
Currently I'm working on trying to find out if a function (Foo()) in my executable has been called from an injected DLL.

My first idea was to call GetModule(NULL) and then check the result with the address given by GetModule("InjectedDllName"), all this is done inside Foo().

Apparently GetModule(NULL) will return the address of the executable and not the address of the current calling module. Is there maybe any other solution for my problem?

Another idea I have is locating the thread start address when Foo() is called and checking if this is inside the injected DLL's address space; I don't know if this is possible.

JoeG
  • An "initial calling module"? If this is not a fancy redundant name for "executable", what is it? – n. m. could be an AI Feb 18 '14 at 17:49
  • If you intend to use this as a security mechanism, be aware that malicious code can jump unconditionally to an existing call of your DLL function. I.e. If `Foo()` calls `Bar()`, an unconditional jump inside `Foo` will still end up calling `Bar()`. Ordinarily you have to look up the return address. – MSalters Feb 18 '14 at 17:51
  • edited the question a little to make this more understandable. – user3324551 Feb 18 '14 at 18:06
  • You can walk up the callstack and see if any function in the callstack comes from an injected DLL but as MSalters points out this won't fully protect you from malicious code if that is the intent here. – mattnewport Feb 18 '14 at 18:26
  • Maybe this http://stackoverflow.com/questions/557081/how-do-i-get-the-hmodule-for-the-currently-executing-code in combination with the current thread start address works. – user3324551 Feb 18 '14 at 18:40
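The approach the comments converge on (walk the return addresses and attribute each one to a loaded module), as an added example that is not code from the question or the answer. The portable core maps a return address onto a module table; the Windows-only part, which is guarded and not exercised off Windows, fills that table from EnumProcessModulesEx/GetModuleInformation, and the frames would come from CaptureStackBackTrace. The module names and addresses in sampleModules() are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>
#ifdef _WIN32
#include <windows.h>
#include <psapi.h>   // EnumProcessModulesEx/GetModuleInformation; link psapi.lib
#endif
struct ModuleRange { std::string name; std::uintptr_t base; std::size_t size; };
// Constructed sample table (names and addresses made up) standing in for the live list.
std::vector<ModuleRange> sampleModules() {
    return { {"my.exe", 0x00400000, 0x00010000},
             {"injected.dll", 0x10000000, 0x00005000},
             {"kernel32.dll", 0x7c800000, 0x000f6000} };
}
// Name of the module whose [base, base+size) contains addr; "" if unmapped.
std::string moduleForAddress(const std::vector<ModuleRange>& mods, std::uintptr_t addr) {
    for (const auto& m : mods)
        if (addr >= m.base && addr < m.base + m.size) return m.name;
    return "";
}
// Walks captured return addresses (innermost first) and names the first frame
// that lies outside the executable's own image; "" if none. Per MSalters' caveat,
// a jump into an existing call site leaves no foreign frame: telemetry, not a trust boundary.
std::string firstForeignCaller(const std::vector<ModuleRange>& mods,
                               const std::vector<std::uintptr_t>& frames,
                               const std::string& selfName) {
    for (auto f : frames) {
        std::string m = moduleForAddress(mods, f);
        if (!m.empty() && m != selfName) return m;
    }
    return "";
}
#ifdef _WIN32
// Live table for the current process; frames come from CaptureStackBackTrace(0, n, buf, nullptr).
std::vector<ModuleRange> liveModules() {
    std::vector<ModuleRange> out; HMODULE hm[1024]; DWORD needed = 0;
    if (!EnumProcessModulesEx(GetCurrentProcess(), hm, sizeof hm, &needed, LIST_MODULES_ALL))
        return out;
    for (DWORD i = 0; i < needed / sizeof(HMODULE); ++i) {
        MODULEINFO mi{}; char path[MAX_PATH];
        if (GetModuleInformation(GetCurrentProcess(), hm[i], &mi, sizeof mi) &&
            GetModuleFileNameExA(GetCurrentProcess(), hm[i], path, MAX_PATH))
            out.push_back({path, reinterpret_cast<std::uintptr_t>(mi.lpBaseOfDll), mi.SizeOfImage});
    }
    return out;
}
#endif
```

On Windows, call firstForeignCaller(liveModules(), frames, "<path of my.exe>") inside Foo() with the frames from CaptureStackBackTrace; the same walk also flags legitimate callbacks from system DLLs, so compare against the injected module's name rather than treating any foreign frame as hostile.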

1 Answer

You may get the handle of a loaded DLL with EnumProcessModulesEx, then use GetModuleFileNameEx to identify the filename, or check for any duplicated exported function names, which may suggest a hijack/wrapper.

However, this may not prevent the situation where the user renames your DLL and wraps it, or other advanced debug tool manipulations. And this can get very messy to handle every case, and too technical to be explained in a few lines.

Non-maskable Interrupt
  • Thank you for the quick answer but I already have the handle and the name of the DLLs injecting. I just want to find out if a function in my executable (my.exe) has been called from within a DLL's code (injected.dll). – user3324551 Feb 18 '14 at 18:22
  • I think the proper approach is to sign the DLL, for any other hack you cannot make sure the DLL is not fake. – Non-maskable Interrupt Feb 18 '14 at 18:24