Reply To: Detecting of application component name


#6634
Vadim Smirnov
Keymaster

    You can parse the user-mode stack of the calling thread. At the top of the stack there is usually ntdll.dll, and so on.

    However, if you are trying to detect a Trojan module, then it can be a bit more complex. It is possible to work with TDI directly, thus bypassing most of the user-mode network modules. It is even possible to bypass ntdll.dll by replicating the necessary system calls in the Trojan module. In this case the Trojan DLL will be at the top of the stack. This makes the task of parsing the call stack quite complex.
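Added example (not code from the post or from any product discussed in this thread) of the classification step that follows a user-mode stack walk: given the captured return addresses and the loaded-module ranges of the process (on Windows a driver would obtain these from the thread's user stack and the process PEB loader list; here both are constructed inline), resolve each frame to a module and report the first frame that is not one of the well-known user-mode network DLLs. The module names, base addresses and the list of "system" DLLs are assumptions for the example. The three scenarios mirror the post: a normal application calling through ntdll.dll and ws2_32.dll, a Trojan that issues its own system calls so its DLL sits at the top of the stack, and code that lives outside every loaded module.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One loaded module as a stack walker would recover it from the process's
 * loader list. Table below is constructed for this example. */
typedef struct {
    const char *name;
    uintptr_t   base;
    size_t      size;
} module_range_t;

/* Well-known DLLs on the normal user-mode network path. They never identify
 * the application component, so they are skipped. Hypothetical list. */
static const char *const system_modules[] = {
    "ntdll.dll", "kernelbase.dll", "kernel32.dll",
    "ws2_32.dll", "mswsock.dll", "wininet.dll", NULL
};

static int is_system_module(const char *name)
{
    for (size_t i = 0; system_modules[i] != NULL; i++)
        if (strcmp(system_modules[i], name) == 0)
            return 1;
    return 0;
}

/* Map a return address to the module containing it; NULL when the address is
 * outside every known module (manually mapped code, shellcode, etc.). */
static const module_range_t *resolve_module(const module_range_t *mods, size_t n,
                                            uintptr_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= mods[i].base && addr < mods[i].base + mods[i].size)
            return &mods[i];
    return NULL;
}

/* frames[0] is the most recent return address (top of the user stack).
 * Returns the name of the first non-system module on the stack, "<unknown>"
 * for a frame outside all modules, or NULL if every frame is a system DLL.
 * *index receives the position of the reported frame. */
static const char *first_application_frame(const module_range_t *mods, size_t n,
                                           const uintptr_t *frames, size_t nframes,
                                           size_t *index)
{
    for (size_t i = 0; i < nframes; i++) {
        const module_range_t *m = resolve_module(mods, n, frames[i]);
        if (m == NULL)               { *index = i; return "<unknown>"; }
        if (!is_system_module(m->name)) { *index = i; return m->name;    }
    }
    *index = nframes;
    return NULL;
}

/* Constructed module table for a hypothetical process. */
static const module_range_t modules[] = {
    { "ntdll.dll",    (uintptr_t)0x7ffd00000000ULL, 0x1f0000 },
    { "kernel32.dll", (uintptr_t)0x7ffd01000000ULL, 0x0c0000 },
    { "ws2_32.dll",   (uintptr_t)0x7ffd02000000ULL, 0x070000 },
    { "app.exe",      (uintptr_t)0x0000000140000000ULL, 0x200000 },
    { "evil.dll",     (uintptr_t)0x7ffc00000000ULL, 0x040000 },
};
#define NMODULES (sizeof modules / sizeof modules[0])

/* Scenario 1: ordinary socket call. ntdll -> ws2_32 -> application. */
const char *demo_normal_app(size_t *index)
{
    static const uintptr_t frames[] = {
        (uintptr_t)0x7ffd000a1234ULL, (uintptr_t)0x7ffd02012345ULL,
        (uintptr_t)0x0000000140001234ULL };
    return first_application_frame(modules, NMODULES, frames, 3, index);
}

/* Scenario 2: Trojan DLL replicates the system calls itself, so no ntdll.dll
 * frame exists and the Trojan is at the top of the stack. */
const char *demo_direct_syscall_trojan(size_t *index)
{
    static const uintptr_t frames[] = {
        (uintptr_t)0x7ffc00001000ULL, (uintptr_t)0x0000000140001234ULL };
    return first_application_frame(modules, NMODULES, frames, 2, index);
}

/* Scenario 3: caller is code that belongs to no loaded module. */
const char *demo_unmapped_code(size_t *index)
{
    static const uintptr_t frames[] = {
        (uintptr_t)0x7ffd000a1234ULL, (uintptr_t)0x00000001deadb000ULL };
    return first_application_frame(modules, NMODULES, frames, 2, index);
}

int main(void)
{
    size_t idx;
    const char *r;
    r = demo_normal_app(&idx);            printf("normal:  %s (frame %zu)\n", r, idx);
    r = demo_direct_syscall_trojan(&idx); printf("trojan:  %s (frame %zu)\n", r, idx);
    r = demo_unmapped_code(&idx);         printf("unmapped: %s (frame %zu)\n", r, idx);
    return 0;
}
```

The walk itself is platform work this block does not do: on Windows the return addresses come from walking the thread's user stack from the trap frame, and the module table from the process loader list, and both must be read defensively because the calling process controls that memory. The point the example does show is that the "skip the system DLLs" heuristic is what makes the direct-syscall Trojan case easy to spot once the stack has been captured: the first frame is already the suspect module, and an address in no module at all is worth flagging on its own.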