출	QueueUserAPC 후킹 및 차단, NtQueueApcThread 후킹
SetWindowsHookEx 기반 후킹	SetWindowsHookEx로 특정 DLL 로드	SetWindowsHookEx 제한, AppInit_DLLs 감시
Process Hollowing	NtUnmapViewOfSection으로 프로세스 메모리 덮어씌움	NtUnmapViewOfSection 후킹, PE 구조 검증

2. C++ 코드 예제

✅ SetWindowsHookEx 후킹하여 DLL 인젝션 차단

#include 
#include 

HHOOK hHook;
LRESULT CALLBACK HookCallback(int nCode, WPARAM wParam, LPARAM lParam)
{
    std::cout << "[!] SetWindowsHookEx detected! Blocking attempt.\n";
    return 1; // 차단
}

void SetHook()
{
    hHook = SetWindowsHookEx(WH_KEYBOARD_LL, HookCallback, NULL, 0);
}

int main()
{
    SetHook();
    std::cout << "SetWindowsHookEx Hooked. Running...\n";
    while (true) Sleep(1000);
    return 0;
}

✅ CreateRemoteThread 후킹하여 DLL 인젝션 차단

#include 
#include 
#include 

typedef HANDLE(WINAPI* pCreateRemoteThread)(HANDLE, LPSECURITY_ATTRIBUTES, SIZE_T, LPTHREAD_START_ROUTINE, LPVOID, DWORD, LPDWORD);
pCreateRemoteThread OriginalCreateRemoteThread = CreateRemoteThread;

HANDLE WINAPI HookedCreateRemoteThread(HANDLE hProcess, LPSECURITY_ATTRIBUTES lpThreadAttributes, SIZE_T dwStackSize,
    LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter, DWORD dwCreationFlags, LPDWORD lpThreadId)
{
    std::cout << "[!] CreateRemoteThread detected! Blocking attempt.\n";
    return NULL;
}

void HookCreateRemoteThread()
{
    DetourTransactionBegin();
    DetourUpdateThread(GetCurrentThread());
    DetourAttach(&(PVOID&)OriginalCreateRemoteThread, HookedCreateRemoteThread);
    DetourTransactionCommit();
}

int main()
{
    HookCreateRemoteThread();
    std::cout << "CreateRemoteThread Hooked. Running...\n";
    while (true) Sleep(1000);
    return 0;
}

✅ NtQueueApcThread 후킹하여 APC 기반 DLL 인젝션 차단

#include 
#include 
#include 

typedef NTSTATUS(NTAPI* pNtQueueApcThread)(HANDLE, PVOID, PVOID, PVOID, PVOID);
pNtQueueApcThread OriginalNtQueueApcThread = (pNtQueueApcThread)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtQueueApcThread");

NTSTATUS NTAPI HookedNtQueueApcThread(HANDLE ThreadHandle, PVOID ApcRoutine, PVOID ApcArgument1, PVOID ApcArgument2, PVOID ApcArgument3)
{
    std::cout << "[!] NtQueueApcThread detected! Blocking attempt.\n";
    return STATUS_ACCESS_DENIED;
}

void HookNtQueueApcThread()
{
    DetourTransactionBegin();
    DetourUpdateThread(GetCurrentThread());
    DetourAttach(&(PVOID&)OriginalNtQueueApcThread, HookedNtQueueApcThread);
    DetourTransactionCommit();
}

int main()
{
    HookNtQueueApcThread();
    std::cout << "NtQueueApcThread Hooked. Running...\n";
    while (true) Sleep(1000);
    return 0;
}

✅ ProcessMitigationPolicy 적용하여 DLL 인젝션 방어

#include 
#include 
#include 

void SetMitigationPolicies()
{
    PROCESS_MITIGATION_DYNAMIC_CODE_POLICY codePolicy = { 0 };
    codePolicy.ProhibitDynamicCode = 1;  // 동적 코드 실행 금지
    SetProcessMitigationPolicy(ProcessDynamicCodePolicy, &codePolicy, sizeof(codePolicy));

    PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY hookPolicy = { 0 };
    hookPolicy.DisableExtensionPoints = 1;  // DLL 인젝션 차단
    SetProcessMitigationPolicy(ProcessExtensionPointDisablePolicy, &hookPolicy, sizeof(hookPolicy));

    std::cout << "[+] Mitigation policies applied.\n";
}

int main()
{
    SetMitigationPolicies();
    std::cout << "Mitigation policies set. Running...\n";
    while (true) Sleep(1000);
    return 0;
}

3. 결론

• CreateRemoteThread, NtQueueApcThread, SetWindowsHookEx 등의 API를 후킹하여 차단 가능
• ProcessMitigationPolicy 적용하면 원천 차단 가능
• Windows Defender Application Control을 활용하여 보안 강화

💡 더 강력한 보호가 필요하면 RING0(커널 모드)에서 필터 드라이버를 개발해야 합니다.