How do I track down which application is injecting dbghelp into all other processes?
It appears that on a particular system, dbghelp.dll is being loaded into all processes. Since I believe this is not normal behavior, I am guessing that it is being injected by some other application. Is there a way to track down which app is doing this? The actual problem is that this injection is causing the system32\dbghelp.dll to be loaded ahead of our own installed version. This is a problem, because we need to be loading our installed version 6.7.5.0, which includes SymGetSymbolFile, a function that is not found in the older DLL. I am currently taking bets that some other app, anti-virus software, or virus is calling CreateProcessWithDll() to load dbghelp.dll into all apps at execution time. I just need some way to figure out who is doing this.
Comments (1)
Check with gflags.exe (from the WinDbg package) if there are any global flags set on that system. Some of those might result in the symbols for the process being loaded automatically, which would explain why dbghelp.dll is loaded.
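As an added illustration of the check suggested in this answer (example code, not from the original poster), the following PowerShell decodes any GlobalFlag values that gflags.exe would have written to the registry, and then lists which running processes currently have dbghelp.dll loaded and from which path. The flag table is a subset of the documented FLG_* bits; the registry paths are the standard Session Manager and Image File Execution Options keys. Run it from an elevated prompt.

```powershell
# Added example (not the answer author's code). Defender-side checks for the
# question above: (1) decode GlobalFlag settings edited by gflags.exe, (2) show
# which processes have dbghelp.dll loaded, and from where, to spot the wrong copy.

# Subset of the documented FLG_* bits (see gflags.exe /?); other bits are printed raw.
$FlgNames = [ordered]@{
    0x00000001 = 'FLG_STOP_ON_EXCEPTION'
    0x00000002 = 'FLG_SHOW_LDR_SNAPS'
    0x00000010 = 'FLG_HEAP_ENABLE_TAIL_CHECK'
    0x00000020 = 'FLG_HEAP_ENABLE_FREE_CHECK'
    0x00000040 = 'FLG_HEAP_VALIDATE_PARAMETERS'
    0x00000080 = 'FLG_HEAP_VALIDATE_ALL'
    0x00000100 = 'FLG_APPLICATION_VERIFIER'
    0x00001000 = 'FLG_USER_STACK_TRACE_DB'
    0x00010000 = 'FLG_DISABLE_STACK_EXTENSION'
    0x00040000 = 'FLG_ENABLE_KDEBUG_SYMBOL_LOAD'
    0x02000000 = 'FLG_HEAP_PAGE_ALLOCS'
}

function ConvertFrom-GlobalFlag([long]$Value) {
    # Registry DWORDs arrive as signed Int32; mask back to the unsigned 32-bit value.
    $Value = $Value -band 0xFFFFFFFF
    $unknown = $Value
    $names = foreach ($bit in $FlgNames.Keys) {
        if ($Value -band $bit) { $FlgNames[$bit]; $unknown = $unknown -band (-bnot $bit) }
    }
    if ($unknown) { $names += ('UNDECODED 0x{0:X8}' -f $unknown) }
    '0x{0:X8} = {1}' -f $Value, ($names -join ' | ')
}

function Get-GlobalFlagSettings {
    # System-wide flags, then per-image flags under Image File Execution Options.
    $sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $sys = (Get-ItemProperty -Path $sm -Name GlobalFlag -ErrorAction SilentlyContinue).GlobalFlag
    if ($sys) { [pscustomobject]@{ Scope = 'System-wide'; Flags = ConvertFrom-GlobalFlag $sys } }
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($key in Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue) {
        $v = (Get-ItemProperty -Path $key.PSPath -Name GlobalFlag -ErrorAction SilentlyContinue).GlobalFlag
        if ($v) { [pscustomobject]@{ Scope = $key.PSChildName; Flags = ConvertFrom-GlobalFlag $v } }
    }
}

function Get-DbghelpLoads {
    foreach ($p in Get-Process) {
        try {
            foreach ($mod in ($p.Modules | Where-Object { $_.ModuleName -ieq 'dbghelp.dll' })) {
                [pscustomobject]@{ PID = $p.Id; Process = $p.ProcessName
                                   Path = $mod.FileName; Version = $mod.FileVersionInfo.FileVersion }
            }
        } catch { }  # access denied or 32/64-bit mismatch for some processes; skip them
    }
}

Get-GlobalFlagSettings | Format-Table -AutoSize
Get-DbghelpLoads | Sort-Object Path, Process | Format-Table -AutoSize
```

A version column showing the system32 copy in processes that should be using 6.7.5.0 confirms the load-order problem described in the question, while a non-empty flag listing points at the gflags explanation given in the answer.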