Spelunking - Which API Functions Are Used?

Which API Functions Are Used?

Our main goal is to analyze the Getright program and see by ourselves what functions the program is using. We don't want to harm the program, we are just curious.

Note: It's not illegal to perform this analysis. On the contrary, it's perfectly legal and Microsoft itself has published tools equivalent to Hackman Debugger in order to help debugging.

Start Hackman Debugger.
From Files menu click open.
Locate GetRight.exe and load it.
Hackman Debugger will reply (or something similar):

IN: C:\Program Files\GetRight\getright.exe opened.

And the party starts. Explore the information menu that is now enabled. We can see:

DOS HEADER: just for compatibility reasons, Windows do include a dos header. If you try to run the windows program in a DOS environment, you'll get an error that will say something similar to "This program cannot be run in MS-DOS mode." We bet that you've seen this error message a hundred times.
PE HEADER: that's the Windows Header. Some (not to say all) of these fields will make no sense to you. But try to focus on the sections (File Header\Number of Sections\*.*)
IMPORTED MODULES: What the program is using from other DLLs (here's the list of the API functions we need).
EXPORTED MODULES: Usually an executable exports nothing. But DLLs obviously export a lot of interesting functions.
DEPENDENCIES TREE: Yeah, this is useless for our example; it just gives you a tree that shows how the DLLs are connecting with each other.

PE Header Sections: If you click on Pe Header, then on File Header and on Number of sections you'll see (you have to click on each section):

Section Name	Description
.text	Here's located the executable code of the file.
.rdata	Here are all the initialized data (debug information, description strings, OLE info, etc)
.data	Also initialized data (variables)
.idata	The most useful! It contains the Import Address Table of the program!
.rsrc	Contains all the program resources (icons, menus, labels, AVIs, etc)

We know beforehand that all of these may seem nonsense. But you have to know how windows really work. If you use this function in your program:

int main()
{
GetVersion();
}

The GetVersion function belongs to Kernel32.DLL. However if you compile this program, you'll see that you program is not pointing directly to Kernel32.DLL. When it sees this instruction, it points to the equivalent address within the .idata section. So the .idata section contains all the real addresses of the functions used by your program.

Imported Modules:

Here's a list given by Hackman Debugger of the modules that GetRight imports:

WINMM.DLL - audio operations
KERNEL32.DLL -kernel operations
USER32.DLL -user libraries
GDI32.DLL -graphics environment related functions
COMDLG32.DLL -common dialog control
WINSPOOL.DRV -printing related
ADVAPI32.DLL -registry operations
SHELL32.DLL -shell operations
COMCTL32.DLL -common controls library (toolbar, imagelist, etc)
OLEDLG.DLL -OLE interface
OLE32.DLL -for OLE
OLEAUT32.DLL -for OLE automation
WSOCK32.DLL -the glorious WinSock that connects to a TCP/IP and not only!

But that's not enough; KERNEL32.DLL contains too many functions. To see what functions are imported, then you have to use the Imported Modules dialog box (in Hackman Debugger, Information|Imported modules). Here's an example of what functions are imported for COMDLG32.DLL:

GetOpenFileNameA (9)
GetSaveFileNameA (11)
GetFileTitleA (26)

Where A stands for ASCII and W for Unicode. Now, don't tell us you can't guess what the above do! That's how GetRight is using common dialog boxes!

Common questions & some answers:

Yes, but sometimes Hackman Debugger says <no name> instead of the name of the imported functions.
Yes, but i don't get any imported modules but msvbvmxx.dll.

Return