wraithdu

ModuleSpy

22 posts in this topic

#1 ·  Posted (edited)

This is an idea I've been toying around with since writing my _WinApiHook UDF. This little app will let you view all modules loaded by a process. You can selectively unload a module, or inject a module of your own. I think this could be useful to help remove viruses or malware, but it is more of a development tool, I suppose. It has some fun tooltip and resizing code too :)

Note: Not all modules can be unloaded. I don't have a workaround (if there is one) at the moment.


Update v1.0.0.1

- Removed *.exe from the open file dialog

(v1.0.0.0 downloads: 32)

ModuleSpy.zip

Edited by wraithdu


good job


Nice man, but the injection does not work for me :S


#4 ·  Posted (edited)

Can you be more specific? What module are you trying to inject into what process? OS? Link to DLL? I can't troubleshoot with no info.

BTW, unloading and injection are tested and working on Vista.

Edited by wraithdu


I am trying to inject a script into explorer.exe

I have Windows XP SP2


#6 ·  Posted (edited)

Sorry, you can't inject a compiled script, only a DLL. I kinda misread the MSDN page and mistakenly included the EXE extension in the file open dialog (although my syntax error prevents it from opening EXEs anyway :)). You can use LoadLibrary on an EXE file, but it only provides a handle for use with LoadResource / FindResource.

I'll update the first post.

Edited by wraithdu


Hi, I need to inject .exe files, is it possible using AutoIt?


#8 ·  Posted (edited)

No, it's not possible using anything.

Edited by wraithdu


Thanks again :)


Really Nice, wraithdu!!

I have no intention to inject anything. All the information looks great even the tool-tip info.

This is very informative as to.... "what is really going on here!!!"

I think this could help immensely with virus detection!!

Thanks for sharing

8)



#11 ·  Posted (edited)

Thanks for the support!

Virus detection / removal was my primary thought. I'm very careful and my system has never been infected (knock on wood). But I've had to disinfect many other systems, and I hate finding the offending DLLs and not being able to remove them (easily) because they're loaded and in use. Hopefully this can help with that problem.

I'm toying with the idea of a search function to help with that end as well.

Edited by wraithdu


In my "MaXoFF" program, I have a function called

_CheckMalwareProcess() ; "http://pcpitstop.com/libraries/process/topmalicous"

It downloads the list, reads the file into an array, then gets all running processes and checks them for malware/viruses.

The site I read from states it's the top 100 malware programs processes.

The function is actually very short and sweet!

http://www.autoitscript.com/forum/index.ph...st&p=625226

8)



I've seen your script. What I meant, was to be able to search all processes for a specific module. So if you identified a virus / malware on your system, you could find out into what processes it has been loaded and, hopefully, unload it.


I've seen your script. What I meant, was to be able to search all processes for a specific module. So if you identified a virus / malware on your system, you could find out into what processes it has been loaded and, hopefully, unload it.

Of Course!!!

I meant it as an introduction to the depth you need to go. There are many malware programs that replace known or system processes. If there is one that "may" be malware, you could check the modules that should or should not be present.

8)


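Listing the modules of a process (post #1), checking process names against a known-bad list (post #12), and searching every process for one module or for modules that should not be there (posts #13 and #14), as one added example. This is my code, not ModuleSpy's or MaXoFF's; the thread does not say whether ModuleSpy uses Toolhelp32 or EnumProcessModules, and the function names here (`list_modules`, `snapshot_all`, `find_holders`, `unexpected_modules`, `flagged_processes`) are mine. It targets Python 3 with ctypes on Windows; the sample process list and module snapshot at the bottom are constructed so the matching functions can run offline. Enumerating other users' processes needs an elevated token; protected processes, and 64-bit targets seen from a 32-bit interpreter, are skipped by `snapshot_all` rather than treated as errors.

```python
import ctypes
from collections import namedtuple
from ctypes import byref, c_long, c_size_t, c_uint32, c_void_p, c_wchar

TH32CS_SNAPPROCESS, TH32CS_SNAPMODULE, TH32CS_SNAPMODULE32 = 0x02, 0x08, 0x10
ERROR_BAD_LENGTH = 24                  # CreateToolhelp32Snapshot returns this transiently mid-load
INVALID_HANDLE_VALUE = c_void_p(-1).value

class PROCESSENTRY32W(ctypes.Structure):
    _fields_ = [("dwSize", c_uint32), ("cntUsage", c_uint32), ("th32ProcessID", c_uint32),
                ("th32DefaultHeapID", c_size_t), ("th32ModuleID", c_uint32), ("cntThreads", c_uint32),
                ("th32ParentProcessID", c_uint32), ("pcPriClassBase", c_long), ("dwFlags", c_uint32),
                ("szExeFile", c_wchar * 260)]

class MODULEENTRY32W(ctypes.Structure):
    _fields_ = [("dwSize", c_uint32), ("th32ModuleID", c_uint32), ("th32ProcessID", c_uint32),
                ("GlblcntUsage", c_uint32), ("ProccntUsage", c_uint32), ("modBaseAddr", c_void_p),
                ("modBaseSize", c_uint32), ("hModule", c_void_p), ("szModule", c_wchar * 256),
                ("szExePath", c_wchar * 260)]

Process = namedtuple("Process", "pid parent name")
Module = namedtuple("Module", "name path base size")

def _k32():
    """kernel32 with prototypes set so HANDLEs are not truncated on 64-bit. Windows only."""
    k = ctypes.WinDLL("kernel32", use_last_error=True)
    k.CreateToolhelp32Snapshot.restype = c_void_p
    k.CreateToolhelp32Snapshot.argtypes = (c_uint32, c_uint32)
    for prefix, entry in (("Process32", PROCESSENTRY32W), ("Module32", MODULEENTRY32W)):
        for step in ("FirstW", "NextW"):
            getattr(k, prefix + step).argtypes = (c_void_p, ctypes.POINTER(entry))
    k.CloseHandle.argtypes = (c_void_p,)
    return k

def _walk(flags, pid, entry_type, first, next_, convert):
    """Generic Toolhelp32 walk; retries the snapshot while the target is still loading modules."""
    k = _k32()
    for _ in range(5):
        snap = k.CreateToolhelp32Snapshot(flags, pid)
        if snap not in (None, INVALID_HANDLE_VALUE):
            break
        if ctypes.get_last_error() != ERROR_BAD_LENGTH:
            raise ctypes.WinError(ctypes.get_last_error())
    else:
        raise ctypes.WinError(ERROR_BAD_LENGTH)
    try:
        entry = entry_type()
        entry.dwSize = ctypes.sizeof(entry)
        if not getattr(k, first)(snap, byref(entry)):   # ERROR_ACCESS_DENIED, ERROR_PARTIAL_COPY, ...
            raise ctypes.WinError(ctypes.get_last_error())
        found = [convert(entry)]
        while getattr(k, next_)(snap, byref(entry)):
            found.append(convert(entry))
        return found
    finally:
        k.CloseHandle(snap)

def list_processes():
    return _walk(TH32CS_SNAPPROCESS, 0, PROCESSENTRY32W, "Process32FirstW", "Process32NextW",
                 lambda e: Process(e.th32ProcessID, e.th32ParentProcessID, e.szExeFile))

def list_modules(pid):
    """Modules of one process. SNAPMODULE32 adds the 32-bit modules of a WOW64 target; a 32-bit
    caller cannot see a 64-bit target's modules at all (the call fails with ERROR_PARTIAL_COPY)."""
    return _walk(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, pid, MODULEENTRY32W, "Module32FirstW",
                 "Module32NextW", lambda e: Module(e.szModule, e.szExePath, e.modBaseAddr, e.modBaseSize))

def snapshot_all():
    """{pid: [Module, ...]} for every process we may inspect; the rest are left out, not failed."""
    result = {}
    for p in list_processes():
        try:
            result[p.pid] = list_modules(p.pid)
        except OSError:
            pass
    return result

def find_holders(snapshot, module_name):
    """PIDs whose module list contains module_name (file name only, case-insensitive)."""
    want = module_name.lower()
    return sorted(pid for pid, mods in snapshot.items() if any(m.name.lower() == want for m in mods))

def unexpected_modules(baseline_names, modules):
    """Names loaded now that a known-good baseline for this program did not have."""
    known = {n.lower() for n in baseline_names}
    return sorted({m.name for m in modules if m.name.lower() not in known})

def flagged_processes(processes, bad_names):
    """Process-name match against a known-bad list, the check _CheckMalwareProcess performs."""
    bad = {n.lower() for n in bad_names}
    return [p for p in processes if p.name.lower() in bad]

# Constructed sample data (not a real system) so the matching functions can be exercised anywhere.
SAMPLE_PROCESSES = [Process(1234, 1000, "explorer.exe"), Process(4321, 1234, "Virus.exe")]
SAMPLE_SNAPSHOT = {
    1234: [Module("explorer.exe", r"C:\Windows\explorer.exe", 0x7FF600000000, 0x400000),
           Module("KERNEL32.DLL", r"C:\Windows\System32\KERNEL32.DLL", 0x7FFA10000000, 0xC0000),
           Module("evil.dll", r"C:\Users\Public\evil.dll", 0x7FFA00000000, 0x20000)],
    2345: [Module("notepad.exe", r"C:\Windows\System32\notepad.exe", 0x7FF700000000, 0x40000),
           Module("kernel32.dll", r"C:\Windows\System32\KERNEL32.DLL", 0x7FFA10000000, 0xC0000)],
}
```

On a live system `find_holders(snapshot_all(), "evil.dll")` gives the PIDs to feed to an unloader, and `Module.base` is the value FreeLibrary needs. Name matching is only a first filter in either direction: malware routinely borrows a legitimate name, so compare the path as well (a kernel32.dll outside System32 or SysWOW64 is the interesting case), and a baseline of module names for a program should be taken from a clean machine running the same version, since legitimate updates and shell extensions change what explorer.exe loads.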

#15 ·  Posted (edited)

HI!

Good work wraithdu!

Your code is much easier to read than mine!

Thanks for being first to comment on my app, slightly reminiscent of yours:

http://www.autoitscript.com/forum/index.php?showtopic=84939

I think your app is a given complement to your UDF.

But for security I would still choose mine... :)

btw, I finally figured out a way to get the command line NOT using WMI.

It's a little rough. Please test it if you have time.

http://www.autoitscript.com/forum/index.php?showtopic=88214

/Manko

Edited by Manko

Yes, I rush things! (I sort of do small bursts in between doing nothing.) Things I have rushed and re-rushed:
* ProDLLer - Process manager - Unload virus modules (DLLs) and more...
* _WinAPI_ProcessListOWNER_WTS() - Get process owner list...
* _WinAPI_GetCommandLineFromPID() - Get command line of target process...
* _WinAPI_ThreadsnProcesses() - Much info if expanded - optional indented "Parent/Child"-style process list.
More to come... eventually...


Thanks. I didn't realize your app unloaded modules also. Eh, I'm not really developing mine anymore after I put in a search function. It was just an idea I had that I wanted to see in action.

Keep up the good work on ModHelper though, it's become quite a full-featured app!


good job, thanks


#18 ·  Posted (edited)

@wraithdu

Good job :)

Cheers, FireFox.

Edited by FireFox

 


wraithdu

Great and useful! 5 stars! :)


Thanks everyone!
