Solved

How can I detect if running DLL module is valid system DLL?

Posted on 2009-07-09
3
242 Views
Last Modified: 2012-05-07
Hello,
I'm using code for detecting running modules which gets the list from the PEB. I want to separate system DLLs from other DLLs like malware, viruses etc.
Is there a way to detect this somehow? I give a sample of detecting a net cafe DLL with my code.
Regards,
Justin Uberti

#include <windows.h>
#include <string.h>

// Poster's own helpers, not shown in the question:
//   GetPEB()    - returns the address of the current process's PEB
//   strnistr()  - case-insensitive substring search
//   AC_STATUSX  - flag that stops the scan early

// Names of the net cafe hook DLLs the poster wants to recognise.
char szakinsoftDLLs[][100] = {
	"cplushook.dll",
	"cafeplusfiltrehook.dll"
};
// Returns true if the module path 'aranan' contains one of the known names.
bool in_akinsoft (char *aranan) {
	for(int i = 0; i < 2; i++) {
		if(strnistr(aranan,szakinsoftDLLs[i]) != NULL){
			return true;
		}
	}
	return false;
}
int anti_load()
{
	// Walk PEB->Ldr->InLoadOrderModuleList (x86 offsets: Ldr at PEB+0x0C,
	// InLoadOrderModuleList at PEB_LDR_DATA+0x0C, FullDllName.Buffer at entry+0x28).
	DWORD pPEB = GetPEB ();
	DWORD PEB_LDR_DATA = (unsigned long)*(DWORD*)(pPEB+0x0C);
	DWORD InLoadOrderModuleListHead = (unsigned long)*(DWORD*)(PEB_LDR_DATA+0x0C);
	DWORD ModuleFileName;
	while (*(DWORD*)(InLoadOrderModuleListHead) != (unsigned long)*(PDWORD*)(PEB_LDR_DATA+0x0C) && (!AC_STATUSX))
	{
		ModuleFileName = (unsigned long)*(PDWORD*)(InLoadOrderModuleListHead+0x28);
		InLoadOrderModuleListHead = *(DWORD*)(InLoadOrderModuleListHead);
		int a = 255;
		char *ansistr = new char[a];
		// FullDllName is a UNICODE_STRING; convert its wide buffer to ANSI for the name check.
		WideCharToMultiByte(CP_ACP,0,(LPCWSTR)(const unsigned short *)ModuleFileName,-1,ansistr,a,NULL,NULL);
	//	_strlwr(ansistr);
		if (in_akinsoft(ansistr)) {
			// Offsets 0x1C / 0x18 are EntryPoint / DllBase of the list's first LDR_DATA_TABLE_ENTRY (x86).
			*(PVOID *)((unsigned long)*(PDWORD*)(PEB_LDR_DATA+0x0C) + 0x1C) = NULL;
			HMODULE BaseAddress = *(HMODULE *)((unsigned long)*(PDWORD*)(PEB_LDR_DATA+0x0C)+0x18);
			FreeLibrary(BaseAddress);
		}
		delete[] ansistr;	// was free(): memory from new[] must be released with delete[]
	}
	return 0;
}
bool

Question by:juberti
3 Comments
 
LVL 39

Expert Comment

by:itsmeandnobodyelse
ID: 24814289
>>>> Is there a way to detect it with some way?
You would need to check the dll/exe file for known virus/malware signatures or use heuristic methods to find out whether the code is somewhat suspicious. Unfortunately the names of dlls will not always give evidence, as a virus will mostly be covered by another name. 'System dlls' are services started by the Service Control Manager (SCM) at boot time (or manually later). They can be malware as well if they were installed by some bot or worm.
0
 

Author Comment

by:juberti
ID: 24828322
Thanks for your comment, so there is no way to detect it :(
0
 
LVL 39

Accepted Solution

by:
itsmeandnobodyelse earned 500 total points
ID: 24830042
>>>> so there is no way to detect it :(

One way is to try to find the dll/exe behind the process, then call antivirus (or explorer plug-in of antivirus) to check that file.
0
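As an added example (not code from the thread or either participant), the following PowerShell script implements the "find the file behind the module, then check it" approach from a defender's side: each module loaded in a process is treated as a genuine system DLL only if its file lives under %SystemRoot% and carries a valid Authenticode signature, since a file name alone proves nothing. The -ProcessId default and the two-check rule are assumptions of this example.

```powershell
# Added example, not from the original thread: report modules in a process that
# do not look like genuine system DLLs (location check + Authenticode check).
param(
    [int]$ProcessId = $PID   # assumption: inspect the current PowerShell process by default
)

# Real system DLLs live under %SystemRoot% (System32, SysWOW64, WinSxS).
$systemRoot = $env:SystemRoot

function Test-SystemModule {
    param([System.Diagnostics.ProcessModule]$Module)

    $path = $Module.FileName

    # Check 1: file location. Name matching is skipped on purpose; any DLL can be
    # renamed to kernel32.dll, but it cannot easily be placed under %SystemRoot%.
    $inSystemRoot = $path.StartsWith($systemRoot, [StringComparison]::OrdinalIgnoreCase)

    # Check 2: signature. Status is 'Valid' for an embedded Authenticode signature
    # with a trusted chain; on Windows 8+/PowerShell 5.1 catalog-signed system
    # files resolve too, older systems may report 'NotSigned' for those.
    $sig = Get-AuthenticodeSignature -FilePath $path

    [pscustomobject]@{
        Module       = $Module.ModuleName
        Path         = $path
        InSystemRoot = $inSystemRoot
        Signature    = $sig.Status
        Signer       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        LooksSystem  = ($inSystemRoot -and $sig.Status -eq 'Valid')
    }
}

# Process.Modules needs matching bitness (64-bit PowerShell for 64-bit targets)
# and, for other users' processes, an elevated session.
$proc   = Get-Process -Id $ProcessId
$report = foreach ($m in $proc.Modules) { Test-SystemModule -Module $m }

# Everything that fails either check is what you would hand to the AV scanner.
$report | Where-Object { -not $_.LooksSystem } |
    Format-Table Module, Path, Signature, Signer -AutoSize
```

Run it as `.\Check-Modules.ps1 -ProcessId <pid>` against a process of interest; an empty table means every loaded module is both located under %SystemRoot% and validly signed.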

Question has a verified solution.
