Tool locates all 'injected' DLLs in your system


Serdar Yegulalp, Contributor
07.10.2006


DLL injection may sound like a new medical procedure, but it's actually a way of attaching a dynamic link library, or DLL, to certain system actions in Windows. Many programs employ DLL injection to trap program functions that are not normally trapped by the system. It is used by many desktop utilities, debugging tools (such as Microsoft's Spy++ utility), and antivirus and firewall applications.

DLL injection has both legitimate and illegitimate uses. A macro recorder is one example of a legitimate DLL injection. But a key logger that's been installed without your (or your supervisor's) knowledge would be a problem. Because DLL injection isn't obvious—it doesn't usually show up as a process in the Task Manager—it can be hard to tell if injection is taking place, or how legitimate it might be.

Programmer Nir Sofer has written a tool, InjectedDLL, that takes a good deal of the mystery out of injected DLLs. Run it and you're presented with a report that lists all of the injected DLLs currently at work in the system: the image name, pathname and file attributes; a description (if available); any security-signing information; code revision; and so on.

The report can be saved as HTML or copied piecemeal or en masse to the clipboard. The program itself requires no installation -- it can be unpacked and run in any directory -- and there are translations available for several languages.

One quick way to tell if a given injected DLL is malicious or at least unwanted is to look at its company/product name and signing information. If there isn't any, or if the name is a misspelling or variant of something else (such as "Micorsoft"), there's a chance the DLL in question isn't legitimate.
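The company-name check above can be run over the rows of a saved report instead of by eye. This is an added example, not part of the original tip or of InjectedDLL; the record fields (`path`, `company`), the vendor list and the sample rows are assumptions constructed for illustration.

```python
import re

# Assumption: vendors you expect on this machine; extend the list for your estate.
KNOWN_VENDORS = ["Microsoft Corporation", "Intel Corporation", "NVIDIA Corporation"]
_SUFFIX = re.compile(r"\b(corporation|corp|incorporated|inc|ltd|llc|co)\b\.?")

def normalize(name):
    """Casefold, drop legal suffixes and punctuation: 'Microsoft Corp.' -> 'microsoft'."""
    return re.sub(r"[\W_]+", "", _SUFFIX.sub("", (name or "").casefold()))

def osa_distance(a, b):
    """Edit distance that counts an adjacent transposition ('or' vs 'ro') as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(company):
    """Return (verdict, matched_vendor). The company name is a self-declared
    version-resource string, so 'known' is not proof of origin: check the
    file's digital signature separately."""
    norm = normalize(company)
    if not norm:
        return ("missing", None)
    refs = [(normalize(v), v) for v in KNOWN_VENDORS]
    for ref, vendor in refs:
        if norm == ref:
            return ("known", vendor)
    for ref, vendor in refs:
        limit = 2 if len(ref) > 6 else 1  # stricter threshold for short names
        if osa_distance(norm, ref) <= limit:
            return ("lookalike", vendor)
    return ("unrecognized", None)

# Constructed sample rows (paths and company names invented for illustration).
SAMPLE = [
    {"path": r"C:\Windows\System32\msctf.dll", "company": "Microsoft Corporation"},
    {"path": r"C:\Program Files\MacroTool\hook.dll", "company": "Example Macro Software"},
    {"path": r"C:\Users\Public\winhlp.dll", "company": "Micorsoft Corporation"},
    {"path": r"C:\Temp\kbd32.dll", "company": ""},
]

def triage(rows):
    return [(r["path"],) + classify(r.get("company")) for r in rows]
```

Rows that come back `missing` or `lookalike` are the ones to examine first; `unrecognized` only means the vendor is not on your list.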

Another interesting aspect of the program is that when it's first loaded, it forces a small window, which is attached to a process called dummywin.exe, to open and then close directly under the cursor. This is deliberate. Some DLLs are only injected when the mouse cursor moves over a window, so this is a way to force that action to take place so the DLL in question will show up in the report. Note: On some particularly fast machines, the window may open and close too quickly for you to see.

About the author: Serdar Yegulalp is editor of the Windows Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators.
