The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


I wanted to know the loaded DLLs in a process like Process Explorer shows, but from the console: Sysinternals ListDLLs to the rescue

Posted by jpluimers on 2021/05/20

In Windows, historically most people approach investigation GUI first. Having turned 50 a while ago, I am no exception.

My real roots, however, are on the command line and in scripting: roughly 1980s Apple DOS, CP/M, SunOS (yay sh Bourne shell!), MS-DOS, 4DOS, and VAX/VMS (yay DCL shell!); from the 1990s on, some Solaris, a little bit of AIX, HP-UX and quite a bit of Linux, MacOS (né OS/X, Mac OS), and some BSD derivatives (SunOS, AIX and MacOS are based on the Berkeley Software Distribution); and this century a growing amount of PowerShell.

So I was glad to find out the makers of Process Explorer also made [WayBack] ListDLLs – Windows Sysinternals | Microsoft Docs (via windows get dlls loaded in process – Google Search):

List all the DLLs that are currently loaded, including where they are loaded and their version numbers.

ListDLLs is a utility that reports the DLLs loaded into processes. You can use it to list all DLLs loaded into all processes, into a specific process, or to list the processes that have a particular DLL loaded. ListDLLs can also display full version information for DLLs, including their digital signature, and can be used to scan processes for unsigned DLLs.

Usage

listdlls [-r] [-v | -u] [processname|pid]
listdlls [-r] [-v] [-d dllname]

Parameter    Description
processname  Dump DLLs loaded by process (partial name accepted).
pid          Dump DLLs associated with the specified process id.
dllname      Show only processes that have loaded the specified DLL.
-r           Flag DLLs that relocated because they are not loaded at their base address.
-u           Only list unsigned DLLs.
-v           Show DLL version information.

Download: [WayBack] ListDlls.zip.

Now it is much easier to generate a draft deploy list of DLLs (and for Delphi: BPLs) based on a process running on a development machine.

Example output (the -r flags relocation warnings; the first part is the [WayBack] shim that Chocolatey created around the second which is from SysInternals):

C:\>listdlls -r listdlls.exe

Listdlls v3.2 - Listdlls
Copyright (C) 1997-2016 Mark Russinovich
Sysinternals

------------------------------------------------------------------------------
Listdlls.exe pid: 12848
Command line: listdlls  -r listdlls.exe

Base                Size      Path
  ### Relocated from base of 0x00400000:
0x00000000007c0000  0xc000    C:\ProgramData\chocolatey\bin\Listdlls.exe
0x0000000019c70000  0x1ed000  C:\WINDOWS\SYSTEM32\ntdll.dll
0x000000000a930000  0x64000   C:\WINDOWS\SYSTEM32\MSCOREE.DLL
0x0000000017ca0000  0xb3000   C:\WINDOWS\System32\KERNEL32.dll
0x0000000016c00000  0x293000  C:\WINDOWS\System32\KERNELBASE.dll
0x0000000017530000  0xa3000   C:\WINDOWS\System32\ADVAPI32.dll
0x0000000017b50000  0x9e000   C:\WINDOWS\System32\msvcrt.dll
0x0000000017780000  0x9e000   C:\WINDOWS\System32\sechost.dll
0x0000000017e70000  0x122000  C:\WINDOWS\System32\RPCRT4.dll
0x000000000a890000  0x9c000   C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll
0x0000000019650000  0x52000   C:\WINDOWS\System32\SHLWAPI.dll
0x0000000017820000  0x32c000  C:\WINDOWS\System32\combase.dll
0x0000000016a10000  0xfa000   C:\WINDOWS\System32\ucrtbase.dll
0x0000000016990000  0x7e000   C:\WINDOWS\System32\bcryptPrimitives.dll
0x0000000017d60000  0x29000   C:\WINDOWS\System32\GDI32.dll
0x0000000015d40000  0x19a000  C:\WINDOWS\System32\gdi32full.dll
0x0000000016b60000  0xa0000   C:\WINDOWS\System32\msvcp_win.dll
0x00000000175e0000  0x197000  C:\WINDOWS\System32\USER32.dll
0x00000000168c0000  0x20000   C:\WINDOWS\System32\win32u.dll
0x00000000174f0000  0x2e000   C:\WINDOWS\System32\IMM32.DLL
0x0000000015c70000  0x11000   C:\WINDOWS\System32\kernel.appcore.dll
0x000000000e5a0000  0xa000    C:\WINDOWS\SYSTEM32\VERSION.dll
0x00000000075a0000  0x9ed000  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
0x000000000a5a0000  0xf7000   C:\WINDOWS\SYSTEM32\MSVCR120_CLR0400.dll
0x0000000005c20000  0x1591000  C:\WINDOWS\assembly\NativeImages_v4.0.30319_64\mscorlib\bef0a43af1bb9a52ee47a6f60bec2961\mscorlib.ni.dll
0x0000000019a80000  0x155000  C:\WINDOWS\System32\ole32.dll
0x0000000000d80000  0x12b000  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll
0x00000000ff850000  0xc42000  C:\WINDOWS\assembly\NativeImages_v4.0.30319_64\System\f8a7bdb37af85423bb9b5675d229f7f2\System.ni.dll
0x00000000f49e0000  0xa50000  C:\WINDOWS\assembly\NativeImages_v4.0.30319_64\System.Core\b49ad0090c8a327519ec8b1d8086028f\System.Core.ni.dll
------------------------------------------------------------------------------
Listdlls.exe pid: 5020
Command line: "C:\ProgramData\chocolatey\lib\sysinternals\tools\Listdlls.exe" -r listdlls.exe

Base                Size      Path
0x00000000000e0000  0x69000   C:\ProgramData\chocolatey\lib\sysinternals\tools\Listdlls.exe
0x0000000019c70000  0x1ed000  C:\WINDOWS\SYSTEM32\ntdll.dll
0x0000000019be0000  0x53000   C:\WINDOWS\System32\wow64.dll
0x00000000195c0000  0x7c000   C:\WINDOWS\System32\wow64win.dll
0x0000000076fd0000  0x9000    C:\WINDOWS\System32\wow64cpu.dll
0x00000000000e0000  0x69000   C:\ProgramData\chocolatey\lib\sysinternals\tools\Listdlls.exe
0x0000000076fe0000  0x19c000  C:\WINDOWS\SysWOW64\ntdll.dll
0x0000000074ed0000  0xe0000   C:\WINDOWS\SysWOW64\KERNEL32.DLL
0x0000000075a80000  0x1fa000  C:\WINDOWS\SysWOW64\KERNELBASE.dll
0x00000000766b0000  0x19000   C:\WINDOWS\SysWOW64\imagehlp.dll
0x0000000075e10000  0x122000  C:\WINDOWS\SysWOW64\ucrtbase.dll
0x0000000073ff0000  0x8000    C:\WINDOWS\SysWOW64\VERSION.dll
0x0000000074bb0000  0x199000  C:\WINDOWS\SysWOW64\CRYPT32.dll
0x0000000075890000  0xc0000   C:\WINDOWS\SysWOW64\msvcrt.dll
0x0000000075a70000  0xe000    C:\WINDOWS\SysWOW64\MSASN1.dll
0x0000000075fc0000  0x199000  C:\WINDOWS\SysWOW64\USER32.dll
0x0000000075870000  0x17000   C:\WINDOWS\SysWOW64\win32u.dll
0x0000000076900000  0x23000   C:\WINDOWS\SysWOW64\GDI32.dll
0x0000000074fe0000  0x167000  C:\WINDOWS\SysWOW64\gdi32full.dll
0x00000000766d0000  0x80000   C:\WINDOWS\SysWOW64\msvcp_win.dll
0x0000000076c30000  0xfa000   C:\WINDOWS\SysWOW64\COMDLG32.dll
0x0000000076d30000  0x278000  C:\WINDOWS\SysWOW64\combase.dll
0x00000000757b0000  0xbf000   C:\WINDOWS\SysWOW64\RPCRT4.dll
0x0000000074650000  0x20000   C:\WINDOWS\SysWOW64\SspiCli.dll
0x0000000074640000  0xa000    C:\WINDOWS\SysWOW64\CRYPTBASE.dll
0x0000000076750000  0x62000   C:\WINDOWS\SysWOW64\bcryptPrimitives.dll
0x0000000076820000  0x79000   C:\WINDOWS\SysWOW64\sechost.dll
0x0000000076a20000  0x89000   C:\WINDOWS\SysWOW64\shcore.dll
0x0000000074b60000  0x44000   C:\WINDOWS\SysWOW64\SHLWAPI.dll
0x0000000076160000  0x54e000  C:\WINDOWS\SysWOW64\SHELL32.dll
0x0000000075dd0000  0x3b000   C:\WINDOWS\SysWOW64\cfgmgr32.dll
0x00000000701d0000  0x20f000  C:\WINDOWS\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.529_none_4d65773f1b98b660\COMCTL32.dll
0x0000000075150000  0x5fc000  C:\WINDOWS\SysWOW64\windows.storage.dll
0x0000000076990000  0x7e000   C:\WINDOWS\SysWOW64\advapi32.dll
0x0000000075950000  0x1c000   C:\WINDOWS\SysWOW64\profapi.dll
0x0000000075750000  0x54000   C:\WINDOWS\SysWOW64\powrprof.dll
0x0000000075f60000  0xf000    C:\WINDOWS\SysWOW64\kernel.appcore.dll
0x0000000076fb0000  0x12000   C:\WINDOWS\SysWOW64\cryptsp.dll
0x0000000074670000  0x96000   C:\WINDOWS\SysWOW64\OLEAUT32.dll
0x0000000074fb0000  0x25000   C:\WINDOWS\SysWOW64\IMM32.DLL

–jeroen
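An added example, not part of the original post and not Sysinternals code: a small parser for the `listdlls -r` text format shown above that builds the draft deploy list by keeping only modules loaded from outside the Windows directory, and records the preferred base of any module flagged as relocated. The function names, the `C:\Windows` default and the shortened sample are assumptions made for illustration.

```python
import re
from ntpath import normcase  # Windows path semantics, usable on any OS

# Constructed sample: a shortened excerpt in the format of the output above.
SAMPLE = r"""
------------------------------------------------------------------------------
Listdlls.exe pid: 12848
Command line: listdlls  -r listdlls.exe
Base                Size      Path
  ### Relocated from base of 0x00400000:
0x00000000007c0000  0xc000    C:\ProgramData\chocolatey\bin\Listdlls.exe
0x0000000019c70000  0x1ed000  C:\WINDOWS\SYSTEM32\ntdll.dll
0x000000000a890000  0x9c000   C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll
------------------------------------------------------------------------------
Listdlls.exe pid: 5020
Command line: "C:\ProgramData\chocolatey\lib\sysinternals\tools\Listdlls.exe" -r listdlls.exe
Base                Size      Path
0x00000000000e0000  0x69000   C:\ProgramData\chocolatey\lib\sysinternals\tools\Listdlls.exe
0x0000000076fe0000  0x19c000  C:\WINDOWS\SysWOW64\ntdll.dll
"""

PROC = re.compile(r"^(?P<name>.+?) pid: (?P<pid>\d+)\s*$")
MOD = re.compile(r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(.+?)\s*$")
RELOC = re.compile(r"^\s*### Relocated from base of (0x[0-9a-fA-F]+)")

def parse_listdlls(text):
    """Return one dict per process: name, pid and its list of modules."""
    procs, pending = [], None
    for line in text.splitlines():
        if m := PROC.match(line):
            procs.append({"name": m["name"], "pid": int(m["pid"]), "modules": []})
            pending = None
        elif m := RELOC.match(line):
            pending = int(m[1], 16)  # the -r note applies to the next module line
        elif (m := MOD.match(line)) and procs:
            procs[-1]["modules"].append({"base": int(m[1], 16), "size": int(m[2], 16),
                                         "path": m[3], "preferred_base": pending})
            pending = None
    return procs

def deploy_candidates(procs, windir=r"C:\Windows"):  # windir default is an assumption
    """Unique module paths outside the Windows directory, in first-seen order."""
    prefix, seen, out = normcase(windir) + "\\", set(), []
    for mod in (m for p in procs for m in p["modules"]):
        key = normcase(mod["path"])  # Windows paths compare case-insensitively
        if not key.startswith(prefix) and key not in seen:
            seen.add(key)
            out.append(mod["path"])
    return out
```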
