Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Tool locates all 'injected' DLLs in your system

A utility called InjectedDLL displays the list of DLLs that are automatically injected on every process in your system.

DLL injection may sound like a new medical procedure, but it's actually a way of attaching a dynamic link library, or DLL, to certain system actions in Windows. Many programs employ DLL injection to trap program functions that are not normally trapped by the system. It is used by many desktop utilities, debugging tools (such as Microsoft's Spy++ utility), and antivirus and firewall applications.

DLL injection has both legitimate and illegitimate uses. A macro recorder is one example of a legitimate DLL injection. But a key logger that's been installed without your (or your supervisor's) knowledge would be a problem. Because DLL injection isn't obvious—it doesn't usually show up as a process in the Task Manager—it can be hard to tell if injection is taking place, or how legitimate it might be.

Programmer Nir Sofer has written a tool, InjectedDLL, that takes a good deal of the mystery out of injected DLLs. Run it and you're presented with a report that lists all of the injected DLLs currently at work in the system: the image name, pathname and file attributes; a description (if available); any security-signing information; code revision; and so on.

The report can be saved as HTML or copied piecemeal or en masse to the clipboard. The program itself requires no installation -- it can be unpacked and run in any directory -- and there are translations available for several languages.

One quick way to tell if a given injected DLL is malicious or at least unwanted is to look at the company/product name signing. If there isn't one, or if it's a misspelling or variant on something else (such as "Micorsoft") there's a chance the DLL in question isn't legit.

Another interesting aspect of the program is that when it's first loaded, it forces a small window to open and then close directly under the cursor, which is attached to a process called dummywin.exe. This is deliberate. Some DLLs are only injected when the mouse cursor moves over a window, so this is a way to force that action to take place so the DLL in question will show up in the report. Note: On some particularly fast machines, the window may open and close too quickly for you to see.

About the author: Serdar Yegulalp is editor of the Windows Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators.

More information on this topic:

Dig Deeper on Windows Server storage management

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.