RemoteDLL is a tool which makes it easy to inject a DLL into, or free a DLL from, a remote process. It is based on the popular DLL injection technique that has already been used in many well-known programs such as pwdump. Many spyware programs use this technique to hide their presence: they come as a DLL, inject themselves into a legitimate Windows process and operate from inside that process, so a normal user will not suspect they are there. Using RemoteDLL you can easily remove such a DLL from the process and then delete it from the system completely.
RemoteDLL in Action
How does RemoteDLL work?
This tool is entirely based upon the DLL injection concept. In short, DLL injection uses the CreateRemoteThread API to invoke LoadLibrary or FreeLibrary in the remote process.
Injecting the DLL into Remote Process
Below are the steps for injecting a DLL into another process using RemoteDLL.
- Select the "Load DLL" option.
- Now select the process into which you want to inject the DLL.
- Next specify the DLL and press the "Load DLL" button.
- The specified DLL will be injected into the target process and the result of the entire operation will be displayed in the status window.
Removing the DLL from Remote Process
Follow the steps below to remove a DLL from any process using RemoteDLL. Note that removing a DLL from a process may crash it or destabilize the entire system, so make sure you know what you are doing before using it.
- Select the "Free DLL" option from the main screen.
- Next select the process from which you want to remove the DLL.
- Now select the DLL to be removed from the process using the DLL selection dialog. It displays the following information about each DLL:
  - DLL Name
  - Base Address
  - Entry Point of DLL
  - Size of the DLL in memory
  - Load count or Reference Count of DLL
  - Static or dynamically loaded
- Next press the "Free DLL" button to remove the DLL from the process. The result will be displayed step by step in the status window.
Note that only dynamically loaded DLLs can be removed from the process.
Reference count: Unique feature of RemoteDLL
The reference count or load count indicates how many times the DLL has been loaded into the process. Each time the DLL is loaded, the process increments that DLL's reference count, so to remove the DLL from the process you have to invoke the FreeLibrary function that many times to free it completely. The reference count is a unique feature of RemoteDLL not present in any other similar tool, because there is no direct way or API function to get this information.
The reference count for a DLL is stored in the PEB (Process Environment Block) of that process. The PEB contains a linked list of DLL module structures, each holding complete information about one particular DLL. The PEB data of a remote process can be retrieved using the ReadProcessMemory() API.
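The PEB walk described above, as an added example that is not RemoteDLL's own code: a C walker over the loader's module list that reads memory through a caller-supplied reader, so on Windows it would be fed a ReadProcessMemory wrapper (with the PEB address obtained from NtQueryInformationProcess), while here it is exercised against a constructed sample list. The struct and function names, the sample base addresses and the load counts are assumptions or constructed data; the field layout is the NT-through-Vista/7 LDR_DATA_TABLE_ENTRY that the listed platforms use.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
typedef struct { uintptr_t Flink, Blink; } LIST_ENTRY_T;
typedef struct { uint16_t Length, MaximumLength; uintptr_t Buffer; } UNICODE_STRING_T;
/* Per-module loader entry (LDR_DATA_TABLE_ENTRY, NT 4 through Vista/7 layout; later Windows
 * stopped maintaining LoadCount).  InLoadOrderLinks is first, so a link address is the entry. */
typedef struct {
    LIST_ENTRY_T     InLoadOrderLinks, InMemoryOrderLinks, InInitializationOrderLinks;
    uintptr_t        DllBase, EntryPoint;
    uint32_t         SizeOfImage;
    UNICODE_STRING_T FullDllName, BaseDllName;
    uint32_t         Flags;
    uint16_t         LoadCount, TlsIndex;   /* LoadCount 0xFFFF: static load, cannot be freed */
} LDR_ENTRY_T;
/* Reader abstraction: on Windows this wraps ReadProcessMemory on the target's handle; the
 * sample at the bottom reads a constructed in-process image instead.  Returns 0 on success. */
typedef int (*read_fn)(uintptr_t addr, void *out, size_t len);
typedef struct { uintptr_t base, entry; uint32_t size; uint16_t load_count; } module_info;
/* Walk PEB->Ldr->InLoadOrderModuleList; list_head is that LIST_ENTRY's address in the target.
 * Returns the module count, or -1 on a failed read or a list that never returns to its head
 * (corrupted memory, or a target whose module list changed while we were reading it). */
int walk_modules(read_fn rd, uintptr_t list_head, module_info *out, int max) {
    LIST_ENTRY_T head; int n = 0;
    if (rd(list_head, &head, sizeof head) != 0) return -1;
    for (uintptr_t cur = head.Flink; cur != list_head; n++) {
        LDR_ENTRY_T e;
        if (n >= max || rd(cur, &e, sizeof e) != 0) return -1;
        out[n] = (module_info){ e.DllBase, e.EntryPoint, e.SizeOfImage, e.LoadCount };
        cur = e.InLoadOrderLinks.Flink;
    }
    return n;
}
/* FreeLibrary calls needed to unload a module completely: one per reference, none if static. */
int frees_needed(const module_info *m) { return m->load_count == 0xFFFF ? 0 : m->load_count; }
/* Constructed sample standing in for a remote process's loader list (not real data). */
static LIST_ENTRY_T g_head; static LDR_ENTRY_T g_mods[3];
int local_read(uintptr_t a, void *out, size_t len) { memcpy(out, (void *)a, len); return 0; }
uintptr_t sample_list_head(void) {   /* exe and system DLL are static; injected DLL referenced twice */
    const uintptr_t bases[3] = { 0x00400000u, 0x77000000u, 0x10000000u };
    const uint16_t counts[3] = { 0xFFFF, 0xFFFF, 2 };
    memset(g_mods, 0, sizeof g_mods);
    for (int i = 0; i < 3; i++) {
        g_mods[i].DllBase = bases[i]; g_mods[i].EntryPoint = bases[i] + 0x1000;
        g_mods[i].SizeOfImage = 0x20000u * (i + 1); g_mods[i].LoadCount = counts[i];
        g_mods[i].InLoadOrderLinks.Flink = (i < 2) ? (uintptr_t)&g_mods[i + 1] : (uintptr_t)&g_head;
    }
    g_head.Flink = (uintptr_t)&g_mods[0];   /* Blink is unused by the walker, left zero */
    return (uintptr_t)&g_head;
}
```

On the sample list the walker reports three modules, and frees_needed() yields 0 for the two static entries and 2 for the injected DLL, which is the count of FreeLibrary calls the text says are required.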
RemoteDLL is tested on Windows NT/2000/XP/Vista systems.
License: Freeware
Platform: Windows NT, 2000, XP, 2003 & Vista