Grasp the DLL file and immediately make the software "green"

Source: Internet
Author: User

Can software be used only after it has been installed? Of course not. We already have green software, but does software that ships with an installer have to be installed before it can be used? Not necessarily: many programs work once their files are extracted directly. This not only makes the software "green" but also prevents Trojans or rogue software from being bundled into the system.

Several assistants

Universal Extractor (UE)

Exists

IceSword

Background knowledge: processes, resident programs, DLL files

After an executable file is run, a process is added to the system, and that process loads all the code and resources it needs into memory. To implement monitoring and similar functions, some software, such as firewall software, stays resident in memory after it starts. DLL files are packaged as separate executable modules whose functions an EXE calls, or which provide basic support for the EXE.

Lunar calendar and weather forecast: WinKld.dll has it all

"Windows Calendar" is an enhancement for the Windows time display. It adds the lunar calendar to the tray area and, if you are online, can show the weather forecast at any time. If you have used this software, you may have noticed that there is no executable file in the installation directory, only a WinKld.dll file (42.5 KB). In fact, the software works through WinKld.dll alone.

Figure 1 WinKld.dll

Using UE to extract this DLL and then registering it is equivalent to completing the software installation. After UE is installed, right-click the installation file and select "UnExtract extract file" to extract all resources to any directory, such as D:\. WinKld.dll is nowhere to be found, because after extraction it becomes a file named "$R0" (exactly 42.5 KB); change the name back. Run "regsvr32 D:\WinKld.dll" and restart the computer after the registration success prompt appears. When you hover the mouse over the time in the tray area, the time limit will be displayed. To uninstall, run "regsvr32 /u D:\WinKld.dll".

  Exists: digging into DLL files

How do we know that WinKld.dll can be used only after registration? The answer is Exists. Exists is often used to edit the resources in files such as programs and DLLs, including bitmaps, icons, strings, and so on (you can customize a program's interface by modifying these resources). Here it is used to find out whether a DLL needs to be registered. Use Exists to open WinKld.dll (or $R0) and click Export → WinKld.dll; the right pane contains "DllRegisterServer" and "DllUnregisterServer", which indicates that this DLL must be registered by calling regsvr32. We can also simply register a DLL file with regsvr32 to see whether that achieves the same effect as installing the software. If it doesn't work, we can unregister it directly.
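The same export check can be done without a GUI tool. The following is an added example, not code from the original article: a small Python parser that reads a PE file's export table and reports which of the two self-registration entry points it exports. The function names `export_names` and `registration_exports` are hypothetical.

```python
import struct
import sys

REG_EXPORTS = {"DllRegisterServer", "DllUnregisterServer"}

def export_names(pe: bytes) -> list:
    """Return the names in a PE image's export table (empty list if none)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]             # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", pe, nt + 6)[0]
    opt_size = struct.unpack_from("<H", pe, nt + 20)[0]
    opt = nt + 24                                          # optional header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)           # PE32 / PE32+
    if struct.unpack_from("<I", pe, dirs - 4)[0] == 0:     # NumberOfRvaAndSizes
        return []
    export_rva = struct.unpack_from("<I", pe, dirs)[0]     # data directory 0
    if export_rva == 0:
        return []
    sections = []
    for i in range(n_sections):
        vsize, va, rsize, raw = struct.unpack_from("<4I", pe, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rsize), raw))

    def offset(rva):
        """Translate a relative virtual address to a file offset."""
        for va, size, raw in sections:
            if va <= rva < va + size:
                return rva - va + raw
        raise ValueError(f"RVA {rva:#x} is outside every section")

    exp = offset(export_rva)
    n_names = struct.unpack_from("<I", pe, exp + 24)[0]    # NumberOfNames
    names_rva = struct.unpack_from("<I", pe, exp + 32)[0]  # AddressOfNames
    names = []
    for i in range(n_names):
        ptr = struct.unpack_from("<I", pe, offset(names_rva + 4 * i))[0]
        start = offset(ptr)
        names.append(pe[start:pe.index(b"\0", start)].decode("ascii", "replace"))
    return names

def registration_exports(pe: bytes) -> set:
    """Which of the two self-registration entry points the DLL exports."""
    return REG_EXPORTS & set(export_names(pe))

if __name__ == "__main__" and len(sys.argv) == 2:
    with open(sys.argv[1], "rb") as f:
        print(sorted(registration_exports(f.read())))
```

Run it with the DLL path as the only argument. Because regsvr32 loads the DLL and calls its DllRegisterServer, this static check lets you inspect an extracted file before any of its code runs.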

Figure 2 IceSword

  IceSword: the true face of a DLL

Even after some software has been installed, you still do not know which DLLs it needs. Trojans exploit this gap: a Trojan often disguises itself as a DLL file belonging to other software and is injected into a process. With IceSword, you can view the DLLs loaded by a process and judge whether a program file (especially a DLL) is suspicious. There are usually three things to look at:

(1) Location. Most normal DLL files are located in the System32 directory and the program's own path, while the main program and related DLLs of a Trojan may be hidden in the Windows directory (including System, System32, Temp, Prefetch), the recycle bin, and System Volume Information (the System Restore directory).

(2) Company. This one is very simple. The company shown for a DLL called by a normal system process is generally "Microsoft Corporation" or another software company, such as Adobe, while for a Trojan DLL this field is generally empty. To check, right-click the DLL file and select Properties.

(3) Time. When a Trojan makes the system run slowly or causes other problems, go to the directories mentioned above and look for files recently written to the hard disk, including program and DLL files: switch to the Details view and sort by modification date. The most recent files are the most suspicious.
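The three checks above can be applied mechanically to a module listing. The following is an added example, not part of the original article: it scores constructed module records against the location, company, and time criteria. The record fields, the seven-day window, the recycle-bin folder names, and the sample file names are all assumptions.

```python
import ntpath
from datetime import datetime, timedelta

# Directories the text names as Trojan hiding places. System32 is left out
# because legitimate DLLs live there too; recycle-bin folder names are assumed.
HIDING_DIRS = {"temp", "prefetch", "system volume information", "recycler", "$recycle.bin"}
RECENT = timedelta(days=7)  # assumed window for "recently written"

def triage(modules, now):
    """Return (path, reasons) for every module that trips at least one check."""
    findings = []
    for m in modules:
        reasons = []
        folder = ntpath.dirname(ntpath.normpath(m["path"]))
        if {p.lower() for p in folder.split("\\")} & HIDING_DIRS:
            reasons.append("location")
        if not (m.get("company") or "").strip():   # empty CompanyName field
            reasons.append("company")
        if now - m["modified"] <= RECENT:
            reasons.append("time")
        if reasons:
            findings.append((m["path"], reasons))
    # Modules that trip the most checks come first.
    return sorted(findings, key=lambda f: -len(f[1]))

# Constructed sample: modules loaded by one process (not real data).
NOW = datetime(2024, 5, 20, 12, 0)
SAMPLE = [
    {"path": r"C:\Windows\System32\kernel32.dll", "company": "Microsoft Corporation",
     "modified": datetime(2023, 11, 2)},
    {"path": r"C:\Windows\Temp\msupd32.dll", "company": "",
     "modified": datetime(2024, 5, 19, 23, 10)},
    {"path": r"C:\Program Files\Adobe\Reader\AcroRd32.dll", "company": "Adobe",
     "modified": datetime(2024, 5, 18)},
    {"path": r"C:\Windows\Prefetch\helper.dll", "company": None,
     "modified": datetime(2022, 1, 5)},
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE, NOW):
        print(f"{path}: {', '.join(reasons)}")
```

The recently updated Adobe DLL trips only the time check, which shows why a single criterion is weak evidence and the three are best read together.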

How to clear a DLL Trojan: start IceSword, right-click erer.exe, select "Module information", find the Trojan DLL that the process has loaded, click "Unload", and then delete the DLL.
