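/*
 * DLL OCCURENCY FINDER UTILITY
 *
 * Walks every running process (Toolhelp snapshot) and reports each process
 * whose loader module list contains a module named <DLL_NAME>.  Handy when a
 * DLL cannot be deleted and you need to know who is holding it.
 *
 * coded by Piotr Bania <bania.piotr@gmail.com>
 *
 * Sample usage:
 *   E:/projekty/finddll/Debug>finddll jar50.dll
 *   ....
 *   [+] Searching in ping.exe (PID=0x564) for module occurency.
 *   [+] Searching in firefox.exe (PID=0xFC4) for module occurency.
 *    --- MODULE OCCURENCY FOUND ---
 *   [+] jar50.dll found in firefox.exe (PID=0xFC4)
 *   [+] jar50.dll base located at: 023C0000
 *   [+] jar50.dll handle in process: 023C0000
 *   [+] jar50.dll size of module: 0xD000 bytes
 *   [+] jar50.dll path: C:/Program Files/Mozilla Firefox/components/jar50.dll
 *    --- PRESS ANY KEY TO CONTINUE ---
 *   ....
 *
 * Limits a practitioner should keep in mind when using this for malware hunting:
 *  - Toolhelp reports what the target's own loader bookkeeping says is loaded.
 *    A DLL that was manually mapped, or whose entry was unlinked from the loader
 *    lists, does not show up here, so "0 occurences" is not proof of absence.
 *  - Module snapshots of other users' / SYSTEM processes need SeDebugPrivilege;
 *    main() tries to enable it (works only from an elevated/admin token).
 *    Protected processes still refuse and are reported as snapshot failures.
 *  - A 32-bit build cannot enumerate modules of 64-bit processes
 *    (ERROR_PARTIAL_COPY); those processes are reported and skipped.
 *  - Matching is by module base name only (case-insensitive).  A same-named DLL
 *    loaded from a different directory also matches; check the printed path.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <conio.h>
#include <windows.h>
#include <tlhelp32.h>

/* Older SDKs lack this flag; the value is the documented one. */
#ifndef TH32CS_SNAPMODULE32
#define TH32CS_SNAPMODULE32 0x00000010
#endif

/* CreateToolhelp32Snapshot(TH32CS_SNAPMODULE) is documented to fail
 * transiently with ERROR_BAD_LENGTH and should simply be retried. */
enum { SNAPSHOT_RETRIES = 5 };

/* Escape key as returned by getch(); aborts the scan in display_info(). */
enum { KEY_ESC = 27 };

int find_dll(char *filename);
void display_info(char *filename, PROCESSENTRY32 pe32, MODULEENTRY32 me32);
static int enable_debug_privilege(void);
static int scan_process(char *filename, const PROCESSENTRY32 *pe32);

/* Number of module matches reported so far (incremented by display_info). */
int c = 0;

/*
 * Entry point.  argv[1] is the module base name to look for.
 * Returns 0 after a scan, 1 on a usage error.
 */
int main(int argc, char *argv[])
{
    printf("[$] dll occurency finder utility \n");
    printf("[$] coded by Piotr Bania <bania.piotr@gmail.com>\n\n");

    if (argc != 2) {
        printf("[!] Usage: %s <dll_name>\n", argv[0]);
        printf("[!] For example: %s KERNEL32.DLL\n", argv[0]);
        return 1;
    }

    /* Best effort: without it, snapshots of other users' processes fail and
     * the scan silently misses them, so tell the operator. */
    if (!enable_debug_privilege()) {
        printf("[!] Warning: SeDebugPrivilege not enabled, some processes will be skipped (run elevated).\n");
    }

    find_dll(argv[1]);

    printf("\n[+] Scaning ended, found %d occurences.\n", c);
    printf("Bye :)\n");
    getch();
    return 0;
}

/*
 * Enables SeDebugPrivilege on the current process token.
 * Returns 1 when the privilege is actually enabled, 0 otherwise.
 */
static int enable_debug_privilege(void)
{
    HANDLE token = NULL;
    TOKEN_PRIVILEGES tp;
    int enabled = 0;

    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token)) {
        return 0;
    }

    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid)) {
        /* AdjustTokenPrivileges returns TRUE even when the privilege is not
         * held by the token (non-admin); only GetLastError()==ERROR_SUCCESS
         * means it was really enabled. */
        if (AdjustTokenPrivileges(token, FALSE, &tp, 0, NULL, NULL) &&
            GetLastError() == ERROR_SUCCESS) {
            enabled = 1;
        }
    }

    CloseHandle(token);
    return enabled;
}

/*
 * Prints one match (process + module details), bumps the global counter and
 * waits for a key.  ESC aborts the whole program.
 *
 * filename - the name the user asked for (only echoed)
 * pe32     - the owning process entry
 * me32     - the matching module entry
 */
void display_info(char *filename, PROCESSENTRY32 pe32, MODULEENTRY32 me32)
{
    printf("\n --- MODULE OCCURENCY FOUND ---\n");
    printf("[+] %s found in %s (PID=0x%lX)\n", filename, pe32.szExeFile, pe32.th32ProcessID);
    /* %p: these are pointers; %x truncates them on a 64-bit build. */
    printf("[+] %s base located at: %p\n", filename, (void *)me32.modBaseAddr);
    printf("[+] %s handle in process: %p\n", filename, (void *)me32.hModule);
    printf("[+] %s size of module: 0x%lX bytes\n", filename, me32.modBaseSize);
    printf("[+] %s path: %s\n", filename, me32.szExePath);
    printf(" --- PRESS ANY KEY TO CONTINUE ---\n\n");

    c++;

    /* ESC stops the scan; exit with a defined status so scripts can rely on it. */
    if (getch() == KEY_ESC) {
        exit(0);
    }
}

/*
 * Enumerates the modules of one process and reports every one whose base name
 * equals filename (case-insensitive).
 *
 * Returns TRUE when the module list could be read, FALSE when the snapshot
 * could not be taken (access denied, 64-bit target from a 32-bit scanner, ...).
 * A failure is reported and the caller moves on to the next process.
 */
static int scan_process(char *filename, const PROCESSENTRY32 *pe32)
{
    HANDLE hMSnap = INVALID_HANDLE_VALUE;
    MODULEENTRY32 me32;
    DWORD err = 0;
    BOOL more;
    int attempt;

    /* SNAPMODULE32 also lists the WOW64 (32-bit) modules of a 32-bit target
     * when the scanner itself is 64-bit. */
    for (attempt = 0; attempt < SNAPSHOT_RETRIES; attempt++) {
        hMSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32,
                                          pe32->th32ProcessID);
        if (hMSnap != INVALID_HANDLE_VALUE) {
            break;
        }
        err = GetLastError();   /* saved before anything else can clobber it */
        if (err != ERROR_BAD_LENGTH) {
            break;
        }
    }
    if (hMSnap == INVALID_HANDLE_VALUE) {
        printf("[!] Error: Cannot create modules snapshot for %s (PID=0x%lX), error=%lu\n",
               pe32->szExeFile, pe32->th32ProcessID, err);
        return FALSE;
    }

    printf("[+] Searching in %s (PID=0x%lX) for module occurency.\n",
           pe32->szExeFile, pe32->th32ProcessID);

    /* dwSize must be set or Module32First fails with ERROR_INVALID_PARAMETER. */
    me32.dwSize = sizeof(me32);
    more = Module32First(hMSnap, &me32);
    if (!more) {
        err = GetLastError();
        printf("[!] Error: Module32First() failed for %s (PID=0x%lX), error=%lu\n",
               pe32->szExeFile, pe32->th32ProcessID, err);
    }
    while (more) {
        if (_stricmp(filename, me32.szModule) == 0) {
            display_info(filename, *pe32, me32);
        }
        more = Module32Next(hMSnap, &me32);
    }

    CloseHandle(hMSnap);
    return TRUE;
}

/*
 * Takes a process snapshot and scans every process in it for filename.
 *
 * Returns TRUE when the process list was walked, FALSE when the process
 * snapshot itself could not be created or read.  Per-process module failures
 * are reported but do not stop the walk.
 */
int find_dll(char *filename)
{
    HANDLE hSnap;
    PROCESSENTRY32 pe32;
    DWORD err;
    BOOL more;

    hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap == INVALID_HANDLE_VALUE) {
        err = GetLastError();
        printf("[!] Error: Cannot create snapshot for processes, error=%lu\n", err);
        return FALSE;
    }
    printf("[+] Snapshot for processes created, handle=%p\n", (void *)hSnap);

    /* dwSize must be set or Process32First fails with ERROR_INVALID_PARAMETER. */
    pe32.dwSize = sizeof(pe32);
    more = Process32First(hSnap, &pe32);
    if (!more) {
        err = GetLastError();
        printf("[!] Error: Process32First() failed, error=%lu\n", err);
        CloseHandle(hSnap);
        return FALSE;
    }

    while (more) {
        scan_process(filename, &pe32);
        more = Process32Next(hSnap, &pe32);
    }

    CloseHandle(hSnap);
    return TRUE;
}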