This is the mail archive of the cygwin-talk mailing list for the cygwin project.



RE: The Big List of Dodgy Apps


Dave Korn wrote on Tuesday, March 20, 2007 7:00 PM::

> On 20 March 2007 18:45, Brian Dessent wrote:
> 
>> Dave Korn wrote:
>> 
>>>> I would think it was possible to have cygcheck do something like
>>>> sysinternals' process explorer does to get the DLL list, but to do
>>>> it only on itself - essentially asking the question "to which DLLs
>>>> am I linked?"  The expected DLLs can be eliminated from all
>>>> enquiries.  If the fingerprint of a known offender is detected, it
>>>> can be reported as such.  Anything else can be reported as a
>>>> "potential problem". 
>>> 
>>>   This seems a reasonably good idea.  I was thinking at one point of
>>> adding it to the cygwin crashdump routines invoked after fork()
>>> errors. 
>> 
>> It won't work to check "to which DLLs am I linked", at least not in
>> the way of inspecting the PE headers of the file on disk.  The
>> injecting is dynamic, through system hook functions, so you have to
>> use the DebugHlp/ImageHlp libraries to inspect the process space,
>> IIRC. 
> 
> 
>   Yes, that's what I meant too; I was skipping over the minor
> inaccuracy in Phil's terminology because I'm sure that's what he
> intended. 
> 
> 
>     cheers,
>       DaveK

Absolutely.  I was using "linked" in its broadest sense.  I'm not a 
Windows coder (always leaves me feeling dirty - and not in a good way),
so what would be the proper term for "files linked into my process 
right now, however they got there"?

I didn't want to restrict it to just injected code because that would 
miss the chance of spotting, say, a known bad version of msvcrt.dll, and
there's no reason why the blacklist shouldn't include a cygwin library,
should a rogue hippo ever make it out of the water-hole.

Speaking of which, is this cygwin's secret sponsor:
http://www.thatimagesite.com/image/1485

Phil
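The check Phil and Brian are describing, written up as an added example rather than anything from this thread or from cygcheck: enumerate the modules the loader currently has in this process (the live process space, not the PE headers on disk), drop the expected ones, flag known offenders by name plus version string, and report whatever is left as a potential problem. The $Expected and $KnownBad lists are constructed placeholders, not real BLODA fingerprints.

```powershell
# Added example, not code from the thread or from cygcheck.
# Lists every module loaded into this process, however it got there,
# and sorts each one into expected / known offender / potential problem.

# Modules a plain process is expected to carry (constructed placeholder list).
$Expected = @('ntdll.dll', 'kernel32.dll', 'kernelbase.dll', 'user32.dll', 'cygwin1.dll')

# Known offenders keyed by file name; the value is the FileVersion string of the
# bad build, or '*' for "any version". Placeholder entries, not real fingerprints.
$KnownBad = @{
    'example-hook.dll' = '*'         # hypothetical: any build of this module is a problem
    'msvcrt.dll'       = '0.0.0.0'   # hypothetical: only this specific build is a problem
}

function Get-LoadedModuleReport {
    # Default to the calling process itself: "to which DLLs am I linked right now?"
    # Process.Modules reads the live loader list, so injected DLLs show up too.
    param($Modules = (Get-Process -Id $PID).Modules)

    foreach ($m in $Modules) {
        $name = $m.ModuleName
        $ver  = $m.FileVersionInfo.FileVersion

        # Hashtable keys and -contains are case-insensitive in PowerShell.
        $status =
            if ($Expected -contains $name) { 'expected' }
            elseif ($KnownBad.ContainsKey($name) -and
                    ($KnownBad[$name] -eq '*' -or $KnownBad[$name] -eq $ver)) { 'KNOWN OFFENDER' }
            else { 'potential problem' }

        [pscustomobject]@{
            Status  = $status
            Module  = $name
            Version = $ver
            Path    = $m.FileName
        }
    }
}

# Show only the lines a cygcheck-style report would care about.
Get-LoadedModuleReport | Where-Object { $_.Status -ne 'expected' } | Format-Table -AutoSize
```

Running it from a 32-bit shell against a 64-bit host (or the reverse) can make Process.Modules throw, so inspect from a shell of the same bitness as the process you care about.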

