[SANS ISC] Python DLL Injection Check, (Tue, Jul 6th)

There are many security tools that inject DLLs into processes running on a Windows system. The classic examples are anti-virus products, which like to inject plenty of code that, combined with API hooking, implements security checks. Because injected DLLs can be detected, looking for them is a common anti-debugging or evasion technique implemented by many malware samples. If you’re interested in such techniques, they are covered in the FOR610[1] training. The detection relies on a specific API call, GetModuleFileName()[2]. The function expects the following parameters: a handle (pointer) to a process and the name of the DLL to check. Malware samples list all running processes, get a handle on each of them, and search for interesting DLL names. To get the handle, the OpenProcess()[3] API call must use the following access flag: 0x0410 (PROCESS_VM_READ|PROCESS_QUERY_INFORMATION).

Today, I found a Python script that implements this technique. Note that the script just borrows and obfuscates a snippet of code that has been available on github.com[4] for a while. The list of DLLs is a bit outdated but remains valid.

import win32api
import win32process

LRazMCgmBIhqNsJ = []   # module paths that matched one of the "suspicious" DLL names
wqeltyA = ["sbiedll.dll", "api_log.dll", "dir_watch.dll", "pstorec.dll", "vmcheck.dll", "wpespy.dll"]
eDbscqrrt = win32process.EnumProcesses()   # PIDs of all running processes
for mbPLkF in eDbscqrrt:
    try:
        # 0x0410 = PROCESS_VM_READ | PROCESS_QUERY_INFORMATION
        mhEIFoBo = win32api.OpenProcess(0x0410, 0, mbPLkF)
        try:
            JoKxLLHnpg = win32process.EnumProcessModules(mhEIFoBo)   # handles of the loaded modules
            for qGvSyMSQH in JoKxLLHnpg:
                XFUQQonQDUFW = str(win32process.GetModuleFileNameEx(mhEIFoBo, qGvSyMSQH)).lower()
                for yeksLrlmxhewfzF in wqeltyA:
                    if yeksLrlmxhewfzF in XFUQQonQDUFW:
                        if XFUQQonQDUFW not in LRazMCgmBIhqNsJ:
                            LRazMCgmBIhqNsJ.append(XFUQQonQDUFW)
        finally:
            win32api.CloseHandle(mhEIFoBo)   # the sample passes the PID here instead of the process handle
    except:
        pass   # processes that cannot be opened (protected/system ones) are silently skipped
if not LRazMCgmBIhqNsJ:
    pass   # remainder of the script not shown: execution continues when nothing was found

If the list LRazMCgmBIhqNsJ is still empty, no suspicious (from a malware point of view) DLL has been found and the execution continues…
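For triage, the idiom is easy to spot statically: renaming variables (as the sample does) changes neither the pywin32 API names, nor the literal 0x0410 access mask, nor the DLL-name strings. The scanner below is an added example, not part of the diary or of the CheckPlease script; it uses Python's ast module and runs offline on the constructed SAMPLE string, which mimics the sample above with throw-away names.

```python
import ast
# Access-mask bits from the Windows SDK; the sample's 0x0410 is the OR of these two
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
DLL_CHECK_MASK = PROCESS_VM_READ | PROCESS_QUERY_INFORMATION
# DLL names the sample searches for (taken from the script above)
SANDBOX_DLLS = {"sbiedll.dll", "api_log.dll", "dir_watch.dll",
                "pstorec.dll", "vmcheck.dll", "wpespy.dll"}
# pywin32 calls that together implement "walk every module of every process"
ENUM_CALLS = {"EnumProcesses", "EnumProcessModules", "GetModuleFileNameEx"}

def decode_access(mask):
    """Name the OpenProcess access bits that this check needs, for a triage report."""
    names = []
    if mask & PROCESS_VM_READ:
        names.append("PROCESS_VM_READ")
    if mask & PROCESS_QUERY_INFORMATION:
        names.append("PROCESS_QUERY_INFORMATION")
    return names

def scan_source(src):
    """Static triage of a Python script: variable names are ignored, only the called
    API names, literal OpenProcess access masks and string literals are examined."""
    calls, masks, strings = set(), [], set()
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Call):
            f = node.func
            name = f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", None)
            calls.add(name)
            # OpenProcess(desiredAccess, inheritHandle, pid): keep a literal first argument
            if name == "OpenProcess" and node.args and isinstance(node.args[0], ast.Constant):
                masks.append(node.args[0].value)
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            strings.add(node.value.lower())   # case-insensitive, like the sample's .lower()
    dlls = sorted(strings & SANDBOX_DLLS)
    mask_ok = any(isinstance(m, int) and m & DLL_CHECK_MASK == DLL_CHECK_MASK for m in masks)
    enumerates = ENUM_CALLS <= calls
    return {"dlls": dlls, "masks": masks, "enumerates_modules": enumerates,
            "suspicious": enumerates and mask_ok and len(dlls) >= 2}

# Constructed input (not the real sample): the same idiom written with throw-away names
SAMPLE = """
k = ["SbieDll.dll", "vmcheck.dll", "kernel32.dll"]
for p in win32process.EnumProcesses():
    h = win32api.OpenProcess(0x0410, 0, p)
    for m in win32process.EnumProcessModules(h):
        if any(d.lower() in win32process.GetModuleFileNameEx(h, m).lower() for d in k):
            raise SystemExit()
"""
```

Run scan_source() over any .py dropped by a sample; a hit on the three enumeration calls plus the 0x0410 mask and two or more known names is a strong indicator of this sandbox check.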

The sample received a nice VT score of 4/59 (SHA256:b78a5b2b36639edfd622d4a7f7c00fd78ba3d9c8437df104b286642507c12334)[5]. Another good example of Python integration with the Windows API!

[1] http://for610.com
[2] https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-getmodulefilenamea
[3] https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocess
[4] https://github.com/Arvanaghi/CheckPlease/blob/master/Python/check_all_DLL_names.py
[5] https://www.virustotal.com/gui/file/b78a5b2b36639edfd622d4a7f7c00fd78ba3d9c8437df104b286642507c12334/detection

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
