Sysinternals/Listdlls

From aldeid
Jump to navigation Jump to search

Description

ListDLLs is a utility from Sysinternals that reports the DLLs loaded into processes. You can use it to list all DLLs loaded into all processes, into a specific process, or to list the processes that have a particular DLL loaded. ListDLLs can also display full version information for DLLs, including their digital signature, and can be used to scan processes for unsigned DLLs.

Download

Usage

Syntax

listdlls [-r] [processname|pid]
listdlls [-r] [-d dllname]

Options

processname
Dump DLLs loaded by process (partial name accepted)
pid
Dump DLLs associated with the specified process id
-d dllname
Show only processes that have loaded the specified DLL.
-r
Flag DLLs that relocated because they are not loaded at their base address.

Example

The following example shows how you can use listdlls to check that a malicious DLL has been loaded by a process. The output below is what is loaded after the kInject example.

C:\malware>listdlls.exe -d kntillusion.dll 
ListDLLs v2.25 - DLL lister for Win9x/NT
Copyright (C) 1997-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

------------------------------------------------------------------------------
notepad.exe pid: 1484
Command line: notepad.exe

  Base        Size      Version         Path
  0x10000000  0x10000                   c:\malware\kntillusion.dll

We can check this by listing all DLLs loaded by notepad.exe:

C:\malware>listdlls.exe notepad.exe

ListDLLs v2.25 - DLL lister for Win9x/NT
Copyright (C) 1997-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

------------------------------------------------------------------------------
notepad.exe pid: 1484
Command line: notepad.exe

  Base        Size      Version         Path
  0x01000000  0x14000   5.01.2600.5512  C:\WINDOWS\system32\notepad.exe
  0x7c910000  0xb6000   5.01.2600.5512  C:\WINDOWS\system32\ntdll.dll
  0x7c800000  0x106000  5.01.2600.5512  C:\WINDOWS\system32\kernel32.dll
  0x76340000  0x4a000   6.00.2900.5512  C:\WINDOWS\system32\comdlg32.dll
  0x77da0000  0xac000   5.01.2600.5512  C:\WINDOWS\system32\ADVAPI32.dll
  0x77e50000  0x92000   5.01.2600.5512  C:\WINDOWS\system32\RPCRT4.dll
  0x77fc0000  0x11000   5.01.2600.5512  C:\WINDOWS\system32\Secur32.dll
  0x77390000  0x103000  6.00.2900.5512  C:\WINDOWS\WinSxS\x86_Microsoft.Windows.
Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\COMCTL32.dll
  0x77be0000  0x58000   7.00.2600.5512  C:\WINDOWS\system32\msvcrt.dll
  0x77ef0000  0x49000   5.01.2600.5512  C:\WINDOWS\system32\GDI32.dll
  0x7e390000  0x91000   5.01.2600.5512  C:\WINDOWS\system32\USER32.dll
  0x77f40000  0x76000   6.00.2900.5512  C:\WINDOWS\system32\SHLWAPI.dll
  0x7c9d0000  0x825000  6.00.2900.5512  C:\WINDOWS\system32\SHELL32.dll
  0x72f50000  0x26000   5.01.2600.5512  C:\WINDOWS\system32\WINSPOOL.DRV
  0x5cea0000  0x26000   5.01.2600.5512  C:\WINDOWS\system32\ShimEng.dll
  0x595b0000  0x1ca000  5.01.2600.5512  C:\WINDOWS\AppPatch\AcGenral.DLL
  0x76ae0000  0x2f000   5.01.2600.5512  C:\WINDOWS\system32\WINMM.dll
  0x774a0000  0x13d000  5.01.2600.5512  C:\WINDOWS\system32\ole32.dll
  0x770e0000  0x8b000   5.01.2600.5512  C:\WINDOWS\system32\OLEAUT32.dll
  0x77bb0000  0x15000   5.01.2600.5512  C:\WINDOWS\system32\MSACM32.dll
  0x77bd0000  0x8000    5.01.2600.5512  C:\WINDOWS\system32\VERSION.dll
  0x76960000  0xb6000   5.01.2600.5512  C:\WINDOWS\system32\USERENV.dll
  0x5b090000  0x38000   6.00.2900.5512  C:\WINDOWS\system32\UxTheme.dll
  0x10000000  0x10000                   c:\malware\kntillusion.dll

Comments

blog comments powered by Disqus