Injected DLL

What is the best practice help me find the injected DLL in windows 7 without using Anti virus?
I need to know if it' can also give what the function added to this DLL or API? to have good investigation for virus behavior.

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

abdallah1973Author Commented:
I mean if their tools help me in analysis.
btanExec ConsultantCommented:
Probably target common injector tools like "SpyDllRemover" to check for dll inject or remove
e.g. Unique 'Advanced DLL Ejection': This is one of the Advanced & Unique feature of SpyDLLRemover used to completely remove the injected DLL from Remote Process.
e.g. 'DLL Tracer' Feature: Search for suspicious DLL within all running processes.

Another is the common process analysis tools ProcessExplorer or Processhacker will helped in surfacing the handles created due to the injection as the latter is done via on memory and removed after process terminated, no physical file per se ... as the norm is createremotethread and using virtualprotect to inject etc (or the using Detour libraries for inline code jmp

using processexplorer
 e.g. view the list of dlls loaded into the address space of a particular process's address space or
 e.g. view the process into which the code was being injected by looking at the handles provided the injecting process must live in memory for some time with out closing the handle of the process which it opened for injection

furthermore, there are couple of rootkit detection tools such as BlackLight from F-Secure, Mcafee's Rootkit Detective, Rootkit Revealer from and IceSword by PJF. IceSword is very advanced tool among all and it shows all hidden processes, services, drivers, SSDT hooks, messages hooks etc.

** note that these a/m tools may trigger AV or host intrusion s/w since these are dual use and please do scan them on demand during download and prior to running or installation. also most of the time such tool will requires 'Run as Administrator' so be wary on the usage in test machine

the more hand-on (but hardcore) alternative is also use a tool that facilitates searching process memory or debugger (like windbg) to scan each instance of svchost for a sequence of bytes that are being injected.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.