丹心 : 使用Windows API函数EnumProcessModules或CreateToolhelp32Snapshot来枚举当前进程的所有模块,并检查是否有未经授权的DLL被加载。

代码如下

' 模块 (Module1.bas)
Option Explicit

' Size of the szExePath buffer; matches the Win32 MAX_PATH value.
Private Const MAX_PATH As Long = 260

' VB6 mirror of the Win32 MODULEENTRY32 (ANSI) structure filled by
' Module32First / Module32Next. dwSize must be set by the caller before the
' first call. szModule is only the module's file name; szExePath is the full
' path on disk, which is the field worth comparing against an allow-list.
' All handle/pointer fields are Long, i.e. this layout is for a 32-bit process.
Private Type MODULEENTRY32
    dwSize As Long
    th32ModuleID As Long
    th32ProcessID As Long
    GlblcntUsage As Long
    ProccntUsage As Long
    modBaseAddr As Long
    modBaseSize As Long
    hModule As Long
    szModule As String * 256
    szExePath As String * MAX_PATH
End Type

' Toolhelp snapshot API. CreateToolhelp32Snapshot returns INVALID_HANDLE_VALUE
' (-1), not 0, on failure. Module32First/Module32Next return non-zero while a
' module entry was written to lpme and 0 once enumeration is exhausted or fails.
Private Declare Function CreateToolhelp32Snapshot Lib "kernel32" (ByVal dwFlags As Long, ByVal th32ProcessID As Long) As Long
Private Declare Function Module32First Lib "kernel32" (ByVal hSnapshot As Long, ByRef lpme As MODULEENTRY32) As Long
Private Declare Function Module32Next Lib "kernel32" (ByVal hSnapshot As Long, ByRef lpme As MODULEENTRY32) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long

' dwFlags for CreateToolhelp32Snapshot: include the process's modules
' (TH32CS_SNAPMODULE); TH32CS_SNAPMODULE32 additionally lists 32-bit modules
' when called from a 64-bit process.
Private Const TH32CS_SNAPMODULE As Long = 8
Private Const TH32CS_SNAPMODULE32 As Long = 16

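Public Function DetectInjectedDLLs() As Boolean
    ' Enumerate every module loaded in the current process (th32ProcessID = 0)
    ' through a Toolhelp snapshot and print each module's file name to the
    ' Immediate window.
    '
    ' Returns True only if a module is flagged by the check inside the loop;
    ' with the placeholder check commented out it always returns False.
    ' Fixes versus the earlier version: the failure value of
    ' CreateToolhelp32Snapshot is INVALID_HANDLE_VALUE (-1), not 0, so the
    ' old guard never fired; InStr returning 0 (no NUL terminator) made
    ' Left$(..., -1) raise a runtime error; and the result was reset to False
    ' after the loop, which silently discarded any True set inside it.
    '
    ' NOTE(review): szModule is just the base file name and is trivially
    ' chosen by whoever loads the DLL. For a meaningful check compare
    ' me32.szExePath against the directories you expect modules to come from
    ' (and ideally verify the file's signature) rather than matching names.
    Const INVALID_HANDLE_VALUE As Long = -1
    Dim hSnapshot As Long
    Dim me32 As MODULEENTRY32
    Dim result As Long
    Dim moduleName As String
    Dim nulPos As Long

    ' Default verdict; set True inside the loop when a module is flagged.
    DetectInjectedDLLs = False

    hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE Or TH32CS_SNAPMODULE32, 0&)
    If hSnapshot = INVALID_HANDLE_VALUE Then Exit Function

    ' Module32First fails unless dwSize is initialised to the structure size.
    me32.dwSize = Len(me32)
    result = Module32First(hSnapshot, me32)

    Do While result
        ' szModule is a fixed-length buffer: keep the text before the first
        ' NUL, or the blank-trimmed buffer when no terminator is present.
        nulPos = InStr(me32.szModule, vbNullChar)
        If nulPos > 0 Then
            moduleName = Left$(me32.szModule, nulPos - 1)
        Else
            moduleName = RTrim$(me32.szModule)
        End If

        ' Check moduleName / me32.szExePath against your allow-list here.
        Debug.Print "Module: "; moduleName

        ' Example of flagging a module (leave the verdict alone otherwise):
        ' If LCase$(moduleName) = "suspicious.dll" Then
        '     DetectInjectedDLLs = True
        '     Exit Do
        ' End If

        result = Module32Next(hSnapshot, me32)
    Loop

    ' The snapshot handle is released on every path that acquired it,
    ' including an early Exit Do from the loop.
    CloseHandle hSnapshot
End Function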

' 测试函数
Public Sub TestDLLInjectionDetection()
    ' Manual smoke test: run the module scan once and show the verdict in a
    ' message box (exclamation icon when a module was flagged, info otherwise).
    Dim injected As Boolean

    injected = DetectInjectedDLLs()

    If Not injected Then
        MsgBox "No injected DLL detected.", vbInformation
    Else
        MsgBox "Detected injected DLL!", vbExclamation
    End If
End Sub
