The ListDlls Sysinternals tool lists the DLLs that are loaded into processes on the system. It can return the DLLs for all processes or for a single process, or return the processes that contain a particular DLL. It can also flag DLLs that are rebased or unsigned. Most of this functionality is relatively easy to implement in PowerShell. The Get-Process cmdlet returns System.Diagnostics.ProcessInfo classes that contain a Modules property. The property returns the DLLs that are currently loaded into the process, along with module base information. One thing it does not contain is signing information. That can be obtained with the WinVerifyTrust Win32 function. This Stack Overflow post contains a C# implementation for accessing this particular API call.
The following advanced function accepts a process name or ID from the pipeline, a module name, and a switch that filters for unsigned binaries. The P/Invoke for verifying signed files can be found in the PInvoke.ps1 file in the PoshInternals module.
function Get-Dll
{
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline=$true)]
        [String]$ProcessName = "",
        [Parameter(ValueFromPipeline=$true)]
        [Int]$ProcessId = 0,
        [Parameter()]
        [String]$ModuleName,
        [Parameter()]
        [Switch]$Unsigned
    )

    Begin
    {
        # Accumulators shared by the Process and End blocks (function scope, not script scope)
        $Modules = @()
        $Processes = @()
    }

    Process
    {
        if (-not [String]::IsNullOrEmpty($ProcessName))
        {
            # Modules of the named process
            $Modules += Get-Process -Name $ProcessName | Select-Object -ExpandProperty Modules
        }
        elseif ($ProcessId -ne 0)
        {
            # Modules of the process with the given ID
            $Modules += Get-Process -Id $ProcessId | Select-Object -ExpandProperty Modules
        }
        elseif (-not [String]::IsNullOrEmpty($ModuleName))
        {
            # Only a module name was given: find the processes that have it loaded
            $Processes = @(Get-Process | Where-Object { ($_.Modules).ModuleName -Contains $ModuleName })
        }
        else
        {
            # No filter: modules of every process
            $Modules += Get-Process | Select-Object -ExpandProperty Modules
        }
    }

    End
    {
        if ($Processes.Length -gt 0)
        {
            $Processes
            return
        }

        if (-not [String]::IsNullOrEmpty($ModuleName))
        {
            $Modules = $Modules | Where-Object { $_.ModuleName -eq $ModuleName }
        }

        if ($Unsigned)
        {
            # Keep only modules whose file fails the WinVerifyTrust check
            $Modules = $Modules | Where-Object { -not [PoshInternals.AuthenticodeTools]::IsTrusted($_.FileName) }
        }

        $Modules
    }
}
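
An added example, not code from the original post or the PoshInternals module: the unsigned-module check done with the built-in Get-AuthenticodeSignature cmdlet in place of the WinVerifyTrust P/Invoke, reporting each loaded module whose signature status is not Valid together with its owning process and base address. The function name Get-UnverifiedModule and the output property names are assumptions made for this example.

```powershell
# Added example; Get-UnverifiedModule is a hypothetical name, not part of PoshInternals.
function Get-UnverifiedModule {
    [CmdletBinding()]
    param(
        # Processes to inspect; defaults to every process on the system
        [Parameter(ValueFromPipeline = $true)]
        [System.Diagnostics.Process[]]$Process = (Get-Process)
    )
    begin {
        # Cache by file path: the same DLL is mapped into many processes,
        # so each file is verified only once per invocation
        $statusByPath = @{}
    }
    process {
        foreach ($p in $Process) {
            try {
                # @() normalises "no modules returned" to an empty array
                $modules = @($p.Modules)
            }
            catch {
                # Protected or already-exited processes can refuse module enumeration
                Write-Verbose "Skipping $($p.ProcessName) ($($p.Id)): $($_.Exception.Message)"
                continue
            }
            foreach ($m in $modules) {
                $path = $m.FileName
                if ([String]::IsNullOrEmpty($path)) { continue }
                if (-not $statusByPath.ContainsKey($path)) {
                    $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
                    # 'Unreadable' is a label made up here for files the cmdlet could not open
                    $statusByPath[$path] = if ($sig) { $sig.Status.ToString() } else { 'Unreadable' }
                }
                if ($statusByPath[$path] -ne 'Valid') {
                    [PSCustomObject]@{
                        ProcessName = $p.ProcessName
                        ProcessId   = $p.Id
                        Module      = $m.ModuleName
                        BaseAddress = '0x{0:X}' -f $m.BaseAddress.ToInt64()
                        Status      = $statusByPath[$path]   # NotSigned, HashMismatch, NotTrusted, ...
                        Path        = $path
                    }
                }
            }
        }
    }
}
# Usage: Get-Process -Name powershell | Get-UnverifiedModule -Verbose
```

Run it from an elevated session to reduce the number of skipped processes; the Status column separates files with no signature (NotSigned) from files whose signature no longer matches their contents (HashMismatch).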








[...] PoshInternals – Get-Dll (Adam Driscoll) [...]
Great blog series, Adam!
Really love the idea of getting Sysinternals in PS without processing CSV and such…
One note here though – why not use Get-Process’es -Module switch…? It would get you “there” sooner I guess… ?
Thanks! Because I didn’t even realize that Get-Process had that switch! I will certainly update the PoshInternals module to reflect that. Much simpler!