Nytro Posted September 7, 2010

About RemoteDLL

RemoteDLL is a tool which makes it easy to inject a DLL into, or free a DLL from, a remote process. This tool is based on the popular DLL Injection technique, which has already been used in many top programs such as pwdump. Many spyware programs use this technique to hide their presence. Many of these come as a DLL, inject themselves into a legitimate Windows process and operate from that process so that a normal user will not suspect their presence. Using RemoteDLL you can easily remove such a DLL from the process and then delete it from the system completely.

How RemoteDLL works?

This tool is entirely based upon the DLL Injection concept. In short, DLL Injection uses the CreateRemoteThread API to invoke LoadLibrary or FreeLibrary in the remote process. Here is a very good article which explains this technique in detail. I suggest you read that article to better understand the working of RemoteDLL.

Injecting the DLL into Remote Process

Below are the steps for injecting the DLL into another process using RemoteDLL.

* Select the "Load DLL" option.
* Now select the process into which you want to inject the DLL.
* Next specify the DLL and press the "Load DLL" button.
* The specified DLL will be injected into the target process and the result of the entire operation will be displayed in the status window.

Removing the DLL from Remote Process

Follow the steps below to remove a DLL from any process using RemoteDLL. Note that removing a DLL from a process may crash it or destabilize the entire system. So make sure you know what you are doing before using it.

* Select the "Free DLL" option from the main screen.
* Next select the process from which you want to remove the DLL.
* Now select the DLL to be removed from the process using the DLL selection dialog. It displays the following information about each DLL:
    o DLL Name
    o Base Address
    o Entry Point of DLL
    o Size of the DLL in memory
    o Load count or Reference Count of DLL
    o Static or dynamically loaded
* Next press the "Free DLL" button to remove the DLL from the process. The result will be displayed step by step in the status window.

Note that only dynamically loaded DLLs can be removed from the process.

Reference count : Unique feature of RemoteDLL

Reference count or load count indicates how many times the DLL is loaded into the process. Each time the DLL is loaded, the process increases that DLL's reference count. So when you want to remove the DLL from the process, you have to invoke the FreeLibrary function that many times to completely free it. Reference count is the unique feature of RemoteDLL which is not present in any other similar tools. This is because there is no direct way or API function to get this information.

The reference count for the DLL is stored in the PEB (Process Environment Block) for that process. The PEB contains the linked list of DLL Module Structures, which contain complete information about each particular DLL. One can retrieve the PEB data of a remote process by using the ReadProcessMemory() API.

For detailed information on finding the reference count, read the detailed article here.

Download: http://securityxploded.com/getfile.php?id=7111
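
For anyone auditing which modules a process has loaded, the sketch below decodes the fields listed above (name, base address, entry point, size, load count, static or dynamic) from the module list the post describes. It is an added example, not part of the original post and not RemoteDLL's code. Assumptions: the 32-bit LDR_DATA_TABLE_ENTRY offsets used on Windows XP through 7, a hypothetical FakeMemory class standing in for ReadProcessMemory(), and a constructed memory image with made-up addresses.

```python
import struct

# Assumed layout: 32-bit LDR_DATA_TABLE_ENTRY as on Windows XP through 7.
# +0x00 InLoadOrderLinks.Flink  +0x18 DllBase  +0x1C EntryPoint
# +0x20 SizeOfImage  +0x2C BaseDllName (Length, MaximumLength, Buffer)
# +0x38 LoadCount (0xFFFF means statically imported, cannot be freed)
ENTRY_SIZE, STATIC_LOAD = 0x3C, 0xFFFF

class FakeMemory:
    """Hypothetical stand-in for ReadProcessMemory over one constructed region."""
    def __init__(self, base, data):
        self.base, self.data = base, data
    def read(self, addr, size):
        off = addr - self.base
        if off < 0 or off + size > len(self.data):
            raise ValueError("read outside mapped region: %#x" % addr)
        return bytes(self.data[off:off + size])

def walk_modules(mem, list_head, limit=512):
    """Follow InLoadOrderLinks from the list head and decode each entry."""
    modules, seen = [], set()
    (flink,) = struct.unpack("<I", mem.read(list_head, 4))
    while flink != list_head and flink not in seen and len(modules) < limit:
        seen.add(flink)  # guards against a corrupted, self-looping list
        entry = mem.read(flink, ENTRY_SIZE)
        base, entry_point, size = struct.unpack_from("<III", entry, 0x18)
        name_len, _, name_ptr = struct.unpack_from("<HHI", entry, 0x2C)
        (count,) = struct.unpack_from("<H", entry, 0x38)
        modules.append({
            "name": mem.read(name_ptr, name_len).decode("utf-16-le"),
            "base": base, "entry_point": entry_point, "size": size,
            "load_count": count, "static": count == STATIC_LOAD})
        (flink,) = struct.unpack_from("<I", entry, 0)
    return modules

def build_sample():
    """Constructed memory image: list head plus two module entries."""
    base, buf = 0x00250000, bytearray(0x200)
    def put(off, nxt, name, name_off, dll_base, ep, size, count):
        raw = name.encode("utf-16-le")
        buf[name_off:name_off + len(raw)] = raw
        struct.pack_into("<I", buf, off, nxt)
        struct.pack_into("<III", buf, off + 0x18, dll_base, ep, size)
        struct.pack_into("<HHI", buf, off + 0x2C, len(raw), len(raw), base + name_off)
        struct.pack_into("<H", buf, off + 0x38, count)
    struct.pack_into("<I", buf, 0, base + 0x40)  # head.Flink -> first entry
    put(0x40, base + 0x80, "kernel32.dll", 0x100, 0x7C800000, 0x7C801000, 0xF6000, STATIC_LOAD)
    put(0x80, base, "sample.dll", 0x140, 0x10000000, 0x10001000, 0x8000, 2)
    return FakeMemory(base, buf), base

if __name__ == "__main__":
    for m in walk_modules(*build_sample()):
        print(m)
```

A module whose load count is greater than 1 and whose "static" flag is false is one that FreeLibrary would have to be called on that many times, which is the case the reference-count section describes.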