Solved

Is it possible to discover if .exe file uses the GetDesktopWindow command of the Windows?

Posted on 2010-11-26
2
453 Views
Last Modified: 2012-05-10
I need to discover if one file .exe uses the GetDesktopWindow command of the Windows.

Which are the instructions hex generated when if use the GetDesktopWindow command of the Windows in program .exe?
0
Comment
Question by:mccoymad
2 Comments
 
LVL 3

Expert Comment

by:logic_chopper
ID: 34220039
Well if you have Visual Studio you could simply use "Dumpbin /imports file.exe" or "Link /dump /imports file.exe".  Or if you want to see where the call is actually made in the EXE then load the EXE into the "free" version IDAPro at http://www.hex-rays.com/idapro/ and then search the imports for GetDesktopWindow and double click on the xref.
0
 
LVL 17

Accepted Solution

by:
CSecurity earned 500 total points
ID: 34664592
May a program load and use that API dynamically in runtime like:

HMODULE test = GetModuleHandle("user32.dll");
fGetDesktopWindows = (func_GetDesktopWindow) GetProcAddress(test, "GetDesktopWindow");

For this type which mostly malwares uses, you have to debug program like in OllyDbg, then set a breakpoint in GetDesktopWindow API to see if it's getting called or you can do API Hooking, etc.

Normal softwares will have it in IAT (Import address table), so using dumpbin as logic_chopper said or using dependency walker you can look for GetDesktopWindow. Also a not technical method is open program in hex editor and look for "GetDesktopWindow", if it's found you can go further
0

Featured Post

Free Tool: Postgres Monitoring System

A PHP and Perl based system to collect and display usage statistics from PostgreSQL databases.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Convert from C to MIPS 14 1,404
find our where the exe is being aborted with abort() 11 4,528
Converting Native Code to VB or C# 9 1,447
How to join a 9V power supply cable 4 451
This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
Riverbed Technology's webinar discusses networking for the cloud era with simplified SD-WAN cloud connectivity.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
I've attached the XLSM Excel spreadsheet I used in the video and also text files containing the macros used below. https://filedb.experts-exchange.com/incoming/2017/03_w12/1151775/Permutations.txt https://filedb.experts-exchange.com/incoming/201…

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question