listdlls: listing/searching dlls used in a Windows process

Download: http://technet.microsoft.com/en-us/sysinternals/bb896656.aspx

The SysInternals product suite includes a tool called listdlls, which lists and searches the DLLs loaded in a process. It is useful in the following scenarios:

  • List all dlls used in a process or within all processes…
  • List all processes using a particular dll
  • List all unsigned dlls
  • List all relocated dlls
  • List dlls along with their version number
  • Listing can be done via process id/process name.

Sample usage:

List the DLLs loaded into winword.exe, including their version information:
listdlls -v winword

Show processes that have loaded kernel32.DLL:
listdlls -d kernel32.dll

listdlls can also help, to some extent, in spotting malware by searching for unsigned DLLs. I didn’t know I had an unsigned module in my application execution list when running the tests for this blog post; as soon as I found one, I renamed and quarantined the suspicious file. Note that not all unsigned modules are malware, but there is a high chance that one is.

listdlls -u

listdlls is also useful for locating relocated modules. The following command lists all relocated modules in a given process. If you omit the process name, it lists the relocated modules of all processes.

listdlls -r

Just above a relocated module (in the output generated) you’ll find the following line of text.

  ### Relocated from base of 0x00400000:
0x0000000001ba0000  0x26000   C:\windows\CCM\sqlceer35EN.DLL
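To triage this output across many processes, the relocation marker and the module line that follows it can be paired up by a small parser. The Python below is an added example, not part of the original post or of listdlls itself; the process header and "Command line:" lines in the sample are an assumed layout, and the process names are constructed.

```python
import re

# Constructed sample. The "### Relocated" line and the module line under it come
# from the excerpt above; the "<name> pid: <n>" and "Command line:" lines are an
# assumed layout, and the unmarked notepad line is there to show it is skipped.
SAMPLE = r"""
------------------------------------------------------------------------------
example.exe pid: 2104
Command line: C:\windows\CCM\example.exe

Base                Size      Path
### Relocated from base of 0x00400000:
0x0000000001ba0000  0x26000   C:\windows\CCM\sqlceer35EN.DLL
------------------------------------------------------------------------------
notepad.exe pid: 5120
Command line: notepad.exe

Base                Size      Path
0x0000000000f50000  0x30000   C:\Windows\notepad.exe
"""

PROC = re.compile(r"^(?P<name>\S.*?) pid: (?P<pid>\d+)\s*$")
RELOC = re.compile(r"^\s*### Relocated from base of (0x[0-9a-fA-F]+):")
MODULE = re.compile(r"^\s*(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(\S.*?)\s*$")

def parse_relocated(text):
    """Return one record per relocated module, tagged with its owning process."""
    found, name, pid, cmdline, preferred = [], None, None, None, None
    for line in text.splitlines():
        if m := PROC.match(line):              # new process section starts
            name, pid, cmdline, preferred = m["name"], int(m["pid"]), None, None
        elif line.startswith("Command line:"):
            cmdline = line.split(":", 1)[1].strip()
        elif m := RELOC.match(line):           # marker sits just above its module
            preferred = int(m[1], 16)
        elif m := MODULE.match(line):
            if preferred is not None:          # only modules with a marker count
                found.append({"process": name, "pid": pid, "command_line": cmdline,
                              "preferred_base": preferred,
                              "actual_base": int(m[1], 16),
                              "size": int(m[2], 16), "path": m[3]})
            preferred = None                   # marker applies to one module only
    return found

if __name__ == "__main__":
    for r in parse_relocated(SAMPLE):
        print(f'{r["process"]} ({r["pid"]}): {r["path"]} '
              f'{r["preferred_base"]:#x} -> {r["actual_base"]:#x}')
```
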

Another piece of information in the listdlls output is the command line of each process, which is very useful. Note that Process Explorer can similarly search for a module loaded by a process, but this one’s quick and to the point. Enjoy!

Appreciate your comments...