Check for loaded modules that aren’t whitelisted

16Jul09

I know it’s a terrible idea, but somebody had to do it!

#define WIN32_LEAN_AND_MEAN
#define VC_EXTRALEAN
/* The two defines above only take effect when they precede <windows.h>.
   <tlhelp32.h> is not needed here; EnumProcessModules is declared in
   <psapi.h> and needs psapi.lib at link time. */
#include <windows.h>
#include <psapi.h>
#include <string.h>
#include <stdlib.h>

#pragma comment( lib, "psapi.lib" )

/* Base names (no path) of every module this build is expected to have
   loaded, the executable itself included. Windows file names are not
   case-sensitive and the loader reports them in whatever case the import
   table used, so they are compared case-insensitively below. */
#define modAllowedSize  11
const char modAllowedArray[][255] = {
  "ADVAPI32.DLL",
  "ntdll.dll",
  "RPCRT4.dll",
  "Secur32.dll",
  "PSAPI.DLL",
  "kernel32.dll",
  "USER32.dll",
  "GDI32.dll",
  "MSVCR90.dll",
  "IMM32.DLL",
  "Killing Bad Threads.exe"
};

/* Returns nonzero if baseName matches a whitelist entry (whole name, not
   just the first character). */
static int IsModuleAllowed( const char *baseName )
{
  int j;
  for( j = 0; j < modAllowedSize; j++ )
    if( _stricmp( modAllowedArray[j], baseName ) == 0 )
      return 1;
  return 0;
}

int WINAPI WinMain( HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd )
{
  HMODULE modArray[1024];
  DWORD   cbNeeded;      /* bytes needed for all handles, set by EnumProcessModules */
  DWORD   modNumber, i;
  char    modFileName[MAX_PATH];

  if( !EnumProcessModules( GetCurrentProcess( ), modArray, sizeof( modArray ), &cbNeeded ) )
  {
    MessageBoxA( 0, "EnumProcessModules failed.", "Fatal error", MB_OK );
    return -1;
  }

  /* More modules than modArray can hold: the list is truncated, so refuse
     to pass judgement on a partial view. */
  if( cbNeeded > sizeof( modArray ) )
    return -1;

  modNumber = cbNeeded / sizeof( HMODULE );
  for( i = 0; i < modNumber; i++ )
  {
    const char *baseName;

    /* Fail closed: a module whose name cannot be read is treated as unknown. */
    if( GetModuleFileNameA( modArray[i], modFileName, sizeof( modFileName ) ) == 0 )
      baseName = "<unreadable module name>";
    else
    {
      /* Keep only the part after the last backslash. */
      baseName = strrchr( modFileName, '\\' );
      baseName = baseName ? baseName + 1 : modFileName;
    }

    /* Every loaded module must be on the list. Counting matches and
       comparing the count to the list size is not enough: an extra,
       unlisted module would slip through as long as all eleven expected
       ones were present. */
    if( !IsModuleAllowed( baseName ) )
    {
      MessageBoxA( 0, baseName, "Unknown module loaded to memory!", MB_OK );
      exit( -1 );
    }
  }

  MessageBoxA( 0, "Nothing evil detected.", "Success?", MB_OK );

  return( EXIT_SUCCESS );
}


3 Responses to “Check for loaded modules that aren’t whitelisted”

  1. You’re kidding.. right? Stop posting all this dumb shit and think about what you’re submitting. Or at least check the entire path of each module.

    2. majii

      This serves as a base for what you may want to do with each module: compare it to a hash table for different modules on different versions of Windows (while ensuring the specific version of Windows is supported), check for blacklisted module names, etc.

      “think about what you’re submitting. Or at least check the entire path of each module.” – anything not relating to an instance where I’m limited to a privacy policy (e.g. typically anyone I’ve freelanced for is an example of that), I’ll end up submitting here. What’s wrong with that?

  3. 4e4en

    This isn’t the best method to check whether a module is whitelisted. A better approach would be to hash the valid names with a zombie hash and store just the DWORDs of all valid DLLs, so if someone starts analysing your file it is harder to find out which DLLs are allowed to be loaded.

    Zombie Hash:

    .while BYTE PTR[EDI] != 0
    MOV DL,BYTE PTR[EDI]
    ROL EBX,7
    XOR BL,DL
    INC EDI
    .endw
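
As an added example (not code from the post or from 4e4en’s comment), here is the loop above rendered in C and used the way the comment proposes: the binary keeps only DWORD hashes of the allowed base names and hashes each loaded module’s name before the lookup. Two assumptions the asm leaves open are made explicit: EBX starts at 0, and names are lower-cased before hashing (the asm is case-sensitive, but Windows module names are not, and the loader reports “KERNEL32.DLL” or “kernel32.dll” depending on the import table). The module paths are constructed stand-ins for what EnumProcessModules and GetModuleFileName would return.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

/* C rendering of the quoted "zombie hash" loop:
 *   ROL EBX,7 ; XOR BL,DL   for every byte up to the NUL terminator.
 * EBX is assumed to start at 0 (the comment does not say). Note that the
 * XOR only touches the low byte; the upper bytes are filled by rotation. */
uint32_t zombie_hash(const char *s)
{
    uint32_t h = 0;
    for (; *s; s++) {
        h = (h << 7) | (h >> 25);   /* ROL EBX,7 */
        h ^= (uint8_t)*s;           /* XOR BL,DL */
    }
    return h;
}

/* Fold to lower case before hashing so "NTDLL.DLL" and "ntdll.dll" agree
 * (assumption added here; Windows module names are case-insensitive). */
uint32_t module_name_hash(const char *name)
{
    char buf[260];
    size_t i;
    for (i = 0; name[i] && i < sizeof buf - 1; i++)
        buf[i] = (char)tolower((unsigned char)name[i]);
    buf[i] = '\0';
    return zombie_hash(buf);
}

/* "C:\Windows\System32\ntdll.dll" -> "ntdll.dll" */
const char *module_base_name(const char *path)
{
    const char *slash = strrchr(path, '\\');
    return slash ? slash + 1 : path;
}

/* The whitelist as it would ship: DWORD hashes only. They are derived from
 * the names at startup here so the example is self-checking; a shipped
 * build would paste the numbers and drop the strings. */
static const char *const kAllowedNames[] = {
    "advapi32.dll", "ntdll.dll", "rpcrt4.dll", "secur32.dll", "psapi.dll",
    "kernel32.dll", "user32.dll", "gdi32.dll", "msvcr90.dll", "imm32.dll",
    "killing bad threads.exe",
};
#define kAllowedCount (sizeof kAllowedNames / sizeof kAllowedNames[0])
static uint32_t kAllowedHashes[kAllowedCount];

void build_whitelist(void)
{
    size_t i;
    for (i = 0; i < kAllowedCount; i++)
        kAllowedHashes[i] = module_name_hash(kAllowedNames[i]);
}

/* Returns 1 if the module at `path` hashes to a whitelisted value. A 32-bit
 * hash can collide, so this is a name-hiding trick, not an integrity check. */
int module_allowed(const char *path)
{
    static int built = 0;
    uint32_t h;
    size_t i;
    if (!built) { build_whitelist(); built = 1; }
    h = module_name_hash(module_base_name(path));
    for (i = 0; i < kAllowedCount; i++)
        if (kAllowedHashes[i] == h)
            return 1;
    return 0;
}

/* Constructed sample module list with one entry that is not on the list. */
static const char *const kSampleModules[] = {
    "C:\\Program Files\\Killing Bad Threads.exe",
    "C:\\Windows\\System32\\ntdll.dll",
    "C:\\Windows\\system32\\KERNEL32.DLL",
    "C:\\Users\\x\\AppData\\Local\\Temp\\hookme.dll",
};

/* Walks the sample list and returns how many modules are not whitelisted. */
int count_unknown_modules(void)
{
    int unknown = 0;
    size_t i;
    for (i = 0; i < sizeof kSampleModules / sizeof kSampleModules[0]; i++)
        if (!module_allowed(kSampleModules[i])) {
            printf("Unknown module: %s\n", kSampleModules[i]);
            unknown++;
        }
    return unknown;
}

int main(void)
{
    return count_unknown_modules() == 1 ? 0 : 1;
}
```

Hiding the names only raises the bar for someone reading strings out of the file; anyone who finds the hash loop can run it over the directory listing of System32 and recover the list, and the check still executes inside the very process an injected DLL controls.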