
Finddll.c - searches all running processes for module occurrency

文章作者:Piotr Bania
信息来源:邪恶八进制信息安全团队(www.eviloctal.com)

/*

DLL OCCURENCY FINDER UTILITY
it simply searches all running processes for a <DLL_NAME> occurency.

Very useful when detecting/removing malware. Imagine you
find a dll which you can't delete and you need to know
which process has it loaded...

coded by Piotr Bania <bania.piotr@gmail.com>

Sample usage:

  E:\projekty\finddll\Debug>finddll jar50.dll

....
[+] Searching in ping.exe (PID=0x564) for module occurency.
[+] Searching in firefox.exe (PID=0xFC4) for module occurency.

  • --- MODULE OCCURENCY FOUND ---
    [+] jar50.dll found in firefox.exe (PID=0xFC4)
    [+] jar50.dll base located at: 0x023c0000
    [+] jar50.dll handle in process: 0x23C0000
    [+] jar50.dll size of module: 0xD000 bytes
    [+] jar50.dll path: C:\Program Files\Mozilla Firefox\components\jar50.dll
  • --- PRESS ANY KEY TO CONTINUE ---
    ....

    */

    #include <stdio.h>
    #include <stdlib.h>
    #include <conio.h>
    #include <windows.h>
    #include <Tlhelp32.h>

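    int find_dll(char *filename);
    /* Must match the definition below: the original prototype omitted `filename`,
     * which is a conflicting-types error for a C compiler. */
    void display_info(char *filename, PROCESSENTRY32 pe32, MODULEENTRY32 me32);

    /* Number of matching modules reported so far; incremented by display_info(). */
    static int c = 0;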

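    /*
     * Entry point: prints the banner, validates the single <dll_name> argument,
     * runs the scan and reports the total number of matches counted in `c`.
     * Returns EXIT_FAILURE on a usage error, EXIT_SUCCESS otherwise.
     */
    int main(int argc, char *argv[]) {
        /* argv[0] may be NULL when argc == 0; never hand that to printf("%s"). */
        const char *prog = (argc > 0 && argv[0] != NULL) ? argv[0] : "finddll";

        printf("[$] dll occurency finder utility \n");
        printf("[$] coded by Piotr Bania <bania.piotr@gmail.com>\n\n");

        if (argc != 2) {
            printf("[!] Usage: %s <dll_name>\n", prog);
            printf("[!] For example: %s KERNEL32.DLL\n", prog);
            return EXIT_FAILURE;
        }

        /* find_dll() prints its own diagnostics; matches are counted in `c`. */
        find_dll(argv[1]);

        printf("\n[+] Scanning ended, found %d occurences.\n", c);
        printf("Bye :)\n");
        getch();   /* keep the console window open when started by double-click */

        return EXIT_SUCCESS;
    }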


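    /*
     * Report one matching module: the process that maps it, its base address,
     * module handle, size and on-disk path. Increments the global match counter
     * `c`, then waits for a key so the output can be read before the scan goes on.
     *
     * filename  module name given on the command line (echoed only)
     * pe32      process entry the module belongs to
     * me32      module entry that matched
     *
     * The two banner literals were split across lines (and their leading text
     * garbled) in the published listing; they are reconstructed here as single
     * lines so the function compiles.
     */
    void display_info(char *filename, PROCESSENTRY32 pe32, MODULEENTRY32 me32) {
        printf("\n --- MODULE OCCURENCY FOUND ---\n");
        /* th32ProcessID / modBaseSize are DWORD (unsigned long on Windows). */
        printf("[+] %s found in %s (PID=0x%lX)\n", filename, pe32.szExeFile,
               (unsigned long)pe32.th32ProcessID);
        /* modBaseAddr and hModule are pointers: %p is the only specifier that does
         * not truncate them on 64-bit builds (the original used 0x%08x / 0x%X). */
        printf("[+] %s base located at: %p\n", filename, (void *)me32.modBaseAddr);
        printf("[+] %s handle in process: %p\n", filename, (void *)me32.hModule);
        printf("[+] %s size of module: 0x%lX bytes\n", filename,
               (unsigned long)me32.modBaseSize);
        printf("[+] %s path: %s\n", filename, me32.szExePath);
        printf(" --- PRESS ANY KEY TO CONTINUE ---\n\n");
        c++;

        /* ESC aborts the whole scan; the exit status is the tick count, which the
         * author left in as a joke ("super pseudo randomization fatal exit"). */
        if (getch() == 27) exit(GetTickCount());
    }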


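    /*
     * Enumerate the modules of one process and report every module whose name
     * matches `filename` (case-insensitive, via display_info()).
     *
     * Returns TRUE when the process was scanned (even with zero matches) and
     * FALSE when no module snapshot could be taken or enumerated for it. That
     * happens routinely (System process, processes of other users, protected
     * processes), so callers should treat FALSE as "skip this one", not as a
     * fatal error. The module snapshot handle is closed on every path.
     */
    static int scan_process_modules(char *filename, PROCESSENTRY32 *pe32) {
        MODULEENTRY32 me32;
        /* TH32CS_SNAPMODULE32 additionally lists the 32-bit modules of WOW64
         * processes, which a plain TH32CS_SNAPMODULE snapshot omits. */
        HANDLE hMSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32,
                                                 pe32->th32ProcessID);
        if (hMSnap == INVALID_HANDLE_VALUE) {
            printf("[!] Error: Cannot create modules snapshot for %s (PID=0x%lX), error=%lu\n",
                   pe32->szExeFile, (unsigned long)pe32->th32ProcessID, GetLastError());
            return FALSE;
        }

        printf("[+] Searching in %s (PID=0x%lX) for module occurency.\n",
               pe32->szExeFile, (unsigned long)pe32->th32ProcessID);

        /* Toolhelp rejects entries whose dwSize the caller did not set. */
        me32.dwSize = sizeof(me32);
        if (!Module32First(hMSnap, &me32)) {
            printf("[!] Error: Module32First() failed for %s (PID=0x%lX), error=%lu\n",
                   pe32->szExeFile, (unsigned long)pe32->th32ProcessID, GetLastError());
            CloseHandle(hMSnap);
            return FALSE;
        }

        /* First entry is already in me32, so check it before advancing. */
        do {
            if (!strcmpi(filename, me32.szModule)) display_info(filename, *pe32, me32);
        } while (Module32Next(hMSnap, &me32));

        CloseHandle(hMSnap);
        return TRUE;
    }

    /*
     * Walk every running process and report each loaded module named `filename`.
     *
     * Returns TRUE when the process list was fully walked, FALSE when the
     * process snapshot itself could not be taken or enumerated. Processes whose
     * modules cannot be inspected are reported and skipped rather than aborting
     * the scan (the original returned early on the first such process). Matches
     * are counted in the global `c` by display_info().
     *
     * Fixes over the original: dwSize is set before Process32First()/Module32First()
     * as the API requires, the process snapshot is closed on the error path, the
     * module snapshot is no longer closed twice, and the function always returns.
     */
    int find_dll(char *filename) {
        PROCESSENTRY32 pe32;
        HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

        if (hSnap == INVALID_HANDLE_VALUE) {
            printf("[!] Error: Cannot create snapshot for processes, error=%lu\n", GetLastError());
            return FALSE;
        }

        printf("[+] Snapshot for processes created, handle=%p\n", (void *)hSnap);

        /* Toolhelp rejects entries whose dwSize the caller did not set. */
        pe32.dwSize = sizeof(pe32);
        if (!Process32First(hSnap, &pe32)) {
            printf("[!] Error: Process32First() failed, error=%lu\n", GetLastError());
            CloseHandle(hSnap);
            return FALSE;
        }

        do {
            /* A failure here is per-process (access denied etc.), not fatal. */
            scan_process_modules(filename, &pe32);
        } while (Process32Next(hSnap, &pe32));

        CloseHandle(hSnap);
        return TRUE;
    }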


