Forensics, Malware Analysis

Scan running processes for unsigned DLLs

> Download Sysinternals Suite.

> Run the command-line tool (cmd.exe) with administrative privileges.

> To list the unsigned DLLs loaded by all running processes, execute:

x:\path\to\sysinternals_suite\listdlls.exe -u

-u Only list unsigned DLLs.

> To list the unsigned DLLs loaded by a specific process, execute:

x:\path\to\sysinternals_suite\listdlls.exe -u process_name

or

x:\path\to\sysinternals_suite\listdlls.exe -u process_id

> To search for processes that have loaded a specific DLL, execute:

x:\path\to\sysinternals_suite\listdlls.exe -d dll_name

for example:

x:\path\to\sysinternals_suite\listdlls.exe -d kernel32
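The steps above give one line of text per loaded module, which is hard to review on a busy host. The PowerShell script below is an added example, not part of the original page or of Sysinternals: it runs `listdlls.exe -u`, parses the text output into objects, and triages each unsigned DLL by how many processes load it, whether it sits in a directory an ordinary user can write to, and its SHA-256 hash, so the result can be exported and compared across hosts. It assumes the placeholder ListDLLs path used on this page and the usual ListDLLs layout of a `<exe> pid: <n>` header followed by `<base> <size> <path>` rows; the set of user-writable directories is a constructed starting point, not an exhaustive list.

```powershell
# Added example (not from the original page or Sysinternals): parse ListDLLs -u output
# and rank the unsigned DLLs for review. Assumes the page's placeholder path and the
# "<exe> pid: <n>" / "<base> <size> <path>" output layout of ListDLLs.
param(
    [string]$ListDlls = 'x:\path\to\sysinternals_suite\listdlls.exe'   # placeholder path from the page
)

# -accepteula suppresses the first-run licence dialog so the tool runs unattended.
$raw = & $ListDlls -accepteula -u 2>&1 | Out-String -Stream

# Walk the output line by line, remembering which process the current block belongs to.
$procName = $null
$procId   = $null
$rows = foreach ($line in $raw) {
    if ($line -match '^(?<name>\S+) pid: (?<procid>\d+)') {
        $procName = $Matches.name
        $procId   = [int]$Matches.procid
        continue
    }
    # Module rows look like:  0x00007ffb1e2a0000  0x1f000   C:\path\to\file.dll
    if ($procName -and $line -match '^0x(?<base>[0-9a-fA-F]+)\s+0x(?<size>[0-9a-fA-F]+)\s+(?<path>\S.*)$') {
        [pscustomobject]@{
            Process = $procName
            PID     = $procId
            Base    = '0x' + $Matches.base
            Path    = $Matches.path.Trim()
        }
    }
}

# Constructed list of directories a low-privileged user can normally write to. An unsigned
# DLL loaded from one of these deserves attention before one under Program Files.
$userWritable = @(
    $env:TEMP, $env:APPDATA, $env:LOCALAPPDATA,
    'C:\Users\Public', (Join-Path $env:USERPROFILE 'Downloads')
) | Where-Object { $_ }

$report = $rows | Group-Object Path | ForEach-Object {
    $path   = $_.Name
    $exists = Test-Path -LiteralPath $path
    $inUserDir = $userWritable | Where-Object {
        $path.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase)
    }
    [pscustomobject]@{
        Path            = $path
        Loaders         = ($_.Group | ForEach-Object { "$($_.Process):$($_.PID)" } | Sort-Object -Unique) -join ', '
        LoaderCount     = @($_.Group | Select-Object -ExpandProperty PID -Unique).Count
        UserWritableDir = [bool]$inUserDir
        # Re-check the signature with PowerShell; 'FileMissing' means the module was deleted
        # after being loaded, which is itself worth a look.
        SigStatus       = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $path).Status } else { 'FileMissing' }
        SHA256          = if ($exists) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { $null }
    }
}

# Show the riskiest locations first, then the least widely shared modules, and keep a CSV
# copy for comparison with other hosts or with a known-good baseline.
$report |
    Sort-Object -Property @{ Expression = 'UserWritableDir'; Descending = $true }, LoaderCount |
    Format-Table -AutoSize

$report | Export-Csv -NoTypeInformation -LiteralPath (Join-Path $env:TEMP 'unsigned_dlls.csv')
```

Run it from the same elevated prompt the page calls for; without administrative rights ListDLLs cannot open other users' processes and the report will be incomplete. A DLL that appears under many processes is usually a system or vendor component that simply lacks a signature, while one loaded by a single process from a user-writable path is the kind of finding to hash and look up first.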

Options:

usage: listdlls [-r] [-v | -u] [processname|pid]
usage: listdlls [-r] [-v] [-d dllname]
  processname   Dump DLLs loaded by process (partial name accepted)
  pid           Dump DLLs associated with the specified process id
  dllname       Show only processes that have loaded the specified DLL.
  -r            Flag DLLs that relocated because they are not loaded at
                their base address.
  -u            Only list unsigned DLLs.
  -v            Show DLL version information.