Last Updated: 2021-07-06 11:19:12 UTC
by Xavier Mertens (Version: 1)
They are many security tools that inject DLL into processes running on a Windows system. The classic examples are anti-virus products. They like to inject plenty of code that, combined with API hooking, implements security checks. If DLLs are injected into processes, they can be detected and it's a common anti-debugging or evasion technique implemented by many malware samples. If you're interested in such techniques, they are covered in the FOR610 training. The detection relies on a specific API call
GetModuleFileName(). The function expects the following parameters: A handle (pointer) to a process and the name of the DLL to check. Malware samples list all running processes, get a handle on them, and search for interesting DLL names. To get the handle, the
OpenProcess() API call must use the following access flag (0x0410 - PROCESS_VM_READ|PROCESS_QUERY_INFORMATION).
Today, I found a Python script that implemented this technique. Note that the script just borrows and obfuscates a snippet of code available on github.com for a while. The list of DLLs is a bit outdated but remains valid.
import win32api import win32process LRazMCgmBIhqNsJ=  wqeltyA = ["sbiedll.dll","api_log.dll","dir_watch.dll","pstorec.dll","vmcheck.dll","wpespy.dll"] eDbscqrrt= win32process.EnumProcesses() for mbPLkF in eDbscqrrt: try: mhEIFoBo = win32api.OpenProcess(0x0410, 0, mbPLkF) try: JoKxLLHnpg= win32process.EnumProcessModules(mhEIFoBo) for qGvSyMSQH in JoKxLLHnpg: XFUQQonQDUFW= str(win32process.GetModuleFileNameEx(mhEIFoBo, qGvSyMSQH)).lower() for yeksLrlmxhewfzF in wqeltyA: if yeksLrlmxhewfzF in XFUQQonQDUFW: if XFUQQonQDUFW not in LRazMCgmBIhqNsJ: LRazMCgmBIhqNsJ.append(XFUQQonQDUFW) finally: win32api.CloseHandle(mbPLkF) except: pass if not LRazMCgmBIhqNsJ:
If the array
LRazMCgmBIhqNsJ is still empty, no suspicious (from a malware point of view) DLL has been found and the execution continues...
The sample received a nice VT score of 4/59 (SHA256:b78a5b2b36639edfd622d4a7f7c00fd78ba3d9c8437df104b286642507c12334). Another good example of Python integration with the Windows API!
Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant