#include <windows.h> #include <strsafe.h> #include
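/* NOTE: these two macros only affect what <windows.h> pulls in when they are
 * defined BEFORE it is included; as laid out here they follow the include and
 * so currently change nothing. */
#define WIN32_LEAN_AND_MEAN
#define VC_EXTRALEAN

/* Code-section bounds; not referenced by the code visible in this unit. */
#define CODEBEGIN 0x00401000
#define CODEEND   0x004019FE

/* Number of entries in modAllowedArray below. */
#define modAllowedSize 11

/* Allowlist of module base names expected inside this process. Each loaded
 * module's base name is matched against this list case-insensitively (the
 * loader reports e.g. "ADVAPI32.dll" while the list spells "ADVAPI32.DLL"). */
const char modAllowedArray[][255] = {
    "ADVAPI32.DLL",
    "ntdll.dll",
    "RPCRT4.dll",
    "Secur32.dll",
    "PSAPI.DLL",
    "kernel32.dll",
    "USER32.dll",
    "GDI32.dll",
    "MSVCR90.dll",
    "IMM32.DLL",
    "Killing Bad Threads.exe"
};

/* Returns the base name of a module path (the text after the last '\\'),
 * or the whole string when it contains no backslash. Unlike strtok() this
 * neither modifies the input nor depends on static state. */
static const char *module_base_name(const char *path)
{
    const char *lastSep = strrchr(path, '\\');
    return lastSep != NULL ? lastSep + 1 : path;
}

/* Returns nonzero when name equals an allowlist entry (case-insensitive,
 * whole string). The original compared only the first character of the two
 * names, which accepted any module whose name merely started with the same
 * letter as an allowed one.
 * Caveat: this matches on base name only, so a module with an expected name
 * loaded from an unexpected directory is not distinguished here; pair it with
 * a path or image check if that matters for the deployment. */
static int is_allowed_module(const char *name)
{
    for (int j = 0; j < modAllowedSize; j++) {
        if (_stricmp(modAllowedArray[j], name) == 0) {
            return 1;
        }
    }
    return 0;
}

/* Shows the fatal-error dialog used whenever the loaded-module set does not
 * match expectations. The caller decides how to terminate. */
static void report_unknown_module(void)
{
    MessageBox(0, "Unknown module loaded to memory!", "Fatal error", MB_OK);
}

/* Entry point: enumerates every module loaded in this process and compares
 * the set against modAllowedArray.
 *
 * Returns EXIT_SUCCESS when every loaded module is on the allowlist, every
 * allowlisted module is present, and module information could be read for
 * each of them; returns -1 (after a dialog, except for the enumeration-buffer
 * overflow case) otherwise. Failure to enumerate at all is treated as a
 * failed check rather than as "nothing detected". */
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd)
{
    HMODULE modArray[1024];
    DWORD cbNeeded = 0;        /* bytes EnumProcessModules needs, not a module count */
    int modAllowedQ = 0;       /* loaded modules found on the allowlist */
    int noBaseAddress = 0;     /* modules whose information could not be read / base is NULL */
    int unknownModules = 0;    /* loaded modules absent from the allowlist */
    char modFileName[MAX_PATH];

    (void)hInstance;
    (void)hPrevInstance;
    (void)lpCmdLine;
    (void)nShowCmd;

    if (!EnumProcessModules(GetCurrentProcess(), modArray, (DWORD)sizeof modArray, &cbNeeded)) {
        /* Could not inspect the process at all: do not report success. */
        report_unknown_module();
        return -1;
    }

    /* cbNeeded larger than the buffer means the module list was truncated,
     * so the check below would be incomplete. */
    if (cbNeeded > sizeof modArray) {
        return -1;
    }

    DWORD modCount = cbNeeded / sizeof(HMODULE);
    for (DWORD i = 0; i < modCount; i++) {
        /* Resolve the path once per module (the original did it once per
         * allowlist entry). 0 means failure; a value >= the buffer size means
         * the path may be truncated and cannot be matched reliably. */
        DWORD len = GetModuleFileName(modArray[i], modFileName, MAX_PATH);
        if (len == 0 || len >= MAX_PATH) {
            report_unknown_module();
            return -1;
        }

        if (!is_allowed_module(module_base_name(modFileName))) {
            unknownModules++;
            continue;
        }
        modAllowedQ++;

        /* Query the enumerated handle itself rather than re-resolving the
         * allowlist name with GetModuleHandle(): the handle is what is
         * actually loaded. A failed query left modInfo uninitialised in the
         * original; here a failure or a NULL base counts as a module that
         * cannot be vouched for. */
        MODULEINFO modInfo = {0};
        if (!GetModuleInformation(GetCurrentProcess(), modArray[i], &modInfo, sizeof modInfo)
            || modInfo.lpBaseOfDll == NULL) {
            noBaseAddress++;
        }
        /* To fingerprint a module by base address, entry point or image size,
         * format the fields of modInfo here, e.g.
         *   snprintf(buf, sizeof buf, "%p", modInfo.lpBaseOfDll); */
    }

    /* Any unknown module, any unreadable module, or fewer matches than the
     * allowlist holds (the original's strict "every expected module must be
     * present" condition) is fatal. The original tested noBaseAddress != 1,
     * which with a valid handle per module could never pass; != 0 is the
     * condition the surrounding logic implies. */
    if (unknownModules != 0 || noBaseAddress != 0 || modAllowedQ < modAllowedSize) {
        report_unknown_module();
        return -1;
    }

    MessageBox(0, "Nothing evil detected.", "Success?", MB_OK);
    return EXIT_SUCCESS;
}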