How to unload a memory-resident system dll from memory?

Hi all;

I want to inactivate process monitoring for a while, and because this task
is done through the “secur32.dll” module, I want to unload it from memory for a
few seconds.

I’ve searched to see which processes use this dll OR which process loads it
into memory. I found that the “svchost.exe” process uses it, so I ran the
command below in the Windows 7 (32-bit) command prompt:

tasklist /m /fi "imagename eq svchost.exe"

and I saw a list as a result; I put part of it here:

////////////////////////////////////////////////////////////////////////////////
Image Name                     PID Modules
========================= ======== ============================================
svchost.exe                    696 ntdll.dll, kernel32.dll, KERNELBASE.dll,
                                   msvcrt.dll, sechost.dll, RPCRT4.dll,
svchost.exe                    800 ntdll.dll, kernel32.dll, KERNELBASE.dll,
                                   rpcepmap.dll, RpcRtRemote.dll, secur32.dll,
svchost.exe                    936 ntdll.dll, kernel32.dll, KERNELBASE.dll,
                                   msvcrt.dll, sechost.dll, RPCRT4.dll,
                                   secur32.dll, SSPICLI.DLL, credssp.dll,
…
////////////////////////////////////////////////////////////////////////////////

Multiple svchost.exe processes with the PIDs [800, 936, 1008, 1048, 1260,
1344, 1716, 1772, 2352, 2508, 3104] use secur32.dll.

I also ran the above command in Windows XP (32-bit) and saw a similar
result:

////////////////////////////////////////////////////////////////////////////////
Image Name                   PID Modules
========================= ====== =============================================
svchost.exe                  852 ntdll.dll, kernel32.dll, ADVAPI32.dll,
                                 RPCRT4.dll, ShimEng.dll, AcGenral.DLL,
                                 USER32.dll, GDI32.dll, WINMM.dll, ole32.dll,
                                 msvcrt.dll, OLEAUT32.dll, MSACM32.dll,
svchost.exe                  948 ntdll.dll, kernel32.dll, ADVAPI32.dll,
                                 RPCRT4.dll, ShimEng.dll, AcGenral.DLL,
                                 WS2HELP.dll, Secur32.dll, xpsp2res.dll,
…
////////////////////////////////////////////////////////////////////////////////

In the above list, processes with PIDs [852, 948, 1064, 1328] use the
secur32.dll module.

Now, my question is:

How should I unload this dll for a while and afterward load it into memory
rapidly to prevent a SYSTEM CRASH?
I mean, how do I get a handle to a memory-resident dll (secur32.dll here!)
to unload it from memory?

I guess that I should first get the svchost.exe process handle (I don’t know
with which PID, of course!) and then use this handle to get the secur32.dll
handle. Then pass the dll handle to the unloadlibrary function, sleep some
milliseconds and then load the dll again into the svchost.exe process address
space to prevent a system crash.

But I don’t know which Windows functions I should use, respectively, to
implement these steps.
Or do you have another & better solution for this purpose?

Could you put sample code here to do this work in C++, please?

Thanks in Advance.

Let me have the honor of asking - “what problem are you trying to solve
that requires you unloading a particular dll?”

On 6/29/2012 11:50 AM, Bahareh Rostamiyan wrote:

—
NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

I’m writing security software that transfers an argument to another
program, and I don’t want this argument to be monitored in memory.
So, I’ve decided to inactivate or stop process monitoring (through
secur32.dll unloading) for a short time to transfer the argument securely
(invisible to other programs and processes!).

I’ve tried many methods to hide & protect this argument from being captured,
but the remaining method is this, I think!

Thus, in order to prevent breaking OS functionality, it must be loaded into
the svchost.exe address space quickly (after my argument transmission).

I want to find a working procedure to do this job.

For example, using some functions like GetModuleHandle, FreeLibrary and
LoadLibrary…

But the LoadLibrary function loads the dll into the calling process address
space (here, my program), not the svchost.exe process!

I’m looking for an appropriate solution to achieve this goal.

Do you have any suggestion to do this work, please?!

On Fri, Jun 29, 2012 at 3:59 PM, lorddoskias wrote:


THIS WILL NOT WORK. Even if it did work, there are other ways to get
the data. As it is you will just crash the system which will in one
sense make it secure, if the system is down with a crash no one is
getting data from you.

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

“Bahareh Rostamiyan” wrote in message
news:xxxxx@ntdev:


Your description of your problem space is not adequate.
Try running tasklist /m secu* and watch the result, and decide on the
problem space first before looking for solutions to your problem.

On 6/29/12, Don Burn wrote:

The solution you’ve decided on (suspending process monitoring for a short period of time) is neither necessary nor sufficient to solve the problem you’ve listed (transferring argument data securely between modules).

Seriously.

You’ll need to find another solution.

For more information, see: http://www.osronline.com/downloads/pp_asking.pdf

Peter
OSR
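A PowerShell counterpart to the tasklist /m secu* inventory suggested earlier in this thread, added here as an example (it is not code from any poster): it lists which processes have a module matching a wildcard mapped, and also reports the processes whose module list could not be read, which is why a plain tasklist run can undercount. The function and parameter names are my own.

```powershell
# Added example (not from any poster in this thread): PowerShell counterpart to
# "tasklist /m secu*". Function and parameter names are my own.
function Get-ProcessesWithModule {
    [CmdletBinding()]
    param(
        # Wildcard matched against the module file name, e.g. 'secur32*'.
        [Parameter(Mandatory)]
        [string]$ModulePattern,

        # Optional wildcard on the image name, e.g. 'svchost'; default is all processes.
        [string]$ProcessName = '*'
    )

    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        try {
            # Reading .Modules opens the process for memory reading. Protected or
            # higher-integrity processes (and 64-bit processes when this shell is
            # 32-bit) throw here; those are the instances tasklist /m also misses.
            $modules = $proc.Modules
        } catch {
            [pscustomobject]@{
                PID    = $proc.Id
                Image  = $proc.ProcessName
                Module = $null
                Path   = $null
                Note   = "module list unavailable: $($_.Exception.Message)"
            }
            continue
        }

        foreach ($m in $modules) {
            if ($m.ModuleName -like $ModulePattern) {
                [pscustomobject]@{
                    PID    = $proc.Id
                    Image  = $proc.ProcessName
                    Module = $m.ModuleName
                    Path   = $m.FileName
                    Note   = ''
                }
            }
        }
    }
}

# The inventory the thread asks about: every svchost.exe instance that has
# secur32.dll mapped, plus the instances that could not be inspected from here.
Get-ProcessesWithModule -ModulePattern 'secur32*' -ProcessName 'svchost' |
    Sort-Object PID |
    Format-Table -AutoSize
```

Run it from an elevated 64-bit shell so that service processes such as svchost.exe are readable; rows with a non-empty Note column are the ones a non-elevated tasklist would silently omit.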

>You’ll need to find another solution.
>
>For more information, see: http://www.osronline.com/downloads/pp_asking.pdf

Or this:

http://weblogs.asp.net/alex_papadimoulis/archive/2005/05/25/408925.aspx

Your question is out of curiosity.

In Farsi:

Your question is very vague.

And, of course, the wrong solution.

xxxxx@gmail.com

Sent from my iPad

On 29 June 2012, at 15:20, Bahareh Rostamiyan wrote:


Whatever you are trying to accomplish, this is the absolutely wrong
approach. You cannot unload a DLL from some other process’s address
space. The operation makes no sense. You also appear to be totally
clueless about how DLLs work, how DLL memory is managed, and several dozen
other details.

No matter what you are trying to do, your proposed solution will not
accomplish it. In fact, the specification of your problem suggests you
have no clue as to how applications work, what paging is and does, and
what you mean by “remove from memory”. The concept itself is nonsensical,
from my interpretation of what you are asking.

What makes you think that having this code in memory compromises your
security? What makes you think the impossible goal of “removing” it from
memory is going to enhance your security in any way? Do you understand
shared vs. private segments, the stack, and how a function call works?

Once you state your problem, I’m sure that someone can suggest an idea
that would work. As far as your current development path, I suggest you
stop wasting your time and spend it on understanding why your suggestion
results in an impossible situation.

This is beyond the question of how to fasten wings to pigs, and is in the
domain of asking how to modify plant DNA so we can grow bacon plants.

Instead of proposing a solution as ridiculous as this, you should say “I
have a problem to solve, [problem description here]” and ask for
approaches. I have no idea what led you to believe that “removing” the
DLL from memory could possibly be a solution, but you are so far down the
wrong path the only thing you can do is go all the way back to the
beginning and start by specifying the problem.
joe


This is not possible. Anyone with sufficient privileges, including
(especially) malware, can monitor the contents of memory. VirtualRead is
pretty good for this, and if you have a malware driver, it has even more
power.

Why do you think that unloading the code is going to have any effect on
the data? The data should be in the stack, and like all memory that can
be monitored, it can be seen by suitable malware. Removing the DLL image
from memory will have zero effect on this. And it doesn’t make sense to
do this, and if you understood how DLLs work, you would know this idea
makes no sense whatsoever. Note also that if the data is in the DLL data
segment, then that data segment is in the process address space of the
application, and thus it’s just another readable data segment. If anyone
can see it, then it is not “secure”. So the real goal is not to unload
the DLL (which will do NOTHING sensible, sane, or maintainable), but to
make sure the machine does not have any malware on it.

You have obviously confused code and data segments, and stack segments,
and until you understand how data is organized in the app, you will
continue to attempt to solve the wrong problem. You also do not seem to
understand address space and how it is managed.

If the data is in memory, it can be seen. And it has to be somewhere in
memory. I fail to see how “unloading” secur32.dll is going to have any
impact on this problem. Tell me what you are doing in “passing” this
argument and I can probably tell you, with less than five minutes’
thought, how I would go about reading it. Of course, if you let me get a
driver installed, then it’s trivial, and if you end up with a rootkit
installed, it’s even more trivial. But “removing” the DLL “from memory”,
a concept that is merely meaningless noise, will not change my ability to
get the information. Particularly if it is valuable enough.

Since you will never let anyone with admin privileges on the machine, and
all users will be restricted, this should not be a problem, because no
malware is going to get in.
joe
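The point made in the reply above, as an added example that is not part of the thread and not anyone's code from it: a PowerShell script that opens another process, walks its committed memory with VirtualQueryEx, reads each region with ReadProcessMemory and searches for a given string in both narrow and UTF-16 form. It never looks at which DLLs the target has loaded, so unloading secur32.dll (or any other module) has no effect on it. The wrapper class name Mem, the function Find-Needle, the parameters -ProcessId and -Needle and the 64 MB region cap are assumptions of this example. It must run as the same user as the target, or as an administrator (SeDebugPrivilege) for service processes such as svchost.exe.

```powershell
# Added example, not code from the thread. Assumed names: the wrapper class
# Mem, the function Find-Needle and the parameters -ProcessId / -Needle.
# Run as the same user as the target, or as an administrator (SeDebugPrivilege)
# for service processes. Reads memory only; nothing in the target is modified.
param(
    [Parameter(Mandatory = $true)][int]$ProcessId,   # target PID (e.g. from tasklist)
    [Parameter(Mandatory = $true)][string]$Needle    # the "argument" to look for
)

Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class Mem {
    [StructLayout(LayoutKind.Sequential)]
    public struct MEMORY_BASIC_INFORMATION {
        public IntPtr BaseAddress;
        public IntPtr AllocationBase;
        public uint   AllocationProtect;
        public IntPtr RegionSize;
        public uint   State;
        public uint   Protect;
        public uint   Type;
    }
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern int VirtualQueryEx(IntPtr h, IntPtr addr,
        out MEMORY_BASIC_INFORMATION mbi, int len);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool ReadProcessMemory(IntPtr h, IntPtr addr,
        byte[] buf, IntPtr size, out IntPtr read);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
}
"@

$PROCESS_QUERY_INFORMATION = 0x0400
$PROCESS_VM_READ           = 0x0010
$MEM_COMMIT                = 0x1000
$PAGE_NOACCESS             = 0x01
$PAGE_GUARD                = 0x100
$MaxRegion                 = 64MB     # assumed cap: skip huge regions to keep the scan quick

function Find-Needle([byte[]]$buf, [int]$len, [string]$needle) {
    # Emit one object per occurrence of $needle in $buf[0..$len-1], searching
    # both as a narrow (one byte per char) string and as a UTF-16 string.
    $latin1 = [Text.Encoding]::GetEncoding(28591)   # 1 byte -> 1 char, so offsets are preserved
    $s = $latin1.GetString($buf, 0, $len)
    $p = $s.IndexOf($needle, [StringComparison]::Ordinal)
    while ($p -ge 0) {
        [pscustomobject]@{ Encoding = 'narrow'; Offset = $p }
        $p = $s.IndexOf($needle, $p + 1, [StringComparison]::Ordinal)
    }
    foreach ($shift in 0, 1) {                        # a wide string may start on an odd byte
        $n = ($len - $shift) -band -2
        if ($n -lt 2) { continue }
        $w = [Text.Encoding]::Unicode.GetString($buf, $shift, $n)
        $p = $w.IndexOf($needle, [StringComparison]::Ordinal)
        while ($p -ge 0) {
            [pscustomobject]@{ Encoding = 'wide'; Offset = $shift + 2 * $p }
            $p = $w.IndexOf($needle, $p + 1, [StringComparison]::Ordinal)
        }
    }
}

$h = [Mem]::OpenProcess($PROCESS_QUERY_INFORMATION -bor $PROCESS_VM_READ, $false, $ProcessId)
if ($h -eq [IntPtr]::Zero) {
    throw "OpenProcess($ProcessId) failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}
try {
    $mbi     = [Activator]::CreateInstance([Mem+MEMORY_BASIC_INFORMATION])
    $mbiSize = [Runtime.InteropServices.Marshal]::SizeOf([type][Mem+MEMORY_BASIC_INFORMATION])
    $addr    = [IntPtr]::Zero
    $total   = 0
    # Walk every region of the target's address space until VirtualQueryEx fails.
    while ([Mem]::VirtualQueryEx($h, $addr, [ref]$mbi, $mbiSize) -ne 0) {
        $base = $mbi.BaseAddress.ToInt64()
        $size = $mbi.RegionSize.ToInt64()
        $readable = ($mbi.State -eq $MEM_COMMIT) -and
                    (($mbi.Protect -band ($PAGE_NOACCESS -bor $PAGE_GUARD)) -eq 0)
        if ($readable -and $size -le $MaxRegion) {
            $buf  = New-Object byte[] $size
            $read = [IntPtr]::Zero
            if ([Mem]::ReadProcessMemory($h, $mbi.BaseAddress, $buf, [IntPtr]$size, [ref]$read)) {
                foreach ($hit in (Find-Needle $buf $read.ToInt32() $Needle)) {
                    '{0,-6} 0x{1:X} (region 0x{2:X}, protect 0x{3:X})' -f `
                        $hit.Encoding, ($base + $hit.Offset), $base, $mbi.Protect
                    $total++
                }
            }
        }
        $addr = [IntPtr]($base + $size)   # next region starts right after this one
    }
    "$total occurrence(s) of '$Needle' in PID $ProcessId"
} finally {
    [void][Mem]::CloseHandle($h)
}
```

Save it under any name (say Find-InMemory.ps1) and run `.\Find-InMemory.ps1 -ProcessId 936 -Needle 'the argument'` from an elevated prompt; each hit is printed with its absolute address, the region base and the page protection of the region it sits in (stack, heap or a DLL data section are all just readable pages here). Use a 64-bit PowerShell against 64-bit targets, since a 32-bit scanner cannot address the upper part of a 64-bit process; on the 32-bit Windows 7 and XP systems in the thread this does not arise.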


I’m writing security software that transfers an argument to another
program, and I don’t want this argument to be monitored in memory.
So I’ve decided to inactivate or stop process monitoring (by unloading
secur32.dll) for a short time, to transfer the argument securely
(invisible to other programs and processes!).

I’ve tried many methods to hide and protect this argument from being captured,
but this is the remaining method, I think!

Thus, in order to avoid breaking OS functionality, it must be loaded back into
the svchost.exe address space quickly (after my argument transmission).

I want to find a working procedure to do this job.

For example using some functions like GetModuleHandle, FreeLibrary and
LoadLibrary…

But the LoadLibrary function loads the dll into the calling process address
space (there, my program), not the svchost.exe process!

I’m looking for an appropriate solution to achieve this goal.

Do you have any suggestions for doing this, please?!

On Fri, Jun 29, 2012 at 3:59 PM, lorddoskias
> wrote:
>
>> Let me have the honor of asking - “what problem are you trying to solve
>> that requires you unloading a particular dll?”
>> On 6/29/2012 11:50 AM, Bahareh Rostamiyan wrote: