
How can I get all loaded DLLs in my process?

Stack Overflow user
Asked on 2022-09-15 12:02:23
Answers: 2, Views: 129, Followers: 0, Votes: 0

Project folder path: F:\workspace\VantageAddin\aiscreenshotaddin\src\AIScreenshotAddin\bin\x64\Release\AIScreenshot

Files in the folder above:

  • app.exe
  • 1.dll
  • 2.dll
  • 3.dll

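Problem description:

In my WPF project folder there is an app.exe and several DLL files (for example 1.dll, 2.dll, 3.dll). app.exe will load some of them (not all) into its process space.

All of the exe and DLL files are signed. I need to check which DLL files are loaded and then check their signatures. If all loaded DLL files are signed, the main function continues.

This is to prevent an attacker from replacing some of the DLL files, or placing unsigned DLL files in the project folder. Therefore I will not check all the DLL files in the folder, only the loaded ones.

I use the code below to get information about the loaded DLLs.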

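    // Requires: using System.Diagnostics; using System.IO;
    // Logs every module that Process.Modules reports for the current process.
    Process myProcess = Process.GetCurrentProcess();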
    foreach (ProcessModule module in myProcess.Modules)
    {
        Logger.Debug(ClassName, $", dll module, FileName: {module.FileName}, BaseAddress: {module.BaseAddress}, ModuleName: {module.ModuleName}");
        File.AppendAllText("D:\\111.txt", $"dll module, FileName: {module.FileName}, BaseAddress: {module.BaseAddress}, ModuleName: {module.ModuleName}");
        File.AppendAllText("D:\\111.txt", Environment.NewLine);
    }

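The result is below. As you can see, only the first item, app.exe, is from the project folder, and the DLL files loaded from the project folder (1.dll, 2.dll, 3.dll) are not detected.

Why? And how can I find them?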

    dll module, FileName: F:\workspace\VantageAddin\aiscreenshotaddin\src\AIScreenshotAddin\bin\x64\Release\AIScreenshot\app.exe, BaseAddress: 1790275420160, ModuleName: app.exe
    dll module, FileName: C:\windows\SYSTEM32\ntdll.dll, BaseAddress: 140723926794240, ModuleName: ntdll.dll
    dll module, FileName: C:\windows\SYSTEM32\MSCOREE.DLL, BaseAddress: 140723452182528, ModuleName: MSCOREE.DLL
    dll module, FileName: C:\windows\System32\KERNEL32.dll, BaseAddress: 140723902611456, ModuleName: KERNEL32.dll
    dll module, FileName: C:\windows\System32\KERNELBASE.dll, BaseAddress: 140723885113344, ModuleName: KERNELBASE.dll
    dll module, FileName: C:\ProgramData\Symantec\Symantec Endpoint Protection\14.3.5427.3000.105\Data\Sysfer\x64\sysfer.dll, BaseAddress: 1615527936, ModuleName: sysfer.dll
    dll module, FileName: C:\windows\System32\ADVAPI32.dll, BaseAddress: 140723907002368, ModuleName: ADVAPI32.dll
    dll module, FileName: C:\windows\System32\msvcrt.dll, BaseAddress: 140723913555968, ModuleName: msvcrt.dll
    dll module, FileName: C:\windows\System32\sechost.dll, BaseAddress: 140723895336960, ModuleName: sechost.dll
    dll module, FileName: C:\windows\System32\RPCRT4.dll, BaseAddress: 140723898482688, ModuleName: RPCRT4.dll
    dll module, FileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll, BaseAddress: 140723443662848, ModuleName: mscoreei.dll
    dll module, FileName: C:\windows\System32\SHLWAPI.dll, BaseAddress: 140723900907520, ModuleName: SHLWAPI.dll
    dll module, FileName: C:\windows\SYSTEM32\kernel.appcore.dll, BaseAddress: 140723849461760, ModuleName: kernel.appcore.dll
    dll module, FileName: C:\windows\SYSTEM32\VERSION.dll, BaseAddress: 140723720749056, ModuleName: VERSION.dll
    dll module, FileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll, BaseAddress: 140723401850880, ModuleName: clr.dll
    dll module, FileName: C:\windows\System32\USER32.dll, BaseAddress: 140723915390976, ModuleName: USER32.dll
    dll module, FileName: C:\windows\System32\win32u.dll, BaseAddress: 140723883933696, ModuleName: win32u.dll
    dll module, FileName: C:\windows\System32\GDI32.dll, BaseAddress: 140723894353920, ModuleName: GDI32.dll
    dll module, FileName: C:\windows\System32\gdi32full.dll, BaseAddress: 140723891798016, ModuleName: gdi32full.dll
    dll module, FileName: C:\windows\System32\msvcp_win.dll, BaseAddress: 140723884457984, ModuleName: msvcp_win.dll
    dll module, FileName: C:\windows\System32\ucrtbase.dll, BaseAddress: 140723889111040, ModuleName: ucrtbase.dll
    dll module, FileName: C:\windows\SYSTEM32\VCRUNTIME140_CLR0400.dll, BaseAddress: 140723419938816, ModuleName: VCRUNTIME140_CLR0400.dll
    dll module, FileName: C:\windows\SYSTEM32\ucrtbase_clr0400.dll, BaseAddress: 140723419152384, ModuleName: ucrtbase_clr0400.dll
    dll module, FileName: C:\windows\System32\IMM32.DLL, BaseAddress: 140723893633024, ModuleName: IMM32.DLL
    dll module, FileName: C:\windows\System32\ole32.dll, BaseAddress: 140723901366272, ModuleName: ole32.dll
    dll module, FileName: C:\windows\System32\combase.dll, BaseAddress: 140723903463424, ModuleName: combase.dll
    dll module, FileName: C:\Program Files\Cybereason ActiveProbe\Powereason_64\Powereason.dll, BaseAddress: 140723007913984, ModuleName: Powereason.dll
    dll module, FileName: C:\windows\System32\OLEAUT32.dll, BaseAddress: 140723896909824, ModuleName: OLEAUT32.dll
    dll module, FileName: C:\windows\System32\WS2_32.dll, BaseAddress: 140723907723264, ModuleName: WS2_32.dll
    dll module, FileName: C:\windows\SYSTEM32\WSOCK32.dll, BaseAddress: 140723422363648, ModuleName: WSOCK32.dll
    dll module, FileName: C:\windows\SYSTEM32\IPHLPAPI.DLL, BaseAddress: 140723871744000, ModuleName: IPHLPAPI.DLL
    dll module, FileName: C:\windows\system32\mswsock.dll, BaseAddress: 140723875282944, ModuleName: mswsock.dll
    dll module, FileName: C:\windows\system32\wshunix.dll, BaseAddress: 140723697287168, ModuleName: wshunix.dll
    dll module, FileName: C:\windows\SYSTEM32\CRYPTSP.dll, BaseAddress: 140723877314560, ModuleName: CRYPTSP.dll
    dll module, FileName: C:\windows\system32\rsaenh.dll, BaseAddress: 140723868008448, ModuleName: rsaenh.dll
    dll module, FileName: C:\windows\System32\bcrypt.dll, BaseAddress: 140723890159616, ModuleName: bcrypt.dll
    dll module, FileName: C:\windows\SYSTEM32\CRYPTBASE.dll, BaseAddress: 140723877445632, ModuleName: CRYPTBASE.dll
    dll module, FileName: C:\windows\System32\bcryptPrimitives.dll, BaseAddress: 140723888521216, ModuleName: bcryptPrimitives.dll
    dll module, FileName: C:\windows\system32\uxtheme.dll, BaseAddress: 140723843366912, ModuleName: uxtheme.dll
    dll module, FileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll, BaseAddress: 140723358334976, ModuleName: clrjit.dll
    dll module, FileName: C:\windows\System32\shell32.dll, BaseAddress: 140723917094912, ModuleName: shell32.dll
    dll module, FileName: C:\windows\SYSTEM32\windows.storage.dll, BaseAddress: 140723851558912, ModuleName: windows.storage.dll
    dll module, FileName: C:\windows\SYSTEM32\Wldp.dll, BaseAddress: 140723878035456, ModuleName: Wldp.dll
    dll module, FileName: C:\windows\System32\SHCORE.dll, BaseAddress: 140723897761792, ModuleName: SHCORE.dll
    dll module, FileName: C:\windows\System32\psapi.dll, BaseAddress: 140723903397888, ModuleName: psapi.dll

More:

The signature to check is shown below. I think this has nothing to do with strong names.


2 Answers

Stack Overflow user

Posted on 2022-09-15 13:01:15

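From a general point of view, this does not work. You cannot look at the list of loaded modules and then decide whether something is allowed, because by then it is too late: the module has already had a chance to execute code.

If you have some kind of plugin support in your application, you should open the file first (denying write), and if it passes the test you can load it and then close the file handle.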

Votes: 1

Stack Overflow user

Posted on 2022-09-15 13:54:42

Process only contains information about Win32 DLLs. For .NET DLLs, you should use the AppDomain.GetAssemblies method to get their information.

    var assemblies = AppDomain.CurrentDomain.GetAssemblies();

    foreach (var assembly in assemblies)
    {
        if (assembly.FullName == "Your target dll's full name")
        {
            // something you wanted to do
        }

    }
Votes: 0
Original page content provided by Stack Overflow. Translation support provided by the Tencent Cloud Xiaowei IT-domain engine.
Original link:

https://stackoverflow.com/questions/73730788
