Injected DLL

Posted on 2014-08-29
Last Modified: 2014-09-04
What is the best practice to help me find an injected DLL in Windows 7 without using antivirus?
I need to know whether it can also show what functions were added to this DLL or API, to have a good investigation of the virus behaviour.

Question by:abdallah1973

    Author Comment

    I mean, if there are tools that help me in the analysis.

    Accepted Solution

    Probably target common injector tools like "SpyDllRemover" to check for DLL injection or remove it.
    e.g. the unique 'Advanced DLL Ejection': this is one of the advanced and unique features of SpyDLLRemover, used to completely remove the injected DLL from a remote process.
    e.g. the 'DLL Tracer' feature: search for suspicious DLLs within all running processes.

    Another option is the common process analysis tools Process Explorer or Process Hacker, which will help in surfacing the handles created due to the injection, as the latter is done in memory and removed after the process terminates, with no physical file per se... as the norm is CreateRemoteThread and using VirtualProtect to inject etc. (or using the Detours library for an inline code jmp).

    Using Process Explorer:
     e.g. view the list of DLLs loaded into the address space of a particular process, or
     e.g. view the process into which the code was being injected by looking at the handles, provided the injecting process lives in memory for some time without closing the handle of the process it opened for injection.

    Furthermore, there are a couple of rootkit detection tools such as BlackLight from F-Secure, McAfee's Rootkit Detective, RootkitRevealer, and IceSword by PJF. IceSword is a very advanced tool among all of them, and it shows all hidden processes, services, drivers, SSDT hooks, message hooks etc.

    ** Note that these aforementioned tools may trigger AV or host intrusion software since they are dual use, so please do scan them on demand during download and prior to running or installation. Also, most of the time such tools will require 'Run as Administrator', so be wary of the usage on a test machine.

    The more hands-on (but hardcore) alternative is to also use a tool that facilitates searching process memory, or a debugger (like WinDbg), to scan each instance of svchost for the sequence of bytes that is being injected.
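The answer above describes the manual check an analyst does in Process Explorer's DLL view: look at which modules each process has loaded and ask whether they belong there. The script below is an added example (not part of the original answer, and not code from any of the tools it names) that applies the same triage heuristics to a text snapshot of loaded modules. The input format (`pid<TAB>process<TAB>module path`) and the sample snapshot are constructed for this example; in practice you would export the module list from Process Explorer, `listdlls`, or `Get-Process | Select -Expand Modules` and feed it in. It flags DLLs loaded from outside the normal Windows and Program Files trees, DLLs in user-writable locations such as Temp or AppData, DLLs that reuse a well-known system DLL name from the wrong directory, and DLLs that appear in several unrelated processes (the pattern a CreateRemoteThread-style injector leaves behind).

```python
"""Triage a snapshot of loaded modules for signs of DLL injection.

Added example. The snapshot format is an assumption of this script, not the
output format of Process Explorer or any other tool; the sample rows below are
constructed to exercise each heuristic.
"""
from collections import defaultdict

# Directories where a legitimate DLL is normally expected to live (lower-case).
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
# Only these two directories should ever host the core system DLLs.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Path fragments that indicate a user-writable drop location.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\",
                 "\\programdata\\", "\\downloads\\")
# Well-known system DLL names that malware likes to masquerade as.
SYSTEM_DLLS = {"ntdll.dll", "kernel32.dll", "kernelbase.dll", "user32.dll",
               "advapi32.dll", "ws2_32.dll", "wininet.dll"}

# Constructed snapshot: three processes share one DLL dropped in Temp, one
# process loads a DLL from Documents, and one loads a fake kernel32.dll.
SNAPSHOT = """\
1234\tsvchost.exe\tC:\\Windows\\System32\\svchost.exe
1234\tsvchost.exe\tC:\\Windows\\System32\\ntdll.dll
1234\tsvchost.exe\tC:\\Users\\bob\\AppData\\Local\\Temp\\upd.dll
1240\tsvchost.exe\tC:\\Windows\\System32\\ntdll.dll
1240\tsvchost.exe\tC:\\Users\\bob\\AppData\\Local\\Temp\\upd.dll
2000\texplorer.exe\tC:\\Windows\\explorer.exe
2000\texplorer.exe\tC:\\Windows\\System32\\ntdll.dll
2000\texplorer.exe\tC:\\Users\\bob\\AppData\\Local\\Temp\\upd.dll
2100\tnotepad.exe\tC:\\Windows\\System32\\ntdll.dll
2100\tnotepad.exe\tC:\\Users\\bob\\Documents\\helper.dll
2100\tnotepad.exe\tC:\\ProgramData\\System32\\kernel32.dll
"""


def parse_snapshot(text):
    """Return a list of (pid, process_name, module_path) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, proc, path = line.split("\t", 2)
        records.append((int(pid), proc, path))
    return records


def module_findings(path):
    """Per-module heuristics; returns a set of reason tags (empty = clean)."""
    p = path.lower()
    reasons = set()
    if not p.endswith(".dll"):          # only DLLs are in scope here
        return reasons
    if not p.startswith(TRUSTED_DIRS):
        reasons.add("outside_trusted_dirs")
    if any(marker in p for marker in USER_WRITABLE):
        reasons.add("user_writable_location")
    name = p.rsplit("\\", 1)[-1]        # basename, Windows-style separator
    if name in SYSTEM_DLLS and not p.startswith(SYSTEM_DIRS):
        reasons.add("system_dll_name_outside_system_dirs")
    return reasons


def analyze(records, spread_threshold=2):
    """Map each suspicious module path (lower-case) to its set of reasons.

    A flagged module seen in at least `spread_threshold` distinct processes is
    additionally tagged, since injectors commonly target many hosts at once.
    """
    findings = defaultdict(set)
    hosts = defaultdict(set)
    for pid, _proc, path in records:
        key = path.lower()
        reasons = module_findings(path)
        if reasons:
            findings[key] |= reasons
            hosts[key].add(pid)
    for key, pids in hosts.items():
        if len(pids) >= spread_threshold:
            findings[key].add("loaded_in_multiple_processes")
    return dict(findings)


def report(records):
    """Human-readable lines: module, reasons, and the processes hosting it."""
    findings = analyze(records)
    hosts = defaultdict(set)
    for pid, proc, path in records:
        if path.lower() in findings:
            hosts[path.lower()].add(f"{proc}({pid})")
    return [f"{key}: {', '.join(sorted(findings[key]))}; "
            f"hosts: {', '.join(sorted(hosts[key]))}"
            for key in sorted(findings)]


if __name__ == "__main__":
    for line in report(parse_snapshot(SNAPSHOT)):
        print(line)
```

Treat the output as a shortlist for the handle and memory inspection the answer describes, not as a verdict: a legitimately installed application can load modules from AppData, and an injector that maps its payload purely in memory (never writing a file) will not appear in a module list at all, which is why the answer also points at handle views and byte-pattern scans of process memory.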
