Detect if current CMD process has clink injected

[CarterLi]

I'm working on a neofetch like system information detection tool that tries to detect if current shell (CMD) has clink injected. All I can find is an environment variable %clink_dummy_capture_env% but it doesn't seem to be reliable.

Any suggestions?

[chrisant996]

Since you said "detect if the current shell", I think you must mean a CMD batch script, yes?

The simplest thing to do is check whether clink_dll_x* is loaded into the CMD process.

To get the CMD process ID you can use powershell (Get-WmiObject Win32_Process -Filter ProcessId=$PID).ParentProcessId to get the current CMD process ID. But it will need to be done in a for command to retrieve the process ID into a variable, so it will need to use (Get-WmiObject...).ParentProcessId twice to get the grandparent process ID since the for command internally invokes another cmd.exe.

Given the process ID of the current CMD (let's say 12345) use tasklist /fi "pid eq 12345" /fi "modules eq clink_dll_x*" /fo csv /nh to check whether the CMD process has a Clink DLL loaded.

You can append | findstr /v "^INFO" & if errorlevel 1 (echo NO) else (echo YES) to respond to whether a Clink DLL is loaded.

So, something like this:

@echo off
set CMDPID=
for /f %%a in ('powershell "(Get-WmiObject Win32_Process -Filter ProcessId=$((Get-WmiObject Win32_Process -Filter ProcessId=$PID).ParentProcessId)).ParentProcessId"') do set CMDPID=%%a
if not defined CMDPID (echo error: unable to get CMD process ID&exit /b 1)
tasklist /fi "PID eq %CMDPID%" /fi "MODULES eq clink_dll_x*" /fo csv /nh | findstr /v "^INFO" >nul 2>nul
if errorlevel 1 (echo Clink is not loaded.&exit /b 1) else (echo Clink is loaded.&exit /b 0)

[CarterLi]

I ended up with CreateToolhelp32Snapshot / Module32FirstW

Thanks for your help