
finding out application dependencies;


krish

May 15, 2008, 3:41:23 PM
How can I find out the dependencies of an application inside my
program/driver? Say, e.g., if I want to find out the dependencies of
iexplorer.exe inside my program? What are the APIs? I know there is a
program something called dependency walker so I assume there must be
some way of doing this.

I want to provide a GUI which lists all the programs installed on the
computer and when the user selects one of them I list all the files
(.dlls etc) on which it is dependent.

Thanks.

krish

May 15, 2008, 3:42:07 PM

David Craig

May 15, 2008, 5:46:49 PM
Process Explorer from sysinternals does this fairly well for programs that
are running.

There is a document on the Windows PE format that shows how to read an
executable's binary and look at its imports and exports. To do this
properly you will need to look at the main program and determine what it
imports. Then, you read each of those binaries to see what they import.
Total Commander has a plugin, Lister, that can do this, but it takes a long
time to do it. This technique will not find delay load imports unless there
is a table for them, but I don't know. Any library loaded via LoadLibrary
will also not appear in this dependency list since only the executable code
knows when it is going to call that function. You could determine from the
imports that an executable does use LoadLibrary but not what it is loading.


"krish" <pradee...@yahoo.com> wrote in message
news:c56bdeb4-64ae-4463...@v26g2000prm.googlegroups.com...

krish

May 15, 2008, 7:33:21 PM
Thanks David for a detailed explanation. One more question on this.
Can I determine at run time which dlls were loaded using LoadLibrary?
I mean when the LoadLibrary call is actually executed? Thanks again.

On May 15, 2:46 pm, "David Craig" <driv...@nowhere.us> wrote:
> Process Explorer from sysinternals does this fairly well for programs that
> are running.
>
> There is a document on the Windows PE format that shows how to read an
> executable's binary and look at its imports and exports. To do this
> properly you will need to look at the main program and determine what it
> imports. Then, you read each of those binaries to see what they import.
> Total Commander has a plugin, Lister, that can do this, but it takes a long
> time to do it. This technique will not find delay load imports unless there
> is a table for them, but I don't know. Any library loaded via LoadLibrary
> will also not appear in this dependency list since only the executable code
> knows when it is going to call that function. You could determine from the
> imports that an executable does use LoadLibrary but not what it is loading.
>

> "krish" <pradeep_bi...@yahoo.com> wrote in message

David Craig

May 15, 2008, 8:32:18 PM
Process Explorer as I explained earlier, if and only if the dll is loaded at
the time you look.

"krish" <pradee...@yahoo.com> wrote in message

news:95226fb8-378a-4647...@p39g2000prm.googlegroups.com...

Pavel A.

May 15, 2008, 8:54:38 PM
Just use the Dependency Walker that you've mentioned in your first post.
It can trace execution of a program, including its LoadLibrary calls.

--PA


"krish" <pradee...@yahoo.com> wrote in message

news:95226fb8-378a-4647...@p39g2000prm.googlegroups.com...

krish

May 15, 2008, 9:11:08 PM
But how will I do this programmatically? I need to do this in my
program at run time.


On May 15, 5:54 pm, "Pavel A." <pave...@NOwritemeNO.com> wrote:
> Just use the Dependency Walker that you've mentioned in your first post.
> It can trace execution of a program, including its LoadLibrary calls.
>
> --PA
>

Anand Choubey

May 16, 2008, 2:00:52 AM

you can do it easily by API hooking.

Check code project, google or MS press books for SDK, you can get
each and every thing.

Regards,
Anand Choubey


Anand Choubey

May 16, 2008, 2:01:49 AM

Check for PEviewer.exe.
It is best known tool for me.

Regards,
Anand

krish

May 16, 2008, 3:36:26 AM
Hi Anand, I did not find anything and that's why I posted here :(

As per your suggestion I searched on codeproject also but no luck. The
way you said "you can get each and everything" I'm assuming you
already have experience on this question. Can you please point me to
some code sample. Thanks a lot.

krish

May 16, 2008, 4:01:08 AM
Ok now I know what you were talking about - API hooking. But that's a
hack. I want proper windows API to do this? I'm writing a production
code not a hacking utility :-). Do you have any more suggestions.
Thanks. The only solution I know of is getting the import table from
the PE header but this does not give me the list of dlls which are
loaded using LoadLibrary () by the application. How can I do that?

Jeff Henkels

May 16, 2008, 8:02:32 AM
An approach that should work is to use a kernel-mode driver to install
PsSetLoadImageNotifyRoutine and PsSetCreateProcessNotifyRoutine callbacks;
these callbacks will be invoked when an image is loaded/unloaded or a
process is created/terminated. The kernel-mode driver can then build up its
own process/image tables itself, or pass the data back to a user-mode app
using the inverted call method, and let the user-mode app do all the real
work.

This approach avoids API hooking, which may be problematic on some
platforms.

"krish" <pradee...@yahoo.com> wrote in message

news:b42686b8-6bb7-4b07...@i36g2000prf.googlegroups.com...

krish

May 16, 2008, 6:02:16 PM
Thanks all. This has been really helpful.

What do you guys think about CreateFileMapping() and then using the
MapViewOfFile() to get the image view of the application file
(the .exe) and then getting the dll files from the PE header?

But in all the above solution I'm just able to get the dlls which have
been present in the header? How can I get the information about the
delayed load imports and the ones loaded using LoadLibrary function.


On May 16, 5:02 am, "Jeff Henkels" <j...@mapson.jeffhenkels.com>
wrote:


> An approach that should work is to use a kernel-mode driver to install
> PsSetLoadImageNotifyRoutine and PsSetCreateProcessNotifyRoutine callbacks;
> these callbacks will be invoked when an image is loaded/unloaded or a
> process is created/terminated. The kernel-mode driver can then build up its
> own process/image tables itself, or pass the data back to a user-mode app
> using the inverted call method, and let the user-mode app do all the real
> work.
>
> This approach avoids API hooking, which may be problematic on some
> platforms.
>

krish

May 16, 2008, 6:05:14 PM
Hi Jeff, Thanks for the suggestion. I think it will work really well.
I looked at the msdn doc but couldn't find it if these functions will
notify only when an image like exe (the main program of the
application) is loaded or will they notify whenever any image exe
including dlls etc are loaded. I mean will this work for all binary
images? Thanks again.


On May 16, 5:02 am, "Jeff Henkels" <j...@mapson.jeffhenkels.com>
wrote:

> An approach that should work is to use a kernel-mode driver to install
> PsSetLoadImageNotifyRoutine and PsSetCreateProcessNotifyRoutine callbacks;
> these callbacks will be invoked when an image is loaded/unloaded or a
> process is created/terminated. The kernel-mode driver can then build up its
> own process/image tables itself, or pass the data back to a user-mode app
> using the inverted call method, and let the user-mode app do all the real
> work.
>
> This approach avoids API hooking, which may be problematic on some
> platforms.
>

Maxim S. Shatskih

May 17, 2008, 4:41:06 AM
> What do you guys think about CreateFileMapping() and then using the
> MapViewOfFile() to get the image view of the application file
> (the .exe) and then getting the dll files from the PE header?

Yes, this is OK.

Do not forget SEC_IMAGE in CreateFileMapping, in this case the file will be
mapped according to section RVAs (section layout related to base address will
be as described by header and as in executable image, not as in file).

Note that CreateFileMapping/SEC_IMAGE will fail if the file is not a PE image.

Also look StackWalk function and around, possibly there are already functions
which deal with import/export tables of the PE images.

--
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
ma...@storagecraft.com
http://www.storagecraft.com
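
The import walk David Craig describes and the file-offset versus RVA distinction Maxim Shatskih raises, as an added Python example that is not code from anyone in this thread: it reads the PE file as flat bytes, so each RVA is translated through the section table (a SEC_IMAGE mapping would make that step unnecessary), and lists the DLL names in the import directory (data directory 1) and the delay-load import directory (data directory 13). `pe_imports`, `build_sample` and the sample bytes are constructed for illustration; DLLs loaded with LoadLibrary at run time appear in neither table.

```python
import struct

def pe_imports(data):
    """Return (static_dlls, delay_load_dlls) named in a PE file's on-disk bytes."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        raise ValueError("not a PE image: no MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]             # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image: no PE signature")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24                                            # optional header
    pe32 = struct.unpack_from("<H", data, opt)[0] == 0x10B   # otherwise PE32+ (0x20B)
    dirs = opt + (96 if pe32 else 112)                       # data directory array
    ndirs = struct.unpack_from("<I", data, dirs - 4)[0]      # NumberOfRvaAndSizes
    # Per section: (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    secs = [struct.unpack_from("<4I", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]

    def off(rva):  # a flat file read is laid out by raw offset, not by RVA
        for vsize, vaddr, rsize, rptr in secs:
            if vaddr <= rva < vaddr + max(vsize, rsize):
                return rptr + rva - vaddr
        raise ValueError(f"RVA {rva:#x} is outside every section")

    def walk(index, entry_size, name_field):
        rva = struct.unpack_from("<I", data, dirs + 8 * index)[0] if index < ndirs else 0
        pos, names = (off(rva) if rva else len(data)), []
        while any(data[pos:pos + entry_size]):               # all-zero entry ends the table
            name = off(struct.unpack_from("<I", data, pos + name_field)[0])
            names.append(data[name:data.index(b"\0", name)].decode("ascii", "replace"))
            pos += entry_size
        return names
    return (walk(1, 20, 12),   # directory 1: import descriptors, Name RVA at +12
            walk(13, 32, 4))   # directory 13: delay-load descriptors (RVA form assumed), name RVA at +4

def build_sample():
    """Constructed minimal PE32 for this demo: one section, RVA 0x1000 at file offset 0x200."""
    h, s = bytearray(0x200), bytearray(0x200)
    struct.pack_into("<2s58xI4s", h, 0, b"MZ", 0x40, b"PE\0\0")           # MZ, e_lfanew, signature
    struct.pack_into("<HH12xHHH", h, 0x44, 0x14C, 1, 224, 0x102, 0x10B)  # COFF header + PE32 magic
    struct.pack_into("<I8xII", h, 0xB4, 16, 0x1000, 60)   # NumberOfRvaAndSizes, directory 1 (imports)
    struct.pack_into("<II", h, 0x120, 0x1040, 64)         # directory 13 (delay imports)
    struct.pack_into("<8s4I", h, 0x138, b".rdata", 0x200, 0x1000, 0x200, 0x200)
    for o, n in ((0x80, b"KERNEL32.dll"), (0x90, b"USER32.dll"), (0xA0, b"WINHTTP.dll")):
        s[o:o + len(n)] = n
    struct.pack_into("<I16xI", s, 12, 0x1080, 0x1090)   # Name RVAs of import descriptors 0 and 1
    struct.pack_into("<II", s, 0x40, 1, 0x10A0)         # delay descriptor: Attributes=1, name RVA
    return bytes(h + s)

print(pe_imports(build_sample()))
```

On a real file, pass `open(path, "rb").read()`; the result is one level of dependencies, so the full walk means repeating the call on each DLL once its path has been resolved.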

krish

May 18, 2008, 4:59:10 AM
thanks Maxim.

>> Note that CreateFileMapping/SEC_IMAGE will fail if the file is not a PE image.

Oh...so there can be applications (exe, the main program) which do not
have PE header? What are the chances on Vista/XP? And how to get the
dependencies dlls for such non-PE images?


On May 17, 1:41 am, "Maxim S. Shatskih" <ma...@storagecraft.com>
wrote:

Anand Choubey

May 18, 2008, 6:39:41 AM
please check following link

http://69.10.233.10/KB/system/APIHookingRevisited.aspx

Regards
Anand


Jeff Henkels

May 19, 2008, 7:52:21 AM
It should work for all EXEs/DLLs. I haven't used the
PsSetLoadImageNotifyRoutine callbacks, but they should do what you want -- I
used the PsSetCreateProcessNotifyRoutine callbacks in an identity management
system a couple of years ago with no problems.


"krish" <pradee...@yahoo.com> wrote in message

news:a0811f5f-a7ec-42c0...@j33g2000pri.googlegroups.com...

krish

May 19, 2008, 2:17:35 PM
So if I understand you correctly: I should use Ps* functions to get a
callback to get a notification when an image/process is loaded/created
then should I use PE header to get the dependency dlls. Right?


On May 19, 4:52 am, "Jeff Henkels" <j...@mapson.jeffhenkels.com>
wrote:


> It should work for all EXEs/DLLs. I haven't used the
> PsSetLoadImageNotifyRoutine callbacks, but they should do what you want -- I
> used the PsSetCreateProcessNotifyRoutine callbacks in an identity management
> system a couple of years ago with no problems.
>

Jeff Henkels

May 19, 2008, 5:03:36 PM
You shouldn't need to use the PE header at all if you use the Ps* functions.
The PsSetLoadImageNotifyRoutine callback will be invoked for each EXE/DLL
loaded by a process at the time the module is loaded.

For example, when you load notepad, the callback will be hit for
notepad.exe, then for each of the modules (kernel32, user32, etc.)
implicitly linked (i.e. those mentioned in the PE header).

For delay-loaded modules or those loaded by LoadLibrary, the callback will
be hit when the load actually occurs (if it occurs at all).

By not reading the PE header, you should save a bit of time and
complication, and you'll avoid breakage when MS changes the internals of the
PE header in some future patch.


"krish" <pradee...@yahoo.com> wrote in message

news:1cf5c70d-6fb1-424b...@q27g2000prf.googlegroups.com...

krish

May 20, 2008, 4:31:20 PM
Jeff, Thanks for the clarification. Will the callback be hit even if
the dll is already loaded? e.g, kernel32 is used by so many
applications so it may already be loaded when I open notepad.exe.

On May 19, 2:03 pm, "Jeff Henkels" <j...@mapson.jeffhenkels.com>
wrote:


> You shouldn't need to use the PE header at all if you use the Ps* functions.
> The PsSetLoadImageNotifyRoutine callback will be invoked for each EXE/DLL
> loaded by a process at the time the module is loaded.
>
> For example, when you load notepad, the callback will be hit for
> notepad.exe, then for each of the modules (kernel32, user32, etc.)
> implicitly linked (i.e. those mentioned in the PE header).
>
> For delay-loaded modules or those loaded by LoadLibrary, the callback will
> be hit when the load actually occurs (if it occurs at all).
>
> By not reading the PE header, you should save a bit of time and
> complication, and you'll avoid breakage when MS changes the internals of the
> PE header in some future patch.
>

Don Burn

May 20, 2008, 4:42:20 PM
Yes it is called for each process that maps it.


--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply


"krish" <pradee...@yahoo.com> wrote in message

news:c3d0dbe9-9a14-40f6...@k10g2000prm.googlegroups.com...

krish

May 20, 2008, 4:59:22 PM
Thanks Don.

On May 20, 1:42 pm, "Don Burn" <b...@stopspam.windrvr.com> wrote:
> Yes it is called for each process that maps it.
>
> --
> Don Burn (MVP, Windows DDK)
> Windows 2k/XP/2k3 Filesystem and Driver Consulting
> Website:http://www.windrvr.com
> Blog:http://msmvps.com/blogs/WinDrvr
> Remove StopSpam to reply
>
