
Get DLL Injection




Hello everybody!!

I'm making a game anti-cheat. In my current script I use _ProcessGetLoadedModules() to get all the modules loaded in the game process and compare them against an array of known-good modules, but the list of exceptions (the allow-list) is becoming too big...

I searched the forum and found a script called "ModuleSpy" that can list, inject and unload a module in an executable, but when I unload a malicious module that was previously injected, the game crashes and exits...

Is there a way to unload the module without the game exiting?

Or is there a way to change something in the function so that it doesn't return unnecessary modules?

Thanks!! :)

EDIT: Sorry for my english... :)

This is the 'ModuleSpy' script that I want to use to do a "module unload" without the game executable exiting.

#NoTrayIcon
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_icon=ModuleSpy.ico
#AutoIt3Wrapper_Compression=4
#AutoIt3Wrapper_Res_Comment=View and unload modules in a process, or inject a module into a process.
#AutoIt3Wrapper_Res_Description=ModuleSpy
#AutoIt3Wrapper_Res_Fileversion=1.0.0.1
#AutoIt3Wrapper_Res_LegalCopyright=by Erik Pilsits
#AutoIt3Wrapper_Res_Language=1033
; NOTE(review): the script enables SeDebugPrivilege at startup (see _GetPrivilege_SEDEBUG), which
; under UAC is only present in an elevated token. With "asInvoker" a non-elevated run keeps going
; with fewer rights and simply cannot open other users' / system processes; "requireAdministrator"
; would make that requirement explicit instead of silent.
#AutoIt3Wrapper_Res_requestedExecutionLevel=asInvoker
#AutoIt3Wrapper_Run_Obfuscator=y
#Obfuscator_Parameters=/striponly
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****

Opt("MustDeclareVars", 1) ; every variable must be declared Global/Local - catches typos in $names
Opt("GUIOnEventMode", 1)  ; controls invoke the handlers registered below instead of GUIGetMsg() polling
Opt("GUICloseOnESC", 0)   ; Esc does not close the window; only the close button (-> _Exit) does

#include <GuiListView.au3>
#include <WindowsConstants.au3>
#include <GuiConstantsEx.au3>
#include <GUITooltip.au3>

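; Enable SeDebugPrivilege so OpenProcess() can reach processes of other users and the system.
; The original discarded the result; without the privilege the process list still looks complete
; but most targets cannot be opened and silently show up under the placeholder name "System".
; Tell the user instead of failing quietly (the tool still works on the user's own processes).
If Not _GetPrivilege_SEDEBUG() Then MsgBox(48, "ModuleSpy", "SeDebugPrivilege could not be enabled. Run ModuleSpy elevated to inspect processes of other users or the system.")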

; psapi.dll handle used by every enumeration helper; released in _Exit()
Global $PSAPI = DllOpen("psapi.dll")
; $g_aProcs: [i][0] = PID, [i][1] = image name, in list-view order.
; $g_aMods:  [i][0] = base address, [i][1] = name, [i][2] = path, for the process selected in the
; left list. _InjectModule/_UnloadModule take the target's kernel32 base from this array, so it must
; describe the process they operate on (it is refreshed on every click in the process list).
Global $g_aProcs, $g_aMods
; RVAs of LoadLibraryA / FreeLibrary relative to kernel32's base, filled by _GetOffsets()
Global $g_LoadLibraryA, $g_FreeLibrary
; Must be global: the list view reads this buffer after the WM_NOTIFY handler has returned.
; DllStructSetData truncates text longer than 1023 chars (long command lines) silently.
Global $LV_tooltiptext = DllStructCreate("char[1024]") ; structure for LV tooltips
; WMI connection used by the process tooltips (executable path + command line); "(Debug)" asks WMI
; to impersonate with SeDebugPrivilege. NOTE(review): the result is not checked with IsObj();
; if WMI is unavailable the first tooltip's $oWMI.ExecQuery call fails with a COM error at run time.
Global $oWMI = ObjGet("winmgmts:{impersonationLevel=impersonate,authenticationLevel=pktPrivacy, (Debug)}!\\.\root\cimv2")
; NOTE(review): computed but not referenced anywhere in this listing.
Global $borderoffset = _WinAPI_GetSystemMetrics(4) + _WinAPI_GetSystemMetrics(32) ; SM_CYCAPTION + SM_CXSIZEFRAME

; Main window: resizable; _MY_WM_SIZE stretches the two list views with it.
Global $gui = GUICreate("ModuleSpy", 900, 600, -1, -1, BitOR($GUI_SS_DEFAULT_GUI, $WS_SIZEBOX))
; listviews
; Left pane: one row per process (name, PID). Row index == index into $g_aProcs.
; $LVS_EX_INFOTIP makes the control send LVN_GETINFOTIP, which _MY_WM_NOTIFY answers with WMI data.
Global $hLV1 = _GUICtrlListView_Create($gui, "Process|PID", 4, 4, 220, 563, BitOR($LVS_SHOWSELALWAYS, $LVS_SINGLESEL, $LVS_NOSORTHEADER, $LVS_REPORT), $WS_EX_CLIENTEDGE)
_GUICtrlListView_SetExtendedListViewStyle($hLV1, BitOR($LVS_EX_GRIDLINES, $LVS_EX_DOUBLEBUFFER, $LVS_EX_FULLROWSELECT, $LVS_EX_INFOTIP, $LVS_EX_LABELTIP), _
                                            BitOR($LVS_EX_GRIDLINES, $LVS_EX_DOUBLEBUFFER, $LVS_EX_FULLROWSELECT, $LVS_EX_INFOTIP, $LVS_EX_LABELTIP))
_GUICtrlListView_SetColumnWidth($hLV1, 0, 150)
_GUICtrlListView_SetColumnWidth($hLV1, 1, $LVSCW_AUTOSIZE_USEHEADER)
; Right pane: modules of the selected process (name, base address, path). Row index == index into $g_aMods.
Global $hLV2 = _GUICtrlListView_Create($gui, "Module|Base Address|Path", 228, 4, 668, 563, BitOR($LVS_SHOWSELALWAYS, $LVS_SINGLESEL, $LVS_NOSORTHEADER, $LVS_REPORT), $WS_EX_CLIENTEDGE)
_GUICtrlListView_SetExtendedListViewStyle($hLV2, BitOR($LVS_EX_GRIDLINES, $LVS_EX_DOUBLEBUFFER, $LVS_EX_FULLROWSELECT, $LVS_EX_INFOTIP, $LVS_EX_LABELTIP), _
                                            BitOR($LVS_EX_GRIDLINES, $LVS_EX_DOUBLEBUFFER, $LVS_EX_FULLROWSELECT, $LVS_EX_INFOTIP, $LVS_EX_LABELTIP))
_GUICtrlListView_SetColumnWidth($hLV2, 0, 150)
_GUICtrlListView_SetColumnWidth($hLV2, 1, $LVSCW_AUTOSIZE_USEHEADER)
_GUICtrlListView_SetColumnWidth($hLV2, 2, $LVSCW_AUTOSIZE_USEHEADER)
; buttons
; All four buttons are docked to the bottom-left so they stay in place when the window is resized.
Global $LV1Refresh = GUICtrlCreateButton("Refresh", 4, 571, 50, 25)
GUICtrlSetResizing(-1, BitOR($GUI_DOCKLEFT, $GUI_DOCKWIDTH, $GUI_DOCKBOTTOM, $GUI_DOCKHEIGHT))
Global $LV2Refresh = GUICtrlCreateButton("Refresh", 228, 571, 50, 25)
GUICtrlSetResizing(-1, BitOR($GUI_DOCKLEFT, $GUI_DOCKWIDTH, $GUI_DOCKBOTTOM, $GUI_DOCKHEIGHT))
; "Unload Module" / "Inject Module" run code inside the selected process (see the handlers);
; there is no confirmation prompt, a mis-click on a system process is acted on immediately.
Global $UnloadModule = GUICtrlCreateButton("Unload Module", 282, 571, 85, 25)
GUICtrlSetResizing(-1, BitOR($GUI_DOCKLEFT, $GUI_DOCKWIDTH, $GUI_DOCKBOTTOM, $GUI_DOCKHEIGHT))
Global $InjectModule = GUICtrlCreateButton("Inject Module", 371, 571, 85, 25)
GUICtrlSetResizing(-1, BitOR($GUI_DOCKLEFT, $GUI_DOCKWIDTH, $GUI_DOCKBOTTOM, $GUI_DOCKHEIGHT))

; WM_NOTIFY: list-view clicks and tooltip requests; WM_SIZING: keep the panes filling the window.
GUIRegisterMsg($WM_NOTIFY, "_MY_WM_NOTIFY")
GUIRegisterMsg($WM_SIZING, "_MY_WM_SIZE")

GUISetOnEvent($GUI_EVENT_CLOSE, "_Exit")

GUICtrlSetOnEvent($LV1Refresh, "_RefreshProcs")
GUICtrlSetOnEvent($LV2Refresh, "_RefreshMods")
GUICtrlSetOnEvent($UnloadModule, "_UnloadModule")
GUICtrlSetOnEvent($InjectModule, "_InjectModule")

; Resolve the kernel32 export offsets once, then populate the process list.
; NOTE(review): _GetOffsets' outcome is not checked here; the inject/unload handlers rely on it.
_GetOffsets()
_UpdateProcs()

; get values for resizing
; Initial window/control geometry; _MY_WM_SIZE computes new sizes as deltas from these.
Global $GUIpos = WinGetPos($gui)
Global $LV1pos = ControlGetPos($gui, "", $hLV1)
Global $LV2Pos = ControlGetPos($gui, "", $hLV2)

GUISetState()

; Idle loop: with GUIOnEventMode every piece of work runs in the registered handlers,
; so the main thread only sleeps until _Exit() terminates the script.
Do
    Sleep(1000)
Until False

Func _Exit()
    ; GUI close handler: release the psapi.dll handle opened at startup, then terminate.
    ; Process and thread handles are never held across calls, so there is nothing else to free.
    DllClose($PSAPI)
    Exit 0
EndFunc

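Func _GetOffsets()
    ; Resolve LoadLibraryA / FreeLibrary as offsets (RVAs) from kernel32.dll's base in THIS process.
    ; _InjectModule/_UnloadModule add them to the target's kernel32 base. That yields the right
    ; address only when target and script have the same bitness: the 32-bit and 64-bit kernel32
    ; images differ, so a WoW64 target seen from a 64-bit script (or vice versa) would get an
    ; arbitrary start address for its remote thread.
    ; Return: True when both exports resolved; False with @error set otherwise. On failure the
    ; offsets stay 0 instead of becoming "-base" (the original's result when GetProcAddress
    ; returned 0), so the problem is visible rather than turned into a bogus remote address.
    $g_LoadLibraryA = 0
    $g_FreeLibrary = 0
    Local $hKernel32 = _WinAPI_LoadLibrary("kernel32.dll")
    If Not $hKernel32 Then Return SetError(1, 0, False)
    Local $pLoadLibraryA = _GetProcAddress($hKernel32, "LoadLibraryA")
    Local $pFreeLibrary = _GetProcAddress($hKernel32, "FreeLibrary")
    ; kernel32 is mapped into every process anyway; this only balances the LoadLibrary above
    _WinAPI_FreeLibrary($hKernel32)
    If Not $pLoadLibraryA Or Not $pFreeLibrary Then Return SetError(2, 0, False)
    $g_LoadLibraryA = $pLoadLibraryA - $hKernel32
    $g_FreeLibrary = $pFreeLibrary - $hKernel32
    Return True
EndFunc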

Func _MY_WM_NOTIFY($hWnd, $iMsg, $iwParam, $ilParam)
    ; WM_NOTIFY handler for both list views. lParam is overlaid with NMLVGETINFOTIP for every
    ; notification; only the NMHDR fields (hWndFrom/Code) are valid unless Code is LVN_GETINFOTIP.
    Local $tNMHDR = DllStructCreate($tagNMLVGETINFOTIP, $ilParam)
    Local $hWndFrom = HWnd(DllStructGetData($tNMHDR, "hWndFrom"))
;~     Local $iIDFrom = DllStructGetData($tNMHDR, "IDFrom")
    Local $iCode = DllStructGetData($tNMHDR, "Code")
    ; NOTE(review): declared without a value, so this Local shadows any $LVN_GETINFOTIP constant
    ; from the ListView include and the "Case $LVN_GETINFOTIP" below compares against an empty
    ; value rather than the real notification code. Verify whether the tooltips work at all;
    ; if not, this line is the likely cause (it looks like a leftover declaration).
    Local $LVN_GETINFOTIP
    Switch $hWndFrom
        Case $hLV1
            Switch $iCode
                Case $NM_CLICK
                    ; selecting a process refreshes $g_aMods / the module pane for it
                    Local $idx = _GUICtrlListView_GetSelectedIndices($hLV1)
                    If $idx <> "" Then
                        _UpdateMods(Number($idx))
                    Else
                        _GUICtrlListView_DeleteAllItems($hLV2)
                    EndIf
                Case $LVN_GETINFOTIP
                    ; Process tooltip: description, path and command line via WMI. The PID in the
                    ; WQL string comes from EnumProcesses (a DWORD), not from user input, so the
                    ; string-built query is not injectable. $oWMI is assumed to be a valid object
                    ; (it is never checked after ObjGet at startup).
                    Local $oProc
                    Local $ttip = "n/a"
                    Local $colProcs = $oWMI.ExecQuery("SELECT ExecutablePath,CommandLine FROM Win32_Process WHERE ProcessId = " & $g_aProcs[DllStructGetData($tNMHDR, "Item")][0])
                    If IsObj($colProcs) Then
                        For $oProc In $colProcs
                            If $oProc.ExecutablePath Then
                                Local $desc = FileGetVersion($oProc.ExecutablePath, "FileDescription")
                                If $desc == "" Then $desc = "(No Description)"
                                $ttip = $desc & @CRLF & "--------------------" & @CRLF & $oProc.ExecutablePath
                            EndIf
                            If $oProc.CommandLine Then $ttip &= @CRLF & $oProc.CommandLine
                        Next
                    EndIf
                    ; the text must stay valid after this handler returns, hence the global buffer
                    DllStructSetData($LV_tooltiptext, 1, $ttip)
                    DllStructSetData($tNMHDR, "Flags", 1) ; LVGIT_UNFOLDED
                    DllStructSetData($tNMHDR, "Text", DllStructGetPtr($LV_tooltiptext))
            EndSwitch
        Case $hLV2
            Switch $iCode
                Case $LVN_GETINFOTIP
                    ; Module tooltip: version-resource strings read from the file on disk. These are
                    ; attacker-controlled metadata, not an authenticity check - a DLL can claim any
                    ; description/version. Do not treat them as evidence of a legitimate module.
                    Local $modpath = $g_aMods[DllStructGetData($tNMHDR, "Item")][2]
                    Local $ttip = FileGetVersion($modpath, "FileDescription")
                    If $ttip == "" Then $ttip = "(No Description)"
                    Local $ver = FileGetVersion($modpath, "FileVersion")
                    If $ver <> "" Then $ttip &= @CRLF & $ver
                    DllStructSetData($LV_tooltiptext, 1, $ttip)
                    DllStructSetData($tNMHDR, "Flags", 1) ; LVGIT_UNFOLDED
                    DllStructSetData($tNMHDR, "Text", DllStructGetPtr($LV_tooltiptext))
            EndSwitch
    EndSwitch
    
    Return $GUI_RUNDEFMSG
EndFunc

Func _MY_WM_SIZE($hWnd, $iMsg, $iwParam, $ilParam)
    ; WM_SIZING handler: lParam points at the proposed window RECT. Both list views keep their
    ; top-left corner and grow in height by the same amount as the window; only the right pane
    ; also grows in width. Deltas are taken against the startup geometry in $GUIpos/$LV*pos.
    Local $tProposed = DllStructCreate($tagRECT, $ilParam)
    Local $iDeltaH = (DllStructGetData($tProposed, "Bottom") - DllStructGetData($tProposed, "Top")) - $GUIpos[3]
    Local $iDeltaW = (DllStructGetData($tProposed, "Right") - DllStructGetData($tProposed, "Left")) - $GUIpos[2]
    Local $iHeight = $LV1pos[3] + $iDeltaH
    ControlMove($gui, "", $hLV1, $LV1pos[0], $LV1pos[1], $LV1pos[2], $iHeight)
    ControlMove($gui, "", $hLV2, $LV2pos[0], $LV2pos[1], $LV2Pos[2] + $iDeltaW, $iHeight)
EndFunc

Func _UpdateProcs()
    ; Rebuild the process list view from a fresh _EnumProcesses() snapshot sorted by name.
    ; $g_aProcs is sorted in place, so list-view row i == $g_aProcs[i].
    _GUICtrlListView_BeginUpdate($hLV1)
    _GUICtrlListView_DeleteAllItems($hLV1)
    $g_aProcs = _EnumProcesses()
    Local $iRows = 0
    If IsArray($g_aProcs) Then
        _ArraySort($g_aProcs, 0, 0, 0, 1) ; ascending, by column 1 (image name)
        $iRows = UBound($g_aProcs)
    EndIf
    For $iRow = 0 To $iRows - 1
        _GUICtrlListView_AddItem($hLV1, $g_aProcs[$iRow][1])
        _GUICtrlListView_AddSubItem($hLV1, $iRow, $g_aProcs[$iRow][0], 1)
    Next
    _GUICtrlListView_EndUpdate($hLV1)
EndFunc

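Func _EnumProcesses()
    ; Enumerate all PIDs via psapi!EnumProcesses and resolve each one's image base name.
    ; Returns a 2D array [n][2] with [i][0] = PID, [i][1] = image name, or an empty value with
    ; @error = 1 when the enumeration itself failed (the original indexed a non-array then).
    ; Processes that cannot be opened (PID 0, protected processes, other users' processes when
    ; SeDebugPrivilege is missing) keep the placeholder name "System" - that label means "could
    ; not be inspected", not that the process belongs to the system. _GetProcHandle asks for
    ; write/thread rights, which makes more opens fail than a read-only open would.
    Local $aProc
    Local $iMax = 1024
    Local $pids, $ret, $cbNeeded
    While 1
        $pids = DllStructCreate("dword[" & $iMax & "]")
        $ret = DllCall($PSAPI, "int", "EnumProcesses", "ptr", DllStructGetPtr($pids), "dword", DllStructGetSize($pids), "dword*", 0)
        If @error Or Not $ret[0] Then Return SetError(1, 0, $aProc)
        $cbNeeded = $ret[3]
        ; EnumProcesses reports only what fitted; a completely filled buffer means the list may be
        ; truncated (the fixed 1024 entries of the original dropped PIDs silently), so retry larger
        If $cbNeeded < DllStructGetSize($pids) Then ExitLoop
        $iMax *= 2
    WEnd
    Local $numpids = Int($cbNeeded / 4) ; cbNeeded is in bytes, PIDs are DWORDs
    If $numpids > 0 Then
        Local $aProc[$numpids][2]
        For $i = 1 To $numpids
            Local $iPid = DllStructGetData($pids, 1, $i)
            $aProc[$i - 1][0] = $iPid      ; process pid
            $aProc[$i - 1][1] = "System"   ; process name placeholder (see above)
            ; open the process and get the filename
            Local $hProcess = _GetProcHandle($iPid)
            If $hProcess Then
                Local $name = _GetModuleBaseNameW($hProcess)
                If $name Then $aProc[$i - 1][1] = $name
                _WinAPI_CloseHandle($hProcess)
            EndIf
        Next
    EndIf
    $pids = 0
    
    Return $aProc
EndFunc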

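Func _GetModuleBaseNameW($hProcess, $hModule = 0)
    ; Base file name of $hModule inside $hProcess (psapi!GetModuleBaseNameW); $hModule = 0 names
    ; the main executable. Needs PROCESS_QUERY_INFORMATION | PROCESS_VM_READ on $hProcess.
    ; Returns "" with @error set when DllCall itself failed (the original would then index a
    ; non-array) or when the API reported failure. Names longer than the 260-char buffer
    ; requested here are truncated silently by the API.
    Local $ret = DllCall($PSAPI, "dword", "GetModuleBaseNameW", "ptr", $hProcess, "ptr", $hModule, "wstr", "", "dword", 260)
    If @error Then Return SetError(1, 0, "")
    If Not $ret[0] Then Return SetError(2, 0, "")
    Return $ret[3]
EndFunc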

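Func _GetModuleFileNameW($hProcess, $hModule = 0)
    ; Full path of $hModule inside $hProcess (psapi!GetModuleFileNameExW); $hModule = 0 is the
    ; main executable. Returns "" with @error set on failure.
    ; The "wstr" buffer AutoIt passes holds 65536 chars, so ask for the 32767-char long-path
    ; limit instead of 260: GetModuleFileNameExW truncates silently, and a truncated path makes
    ; a module look different from (or the same as) an allow-list entry compared by path.
    Local $ret = DllCall($PSAPI, "dword", "GetModuleFileNameExW", "ptr", $hProcess, "ptr", $hModule, "wstr", "", "dword", 32767)
    If @error Then Return SetError(1, 0, "")
    If Not $ret[0] Then Return SetError(2, 0, "")
    Return $ret[3]
EndFunc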

Func _UpdateMods($idx)
    ; Rebuild the module list view for the process at row $idx of $g_aProcs.
    ; $g_aMods is sorted in place by name, so list-view row i == $g_aMods[i].
    _GUICtrlListView_BeginUpdate($hLV2)
    _GUICtrlListView_DeleteAllItems($hLV2)
    $g_aMods = _EnumModules($g_aProcs[$idx][0])
    Local $iRows = 0
    If IsArray($g_aMods) Then
        _ArraySort($g_aMods, 0, 0, 0, 1) ; ascending, by column 1 (module name)
        $iRows = UBound($g_aMods)
    EndIf
    For $iRow = 0 To $iRows - 1
        _GUICtrlListView_AddItem($hLV2, $g_aMods[$iRow][1])
        _GUICtrlListView_AddSubItem($hLV2, $iRow, $g_aMods[$iRow][0], 1)
        _GUICtrlListView_AddSubItem($hLV2, $iRow, $g_aMods[$iRow][2], 2)
    Next
    _GUICtrlListView_EndUpdate($hLV2)
EndFunc

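Func _EnumModules($process)
    ; Enumerate the modules the loader knows about in process $process (a PID) via
    ; psapi!EnumProcessModules. Returns a 2D array [n][3]: [i][0] = base address (ptr),
    ; [i][1] = base name, [i][2] = full path ("n/a" when not readable), or an empty value with
    ; @error = 1 (process could not be opened) / 2 (enumeration failed).
    ; Only modules linked into the PEB loader lists are reported: manually mapped code, or a
    ; module that unlinked itself from those lists, is invisible here - which matters when this
    ; output feeds a detection allow-list. EnumProcessModules also fails for a target whose
    ; bitness differs from this script's.
    Local $aMods
    Local $hProcess = _GetProcHandle($process)
    If Not $hProcess Then Return SetError(1, 0, $aMods)
    ; the original divided cbNeeded by a hard-coded 4; pointers are 8 bytes in a 64-bit script
    Local $iPtrSize = DllStructGetSize(DllStructCreate("ptr"))
    Local $iMax = 1024
    Local $modules, $ret, $cbNeeded
    While 1
        $modules = DllStructCreate("ptr[" & $iMax & "]")
        $ret = DllCall($PSAPI, "int", "EnumProcessModules", "ptr", $hProcess, "ptr", DllStructGetPtr($modules), "dword", DllStructGetSize($modules), "dword*", 0)
        If @error Or Not $ret[0] Then
            _WinAPI_CloseHandle($hProcess)
            Return SetError(2, 0, $aMods)
        EndIf
        $cbNeeded = $ret[4]
        ; cbNeeded can exceed the buffer; the original then indexed the struct past its end.
        ; Grow until the whole list fits instead.
        If $cbNeeded <= DllStructGetSize($modules) Then ExitLoop
        $iMax *= 2
    WEnd
    Local $nummods = Int($cbNeeded / $iPtrSize)
    If $nummods > 0 Then
        Local $aMods[$nummods][3]
        For $i = 1 To $nummods
            Local $pBase = Ptr(DllStructGetData($modules, 1, $i))
            $aMods[$i - 1][0] = $pBase ; base address
            $aMods[$i - 1][1] = "n/a"  ; module name
            $aMods[$i - 1][2] = "n/a"  ; module path
            Local $name = _GetModuleBaseNameW($hProcess, $pBase)
            If $name Then $aMods[$i - 1][1] = $name
            Local $path = _GetModuleFileNameW($hProcess, $pBase)
            If $path Then $aMods[$i - 1][2] = $path
        Next
    EndIf
    _WinAPI_CloseHandle($hProcess)
    $modules = 0
    
    Return $aMods
EndFunc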

Func _RefreshProcs()
    ; "Refresh" under the process list. The module pane is cleared first: its rows belonged to
    ; whatever process was selected before, and the rebuilt list has no selection.
    _GUICtrlListView_DeleteAllItems($hLV2)
    _UpdateProcs()
EndFunc

Func _RefreshMods()
    ; Re-read the module list of the currently selected process; no-op when nothing is selected.
    Local $sSelected = _GUICtrlListView_GetSelectedIndices($hLV1)
    If $sSelected == "" Then Return
    _UpdateMods(Number($sSelected))
EndFunc

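Func _InjectModule()
    ; "Inject Module" button handler: loads a user-chosen DLL into the process selected in the
    ; process list by writing the DLL path into the target and running kernel32!LoadLibraryA on
    ; it from a new remote thread (CreateRemoteThread). The DLL's DllMain then runs with the
    ; target's token, i.e. this is arbitrary code execution inside that process: use it only on
    ; your own processes and with DLLs you trust.
    ; Return: HMODULE of the injected DLL in the target, 0 on failure, with @error:
    ;   1 no process selected        2 file dialog cancelled        3 not a .dll file
    ;   4 OpenProcess failed         5 VirtualAllocEx failed        6 WriteProcessMemory short
    ;   7 kernel32.dll not in the module list  8 CreateRemoteThread failed
    ;   9 LoadLibrary returned NULL  10 path too long for the ANSI buffer
    ; Changes vs. the original: extension check is case-insensitive; only path length + NUL is
    ; written (a path >= 260 chars used to be written without its terminator); the remote buffer
    ; is released (MEM_RELEASE) rather than only decommitted; a NULL HMODULE is reported.
    Local $err = 0, $hModule = 0
    Local $procidx = _GUICtrlListView_GetSelectedIndices($hLV1)
    If $procidx == "" Then
        $err = 1
    Else
        Local $dllpath = FileOpenDialog("Inject Module into " & $g_aProcs[Number($procidx)][1] & "...", @ScriptDir, "Modules (*.dll)", 3, "", $gui)
        If @error Then
            $err = 2
        ElseIf StringLower(StringRight($dllpath, 4)) <> ".dll" Then
            $err = 3 ; Windows file names are case-insensitive; "FOO.DLL" is a valid module
        ElseIf StringLen($dllpath) + 1 > 260 Then
            $err = 10
        Else
            Local $hProcess = _GetProcHandle($g_aProcs[Number($procidx)][0])
            If Not $hProcess Then
                $err = 4
            Else
                $hModule = __InjectDllPath($hProcess, $dllpath, $err)
                _WinAPI_CloseHandle($hProcess)
            EndIf
        EndIf
    EndIf
    
    _RefreshMods()
    
    Return SetError($err, 0, $hModule)
EndFunc

Func __InjectDllPath($hProcess, $dllpath, ByRef $err)
    ; Write $dllpath (ANSI, NUL-terminated) into $hProcess and run LoadLibraryA on it from a remote
    ; thread. Sets $err to one of the codes 5..9 documented on _InjectModule on failure and returns
    ; the HMODULE reported by the thread's exit code, or 0.
    ; Caveats: the path is converted to the system ANSI code page ("str"), so characters outside
    ; it are mangled and may name a different file - use LoadLibraryW/"wstr" for such paths.
    ; GetExitCodeThread yields a DWORD, so for a 64-bit target only the low 32 bits of the HMODULE
    ; come back; together with _GetOffsets this tool is effectively same-bitness only.
    ; The wait on the remote thread is unbounded: a DllMain that blocks hangs this GUI.
    Local $hModule = 0
    Local $iLen = StringLen($dllpath) + 1 ; include the terminating NUL
    ; allocate memory in remote process for dll path
    Local $pMem = _MemVirtualAllocEx($hProcess, 0, $iLen, $MEM_COMMIT, $PAGE_READWRITE)
    If Not $pMem Then
        $err = 5
        Return 0
    EndIf
    ; write dll path to remote process
    Local $ret = DllCall("kernel32.dll", "int", "WriteProcessMemory", "ptr", $hProcess, "ptr", $pMem, "str", $dllpath, "uint", $iLen, "uint*", 0)
    If @error Or $ret[5] <> $iLen Then
        $err = 6
    Else
        ; target's kernel32 base comes from the module list shown for the selected process
        Local $kernelidx = _ArraySearch($g_aMods, "kernel32.dll", 0, 0, 0, 0, 1, 1)
        If $kernelidx == -1 Then
            $err = 7
        Else
            Local $LoadLibraryA = $g_aMods[$kernelidx][0] + $g_LoadLibraryA ; add offset to base address
            $ret = DllCall("kernel32.dll", "ptr", "CreateRemoteThread", "ptr", $hProcess, "ptr", 0, "uint", 0, "ptr", $LoadLibraryA, "ptr", $pMem, "dword", 0, "ptr", 0)
            If @error Or Not $ret[0] Then
                $err = 8 ; create remote thread failed
            Else
                Local $hThread = $ret[0]
                _WinAPI_WaitForSingleObject($hThread) ; wait for thread to finish
                ; thread exit code == LoadLibraryA's return value (HMODULE, 0 on failure)
                $ret = DllCall("kernel32.dll", "int", "GetExitCodeThread", "ptr", $hThread, "dword*", 0)
                If Not @error And $ret[0] Then $hModule = Ptr($ret[2])
                _WinAPI_CloseHandle($hThread)
                If Not $hModule Then $err = 9
            EndIf
        EndIf
    EndIf
    ; release the whole region (size must be 0 with MEM_RELEASE); MEM_DECOMMIT left it reserved
    _MemVirtualFreeEx($hProcess, $pMem, 0, $MEM_RELEASE)
    Return $hModule
EndFunc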

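Func _UnloadModule()
    ; "Unload Module" button handler: runs kernel32!FreeLibrary(hModule) inside the selected
    ; process on a remote thread, with the selected module's base address as its HMODULE.
    ; Why this can crash the target (the behaviour reported in the thread above):
    ;   - FreeLibrary only decrements the loader's reference count. A module that was loaded more
    ;     than once, or that pinned itself, stays mapped and nothing visible happens.
    ;   - When the count does reach zero the image is unmapped immediately, but threads still
    ;     executing in it, hooks/trampolines it installed and callbacks it registered are not
    ;     undone; the next use of any of them faults inside the target. A third-party DLL that
    ;     was injected is rarely safe to remove this way. For a detection tool, reporting the
    ;     module (or terminating the process) is the reliable response.
    ; Return: 0 on success, 1 on failure, with @error:
    ;   1 no process selected   2 no module selected    3 OpenProcess failed
    ;   4 kernel32.dll not in the module list   5 CreateRemoteThread failed
    ;   6 FreeLibrary returned FALSE (read from the thread's exit code)
    ; The original reused code 4 for two different failures and never looked at FreeLibrary's result.
    Local $err = 0, $return = 0
    Local $procidx = _GUICtrlListView_GetSelectedIndices($hLV1)
    Local $modidx = _GUICtrlListView_GetSelectedIndices($hLV2)
    If $procidx == "" Then
        $err = 1
    ElseIf $modidx == "" Then
        $err = 2
    Else
        Local $hModule = $g_aMods[Number($modidx)][0]
        Local $hProcess = _GetProcHandle($g_aProcs[Number($procidx)][0])
        If Not $hProcess Then
            $err = 3
        Else
            ; get FreeLibrary address and call the remote thread with hModule as its parameter
            Local $kernelidx = _ArraySearch($g_aMods, "kernel32.dll", 0, 0, 0, 0, 1, 1)
            If $kernelidx == -1 Then
                $err = 4
            Else
                Local $FreeLibrary = $g_aMods[$kernelidx][0] + $g_FreeLibrary ; add offset to base address
                Local $ret = DllCall("kernel32.dll", "ptr", "CreateRemoteThread", "ptr", $hProcess, "ptr", 0, "uint", 0, "ptr", $FreeLibrary, "ptr", $hModule, "dword", 0, "ptr", 0)
                If @error Or Not $ret[0] Then
                    $err = 5
                Else
                    Local $hThread = $ret[0]
                    _WinAPI_WaitForSingleObject($hThread) ; wait for thread to finish (unbounded)
                    ; the thread's exit code is FreeLibrary's BOOL result
                    $ret = DllCall("kernel32.dll", "int", "GetExitCodeThread", "ptr", $hThread, "dword*", 0)
                    If @error Or Not $ret[0] Or Not $ret[2] Then $err = 6
                    _WinAPI_CloseHandle($hThread)
                EndIf
            EndIf
            _WinAPI_CloseHandle($hProcess)
        EndIf
    EndIf
    
    _RefreshMods()
    
    If $err Then $return = 1
    Return SetError($err, 0, $return)
EndFunc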

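Func _GetProcAddress($module, $function)
    ; Address of export $function in module handle $module, in THIS process (kernel32!GetProcAddress).
    ; Returns 0 with @error = 1 when DllCall itself failed (the original then indexed a non-array)
    ; and with @error = 2 when the export does not exist; callers must not add a 0 to a base address.
    Local $call = DllCall("kernel32.dll", "ptr", "GetProcAddress", "ptr", $module, "str", $function)
    If @error Then Return SetError(1, 0, 0)
    If Not $call[0] Then Return SetError(2, 0, $call[0])
    Return $call[0]
EndFunc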

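Func _GetProcHandle($process, $iAccess = 0)
    ; OpenProcess() wrapper. $process must be a positive integer PID; anything else (including
    ; PID 0, the System Idle Process) yields 0. Returns the handle, or 0 on failure.
    ; $iAccess: access mask. 0 (the default, backward compatible) means the union this tool needs
    ; for injecting/unloading: PROCESS_CREATE_THREAD (0x0002) | PROCESS_VM_OPERATION (0x0008) |
    ; PROCESS_VM_READ (0x0010) | PROCESS_VM_WRITE (0x0020) | PROCESS_QUERY_INFORMATION (0x0400).
    ; Callers that only list processes or modules need just QUERY_INFORMATION | VM_READ and should
    ; pass BitOR(0x0400, 0x0010): asking for write/thread rights is more than least privilege and
    ; fails outright on targets where a read-only open would have succeeded, which is why such
    ; processes appear in the list under a placeholder name.
    Local $hProcess = 0
    If $iAccess = 0 Then $iAccess = BitOR(0x0002, 0x0400, 0x0008, 0x0010, 0x0020)
    If IsInt($process) And $process > 0 Then
        ; bInheritHandle = 0: the handle must not leak into child processes
        Local $ret = DllCall("kernel32.dll", "ptr", "OpenProcess", "dword", $iAccess, "int", 0, "dword", $process)
        If Not @error And $ret[0] Then $hProcess = $ret[0]
    EndIf
    
    Return $hProcess
EndFunc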

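Func _GetPrivilege_SEDEBUG()
    ; Enable SeDebugPrivilege in this process's token so OpenProcess() can reach processes of other
    ; users and the system. The privilege can only be enabled if the token holds it (administrators,
    ; and under UAC only an elevated token). When it does not, AdjustTokenPrivileges still returns
    ; TRUE and sets the last error to ERROR_NOT_ALL_ASSIGNED (1300) - the original's check of the
    ; return value alone therefore reported success on every non-admin run.
    ; Returns True only when the privilege is actually enabled; otherwise False with @error:
    ;   1 OpenProcessToken failed   2 LookupPrivilegeValue failed
    ;   3 AdjustTokenPrivileges failed   4 token does not hold SeDebugPrivilege
    ; Also fixes: the token handle is now closed; lpSystemName/PreviousState/ReturnLength are
    ; passed as real NULL pointers instead of Chr(0) strings.
    Local Const $TOKEN_ADJUST_PRIVILEGES = 0x20
    Local Const $ERROR_NOT_ALL_ASSIGNED = 1300
    Local $count = 1
    ; TOKEN_PRIVILEGES = DWORD PrivilegeCount followed by count LUID_AND_ATTRIBUTES (12 bytes each)
    Local $tagTOKENPRIVILEGES = "dword PrivilegeCount;byte LUIDandATTRIB[" & $count * 12 & "]"
    Local $tagLUIDANDATTRIB = "int64 Luid;dword Attributes"

    Local $call = DllCall("advapi32.dll", "int", "OpenProcessToken", "ptr", _WinAPI_GetCurrentProcess(), "dword", $TOKEN_ADJUST_PRIVILEGES, "ptr*", 0)
    If @error Or Not $call[0] Then Return SetError(1, 0, False)
    Local $hToken = $call[3]

    ; lpSystemName = NULL: look the privilege up on the local system
    $call = DllCall("advapi32.dll", "int", "LookupPrivilegeValue", "ptr", 0, "str", "SeDebugPrivilege", "int64*", 0)
    If @error Or Not $call[0] Then
        _WinAPI_CloseHandle($hToken)
        Return SetError(2, 0, False)
    EndIf
    Local $iLuid = $call[3]

    Local $TP = DllStructCreate($tagTOKENPRIVILEGES)
    Local $LUID = DllStructCreate($tagLUIDANDATTRIB, DllStructGetPtr($TP, "LUIDandATTRIB"))
    DllStructSetData($TP, "PrivilegeCount", $count)
    DllStructSetData($LUID, "Luid", $iLuid)
    DllStructSetData($LUID, "Attributes", $SE_PRIVILEGE_ENABLED)

    ; PreviousState / ReturnLength = NULL: the old state is not needed
    $call = DllCall("advapi32.dll", "int", "AdjustTokenPrivileges", "ptr", $hToken, "int", 0, "ptr", DllStructGetPtr($TP), "dword", 0, "ptr", 0, "ptr", 0)
    Local $iCallError = @error
    ; read the last error right away, before any other API call can overwrite it
    Local $iLastError = _WinAPI_GetLastError()
    _WinAPI_CloseHandle($hToken)
    If $iCallError Or Not $call[0] Then Return SetError(3, 0, False)
    If $iLastError = $ERROR_NOT_ALL_ASSIGNED Then Return SetError(4, 0, False)
    Return True
EndFunc   ;==>_GetPrivilege_SEDEBUG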

The function _ProcessGetLoadedModules() that I'm using, which returns a lot of unnecessary modules:

#Include <WinAPI.au3>

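; #FUNCTION#;===============================================================================
;
; Name...........: _ProcessGetLoadedModules
; Description ...: Returns an array containing the full path of the loaded modules
; Syntax.........: _ProcessGetLoadedModules($iPID)
; Parameters ....: $iPID - process id of the target process
; Return values .: Success - An array with all the paths
;               : Failure - -1 and @error=1 if the specified process couldn't be opened,
;               :           @error=2 if EnumProcessModules failed (e.g. the target's bitness
;               :           differs from this script's)
; Author ........: Andreas Karlsson (monoceres) & ProgAndy
; Modified.......: buffer is grown to fit instead of fixed at 200 entries; pointer size is
;               : measured instead of assumed; DllCall failures are checked; the psapi handle
;               : is released on every return path; $Dimensions is declared (MustDeclareVars)
; Remarks .......: Lists only modules the Windows loader knows about (the PEB module lists).
;               : Manually mapped code, or a module that unlinked itself from those lists, is
;               : not returned, so an allow-list built on this function only ever sees
;               : cooperative modules. Paths come from GetModuleFileNameExW; compare them
;               : case-insensitively and prefer verifying the file itself (hash/signature)
;               : over trusting the path alone.
; Related .......: 
; Link ..........;
; Example .......; No
;
;;==========================================================================================
Func _ProcessGetLoadedModules($iPID)
    Local Const $PROCESS_QUERY_INFORMATION = 0x0400
    Local Const $PROCESS_VM_READ = 0x0010
    Local $hPsapi = DllOpen("Psapi.dll")
    ; read-only access is all enumeration needs (least privilege, and it succeeds on more targets)
    Local $hProcess = _WinAPI_OpenProcess(BitOR($PROCESS_QUERY_INFORMATION, $PROCESS_VM_READ), False, $iPID)
    If Not $hProcess Then
        DllClose($hPsapi) ; the original leaked this handle on the early return
        Return SetError(1, 0, -1)
    EndIf

    Local $iPtrSize = DllStructGetSize(DllStructCreate("ptr")) ; 4 or 8 depending on the script's bitness
    Local $iMax = 200, $tModulesStruct, $aCall, $cbNeeded
    While 1
        $tModulesStruct = DllStructCreate("ptr[" & $iMax & "]")
        $aCall = DllCall($hPsapi, "int", "EnumProcessModules", "ptr", $hProcess, "ptr", DllStructGetPtr($tModulesStruct), "dword", DllStructGetSize($tModulesStruct), "dword*", 0)
        If @error Or Not $aCall[0] Then
            _WinAPI_CloseHandle($hProcess)
            DllClose($hPsapi)
            Return SetError(2, 0, -1)
        EndIf
        $cbNeeded = $aCall[4]
        ; the API never writes past the buffer; cbNeeded says whether everything fitted. Retry
        ; with room to spare since the module list can grow between two calls.
        If $cbNeeded <= DllStructGetSize($tModulesStruct) Then ExitLoop
        $iMax = Int($cbNeeded / $iPtrSize) * 2
    WEnd

    Local $iCount = Int($cbNeeded / $iPtrSize)
    If $iCount <= 0 Then $iCount = 1 ; keep the original's one-entry result (hModule 0 = main exe)
    Local $aReturn[$iCount]
    For $i = 0 To $iCount - 1
        $aCall = DllCall($hPsapi, "dword", "GetModuleFileNameExW", "ptr", $hProcess, "ptr", DllStructGetData($tModulesStruct, 1, $i + 1), "wstr", "", "dword", 65536)
        If @error Or Not $aCall[0] Then
            $aReturn[$i] = "" ; unreadable entry, kept so indices still follow the module order
        Else
            $aReturn[$i] = $aCall[3]
        EndIf
    Next
    _WinAPI_CloseHandle($hProcess)
    DllClose($hPsapi)
    Return $aReturn
EndFunc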


It would be easier to work with an actual example of what you want to achieve... you would need to look at a live example and then read more about threads, modules and so on... module names alone don't get us far... though you at least have the "path", which is one clue (it shows whether the module was loaded from the usual place).

Hmm... but if you look at which modules the game(?) usually loads... then unloading the other ones still crashes it???

Oops... ran out of time... Later!

/Manko

Yes i rush things! (I sorta do small bursts inbetween doing nothing.) Things I have rushed and reRushed:* ProDLLer - Process manager - Unload viri modules (dll) and moore...* _WinAPI_ProcessListOWNER_WTS() - Get Processes owner list...* _WinAPI_GetCommandLineFromPID() - Get commandline of target process...* _WinAPI_ThreadsnProcesses() Much info if expanded - optional Indented "Parent/Child"-style Processlist. Moore to come... eventually...

If the modules crash on unload, they were probably never designed to be unloaded in the first place... Your best bet might be to patch LoadLibrary() with a code cave and compare its module-name string parameter against a list of known / unknown modules.

Ever wanted to call functions in another process? ProcessCall UDFConsole stuff: Console UDFC Preprocessor for AutoIt OMG

