Spelunking - Which API Functions Are Used?
Our main goal is to analyze GetRight and see for ourselves what
functions the program is using. We don't want to harm the program; we are just curious.
Note: It's not illegal to perform this analysis. On the contrary, it's
perfectly legal and Microsoft itself has published tools equivalent to Hackman
Debugger in order to help debugging.
- Start Hackman Debugger.
- From Files menu click open.
- Locate GetRight.exe and load it.
- Hackman Debugger will reply (or something similar):
IN: C:\Program Files\GetRight\getright.exe opened.
And the party starts. Explore the information menu that is now enabled.
We can see (depending on your settings, you may need to manually dump the file from the Dump menu):
- DOS HEADER: just for compatibility reasons, Windows does include a DOS header. If you try to
run the Windows program in a DOS environment, you'll get an error that says something similar
to "This program cannot be run in MS-DOS mode." We bet that you've seen this error message a
hundred times.
- PE HEADER: that's the Windows header. Some (not to say all) of these fields will make no
sense to you. But try to focus on the sections (File Header\Number of Sections\*.*).
- IMPORTED MODULES: what the program is using from other DLLs (here's the list of the API
functions we need).
- EXPORTED MODULES: usually an executable exports nothing. But DLLs obviously export a lot of
interesting functions.
- DEPENDENCIES TREE: yeah, this is useless for our example; it just gives you a tree that
shows how the DLLs are connected with each other.
PE Header Sections
If you click on PE Header, then on File Header and on Number of sections you'll see
(you have to click on each section):
Section Name | Description
.text | Here's located the executable code of the file.
.rdata | Here are all the initialized data (debug information, description strings, OLE info, etc.)
.data | Also initialized data (variables)
.idata | The most useful! It contains the Import Address Table of the program!
.rsrc | Contains all the program resources (icons, menus, labels, AVIs, etc.)
We know beforehand that all of this may seem like nonsense. But you have to know how
Windows really works. If you use this function in your program:

#include <windows.h>

int main()
{
    GetVersion();   /* GetVersion is exported by Kernel32.DLL */
    return 0;
}

The GetVersion function belongs to Kernel32.DLL. However, if you compile this
program, you'll see that your program does not point directly to Kernel32.DLL.
When it reaches this call, it goes through the corresponding entry in the
.idata section. So the .idata section contains all the real addresses of the
functions used by your program.
Imported Modules:
Here's a list, given by Hackman Debugger, of the modules that GetRight imports:
- WINMM.DLL - audio operations
- KERNEL32.DLL - kernel operations
- USER32.DLL - user libraries
- GDI32.DLL - graphics environment related functions
- COMDLG32.DLL - common dialog controls
- WINSPOOL.DRV - printing related
- ADVAPI32.DLL - registry operations
- SHELL32.DLL - shell operations
- COMCTL32.DLL - common controls library (toolbar, imagelist, etc.)
- OLEDLG.DLL - OLE interface
- OLE32.DLL - for OLE
- OLEAUT32.DLL - for OLE automation
- WSOCK32.DLL - the glorious WinSock that connects to TCP/IP, and not only that!
But that's not enough; KERNEL32.DLL contains too many functions. To see which
functions are actually imported, you have to use the Imported Modules dialog box
(in Hackman Debugger, Information|Imported modules).
Here's an example of what functions are imported from COMDLG32.DLL:
- GetOpenFileNameA (9)
- GetSaveFileNameA (11)
- GetFileTitleA (26)
Where A stands for ASCII and W for Unicode. Now,
don't tell us you can't guess what the above do! That's how GetRight is using
common dialog boxes!
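As an added example (not part of the original tutorial, and not Hackman Debugger's code), the Python script below does by hand what the Information menu does for you: it follows e_lfanew from the DOS header to the PE header, reads the section table, and uses it to turn the import directory's RVAs into file offsets so it can list which functions each DLL contributes, including imports by ordinal, which carry no name in the file. The PE image it parses is a constructed toy file built inline (not GetRight); pass a real .exe path to list_imports to inspect an actual program.

```python
import struct
def _cstr(data, off):  # NUL-terminated ASCII string at a file offset
    return data[off:data.index(b"\0", off)].decode("ascii")

def _rva_to_off(sections, rva):
    """Map an RVA to a file offset; sections = [(VirtualAddress, SizeOfRawData, PointerToRawData)]."""
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)

def list_imports(data):
    """Return {dll: [function name or 'ordinal N', ...]} by walking the PE import table."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                  # DOS header e_lfanew: offset of "PE\0\0"
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)  # File Header
    opt = pe + 24                                                 # Optional Header
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    # Data directories begin at offset 96 (PE32) or 112 (PE32+); entry 1 is the import table RVA.
    imp_rva = struct.unpack_from("<I", data, opt + (112 if pe32plus else 96) + 8)[0]
    sections = [struct.unpack_from("<III", data, opt + opt_size + 40 * i + 12) for i in range(nsec)]
    fmt, width, ord_flag = ("<Q", 8, 1 << 63) if pe32plus else ("<I", 4, 1 << 31)
    imports, desc = {}, _rva_to_off(sections, imp_rva)
    while (d := struct.unpack_from("<IIIII", data, desc))[3]:     # IMAGE_IMPORT_DESCRIPTOR; Name == 0 ends the list
        names, thunk = [], _rva_to_off(sections, d[0] or d[4])   # OriginalFirstThunk (INT), else FirstThunk (IAT)
        while (entry := struct.unpack_from(fmt, data, thunk)[0]) != 0:
            if entry & ord_flag:                                  # import by ordinal: no name is stored
                names.append("ordinal %d" % (entry & 0xFFFF))
            else:                                                 # IMAGE_IMPORT_BY_NAME: 2-byte hint, then the name
                names.append(_cstr(data, _rva_to_off(sections, entry) + 2))
            thunk += width
        imports[_cstr(data, _rva_to_off(sections, d[3]))] = names
        desc += 20
    return imports

def build_sample_pe():
    """Constructed toy PE32 image (not a real program): one .idata section importing GetVersion and ordinal 9 from KERNEL32.DLL."""
    img = bytearray(0x400)
    img[:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)                                  # e_lfanew
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x102)   # File Header: i386, 1 section
    struct.pack_into("<H", img, 0x58, 0x10B)                                 # Optional Header magic: PE32
    struct.pack_into("<II", img, 0x58 + 104, 0x1000, 40)                     # import directory RVA and size
    struct.pack_into("<8sIIII", img, 0x58 + 224, b".idata", 0x200, 0x1000, 0x200, 0x200)  # RVA 0x1000 -> file 0x200
    struct.pack_into("<IIIII", img, 0x200, 0x1030, 0, 0, 0x1050, 0x1040)     # descriptor: INT, Name, IAT RVAs
    struct.pack_into("<III", img, 0x230, 0x1060, 0x80000009, 0)              # INT: by name, by ordinal 9, end
    struct.pack_into("<III", img, 0x240, 0x1060, 0x80000009, 0)              # IAT (identical to the INT on disk)
    img[0x250:0x25D], img[0x262:0x26D] = b"KERNEL32.DLL\0", b"GetVersion\0"  # hint word at 0x260 is 0
    return bytes(img)
```

Running list_imports(build_sample_pe()) yields {"KERNEL32.DLL": ["GetVersion", "ordinal 9"]}; the ordinal entry is the kind of import for which a tool has no name to show.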
Common questions & some answers:
Yes, but sometimes Hackman Debugger says <no name> instead of the name of the imported functions.
Yes, but I don't get any imported modules but msvbvmxx.dll.