丹心 : 使用Windows API函数EnumProcessModules或CreateToolhelp32Snapshot来枚举当前进程的所有模块,并检查是否有未经授权的DLL被加载。
代码如下
' Module (Module1.bas)
' Toolhelp-based enumeration of the modules loaded in the current process.
' These declarations follow 32-bit VB6 conventions (handles and pointers as Long,
' no PtrSafe); a 64-bit VBA7 host would need LongPtr/PtrSafe and a wider layout.
Option Explicit
' Windows MAX_PATH; also the length of the szExePath buffer below.
Private Const MAX_PATH As Long = 260
' Mirror of the Win32 MODULEENTRY32 (ANSI) structure filled in by
' Module32First / Module32Next. Member order and sizes must match the Windows
' definition exactly, and dwSize must be set by the caller before the first call.
Private Type MODULEENTRY32
dwSize As Long                  ' size of this structure in bytes (set before use)
th32ModuleID As Long            ' documented by Win32 as unused
th32ProcessID As Long           ' process that owns the module
GlblcntUsage As Long            ' global usage count (Win32 documents it as unused)
ProccntUsage As Long            ' process usage count (Win32 documents it as unused)
modBaseAddr As Long             ' base address of the module in the owning process (32-bit)
modBaseSize As Long             ' size of the module in bytes
hModule As Long                 ' module handle in the owning process
szModule As String * 256        ' module file name, NUL-terminated inside the buffer
szExePath As String * MAX_PATH  ' full path of the module file, NUL-terminated
End Type
' Takes a snapshot of the loader's tables selected by dwFlags; th32ProcessID = 0 means the
' calling process. On failure it returns INVALID_HANDLE_VALUE (-1), not 0.
Private Declare Function CreateToolhelp32Snapshot Lib "kernel32" (ByVal dwFlags As Long, ByVal th32ProcessID As Long) As Long
' Walk the snapshot's module list: non-zero while an entry was returned, 0 when the
' list is exhausted or on error. lpme.dwSize must already be filled in.
Private Declare Function Module32First Lib "kernel32" (ByVal hSnapshot As Long, ByRef lpme As MODULEENTRY32) As Long
Private Declare Function Module32Next Lib "kernel32" (ByVal hSnapshot As Long, ByRef lpme As MODULEENTRY32) As Long
' Releases the snapshot handle; every successful CreateToolhelp32Snapshot needs one.
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
' Snapshot flags: SNAPMODULE lists the process's modules; SNAPMODULE32 additionally
' lists 32-bit modules when the caller is a 64-bit process.
Private Const TH32CS_SNAPMODULE As Long = 8
Private Const TH32CS_SNAPMODULE32 As Long = 16
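' Enumerates the modules loaded in the current process (th32ProcessID = 0 selects the
' caller) through a Toolhelp snapshot and, optionally, compares every module name
' against an allow-list.
'
' allowList  Optional "|"-separated list of module file names, e.g.
'            "kernel32.dll|user32.dll|myapp.exe", compared case-insensitively.
'            When empty (the default) each module is only printed to the Immediate
'            window and the function returns False, exactly as the original routine did.
'
' Returns True when the snapshot contains a module that is not in allowList.
' Returns False when allowList is empty, when every module is allowed, or when the
' snapshot could not be created (the DLL error code is printed via Debug.Print).
'
' Coverage note: the snapshot only reports modules the loader registered, so this is
' a coarse consistency check of the module list, not proof that nothing was injected.
Public Function DetectInjectedDLLs(Optional ByVal allowList As String = vbNullString) As Boolean
    ' CreateToolhelp32Snapshot reports failure with INVALID_HANDLE_VALUE (-1), not 0;
    ' testing only for 0 would let the failure case fall through to Module32First.
    Const INVALID_HANDLE_VALUE As Long = -1
    Const LIST_SEP As String = "|"
    Dim hSnapshot As Long
    Dim me32 As MODULEENTRY32
    Dim result As Long
    Dim moduleName As String
    Dim nullPos As Long
    Dim normalizedAllowList As String
    Dim unexpectedFound As Boolean

    DetectInjectedDLLs = False
    unexpectedFound = False

    hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE Or TH32CS_SNAPMODULE32, 0&)
    If hSnapshot = INVALID_HANDLE_VALUE Or hSnapshot = 0 Then
        Debug.Print "CreateToolhelp32Snapshot failed, error "; Err.LastDllError
        Exit Function
    End If

    ' Wrap the list in separators so a plain InStr cannot match a substring of a
    ' longer name (e.g. "ole32.dll" inside "msole32.dll").
    If Len(allowList) > 0 Then
        normalizedAllowList = LIST_SEP & LCase$(allowList) & LIST_SEP
    End If

    ' dwSize must be the ANSI byte size of the structure; Len (not LenB) counts the
    ' fixed-length string members as one byte per character.
    me32.dwSize = Len(me32)
    result = Module32First(hSnapshot, me32)
    Do While result
        ' szModule is a fixed-length buffer: keep only the text before the terminator.
        ' Without a terminator Left$(..., -1) would raise error 5, so fall back to the
        ' whole buffer in that case.
        nullPos = InStr(me32.szModule, vbNullChar)
        If nullPos > 0 Then
            moduleName = Left$(me32.szModule, nullPos - 1)
        Else
            moduleName = me32.szModule
        End If
        Debug.Print "Module: "; moduleName

        If Len(normalizedAllowList) > 0 Then
            If InStr(normalizedAllowList, LIST_SEP & LCase$(moduleName) & LIST_SEP) = 0 Then
                unexpectedFound = True
                Debug.Print "Unexpected module: "; moduleName
                ' Keep enumerating so the complete list is printed for review.
            End If
        End If

        result = Module32Next(hSnapshot, me32)
    Loop

    ' The snapshot is only ever left through this point, so the handle is not leaked.
    CloseHandle hSnapshot

    DetectInjectedDLLs = unexpectedFound
End Function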
' Test routine: calls DetectInjectedDLLs and shows its verdict in a message box.
Public Sub TestDLLInjectionDetection()
    Dim injected As Boolean
    injected = DetectInjectedDLLs()
    If Not injected Then
        MsgBox "No injected DLL detected.", vbInformation
    Else
        MsgBox "Detected injected DLL!", vbExclamation
    End If
End Sub
高端局,新鲜,要试一下