Solved

How can I detect if running DLL module is valid system DLL?

Posted on 2009-07-09
3
240 Views
Last Modified: 2012-05-07
Hello,
I'm using a code for detecting running modules which is getting the list from peb. I want to seperate system dlls and other dlls like malwares,viruses etc.
Is there a way to detect it with some way? I give a sample for detecting some net cafe dll detecting with my code.
Regards,
Justin Uberti

char szakinsoftDLLs[][100] = {
	"cplushook.dll",
	"cafeplusfiltrehook.dll"
};
bool in_akinsoft (char *aranan) {
	for(int i = 0; i < 2; i++) {
		if(strnistr(aranan,szakinsoftDLLs[i]) != NULL){
			return true;
		}
	}
	return false;
}
int anti_load()
{
	DWORD pPEB = GetPEB ();
	DWORD PEB_LDR_DATA = (unsigned long)*(DWORD*)(pPEB+0x0C);
	DWORD InLoadOrderModuleListHead = (unsigned long)*(DWORD*)(PEB_LDR_DATA+0x0C);
	DWORD ModuleFileName;
	while (*(DWORD*)(InLoadOrderModuleListHead) != (unsigned long)*(PDWORD*)(PEB_LDR_DATA+0x0C) && (!AC_STATUSX))
	{
		ModuleFileName = (unsigned long)*(PDWORD*)(InLoadOrderModuleListHead+0x28);
		InLoadOrderModuleListHead = *(DWORD*)(InLoadOrderModuleListHead);
		int a = 255;
		char *ansistr = new char[a];
		WideCharToMultiByte(CP_ACP,0,(LPCWSTR)(const unsigned short *)ModuleFileName,-1,ansistr,a,NULL,NULL);
	//	_strlwr(ansistr);
		if (in_akinsoft(ansistr)) {
			*(PVOID *)((unsigned long)*(PDWORD*)(PEB_LDR_DATA+0x0C) + 0x1C) = NULL;
			HMODULE BaseAddress = *(HMODULE *)((unsigned long)*(PDWORD*)(PEB_LDR_DATA+0x0C)+0x18);
			FreeLibrary(BaseAddress);
		}
		free(ansistr);
	}
	return 0;
}
bool

Open in new window

0
Comment
Question by:juberti
  • 2
3 Comments
 
LVL 39

Expert Comment

by:itsmeandnobodyelse
ID: 24814289
>>>> Is there a way to detect it with some way?
You would need to check the dll/exe file for known virus/malware signatures or use heuristical methods to find out whether the code is somewhat suspicious. Unfortunately the names of dlls will not always give an evidence as a virus mostly will be covered by another name. 'system dlls' are services started by the Service Control Manager (SCM) at boot time (or manually later). It can be malware as well if they were installed by some bot or worm.
0
 

Author Comment

by:juberti
ID: 24828322
Thanks for your comment, so there is no way to detect it :(
0
 
LVL 39

Accepted Solution

by:
itsmeandnobodyelse earned 500 total points
ID: 24830042
>>>>  so there is no way to detect it :(

One way is to try to find the dll/exe behind the process, then call antivirus (or explorer plug-in of antivirus) to check that file.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Templates For Beginners Or How To Encourage The Compiler To Work For You Introduction This tutorial is targeted at the reader who is, perhaps, familiar with the basics of C++ but would prefer a little slower introduction to the more ad…
This article will show you some of the more useful Standard Template Library (STL) algorithms through the use of working examples.  You will learn about how these algorithms fit into the STL architecture, how they work with STL containers, and why t…
The goal of the tutorial is to teach the user how to use functions in C++. The video will cover how to define functions, how to call functions and how to create functions prototypes. Microsoft Visual C++ 2010 Express will be used as a text editor an…
The viewer will learn how to clear a vector as well as how to detect empty vectors in C++.

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question