ModuleSpy


wraithdu

This is an idea I've been toying around with since writing my _WinApiHook UDF. This little app will let you view all modules loaded by a process. You can selectively unload a module, or inject a module of your own. I think this could be useful to help remove viruses or malware, but is more of a development tool I suppose. It has some fun tooltip and resizing code too :)

Note: Not all modules can be unloaded. I don't have a workaround (if there is one) at the moment.

Update v1.0.0.1

- Removed *.exe from the open file dialog

(v1.0.0.0 downloads: 32)

ModuleSpy.zip

Edited by wraithdu

Can you be more specific? What module are you trying to inject into what process? OS? Link to DLL? I can't troubleshoot with no info.

BTW, unloading and injection are tested and working on Vista.

Edited by wraithdu

Sorry, you can't inject a compiled script, only a DLL. I kinda misread the MSDN page and mistakenly included the EXE extension in the file open dialog (although my syntax error prevents it from opening EXEs anyway :)) You can use LoadLibrary on an EXE file, but it only provides a handle for use with LoadResource / FindResource.

I'll update the first post.

Edited by wraithdu

Thanks for the support!

Virus detection / removal was my primary thought. I'm very careful and my system has never been infected (knock on wood). But I've had to disinfect many other systems, and I hate finding the offending DLLs and not being able to remove them (easily) because they're loaded and in use. Hopefully this can help with that problem.

I'm toying with the idea of a search function to help with that end as well.

Edited by wraithdu

In my "MaXoFF" program, I have a function called

_CheckMalwareProcess() ; "http://pcpitstop.com/libraries/process/topmalicous"

It downloads the file, reads it into an array, then gets all running processes and checks them for malware/viruses.

The site I read from states it's the top 100 malware programs processes.

The function is actually very short and sweet!

http://www.autoitscript.com/forum/index.ph...st&p=625226

8)


I've seen your script. What I meant, was to be able to search all processes for a specific module. So if you identified a virus / malware on your system, you could find out into what processes it has been loaded and, hopefully, unload it.

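The "search all processes for a specific module" idea described above, written as an added PowerShell example (not ModuleSpy's own code, which is AutoIt). It only reports where a DLL is loaded; it does not unload anything. The module name and the `Find-LoadedModule` function name are assumptions for illustration.

```powershell
# Added example, not part of ModuleSpy. Lists every process that has a module
# matching -ModuleName loaded, so a suspect DLL can be traced to its host
# processes before any unloading is attempted. Windows only; run elevated to
# see more processes.
function Find-LoadedModule {
    [CmdletBinding()]
    param(
        # Wildcards allowed, e.g. 'suspect*.dll' (placeholder name, not a real IoC)
        [Parameter(Mandatory)][string]$ModuleName
    )

    foreach ($proc in Get-Process) {
        try {
            # .Modules enumerates the process's loaded-module list; it throws for
            # processes we lack query rights on (protected or higher-integrity ones).
            $mods = $proc.Modules
        } catch {
            # Report "could not inspect" explicitly: not visible is not the same
            # as not loaded.
            [PSCustomObject]@{
                PID     = $proc.Id
                Process = $proc.ProcessName
                Module  = $null
                Path    = '<access denied>'
                Note    = $_.Exception.Message
            }
            continue
        }
        foreach ($m in $mods) {
            if ($m.ModuleName -like $ModuleName) {
                [PSCustomObject]@{
                    PID     = $proc.Id
                    Process = $proc.ProcessName
                    Module  = $m.ModuleName
                    Path    = $m.FileName   # full path: a system DLL name loaded from a user-writable dir deserves a closer look
                    Note    = ''
                }
            }
        }
    }
}

# Usage:
# Find-LoadedModule -ModuleName 'suspect*.dll' | Format-Table -AutoSize
```

A 32-bit PowerShell host cannot enumerate the modules of 64-bit processes (the .Modules call fails), so run the 64-bit host on a 64-bit system to get complete results.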

I've seen your script. What I meant, was to be able to search all processes for a specific module. So if you identified a virus / malware on your system, you could find out into what processes it has been loaded and, hopefully, unload it.

Of Course!!!

I meant as an introduction to the depth you need to go. There are many malware programs that replace known or system processes. If there is one that "may" be malware, you could check the modules that should or should not be present.

8)


Hi!

Good work wraithdu!

Your code is much easier to read than mine!

Thanks for being the first to comment on my app, slightly reminiscent of yours:

http://www.autoitscript.com/forum/index.php?showtopic=84939

I think your app is a given complement to your UDF.

But for security I would still choose mine... :)

btw, I finally figured out a way to get commandline NOT using WMI.

It's a little rough. Please test it if you have time.

http://www.autoitscript.com/forum/index.php?showtopic=88214

/Manko

Edited by Manko
Yes I rush things! (I sorta do small bursts in between doing nothing.) Things I have rushed and reRushed:
* ProDLLer - Process manager - Unload viri modules (dll) and moore...
* _WinAPI_ProcessListOWNER_WTS() - Get Processes owner list...
* _WinAPI_GetCommandLineFromPID() - Get commandline of target process...
* _WinAPI_ThreadsnProcesses() Much info if expanded - optional Indented "Parent/Child"-style Processlist.
Moore to come... eventually...

Thanks. I didn't realize your app unloaded modules also. Eh, I'm not really developing mine anymore after I put in a search function. It was just an idea I had that I wanted to see in action.

Keep up the good work on ModHelper though, it's become quite a full-featured app!
