I'm looking for a simple way to see which files on my system are able to connect to the Internet, so I want to scan all files for "WM_SOCKET"!

If I open exe files with Notepad I see the content, but if I open exe files with my program I see only "MZ" as text.
When I open a text file I see all the text in my program, so there is no bug while reading the buffer.

Do I have to program a hex reader before I can scan for a string, or am I missing something?
Posted on 2002-01-07 08:32:07 by Cervesia
Hi !
WM_SOCKET (and the other WM_ constants as well) is an integer value and is not coded as a string in the compiled exe.

To know if a program is able to connect to the Internet, I think it is simpler, more precise and faster to analyse its import table to look for specific Internet-related APIs (winsock's ones, for example).

Some tutorials about the PE (Windows executable format) are available at Iczelion's.

Regards,
Posted on 2002-01-07 08:38:14 by JCP
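Analysing the import table the way JCP suggests, as an added example (not code from this thread): a standard-library-only Python parser that walks a PE32/PE32+ import directory, lists each DLL with the names it imports, and flags DLLs from an assumed list of networking libraries (`NETWORK_DLLS` is my assumption, not an authoritative inventory). The image that `build_sample_pe()` returns is constructed test data, not a real program; run the script with a path argument to inspect a real file. It reads only the bound import directory, so delay-load tables and libraries resolved at run time through LoadLibrary/GetProcAddress do not appear in its output.

```python
"""Minimal PE32/PE32+ import-table walker, standard library only (added example)."""
import struct
import sys

# DLLs whose presence in the import table means the program can reach the network.
# Assumed list for this example, not an authoritative inventory.
NETWORK_DLLS = {"wsock32.dll", "ws2_32.dll", "wininet.dll", "winhttp.dll", "urlmon.dll"}


def _cstr(data, off):
    """NUL-terminated ASCII string at file offset off."""
    return data[off:data.index(b"\x00", off)].decode("ascii", errors="replace")


def parse_imports(data):
    """Return {dll_name: [imported_name, ...]} from the bound import directory
    of a PE file held in memory. Raises ValueError on a non-PE buffer."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]   # SizeOfOptionalHeader
    opt = pe + 24                                           # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                      # PE32
        dd_off, thunk_fmt, thunk_len, ord_flag = 96, "<I", 4, 1 << 31
    elif magic == 0x20B:                                    # PE32+
        dd_off, thunk_fmt, thunk_len, ord_flag = 112, "<Q", 8, 1 << 63
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    # Data directory entry 1 is the import directory: (RVA, Size).
    imp_rva = struct.unpack_from("<II", data, opt + dd_off + 8)[0]
    # Section table, 40 bytes per entry: VirtualAddress, SizeOfRawData, PointerToRawData.
    sh = opt + opt_size
    sections = [struct.unpack_from("<III", data, sh + i * 40 + 12) for i in range(nsect)]

    def rva_to_off(rva):
        for va, raw_size, raw_ptr in sections:
            if va <= rva < va + raw_size:
                return raw_ptr + (rva - va)
        raise ValueError("RVA %#x not backed by any section" % rva)

    imports = {}
    if imp_rva == 0:
        return imports
    desc = rva_to_off(imp_rva)
    while True:
        # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:                                   # all-zero entry ends the table
            break
        funcs = []
        thunk = rva_to_off(oft or ft)
        while True:
            entry = struct.unpack_from(thunk_fmt, data, thunk)[0]
            if entry == 0:
                break
            if entry & ord_flag:                            # import by ordinal
                funcs.append("ordinal#%d" % (entry & 0xFFFF))
            else:                                           # IMAGE_IMPORT_BY_NAME: 2-byte hint, then name
                funcs.append(_cstr(data, rva_to_off(entry) + 2))
            thunk += thunk_len
        imports[_cstr(data, rva_to_off(name_rva))] = funcs
        desc += 20
    return imports


def network_capable(data):
    """Imported DLLs that belong to the networking set, sorted."""
    return sorted(d for d in parse_imports(data) if d.lower() in NETWORK_DLLS)


def build_sample_pe():
    """Constructed test image: a tiny, non-runnable PE32 importing WS2_32.dll!connect
    and KERNEL32.dll!LoadLibraryA. Not a real program."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                 # e_lfanew -> PE header at 0x40
    img[0x40:0x44] = b"PE\x00\x00"
    struct.pack_into("<HH", img, 0x44, 0x14C, 1)            # Machine i386, NumberOfSections 1
    struct.pack_into("<H", img, 0x54, 0xE0)                 # SizeOfOptionalHeader
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                 # PE32 magic
    struct.pack_into("<II", img, opt + 96 + 8, 0x1000, 0x3C)  # import directory RVA/size
    sh = opt + 0xE0                                         # first section header
    img[sh:sh + 8] = b".idata\x00\x00"
    struct.pack_into("<IIII", img, sh + 8, 0x200, 0x1000, 0x200, 0x200)  # VSize, VA, RawSize, RawPtr

    def put(rva, blob):                                     # RVA 0x1000 lives at file offset 0x200
        img[rva - 0xE00:rva - 0xE00 + len(blob)] = blob
    put(0x1000, struct.pack("<IIIII", 0x1040, 0, 0, 0x1060, 0x1050))  # WS2_32.dll descriptor
    put(0x1014, struct.pack("<IIIII", 0x1048, 0, 0, 0x1070, 0x1058))  # KERNEL32.dll descriptor
    for rva, target in ((0x1040, 0x1080), (0x1048, 0x1090), (0x1050, 0x1080), (0x1058, 0x1090)):
        put(rva, struct.pack("<II", target, 0))             # one-entry thunk arrays
    put(0x1060, b"WS2_32.dll\x00")
    put(0x1070, b"KERNEL32.dll\x00")
    put(0x1080, b"\x00\x00connect\x00")                     # hint + name
    put(0x1090, b"\x00\x00LoadLibraryA\x00")
    return bytes(img)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for dll, funcs in parse_imports(blob).items():
        print("NET" if dll.lower() in NETWORK_DLLS else "   ", dll, ", ".join(funcs))
```

The section table lookup is what turns the RVAs stored in the headers into file offsets; a scanner that skips that step and treats RVAs as file positions will read garbage on any real executable whose sections are not mapped 1:1.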
hm yeah, like readiosys said, it would be better to scan the import table for winsock/capi/... but this requires your knowledge of the PE header... I assume you do not have a clue what the PE header is, so you could just open the executable of your desire and do a plain text search for all the i-net libs available (wsock32/capi32/...) 'coz the import table isn't encrypted in any form... but beware... this would be 100% lame :)

btw most APIs require strings in ASCIIZ form, the "Z" is for ZERO -> NULL-TERMINATED strings... so the PE header begins with MZ followed by unprintable chars and finally by zero (somewhere), that's why Notepad is dumb and you only see "MZ" :)
Posted on 2002-01-07 08:54:19 by mob
I also forgot to say that some programs load functions using LoadLibrary + GetProcAddress...

They can do that at ANY moment...
Look at www.dependencywalker.com for concrete examples about what was said here. ;)

Regards,
Posted on 2002-01-07 09:07:11 by JCP
yup but loadlib and getprocadr need plain-text strings anyhow, so this doesn't matter if you use Boyer-Moore or whatever... we're speaking about "normal" programs, are we? so no invidious encrypting and stuff :)
Posted on 2002-01-07 09:25:47 by mob
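The plain-text search mob describes, together with JCP's and mob's point that a library name handed to LoadLibrary is a plain string too, as one added example (not code from this thread): a Python `strings`-style scanner. It shows why a viewer that treats the file as a C string stops at "MZ" plus a few header bytes (the first NUL ends it), then walks the whole file collecting printable runs and reports the ones naming a networking library. `NETWORK_LIBS` is my assumed list and `SAMPLE` is constructed bytes, not taken from a real executable; pass a file path to scan a real file.

```python
"""strings-style scan of a binary for networking library names (added example)."""
import re
import sys

# Library names whose presence as a string suggests the program can open network
# connections. Assumed list for this example, not a complete one.
NETWORK_LIBS = ("wsock32", "ws2_32", "wininet", "winhttp", "urlmon")


def notepad_view(blob):
    """What a viewer that treats the file as a C string shows: bytes up to the first NUL.
    For an executable that is "MZ" plus a couple of unprintable header bytes."""
    return blob.split(b"\x00", 1)[0]


def ascii_strings(blob, min_len=4):
    """Printable ASCII runs of at least min_len bytes, in file order, like the
    Unix strings tool. Any non-printable byte (NUL included) ends a run, so
    the scan keeps going past the header instead of stopping at the first zero."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def network_hints(blob):
    """Strings that name a networking library, matched case-insensitively.
    DLL names sit in the import table as plain text, and the name passed to
    LoadLibrary is a plain string as well, so both kinds of reference show up here."""
    return [s for s in ascii_strings(blob) if any(lib in s.lower() for lib in NETWORK_LIBS)]


# Constructed sample: a fake DOS/PE header, a bound import name, an API name and a
# library name that would be passed to LoadLibraryA at run time. Not a real program.
SAMPLE = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
          b"This program cannot be run in DOS mode.\r\n$\x00\x00\x00"
          b"KERNEL32.dll\x00WS2_32.dll\x00connect\x00LoadLibraryA\x00"
          b"GetProcAddress\x00wininet.dll\x00InternetOpenA\x00")


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print("first NUL-terminated string:", notepad_view(data))
    for hit in network_hints(data):
        print("network library referenced:", hit)
```

A hit from this scan is only a hint: the string may belong to a library the program never actually loads, and a program that builds the name at run time (mob's "invidious encrypting") will not show up at all, which is why the import-table check is the more precise one for ordinary programs.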