Whitelist Module sample: Quick update

17Jul09

In this sample, we check whether more than one module reports a base image address of 0x00000000. The executable itself will report that value; some modules attempt to hide by erasing their information from the _MODULEINFO structure, so GetModuleInformation returns 0x00000000 as the base address of such a module. In the end, this works nicely for detecting some hidden modules. I also included a quick comment with an example of loading other information gathered from the structure into an allocated buffer, for building a more advanced whitelist that is not based on the easily spoofed module name.

#define WIN32_LEAN_AND_MEAN
#define VC_EXTRALEAN

#include <windows.h>
#include <Psapi.h>
#include <stdlib.h>
#include <string.h>
#include <strsafe.h>

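/* Address range 0x00401000-0x004019FE; not referenced by the code shown
 * here (presumably kept for a code-section check elsewhere in the sample). */
#define CODEBEGIN		0x00401000
#define CODEEND			0x004019FE

/*
 * Whitelist of modules allowed in the process, identified by file name
 * with the directory part stripped. The .exe entry is presumably the
 * sample program itself. A file name is trivial to spoof; see the
 * comment in WinMain for fingerprinting by base address / image size.
 */
const char modAllowedArray[][255] = {
	"ADVAPI32.DLL",
	"ntdll.dll",
	"RPCRT4.dll",
	"Secur32.dll",
	"PSAPI.DLL",
	"kernel32.dll",
	"USER32.dll",
	"GDI32.dll",
	"MSVCR90.dll",
	"IMM32.DLL",
	"Killing Bad Threads.exe"
};

/* Number of whitelist entries, derived from the array itself so the count
 * cannot drift when an entry is added or removed. Cast to int because the
 * loop counters and match counters in WinMain are ints. */
#define modAllowedSize	( ( int ) ( sizeof( modAllowedArray ) / sizeof( modAllowedArray[0] ) ) )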

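/*
 * WinMain: enumerate the modules loaded in the current process and compare
 * each one's file name (directory stripped) against modAllowedArray.
 *
 * Counters kept during the walk:
 *   - noBaseAddress: whitelisted entries whose GetModuleInformation base
 *     address is 0, or which cannot be queried at all. The text above
 *     states that exactly one such entry (the executable itself) is the
 *     normal case; any other count is treated as a module hiding itself.
 *   - modAllowedQ: number of (module, whitelist entry) matches; fewer than
 *     modAllowedSize means an expected module is missing.
 *   - unknownModule: loaded modules that match no whitelist entry at all,
 *     which is what the "Unknown module" error text already claims to report.
 *
 * Returns EXIT_SUCCESS when nothing suspicious is found, -1 when the module
 * list does not fit in modArray; a detection shows a message box and calls
 * exit( -1 ).
 */
int WINAPI WinMain( HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd )
{
  HMODULE modArray[1024];
  DWORD modBytes = 0;            /* bytes needed by EnumProcessModules */
  int modAllowedQ = 0;
  int noBaseAddress = 0;
  int unknownModule = 0;
  char modFileName[MAX_PATH];

  if( EnumProcessModules( GetCurrentProcess( ), modArray, sizeof( modArray ), &modBytes ) )
  {
    /* EnumProcessModules truncates silently when the buffer is too small;
     * refuse to judge a partial list. */
    if( modBytes > sizeof( modArray ) )
      return( -1 );

    DWORD modCount = modBytes / sizeof( HMODULE );
    for( DWORD i = 0; i < modCount; i++ )
    {
      /* Fetch the path once per module, not once per whitelist entry. */
      DWORD len = GetModuleFileName( modArray[i], modFileName, sizeof( modFileName ) );
      if( len == 0 || len >= sizeof( modFileName ) )
      {
        /* No name, or a truncated path: it cannot be matched, so it is
         * treated as unknown rather than compared against stale data. */
        unknownModule++;
        continue;
      }

      /* Keep only the component after the last backslash. */
      const char *ModuleName = strrchr( modFileName, '\\' );
      ModuleName = ModuleName ? ModuleName + 1 : modFileName;

      int matched = 0;
      for( int j = 0; j < modAllowedSize; j++ )
      {
        /* Compare the whole name, case-insensitively (Windows file names
         * are), instead of only the first character. */
        if( _stricmp( modAllowedArray[j], ModuleName ) != 0 )
          continue;
        matched = 1;

        MODULEINFO modInfo = { 0 };
        HMODULE hAllowed = GetModuleHandle( modAllowedArray[j] );
        /* A failed lookup or query leaves lpBaseOfDll at NULL, so it is
         * counted below exactly like a module that reports a base of 0,
         * instead of reading an uninitialized structure. */
        if( hAllowed == NULL ||
            !GetModuleInformation( GetCurrentProcess( ), hAllowed, &modInfo, sizeof( modInfo ) ) )
          modInfo.lpBaseOfDll = NULL;
        // To fingerprint modules by base address, entry point or image size
        // instead of the easily spoofed name, format the fields of modInfo
        // into a buffer here, for example:
        //   char modInfoTemp[255];
        //   StringCchPrintfA( modInfoTemp, sizeof( modInfoTemp ), "%p", modInfo.lpBaseOfDll );
        if( modInfo.lpBaseOfDll == NULL )
          noBaseAddress++;
        modAllowedQ++;
      }
      if( !matched )
        unknownModule++;
    }

    if( noBaseAddress != 1 || modAllowedQ < modAllowedSize || unknownModule > 0 )
    {
      MessageBox( 0, "Unknown module loaded to memory!", "Fatal error", MB_OK );
      exit( -1 );
    }
  }

  MessageBox( 0, "Nothing evil detected.", "Success?", MB_OK );

  return( EXIT_SUCCESS );
}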