Finddll.c - searches are running processes For module occurrency

最新推荐文章于 2025-11-25 12:19:09 发布

原创最新推荐文章于 2025-11-25 12:19:09 发布 · 801 阅读

0 ·

CC 4.0 BY-SA版权

文章标签：

#module #dll #jar #null #path #delete

vcbcbdelphi的window编程专栏收录该内容

551 篇文章

订阅专栏

/*



DLL OCCURENCY FINDER UTILITY

it simply searches in all running process for <DLL_NAME> occurency.



Very useful with malware detecting/removing. Imagine you

find a dll which you can't delete and you need to know

which process is running it...



coded by Piotr Bania <bania.piotr@gmail.com>



Sample usage:



  E:/projekty/finddll/Debug>finddll jar50.dll



....

[+] Searching in ping.exe (PID=0x564) for module occurency.

[+] Searching in firefox.exe (PID=0xFC4) for module occurency.





--- MODULE OCCURENCY FOUND ---

[+] jar50.dll found in firefox.exe (PID=0xFC4)

[+] jar50.dll base located at: 0x023c0000

[+] jar50.dll handle in process: 0x23C0000

[+] jar50.dll size of module: 0xD000 bytes

[+] jar50.dll path: C:/Program Files/Mozilla Firefox/components/jar50.dll



--- PRESS ANY KEY TO CONTINUE ---

....



*/



#include <stdio.h>

#include <stdlib.h>

#include <conio.h>

#include <windows.h>

#include <Tlhelp32.h>



int find_dll(char *filename);

void display_info(PROCESSENTRY32 pe32,MODULEENTRY32 me32);



int c=0;



int main(int argc, char *argv[]) {





printf("[$] dll occurency finder utility /n");

printf("[$] coded by Piotr Bania <bania.piotr@gmail.com/n/n");

if (argc!=2) {

printf("[!] Usage: %s <dll_name>/n",argv[0]);

printf("[!] For example: %s KERNEL32.DLL/n",argv[0]);

return 0;

}



find_dll(argv[1]);



printf("/n[+] Scaning ended, found %d occurences./n",c);

printf("Bye :)/n");

getch();



return 0;

}





void display_info(char *filename,PROCESSENTRY32 pe32,MODULEENTRY32 me32) {





printf("/n 

--- MODULE OCCURENCY FOUND ---/n");

printf("[+] %s found in %s (PID=0x%X)/n",filename,pe32.szExeFile,pe32.th32ProcessID);

printf("[+] %s base located at: 0x%08x/n",filename,me32.modBaseAddr);

printf("[+] %s handle in process: 0x%X/n",filename,me32.hModule);

printf("[+] %s size of module: 0x%X bytes/n",filename,me32.modBaseSize);

printf("[+] %s path: %s/n",filename,me32.szExePath);

printf(" 

--- PRESS ANY KEY TO CONTINUE ---/n/n");

c++;



// super pseudo randomization fatal exit *:)*

if (getch()==27) exit(GetTickCount());

}





int find_dll(char *filename) {

HANDLE hSnap,hMSnap;

PROCESSENTRY32 pe32;

MODULEENTRY32 me32;



hSnap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL);



if (hSnap==INVALID_HANDLE_VALUE) {

printf("[!] Error: Cannot create snapshot for processes, error=%d/n",GetLastError());

return FALSE;

} 



printf("[+] Snapshot for processes created, handle=0x%X/n",hSnap);



if (Process32First(hSnap,&pe32)==FALSE) {

   printf("[!] Error: Process32First() failed, error=%d/n",GetLastError());

return FALSE;

}



hMSnap=CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,pe32.th32ProcessID);

if (hMSnap==INVALID_HANDLE_VALUE) {

printf("[!] Error: Cannot create snapshot for modules, error=%d/n",GetLastError());

return FALSE;

}



printf("[+] Searching in %s (PID=0x%X) for module occurency./n",pe32.szExeFile,pe32.th32ProcessID);

if (Module32First(hMSnap,&me32)==NULL) {

printf("[!] Error: Module32First() failed, error=%d/n",GetLastError());

return FALSE;

}





if (!strcmpi(filename,me32.szModule)) display_info(filename,pe32,me32);

while(Module32Next(hMSnap,&me32)!=FALSE) {

if (!strcmpi(filename,me32.szModule)) display_info(filename,pe32,me32);

}

CloseHandle(hMSnap);

//printf("/nNext process/n");



while(Process32Next(hSnap,&pe32)!=NULL) {

hMSnap=CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,pe32.th32ProcessID);

if (hMSnap==INVALID_HANDLE_VALUE) {

  printf("[!] Error: Cannot create modules snapshot for %s (PID=0x%X), error=%d/n",pe32.szExeFile,pe32.th32ProcessID,GetLastError());

  goto next_process;

}

  

printf("[+] Searching in %s (PID=0x%X) for module occurency./n",pe32.szExeFile,pe32.th32ProcessID);

if (Module32First(hMSnap,&me32)!=NULL) {

  if (!strcmpi(filename,me32.szModule)) display_info(filename,pe32,me32);

  while(Module32Next(hMSnap,&me32)!=FALSE) {

   if (!strcmpi(filename,me32.szModule)) display_info(filename,pe32,me32);

  }

  next_process:

  CloseHandle(hMSnap);

  }

else {

  printf("[!] Error: Cannot creat snapshot for modules, error=%d/n",GetLastError());

  return FALSE; 

}

}   



CloseHandle(hMSnap);

CloseHandle(hSnap);

}