Monday, March 2, 2015

How to list DLLs

Introduction
ListDLLs is a Sysinternals command-line utility that reports the DLLs loaded into processes. You can use it to list all DLLs loaded into all processes, into a specific process, or to list the processes that have a particular DLL loaded. ListDLLs can also display full version information for DLLs, including their digital signature, and can be used to scan processes for unsigned DLLs. For a responder that makes it a quick first check for injected or side-loaded code: a DLL that is unsigned, or that was loaded from a user-writable location rather than the application or system directory, deserves a closer look.
Usage

listdlls [-r] [-v | -u] [processname|pid]
listdlls [-r] [-v] [-d dllname]

processname   Dump DLLs loaded by process (partial name accepted).
pid           Dump DLLs associated with the specified process id.
dllname       Show only processes that have loaded the specified DLL.
-r            Flag DLLs that relocated because they are not loaded at their base address.
-u            Only list unsigned DLLs.
-v            Show DLL version information.
Examples
List the DLLs loaded into Outlook.exe, including their version information:
listdlls -v outlook
List any unsigned DLLs loaded into any process:
listdlls -u
Show processes that have loaded MSO.DLL:
listdlls -d mso.dll

A sample run on a Windows 7 host. Change into the folder where ListDLLs was unpacked, then list the DLLs loaded into Word together with their version and signature information (output truncated):

C:\Users\username>cd C:\Users\username\Downloads\ListDlls
C:\Users\username\Downloads\ListDlls>listdlls -v winword

ListDLLs v3.1 - List loaded DLLs
Copyright (C) 1997-2011 Mark Russinovich
Sysinternals - www.sysinternals.com

------------------------------------------------------------------------------
WINWORD.EXE pid: 3620
Command line: "C:\PROGRA~1\MICROS~2\Office14\WINWORD.EXE"

Base        Size      Path
0x2f090000  0x15d000  C:\PROGRA~1\MICROS~2\Office14\WINWORD.EXE
        Verified:       Microsoft Corporation
        Publisher:      Microsoft Corporation
        Description:    Microsoft Word
        Product:        Microsoft Office 2010
        Version:        14.0.4762.0
        File version:   14.0.4762.1000
        Create time:    Sat Mar 27 21:05:19 2010

0x77380000  0x13c000  C:\Windows\SYSTEM32\ntdll.dll
        Verified:       Microsoft Windows
        Publisher:      Microsoft Corporation
        Description:    NT Layer DLL
        Product:        Microsoft® Windows® Operating System
        Version:        6.1.7601.18247
        File version:   6.1.7601.18247
        Create time:    Thu Aug 29 07:21:24 2013

0x767a0000  0xd4000   C:\Windows\system32\kernel32.dll
        Verified:       Microsoft Windows
        Publisher:      Microsoft Corporation
        Description:    Windows NT BASE API Client DLL
        Product:        Microsoft® Windows® Operating System
        Version:        6.1.7601.18409
        File version:   6.1.7601.18409
        Create time:    Tue Mar 04 14:46:37 2014

0x754d0000  0x4b000   C:\Windows\system32\KERNELBASE.dll
        Verified:       Microsoft Windows
        Publisher:      Microsoft Corporation
        Description:    Windows NT BASE API Client DLL
        Product:        Microsoft® Windows® Operating System
        Version:        6.1.7601.18229
        File version:   6.1.7601.18229
        Create time:    Fri Aug 02 07:22:06 2013

[... output truncated ...]

Show which processes have loaded kernel32.dll. Practically every user-mode process does, so the list is long; the same query with the name of a suspect DLL is how you find every process an injected or side-loaded library has reached:

C:\Users\username\Downloads\ListDlls>listdlls -d kernel32.dll

ListDLLs v3.1 - List loaded DLLs
Copyright (C) 1997-2011 Mark Russinovich
Sysinternals - www.sysinternals.com

------------------------------------------------------------------------------
taskhost.exe pid: 5488
Command line: "taskhost.exe"

Base        Size      Path
0x767a0000  0xd4000   C:\Windows\system32\kernel32.dll
------------------------------------------------------------------------------
DWRCST.exe pid: 5508
Command line:  7373

Base        Size      Path
0x767a0000  0xd4000   C:\Windows\system32\kernel32.dll
------------------------------------------------------------------------------
ccSvcHst.exe pid: 5592
Command line: "C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4112.4156.105\Bin\ccSvcHst.exe" /u /c /a /s "UserSession"

Base        Size      Path
0x767a0000  0xd4000   C:\Windows\system32\kernel32.dll
------------------------------------------------------------------------------
dwm.exe pid: 5788
Command line: "C:\Windows\system32\Dwm.exe"

Base        Size      Path
0x767a0000  0xd4000   C:\Windows\system32\kernel32.dll
------------------------------------------------------------------------------
explorer.exe pid: 5772
Command line: C:\Windows\Explorer.EXE

Base        Size      Path
0x767a0000  0xd4000   C:\Windows\system32\kernel32.dll
------------------------------------------------------------------------------
igfxtray.exe pid: 1292
Command line: "C:\Windows\System32\igfxtray.exe"

Base        Size      Path
0x767a0000  0xd4000   C:\Windows\system32\kernel32.dll
------------------------------------------------------------------------------
hkcmd.exe pid: 3588
Command line: "C:\Windows\System32\hkcmd.exe"
------------------------------------------------------------------------------
iexplore.exe pid: 4072
Command line: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:4604 CREDAT:144385 /prefetch:2

Base        Size      Path
0x767a0000  0xd4000   C:\Windows\system32\kernel32.dll
------------------------------------------------------------------------------
EXCEL.EXE pid: 6384
Command line: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde

Base        Size      Path
0x767a0000  0xd4000   C:\Windows\system32\kernel32.dll
------------------------------------------------------------------------------
aruser.exe pid: 4676
Command line: "C:\Program Files\AR System\aruser.exe"

Base        Size      Path
0x767a0000  0xd4000   C:\Windows\system32\kernel32.dll
------------------------------------------------------------------------------
aruser.exe pid: 3240
Command line: "C:\Program Files\AR System\aruser.exe" "-app=ITSMHelpDesk" "-server=209.114.70.102"

Base        Size      Path
[... output truncated ...]

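Output like the two runs above is only useful across many hosts once it can be parsed. The script below is an added example, not part of the original post and not code from Sysinternals: it parses ListDLLs output in the format shown above (with or without -v) into process and module records, then answers the questions the Examples section poses (which processes loaded a given DLL, which loaded DLLs are unsigned) plus one a responder usually adds (which DLLs came from a user-writable path). SAMPLE_OUTPUT is constructed to mirror the runs above with one hypothetical unsigned helper.dll added under a Temp directory; the `Verified: Unsigned` label and the USER_WRITABLE path fragments are assumptions, not something the page shows.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in the format ListDLLs prints (see the runs above). The
# helper.dll row is hypothetical, and "Verified: Unsigned" is an assumption
# about how ListDLLs -v labels a DLL without a valid Authenticode signature.
SAMPLE_OUTPUT = r"""ListDLLs v3.1 - List loaded DLLs

------------------------------------------------------------------------------
WINWORD.EXE pid: 3620
Command line: "C:\PROGRA~1\MICROS~2\Office14\WINWORD.EXE"

Base        Size      Path
0x2f090000  0x15d000  C:\PROGRA~1\MICROS~2\Office14\WINWORD.EXE
        Verified:       Microsoft Corporation
        Create time:    Sat Mar 27 21:05:19 2010

0x77380000  0x13c000  C:\Windows\SYSTEM32\ntdll.dll
        Verified:       Microsoft Windows
        File version:   6.1.7601.18247
        Create time:    Thu Aug 29 07:21:24 2013

0x10000000  0x25000   C:\Users\username\AppData\Local\Temp\helper.dll
        Verified:       Unsigned

------------------------------------------------------------------------------
explorer.exe pid: 5772
Command line: C:\Windows\Explorer.EXE

Base        Size      Path
0x767a0000  0xd4000   C:\Windows\system32\kernel32.dll
"""

_PROC_RE = re.compile(r"^(?P<name>\S.*?) pid: (?P<pid>\d+)\s*$")
_MOD_RE = re.compile(r"^(?P<base>0x[0-9a-fA-F]+)\s+(?P<size>0x[0-9a-fA-F]+)\s+(?P<path>\S.*?)\s*$")
# Indented "Key:   value" rows under a module; split on the first colon only, since "Create time" values contain colons.
_ATTR_RE = re.compile(r"^\s+(?P<key>[A-Za-z][A-Za-z ]*?):\s*(?P<val>.*?)\s*$")

@dataclass
class Module:
    base: int
    size: int
    path: str
    info: Dict[str, str] = field(default_factory=dict)   # -v rows, if present

    @property
    def name(self) -> str:                               # bare file name, lowercased
        return self.path.rsplit("\\", 1)[-1].lower()

@dataclass
class Process:
    name: str
    pid: int
    cmdline: str = ""
    modules: List[Module] = field(default_factory=list)

def parse_listdlls(text: str) -> List[Process]:
    """Parse the text ListDLLs prints (with or without -v) into Process records."""
    procs: List[Process] = []
    cur: Optional[Module] = None
    for line in text.splitlines():
        m = _PROC_RE.match(line)
        if m:                                   # "name pid: N" opens a section
            procs.append(Process(m["name"], int(m["pid"])))
            cur = None
        elif not procs:                         # banner before the first process
            continue
        elif line.startswith("Command line:"):
            procs[-1].cmdline = line[len("Command line:"):].strip()
        elif (m := _MOD_RE.match(line)):        # "base size path" row
            cur = Module(int(m["base"], 16), int(m["size"], 16), m["path"])
            procs[-1].modules.append(cur)
        elif cur is not None and (m := _ATTR_RE.match(line)):
            cur.info[m["key"]] = m["val"]       # version / signature detail row
    return procs

def processes_loading(procs: List[Process], dllname: str) -> List[Tuple[str, int]]:
    """The `listdlls -d dllname` question: which (name, pid) have it loaded."""
    want = dllname.lower()
    return [(p.name, p.pid) for p in procs if any(m.name == want for m in p.modules)]

def unsigned_modules(procs: List[Process]) -> List[Tuple[str, int, str]]:
    """The `listdlls -u` question, answered from -v output."""
    return [(p.name, p.pid, m.path) for p in procs for m in p.modules
            if m.info.get("Verified", "").lower() == "unsigned"]

# Assumed heuristic: path fragments a standard user can normally write to.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

def modules_from_user_writable_paths(procs: List[Process]) -> List[Tuple[str, int, str]]:
    """DLLs loaded from user-writable locations, where side-loading and
    search-order hijacking usually land, signed or not."""
    return [(p.name, p.pid, m.path) for p in procs for m in p.modules
            if any(frag in m.path.lower() for frag in USER_WRITABLE)]

if __name__ == "__main__":
    procs = parse_listdlls(SAMPLE_OUTPUT)
    print("loaded kernel32.dll:", processes_loading(procs, "kernel32.dll"))
    print("unsigned:", unsigned_modules(procs))
    print("user-writable paths:", modules_from_user_writable_paths(procs))
```

To use it on a real host, redirect `listdlls -v > dlls.txt` and feed the file to `parse_listdlls`; the process split relies on the `name pid: N` header and the module rows on the `0x... 0x... path` layout, so it works on plain, `-v` and `-d` output alike. Treat `modules_from_user_writable_paths` as a triage hint, not a verdict: legitimately installed per-user software also lives under AppData.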