Jump to content
Compatible Support Forums
Sign in to follow this  
saravanan_vv

How to detect the dll or exe from the address(memory) of its function?

Recommended Posts

Hi,

I need to know how i can detect a keylogger.

I've found some basic technique in doing the same.

The technique is

1.Get the image of the user32.dll

2.Disassemble the dll( traverse the user32.dll ie find the memory location of all the api in the user32.dll)

3.If the api is hooked means it will be having a jump instruction when the original api is called.

4.If this jump instruction points to a memory location outside the image of the user32.dll then the api is hooked otherwise it is not.

5.I've found the memory address of the hooked function.

 

My question how can i detect the dll or exe from the function pointer address which i got from the discrepancies i found when the api is hooked.

 

Pls provide a solution to that.

 

Regards

saravanan

Share this post


Link to post

Download Dependency Walker from here:

http://dependencywalker.com/

Quote:

Dependency Walker is a free utility that scans any 32-bit or 64-bit Windows module (exe, dll, ocx, sys, etc.) and builds a hierarchical tree diagram of all dependent modules. For each module found, it lists all the functions that are exported by that module, and which of those functions are actually being called by other modules. Another view displays the minimum set of required files, along with detailed information about each file including a full path to the file, base address, version numbers, machine type, debug information, and more.

 

Screenshot about it:

snapshot.png

 

Then open the file (user32.dll) you want with it.

 

Share this post


Link to post

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
Sign in to follow this  

×