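'''
Report memory-region dumps (files whose name ends in "vad") that parse as PE
images.

Every file in the given directory whose name ends in "vad" is handed to
pefile; each one that parses is printed as an injected DLL and counted.

NOTE(review): "vad" presumably refers to Virtual Address Descriptor region
dumps written by a memory-acquisition tool -- confirm against the tool that
produced the directory.

Triage caveats:
  * A hit means only that the file starts with headers pefile accepts
    (fast_load=True skips the data directories).  Treat it as a candidate
    and compare it with the process's loaded-module list before concluding
    that it was injected.
  * A region whose headers are missing or overwritten does not parse and is
    not reported, so a count of zero does not clear the process.

@author: Peter Silberman
@contact: peter.silberman@mandiant.com
@organization: http://www.mandiant.com
'''
import os
import sys

try:
    import pefile
except ImportError:
    # Catch only a missing module: a bare except would also print the install
    # hint for unrelated failures raised while pefile itself is importing.
    print("Need to install pefile from http://code.google.com/p/pefile/")
    sys.exit(1)


def _parses_as_pe(full_path):
    """Return True when pefile accepts the file at full_path as a PE image.

    The dump contents are untrusted, so a parser failure on one file must
    never stop the scan.  A format rejection is the expected "not a PE"
    answer and stays silent; any other failure (unreadable file, empty file,
    parser bug) is reported on stderr so the analyst knows the file was not
    examined.
    """
    try:
        pefile.PE(full_path, fast_load=True)
    except pefile.PEFormatError:
        return False
    except Exception as err:
        # Exception rather than a bare except: Ctrl-C and sys.exit() still
        # propagate instead of being swallowed mid-scan.
        sys.stderr.write("Skipping %s: %s\n" % (full_path, err))
        return False
    return True


def main(argv):
    """Scan the directory named in argv[1] and return the process exit code.

    Returns 1 for a usage error or an unreadable directory, 0 otherwise.
    """
    if len(argv) != 2:
        print("find_injected_dll.py <directory>")
        return 1

    # Drop stray double quotes, e.g. the one left at the end when a quoted
    # path ending in a backslash is passed on a Windows command line.
    directory = argv[1].strip('"')

    try:
        names = os.listdir(directory)
    except OSError as err:
        # Also covers an empty path, which previously raised IndexError.
        sys.stderr.write("Cannot list %s: %s\n" % (directory, err))
        return 1

    injected_dll_count = 0
    for name in names:
        # Test the cheap name check first so only candidate files are parsed.
        if not name.lower().endswith("vad"):
            continue
        # os.path.join replaces the hand-appended backslash, so the script
        # also works on dump directories examined on a non-Windows host.
        if _parses_as_pe(os.path.join(directory, name)):
            print("Found injected dll %s" % name)
            injected_dll_count += 1

    print("Found %d injected dll(s)" % injected_dll_count)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))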