Solved

How can I detect if running DLL module is valid system DLL?

Posted on 2009-07-09
3
247 Views
Last Modified: 2012-05-07
Hello,
I'm using a code for detecting running modules which is getting the list from peb. I want to seperate system dlls and other dlls like malwares,viruses etc.
Is there a way to detect it with some way? I give a sample for detecting some net cafe dll detecting with my code.
Regards,
Justin Uberti

char szakinsoftDLLs[][100] = {
	"cplushook.dll",
	"cafeplusfiltrehook.dll"
};
bool in_akinsoft (char *aranan) {
	for(int i = 0; i < 2; i++) {
		if(strnistr(aranan,szakinsoftDLLs[i]) != NULL){
			return true;
		}
	}
	return false;
}
int anti_load()
{
	DWORD pPEB = GetPEB ();
	DWORD PEB_LDR_DATA = (unsigned long)*(DWORD*)(pPEB+0x0C);
	DWORD InLoadOrderModuleListHead = (unsigned long)*(DWORD*)(PEB_LDR_DATA+0x0C);
	DWORD ModuleFileName;
	while (*(DWORD*)(InLoadOrderModuleListHead) != (unsigned long)*(PDWORD*)(PEB_LDR_DATA+0x0C) && (!AC_STATUSX))
	{
		ModuleFileName = (unsigned long)*(PDWORD*)(InLoadOrderModuleListHead+0x28);
		InLoadOrderModuleListHead = *(DWORD*)(InLoadOrderModuleListHead);
		int a = 255;
		char *ansistr = new char[a];
		WideCharToMultiByte(CP_ACP,0,(LPCWSTR)(const unsigned short *)ModuleFileName,-1,ansistr,a,NULL,NULL);
	//	_strlwr(ansistr);
		if (in_akinsoft(ansistr)) {
			*(PVOID *)((unsigned long)*(PDWORD*)(PEB_LDR_DATA+0x0C) + 0x1C) = NULL;
			HMODULE BaseAddress = *(HMODULE *)((unsigned long)*(PDWORD*)(PEB_LDR_DATA+0x0C)+0x18);
			FreeLibrary(BaseAddress);
		}
		free(ansistr);
	}
	return 0;
}
bool

Open in new window

0
Comment
Question by:juberti
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 39

Expert Comment

by:itsmeandnobodyelse
ID: 24814289
>>>> Is there a way to detect it with some way?
You would need to check the dll/exe file for known virus/malware signatures or use heuristical methods to find out whether the code is somewhat suspicious. Unfortunately the names of dlls will not always give an evidence as a virus mostly will be covered by another name. 'system dlls' are services started by the Service Control Manager (SCM) at boot time (or manually later). It can be malware as well if they were installed by some bot or worm.
0
 

Author Comment

by:juberti
ID: 24828322
Thanks for your comment, so there is no way to detect it :(
0
 
LVL 39

Accepted Solution

by:
itsmeandnobodyelse earned 500 total points
ID: 24830042
>>>>  so there is no way to detect it :(

One way is to try to find the dll/exe behind the process, then call antivirus (or explorer plug-in of antivirus) to check that file.
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Templates For Beginners Or How To Encourage The Compiler To Work For You Introduction This tutorial is targeted at the reader who is, perhaps, familiar with the basics of C++ but would prefer a little slower introduction to the more ad…
What is C++ STL?: STL stands for Standard Template Library and is a part of standard C++ libraries. It contains many useful data structures (containers) and algorithms, which can spare you a lot of the time. Today we will look at the STL Vector. …
The goal of the tutorial is to teach the user how to use functions in C++. The video will cover how to define functions, how to call functions and how to create functions prototypes. Microsoft Visual C++ 2010 Express will be used as a text editor an…
The goal of the video will be to teach the user the difference and consequence of passing data by value vs passing data by reference in C++. An example of passing data by value as well as an example of passing data by reference will be be given. Bot…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question