Solved

Is it possible to discover if an .exe file uses the GetDesktopWindow command of Windows?

Posted on 2010-11-26
430 Views
Last Modified: 2012-05-10
I need to discover if an .exe file uses the GetDesktopWindow command of Windows.

Which hex instructions are generated when I use the GetDesktopWindow command of Windows in an .exe program?
Question by:mccoymad
2 Comments
 
LVL 3

Expert Comment

by:logic_chopper
ID: 34220039
Well, if you have Visual Studio you could simply use "Dumpbin /imports file.exe" or "Link /dump /imports file.exe". Or, if you want to see where the call is actually made in the EXE, then load the EXE into the "free" version of IDA Pro at http://www.hex-rays.com/idapro/ and then search the imports for GetDesktopWindow and double-click on the xref.
 
LVL 17

Accepted Solution

by:CSecurity (earned 500 total points)
ID: 34664592
A program may load and use that API dynamically at runtime, like:

#include <windows.h>
typedef HWND (WINAPI *func_GetDesktopWindow)(void);   /* signature of user32!GetDesktopWindow */
HMODULE test = GetModuleHandle("user32.dll");          /* user32 is normally already loaded */
func_GetDesktopWindow fGetDesktopWindow = (func_GetDesktopWindow) GetProcAddress(test, "GetDesktopWindow");

For this type, which malware mostly uses, you have to debug the program in something like OllyDbg, then set a breakpoint on the GetDesktopWindow API to see if it gets called, or you can do API hooking, etc.

Normal software will have it in the IAT (Import Address Table), so using dumpbin as logic_chopper said, or using Dependency Walker, you can look for GetDesktopWindow. Also, a non-technical method is to open the program in a hex editor and look for "GetDesktopWindow"; if it's found, you can go further.

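As an added example (not part of this thread or of either expert's answer), the following Python implements the two checks CSecurity describes: it walks the PE import directory for a static GetDesktopWindow import (what dumpbin shows) and separately scans the raw file bytes for the name, which is what catches the GetProcAddress pattern. build_sample_pe is a constructed minimal PE32 used only so the check can be run offline; the parser itself handles PE32 and PE32+ import directories.

```python
import struct

def _rva_to_offset(sections, rva):
    for vsize, va, raw_size, raw_ptr in sections:       # map RVA -> file offset via the section table
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is outside every section")

def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def imported_functions(data):
    """Yield (dll, function) for every by-name entry in the import directory (the static IAT case)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                    # e_lfanew -> "PE\0\0"
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE executable")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                                   # IMAGE_OPTIONAL_HEADER
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    imp_rva = struct.unpack_from("<I", data, opt + (112 if pe32plus else 96) + 8)[0]  # DataDirectory[1]
    if imp_rva == 0: return                                         # no imports at all
    step, fmt = (8, "<Q") if pe32plus else (4, "<I")
    desc = _rva_to_offset(sections, imp_rva)
    while True:                                                     # one IMAGE_IMPORT_DESCRIPTOR per DLL
        ilt_rva, _, _, name_rva, iat_rva = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0: break                                     # all-zero terminator
        dll = _cstr(data, _rva_to_offset(sections, name_rva))
        thunk = _rva_to_offset(sections, ilt_rva or iat_rva)
        while (entry := struct.unpack_from(fmt, data, thunk)[0]) != 0:
            if not entry >> (step * 8 - 1):                         # high bit set = import by ordinal, no name
                yield dll, _cstr(data, _rva_to_offset(sections, entry & 0x7FFFFFFF) + 2)
            thunk += step
        desc += 20

def uses_api(data, api="GetDesktopWindow"):
    """Return (in_iat, as_string): a normal static import vs. a name that may be fed to GetProcAddress."""
    return any(f == api for _, f in imported_functions(data)), api.encode() in data

def build_sample_pe(funcs, dll=b"user32.dll"):
    """Constructed test sample: a minimal PE32 whose single section holds an import table for `dll`."""
    va, raw, body, hints = 0x1000, 0x200, bytearray(), []
    for f in funcs:                                                 # IMAGE_IMPORT_BY_NAME: hint word + name
        hints.append(len(body)); body += b"\0\0" + f + b"\0"
    dll_off = len(body); body += dll + b"\0"; body += b"\0" * (-len(body) % 4)
    ilt_off = len(body); body += b"".join(struct.pack("<I", va + h) for h in hints) + b"\0" * 4
    desc_off = len(body); body += struct.pack("<IIIII", va + ilt_off, 0, 0, va + dll_off, va + ilt_off) + b"\0" * 20
    opt = struct.pack("<H", 0x10B) + b"\0" * 102 + struct.pack("<II", va + desc_off, 40) + b"\0" * 112
    hdr = b"MZ".ljust(60, b"\0") + struct.pack("<I", 64) + b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102) + opt
    hdr += b".idata".ljust(8, b"\0") + struct.pack("<IIII", len(body), va, len(body), raw) + b"\0" * 16
    return bytes(hdr.ljust(raw, b"\0") + body)
```

A string hit with no IAT entry is the dynamic-resolution pattern the answer warns about, and is the cue to confirm at runtime with a debugger breakpoint as described above.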