C:\Program Files\Thinstall.VS>dll_dump.exe
Usage:
dll_dump ADDRESS (show DLL & process which has this address loaded)
dll_dump SUBSTRING (shows DLLs loaded by Thinstall processes where name matches SUBSTRING)
dll_dump * (shows DLLs loaded by all Thinstall processes)
dll_dump -fp (show DLL full path, not just filenames)
dll_dump ADDRESS SUBSTRING (only show processes matching SUBSTRING where ADDRESS is loaded)

One of the most useful applications of dll_dump is listing all
running Thinstalled applications on a PC.

If you inspect a Thinstalled app with a process-inspection tool such
as Process Explorer, you will not see the DLLs loaded by Thinstall:
they have been virtualized, and Windows is not aware that they exist.
Likewise, if you attach a debugger to a running Thinstall process,
the debugger will not be aware of virtual DLLs. If you are
investigating code running at a specific address, you can use
dll_dump to convert that address into a virtual DLL name and base
address.

Using log monitor, you can generate a trace and convert it to text
format. Near the end of the report, you'll find a section labeled:

— Modules loaded —

This section lists all DLLs that were loaded by the application over
the course of its execution.

DLLs described as "SYSTEM_LOADED" are loaded by Windows from the host
PC; these include all the basic OS DLLs, such as kernel32.dll.

DLLs described as "MEMORY_MAPPED_ANON" are loaded by Thinstall and
completely isolated from Windows.

For Adobe Reader, you should see something like this: