I would like to know any executable files launched or loaded by an executable fi
Question
I would like to know any executable files launched or loaded by an executable file (if possible without running it; if that is not possible, I don't want any change to the system).
For example, I have this source code compiled into an executable:
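CreateProcess("C:\\Windows\\explorer.exe", NULL, NULL, NULL, FALSE, 0, NULL, NULL, &SI, &PI); // backslashes escaped for a C string literal
hKernel32 = LoadLibrary("kernel32.dll"); // I can know this by looking in the import table
g_LoadLibrary = (pLoadLibrary)GetProcAddress(hKernel32, "LoadLibraryA"); // kernel32 exports LoadLibraryA/LoadLibraryW, not "LoadLibrary"
g_LoadLibrary("unknow.dll"); // resolved at run time, so it does not appear in the import table
ShellExecute(NULL, "open", "script.py", "", "", SW_SHOWDEFAULT);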
Here I want to know that it spawns explorer.exe, loads kernel32.dll and unknow.dll, and starts script.py. How can I do that?
Thank you!
Explanation / Answer
There is no solution by static analysis, but it's quite easy to do what you want using an API monitor like this: rohitab.com/apimonitor.
You can run the target software, place a breakpoint on the CreateProcess or ShellExecute (or anything else you like) and then either allow it to go ahead or block it.
Nice product, highly recommended for problems just like this one.
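An added example, not part of the original question or answer: a heuristic static pass that extracts ASCII and UTF-16LE string literals from a binary and keeps those that look like launched or loaded files, such as the literals in the question's snippet. It does not replace the runtime monitoring described above, because names built or decoded at run time never appear as literals; the function names, extension list and sample bytes are constructed for illustration.

```python
import re

# Extensions flagged during triage (an assumed, non-exhaustive list).
EXTENSIONS = ("exe", "dll", "py", "bat", "cmd", "ps1", "vbs", "js")

ASCII_RUN = re.compile(rb"[\x20-\x7e]{5,}")           # printable ASCII literals
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){5,}")   # wide (UTF-16LE) literals
# Path-like token ending in a flagged extension (paths with spaces are cut short).
FILE_REF = re.compile(
    r"[A-Za-z0-9_\-\\/:.]+\.(?:" + "|".join(EXTENSIONS) + r")\b", re.I
)


def extract_strings(data: bytes):
    """Yield ASCII literals first, then UTF-16LE literals, as text."""
    for m in ASCII_RUN.finditer(data):
        yield m.group().decode("ascii")
    for m in UTF16_RUN.finditer(data):
        yield m.group().decode("utf-16-le")


def referenced_files(data: bytes) -> list:
    """Return file-like names found as literals, de-duplicated, in scan order."""
    seen, found = set(), []
    for text in extract_strings(data):
        for m in FILE_REF.finditer(text):
            name = m.group()
            if name.lower() not in seen:
                seen.add(name.lower())
                found.append(name)
    return found


# Constructed sample bytes that mimic the literals a compiler would embed
# for the snippet in the question (not a real PE file).
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"C:\\Windows\\explorer.exe\x00"
    + b"kernel32.dll\x00LoadLibraryA\x00\x00\x00"
    + "unknow.dll".encode("utf-16-le") + b"\x00\x00"
    + b"open\x00script.py\x00"
)

# The same pass is blind to a name that is only decoded at run time.
OBFUSCATED = bytes(b ^ 0x5A for b in b"hidden.dll")

if __name__ == "__main__":
    for name in referenced_files(SAMPLE):
        print(name)
    print("obfuscated hits:", referenced_files(OBFUSCATED))
```

An empty result from this pass means only that no plain literal was found, so the API monitor remains the way to confirm what the program actually launches.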