Dependency Walker is a free utility that scans any 32-bit or 64-bit Windows module (exe, dll, ocx, sys, etc.) and builds a hierarchical tree diagram of all dependent modules. For each module found, it lists all the functions that are exported by that module, and which of those functions are actually being called by other modules. Another view displays the minimum set of required files, along with detailed information about each file including a full path to the file, base address, version numbers, machine type, debug information, and more.
sxe ld <module>   # break in the debugger when 'module' is loaded
sxe ud <module>   # break in the debugger when 'module' is unloaded
bm <module>!<name>   # set breakpoints on 'module' with name 'name'
bm *!<prefix>*       # set breakpoints on all names with prefix 'prefix'
bm <module>!*        # set breakpoints on all names in module 'module'
The bp and bm commands set software breakpoints: the debugger replaces the processor instruction at the target address with a break instruction.
cmd> WinDbg -I    # register WinDbg as the default postmortem (just-in-time) debugger
When a program crashes and WinDbg is entered, execute:
Execute in WinDbg:
or press Ctrl+S (the Symbol File Path dialog) and add:
symchk /r c:\windows\system32 /s SRV*c:\symbols\*http://msdl.microsoft.com/download/symbols
Values can be added to the registry on Windows XP with:
cmd> reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v run.bat /t REG_SZ /d "path\to\run.bat"
cmd> reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run    <-- verify what was added
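Added example (not part of the original notes): a small Python audit that parses the output of the `reg query` command above and lists Run values whose target is a script or lives in a user-writable location, which is how a defender reviews what that key contains. The sample output, the heuristic lists and the function names are constructed assumptions.

```python
import re
from collections import namedtuple

# Constructed sample of `reg query HKCU\...\Run` output (not captured from a real host).
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    run.bat    REG_SZ    C:\Users\alice\AppData\Local\Temp\run.bat
    Updater    REG_EXPAND_SZ    %TEMP%\svc.vbs
"""

# Review heuristics (hypothetical, not exhaustive): interpreted scripts and
# programs launched from user-writable locations.
SCRIPT_EXTENSIONS = (".bat", ".cmd", ".vbs", ".js", ".ps1", ".hta")
USER_WRITABLE_HINTS = ("\\temp\\", "%temp%", "\\downloads\\", "\\public\\")

RunEntry = namedtuple("RunEntry", "key name reg_type data")

def parse_reg_query(text):
    """Parse `reg query` output: a non-indented line is the key path; indented
    lines hold name, type and data separated by runs of spaces."""
    entries, current_key = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            current_key = line.strip()
            continue
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(parts) == 3 and current_key:
            entries.append(RunEntry(current_key, *parts))
    return entries

def executable_of(data):
    """Return the program a Run value launches, honouring a quoted first token."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]

def suspicious_entries(entries):
    """Names of Run values whose target is a script or lives in a user-writable path."""
    flagged = []
    for e in entries:
        exe = executable_of(e.data).lower()
        if exe.endswith(SCRIPT_EXTENSIONS) or any(h in exe for h in USER_WRITABLE_HINTS):
            flagged.append(e.name)
    return flagged
```

On a real host, feed it the text of `reg query` for both the HKCU and HKLM Run keys; an entry being flagged is a prompt to review it, not proof of anything.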
Extract content from .cab file:
cmd> expand my.cab -F:* <destination_dir>    # extract all files from the cabinet into destination_dir
The family of COM technologies includes COM+, Distributed COM (DCOM) and ActiveX® Controls.
OLE (Object Linking and Embedding) allows embedding and linking to documents and other objects.
OLE 1.0 was released in 1990 and OLE 2.0 in 1993; OLE custom controls (OCXs) were introduced in 1994.
OLE objects and containers are implemented on top of the Component Object Model.
The next release after 2.0 was introduced in 1996 and named ActiveX.
Faced with the complexity of OLE 2.0 and with poor support for COM in MFC, Microsoft rationalized the specifications to make them simpler, and rebranded the technology as ActiveX in 1996.
The Active Template Library (ATL) is a set of template-based C++ classes developed by Microsoft, intended to simplify the programming of Component Object Model (COM) objects.
MFC (Microsoft Foundation Classes) is a library that wraps portions of the Windows API in C++ classes, including functionality that enables them to use a default application framework. Classes are defined for many of the handle-managed Windows objects and also for predefined windows and common controls.
A lightweight alternative to MFC is the Windows Template Library (WTL).
WTL (Windows Template Library) is a free, object-oriented C++ template library for Win32 development.
WTL provides support for implementing various user interface elements: MDI, standard and common controls, common dialogs, property sheets and pages, GDI objects, and other common UI elements such as scrollable windows, splitter windows, toolbars and command bars.
Most of the WTL API is a mirror of the standard Win32 calls.
Prefix  | Data type
--------+--------------------------------------------------------
b       | boolean
by      | byte or unsigned char
c       | char
cx / cy | short used as size
dw      | DWORD, double word or unsigned long
fn      | function
h       | handle
i       | int (integer)
l       | Long
n       | short int
p       | a pointer variable containing the address of a variable
s       | string
sz      | ASCIIZ null-terminated string
w       | WORD unsigned int
x, y    | short used as coordinates
Prefix | Category / meaning
-------+--------------------
CS     | Class style
CW     | Create window
DT     | Draw text
IDC    | Cursor ID
IDI    | Icon ID
WM     | Window message
WS     | Window style
Data type | Meaning
----------+-------------------------------------------------------------------
FAR       | Same as far. Identifies an address that originally used the
          | segment:offset addressing schema. Now FAR simply identifies a
          | (default) 32-bit address but may be omitted entirely in many cases.
PASCAL    | Same as Pascal. The Pascal convention demanded by Windows
          | defines the order in which arguments are found in the stack when
          | passed as calling parameters.
WORD      | Unsigned integer (16 bits)
UINT      | Unsigned integer, same as WORD
DWORD     | Double word, unsigned long int (32 bits)
LONG      | Signed long integer (32 bits)
LPSTR     | Long (far) pointer to character string
NEAR      | Obsolete, previously identified an address value within a 16KB
          | memory block.