Currently, I'm trying to build a program which scans all running processes, gets the MD5# of that process, and compares it to a .txt file which has a list of MD5 hashes. If the MD5# matches, then I will do an action with a MessageBox.

The trouble is, I'm not sure how to do this task. Here is some code I've found, but there is no function which reads the .txt file which has the MD5 hashes in it, then compares the hash to a running process.

Option Strict On
Option Explicit On

Public Class Form1
    Private Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click
        Dim procs() As System.Diagnostics.Process = System.Diagnostics.Process.GetProcesses
        Dim f As String

        For Each proc As System.Diagnostics.Process In procs
            f = GetProcessFileName(proc)
            If f.Length > 0 Then
                ListBox1.Items.Add(f)
                ListBox1.Items.Add("MD5: " & GetMD5String(f))
                ListBox1.Items.Add(String.Empty)
            End If
        Next
    End Sub

    Private Function GetProcessFileName(proc As System.Diagnostics.Process) As String
        Dim strRet As String = String.Empty

        Try
            strRet = proc.MainModule.FileName
        Catch ex As Exception
            ' This catch used to ignore "Access is denied" exception.
        End Try
        Return strRet
    End Function

    Private Function GetMD5String(ByVal strFilename As String) As String
        Dim cMD5 = System.Security.Cryptography.MD5.Create
        Dim bytHash As Byte()
        Dim sb As New System.Text.StringBuilder

        Using cStream As New IO.FileStream(strFilename, IO.FileMode.Open, IO.FileAccess.Read, IO.FileShare.Read)
            bytHash = cMD5.ComputeHash(cStream)
        End Using

        For Each b In bytHash
            sb.Append(b.ToString("X2"))
        Next

        Return sb.ToString
    End Function

End Class

So, how do you complete this task?

Thanks!

What I have tried:

Looked at various projects to try and help me.
Updated 14-Jun-18 1:19am

That looks like you are trying to make an "in memory" virus scanner by checking the MD5 of an executable - and that isn't going to work, any more than it did when you tried it on files on disk. And for exactly the same reasons, plus some more.

For example, not only does the MD5 still have the same problems as the file based version you tried: What's wrong with my filesystemwatcher1 code? but a modern app isn't contained in a single EXE file, which is all the Process will give you. It also loads a number - often quite a large number - of DLL assemblies (or native DLL files) which contain the bulk of the code.
So again, you will be giving a false sense of security. Find yourself a project that doesn't expect viruses to work in such a primitive way: they don't.
 
Share this answer
 
Comments
Richard Deeming 14-Jun-18 10:40am    
I'm still trying to work out whether this is a sock-puppet account for Helpmecodeplz, or whether they're both students who've been set the same homework.

The fact that one's in the UK and the other's in Australia looks a bit odd. Maybe the teacher was forced to move to the other side of the world for setting such appallingly bad homework?
Quote:
Currently, I'm trying to build a program which scans all running processes, gets the MD5# of that process, and compares it to a .txt file which has a list of MD5 hashes.

Looks like a bad idea from the beginning.
Chances are that your reference MD5 will never match. The reason is that the executable disk file is never the same as the process.
Part of the loading process is to resolve internal and external jumps in code. The resolution of those jumps depends on the loading address of the process and the loading addresses of external code the process uses.
Said otherwise, to get the same MD5 for a running process, it implies that the whole system has started exactly the same way both times. This includes the exact same dynamic memory allocation for all previous processes.
 
Share this answer
 
Your text file should contain lines with the full path and the MD5 sum separated by a delimiting sequence. Read that file line by line and split each line into the path and MD5 sum part. If a file name matches (should be case insensitive with Windows) return a state that indicates if the MD5 sum matches or not. When reaching the end of the file, return a state that the file has not been found.

Writing such code is a basic task in any programming language. Examples can be found by searching the web for something like "vb.net read text file line by line": File.ReadAllLines Method (String) (System.IO)

Splitting a string into components is again a basic task. Each programming language provides functions to split strings at specific characters: String.Split Method (Char[]) (System)

In your scenario you might also use a Dictionary(TKey, TValue) Class (System.Collections.Generic) to perform the lookup. That can be created at program start from the text file or be loaded using serialisation when you have created a corresponding serialised file.
 
Share this answer
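The lookup described in this answer, written out as an added example (not code from the original posts): each list line is assumed to be `full path|MD5`, and the names `HashList`, `HashState`, `Load`, `Md5Hex`, `Check` and `CheckProcess` are hypothetical. It goes one step beyond the answer by checking the file behind every module a process has loaded rather than only `MainModule`; it hashes the files on disk, not the loaded image in memory.

```vbnet
Option Strict On
Imports System
Imports System.Collections.Generic
Imports System.Diagnostics
Imports System.IO
Imports System.Security.Cryptography

Public Enum HashState
    NotListed   ' path does not appear in the list
    Match       ' path is listed and the MD5 agrees
    Mismatch    ' path is listed but the MD5 differs
End Enum

Public Module HashList
    ' Assumed line format (chosen for this example): C:\full\path.exe|<32 hex digits>; keys ignore case like Windows paths.
    Public Function Load(listFile As String) As Dictionary(Of String, String)
        Dim known As New Dictionary(Of String, String)(StringComparer.OrdinalIgnoreCase)
        For Each entry As String In File.ReadAllLines(listFile)
            Dim parts As String() = entry.Split("|"c)
            If parts.Length = 2 Then known(parts(0).Trim()) = parts(1).Trim()
        Next
        Return known
    End Function

    Public Function Md5Hex(fileName As String) As String
        Using hasher As MD5 = MD5.Create(), fs As FileStream = File.OpenRead(fileName)
            Return BitConverter.ToString(hasher.ComputeHash(fs)).Replace("-", "")
        End Using
    End Function

    Public Function Check(known As Dictionary(Of String, String), fileName As String) As HashState
        Dim expected As String = Nothing
        If Not known.TryGetValue(fileName, expected) Then Return HashState.NotListed
        Dim same As Boolean = String.Equals(expected, Md5Hex(fileName), StringComparison.OrdinalIgnoreCase)
        Return If(same, HashState.Match, HashState.Mismatch)
    End Function

    ' Checks the EXE and every DLL file the process has loaded, not only MainModule.
    Public Function CheckProcess(known As Dictionary(Of String, String), proc As Process) As Dictionary(Of String, HashState)
        Dim result As New Dictionary(Of String, HashState)(StringComparer.OrdinalIgnoreCase)
        Try
            For Each m As ProcessModule In proc.Modules
                result(m.FileName) = Check(known, m.FileName)
            Next
        Catch ex As Exception ' "Access is denied" and similar errors are skipped, as in the question's code.
        End Try
        Return result
    End Function
End Module
```

Load the dictionary once at start-up and reuse it for every process, so the list file is not re-read for each file that is hashed.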
 
Comments
Richard MacCutchan 14-Jun-18 6:06am    
Does not really matter because, as OriginalGriff points out, the proposed application will never work.
Jochen Arndt 14-Jun-18 6:22am    
It is necessary to point out that such an application is not working as intended as Griff has done.

But I thought it would be good to answer also the question itself.
Richard MacCutchan 14-Jun-18 7:00am    
Fair comment.
Member 13242613 14-Jun-18 6:51am    
Well, just got it to work.
Private Sub Mainframe_Load(sender As Object, e As EventArgs) Handles MyBase.Load
    Dim procs() As System.Diagnostics.Process = System.Diagnostics.Process.GetProcesses
    Dim f As String

    For Each proc As System.Diagnostics.Process In procs
        f = GetProcessFileName(proc)
        If f.Length > 0 Then
            ListBox1.Items.Add(f)
            ListBox1.Items.Add("MD5: " & GetMD5String(f))
            ListBox1.Items.Add(String.Empty)
        End If
    Next
End Sub

Private Function GetProcessFileName(proc As System.Diagnostics.Process) As String
    Dim strRet As String = String.Empty

    Try
        strRet = proc.MainModule.FileName
    Catch ex As Exception
        ' This catch used to ignore "Access is denied" exception.
    End Try
    Return strRet
End Function

Private Function GetMD5String(ByVal strFilename As String) As String
    Dim cMD5 = System.Security.Cryptography.MD5.Create
    Dim bytHash As Byte()
    Dim sb As New System.Text.StringBuilder
    Dim scanbox As New TextBox
    scanbox.Text = My.Computer.FileSystem.ReadAllText("viruslist.txt").ToString

    Using cStream As New IO.FileStream(strFilename, IO.FileMode.Open, IO.FileAccess.Read, IO.FileShare.Read)
        bytHash = cMD5.ComputeHash(cStream)
    End Using

    For Each B In bytHash
        sb.Append(B.ToString("X2"))
    Next

    If scanbox.Text.Contains(sb.ToString) Then
        Detect.Show()
    End If

    Return sb.ToString
End Function



"Doubt is a pain too lonely to know that faith is his twin brother."
 
Share this answer
 
Comments
Richard MacCutchan 14-Jun-18 6:59am    
You do realise that your hashes will be wrong for any application that gets a valid update from Microsoft? And also any application that currently contains virus or trojan horse code will continue to return a valid hash.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


