Solved

How can I detect if running DLL module is valid system DLL?

Posted on 2009-07-09
3
237 Views
Last Modified: 2012-05-07
Hello,
I'm using a code for detecting running modules which is getting the list from peb. I want to seperate system dlls and other dlls like malwares,viruses etc.
Is there a way to detect it with some way? I give a sample for detecting some net cafe dll detecting with my code.
Regards,
Justin Uberti

char szakinsoftDLLs[][100] = {

	"cplushook.dll",

	"cafeplusfiltrehook.dll"

};

bool in_akinsoft (char *aranan) {

	for(int i = 0; i < 2; i++) {

		if(strnistr(aranan,szakinsoftDLLs[i]) != NULL){

			return true;

		}

	}

	return false;

}

int anti_load()

{

	DWORD pPEB = GetPEB ();

	DWORD PEB_LDR_DATA = (unsigned long)*(DWORD*)(pPEB+0x0C);

	DWORD InLoadOrderModuleListHead = (unsigned long)*(DWORD*)(PEB_LDR_DATA+0x0C);

	DWORD ModuleFileName;

	while (*(DWORD*)(InLoadOrderModuleListHead) != (unsigned long)*(PDWORD*)(PEB_LDR_DATA+0x0C) && (!AC_STATUSX))

	{

		ModuleFileName = (unsigned long)*(PDWORD*)(InLoadOrderModuleListHead+0x28);

		InLoadOrderModuleListHead = *(DWORD*)(InLoadOrderModuleListHead);

		int a = 255;

		char *ansistr = new char[a];

		WideCharToMultiByte(CP_ACP,0,(LPCWSTR)(const unsigned short *)ModuleFileName,-1,ansistr,a,NULL,NULL);

	//	_strlwr(ansistr);

		if (in_akinsoft(ansistr)) {

			*(PVOID *)((unsigned long)*(PDWORD*)(PEB_LDR_DATA+0x0C) + 0x1C) = NULL;

			HMODULE BaseAddress = *(HMODULE *)((unsigned long)*(PDWORD*)(PEB_LDR_DATA+0x0C)+0x18);

			FreeLibrary(BaseAddress);

		}

		free(ansistr);

	}

	return 0;

}

bool

Open in new window

0
Comment
Question by:juberti
  • 2
3 Comments
 
LVL 39

Expert Comment

by:itsmeandnobodyelse
ID: 24814289
>>>> Is there a way to detect it with some way?
You would need to check the dll/exe file for known virus/malware signatures or use heuristical methods to find out whether the code is somewhat suspicious. Unfortunately the names of dlls will not always give an evidence as a virus mostly will be covered by another name. 'system dlls' are services started by the Service Control Manager (SCM) at boot time (or manually later). It can be malware as well if they were installed by some bot or worm.
0
 

Author Comment

by:juberti
ID: 24828322
Thanks for your comment, so there is no way to detect it :(
0
 
LVL 39

Accepted Solution

by:
itsmeandnobodyelse earned 500 total points
ID: 24830042
>>>>  so there is no way to detect it :(

One way is to try to find the dll/exe behind the process, then call antivirus (or explorer plug-in of antivirus) to check that file.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In days of old, returning something by value from a function in C++ was necessarily avoided because it would, invariably, involve one or even two copies of the object being created and potentially costly calls to a copy-constructor and destructor. A…
This article shows you how to optimize memory allocations in C++ using placement new. Applicable especially to usecases dealing with creation of large number of objects. A brief on problem: Lets take example problem for simplicity: - I have a G…
The goal of the video will be to teach the user the concept of local variables and scope. An example of a locally defined variable will be given as well as an explanation of what scope is in C++. The local variable and concept of scope will be relat…
The viewer will learn how to clear a vector as well as how to detect empty vectors in C++.

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now