Python DLL Injection Check
They are many security tools that inject DLL into processes running on a Windows system. The classic examples are anti-virus products. They like to inject plenty of code that, combined with API hooking, implements security checks. If DLLs are injected into processes, they can be detected and it's a common anti-debugging or evasion technique implemented by many malware samples. If you're interested in such techniques, they are covered in the FOR610[1] training. The detection relies on a specific API call GetModuleFileName()
[2]. The function expects the following parameters: A handle (pointer) to a process and the name of the DLL to check. Malware samples list all running processes, get a handle on them, and search for interesting DLL names. To get the handle, the OpenProcess()
[3] API call must use the following access flag (0x0410 - PROCESS_VM_READ|PROCESS_QUERY_INFORMATION).
Today, I found a Python script that implemented this technique. Note that the script just borrows and obfuscates a snippet of code available on github.com[4] for a while. The list of DLLs is a bit outdated but remains valid.
import win32api import win32process LRazMCgmBIhqNsJ= [] wqeltyA = ["sbiedll.dll","api_log.dll","dir_watch.dll","pstorec.dll","vmcheck.dll","wpespy.dll"] eDbscqrrt= win32process.EnumProcesses() for mbPLkF in eDbscqrrt: try: mhEIFoBo = win32api.OpenProcess(0x0410, 0, mbPLkF) try: JoKxLLHnpg= win32process.EnumProcessModules(mhEIFoBo) for qGvSyMSQH in JoKxLLHnpg: XFUQQonQDUFW= str(win32process.GetModuleFileNameEx(mhEIFoBo, qGvSyMSQH)).lower() for yeksLrlmxhewfzF in wqeltyA: if yeksLrlmxhewfzF in XFUQQonQDUFW: if XFUQQonQDUFW not in LRazMCgmBIhqNsJ: LRazMCgmBIhqNsJ.append(XFUQQonQDUFW) finally: win32api.CloseHandle(mbPLkF) except: pass if not LRazMCgmBIhqNsJ:
If the array LRazMCgmBIhqNsJ
is still empty, no suspicious (from a malware point of view) DLL has been found and the execution continues...
The sample received a nice VT score of 4/59 (SHA256:b78a5b2b36639edfd622d4a7f7c00fd78ba3d9c8437df104b286642507c12334)[5]. Another good example of Python integration with the Windows API!
[1] http://for610.com
[2] https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-getmodulefilenamea
[3] https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocess
[4] https://github.com/Arvanaghi/CheckPlease/blob/master/Python/check_all_DLL_names.py
[5] https://www.virustotal.com/gui/file/b78a5b2b36639edfd622d4a7f7c00fd78ba3d9c8437df104b286642507c12334/detection
Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key
Comments
www
Nov 17th 2022
6 months ago
EEW
Nov 17th 2022
6 months ago
qwq
Nov 17th 2022
6 months ago
mashood
Nov 17th 2022
6 months ago
isc.sans.edu
Nov 23rd 2022
6 months ago
isc.sans.edu
Nov 23rd 2022
6 months ago
isc.sans.edu
Dec 3rd 2022
6 months ago
isc.sans.edu
Dec 3rd 2022
6 months ago
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.
<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
isc.sans.edu
Dec 26th 2022
5 months ago
isc.sans.edu
Dec 26th 2022
5 months ago