How can I detect if running DLL module is valid system DLL?

Posted on 2009-07-09
Medium Priority
Last Modified: 2012-05-07
I'm using a code for detecting running modules which is getting the list from peb. I want to seperate system dlls and other dlls like malwares,viruses etc.
Is there a way to detect it with some way? I give a sample for detecting some net cafe dll detecting with my code.
Justin Uberti

char szakinsoftDLLs[][100] = {
bool in_akinsoft (char *aranan) {
	for(int i = 0; i < 2; i++) {
		if(strnistr(aranan,szakinsoftDLLs[i]) != NULL){
			return true;
	return false;
int anti_load()
	DWORD pPEB = GetPEB ();
	DWORD PEB_LDR_DATA = (unsigned long)*(DWORD*)(pPEB+0x0C);
	DWORD InLoadOrderModuleListHead = (unsigned long)*(DWORD*)(PEB_LDR_DATA+0x0C);
	DWORD ModuleFileName;
	while (*(DWORD*)(InLoadOrderModuleListHead) != (unsigned long)*(PDWORD*)(PEB_LDR_DATA+0x0C) && (!AC_STATUSX))
		ModuleFileName = (unsigned long)*(PDWORD*)(InLoadOrderModuleListHead+0x28);
		InLoadOrderModuleListHead = *(DWORD*)(InLoadOrderModuleListHead);
		int a = 255;
		char *ansistr = new char[a];
		WideCharToMultiByte(CP_ACP,0,(LPCWSTR)(const unsigned short *)ModuleFileName,-1,ansistr,a,NULL,NULL);
	//	_strlwr(ansistr);
		if (in_akinsoft(ansistr)) {
			*(PVOID *)((unsigned long)*(PDWORD*)(PEB_LDR_DATA+0x0C) + 0x1C) = NULL;
			HMODULE BaseAddress = *(HMODULE *)((unsigned long)*(PDWORD*)(PEB_LDR_DATA+0x0C)+0x18);
	return 0;

Open in new window

Question by:juberti
  • 2
LVL 39

Expert Comment

ID: 24814289
>>>> Is there a way to detect it with some way?
You would need to check the dll/exe file for known virus/malware signatures or use heuristical methods to find out whether the code is somewhat suspicious. Unfortunately the names of dlls will not always give an evidence as a virus mostly will be covered by another name. 'system dlls' are services started by the Service Control Manager (SCM) at boot time (or manually later). It can be malware as well if they were installed by some bot or worm.

Author Comment

ID: 24828322
Thanks for your comment, so there is no way to detect it :(
LVL 39

Accepted Solution

itsmeandnobodyelse earned 1500 total points
ID: 24830042
>>>>  so there is no way to detect it :(

One way is to try to find the dll/exe behind the process, then call antivirus (or explorer plug-in of antivirus) to check that file.

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Unlike C#, C++ doesn't have native support for sealing classes (so they cannot be sub-classed). At the cost of a virtual base class pointer it is possible to implement a pseudo sealing mechanism The trick is to virtually inherit from a base class…
This article will show you some of the more useful Standard Template Library (STL) algorithms through the use of working examples.  You will learn about how these algorithms fit into the STL architecture, how they work with STL containers, and why t…
The goal of the video will be to teach the user the difference and consequence of passing data by value vs passing data by reference in C++. An example of passing data by value as well as an example of passing data by reference will be be given. Bot…
The viewer will be introduced to the member functions push_back and pop_back of the vector class. The video will teach the difference between the two as well as how to use each one along with its functionality.

597 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question