What do I use to detect dll "injection"?
Searching_ _ _
September 29th, 2008, 06:27 PM
What do I use to detect a dll injection of a legitimate dll that can inject into other processes?
malicious injection => XXmsXX.dll (which can already) inject => any process (winlogon.exe, explorer.exe, servicehost.exe, etc.)
Not sure if dll injection is the right term, but that is what I used.
edit: KX-Ray shows the suspect processes in gray, but would a memory dump show anything more than the legitimate dll which has the additional payload?
Pseudo
September 29th, 2008, 11:20 PM
-{ Quote: "What do I use to detect a dll injection of a legitimate dll that can inject into other processes?
malicious injection => XXmsXX.dll (which can already) inject => any process (winlogon.exe, explorer.exe, servicehost.exe, etc.)
Not sure if dll injection is the right term, but that is what I used.
edit: KX-Ray shows the suspect processes in gray, but would a memory dump show anything more than the legitimate dll which has the additional payload?" }-
Most HIPSs detect DLL injection (injection would be the right term). I'm not sure if there's a specific utility dedicated to it, though. :)
Searching_ _ _
September 30th, 2008, 12:34 AM
It's already inside. I have a HIPS and FW, so it may have gotten in via another application that was trusted.
After noticing issues, I downloaded SIW to see what I could find. I focused on processes and their DLLs, specifically internet- and COM-related ones. I noted file sizes. Then I searched to learn more about particular DLLs.
While I surfed, the file I was researching changed size. What I didn't know right away was that the program I was using had been injected with XXmsXX.dll, which was infected with extra data, and it now altered the info I was seeing, hiding its presence.
I know what DLL is involved and I know what processes the infected DLL injected into.
I don't know if each and every instance is an infected instance.
I don't know what is causing the DLL to become infected.
I guess I should determine if the DLL is necessary or terminable.
Would a memory dump of the processes involved be useful in determining the payload inside the DLL?
Thanks Pseudo for the reply,
Searching
P.S.
The processes involved:
winlogon.exe
svchost.exe
svchost.exe
svchost.exe
spoolsv.exe
FWService.exe
explorer.exe
FirewallGUI.exe
firefox.exe
siw.exe
wmiprvse.exe
wmiprvse.exe
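An added example, not code from any poster in this thread, of the baseline-and-compare approach Searching describes above (list each process's loaded DLLs, then look for changes). It assumes two captures of `tasklist /M /FO CSV` taken at different times; the captures below are constructed, and XXmsXX.dll is just the name from the thread.

```python
"""Flag DLLs that appear in processes after a baseline capture was taken.

Input is the CSV form of `tasklist /M /FO CSV` (columns: Image Name, PID,
Modules).  A module that shows up only in the later capture is a lead, not
proof: legitimate lazy loading looks the same, so confirm by hashing the
DLL on disk against a known-good copy (file_sha256 below).
"""
import csv
import hashlib
import io

# Constructed sample captures, not output from a real machine.
BASELINE_CSV = '''"Image Name","PID","Modules"
"winlogon.exe","656","ntdll.dll,kernel32.dll,user32.dll"
"explorer.exe","1420","ntdll.dll,kernel32.dll,shell32.dll"
"firefox.exe","2210","ntdll.dll,kernel32.dll,xul.dll"
'''
CURRENT_CSV = '''"Image Name","PID","Modules"
"winlogon.exe","656","ntdll.dll,kernel32.dll,user32.dll,XXmsXX.dll"
"explorer.exe","1420","ntdll.dll,kernel32.dll,shell32.dll,XXmsXX.dll"
"firefox.exe","2210","ntdll.dll,kernel32.dll,xul.dll"
'''


def parse_tasklist_csv(text):
    """Return {(image name, pid): set of lower-cased module names}."""
    result = {}
    for row in csv.DictReader(io.StringIO(text)):
        mods = row["Modules"]
        names = set() if mods == "N/A" else {
            m.strip().lower() for m in mods.split(",") if m.strip()}
        result[(row["Image Name"].lower(), int(row["PID"]))] = names
    return result


def new_modules(baseline, current):
    """Per process, modules loaded now that were absent at baseline."""
    return {proc: mods - baseline.get(proc, set())
            for proc, mods in current.items()
            if mods - baseline.get(proc, set())}


def processes_per_module(diff):
    """Invert new_modules(): {module: sorted image names it appeared in}."""
    out = {}
    for (image, _pid), mods in diff.items():
        for mod in mods:
            out.setdefault(mod, set()).add(image)
    return {mod: sorted(images) for mod, images in out.items()}


def file_sha256(path):
    """Hash a DLL on disk so its contents can be compared with a clean copy."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()
```

A module that turns up in several unrelated processes at once (here, in both winlogon.exe and explorer.exe) is the pattern worth checking first.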
Meriadoc
September 30th, 2008, 06:26 AM
Use APM (Advanced Process Manipulation) to unload the DLL injected into the process.
Memory analysis: scan or dump the memory.
Analysis sandbox or JoeBox.
SysAnalyzer
...
PROROOTECT
September 30th, 2008, 09:53 AM
ESET SysInspector.
Thanks, PROROOTECT
Fly
September 30th, 2008, 03:43 PM
-{ Quote: "What do I use to detect a dll injection of a legitimate dll that can inject into other processes?
malicious injection => XXmsXX.dll (which can already) inject => any process (winlogon.exe, explorer.exe, servicehost.exe, etc.)
Not sure if dll injection is the right term, but that is what I used.
edit: KX-Ray shows the suspect processes in gray, but would a memory dump show anything more than the legitimate dll which has the additional payload?" }-
Injection of code in a .dll file?
I remember that an older version of Kaspersky once asked me if I wanted to allow 'process X to inject code in .dll file Y'. I'm not sure if that was in the default setting though.
And figuring out if you should allow it or block it is the hard part. That's why I dropped Kaspersky at the time.
Searching_ _ _
October 2nd, 2008, 06:59 PM
Hello,
I used APM to unload the suspect DLL and it left a 1 KB tmp file.
Is this a report of some kind? How do I view the file?
Not sure about all of the uses for SysAnalyzer. Apparently it has a memory dump feature. If you have any pointers, that would be great.
Is it ok to run explorer.exe with this program, or do you have to set it up for a boot procedure?
I have used it on SIW already. I figured that is safer than mucking with Windows innards for now.
Copyright ©2002 - 2012, Wilders Security Forums