
I have a program that gets every module loaded into a process and compares them with a database of forbidden DLL files, which works just fine, but it's too simple to circumvent (just change the name of the DLL file which you want to inject into the process). So I'm asking how I can distinguish DLL files. Is there any unique identifier which can be used in C#? Thanks.

EDIT: I forgot to mention that the program I'm creating checks the DLL files of another program, not created by me, which is written in C++.

Nicolas Cage
  • There very well [could be...](http://msdn.microsoft.com/en-us/library/system.security.cryptography.sha256%28v=vs.110%29.aspx) – Ichabod Clay Jan 11 '15 at 13:32
  • When the forbidden files are signed it's very easy. But they probably aren't. You should elaborate on the actual situation. – H H Jan 11 '15 at 13:48
  • @HenkHolterman Sorry, no they aren't signed. – Nicolas Cage Jan 11 '15 at 13:52
  • Then you'll have to come up with a better definition/signature for the forbidden dlls. Not likely anyone here can come up with something. – H H Jan 11 '15 at 13:53

2 Answers


You can iterate through every module loaded in a process (see "How do I list all loaded assemblies?") and see if there is a property of each module, such as ModuleVersionId, that does not change when the filename is changed.

sevzas
  • You could use LoadForReflection and check for certain classes. But the question isn't clear about the definitions. – H H Jan 11 '15 at 13:55
  • @sevzas I forgot to mention that I'm checking the DLL files in another application which I didn't create, so if I'm right, I can't access the "ModuleVersionId". I searched a bit more and found "ModuleMemorySize". I know that it isn't unique, but the chances that the sizes will meet are very low. What do you think? – Nicolas Cage Jan 11 '15 at 13:55
  • So your checker program examines the modules in *other* .net processes? – sevzas Jan 11 '15 at 14:09
  • Then you're working with ProcessModule class which doesn't offer much. There is one thing I noticed: you maintain a list of *forbidden* dlls yet all comments allude to a list of *permitted* dlls. – sevzas Jan 11 '15 at 14:35
  • @sevzas Sorry if I misled you. I get all modules from the process and check if there are any forbidden DLLs (DLLs I don't want to be injected into the process). – Nicolas Cage Jan 11 '15 at 17:52

I'm not sure if this is even remotely a decent way of handling it, but maybe try hashing the DLL file and checking against known trusted hashes of the files? This would require you to already have a trusted list of DLL hashes, but it should safeguard against simply renaming to bypass your current security measure.

user2835725
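Putting the two answers together (enumerating the other process's modules through `ProcessModule`, as in the first answer and sevzas's comment, and hashing each module's file, as in the second answer), here is an added example of the check. It is not code from the question or either answer; the hash value in the forbidden set is a placeholder, and the process id is assumed to be passed on the command line.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Diagnostics;
using System.IO;
using System.Security.Cryptography;

// Added example: walk the modules of another process and compare the SHA-256 of each
// module's on-disk file against a set of forbidden hashes. A renamed DLL still hashes
// to the same value, so the rename trick from the question no longer works.
public static class ModuleHashChecker
{
    // SHA-256 digests (lowercase hex) of the forbidden DLLs. The entry below is a
    // PLACEHOLDER; fill this set from the real files in your database.
    static readonly HashSet<string> ForbiddenSha256 =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "0000000000000000000000000000000000000000000000000000000000000000",
        };

    // Lowercase hex SHA-256 of a file on disk.
    public static string Sha256OfFile(string path)
    {
        using (var sha = SHA256.Create())
        using (var stream = File.OpenRead(path))
        {
            byte[] digest = sha.ComputeHash(stream);
            return BitConverter.ToString(digest).Replace("-", "").ToLowerInvariant();
        }
    }

    // Return the modules of the given process whose file hash is in the forbidden set.
    public static List<ProcessModule> FindForbiddenModules(int pid)
    {
        var hits = new List<ProcessModule>();
        Process target = Process.GetProcessById(pid);

        ProcessModuleCollection modules;
        try
        {
            // Throws Win32Exception when the checker and the target differ in
            // bitness (32-bit checker vs. 64-bit target) or when access is denied.
            modules = target.Modules;
        }
        catch (Win32Exception ex)
        {
            Console.Error.WriteLine($"cannot enumerate modules of pid {pid}: {ex.Message}");
            return hits;
        }

        foreach (ProcessModule module in modules)
        {
            string hash;
            try
            {
                // FileName is the path the loader recorded for the module.
                hash = Sha256OfFile(module.FileName);
            }
            catch (IOException) { continue; }               // file moved or deleted after load
            catch (UnauthorizedAccessException) { continue; } // not readable by this account

            if (ForbiddenSha256.Contains(hash))
                hits.Add(module);
        }
        return hits;
    }

    public static void Main(string[] args)
    {
        // Usage (assumed): ModuleHashChecker.exe <pid>
        int pid = int.Parse(args[0]);
        foreach (ProcessModule m in FindForbiddenModules(pid))
            Console.WriteLine(
                $"forbidden module: {m.ModuleName} at {m.FileName} " +
                $"(base 0x{m.BaseAddress.ToInt64():X}, size {m.ModuleMemorySize})");
    }
}
```

Two limits worth knowing before relying on this: `Process.Modules` only lists DLLs the Windows loader knows about, so it hashes the file at the path the loader recorded and sees nothing for code that was mapped into the process without going through the loader; and a recompiled or patched copy of a forbidden DLL has a different hash, so the forbidden set has to be kept up to date. `ModuleMemorySize`, mentioned in the comments, is printed alongside the hash only as a secondary hint, since many unrelated DLLs share the same size.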