0

I try to decompile an executable which is something like key-logger, and it references these 2 dlls in which I cannot drill down:

enter image description here

Any idea/help please of where to find more information/documentation about these? I mean their api contracts.

UPDATE:

It is difficult to identify which methods of it are called, because in the decompiled code there is code like that: 

[DllImport("user32.dll", CallingConvention=CallingConvention.StdCall, CharSet=CharSet.Auto)]
public static extern int SetWindowsHookEx(int idHook, HookProc lpfn, IntPtr hInstance, int threadId);
public void Start()
{
    if (hKeyboardHook == 0)
    {
        this.KeyboardHookProcedure = new HookProc(this.KeyboardHookProc);
        hKeyboardHook = SetWindowsHookEx(13, this.KeyboardHookProcedure, Marshal.GetHINSTANCE(Assembly.GetExecutingAssembly().GetModules()[0]), 0);
        if (hKeyboardHook == 0)
        {
            this.Stop();
            throw new Exception("SetWindowsHookEx ist failed.");
        }
    }
}

Take a look at the following line: Marshal.GetHINSTANCE(Assembly.GetExecutingAssembly().GetModules()[0])

It does not have the method name explicitly...

That is why I am trying to guess

cnom
  • 123

1 Answers1

2

Both advapi32.dll and user32.dll are completely standard DLLs that come with Windows. And both export a great many functions.

In general Microsoft does not document their APIs by grouping them by DLL; rather, in the documentation for each API, the DLL that exports it will be mentioned, along with the .lib file and the .h file.

For example, see this reference for the MessageBox function (from User32), or this one for GetUserNameA from AdvApi32.

In general, User32 contains APIs that help an app create and implement the standard Windows GUI (i.e. a character-mode app, or service process, probably won't use many of these), and AdvApi32 contains "higher level" base API functions (the "lower level" being in kernel32.dll).

These DLLs do not export C# methods. They export functions callable from C/C++.

However, many C# methods will correspond, more or less directly, to these Windows APIs. In most such cases the C# method will call the corresponding C/C++ API to implement its function (after appropriate argument massaging, etc.).

If you want the complete list of what a DLL exports, I suggest you use one of several "dependency walker" tools that are available. Microsoft apparently stopped development of theirs around 2006; here is a more recent, open source alternative. If you just want to look things up, look here (but Geoff does not appear to have updated these lists since Windows 8).

Jamie Hanrahan
  • 24,326