The Sysinternals suite includes a tool called listdlls, which lists and searches the DLLs loaded in a process. It is useful in the following scenarios:
- List all DLLs used in a process or within all processes…
- List all processes using a particular DLL
- List all unsigned DLLs
- List all relocated DLLs
- List DLLs along with their version number
- Listing can be done via process id/process name.
List the DLLs loaded into winword.exe, including their version information:
listdlls -v winword
Show processes that have loaded kernel32.DLL:
listdlls -d kernel32.dll
listdlls can also help in spotting malware by searching for unsigned DLLs. I didn’t know I had an unsigned module in my application execution list when executing the tests for writing this blog. As soon as I found one, I renamed and quarantined the suspicious file. Note that not all unsigned modules are malware, but there is a high chance for one to be malware.
listdlls is also useful for locating relocated modules. The following command lists all relocated modules in a given process. If you remove the process name, it lists the relocated modules of all processes.
Just above a relocated module (in the output generated) you’ll find the following line of text.
### Relocated from base of 0x00400000:
0x0000000001ba0000 0x26000 C:\windows\CCM\sqlceer35EN.DLL
Another piece of information in the listdlls output is the command line of each process, which is very useful. Process Explorer can also search for a module loaded by a process, but this one’s quick and to the point. Enjoy!
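For triage across many hosts, saved listdlls output can be parsed so that each relocated module is reported with its owning process and command line. The script below is an added example, not part of the original post or of Sysinternals. The sample text is constructed, and the process header layout (`<image> pid: <n>`, then `Command line:`, then Base/Size/Path rows) and the name `relocated_modules` are assumptions.

```python
import re

# Constructed sample; the process header and column layout are assumed,
# the "### Relocated" marker and the sqlceer35EN.DLL row are from the post.
SAMPLE = r"""
----------------------------------------
ccmexec.exe pid: 2140
Command line: C:\windows\CCM\CcmExec.exe

Base                Size      Path
0x0000000000400000  0x1c000   C:\windows\CCM\CcmExec.exe
0x0000000077a60000  0x1a9000  C:\windows\SYSTEM32\ntdll.dll
### Relocated from base of 0x00400000:
0x0000000001ba0000  0x26000   C:\windows\CCM\sqlceer35EN.DLL
----------------------------------------
notepad.exe pid: 3312
Command line: "C:\windows\system32\notepad.exe" C:\temp\notes.txt

Base                Size      Path
0x00000000ff6a0000  0x35000   C:\windows\system32\notepad.exe
"""

PROC = re.compile(r"^(?P<name>\S.*?) pid: (?P<pid>\d+)\s*$")
RELOC = re.compile(r"^### Relocated from base of (0x[0-9a-fA-F]+):")
ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(.+?)\s*$")

def relocated_modules(text):
    """Return one dict per relocated module, tagged with its owning process."""
    hits, proc, preferred = [], None, None
    for line in text.splitlines():
        if m := PROC.match(line):
            proc = {"name": m["name"], "pid": int(m["pid"]), "cmdline": ""}
            preferred = None
        elif line.startswith("Command line:") and proc:
            proc["cmdline"] = line.split(":", 1)[1].strip()
        elif m := RELOC.match(line):
            preferred = int(m[1], 16)  # marker applies only to the next row
        elif (m := ROW.match(line)) and proc:
            if preferred is not None:
                hits.append({**proc, "preferred_base": preferred,
                             "actual_base": int(m[1], 16),
                             "size": int(m[2], 16), "path": m[3]})
            preferred = None
    return hits

if __name__ == "__main__":
    for h in relocated_modules(SAMPLE):
        print(f'{h["name"]} ({h["pid"]}): {h["path"]} '
              f'{h["preferred_base"]:#x} -> {h["actual_base"]:#x}')
```
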