Detecting System DLL …!

Recently, while working on a new tool, SpyDLLRemover, I had to separate the operating system's DLLs from the rest. To be precise, I needed a method to reliably detect a malicious DLL among all the DLLs loaded in a process. This means cornering the malicious DLL by eliminating the legitimate DLLs from the list.

So I came up with various methods of detecting system DLLs, such as checking whether the file path lies under the Windows or System32 folder, whether the company name in the version resource is Microsoft, online verification, and so on. But none of these is reliable or practical, and each can easily lead to false positives: version strings are trivial to fake, and the system folders are writable by any administrator-level dropper.

Finally, after days of searching around, one fine morning lightning struck: the SFC (System File Checker) functions. Some time back, while removing some spyware from my system, I had stumbled upon this SFC stuff. In short, SFC (the user-facing side of Windows File Protection) is the mechanism Windows uses to check the integrity of core OS components and to protect them from accidental damage.

Windows also provides a couple of API functions that allow applications to use this SFC functionality. One interesting function is SfcIsFileProtected(), which checks whether the specified file is a protected system file. It takes a NULL RPC handle as its first argument and the full path of the file, as a wide-character string, as its second; it is declared in sfc.h and exported by sfc.dll, so you link against sfc.lib. This makes it a very reliable method to differentiate system components from others.

Here is the sample code that uses the above technique to verify whether a DLL belongs to the system. DLLfilePath is the full path of the loaded module as a wide string (for example, as returned by GetModuleFileNameExW).

#include <windows.h>
#include <stdio.h>
#include <sfc.h>
#pragma comment(lib, "sfc.lib")

/* DLLfilePath: full path of the module, LPCWSTR. The first argument must be NULL. */
if( SfcIsFileProtected(NULL, DLLfilePath) == TRUE )
{
    printf("This is system DLL\n");
}
else
{
    printf("This is NOT the system DLL\n");
}

This method can also be extended to executable files to find out whether the process binary is part of the operating system. However, it cannot detect redistributable system components (the Visual C++ runtime DLLs, for example) that are copied into the application's own folder as part of its installation. One more caveat: the function reports whether the given path is on the protection list; it does not hash or signature-check the bytes on disk. So if file protection has been disabled and a protected file replaced in place, the replacement is still reported as protected. Use it to shrink the list of suspects, not as proof of a file's integrity.
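To put the API to work the way the post describes, here is an added example (not code from the original post) that enumerates every module loaded in a process, including the process binary itself, and classifies each one through SfcIsFileProtected via P/Invoke. It assumes Windows PowerShell 5.1 or later running with the same bitness and at least the same privilege as the target process; "notepad" is an assumed target, replace it with the process you are inspecting.

```powershell
# Added example, not code from the original post. Classifies the loaded modules of a
# process with SfcIsFileProtected and prints the ones the OS does NOT claim as protected.
# Assumptions: Windows PowerShell 5.1+, same bitness as the target, target name "notepad".

Add-Type -Namespace Sfc -Name Native -MemberDefinition @'
    // BOOL SfcIsFileProtected(HANDLE RpcHandle, LPCWSTR ProtFileName)
    [DllImport("sfc.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool SfcIsFileProtected(IntPtr RpcHandle, string ProtFileName);
'@

function Test-ProtectedFile {
    param([Parameter(Mandatory)][string]$Path)
    # First argument must be NULL; the path must be the full path of the file on disk.
    return [Sfc.Native]::SfcIsFileProtected([IntPtr]::Zero, $Path)
}

function Get-ModuleReport {
    param([Parameter(Mandatory)][System.Diagnostics.Process]$Process)
    # Process.Modules lists the main executable first, then every loaded DLL,
    # so the process binary is checked by the same call.
    foreach ($m in $Process.Modules) {
        [pscustomobject]@{
            Process   = $Process.ProcessName
            Module    = $m.ModuleName
            Path      = $m.FileName
            Protected = Test-ProtectedFile -Path $m.FileName
        }
    }
}

$target = Get-Process -Name notepad -ErrorAction Stop | Select-Object -First 1
$report = Get-ModuleReport -Process $target

# Everything that is not a protected system file is a candidate for a closer look.
$report | Where-Object { -not $_.Protected } |
    Format-Table Module, Path -AutoSize
```

Run it from an elevated prompt whose bitness matches the target, otherwise reading `.Modules` fails with an access or WOW64 error. As the post notes, the "not protected" list will still contain redistributable runtime DLLs and the application's own modules; the point of the call is to remove the OS files from the pile so that what remains is small enough to inspect by hand.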

Still, it makes for a reliable technique to detect system DLLs and separate the dirty fish from the pond…!



3 Comments

2 Pings/Trackbacks

  1. Prasad Addepalli
    February 17, 2009    

    Amazing Info!
    As always….. 🙂
    Prasad

  2. […] I wrote about ‘Detecting System DLL’ some of my friends working on malware analysis asked for any tool which can show if the particular […]

  3. […] which is used to protect system files against accidental or deliberate modification. I have written about it in more detail as how this technique can be utilized to differentiate between system and normal […]

  1. Security Blog by Nagareshwar » Blog Archive » SFCList : Windows Protected Files Listing Tool on February 21, 2009 at 1:09 am
  2. Security Blog by Nagareshwar » Blog Archive » Disabling Windows File Protection (SFC) on March 4, 2009 at 12:34 pm
