Detects DLL Injected

[Doll]

I'm new here and still learning. Is it possible to detect a DLL injected into a program?

Like for example your AutoIt.exe runs another program called ProgramA. Then, if another program called ProgramB injects 'test.dll' into ProgramA, a MsgBox would appear saying 'test.dll' is detected.

Or the other way is like detecting the 'test.dll' in memory then a MsgBox would appear, too.

Could someone help me? Thanks in advance.

EDIT:

BTW, I've searched the forums but I couldn't find a program or code that is related to my problem.

Edited January 25, 2009 by Doll

[SmOke_N]

You could mod this to accomplish what you want.

http://www.autoitscript.com/forum/index.ph...c=88121&hl=

[Doll]

Ok thanks for the fast reply. I'll try to do it.

[Doll]

Sorry for double posting but I have a problem with the code.

So anyway, my modified code is just to check whether "test.dll" is in the memory. When it detects the DLL, a message will inform the user that "test.dll" was found.

So what I've done so far is I've downloaded the ModuleSpy in this link (SmOke_N's post). I have modified the code so because I don't really need the GUI but just to detect a Module name. And I'm kinda stuck in this code -> (Line: 11 -> "If $g_aMods[$j][1] == "test.dll" Then").

The error is:

If $g_aMods[$j][1] == "test.dll" Then
If $g_aMods^ ERROR

Error: Subscript used with non-Array variable.

I don't know what's wrong, I checked the dimensional a lot of times but I'm pretty sure I inputted the correct Subscript. So could anyone debug or at least help me? Thanks in advance.

expandcollapse popup

Global $PSAPI = DllOpen("psapi.dll")
Global $g_aProcs, $g_aMods

_CheckDLL()

Func _CheckDLL()
    $g_aProcs = _EnumProcesses()
    For $i=0 To UBound($g_aProcs)-1
        $g_aMods = _EnumModules($g_aProcs[$i][0])
        For $j = 0 To UBound($g_aProcs,2)-1
            If $g_aMods[$j][1] == "test.dll" Then
                MsgBox(64, 'Info', 'test.dll Found!')
            EndIf
        Next            
    Next
EndFunc
    
Func _EnumModules($process)
; enumerate all modules in a process
    Local $aMods
    Local $hProcess = _GetProcHandle($process)
    If $hProcess Then
        Local $modules = DllStructCreate("ptr[1024]")
        Local $ret = DllCall($PSAPI, "int", "EnumProcessModules", "ptr", $hProcess, "ptr", DllStructGetPtr($modules), "dword", DllStructGetSize($modules), "dword*", 0)
        If $ret[4] > 0 Then
            Local $nummods = $ret[4] / 4
            Local $aMods[$nummods][3]
            For $i = 1 To $nummods
                $aMods[$i - 1][0] = DllStructGetData($modules, 1, $i); base address
                $aMods[$i - 1][1] = "n/a"; module name
                $aMods[$i - 1][2] = "n/a"; module path
                Local $name = _GetModuleBaseNameW($hProcess, Ptr($aMods[$i - 1][0]))
                If $name Then $aMods[$i - 1][1] = $name
                Local $path = _GetModuleFileNameW($hProcess, Ptr($aMods[$i - 1][0]))
                If $path Then $aMods[$i - 1][2] = $path
            Next
        EndIf
        $modules = 0
    EndIf
    
    Return $aMods
EndFunc

Func _EnumProcesses()
; enumerate processes and build array
    Local $aProc
    Local $pids = DllStructCreate("dword[1024]")
    Local $ret = DllCall($PSAPI, "int", "EnumProcesses", "ptr", DllStructGetPtr($pids), "dword", DllStructGetSize($pids), "dword*", 0)
    If $ret[3] > 0 Then
        Local $numpids = $ret[3] / 4; number of pids
        Local $aProc[$numpids][2]
        For $i = 1 To $numpids
            $aProc[$i - 1][0] = DllStructGetData($pids, 1, $i); process pid
            $aProc[$i - 1][1] = "System"; process name
        ; open the process and get the filename
            Local $hProcess = _GetProcHandle(DllStructGetData($pids, 1, $i))
            If $hProcess Then
                Local $name = _GetModuleBaseNameW($hProcess)
            EndIf
        Next
    EndIf
    $pids = 0
    
    Return $aProc
EndFunc

Func _GetProcHandle($process)
    Local $hProcess = 0
    Local $PERMISSION = BitOR(0x0002, 0x0400, 0x0008, 0x0010, 0x0020); CREATE_THREAD, QUERY_INFORMATION, VM_OPERATION, VM_READ, VM_WRITE
    
    If IsInt($process) Then
        If $process > 0 Then
            Local $ret = DllCall("kernel32.dll", "ptr", "OpenProcess", "dword", $PERMISSION, "int", 0, "dword", $process)
            If $ret[0] Then
                $hProcess = $ret[0]
            EndIf
        EndIf
    EndIf
    
    Return $hProcess
EndFunc

Func _GetModuleBaseNameW($hProcess, $hModule = 0)
    Local $name = ""
    Local $ret = DllCall($PSAPI, "dword", "GetModuleBaseNameW", "ptr", $hProcess, "ptr", $hModule, "wstr", "", "dword", 260)
    If $ret[0] Then
        $name = $ret[3]
    EndIf
    
    Return $name
EndFunc

Func _GetModuleFileNameW($hProcess, $hModule = 0)
    Local $path = ""
    Local $ret = DllCall($PSAPI, "dword", "GetModuleFileNameExW", "ptr", $hProcess, "ptr", $hModule, "wstr", "", "dword", 260)
    If $ret[0] Then
        $path = $ret[3]
    EndIf
    
    Return $path
EndFunc

[monoceres]

The problem is that for some processes the _EnumModules() fails because you don't have the appropriate rights to open a handle to the process. (For example pid=0 fails because that's the "system idle process" and I'm pretty sure user mode applications cannot open that process). The solution is simple, just check if _EnumModules returned an array or else continue the loop.

Like for example:

$g_aMods = _EnumModules($g_aProcs[$i][0])
        If Not IsArray($g_aMods) Then ContinueLoop

Edited January 25, 2009 by monoceres

[Doll]

It worked! Thank you.