From aldeid


ListDLLs is a utility from Sysinternals that reports the DLLs loaded into processes. You can use it to list all DLLs loaded into all processes, into a specific process, or to list the processes that have a particular DLL loaded. ListDLLs can also display full version information for DLLs, including their digital signature, and can be used to scan processes for unsigned DLLs.




listdlls [-r] [processname|pid]
listdlls [-r] [-d dllname]


processname
Dump DLLs loaded by process (partial name accepted).
pid
Dump DLLs associated with the specified process id.
-d dllname
Show only processes that have loaded the specified DLL.
-r
Flag DLLs that relocated because they are not loaded at their base address.


The following example shows how you can use listdlls to check whether a malicious DLL has been loaded by a process. The output below shows what is loaded after the kInject example.

C:\malware>listdlls.exe -d kntillusion.dll 
ListDLLs v2.25 - DLL lister for Win9x/NT
Copyright (C) 1997-2004 Mark Russinovich
Sysinternals -

notepad.exe pid: 1484
Command line: notepad.exe

  Base        Size      Version         Path
  0x10000000  0x10000                   c:\malware\kntillusion.dll

We can check this by listing all DLLs loaded by notepad.exe:

C:\malware>listdlls.exe notepad.exe

ListDLLs v2.25 - DLL lister for Win9x/NT
Copyright (C) 1997-2004 Mark Russinovich
Sysinternals -

notepad.exe pid: 1484
Command line: notepad.exe

  Base        Size      Version         Path
  0x01000000  0x14000   5.01.2600.5512  C:\WINDOWS\system32\notepad.exe
  0x7c910000  0xb6000   5.01.2600.5512  C:\WINDOWS\system32\ntdll.dll
  0x7c800000  0x106000  5.01.2600.5512  C:\WINDOWS\system32\kernel32.dll
  0x76340000  0x4a000   6.00.2900.5512  C:\WINDOWS\system32\comdlg32.dll
  0x77da0000  0xac000   5.01.2600.5512  C:\WINDOWS\system32\ADVAPI32.dll
  0x77e50000  0x92000   5.01.2600.5512  C:\WINDOWS\system32\RPCRT4.dll
  0x77fc0000  0x11000   5.01.2600.5512  C:\WINDOWS\system32\Secur32.dll
  0x77390000  0x103000  6.00.2900.5512  C:\WINDOWS\WinSxS\x86_Microsoft.Windows.
  0x77be0000  0x58000   7.00.2600.5512  C:\WINDOWS\system32\msvcrt.dll
  0x77ef0000  0x49000   5.01.2600.5512  C:\WINDOWS\system32\GDI32.dll
  0x7e390000  0x91000   5.01.2600.5512  C:\WINDOWS\system32\USER32.dll
  0x77f40000  0x76000   6.00.2900.5512  C:\WINDOWS\system32\SHLWAPI.dll
  0x7c9d0000  0x825000  6.00.2900.5512  C:\WINDOWS\system32\SHELL32.dll
  0x72f50000  0x26000   5.01.2600.5512  C:\WINDOWS\system32\WINSPOOL.DRV
  0x5cea0000  0x26000   5.01.2600.5512  C:\WINDOWS\system32\ShimEng.dll
  0x595b0000  0x1ca000  5.01.2600.5512  C:\WINDOWS\AppPatch\AcGenral.DLL
  0x76ae0000  0x2f000   5.01.2600.5512  C:\WINDOWS\system32\WINMM.dll
  0x774a0000  0x13d000  5.01.2600.5512  C:\WINDOWS\system32\ole32.dll
  0x770e0000  0x8b000   5.01.2600.5512  C:\WINDOWS\system32\OLEAUT32.dll
  0x77bb0000  0x15000   5.01.2600.5512  C:\WINDOWS\system32\MSACM32.dll
  0x77bd0000  0x8000    5.01.2600.5512  C:\WINDOWS\system32\VERSION.dll
  0x76960000  0xb6000   5.01.2600.5512  C:\WINDOWS\system32\USERENV.dll
  0x5b090000  0x38000   6.00.2900.5512  C:\WINDOWS\system32\UxTheme.dll
  0x10000000  0x10000                   c:\malware\kntillusion.dll
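
In the listing above, the injected DLL stands out in two ways: its Version column is empty and its path is outside C:\WINDOWS. The following added example (not part of the original page, and not Sysinternals code) parses listdlls output in the v2.25 layout shown here and flags rows with either trait. The function names, the trusted-root list and the two heuristics are assumptions for triage, and the sample input is constructed from the output above.

```python
import re
from ntpath import normcase  # Windows path semantics on any host OS

# Constructed sample: abridged from the listdlls v2.25 output shown above.
SAMPLE = r"""
notepad.exe pid: 1484
Command line: notepad.exe

  Base        Size      Version         Path
  0x01000000  0x14000   5.01.2600.5512  C:\WINDOWS\system32\notepad.exe
  0x595b0000  0x1ca000  5.01.2600.5512  C:\WINDOWS\AppPatch\AcGenral.DLL
  0x10000000  0x10000                   c:\malware\kntillusion.dll
"""

PROC_RE = re.compile(r"^(?P<name>\S.*?) pid: (?P<pid>\d+)\s*$")
ROW_RE = re.compile(
    r"^\s*(?P<base>0x[0-9a-fA-F]+)\s+(?P<size>0x[0-9a-fA-F]+)\s+"
    r"(?:(?P<version>\d+(?:\.\d+)+)\s+)?(?P<path>\S.*?)\s*$"
)

def parse_listdlls(text):
    """Return one dict per module row, tagged with the owning process."""
    modules, proc = [], None
    for line in text.splitlines():
        if m := PROC_RE.match(line):
            proc = (m["name"], int(m["pid"]))
        elif proc and (m := ROW_RE.match(line)):
            modules.append({"process": proc[0], "pid": proc[1],
                            "base": int(m["base"], 16), "size": int(m["size"], 16),
                            "version": m["version"], "path": m["path"]})
    return modules

def suspicious(modules, trusted_roots=(r"C:\WINDOWS",)):
    """Return (module, reasons) pairs for rows that deserve a closer look."""
    # Assumption: anything outside trusted_roots is worth reviewing.
    roots = tuple(normcase(r).rstrip("\\") + "\\" for r in trusted_roots)
    hits = []
    for mod in modules:
        reasons = []
        if mod["version"] is None:  # Version column was blank
            reasons.append("no version resource")
        if not normcase(mod["path"]).startswith(roots):
            reasons.append("outside trusted roots")
        if reasons:
            hits.append((mod, reasons))
    return hits

if __name__ == "__main__":
    for mod, reasons in suspicious(parse_listdlls(SAMPLE)):
        print(f'{mod["process"]} ({mod["pid"]}): {mod["path"]} -> {", ".join(reasons)}')
```

Neither trait proves a DLL is malicious. Extend `trusted_roots` with the application directories that are legitimate on the host before relying on the second check.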

