Abstract:
To study the detection of dynamic link libraries (DLLs) injected by statically modifying the import table of a portable executable (PE) file, a common detection method based on legal scope and a deep detection method based on exception backtracking are proposed. The first method calculates, from a static point of view, the range over which the data structures of all DLLs are arranged, without parsing the DLL's functions to infer whether it is malicious. The second method uses the idea of debugging to detect malicious DLLs: it controls the execution of the target program and tracks the DLL loading process during the target program's initialization phase. The debugging API is also used to capture exceptions and realize the detection. A DLL detection experiment was designed in C++: a DLL with a download function was injected into the target program, and the detection tool DLL Detector was designed and developed to detect it. The experiment successfully detects suspicious modules both in the static phase and in the program initialization phase. Both methods support 32-bit and 64-bit PE files and can be used to guard against malicious code.
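As an added illustration of the static "legal scope" idea (example code written for this page, not the paper's DLL Detector), the block below parses a constructed IMAGE_IMPORT_DESCRIPTOR table, takes the section that holds the import directory as the legal RVA range, and flags any descriptor whose name or thunk RVAs point outside that range, which is where an import entry appended by patching the import table typically lands. The section layout, RVAs and the appended third descriptor are constructed sample values, not taken from the paper.

```python
import struct

# IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain,
# Name, FirstThunk; five little-endian DWORDs, 20 bytes per entry.
DESCRIPTOR = struct.Struct("<IIIII")

def parse_import_descriptors(blob):
    """Return [(OriginalFirstThunk, Name, FirstThunk), ...] up to the all-zero terminator."""
    entries = []
    for off in range(0, len(blob) - DESCRIPTOR.size + 1, DESCRIPTOR.size):
        oft, _stamp, _fwd, name, ft = DESCRIPTOR.unpack_from(blob, off)
        if oft == 0 and name == 0 and ft == 0:
            break  # null descriptor ends the table
        entries.append((oft, name, ft))
    return entries

def legal_range(sections, import_dir_rva):
    """Legal scope (assumed heuristic): the section containing the import directory, as (lo, hi)."""
    for rva, size in sections:
        if rva <= import_dir_rva < rva + size:
            return rva, rva + size
    raise ValueError("import directory not inside any section")

def find_suspicious(entries, lo, hi):
    """Indices of descriptors whose name or thunk RVAs point outside [lo, hi)."""
    flagged = []
    for i, (oft, name, ft) in enumerate(entries):
        refs = [r for r in (oft, name, ft) if r]  # OriginalFirstThunk may legitimately be 0
        if any(not (lo <= r < hi) for r in refs):
            flagged.append(i)
    return flagged

# Constructed sample (hypothetical values): the two original imports live in
# .idata at RVA 0x2000..0x2FFF; a third descriptor was appended and points into
# a small new section at 0x6000 holding the injected DLL's name and thunks.
SECTIONS = [(0x1000, 0x1000), (0x2000, 0x1000), (0x3000, 0x1000), (0x6000, 0x200)]
IMPORT_DIR_RVA = 0x2000
SAMPLE = b"".join([
    DESCRIPTOR.pack(0x2100, 0, 0, 0x2300, 0x2400),  # original import, e.g. KERNEL32.dll
    DESCRIPTOR.pack(0x2140, 0, 0, 0x2310, 0x2440),  # original import, e.g. USER32.dll
    DESCRIPTOR.pack(0x6010, 0, 0, 0x6000, 0x6020),  # appended descriptor (out of scope)
    DESCRIPTOR.pack(0, 0, 0, 0, 0),                  # terminator
])

def scan(blob=SAMPLE, sections=SECTIONS, import_dir_rva=IMPORT_DIR_RVA):
    """Run the legal-scope check and return indices of out-of-range descriptors."""
    lo, hi = legal_range(sections, import_dir_rva)
    return find_suspicious(parse_import_descriptors(blob), lo, hi)

if __name__ == "__main__":
    print("suspicious descriptor indices:", scan())  # [2]
```

A real scanner would read the section table and the import directory RVA from the optional header of the file under test; the heuristic flags placement, not behaviour, so a flagged entry is a candidate for the dynamic check rather than a verdict on its own.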