can anyone read into this .dll file to see if it's safe to use?

Discussion in 'other anti-malware software' started by suta, Oct 8, 2019.

  1. suta

    suta Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    11
    Location:
    Australia
    Hi.. this .dll is a component for music player foobar2000, it works like a add on giving foobar2k additional functionality.. which is I'm able to set keyboard 1-9 to jump to 1-9mins when listening to the song.. it works but I'm not sure if it's safe.. like it might have some extra coding in it to steal information etc etc?



    I have no knowledge in programming.. tried downloading .net reflector and hex editor to see inside the .dll content but .net reflector shows the .dll is not .net supported.. and I'm not able to understand what it's saying in hex editor.



    Wondering if someone is kind enough to help me check if this .dll file is safe to use please?

    as .dll upload is not allowed I have changed the extension to .txt..
     

    Attached Files:

  2. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    7,339
    I scanned it a VirusTotal (I'm not allowed to post the results here) and none of 69 scanners detected it as malware, so it is definitely safe.
     
  3. suta

    suta Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    11
    Location:
    Australia
    ya.. I've personally tested it on total virus.. but while I was researching about foobar malware/virus I came across a topic one of the developer said 'component can do anything. Virusscanner not detecting something doesn't mean it's safe'
     
  4. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,044
    Location:
    Serbia
    Actually that is not true because foobar itself runs in user space -
    foo.png
    Perhaps the statement was misunderstood or taken out of context.
     
  5. suta

    suta Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    11
    Location:
    Australia
    hey can a software reads your file? I mean if a software attempts to read your files in for example c:\Users\Documents or pictures will there be a UAC prompt?
     
  6. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,044
    Location:
    Serbia
    All apps (admin and user) have read permissions. There are a couple of locations in the system where you need elevated privileges to access/read the contents but these are not normally accessed by a user.
    I see where this is heading and if you're asking if there is a theoretical chance that a component could have read your personal info and sent it online then the answer is yes. Nothing is absolutely safe.
    If the only thing that will satisfy you is disassembling the dll and look into it for any possible malicious code, then I'm afraid you came to the wrong place. There is noone with that level of knowledge here. And even if there was, it is a tedious work. There are other, simpler ways (already done here) to tell if an executable/dll is reasonably safe to use.
     
  7. suta

    suta Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    11
    Location:
    Australia
    ok thanks for the help.. would it be better to store sensitive files in location that requires elevated privilege? and do you know the location that requires elevated privilege? was it in C:\ or C:\Windows?
     
  8. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,044
    Location:
    Serbia
    No, you can't access those locations as a user and will get a message similar to this one -
    Untitled1.png

    These locations are reserved for system use and should not be accessed by a user. It is a very bad idea to use them for personal storage, as you could lose your data altogether. In some cases, they (and I won't name other folders here) are regularly written over, deleted and created again by the system on various occasions (updates, maintenance tasks, etc.).

    Just relax. You read too much into the statement that 'AV not detecting something doesn't mean it's safe'. It misuses the fact that there is no absolute security (which is true). However there is a clear line between absolute and reasonable security.
     
  9. suta

    suta Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    11
    Location:
    Australia
    ok thanks for the help Seer
     
  10. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,044
    Location:
    Serbia
    You're welcome suta
     
  11. RioHN

    RioHN Registered Member

    Joined:
    Mar 14, 2017
    Posts:
    68
    Location:
    Here
    Foobar2000 seems to run fine in sandboxie with internet access locked down, so that may be an option if you're worried?

    For what it's worth (very little) I don't see any obvious worrying static api calls (file/internet access etc) or encrypted code. But that doesn't mean it couldn't dynamically call this functionality later. Even with such a small dll there's a great deal of code to analyze.
     
  12. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    408
    Haven't checked every routine but a quick skim hasn't raised any real flags. The most potentially dangerous of the called APIs I saw were things like GetCurrentProcess and TerminateProcess but that seems to be used only in some error handling. Also there was GetCurrentThreadId and ProcessId but that was used in conjuction with QueryPerformanceCounter so they're basically being used in order to get "high-precision timing values"

    The only other ones that might worry me a tad would be some of the VC++2015 APIs, memcpy & memset but they are also fairly common.

    I didn't see any crypto, file or network APIs being used but that doesn't mean they aren't using some small hidden resources/chunks that can be unpacked at a later time.

    May I ask, where did you get it?
    In the end it's up to your own judgement and how much you trust the source.

    https://i.ibb.co/w721wx4/DLL.jpg
     
  13. suta

    suta Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    11
    Location:
    Australia
    Syrinx thanks for taking your time checking the dll.. really appreciated it! I got the component from someone on foobar forum.. I was asking for this feature and he PM'ed me a link to download.. as I'm new to that forum i'm not really sure if I can really trust him. therefore i'm taking double precaution checking it.. because this plugin was requested personally and wasn't released to the public, I'm kind of worry because i'm the only person using it ;P

    Syrinx do you have a .jpg in readable resolution? would like to see the DLL.jpg you posted
     
  14. RioHN

    RioHN Registered Member

    Joined:
    Mar 14, 2017
    Posts:
    68
    Location:
    Here
    As you're the only person using it, maybe they wouldn't mind supplying the source code? Not because you're suspicious, because you're interested in how it works ;)
     
  15. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    408
    Sorry I must have copied the thumbnail link and didn't keep the original jpg. This is a new screenshot but I was just showing how I determined why those APIs I was interested in were being used.
    DLL2.jpg
     
Loading...
Similar Threads
  1. EASTER
    Replies:
    2
    Views:
    1,109
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.