Recently while working on a new tool SpyDLLRemover, I had to separate out the operating system DLLs from others.  To be precise, I needed method to reliably detect malicious DLL among all loaded DLLs of the process.  This requires cornering out the malicious DLL by eliminating legitimate DLLs from the list.

So I came up with various methods of detecting system DLL such as checking if file path belongs to windows or system32 folder, company name is Microsoft, online verification etc.  But none of these are reliable or practical and can easily lead to false positives.

Finally after days of searching around, one fine morning I got lightening strike about SFC (System File Checker) functions.  Sometimes back while removing some spyware from my system, I stumbled upon this SFC stuff. In short, SFC is the mechanism used by Windows to check the integrity of OS core components as well as to protect them from accidental damage.

Windows also provides couple of  API functions to  allow applications to use this SFC functionality. One of the interesting function is SfcIsFileProtected( ) which checks if the specified filename is protected system file or not. This makes it a very reliable method to differentiate system components from others.

Here is the sample code which uses the above mentioned technique to verify if the DLL belongs to system.

#include <sfc.h>
#pragma comment(lib, “sfc.lib”)

if( SfcIsFileProtected(NULL, DLLfilePath) == TRUE )
{
printf(“This is system DLL”);
}
else
{
printf(“This is NOT the system DLL”);
}

This method can also be extended to executable files to find out if the process binary is part of the operating system. However it cannot detect redistributable system components which are copied as part of the application installation.

Still, it makes up a reliable technique to detect system DLLs and separate out the dirty fish from the pond…!

.