Python DLL Injection Check

There are many security tools that inject DLLs into processes running on a Windows system. The classic examples are anti-virus products: they like to inject plenty of code that, combined with API hooking, implements security checks. Because injected DLLs can be detected, checking for them is a common anti-debugging or evasion technique implemented by many malware samples. If you're interested in such techniques, they are covered in the FOR610[1] training. The detection relies on a specific API call, GetModuleFileName()[2]. The function expects the following parameters: a handle (pointer) to a process and the name of the DLL to check. Malware samples list all running processes, get a handle on each of them, and search for interesting DLL names. To get the handle, the OpenProcess()[3] API call must use the following access flag: 0x0410 (PROCESS_VM_READ|PROCESS_QUERY_INFORMATION).

Today, I found a Python script that implements this technique. Note that the script just borrows and obfuscates a snippet of code that has been available on[4] for a while. The list of DLLs is a bit outdated but remains valid.

import win32api
import win32process

LRazMCgmBIhqNsJ = []   # paths of "interesting" DLLs found in any process
wqeltyA = ["sbiedll.dll", "api_log.dll", "dir_watch.dll", "pstorec.dll", "vmcheck.dll", "wpespy.dll"]
eDbscqrrt = win32process.EnumProcesses()   # every PID on the system
for mbPLkF in eDbscqrrt:
    try:   # try/except assumed from the original indentation: unopenable processes are skipped
        # 0x0410 = PROCESS_VM_READ | PROCESS_QUERY_INFORMATION
        mhEIFoBo = win32api.OpenProcess(0x0410, 0, mbPLkF)
        JoKxLLHnpg = win32process.EnumProcessModules(mhEIFoBo)
        for qGvSyMSQH in JoKxLLHnpg:
            # full path of each loaded module, lower-cased for a case-insensitive match
            XFUQQonQDUFW = str(win32process.GetModuleFileNameEx(mhEIFoBo, qGvSyMSQH)).lower()
            for yeksLrlmxhewfzF in wqeltyA:
                if yeksLrlmxhewfzF in XFUQQonQDUFW:
                    if XFUQQonQDUFW not in LRazMCgmBIhqNsJ:
                        LRazMCgmBIhqNsJ.append(XFUQQonQDUFW)
    except Exception:
        continue
if not LRazMCgmBIhqNsJ:
    pass   # no watched DLL found: the rest of the script runs (its body is not shown here)

If the array LRazMCgmBIhqNsJ is still empty, no suspicious (from the malware's point of view) DLL has been found and execution continues...
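To make the check above easier to study, here is a de-obfuscated version of the same logic, added as an example and not taken from the sample or the diary. The matching code is separated from the Windows API calls so it can be exercised on any platform with a constructed module snapshot; on Windows, snapshot_win32() rebuilds that snapshot with the same pywin32 calls the sample uses. It also decodes the 0x0410 access mask into the two rights the diary names. The watchlist is the one from the sample; the process snapshot, PIDs and function names are constructed for the example.

```python
"""De-obfuscated, testable version of the DLL-presence check (added example)."""
import sys

# Watchlist taken from the sample: DLLs that sandboxes and analysis tools inject.
SANDBOX_DLLS = ["sbiedll.dll", "api_log.dll", "dir_watch.dll",
                "pstorec.dll", "vmcheck.dll", "wpespy.dll"]

# Access rights behind the sample's OpenProcess(0x0410, ...) call.
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_VM_READ = 0x0010
PROCESS_ACCESS_NAMES = {
    PROCESS_QUERY_INFORMATION: "PROCESS_QUERY_INFORMATION",
    PROCESS_VM_READ: "PROCESS_VM_READ",
}


def decode_process_access(mask):
    """Return the names of the known rights set in an OpenProcess access mask.
    Bits outside the small table are reported in hex so nothing is silently dropped."""
    names = [name for bit, name in PROCESS_ACCESS_NAMES.items() if mask & bit]
    rest = mask & ~sum(PROCESS_ACCESS_NAMES)
    if rest:
        names.append(hex(rest))
    return names


def find_watched_modules(process_modules, watchlist=SANDBOX_DLLS):
    """process_modules is a {pid: [module path, ...]} snapshot.
    Returns a sorted list of (pid, lower-cased path) for every module whose path
    contains a watchlist name: the same substring match the sample performs."""
    hits = []
    for pid, modules in process_modules.items():
        for path in modules:
            lowered = str(path).lower()
            if any(name in lowered for name in watchlist) and (pid, lowered) not in hits:
                hits.append((pid, lowered))
    return sorted(hits)


def snapshot_win32():
    """Build {pid: [module paths]} with pywin32 (Windows only).
    Processes that refuse the PROCESS_QUERY_INFORMATION|PROCESS_VM_READ open are skipped."""
    import win32api
    import win32process
    snap = {}
    for pid in win32process.EnumProcesses():
        try:
            handle = win32api.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, 0, pid)
        except Exception:
            continue
        try:
            snap[pid] = [win32process.GetModuleFileNameEx(handle, module)
                         for module in win32process.EnumProcessModules(handle)]
        except Exception:
            continue
        finally:
            win32api.CloseHandle(handle)
    return snap


# Constructed snapshot: two ordinary processes and one carrying a watched DLL.
SAMPLE_SNAPSHOT = {
    4321: [r"C:\Windows\System32\notepad.exe", r"C:\Windows\System32\ntdll.dll"],
    5678: [r"C:\Program Files\Sandboxie\SbieDll.dll", r"C:\Windows\System32\kernel32.dll"],
    9012: [r"C:\Windows\explorer.exe"],
}

if __name__ == "__main__":
    snap = snapshot_win32() if sys.platform == "win32" else SAMPLE_SNAPSHOT
    for pid, path in find_watched_modules(snap):
        print(f"pid {pid}: {path}")
    print("0x0410 =", " | ".join(decode_process_access(0x0410)))
```

From a detection point of view, the interesting behaviour is not the API itself but its pattern: a process that opens every PID on the box with exactly this access mask and walks each module list is doing reconnaissance, whether or not it finds one of the names in the watchlist.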

The sample received a nice VT score of 4/59 (SHA256:b78a5b2b36639edfd622d4a7f7c00fd78ba3d9c8437df104b286642507c12334)[5]. Another good example of Python integration with the Windows API!


Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant

I will be teaching next: Reverse-Engineering Malware: Malware Analysis Tools and Techniques - SANS Threat Hunting London 2022


Jul 6th 2021
