Finding Which Executables Use A DLL Entry Point

Raymod Chen wrote a blog post called "Don’t be helpless: …" where he shows a batch command to start the process of finding which executables use a particular DLL entry point.

for /f %i in (dlls.txt) do ^
@echo %i & link /dump /imports %i | findstr PostThreadMessage

The hard work is done by link (dumpbin really) so the script provides the glue code and formatting support.  I just had to give this a go in PowerShell where I knew the formatting would be superior plus I wanted to support searching on multiple entry points.  Here is the script I came up with:

param([string[]]$filter=$(throw "-filter parameter is required"))

get-process | select ProcessName -expand Modules -ea 0 |
    foreach {
        $dll = $_
        link /dump /imports $_.filename | 
            select-string $filter | 
            select @{n='Process';e={$dll.ProcessName}}, 
                   @{n='Dll';    e={$dll.ModuleName}}, 
                   @{n='Entry';  e={$_.Line.Substring(6)}} 
    } | 
    format-table Dll, Entry -groupby Process 
The script output looks like this:
PS> .\FindDllEntryPoint.ps1 'PostThreadMessage','QueueUserWorkItem'

   Process: apcsystray

Dll                       Entry
---                       -----
SHELL32.dll               77E19FF7    35F QueueUserWorkItem
SHELL32.dll               77D718C9    222 PostThreadMessageW
SHLWAPI.dll               77E09FF7    35F QueueUserWorkItem
SHLWAPI.dll               77D5B4B9    221 PostThreadMessageA
ole32.dll                 77D618C9    222 PostThreadMessageW
MSCTF.dll                 77D618C9    222 PostThreadMessageW
DpOFeedb.dll                          205 PostThreadMessageW

   Process: DPAgnt

Dll                       Entry
---                       -----
DPAgnt.exe                            205 PostThreadMessageW
SHELL32.dll               77E19FF7    35F QueueUserWorkItem

Now that is some nice formatting made possible by the Format-Table -GroupBy parameter.

This entry was posted in PowerShell. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s