Posted (edited)

This is an idea I've been toying around with since writing my _WinApiHook UDF. This little app will let you view all modules loaded by a process. You can selectively unload a module, or inject a module of your own. I think this could be useful to help remove viruses or malware, but is more of a development tool I suppose. It has some fun tooltip and resizing code too :)

Note: Not all modules can be unloaded. I don't have a workaround (if there is one) at the moment.

Update v1.0.0.1

- Removed *.exe from the open file dialog

(v1.0.0.0 downloads: 32)

ModuleSpy.zip

Edited by wraithdu
Posted (edited)

Can you be more specific? What module are you trying to inject into what process? OS? Link to DLL? I can't troubleshoot with no info.

BTW, unloading and injection are tested and working on Vista.

Edited by wraithdu
Posted (edited)

Sorry, you can't inject a compiled script, only a DLL. I kinda misread the MSDN page and mistakenly included the EXE extension in the file open dialog (although my syntax error prevents it from opening EXEs anyway :)). You can use LoadLibrary on an EXE file, but it only provides a handle for use with LoadResource / FindResource.

I'll update the first post.

Edited by wraithdu
Posted

Really Nice, wraithdu!!

I have no intention to inject anything. All the information looks great even the tool-tip info.

This is very informative as to.... "what is really going on here!!!"

I think this could help immensely with virus detection!!

Thanks for sharing

8)


Posted (edited)

Thanks for the support!

Virus detection / removal was my primary thought. I'm very careful and my system has never been infected (knock on wood). But I've had to disinfect many other systems, and I hate finding the offending DLLs and not being able to remove them (easily) because they're loaded and in use. Hopefully this can help with that problem.

I'm toying with the idea of a search function to help with that end as well.

Edited by wraithdu
Posted

I've seen your script. What I meant, was to be able to search all processes for a specific module. So if you identified a virus / malware on your system, you could find out into what processes it has been loaded and, hopefully, unload it.

Posted

Of Course!!!

I meant as an introduction to the depth you need to go. There are many malware programs that replace known or system processes. If there is one that "may" be malware, you could check the modules that should or should not be present.

8)

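The search function wraithdu describes (find which processes have a given module loaded) and the "should this module be here" check from the reply above, written as an added PowerShell example. It is not ModuleSpy's code and not anything posted in this thread; the DLL name 'suspect.dll' is a constructed placeholder, and the "trusted" directories are an assumption you may need to widen for your system.

```powershell
function Find-LoadedModule {
    [CmdletBinding()]
    param(
        # Module file name to look for, e.g. 'suspect.dll' (placeholder).
        # When omitted, every module loaded from outside the Windows and
        # Program Files directories is reported instead.
        [string] $Name
    )
    # Assumed "expected" locations; anything loaded from elsewhere gets flagged.
    $trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\*' }

    foreach ($proc in Get-Process) {
        try {
            # .Modules throws for processes this account cannot open
            # (protected processes, other sessions, already exited); skip them.
            $modules = $proc.Modules
        } catch {
            Write-Verbose ("Skipping {0} (PID {1}): {2}" -f $proc.ProcessName, $proc.Id, $_.Exception.Message)
            continue
        }
        foreach ($m in $modules) {
            $path = $m.FileName
            $inTrusted = [bool]($trusted | Where-Object { $path -like $_ } | Select-Object -First 1)
            $match = if ($Name) { $m.ModuleName -ieq $Name } else { -not $inTrusted }
            if (-not $match) { continue }
            [pscustomobject]@{
                ProcessName = $proc.ProcessName
                PID         = $proc.Id
                Module      = $m.ModuleName
                Path        = $path
                # Authenticode status (Valid / NotSigned / HashMismatch ...) of the file on disk
                Signature   = (Get-AuthenticodeSignature -FilePath $path).Status
            }
        }
    }
}

# Which processes have the placeholder DLL loaded?
Find-LoadedModule -Name 'suspect.dll' | Format-Table -AutoSize
# Everything loaded from an unexpected location, one line per distinct file.
Find-LoadedModule | Sort-Object Path -Unique | Format-Table -AutoSize
```

Run it from an elevated prompt so that more processes can be opened; a 32-bit PowerShell cannot read the modules of 64-bit processes, so use the 64-bit host on a 64-bit system.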

Posted (edited)

Hi!

Good work wraithdu!

Your code is much easier to read than mine!

Thanks for being first to comment on my app, slightly reminiscent of yours:

http://www.autoitscript.com/forum/index.php?showtopic=84939

I think your app is a given complement to your UDF.

But for security I would still choose mine... :)

btw, I finally figured out a way to get the command line NOT using WMI.

It's a little rough. Please test it if you have time.

http://www.autoitscript.com/forum/index.php?showtopic=88214

/Manko

Edited by Manko
Yes I rush things! (I sorta do small bursts in between doing nothing.) Things I have rushed and re-rushed:

- ProDLLer - Process manager - Unload viri modules (dll) and moore...
- _WinAPI_ProcessListOWNER_WTS() - Get Processes owner list...
- _WinAPI_GetCommandLineFromPID() - Get commandline of target process...
- _WinAPI_ThreadsnProcesses() Much info if expanded - optional Indented "Parent/Child"-style Processlist.

Moore to come... eventually...

Posted

Thanks. I didn't realize your app unloaded modules also. Eh, I'm not really developing mine anymore after I put in a search function. It was just an idea I had that I wanted to see in action.

Keep up the good work on ModHelper though, it's become quite a full-featured app!
