Jump to content
Sign in to follow this  
Doll

Detects DLL Injected

Recommended Posts

Doll

I'm new here and still learning. Is it possible to detect a DLL injected into a program?

Like for example your AutoIt.exe runs another program called ProgramA. Then, if another program called ProgramB injects 'test.dll' into ProgramA, a MsgBox would appear saying 'test.dll' is detected.

Or the other way is like detecting the 'test.dll' in memory then a MsgBox would appear, too.

Could someone help me? Thanks in advance.

EDIT:

BTW, I've searched the forums but I couldn't find a program or code that is related to my problem.

Edited by Doll

Smile. :)

Share this post


Link to post
Share on other sites
Doll

Ok thanks for the fast reply. I'll try to do it.


Smile. :)

Share this post


Link to post
Share on other sites
Doll

Sorry for double posting but I have a problem with the code.

So anyway, my modified code is just to check whether "test.dll" is in the memory. When it detects the DLL, a message will inform the user that "test.dll" was found.

So what I've done so far is I've downloaded the ModuleSpy in this link (SmOke_N's post). I have modified the code so because I don't really need the GUI but just to detect a Module name. And I'm kinda stuck in this code -> (Line: 11 -> "If $g_aMods[$j][1] == "test.dll" Then").

The error is:

If $g_aMods[$j][1] == "test.dll" Then
If $g_aMods^ ERROR

Error: Subscript used with non-Array variable.

I don't know what's wrong, I checked the dimensional a lot of times but I'm pretty sure I inputted the correct Subscript. So could anyone debug or at least help me? Thanks in advance.

Global $PSAPI = DllOpen("psapi.dll")
Global $g_aProcs, $g_aMods

_CheckDLL()

Func _CheckDLL()
    $g_aProcs = _EnumProcesses()
    For $i=0 To UBound($g_aProcs)-1
        $g_aMods = _EnumModules($g_aProcs[$i][0])
        For $j = 0 To UBound($g_aProcs,2)-1
            If $g_aMods[$j][1] == "test.dll" Then
                MsgBox(64, 'Info', 'test.dll Found!')
            EndIf
        Next            
    Next
EndFunc
    
Func _EnumModules($process)
; enumerate all modules in a process
    Local $aMods
    Local $hProcess = _GetProcHandle($process)
    If $hProcess Then
        Local $modules = DllStructCreate("ptr[1024]")
        Local $ret = DllCall($PSAPI, "int", "EnumProcessModules", "ptr", $hProcess, "ptr", DllStructGetPtr($modules), "dword", DllStructGetSize($modules), "dword*", 0)
        If $ret[4] > 0 Then
            Local $nummods = $ret[4] / 4
            Local $aMods[$nummods][3]
            For $i = 1 To $nummods
                $aMods[$i - 1][0] = DllStructGetData($modules, 1, $i); base address
                $aMods[$i - 1][1] = "n/a"; module name
                $aMods[$i - 1][2] = "n/a"; module path
                Local $name = _GetModuleBaseNameW($hProcess, Ptr($aMods[$i - 1][0]))
                If $name Then $aMods[$i - 1][1] = $name
                Local $path = _GetModuleFileNameW($hProcess, Ptr($aMods[$i - 1][0]))
                If $path Then $aMods[$i - 1][2] = $path
            Next
        EndIf
        $modules = 0
    EndIf
    
    Return $aMods
EndFunc

Func _EnumProcesses()
; enumerate processes and build array
    Local $aProc
    Local $pids = DllStructCreate("dword[1024]")
    Local $ret = DllCall($PSAPI, "int", "EnumProcesses", "ptr", DllStructGetPtr($pids), "dword", DllStructGetSize($pids), "dword*", 0)
    If $ret[3] > 0 Then
        Local $numpids = $ret[3] / 4; number of pids
        Local $aProc[$numpids][2]
        For $i = 1 To $numpids
            $aProc[$i - 1][0] = DllStructGetData($pids, 1, $i); process pid
            $aProc[$i - 1][1] = "System"; process name
        ; open the process and get the filename
            Local $hProcess = _GetProcHandle(DllStructGetData($pids, 1, $i))
            If $hProcess Then
                Local $name = _GetModuleBaseNameW($hProcess)
            EndIf
        Next
    EndIf
    $pids = 0
    
    Return $aProc
EndFunc

Func _GetProcHandle($process)
    Local $hProcess = 0
    Local $PERMISSION = BitOR(0x0002, 0x0400, 0x0008, 0x0010, 0x0020); CREATE_THREAD, QUERY_INFORMATION, VM_OPERATION, VM_READ, VM_WRITE
    
    If IsInt($process) Then
        If $process > 0 Then
            Local $ret = DllCall("kernel32.dll", "ptr", "OpenProcess", "dword", $PERMISSION, "int", 0, "dword", $process)
            If $ret[0] Then
                $hProcess = $ret[0]
            EndIf
        EndIf
    EndIf
    
    Return $hProcess
EndFunc

Func _GetModuleBaseNameW($hProcess, $hModule = 0)
    Local $name = ""
    Local $ret = DllCall($PSAPI, "dword", "GetModuleBaseNameW", "ptr", $hProcess, "ptr", $hModule, "wstr", "", "dword", 260)
    If $ret[0] Then
        $name = $ret[3]
    EndIf
    
    Return $name
EndFunc

Func _GetModuleFileNameW($hProcess, $hModule = 0)
    Local $path = ""
    Local $ret = DllCall($PSAPI, "dword", "GetModuleFileNameExW", "ptr", $hProcess, "ptr", $hModule, "wstr", "", "dword", 260)
    If $ret[0] Then
        $path = $ret[3]
    EndIf
    
    Return $path
EndFunc

Smile. :)

Share this post


Link to post
Share on other sites
monoceres

The problem is that for some processes the _EnumModules() fails because you don't have the appropriate rights to open a handle to the process. (For example pid=0 fails because that's the "system idle process" and I'm pretty sure user mode applications cannot open that process). The solution is simple, just check if _EnumModules returned an array or else continue the loop.

Like for example:

$g_aMods = _EnumModules($g_aProcs[$i][0])
        If Not IsArray($g_aMods) Then ContinueLoop

:)

Edited by monoceres

Broken link? PM me and I'll send you the file!

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.