wraithdu Posted January 21, 2009 Posted January 21, 2009 (edited) This is an idea I've been toying around with since writing my _WinApiHook UDF. This little app will let you view all modules loaded by a process. You can selectively unload a module, or inject a module of your own. I think this could be useful to help remove viruses or malware, but is more of a development tool I suppose. It has some fun tooltip and resizing code too Note: Not all modules can be unloaded. I don't have a workaround (if there is one) at the moment.Update v1.0.0.1- Removed *.exe from the open file dialog(v1.0.0.0 downloads: 32)ModuleSpy.zip Edited January 22, 2009 by wraithdu
wraithdu Posted January 22, 2009 Author Posted January 22, 2009 (edited) Can you be more specific? What module are you trying to inject into what process? OS? Link to DLL? I can't troubleshoot with no info. BTW, unloading and injection are tested and working on Vista. Edited January 22, 2009 by wraithdu
ZeR0 Posted January 22, 2009 Posted January 22, 2009 I triyin to inyect 1 script to explorer.exe I have Windows XP SP2
wraithdu Posted January 22, 2009 Author Posted January 22, 2009 (edited) Sorry, you can't inject a compiled script, only a DLL. I kinda misread the MSDN page and mistakenly included the EXE entension in the fileopen dialog (although my syntax error prevents it from opening EXEs anyway ) You can use LoadLibrary on an EXE file, but it only provides a handle for use with LoadResource / FindResource.I'll update the first post. Edited January 22, 2009 by wraithdu
ZeR0 Posted January 22, 2009 Posted January 22, 2009 Hi, i need inyect .exe files, its posible using autoit?
wraithdu Posted January 22, 2009 Author Posted January 22, 2009 (edited) No, it's not possible using anything. Edited January 22, 2009 by wraithdu
Valuater Posted January 22, 2009 Posted January 22, 2009 Really Nice, wraithdu!!I have no intention to inject anything. All the information looks great even the tool-tip info. This is very informative as to.... "what is really going on here!!!"I think this could help emensly with virus detection!!Thanks for sharing8)
wraithdu Posted January 22, 2009 Author Posted January 22, 2009 (edited) Thanks for the support! Virus detection / removal was my primary thought. I'm very careful and my system has never been infected (knock on wood). But I've had to disinfect many other systems, and I hate finding the offending DLLs and not being able to remove them (easily) because they're loaded and in use. Hopefully this can help with that problem. I'm toying with the idea of a search function to help with that end as well. Edited January 22, 2009 by wraithdu
Valuater Posted January 22, 2009 Posted January 22, 2009 In my "MaXoFF" program, I have a function called _CheckMalwareProcess() ; "http://pcpitstop.com/libraries/process/topmalicous"It downloads, reads the file into an array then, gets all running processes and checks them for malware/virus.The site I read from states it's the top 100 malware programs processes.The function is actually very short and sweet!http://www.autoitscript.com/forum/index.ph...st&p=6252268)
wraithdu Posted January 22, 2009 Author Posted January 22, 2009 I've seen your script. What I meant, was to be able to search all processes for a specific module. So if you identified a virus / malware on your system, you could find out into what processes it has been loaded and, hopefully, unload it.
Valuater Posted January 23, 2009 Posted January 23, 2009 I've seen your script. What I meant, was to be able to search all processes for a specific module. So if you identified a virus / malware on your system, you could find out into what processes it has been loaded and, hopefully, unload it.Of Course!!!I meant as an introduction to the depth you need to go. There are many malware programs that replace know or system processes. if there is one that "may" be a malware, you could check the modules that should or should not be present.8)
Manko Posted January 23, 2009 Posted January 23, 2009 (edited) HI!Good work wraithdu!Your code is much easier to read than mine!Thanks for being first to comment my app, slightly reminiscent of yours:http://www.autoitscript.com/forum/index.php?showtopic=84939I think your app is a given complement to your UDF.But for security I would still choose mine... btw, I finally figured out a way to get commandline NOT using WMI.It's a little rough. Please test it if you have time.http://www.autoitscript.com/forum/index.php?showtopic=88214/Manko Edited January 23, 2009 by Manko Yes i rush things! (I sorta do small bursts inbetween doing nothing.) Things I have rushed and reRushed:* ProDLLer - Process manager - Unload viri modules (dll) and moore...* _WinAPI_ProcessListOWNER_WTS() - Get Processes owner list...* _WinAPI_GetCommandLineFromPID() - Get commandline of target process...* _WinAPI_ThreadsnProcesses() Much info if expanded - optional Indented "Parent/Child"-style Processlist. Moore to come... eventually...
wraithdu Posted January 23, 2009 Author Posted January 23, 2009 Thanks. I didn't realize your app unloaded modules also. Eh, I'm not really developing mine anymore after I put in a search function. It was just an idea I had that I wanted to see in action. Keep up the good work on ModHelper though, it's become quite a full-featured app!
FireFox Posted January 24, 2009 Posted January 24, 2009 (edited) @wraithdu Good job Cheers, FireFox. Edited January 24, 2009 by FireFox
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now