0

I use C++ to address the following task:

I'd like to get the list of all API functions, which are used by the particular process. It can be any Windows 7 process - 32 or 64 including system processes.

So far, the only solution I see - is to create a kernel driver to intercept all possible APIs, listen them for some time and check if particular process called them. It won't guarantee me full list of APIs of that process, but at least will give me some of them.

This method looks dangerous and not effective.

If there is any simpler way to deal with that task? If there is a way to get a full list of APIs of the process, not just the ones called during some time?

Thank you.

Konstantin P.
  • 11
  • 1
  • 1
  • 5

1 Answers1

3

No, it's not possible, at least in any meaningful or general sense.

I can write a program that (for example) takes interactive input from the user in the form of a string, then uses GetProcAddress to find the address of a function by that name, and invokes that function.

Note that although using interactive input to read function names is fairly unusual, reading them from some external file is quite a bit more common.

Also note that a kernel driver isn't really the correct place to look either. If you want to do this, you want to intercept at the level of the DLLs used by the program.

One possibility is to create a "shadow" DLL for every DLL to which the program links statically. Then if it calls LoadLibrary/GetProcAddress, you can dynamically intercept those calls to determine what functions it's calling in them, and so on.

This still won't get an absolute result, since it could (as outlined above) get data at runtime to find functions in one execution that it doesn't use in another.

If you want an existing tool to do (approximately) that, consider depends.exe. It's been around for quite a while, and works quite well.

Jerry Coffin
  • 476,176
  • 80
  • 629
  • 1,111