Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 522
  • Last Modified:

Is it possible to discover if .exe file uses the GetDesktopWindow command of the Windows?

I need to discover if one file .exe uses the GetDesktopWindow command of the Windows.

Which are the instructions hex generated when if use the GetDesktopWindow command of the Windows in program .exe?
0
mccoymad
Asked:
mccoymad
1 Solution
 
logic_chopperCommented:
Well if you have Visual Studio you could simply use "Dumpbin /imports file.exe" or "Link /dump /imports file.exe".  Or if you want to see where the call is actually made in the EXE then load the EXE into the "free" version IDAPro at http://www.hex-rays.com/idapro/ and then search the imports for GetDesktopWindow and double click on the xref.
0
 
CSecurityCommented:
May a program load and use that API dynamically in runtime like:

HMODULE test = GetModuleHandle("user32.dll");
fGetDesktopWindows = (func_GetDesktopWindow) GetProcAddress(test, "GetDesktopWindow");

For this type which mostly malwares uses, you have to debug program like in OllyDbg, then set a breakpoint in GetDesktopWindow API to see if it's getting called or you can do API Hooking, etc.

Normal softwares will have it in IAT (Import address table), so using dumpbin as logic_chopper said or using dependency walker you can look for GetDesktopWindow. Also a not technical method is open program in hex editor and look for "GetDesktopWindow", if it's found you can go further
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

The 14th Annual Expert Award Winners

The results are in! Meet the top members of our 2017 Expert Awards. Congratulations to all who qualified!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now