  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 638

Injected DLL

Hi,
What is the best practice to help me find an injected DLL in Windows 7 without using antivirus?
I also need to know if it can tell me what functions were added to this DLL, or which APIs it uses, so I can do a good investigation of the virus's behavior.

Thanks
Asked by: abdallah1973
1 Solution
 
abdallah1973 (Author) Commented:
I mean, are there tools that help me in the analysis?
 
btan (Exec Consultant) Commented:
You could probably look at common tools like "SpyDllRemover" to check for injected DLLs or remove them, e.g.:
 • 'Advanced DLL Ejection': one of the advanced and unique features of SpyDLLRemover, used to completely remove the injected DLL from a remote process.
 • 'DLL Tracer' feature: searches for suspicious DLLs within all running processes.

Another option is the common process analysis tools Process Explorer or Process Hacker, which help surface the handles created by the injection. The injection itself is done in memory and is gone once the process terminates, with no physical file per se, as the norm is CreateRemoteThread with VirtualProtect to inject etc. (or using the Detours library for an inline code jmp).

Using Process Explorer you can, e.g.:
 • view the list of DLLs loaded into a particular process's address space, or
 • view the process into which the code was injected by looking at the handles, provided the injecting process stays in memory for some time without closing the handle of the process it opened for injection.

Furthermore, there are a couple of rootkit detection tools such as BlackLight from F-Secure, McAfee's Rootkit Detective, RootkitRevealer from SysInternals.com and IceSword by PJF. IceSword is the most advanced tool among these and shows all hidden processes, services, drivers, SSDT hooks, message hooks etc.

** Note that the above-mentioned tools may trigger AV or host intrusion software since they are dual use, so please scan them on demand during download and prior to running or installing them. Also, most of the time such tools require 'Run as Administrator', so be wary when using them on a test machine.

The more hands-on (but hardcore) alternative is to use a tool that facilitates searching process memory, or a debugger (like WinDbg), to scan each instance of svchost for the sequence of bytes being injected.
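The Process Explorer "DLLs loaded into a process" check above can be scripted so that every process on the box is triaged at once. The following is an added example, not code from the original answer or from any of the tools it names; it uses only the built-in Get-Process and Get-AuthenticodeSignature cmdlets and assumes an elevated PowerShell session whose bitness matches the processes being inspected (64-bit PowerShell on 64-bit Windows 7). The trusted-directory list and the regex of user-writable locations are assumptions chosen for this example and should be adjusted to the machine's baseline.

```powershell
# Added example (not from the original post): flag loaded modules that look injected
# by path, location and signature, across every process we are allowed to inspect.
# Run from an elevated PowerShell 2.0+ session (Windows 7 ships with 2.0).

# Assumed "trusted" roots: a legitimate system DLL normally lives under one of these.
$trustedRoots = @(
    "$env:SystemRoot\",               # C:\Windows\ (System32, SysWOW64, WinSxS, ...)
    "$env:ProgramFiles\",
    "${env:ProgramFiles(x86)}\"       # empty on 32-bit Windows; filtered out below
) | Where-Object { $_ -and $_ -ne '\' }

function Test-TrustedPath {
    param([string]$Path)
    foreach ($root in $trustedRoots) {
        if ($Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$findings = @()
foreach ($proc in Get-Process) {
    # Reading .Modules of a protected process, or of a 64-bit process from a 32-bit
    # shell, throws. Record that instead of silently skipping the process.
    try { $modules = $proc.Modules }
    catch { Write-Warning "$($proc.Name) (PID $($proc.Id)): $($_.Exception.Message)"; continue }

    foreach ($m in $modules) {
        $path = $m.FileName
        $reasons = @()
        $sigStatus = 'n/a'
        if (-not (Test-Path -LiteralPath $path)) {
            # Mapped in memory but the backing file is gone: drop, inject, delete.
            $reasons += 'backing file missing on disk'
        } else {
            if (-not (Test-TrustedPath $path)) { $reasons += 'outside Windows/Program Files' }
            if ($path -match '\\(Temp|AppData|Users\\Public|ProgramData)\\') {
                $reasons += 'user-writable location'
            }
            # Embedded Authenticode only; see the usage note on catalog-signed OS files.
            $sigStatus = (Get-AuthenticodeSignature -FilePath $path).Status
            if ($sigStatus -ne 'Valid' -and -not (Test-TrustedPath $path)) {
                $reasons += "signature: $sigStatus"
            }
        }
        if ($reasons.Count -gt 0) {
            $findings += New-Object PSObject -Property @{
                Process = $proc.Name; PID = $proc.Id; Module = $path
                Signature = $sigStatus; Reasons = ($reasons -join '; ')
            }
        }
    }
}

$findings | Sort-Object Process, Module |
    Format-Table Process, PID, Module, Signature, Reasons -AutoSize -Wrap
```

Two caveats when reading the output. On Windows 7 most operating-system DLLs are catalog-signed rather than carrying an embedded signature, so Get-AuthenticodeSignature reports them as NotSigned; that is why the script only treats a bad signature as a finding for modules outside the trusted roots, and why the best use of the list is a diff against a known-clean machine. And a DLL that was written straight into the target's memory (reflective loading, shellcode) never appears in the module list at all, which is exactly the case the answer's last paragraph on scanning process memory is about.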

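For the memory-scanning approach in the answer's last paragraph, here is an added example (not from the original post) that walks the address space of every svchost.exe with VirtualQueryEx, reports every committed private region that is executable, and searches those regions for a caller-supplied byte sequence. Private executable memory is what VirtualAllocEx plus WriteProcessMemory plus CreateRemoteThread leaves behind; a legitimately loaded DLL is MEM_IMAGE, not MEM_PRIVATE. The P/Invoke declarations use the documented kernel32 signatures; the constants are from winnt.h. It assumes an elevated 64-bit PowerShell on 64-bit Windows 7 (a 32-bit shell cannot read 64-bit processes), and the default pattern "MZ" is an assumption chosen for the example: a PE header inside private executable memory is the usual sign of a manually mapped DLL.

```powershell
# Added example (not from the original post): list private executable memory in
# every svchost.exe and look for a byte pattern inside it.

Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class NativeMem {
    [StructLayout(LayoutKind.Sequential)]
    public struct MBI {   // MEMORY_BASIC_INFORMATION
        public IntPtr BaseAddress; public IntPtr AllocationBase; public uint AllocationProtect;
        public IntPtr RegionSize; public uint State; public uint Protect; public uint Type;
    }
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr VirtualQueryEx(IntPtr h, IntPtr addr, out MBI mbi, IntPtr len);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool ReadProcessMemory(IntPtr h, IntPtr addr, byte[] buf, IntPtr size, out IntPtr read);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
}
"@

$PROCESS_QUERY_INFORMATION = 0x0400; $PROCESS_VM_READ = 0x0010
$MEM_COMMIT = 0x1000; $MEM_PRIVATE = 0x20000
$EXEC_MASK = 0x10 -bor 0x20 -bor 0x40 -bor 0x80   # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY
$MaxRead = 4MB                                    # larger regions are listed but not searched

function Find-Pattern([byte[]]$Buffer, [byte[]]$Pattern) {
    # Naive first-occurrence search; injected regions are normally small.
    $last = $Buffer.Length - $Pattern.Length
    for ($i = 0; $i -le $last; $i++) {
        $j = 0
        while ($j -lt $Pattern.Length -and $Buffer[$i + $j] -eq $Pattern[$j]) { $j++ }
        if ($j -eq $Pattern.Length) { return $i }
    }
    return -1
}

function Get-PrivateExecRegions([int]$ProcId, [byte[]]$Pattern) {
    $h = [NativeMem]::OpenProcess($PROCESS_QUERY_INFORMATION -bor $PROCESS_VM_READ, $false, $ProcId)
    if ($h -eq [IntPtr]::Zero) { Write-Warning "PID $ProcId : OpenProcess failed (protected or wrong bitness)"; return }
    $mbi = New-Object NativeMem+MBI
    $mbiSize = [IntPtr][System.Runtime.InteropServices.Marshal]::SizeOf($mbi)
    if ([IntPtr]::Size -eq 8) { $limit = 0x7FFFFFFEFFFF } else { $limit = 0x7FFEFFFF }  # end of user space
    $addr = [Int64]0
    while ($addr -lt $limit) {
        $ret = [NativeMem]::VirtualQueryEx($h, [IntPtr]$addr, [ref]$mbi, $mbiSize)
        if ($ret -eq [IntPtr]::Zero) { break }
        $size = $mbi.RegionSize.ToInt64()
        if ($mbi.State -eq $MEM_COMMIT -and $mbi.Type -eq $MEM_PRIVATE -and ($mbi.Protect -band $EXEC_MASK)) {
            $hit = $null
            if ($Pattern -and $size -le $MaxRead) {
                $buf = New-Object byte[] $size
                $read = [IntPtr]::Zero
                if ([NativeMem]::ReadProcessMemory($h, $mbi.BaseAddress, $buf, [IntPtr]$size, [ref]$read)) {
                    $off = Find-Pattern $buf $Pattern
                    if ($off -ge 0) { $hit = '0x{0:X}' -f $off }
                }
            }
            New-Object PSObject -Property @{
                PID = $ProcId; Base = ('0x{0:X}' -f $mbi.BaseAddress.ToInt64()); Size = $size
                Protect = ('0x{0:X}' -f $mbi.Protect); PatternOffset = $hit
            }
        }
        $addr = $mbi.BaseAddress.ToInt64() + $size
    }
    [void][NativeMem]::CloseHandle($h)
}

# Assumed default pattern "MZ"; replace with bytes taken from the sample under analysis.
$pattern = [byte[]](0x4D, 0x5A)
Get-Process svchost | ForEach-Object { Get-PrivateExecRegions $_.Id $pattern } |
    Format-Table PID, Base, Size, Protect, PatternOffset -AutoSize
```

Every region the script prints deserves a look even when the pattern is not found: .NET and JIT-based runtimes legitimately create private executable memory, but a plain svchost.exe hosting native services normally has none, so any hit there is a candidate for dumping with Process Hacker or WinDbg and handing to the disassembler to answer the "what functions or APIs does it use" part of the question. The PowerShell search loop is slow on large regions, which is why regions above 4 MB are only listed; raise $MaxRead or move the search into the C# helper if that becomes a problem.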