Solved

How can I detect if running DLL module is valid system DLL?

Posted on 2009-07-09
3
236 Views
Last Modified: 2012-05-07
Hello,
I'm using a code for detecting running modules which is getting the list from peb. I want to seperate system dlls and other dlls like malwares,viruses etc.
Is there a way to detect it with some way? I give a sample for detecting some net cafe dll detecting with my code.
Regards,
Justin Uberti

char szakinsoftDLLs[][100] = {

	"cplushook.dll",

	"cafeplusfiltrehook.dll"

};

bool in_akinsoft (char *aranan) {

	for(int i = 0; i < 2; i++) {

		if(strnistr(aranan,szakinsoftDLLs[i]) != NULL){

			return true;

		}

	}

	return false;

}

int anti_load()

{

	DWORD pPEB = GetPEB ();

	DWORD PEB_LDR_DATA = (unsigned long)*(DWORD*)(pPEB+0x0C);

	DWORD InLoadOrderModuleListHead = (unsigned long)*(DWORD*)(PEB_LDR_DATA+0x0C);

	DWORD ModuleFileName;

	while (*(DWORD*)(InLoadOrderModuleListHead) != (unsigned long)*(PDWORD*)(PEB_LDR_DATA+0x0C) && (!AC_STATUSX))

	{

		ModuleFileName = (unsigned long)*(PDWORD*)(InLoadOrderModuleListHead+0x28);

		InLoadOrderModuleListHead = *(DWORD*)(InLoadOrderModuleListHead);

		int a = 255;

		char *ansistr = new char[a];

		WideCharToMultiByte(CP_ACP,0,(LPCWSTR)(const unsigned short *)ModuleFileName,-1,ansistr,a,NULL,NULL);

	//	_strlwr(ansistr);

		if (in_akinsoft(ansistr)) {

			*(PVOID *)((unsigned long)*(PDWORD*)(PEB_LDR_DATA+0x0C) + 0x1C) = NULL;

			HMODULE BaseAddress = *(HMODULE *)((unsigned long)*(PDWORD*)(PEB_LDR_DATA+0x0C)+0x18);

			FreeLibrary(BaseAddress);

		}

		free(ansistr);

	}

	return 0;

}

bool

Open in new window

0
Comment
Question by:juberti
  • 2
3 Comments
 
LVL 39

Expert Comment

by:itsmeandnobodyelse
ID: 24814289
>>>> Is there a way to detect it with some way?
You would need to check the dll/exe file for known virus/malware signatures or use heuristical methods to find out whether the code is somewhat suspicious. Unfortunately the names of dlls will not always give an evidence as a virus mostly will be covered by another name. 'system dlls' are services started by the Service Control Manager (SCM) at boot time (or manually later). It can be malware as well if they were installed by some bot or worm.
0
 

Author Comment

by:juberti
ID: 24828322
Thanks for your comment, so there is no way to detect it :(
0
 
LVL 39

Accepted Solution

by:
itsmeandnobodyelse earned 500 total points
ID: 24830042
>>>>  so there is no way to detect it :(

One way is to try to find the dll/exe behind the process, then call antivirus (or explorer plug-in of antivirus) to check that file.
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

When writing generic code, using template meta-programming techniques, it is sometimes useful to know if a type is convertible to another type. A good example of when this might be is if you are writing diagnostic instrumentation for code to generat…
Templates For Beginners Or How To Encourage The Compiler To Work For You Introduction This tutorial is targeted at the reader who is, perhaps, familiar with the basics of C++ but would prefer a little slower introduction to the more ad…
The viewer will learn how to user default arguments when defining functions. This method of defining functions will be contrasted with the non-default-argument of defining functions.
The viewer will be introduced to the technique of using vectors in C++. The video will cover how to define a vector, store values in the vector and retrieve data from the values stored in the vector.

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now