This is the mail archive of the cygwin-talk mailing list for the cygwin project.
RE: The Big List of Dodgy Apps
- From: "Phil Betts" <Phil dot Betts at ascribe dot com>
- To: "The Cygwin-Talk Maiming List" <cygwin-talk at cygwin dot com>
- Date: Wed, 21 Mar 2007 11:21:05 -0000
- Subject: RE: The Big List of Dodgy Apps
- Reply-to: The Cygwin-Talk Maiming List <cygwin-talk at cygwin dot com>
Dave Korn wrote on Tuesday, March 20, 2007 7:00 PM::
> On 20 March 2007 18:45, Brian Dessent wrote:
>
>> Dave Korn wrote:
>>
>>>> I would think it was possible to have cygcheck do something like
>>>> sysinternals' process explorer does to get the DLL list, but to do
>>>> it only on itself - essentially asking the question "to which DLLs
>>>> am I linked?" The expected DLLs can be eliminated from all
>>>> enquiries. If the fingerprint of a known offender is detected, it
>>>> can be reported as such. Anything else can be reported as a
>>>> "potential problem".
>>>
>>> This seems a reasonably good idea. I was thinking at one point of
>>> adding it to the cygwin crashdump routines invoked after fork()
>>> errors.
>>
>> It won't work to check "to which DLLs am I linked", at least not in
>> the way of inspecting the PE headers of the file on disk. The
>> injecting is dynamic, through system hook functions, so you have to
>> use the DebugHlp/ImageHlp libraries to inspect the process space,
>> IIRC.
>
>
> Yes, that's what I meant too; I was skipping over the minor
> inaccuracy in Phil's terminology because I'm sure that's what he
> intended.
>
>
> cheers,
> DaveK

Absolutely. I was using "linked" in its broadest sense. I'm not a
Windows coder (always leaves me feeling dirty - and not in a good way),
so what would be the proper term for "files linked into my process
right now, however they got there"?

I didn't want to restrict it to just injected code because that would
miss the chance of spotting say a known bad version of msvcrt.dll, and
there's no reason why the blacklist shouldn't include a cygwin library,
should a rogue hippo ever make it out of the water-hole.

Speaking of which, is this cygwin's secret sponsor:
http://www.thatimagesite.com/image/1485

Phil
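
Added example (not part of the original thread and not cygcheck's code): the self-check discussed above, in C. It walks the modules loaded in the running process rather than the PE headers on disk, using psapi's EnumProcessModules in place of the DebugHlp/ImageHlp route mentioned in the thread, and sorts each module into expected, known offender or potential problem. The DLL lists are constructed placeholders, and matching on file name alone is an assumption (a version or hash check would be needed to catch a known bad msvcrt.dll).

```c
#include <ctype.h>
#include <stdio.h>
#if defined(_WIN32) || defined(__CYGWIN__)
#include <windows.h>
#include <psapi.h>              /* link with -lpsapi */
#endif
enum verdict { EXPECTED, KNOWN_OFFENDER, POTENTIAL_PROBLEM };

/* Constructed placeholder lists (assumption): not the project's real lists. */
static const char *expected[]  = { "ntdll.dll", "kernel32.dll", "cygwin1.dll", NULL };
static const char *offenders[] = { "examplehook.dll", NULL };
/* Case-insensitive match of the file-name part of path against a list. */
static int in_list(const char *path, const char **list)
{
    const char *base = path, *p;
    for (p = path; *p; p++)
        if (*p == '\\' || *p == '/') base = p + 1;
    for (; *list; list++) {
        const char *a = base, *b = *list;
        while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b)) { a++; b++; }
        if (!*a && !*b) return 1;
    }
    return 0;
}

/* Known offenders win over the expected list; anything unlisted is flagged. */
enum verdict classify_module(const char *path)
{
    if (in_list(path, offenders)) return KNOWN_OFFENDER;
    return in_list(path, expected) ? EXPECTED : POTENTIAL_PROBLEM;
}

int main(void)
{
#if defined(_WIN32) || defined(__CYGWIN__)
    HMODULE mods[1024]; DWORD needed, i; char path[MAX_PATH];
    HANDLE self = GetCurrentProcess();
    /* Walks the live process, so DLLs injected at run time are listed too. */
    if (!EnumProcessModules(self, mods, sizeof mods, &needed)) return 1;
    if (needed > sizeof mods) needed = sizeof mods;
    for (i = 0; i < needed / sizeof(HMODULE); i++) {
        if (mods[i] == GetModuleHandle(NULL)) continue;   /* our own .exe */
        if (!GetModuleFileNameExA(self, mods[i], path, sizeof path)) continue;
        if (classify_module(path) == KNOWN_OFFENDER) printf("known offender: %s\n", path);
        else if (classify_module(path) == POTENTIAL_PROBLEM) printf("potential problem: %s\n", path);
    }
#endif
    return 0;
}
```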