How to get all loaded DLLs in my process?

Time:09-16

Project folder path: F:\workspace\VantageAddin\aiscreenshotaddin\src\AIScreenshotAddin\bin\x64\Release\AIScreenshot

Files in the above folder:

  • app.exe
  • 1.dll
  • 2.dll
  • 3.dll

Question description:

In my WPF project folder, there is one app.exe together with several DLL files (e.g. 1.dll, 2.dll, 3.dll). app.exe will load some of them (not all) into its process space.

All the exe and DLL files are signed. I need to check which DLL files are loaded and then check their signatures. If all loaded DLL files are signed, then continue the main function.

This is to prevent an attacker from replacing some DLL file, or putting an unsigned DLL file in the project folder. So I won't check all DLL files in the folder, but only check those loaded.

I use the code below to get the loaded DLL info.

    Process myProcess = Process.GetCurrentProcess();
    foreach (ProcessModule module in myProcess.Modules)
    {
        Logger.Debug(ClassName, $", dll module, FileName: {module.FileName}, BaseAddress: {module.BaseAddress}, ModuleName: {module.ModuleName}");
        File.AppendAllText("D:\\111.txt", $"dll module, FileName: {module.FileName}, BaseAddress: {module.BaseAddress}, ModuleName: {module.ModuleName}");
        File.AppendAllText("D:\\111.txt", Environment.NewLine);
    }

The result is below. As you can see, only the first item, app.exe, comes from the project folder. The loaded DLL files in the project folder (1.dll, 2.dll, 3.dll) are not detected.

Why? And how to detect them?

    dll module, FileName: F:\workspace\VantageAddin\aiscreenshotaddin\src\AIScreenshotAddin\bin\x64\Release\AIScreenshot\app.exe, BaseAddress: 1790275420160, ModuleName: app.exe
    dll module, FileName: C:\windows\SYSTEM32\ntdll.dll, BaseAddress: 140723926794240, ModuleName: ntdll.dll
    dll module, FileName: C:\windows\SYSTEM32\MSCOREE.DLL, BaseAddress: 140723452182528, ModuleName: MSCOREE.DLL
    dll module, FileName: C:\windows\System32\KERNEL32.dll, BaseAddress: 140723902611456, ModuleName: KERNEL32.dll
    dll module, FileName: C:\windows\System32\KERNELBASE.dll, BaseAddress: 140723885113344, ModuleName: KERNELBASE.dll
    dll module, FileName: C:\ProgramData\Symantec\Symantec Endpoint Protection\14.3.5427.3000.105\Data\Sysfer\x64\sysfer.dll, BaseAddress: 1615527936, ModuleName: sysfer.dll
    dll module, FileName: C:\windows\System32\ADVAPI32.dll, BaseAddress: 140723907002368, ModuleName: ADVAPI32.dll
    dll module, FileName: C:\windows\System32\msvcrt.dll, BaseAddress: 140723913555968, ModuleName: msvcrt.dll
    dll module, FileName: C:\windows\System32\sechost.dll, BaseAddress: 140723895336960, ModuleName: sechost.dll
    dll module, FileName: C:\windows\System32\RPCRT4.dll, BaseAddress: 140723898482688, ModuleName: RPCRT4.dll
    dll module, FileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll, BaseAddress: 140723443662848, ModuleName: mscoreei.dll
    dll module, FileName: C:\windows\System32\SHLWAPI.dll, BaseAddress: 140723900907520, ModuleName: SHLWAPI.dll
    dll module, FileName: C:\windows\SYSTEM32\kernel.appcore.dll, BaseAddress: 140723849461760, ModuleName: kernel.appcore.dll
    dll module, FileName: C:\windows\SYSTEM32\VERSION.dll, BaseAddress: 140723720749056, ModuleName: VERSION.dll
    dll module, FileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll, BaseAddress: 140723401850880, ModuleName: clr.dll
    dll module, FileName: C:\windows\System32\USER32.dll, BaseAddress: 140723915390976, ModuleName: USER32.dll
    dll module, FileName: C:\windows\System32\win32u.dll, BaseAddress: 140723883933696, ModuleName: win32u.dll
    dll module, FileName: C:\windows\System32\GDI32.dll, BaseAddress: 140723894353920, ModuleName: GDI32.dll
    dll module, FileName: C:\windows\System32\gdi32full.dll, BaseAddress: 140723891798016, ModuleName: gdi32full.dll
    dll module, FileName: C:\windows\System32\msvcp_win.dll, BaseAddress: 140723884457984, ModuleName: msvcp_win.dll
    dll module, FileName: C:\windows\System32\ucrtbase.dll, BaseAddress: 140723889111040, ModuleName: ucrtbase.dll
    dll module, FileName: C:\windows\SYSTEM32\VCRUNTIME140_CLR0400.dll, BaseAddress: 140723419938816, ModuleName: VCRUNTIME140_CLR0400.dll
    dll module, FileName: C:\windows\SYSTEM32\ucrtbase_clr0400.dll, BaseAddress: 140723419152384, ModuleName: ucrtbase_clr0400.dll
    dll module, FileName: C:\windows\System32\IMM32.DLL, BaseAddress: 140723893633024, ModuleName: IMM32.DLL
    dll module, FileName: C:\windows\System32\ole32.dll, BaseAddress: 140723901366272, ModuleName: ole32.dll
    dll module, FileName: C:\windows\System32\combase.dll, BaseAddress: 140723903463424, ModuleName: combase.dll
    dll module, FileName: C:\Program Files\Cybereason ActiveProbe\Powereason_64\Powereason.dll, BaseAddress: 140723007913984, ModuleName: Powereason.dll
    dll module, FileName: C:\windows\System32\OLEAUT32.dll, BaseAddress: 140723896909824, ModuleName: OLEAUT32.dll
    dll module, FileName: C:\windows\System32\WS2_32.dll, BaseAddress: 140723907723264, ModuleName: WS2_32.dll
    dll module, FileName: C:\windows\SYSTEM32\WSOCK32.dll, BaseAddress: 140723422363648, ModuleName: WSOCK32.dll
    dll module, FileName: C:\windows\SYSTEM32\IPHLPAPI.DLL, BaseAddress: 140723871744000, ModuleName: IPHLPAPI.DLL
    dll module, FileName: C:\windows\system32\mswsock.dll, BaseAddress: 140723875282944, ModuleName: mswsock.dll
    dll module, FileName: C:\windows\system32\wshunix.dll, BaseAddress: 140723697287168, ModuleName: wshunix.dll
    dll module, FileName: C:\windows\SYSTEM32\CRYPTSP.dll, BaseAddress: 140723877314560, ModuleName: CRYPTSP.dll
    dll module, FileName: C:\windows\system32\rsaenh.dll, BaseAddress: 140723868008448, ModuleName: rsaenh.dll
    dll module, FileName: C:\windows\System32\bcrypt.dll, BaseAddress: 140723890159616, ModuleName: bcrypt.dll
    dll module, FileName: C:\windows\SYSTEM32\CRYPTBASE.dll, BaseAddress: 140723877445632, ModuleName: CRYPTBASE.dll
    dll module, FileName: C:\windows\System32\bcryptPrimitives.dll, BaseAddress: 140723888521216, ModuleName: bcryptPrimitives.dll
    dll module, FileName: C:\windows\system32\uxtheme.dll, BaseAddress: 140723843366912, ModuleName: uxtheme.dll
    dll module, FileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll, BaseAddress: 140723358334976, ModuleName: clrjit.dll
    dll module, FileName: C:\windows\System32\shell32.dll, BaseAddress: 140723917094912, ModuleName: shell32.dll
    dll module, FileName: C:\windows\SYSTEM32\windows.storage.dll, BaseAddress: 140723851558912, ModuleName: windows.storage.dll
    dll module, FileName: C:\windows\SYSTEM32\Wldp.dll, BaseAddress: 140723878035456, ModuleName: Wldp.dll
    dll module, FileName: C:\windows\System32\SHCORE.dll, BaseAddress: 140723897761792, ModuleName: SHCORE.dll
    dll module, FileName: C:\windows\System32\psapi.dll, BaseAddress: 140723903397888, ModuleName: psapi.dll

CodePudding user response:

From a general standpoint, this is never going to work. You cannot look at the list of loaded modules and then decide to allow something or not because it is too late, the module has already had a chance to execute code.

If you have some sort of plug-in support in your app you should open the file first (deny writes) and if it passes your tests, you may load it and then close the file handle.
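The open, verify, load, close order described in the answer above, as an added example that is not part of the original post. It covers managed assemblies only; `VerifiedLoader`, `LoadIfTrusted` and the `TrustedSha256` allowlist are hypothetical names, and a SHA-256 allowlist stands in for "your tests" (an Authenticode check such as a `WinVerifyTrust` call would go in the same place).

```csharp
using System;
using System.IO;
using System.Linq;
using System.Reflection;
using System.Security.Cryptography;

static class VerifiedLoader
{
    // Hypothetical allowlist: lowercase hex SHA-256 of each DLL the application ships.
    // The entry below is a labelled placeholder, not a real hash.
    static readonly string[] TrustedSha256 =
    {
        "<sha256-of-1.dll-placeholder>",
    };

    public static Assembly LoadIfTrusted(string path)
    {
        // FileShare.Read lets other handles read the file but blocks opening it
        // for writing or deleting it while this handle is open, so the bytes
        // that are checked are the bytes that get loaded.
        using (var fs = new FileStream(path, FileMode.Open, FileAccess.Read, FileShare.Read))
        {
            string hash;
            using (var sha = SHA256.Create())
            {
                hash = BitConverter.ToString(sha.ComputeHash(fs))
                                   .Replace("-", "")
                                   .ToLowerInvariant();
            }

            // Fail closed: anything not on the allowlist is never loaded,
            // so its code never gets a chance to run.
            if (!TrustedSha256.Contains(hash))
                throw new InvalidOperationException("Refusing to load untrusted module: " + path);

            // Load while the deny-write handle is still held; it is released
            // only when the using block ends, after the load has completed.
            return Assembly.LoadFrom(path);
        }
    }
}
```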

CodePudding user response:

Process only contains information about Win32 DLLs. For .NET DLLs, you should use the AppDomain.GetAssemblies method to obtain their information.

    var assemblies = AppDomain.CurrentDomain.GetAssemblies();

    foreach (var assembly in assemblies)
    {
        if (assembly.FullName == "Your target dll's full name")
        {
            // something you wanted to do
        }
    }
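An added example, not part of the original answer, that extends the `AppDomain.GetAssemblies` loop above into an inventory of the managed assemblies loaded from the application folder, including ones the CLR loads later on first use. `LoadedAssemblyAudit`, `Start`, `SignerOf` and the `report` callback are hypothetical names.

```csharp
using System;
using System.IO;
using System.Reflection;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class LoadedAssemblyAudit
{
    // Returns the signer subject, or null when the file carries no embedded
    // Authenticode signature. CreateFromSignedFile only extracts the signer
    // certificate; it does not validate the signature or the certificate chain.
    static string SignerOf(string path)
    {
        try { return X509Certificate.CreateFromSignedFile(path).Subject; }
        catch (CryptographicException) { return null; }
    }

    // Dynamic assemblies and assemblies loaded from a byte array have no file path.
    static bool IsFromAppFolder(Assembly a, string appDir)
    {
        if (a.IsDynamic || string.IsNullOrEmpty(a.Location)) return false;
        return Path.GetFullPath(a.Location)
                   .StartsWith(appDir, StringComparison.OrdinalIgnoreCase);
    }

    // report(path, signerSubjectOrNull) is called once per assembly found.
    public static void Start(Action<string, string> report)
    {
        string appDir = Path.GetFullPath(AppDomain.CurrentDomain.BaseDirectory);

        // Assemblies are loaded lazily, so subscribe before enumerating in
        // order to also see the ones that are loaded after this call.
        AppDomain.CurrentDomain.AssemblyLoad += (sender, e) =>
        {
            if (IsFromAppFolder(e.LoadedAssembly, appDir))
                report(e.LoadedAssembly.Location, SignerOf(e.LoadedAssembly.Location));
        };

        // Assemblies that are already loaded at this point.
        foreach (Assembly a in AppDomain.CurrentDomain.GetAssemblies())
        {
            if (IsFromAppFolder(a, appDir))
                report(a.Location, SignerOf(a.Location));
        }
    }
}
```

Calling `Start` early in startup with a callback that logs each path and signer gives the list the question was after; an entry with a null signer is an unsigned file in the application folder.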