Wednesday, December 28, 2005
ANTI DLL INJECTION - A "C++" PORT
Since I released the asm version some time ago, I thought it would be a nice gift to also release a C++ port of it.
The following source lists every module registered in the process's loader list (InLoadOrderModuleList), flags anything other than ntdll.dll and kernel32.dll as injected, and prints the process's thread count.
The compiled output should look like the sample below. If you see more DLLs or more threads in the process, there can be several reasons:
1. anti-dialer/trojan/virus software is installed / or some firewall app
2. you got infected by some malware
This can also be used as a rough indicator of infection. Keep its limits in mind: the module check is a two-entry whitelist, so any legitimately loaded extra DLL is reported as "injected" too, and the walk only sees modules that the loader registered in its list, so code mapped into the process by other means will not appear in the output.
-------------------------------------------------------
Detecting injected DLL's v0.1
Process Environment Block found @ 0x7FFDF000
PEB_LDR_DATA found @ 0x00241E90
InLoadOrderModuleListHead found @ 0x00241EC0
===[ THIS MODULE ]===
ExeModuleFileName found @ 0x00020A28
ExeModuleName = G:\readtree.exe
===[ MODULES ]===
ModuleFileName found @ 0x77FB1618
ModuleName = E:\WINDOWS\System32\ntdll.dll - DLL OKAY!
ModuleFileName found @ 0x00241F70
ModuleName = E:\WINDOWS\system32\kernel32.dll - DLL OKAY!
===[ THREADS ]===
Active TH_CTR : 00000001
-------------------------------------------------------
#include "stdafx.h"
#include "windows.h"
#include "stdio.h"
// Defined at the bottom of the file: reads fs:[0x30] (32-bit x86 TEB->PEB).
DWORD GetPEB();
// Scratch slot GetPEB's inline asm uses to hand eax back to C.
DWORD result;
// Real (undocumented) ntdll prototype for reference:
//   NTSTATUS NTAPI NtQuerySystemInformation(
//       SYSTEM_INFORMATION_CLASS SystemInformationClass,
//       PVOID SystemInformation,
//       ULONG SystemInformationLength,
//       PULONG ReturnLength);
// The typedef below flattens every parameter to DWORD and the NTSTATUS to
// BOOL. The sizes match on 32-bit x86, but the return value is a status
// code (0 == STATUS_SUCCESS, negative == failure), not a boolean, so do not
// test it as one.
typedef BOOL (__stdcall *_NtQuerySystemInformation)(DWORD x,DWORD y,DWORD z,DWORD b);
// Resolved at run time via GetProcAddress in main (ntdll export, no import library needed).
_NtQuerySystemInformation NtQuerySystemInformation;
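// Converts the NUL-terminated UTF-16 string at wide (a FullDllName.Buffer
// pointer, possibly 0) into the ANSI code page in out[0..outlen).
// out is always NUL-terminated. A null pointer or a failed/truncated
// conversion (WideCharToMultiByte returns 0 and may leave out unterminated)
// yields "?" so the module walk keeps going instead of printing garbage.
static void ModuleNameToAnsi(DWORD wide, char *out, int outlen)
{
	if (outlen <= 0)
		return;
	out[0] = '\0';
	if (wide != 0 &&
	    WideCharToMultiByte(CP_ACP,0,(LPCWSTR)wide,-1,out,outlen,NULL,NULL) != 0)
		return;
	if (outlen > 1)
	{
		out[0] = '?';
		out[1] = '\0';
	}
}

// True when the (already lower-cased) full path names one of the two DLLs
// the whitelist accepts. Only the file name after the last '\\' is compared:
// the original strstr() on the whole path accepted any path merely
// containing "ntdll.dll" or "kernel32.dll" as a substring (e.g. a directory
// with that name, or "ntdll.dll.something"), which an injected module could
// exploit to be reported as "DLL OKAY!".
static int IsBaselineModule(const char *lowerpath)
{
	const char *base = strrchr(lowerpath, '\\');
	base = (base != NULL) ? base + 1 : lowerpath;
	return strcmp(base, "kernel32.dll") == 0 || strcmp(base, "ntdll.dll") == 0;
}

// Walks the SYSTEM_PROCESS_INFORMATION records that
// NtQuerySystemInformation(SystemProcessInformation) wrote into buf[0..len)
// and prints the thread count of the record whose UniqueProcessId is pid.
// 32-bit layout used: +0x00 NextEntryOffset (0 on the last record),
// +0x04 NumberOfThreads, +0x44 UniqueProcessId. Never touches memory past
// buf+len, even if a record's NextEntryOffset is inconsistent.
static void ReportThreadCount(DWORD buf, DWORD len, DWORD pid)
{
	DWORD rec = buf;
	for (;;)
	{
		// every field read below lies within the first 0x48 bytes of a record
		if (rec < buf || rec + 0x48 > buf + len)
			break;
		if (*(DWORD*)(rec+0x44) == pid)
		{
			printf ("\nActive TH_CTR : %8.8X\n",*(DWORD*)(rec+4));
		}
		DWORD next = *(DWORD*)rec;
		if (next == 0)
			break;
		rec += next;
	}
}

// Entry point. Everything here assumes 32-bit x86 Windows: GetPEB reads
// fs:[0x30], and every +0x.. offset below comes from the 32-bit PEB,
// PEB_LDR_DATA, LDR_DATA_TABLE_ENTRY and SYSTEM_PROCESS_INFORMATION layouts.
// Prints the PEB/loader addresses, the exe's own name, one line per other
// module in InLoadOrderModuleList marked "DLL OKAY!" (ntdll/kernel32) or
// "DLL INJECTED!" (anything else), then the process's thread count.
// Always returns 0; a failure in the thread section is printed, not fatal.
int main(int argc, char* argv[])
{
	(void)argc;
	(void)argv;
	// One stack buffer reused for every name. The original new[]'d a fresh
	// 255-byte buffer per module and never freed any of them.
	char ansistr[256];

	printf ("Detecting injected DLL's v0.1\n\n");

	// GRAB PEB
	DWORD pPEB = GetPEB ();
	printf ("Process Environment Block found @ 0x%8.8X\n",pPEB);
	// PEB+0x0C = Ldr (PEB_LDR_DATA*)
	DWORD PEB_LDR_DATA = *(DWORD*)(pPEB+0x0C);
	printf ("PEB_LDR_DATA found @ 0x%8.8X\n",PEB_LDR_DATA);
	// PEB_LDR_DATA+0x0C = InLoadOrderModuleList, a LIST_ENTRY head. The head
	// is not a module itself; the walk ends when Flink leads back to it.
	DWORD ListHead = PEB_LDR_DATA+0x0C;
	DWORD Entry = *(DWORD*)ListHead;   // head.Flink = first LDR_DATA_TABLE_ENTRY (the exe)
	printf ("InLoadOrderModuleListHead found @ 0x%8.8X\n\n",Entry);

	// CURRENT FILE -- FIRST ENTRY
	printf ("===[ THIS MODULE ]===\n\n");
	// LDR_DATA_TABLE_ENTRY+0x24 = FullDllName (UNICODE_STRING); +0x28 = its Buffer
	DWORD ModuleFileName = *(DWORD*)(Entry+0x28);
	printf ("ExeModuleFileName found @ 0x%8.8X\n",ModuleFileName);
	ModuleNameToAnsi(ModuleFileName, ansistr, sizeof ansistr);
	printf ("ExeModuleName = %s\n",ansistr);
	Entry = *(DWORD*)Entry;   // InLoadOrderLinks.Flink

	// START LOOPING
	printf ("\n\n===[ MODULES ]===\n\n");
	// Only modules the loader registered in this list are visible here; code
	// mapped into the process by other means is not in it. Anything outside
	// the two-entry whitelist is reported as injected, so a legitimately
	// loaded extra DLL is reported as well.
	while (Entry != ListHead)
	{
		ModuleFileName = *(DWORD*)(Entry+0x28);
		printf ("ModuleFileName found @ 0x%8.8X\n",ModuleFileName);
		ModuleNameToAnsi(ModuleFileName, ansistr, sizeof ansistr);
		printf ("ModuleName = %s",ansistr);
		_strlwr(ansistr);
		if (IsBaselineModule(ansistr))
		{
			printf (" - DLL OKAY!\n");
		}
		else
		{
			printf (" - DLL INJECTED!\n");
		}
		Entry = *(DWORD*)Entry;
	}

	//
	// DETECT AND DISPLAY NUMBER OF RUNNING THREADS
	//
	HINSTANCE aHandle = LoadLibrary ("ntdll.dll");
	if (aHandle != 0)
	{
		NtQuerySystemInformation = (_NtQuerySystemInformation) GetProcAddress (aHandle,"NtQuerySystemInformation");
		if (NtQuerySystemInformation != 0)
		{
			printf ("\n\n===[ THREADS ]===\n");
			const DWORD BufLen = 0x50000;
			DWORD BufX = (DWORD) GlobalAlloc (GMEM_ZEROINIT,BufLen);
			if (BufX != 0)
			{
				// 5 = SystemProcessInformation. The call returns an NTSTATUS
				// (0 == STATUS_SUCCESS). The original ignored it: when the fixed
				// 0x50000-byte buffer is too small for the process list the call
				// fails (STATUS_INFO_LENGTH_MISMATCH), the buffer stays zeroed and
				// the walk silently printed nothing. Report that instead.
				DWORD ReturnLength = 0;
				DWORD status = (DWORD) NtQuerySystemInformation (5,BufX,BufLen,(DWORD)&ReturnLength);
				if (status != 0)
				{
					printf ("NtQuerySystemInformation failed, status 0x%8.8X (%8.8X bytes needed)\n",status,ReturnLength);
				}
				else
				{
					ReportThreadCount (BufX, BufLen, GetCurrentProcessId ());
				}
				GlobalFree ((HGLOBAL)BufX);
			}
		}
		FreeLibrary (aHandle);
	}
	return 0;
}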
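// Returns the address of the current process's PEB by reading
// TEB->ProcessEnvironmentBlock, which lives at fs:[0x30] on 32-bit x86
// Windows. MSVC inline asm, x86 only (no x64 build possible as written).
// The value is passed back through a local instead of the file-scope
// 'result' global, so the function no longer depends on shared state.
DWORD GetPEB()
{
	DWORD peb = 0;
	__asm
	{
		mov eax, dword ptr fs:[0x30]
		mov peb, eax
	}
	return peb;
}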
The following source lists every module registered in the process's loader list (InLoadOrderModuleList), flags anything other than ntdll.dll and kernel32.dll as injected, and prints the process's thread count.
The compiled output should look like the sample below. If you see more DLLs or more threads in the process, there can be several reasons:
1. anti-dialer/trojan/virus software is installed / or some firewall app
2. you got infected by some malware
This can also be used as a rough indicator of infection. Keep its limits in mind: the module check is a two-entry whitelist, so any legitimately loaded extra DLL is reported as "injected" too, and the walk only sees modules that the loader registered in its list, so code mapped into the process by other means will not appear in the output.
-------------------------------------------------------
Detecting injected DLL's v0.1
Process Environment Block found @ 0x7FFDF000
PEB_LDR_DATA found @ 0x00241E90
InLoadOrderModuleListHead found @ 0x00241EC0
===[ THIS MODULE ]===
ExeModuleFileName found @ 0x00020A28
ExeModuleName = G:\readtree.exe
===[ MODULES ]===
ModuleFileName found @ 0x77FB1618
ModuleName = E:\WINDOWS\System32\ntdll.dll - DLL OKAY!
ModuleFileName found @ 0x00241F70
ModuleName = E:\WINDOWS\system32\kernel32.dll - DLL OKAY!
===[ THREADS ]===
Active TH_CTR : 00000001
-------------------------------------------------------
#include "stdafx.h"
#include "windows.h"
#include "stdio.h"
// Defined at the bottom of the file: reads fs:[0x30] (32-bit x86 TEB->PEB).
DWORD GetPEB();
// Scratch slot GetPEB's inline asm uses to hand eax back to C.
DWORD result;
// Real (undocumented) ntdll prototype for reference:
//   NTSTATUS NTAPI NtQuerySystemInformation(
//       SYSTEM_INFORMATION_CLASS SystemInformationClass,
//       PVOID SystemInformation,
//       ULONG SystemInformationLength,
//       PULONG ReturnLength);
// The typedef below flattens every parameter to DWORD and the NTSTATUS to
// BOOL. The sizes match on 32-bit x86, but the return value is a status
// code (0 == STATUS_SUCCESS, negative == failure), not a boolean, so do not
// test it as one.
typedef BOOL (__stdcall *_NtQuerySystemInformation)(DWORD x,DWORD y,DWORD z,DWORD b);
// Resolved at run time via GetProcAddress in main (ntdll export, no import library needed).
_NtQuerySystemInformation NtQuerySystemInformation;
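// Converts the NUL-terminated UTF-16 string at wide (a FullDllName.Buffer
// pointer, possibly 0) into the ANSI code page in out[0..outlen).
// out is always NUL-terminated. A null pointer or a failed/truncated
// conversion (WideCharToMultiByte returns 0 and may leave out unterminated)
// yields "?" so the module walk keeps going instead of printing garbage.
static void ModuleNameToAnsi(DWORD wide, char *out, int outlen)
{
	if (outlen <= 0)
		return;
	out[0] = '\0';
	if (wide != 0 &&
	    WideCharToMultiByte(CP_ACP,0,(LPCWSTR)wide,-1,out,outlen,NULL,NULL) != 0)
		return;
	if (outlen > 1)
	{
		out[0] = '?';
		out[1] = '\0';
	}
}

// True when the (already lower-cased) full path names one of the two DLLs
// the whitelist accepts. Only the file name after the last '\\' is compared:
// the original strstr() on the whole path accepted any path merely
// containing "ntdll.dll" or "kernel32.dll" as a substring (e.g. a directory
// with that name, or "ntdll.dll.something"), which an injected module could
// exploit to be reported as "DLL OKAY!".
static int IsBaselineModule(const char *lowerpath)
{
	const char *base = strrchr(lowerpath, '\\');
	base = (base != NULL) ? base + 1 : lowerpath;
	return strcmp(base, "kernel32.dll") == 0 || strcmp(base, "ntdll.dll") == 0;
}

// Walks the SYSTEM_PROCESS_INFORMATION records that
// NtQuerySystemInformation(SystemProcessInformation) wrote into buf[0..len)
// and prints the thread count of the record whose UniqueProcessId is pid.
// 32-bit layout used: +0x00 NextEntryOffset (0 on the last record),
// +0x04 NumberOfThreads, +0x44 UniqueProcessId. Never touches memory past
// buf+len, even if a record's NextEntryOffset is inconsistent.
static void ReportThreadCount(DWORD buf, DWORD len, DWORD pid)
{
	DWORD rec = buf;
	for (;;)
	{
		// every field read below lies within the first 0x48 bytes of a record
		if (rec < buf || rec + 0x48 > buf + len)
			break;
		if (*(DWORD*)(rec+0x44) == pid)
		{
			printf ("\nActive TH_CTR : %8.8X\n",*(DWORD*)(rec+4));
		}
		DWORD next = *(DWORD*)rec;
		if (next == 0)
			break;
		rec += next;
	}
}

// Entry point. Everything here assumes 32-bit x86 Windows: GetPEB reads
// fs:[0x30], and every +0x.. offset below comes from the 32-bit PEB,
// PEB_LDR_DATA, LDR_DATA_TABLE_ENTRY and SYSTEM_PROCESS_INFORMATION layouts.
// Prints the PEB/loader addresses, the exe's own name, one line per other
// module in InLoadOrderModuleList marked "DLL OKAY!" (ntdll/kernel32) or
// "DLL INJECTED!" (anything else), then the process's thread count.
// Always returns 0; a failure in the thread section is printed, not fatal.
int main(int argc, char* argv[])
{
	(void)argc;
	(void)argv;
	// One stack buffer reused for every name. The original new[]'d a fresh
	// 255-byte buffer per module and never freed any of them.
	char ansistr[256];

	printf ("Detecting injected DLL's v0.1\n\n");

	// GRAB PEB
	DWORD pPEB = GetPEB ();
	printf ("Process Environment Block found @ 0x%8.8X\n",pPEB);
	// PEB+0x0C = Ldr (PEB_LDR_DATA*)
	DWORD PEB_LDR_DATA = *(DWORD*)(pPEB+0x0C);
	printf ("PEB_LDR_DATA found @ 0x%8.8X\n",PEB_LDR_DATA);
	// PEB_LDR_DATA+0x0C = InLoadOrderModuleList, a LIST_ENTRY head. The head
	// is not a module itself; the walk ends when Flink leads back to it.
	DWORD ListHead = PEB_LDR_DATA+0x0C;
	DWORD Entry = *(DWORD*)ListHead;   // head.Flink = first LDR_DATA_TABLE_ENTRY (the exe)
	printf ("InLoadOrderModuleListHead found @ 0x%8.8X\n\n",Entry);

	// CURRENT FILE -- FIRST ENTRY
	printf ("===[ THIS MODULE ]===\n\n");
	// LDR_DATA_TABLE_ENTRY+0x24 = FullDllName (UNICODE_STRING); +0x28 = its Buffer
	DWORD ModuleFileName = *(DWORD*)(Entry+0x28);
	printf ("ExeModuleFileName found @ 0x%8.8X\n",ModuleFileName);
	ModuleNameToAnsi(ModuleFileName, ansistr, sizeof ansistr);
	printf ("ExeModuleName = %s\n",ansistr);
	Entry = *(DWORD*)Entry;   // InLoadOrderLinks.Flink

	// START LOOPING
	printf ("\n\n===[ MODULES ]===\n\n");
	// Only modules the loader registered in this list are visible here; code
	// mapped into the process by other means is not in it. Anything outside
	// the two-entry whitelist is reported as injected, so a legitimately
	// loaded extra DLL is reported as well.
	while (Entry != ListHead)
	{
		ModuleFileName = *(DWORD*)(Entry+0x28);
		printf ("ModuleFileName found @ 0x%8.8X\n",ModuleFileName);
		ModuleNameToAnsi(ModuleFileName, ansistr, sizeof ansistr);
		printf ("ModuleName = %s",ansistr);
		_strlwr(ansistr);
		if (IsBaselineModule(ansistr))
		{
			printf (" - DLL OKAY!\n");
		}
		else
		{
			printf (" - DLL INJECTED!\n");
		}
		Entry = *(DWORD*)Entry;
	}

	//
	// DETECT AND DISPLAY NUMBER OF RUNNING THREADS
	//
	HINSTANCE aHandle = LoadLibrary ("ntdll.dll");
	if (aHandle != 0)
	{
		NtQuerySystemInformation = (_NtQuerySystemInformation) GetProcAddress (aHandle,"NtQuerySystemInformation");
		if (NtQuerySystemInformation != 0)
		{
			printf ("\n\n===[ THREADS ]===\n");
			const DWORD BufLen = 0x50000;
			DWORD BufX = (DWORD) GlobalAlloc (GMEM_ZEROINIT,BufLen);
			if (BufX != 0)
			{
				// 5 = SystemProcessInformation. The call returns an NTSTATUS
				// (0 == STATUS_SUCCESS). The original ignored it: when the fixed
				// 0x50000-byte buffer is too small for the process list the call
				// fails (STATUS_INFO_LENGTH_MISMATCH), the buffer stays zeroed and
				// the walk silently printed nothing. Report that instead.
				DWORD ReturnLength = 0;
				DWORD status = (DWORD) NtQuerySystemInformation (5,BufX,BufLen,(DWORD)&ReturnLength);
				if (status != 0)
				{
					printf ("NtQuerySystemInformation failed, status 0x%8.8X (%8.8X bytes needed)\n",status,ReturnLength);
				}
				else
				{
					ReportThreadCount (BufX, BufLen, GetCurrentProcessId ());
				}
				GlobalFree ((HGLOBAL)BufX);
			}
		}
		FreeLibrary (aHandle);
	}
	return 0;
}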
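// Returns the address of the current process's PEB by reading
// TEB->ProcessEnvironmentBlock, which lives at fs:[0x30] on 32-bit x86
// Windows. MSVC inline asm, x86 only (no x64 build possible as written).
// The value is passed back through a local instead of the file-scope
// 'result' global, so the function no longer depends on shared state.
DWORD GetPEB()
{
	DWORD peb = 0;
	__asm
	{
		mov eax, dword ptr fs:[0x30]
		mov peb, eax
	}
	return peb;
}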