feat: initial commit

2023-09-09 09:43:16 +02:00
commit 127676d562
7 changed files with 376 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,2 @@
+.vs
+x64/
--- a/DllFinder.sln
+++ b/DllFinder.sln
@@ -0,0 +1,31 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 17
+VisualStudioVersion = 17.1.32407.343
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DllFinder", "DllFinder.vcxproj", "{C85A8C3B-1C6C-48AF-8327-4BA51970AB87}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|x64 = Debug|x64
+		Debug|x86 = Debug|x86
+		Release|x64 = Release|x64
+		Release|x86 = Release|x86
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{C85A8C3B-1C6C-48AF-8327-4BA51970AB87}.Debug|x64.ActiveCfg = Debug|x64
+		{C85A8C3B-1C6C-48AF-8327-4BA51970AB87}.Debug|x64.Build.0 = Debug|x64
+		{C85A8C3B-1C6C-48AF-8327-4BA51970AB87}.Debug|x86.ActiveCfg = Debug|Win32
+		{C85A8C3B-1C6C-48AF-8327-4BA51970AB87}.Debug|x86.Build.0 = Debug|Win32
+		{C85A8C3B-1C6C-48AF-8327-4BA51970AB87}.Release|x64.ActiveCfg = Release|x64
+		{C85A8C3B-1C6C-48AF-8327-4BA51970AB87}.Release|x64.Build.0 = Release|x64
+		{C85A8C3B-1C6C-48AF-8327-4BA51970AB87}.Release|x86.ActiveCfg = Release|Win32
+		{C85A8C3B-1C6C-48AF-8327-4BA51970AB87}.Release|x86.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {8B545DE4-1141-4EBB-9A1A-F8345A621D6F}
+	EndGlobalSection
+EndGlobal
--- a/DllFinder.vcxproj
+++ b/DllFinder.vcxproj
@@ -0,0 +1,147 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <VCProjectVersion>16.0</VCProjectVersion>
+    <Keyword>Win32Proj</Keyword>
+    <ProjectGuid>{c85a8c3b-1c6c-48af-8327-4ba51970ab87}</ProjectGuid>
+    <RootNamespace>DllFinder</RootNamespace>
+    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v143</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v143</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v143</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v143</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="Shared">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="main.cpp" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
--- a/DllFinder.vcxproj.filters
+++ b/DllFinder.vcxproj.filters
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Fichiers sources">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Fichiers d%27en-tête">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
+    </Filter>
+    <Filter Include="Fichiers de ressources">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="main.cpp">
+      <Filter>Fichiers sources</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
--- a/DllFinder.vcxproj.user
+++ b/DllFinder.vcxproj.user
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LocalDebuggerCommand>$(TargetPath)</LocalDebuggerCommand>
+    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
+    <LocalDebuggerCommandArguments>
+    </LocalDebuggerCommandArguments>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <LocalDebuggerCommandArguments>21660</LocalDebuggerCommandArguments>
+    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
+  </PropertyGroup>
+</Project>
--- a/README.md
+++ b/README.md
@@ -0,0 +1,57 @@
+# DllFinder
+A simple tool to find manual mapped DLLs in a target process.
+
+# Usage
+`DllFinder.exe [PID`
+
+# Example output
+```
+C:\Users\patate>DllFinder.exe 11828
+PID : 11828
+notepad.exe --> 0x00007FF7972A0000
+ntdll.dll --> 0x00007FFBBF6F0000
+KERNEL32.DLL --> 0x00007FFBBF3E0000
+KERNELBASE.dll --> 0x00007FFBBCEB0000
+GDI32.dll --> 0x00007FFBBDEC0000
+win32u.dll --> 0x00007FFBBCDD0000
+gdi32full.dll --> 0x00007FFBBD630000
+msvcp_win.dll --> 0x00007FFBBD1B0000
+ucrtbase.dll --> 0x00007FFBBD280000
+USER32.dll --> 0x00007FFBBED70000
+combase.dll --> 0x00007FFBBDA30000
+RPCRT4.dll --> 0x00007FFBBEB20000
+shcore.dll --> 0x00007FFBBF600000
+msvcrt.dll --> 0x00007FFBBE6B0000
+COMCTL32.dll --> 0x00007FFBA4BB0000
+IMM32.DLL --> 0x00007FFBBD980000
+bcryptPrimitives.dll --> 0x00007FFBBD4E0000
+ADVAPI32.dll --> 0x00007FFBBF4B0000
+sechost.dll --> 0x00007FFBBF560000
+kernel.appcore.dll --> 0x00007FFBBAC90000
+uxtheme.dll --> 0x00007FFBBA7C0000
+clbcatq.dll --> 0x00007FFBBD8D0000
+MrmCoreR.dll --> 0x00007FFBAB9C0000
+SHELL32.dll --> 0x00007FFBBDEF0000
+windows.storage.dll --> 0x00007FFBBAE90000
+Wldp.dll --> 0x00007FFBBC810000
+shlwapi.dll --> 0x00007FFBBF380000
+MSCTF.dll --> 0x00007FFBBEC50000
+OLEAUT32.dll --> 0x00007FFBBEA50000
+TextShaping.dll --> 0x00007FFBAF610000
+efswrt.dll --> 0x00007FFB9E060000
+MPR.dll --> 0x00007FFBA0C50000
+wintypes.dll --> 0x00007FFBB9960000
+twinapi.appcore.dll --> 0x00007FFBB6B80000
+oleacc.dll --> 0x00007FFBA4A50000
+textinputframework.dll --> 0x00007FFBABEF0000
+CoreMessaging.dll --> 0x00007FFBBA390000
+WS2_32.dll --> 0x00007FFBBE900000
+CoreUIComponents.dll --> 0x00007FFBBA030000
+ntmarta.dll --> 0x00007FFBBBF30000
+vcruntime140.dll --> 0x00007FFB9F640000
+Found 41 modules.
+Finding manual mapped dlls..
+
+Module found --> 0x0000000180000000
+Found 1 modules.
+```
--- a/main.cpp
+++ b/main.cpp
@@ -0,0 +1,104 @@
+#include <Windows.h>
+#include <Psapi.h>
+#include <vector>
+#include <string>
+#include <iostream>
+#include <fstream>
+#include <sstream>
+#include <stdio.h>
+
+#define HEADER_SIZE 0x1000 
+
+bool address_in_vector(LPVOID addr, std::vector<std::pair<std::string, LPVOID>> modules, std::string &name) {
+    // Check if the target_address is present in the vector
+    for (const auto& module : modules) {
+        if (module.second == addr) {
+            name = module.first;
+            return true;
+        }
+    }
+    return false;
+}
+
+int main(int argc, char** argv) {
+	if (argc != 2) {
+		printf("Usage: DllFinder.exe [PID]\n");
+		return 1;
+	}
+
+	int pid;
+	sscanf_s(argv[1], "%d", &pid);
+
+	if (pid < 0) {
+		printf("Bad PID value\n");
+		return 1;
+	}
+
+	printf("PID : %d\n", pid);
+
+	HANDLE proc_handle = OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, TRUE, pid);
+	if (proc_handle == nullptr) {
+		printf("Could not open the process\n");
+		return 1;
+	}
+	
+	std::vector<std::pair<std::string, LPVOID>> modules = {};
+
+    int mod_count = 0;
+	HMODULE module_handles[1024];
+    DWORD needed;
+    if (EnumProcessModulesEx(proc_handle, module_handles, sizeof(module_handles), &needed, LIST_MODULES_ALL)) {
+        int module_count = needed / sizeof(HMODULE);
+
+        for (int i = 0; i < module_count; i++) {
+            TCHAR module_name[MAX_PATH];
+            MODULEINFO module_info;
+
+            if (GetModuleBaseName(proc_handle, module_handles[i], module_name, sizeof(module_name) / sizeof(TCHAR))) {
+                if (GetModuleInformation(proc_handle, module_handles[i], &module_info, sizeof(module_info))) {
+                    // module_name now contains the name of the DLL
+                    std::wstring wide_module_name(module_name);
+                    std::string module_name_str(wide_module_name.begin(), wide_module_name.end());
+
+					modules.push_back(std::make_pair(module_name_str, module_info.lpBaseOfDll));
+                    // module_name_str now contains the name as a std::string
+                    std::cout << module_name_str;
+                    std::cout << " --> 0x" << std::hex << module_info.lpBaseOfDll << "\n";
+                    ++mod_count;
+                }
+            }
+        }
+    }
+
+    printf("Found %d modules.\n", mod_count);
+	printf("Finding manual mapped dlls..\n\n");
+
+	MEMORY_BASIC_INFORMATION mem_info;
+    LPVOID current_address = 0;
+    int m_mod_count = 0;
+    while (VirtualQueryEx(proc_handle, current_address, &mem_info, sizeof(mem_info))) {
+        if (mem_info.RegionSize == HEADER_SIZE) { //sizeof(header)
+            short mz = 0;
+            ReadProcessMemory(proc_handle, mem_info.BaseAddress, &mz, sizeof(mz), NULL);
+
+            if (mz == 0x5a4d) { //'ZM'
+                std::string mod_name;
+                if (address_in_vector(current_address, modules, mod_name)) {
+                }
+                else {
+                    std::string out_name;
+                    std::cout << "Module found --> 0x" << std::hex << current_address << std::endl;
+                    ++m_mod_count;
+                }
+            }
+        }
+
+        // Move to the next memory region
+        current_address = (LPVOID)((DWORD_PTR)mem_info.BaseAddress + mem_info.RegionSize);
+    }
+
+    printf("Found %d modules.\n", m_mod_count);
+
+	CloseHandle(proc_handle);
+	return 0;
+}