Doll Posted January 25, 2009 Share Posted January 25, 2009 (edited) I'm new here and still learning. Is it possible to detect a DLL injected into a program? Like for example your AutoIt.exe runs another program called ProgramA. Then, if another program called ProgramB injects 'test.dll' into ProgramA, a MsgBox would appear saying 'test.dll' is detected. Or the other way is like detecting the 'test.dll' in memory then a MsgBox would appear, too. Could someone help me? Thanks in advance. EDIT: BTW, I've searched the forums but I couldn't find a program or code that is related to my problem. Edited January 25, 2009 by Doll Smile. :) Link to comment Share on other sites More sharing options...
Moderators SmOke_N Posted January 25, 2009 Moderators Share Posted January 25, 2009 You could mod this to accomplish what you want.http://www.autoitscript.com/forum/index.ph...c=88121&hl= Common sense plays a role in the basics of understanding AutoIt... If you're lacking in that, do us all a favor, and step away from the computer. Link to comment Share on other sites More sharing options...
Doll Posted January 25, 2009 Author Share Posted January 25, 2009 Ok thanks for the fast reply. I'll try to do it. Smile. :) Link to comment Share on other sites More sharing options...
Doll Posted January 25, 2009 Author Share Posted January 25, 2009 Sorry for double posting but I have a problem with the code.So anyway, my modified code is just to check whether "test.dll" is in the memory. When it detects the DLL, a message will inform the user that "test.dll" was found.So what I've done so far is I've downloaded the ModuleSpy in this link (SmOke_N's post). I have modified the code so because I don't really need the GUI but just to detect a Module name. And I'm kinda stuck in this code -> (Line: 11 -> "If $g_aMods[$j][1] == "test.dll" Then").The error is:If $g_aMods[$j][1] == "test.dll" Then If $g_aMods^ ERROR Error: Subscript used with non-Array variable.I don't know what's wrong, I checked the dimensional a lot of times but I'm pretty sure I inputted the correct Subscript. So could anyone debug or at least help me? Thanks in advance.expandcollapse popupGlobal $PSAPI = DllOpen("psapi.dll") Global $g_aProcs, $g_aMods _CheckDLL() Func _CheckDLL() $g_aProcs = _EnumProcesses() For $i=0 To UBound($g_aProcs)-1 $g_aMods = _EnumModules($g_aProcs[$i][0]) For $j = 0 To UBound($g_aProcs,2)-1 If $g_aMods[$j][1] == "test.dll" Then MsgBox(64, 'Info', 'test.dll Found!') EndIf Next Next EndFunc Func _EnumModules($process) ; enumerate all modules in a process Local $aMods Local $hProcess = _GetProcHandle($process) If $hProcess Then Local $modules = DllStructCreate("ptr[1024]") Local $ret = DllCall($PSAPI, "int", "EnumProcessModules", "ptr", $hProcess, "ptr", DllStructGetPtr($modules), "dword", DllStructGetSize($modules), "dword*", 0) If $ret[4] > 0 Then Local $nummods = $ret[4] / 4 Local $aMods[$nummods][3] For $i = 1 To $nummods $aMods[$i - 1][0] = DllStructGetData($modules, 1, $i); base address $aMods[$i - 1][1] = "n/a"; module name $aMods[$i - 1][2] = "n/a"; module path Local $name = _GetModuleBaseNameW($hProcess, Ptr($aMods[$i - 1][0])) If $name Then $aMods[$i - 1][1] = $name Local $path = _GetModuleFileNameW($hProcess, Ptr($aMods[$i - 1][0])) If $path Then $aMods[$i - 1][2] = $path Next EndIf $modules = 0 EndIf Return $aMods EndFunc Func _EnumProcesses() ; enumerate processes and build array Local $aProc Local $pids = DllStructCreate("dword[1024]") Local $ret = DllCall($PSAPI, "int", "EnumProcesses", "ptr", DllStructGetPtr($pids), "dword", DllStructGetSize($pids), "dword*", 0) If $ret[3] > 0 Then Local $numpids = $ret[3] / 4; number of pids Local $aProc[$numpids][2] For $i = 1 To $numpids $aProc[$i - 1][0] = DllStructGetData($pids, 1, $i); process pid $aProc[$i - 1][1] = "System"; process name ; open the process and get the filename Local $hProcess = _GetProcHandle(DllStructGetData($pids, 1, $i)) If $hProcess Then Local $name = _GetModuleBaseNameW($hProcess) EndIf Next EndIf $pids = 0 Return $aProc EndFunc Func _GetProcHandle($process) Local $hProcess = 0 Local $PERMISSION = BitOR(0x0002, 0x0400, 0x0008, 0x0010, 0x0020); CREATE_THREAD, QUERY_INFORMATION, VM_OPERATION, VM_READ, VM_WRITE If IsInt($process) Then If $process > 0 Then Local $ret = DllCall("kernel32.dll", "ptr", "OpenProcess", "dword", $PERMISSION, "int", 0, "dword", $process) If $ret[0] Then $hProcess = $ret[0] EndIf EndIf EndIf Return $hProcess EndFunc Func _GetModuleBaseNameW($hProcess, $hModule = 0) Local $name = "" Local $ret = DllCall($PSAPI, "dword", "GetModuleBaseNameW", "ptr", $hProcess, "ptr", $hModule, "wstr", "", "dword", 260) If $ret[0] Then $name = $ret[3] EndIf Return $name EndFunc Func _GetModuleFileNameW($hProcess, $hModule = 0) Local $path = "" Local $ret = DllCall($PSAPI, "dword", "GetModuleFileNameExW", "ptr", $hProcess, "ptr", $hModule, "wstr", "", "dword", 260) If $ret[0] Then $path = $ret[3] EndIf Return $path EndFunc Smile. :) Link to comment Share on other sites More sharing options...
monoceres Posted January 25, 2009 Share Posted January 25, 2009 (edited) The problem is that for some processes the _EnumModules() fails because you don't have the appropriate rights to open a handle to the process. (For example pid=0 fails because that's the "system idle process" and I'm pretty sure user mode applications cannot open that process). The solution is simple, just check if _EnumModules returned an array or else continue the loop. Like for example: $g_aMods = _EnumModules($g_aProcs[$i][0]) If Not IsArray($g_aMods) Then ContinueLoop Edited January 25, 2009 by monoceres Broken link? PM me and I'll send you the file! Link to comment Share on other sites More sharing options...
Doll Posted January 26, 2009 Author Share Posted January 26, 2009 It worked! Thank you. Smile. :) Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now