DLL Analysis tools

Dependency Walker

Dependency Walker is a free utility that scans any 32-bit or 64-bit Windows module (exe, dll, ocx, sys, etc.) and builds a hierarchical tree diagram of all dependent modules. For each module found, it lists all the functions that are exported by that module, and which of those functions are actually being called by other modules. Another view displays the minimum set of required files, along with detailed information about each file including a full path to the file, base address, version numbers, machine type, debug information, and more.


Tool Description as in http://www.dependencywalker.com/

Image Credit: http://www.dependencywalker.com/



Pestudio

Pestudio is used by many Computer Emergency Response Teams (CERT) worldwide in order to perform malware initial assessments. Malicious software often attempts to hide its intents in order to evade early detection and static analysis. In doing so, it often leaves suspicious patterns, unexpected metadata, anomalies and other indicators. The goal of pestudio is to spot these artifacts in order to ease and accelerate Malware Initial Assessment. The tool uses a powerful parser and a flexible set of configuration files that are used to detect various types of indicators and determine thresholds.


Tool Description as in https://www.winitor.com/

Image Credit: https://www.winitor.com/


MiTec EXE Explorer

This application is based on MiTeC Portable Executable Reader. It reads and displays executable file properties and structure. It is compatible with PE32 (Portable Executable), PE32+ (64bit), NE (Windows 3.x New Executable) and VxD (Windows 9x Virtual Device Driver) file types. .NET executables are supported too. It contains powerful Resource Viewer that is able to analyze and display all basic resource types and some extra ones as JPEG, PNG, GIF, AVI, REGISTRY. It contains excellent Type Library viewer that enumerates all objects and creates import interface unit in Object Pascal language. Every type of resource can be saved to file.


Tool Description as in http://www.mitec.cz/exe.html

Image Credit: http://www.mitec.cz/exe.html


CFF Explorer

Created by Daniel Pistelli, a freeware suite of tools including a PE editor called CFF Explorer and a process viewer. The PE editor has full support for PE32/64. Special fields description and modification (.NET supported), utilities, rebuilder, hex editor, import adder, signature scanner, signature manager, extension support, scripting, disassembler, dependency walker etc. First PE editor with support for .NET internal structures. Resource Editor (Windows Vista icons supported) capable of handling .NET manifest resources. The suite is available for x86 and x64.


Tool Description as in http://www.ntcore.com/exsuite.php

Image Credit: https://www.raymond.cc/blog/check-what-dll-or-ocx-dependency-files-is-needed-for-a-software/



AdmiralDebilitate

Although many PE editors or readers claim to support .NET applications, AdmiralDebilitate is probably the only one that can truly show the dependencies of a .NET application. It also tells you the required .NET framework version at the Assembly Details window. Do note that the program itself requires .NET Framework 3.5 to run which is not included in Windows 8.1 by default. Although the official website of AdmiralDebilitate is no longer accessible, thankfully you can still find the source code and program hosted at Collaborative RCE Tool Library.


Tool Description as in https://www.raymond.cc/blog/check-what-dll-or-ocx-dependency-files-is-needed-for-a-software/

Image Credit: https://www.raymond.cc/blog/check-what-dll-or-ocx-dependency-files-is-needed-for-a-software/



PEview

PEview is a lightweight program, being a small standalone executable around 70kb in size. For determining basic PE information, PEview gets the job done well. On the other hand, for those looking for a feature-rich PE analysis tool, PEview may disappoint, as it only provides basic information about the PE.


Tool Description as in https://blog.malwarebytes.com/threat-analysis/2014/05/five-pe-analysis-tools-worth-looking-at/

Image Credit: https://blog.malwarebytes.com/threat-analysis/2014/05/five-pe-analysis-tools-worth-looking-at/



FileAlyzer

FileAlyzer is a tool to analyze files – the name itself was initially just a typo of FileAnalyzer, but after a few days I decided to keep it. FileAlyzer allows a basic analysis of files (showing file properties and file contents in hex dump form) and is able to interpret common file contents like resources structures (like text, graphics, HTML, media and PE). Using FileAlyzer is as simple as viewing the regular properties of a file – just right-click the file you want to analyze and choose Open in FileAlyzer.


Tool Description as in https://www.safer-networking.org/products/filealyzer/

Image Credit: https://www.safer-networking.org/wp-content/uploads/2011/12/version_small1.jpg


Exeinfo PE

While performing malware analysis, I’ve found Exeinfo PE to be an invaluable tool. Exeinfo PE is a lightweight program that usually answers one of my main questions: what am I looking at? Even when the program fails to give you the exact information you may be looking for, it provides nice hints that in turn help you to streamline the process of identifying a file.


Tool Description as in https://blog.malwarebytes.com/threat-analysis/2014/05/five-pe-analysis-tools-worth-looking-at/

Image Credit: http://exeinfo.atwebpages.com/xxExeinfoPE_screens.png


Headers Info

PE Explorer lets you open, view and edit a variety of different 32-bit Windows executable file types (also called PE files) ranging from the common, such as EXE, DLL and ActiveX Controls, to the less familiar types, such as SCR (Screensavers), CPL (Control Panel Applets), SYS, MSSTYLES, BPL, DPL and more (including executable files that run on MS Windows Mobile platform).


Tool Description as in http://www.heaventools.com/overview.htm

Image Credit: http://www.heaventools.com/overview.htm


Dll Export Viewer

This utility displays the list of all exported functions and their virtual memory addresses for the specified DLL files. You can easily copy the memory address of the desired function, paste it into your debugger, and set a breakpoint for this memory address. When this function is called, the debugger will stop in the beginning of this function.


Tool Description as in http://www.nirsoft.net/utils/dll_export_viewer.html

Image Credit: http://www.nirsoft.net/utils/dll_export_viewer.html


Useful Videos

Dependency Walker

Source: James Hamilton


Source: Safer-Networking Videos

Exeinfo PE

Source: 2ClickRun Download
