ModuleStomped

This is a very rough PoC that aims to detect module-stomped DLLs by checking the .pdata section of each loaded module. This is more reliable than checking the .text section: .text is legitimately modified at runtime (inline hooks from EDR/AV are the usual case), whereas .pdata holds the x64 exception-unwind table (RUNTIME_FUNCTION entries) and should never change once the module is mapped, so any difference is a much stronger signal. Across all processes on my dev machine, it only picked out the C2 in memory performing module stomping.

An obvious bypass to this would be to find a host DLL with a .text section large enough to fit your entire payload DLL and then re-add the host DLL's .pdata section manually, so the section this scanner checks still looks intact.

However, this could also be detected by correlating stack frames with .pdata (a return address that lies inside a module but does not unwind cleanly through that module's RUNTIME_FUNCTION table has no business being there), but I decided not to implement this.
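The following is an added example, not code from the ModuleStomped project, showing both checks discussed above on a constructed PE. It assumes the .pdata check is a byte comparison of the mapped section against the on-disk copy (the README does not spell out how the section is checked), takes the section layout from the on-disk headers rather than the possibly stomped in-memory ones, and implements the stack-frame correlation only as range membership in the RUNTIME_FUNCTION table rather than a full unwind. build_pe, build_host and stomp are stand-ins for reading a real module from disk and from process memory; the host DLL, its two functions and the sample return addresses are constructed for the demo.

```python
import struct
from dataclasses import dataclass

SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
RUNTIME_FUNCTION = "<III"      # x64 RUNTIME_FUNCTION: BeginAddress, EndAddress, UnwindInfoAddress


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_pointer: int
    raw_size: int


def parse_sections(image):
    """DOS header -> NT headers -> section table. Headers sit at offset 0 both on disk
    and in the mapped module, so this works on either view."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if bytes(image[e_lfanew:e_lfanew + 4]) != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", image, e_lfanew + 6)[0]       # FileHeader.NumberOfSections
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]   # FileHeader.SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsect):
        name, vsize, va, rsize, rptr = struct.unpack_from(SECTION_HDR, image, table + 40 * i)[:5]
        sections.append(Section(name.rstrip(b"\0").decode(), va, vsize, rptr, rsize))
    return sections


def section_bytes(image, sec, mapped):
    """On disk a section starts at PointerToRawData; in a loaded module it starts at
    ImageBase + VirtualAddress. Mixing the two up is the classic bug in this kind of scanner."""
    start = sec.virtual_address if mapped else sec.raw_pointer
    return bytes(image[start:start + sec.raw_size])


def pdata_stomped(disk_image, mem_image):
    """The .pdata check: the mapped .pdata must equal the on-disk .pdata. The layout comes
    from the on-disk headers only, since in-memory headers may have been overwritten too.
    Returns None when the module has no .pdata (e.g. x86) and so cannot be judged."""
    pdata = next((s for s in parse_sections(disk_image) if s.name == ".pdata"), None)
    if pdata is None:
        return None
    return section_bytes(disk_image, pdata, False) != section_bytes(mem_image, pdata, True)


def uncovered_return_addresses(disk_image, return_rvas):
    """Simplified stack-frame correlation: a return address inside .text but inside no
    RUNTIME_FUNCTION range cannot be code the compiler emitted there (every function that
    makes a call is non-leaf and must have an entry). Returns the offending RVAs. A full
    implementation would also unwind using UnwindInfo and compare frame sizes."""
    secs = {s.name: s for s in parse_sections(disk_image)}
    text, table = secs[".text"], section_bytes(disk_image, secs[".pdata"], False)
    ranges = []
    for off in range(0, len(table) - len(table) % 12, 12):
        begin, end, _unwind = struct.unpack_from(RUNTIME_FUNCTION, table, off)
        if begin == 0 and end == 0:
            break                                   # zero padding at the end of the section
        ranges.append((begin, end))
    return [rva for rva in return_rvas
            if text.virtual_address <= rva < text.virtual_address + text.virtual_size
            and not any(b <= rva < e for b, e in ranges)]


def build_pe(sections):
    """Constructed minimal PE32+ (not a real DLL): returns (file_image, mapped_image).
    Section i is placed at file offset 0x400*(i+1) and at RVA 0x1000*(i+1)."""
    opt_size, n = 0xF0, len(sections)                   # IMAGE_OPTIONAL_HEADER64 size
    file_img = bytearray(0x400 * (n + 1))
    file_img[0:2] = b"MZ"
    struct.pack_into("<I", file_img, 0x3C, 0x40)        # e_lfanew
    file_img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", file_img, 0x44, 0x8664, n)  # Machine = AMD64, NumberOfSections
    struct.pack_into("<H", file_img, 0x54, opt_size)
    struct.pack_into("<H", file_img, 0x58, 0x20B)       # PE32+ magic
    table = 0x58 + opt_size
    for i, (name, data) in enumerate(sections):
        va, rptr = 0x1000 * (i + 1), 0x400 * (i + 1)
        assert len(data) <= 0x400
        struct.pack_into(SECTION_HDR, file_img, table + 40 * i, name.encode().ljust(8, b"\0"),
                         len(data), va, len(data), rptr, 0, 0, 0, 0, 0x60000020)
        file_img[rptr:rptr + len(data)] = data
    mapped = bytearray(0x1000 * (n + 1))
    mapped[:0x400] = file_img[:0x400]                   # headers are mapped unchanged
    for sec in parse_sections(file_img):
        mapped[sec.virtual_address:sec.virtual_address + sec.raw_size] = section_bytes(file_img, sec, False)
    return bytes(file_img), bytes(mapped)


def build_host():
    """Constructed stand-in for a legitimate x64 DLL: 0x100 bytes of .text with two functions
    at RVA 0x1000-0x1040 and 0x1040-0x1080 described by two RUNTIME_FUNCTION entries
    (the UnwindInfo RVA is a placeholder and is not validated here)."""
    text = b"\xC3" * 0x100
    pdata = struct.pack(RUNTIME_FUNCTION, 0x1000, 0x1040, 0x2100) + \
            struct.pack(RUNTIME_FUNCTION, 0x1040, 0x1080, 0x2100)
    return build_pe([(".text", text), (".pdata", pdata)])


def stomp(mapped, rva, payload):
    """Simulate an attacker overwriting the mapped module at `rva` with `payload`."""
    out = bytearray(mapped)
    out[rva:rva + len(payload)] = payload
    return bytes(out)


if __name__ == "__main__":
    disk, clean = build_host()
    print("clean module, .pdata altered:", pdata_stomped(disk, clean))
    whole = stomp(clean, 0x1000, b"\xCC" * 0x1100)      # naive stomp spills over .pdata at RVA 0x2000
    print("whole-image stomp, .pdata altered:", pdata_stomped(disk, whole))
    text_only = stomp(clean, 0x1000, b"\xCC" * 0x100)   # the bypass: payload fits inside .text
    print("text-only stomp, .pdata altered:", pdata_stomped(disk, text_only))
    print("return addresses outside the unwind table:",
          [hex(r) for r in uncovered_return_addresses(disk, [0x1010, 0x10A0])])
```

Against a real process the two images would come from reading the DLL file and from ReadProcessMemory at the module base; everything else stays the same. The last call shows the limit of the range-membership version of the stack check: a return address at 0x1010 passes because it sits inside a function the host DLL really has, so a payload that keeps its return addresses inside the host's original function ranges would only be caught by unwinding with the UnwindInfo as well.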

Modes

ETW

This tool has an ETW mode, where it waits for ImageLoad events; if the loaded image is within a set list of DLLs, the loading process is scanned. This is purely an example, a better detection point would have been the ETW-TI (Threat Intelligence) VirtualProtect event; however, I didn't want to write a driver.

Process Scanner

Executing the application without any arguments takes the process scanner path: it scans all processes accessible to OpenProcess, enumerates all modules within each process and checks the .pdata of each module. This takes a few seconds and is quite slow.

Usage

  • Run as Administrator

Process Scanner

.\ModuleStomped

ETW

.\ModuleStomped etw