Monitoring which resources a Windows program accesses

Winternals' SysInternals suite offered many handy tools; the company was later acquired by Microsoft, which now publishes the suite itself:

https://docs.microsoft.com/en-us/sysinternals/

Process Monitor is enough to watch the resources a process accesses, but it produces far too much data. I later found Process Explorer more convenient: it shows the resources being accessed and also the counts of User objects and GDI objects, which is quite useful.

Tick Show Lower Pane and a pane with the process's information appears at the bottom. By default it is sorted by Type; the types include Section, File, Reg, Event and so on. Taking the devices under File as an example, sort by Name and you get the files whose names begin with \Device\. What you cannot see here is the order and number of calls.

If you want the call sequence in more detail, you need Process Monitor.

It shows every call in chronological order, so there is a great deal of repetition; Process Explorer is more concise.
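The two views described above pull in opposite directions: Process Explorer's lower pane shows the unique resources but not order or counts, while Process Monitor shows every call in order with heavy repetition. An added example (not from the original post) that gets both from one Procmon CSV export: it collapses the events of one process into unique (Operation, Path) pairs in first-seen order, counts the repeats, and lets you narrow to the \Device\ paths mentioned above. It assumes the column names of Procmon's default CSV export; the log lines are constructed, not a real capture.

```python
"""Collapse a Process Monitor CSV export into the unique resources a process touched.

Added example; it is not code from the original post. It assumes the column
names of Procmon's default CSV export ("Time of Day", "Process Name", "PID",
"Operation", "Path", "Result", "Detail"). The sample log below is constructed,
not a real capture.
"""
import csv
import io
from collections import OrderedDict

# Constructed Procmon-style CSV export (not a real capture). Backslashes are
# doubled only because this is an ordinary Python string literal.
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000001","sample.exe","4242","CreateFile","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Desired Access: Read"
"10:00:01.0000002","sample.exe","4242","RegOpenKey","HKLM\\SOFTWARE\\Vendor\\Sample","SUCCESS","Desired Access: Read"
"10:00:01.0000003","sample.exe","4242","RegQueryValue","HKLM\\SOFTWARE\\Vendor\\Sample\\Path","NAME NOT FOUND","Length: 144"
"10:00:01.0000004","sample.exe","4242","CreateFile","\\Device\\HarddiskVolume2\\Temp\\cache.bin","SUCCESS","Desired Access: Generic Write"
"10:00:01.0000005","sample.exe","4242","WriteFile","\\Device\\HarddiskVolume2\\Temp\\cache.bin","SUCCESS","Offset: 0, Length: 4,096"
"10:00:01.0000006","sample.exe","4242","WriteFile","\\Device\\HarddiskVolume2\\Temp\\cache.bin","SUCCESS","Offset: 4,096, Length: 4,096"
"10:00:01.0000007","other.exe","99","CreateFile","C:\\other.txt","SUCCESS","Desired Access: Read"
"10:00:01.0000008","sample.exe","4242","CreateFile","\\Device\\Afd","SUCCESS","Desired Access: Generic Read/Write"
"10:00:01.0000009","sample.exe","4242","RegQueryValue","HKLM\\SOFTWARE\\Vendor\\Sample\\Path","NAME NOT FOUND","Length: 144"
'''


def parse_procmon_csv(text):
    """Return one dict per event, keyed by the CSV header names."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize_access(events, process_name, path_prefix=""):
    """Collapse one process's events to unique (Operation, Path) pairs.

    Keeps first-seen order (the call sequence Process Explorer's lower pane does
    not show), counts repeats, and records every Result seen for the pair.
    path_prefix narrows the view, e.g. "\\Device\\" for device-level file access.
    """
    summary = OrderedDict()
    for ev in events:
        if ev["Process Name"] != process_name:
            continue
        if not ev["Path"].startswith(path_prefix):
            continue
        key = (ev["Operation"], ev["Path"])
        entry = summary.setdefault(
            key, {"first_seen": ev["Time of Day"], "count": 0, "results": set()}
        )
        entry["count"] += 1
        entry["results"].add(ev["Result"])
    return summary


def unresolved(summary):
    """Pairs whose lookup failed (NAME NOT FOUND): the files and keys the program
    expected but did not find, which are the entries worth reviewing when
    auditing what a program assumes about the host."""
    return [key for key, entry in summary.items() if "NAME NOT FOUND" in entry["results"]]


if __name__ == "__main__":
    events = parse_procmon_csv(SAMPLE_CSV)
    summary = summarize_access(events, "sample.exe")
    for (op, path), entry in summary.items():
        print(f"{entry['count']:4d}  {op:<14}{path}  {sorted(entry['results'])}")
    print("unresolved:", unresolved(summary))
```

Export a real capture with File > Save as CSV, replace SAMPLE_CSV with the file contents, and pass path_prefix="\\Device\\" to get the same device list the lower pane shows, now with counts and first-seen order.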

This only shows the resources accessed, not the APIs called or their parameters. To see every system API a program calls, together with the parameters, use a tool called API Monitor.

The API Filter on the left selects which modules' APIs to hook. A module contains many sub-modules, and each sub-module contains several DLLs; pick whichever APIs you care about. Because I didn't yet know which API calls I cared about, I selected all of them. After starting the 32-bit API Monitor, any other 32-bit process you launch is intercepted automatically and you are prompted whether to monitor it. I recommend choosing the program to monitor yourself with Monitor Processes in the middle pane,

and if launching it directly fails, change the Attach Using option; one of them always works.

Then you can see the order of API calls.

Note the number of calls shown in the Summary pane. That number depends on which modules are selected in the API Filter on the left; here every module was ticked, so it is large. Some modules are never used at all and some are unimportant; you have to judge that yourself. A large number of APIs is not a problem: the Summary pane has a telescope icon that opens search. Search for the data you think matters; not only API names but also API parameters are searchable, which is handy. The only drawback is the sheer volume of data.

API Monitor monitors child processes as well by default, which is convenient.

If you only want to know which DLLs and functions a program calls, you can use the dumpbin tool that ships with Visual Studio:

```
D:\Program Files (x86)\Microsoft Visual Studio 9.0\VC>dumpbin /dependents f:\acad.exe
Microsoft (R) COFF/PE Dumper Version 9.00.21022.08
Copyright (C) Microsoft Corporation. All rights reserved.

Dump of file f:\acad.exe

File Type: EXECUTABLE IMAGE

  Image has the following dependencies:

    gdiplus.dll
    MSIMG32.dll
    ac1st23.dll
    AcGe23.dll
    acdb23.dll
    acui23.dll
    adui23.dll
    anav.dll
    dswhip.dll
    heidi15.dll
    UserData.dll
    IMM32.dll
    MPR.dll
    acbol.dll
    adhostableui.dll
    WTSAPI32.dll
    AcPal.dll
    UIAutomationCore.DLL
    AcUt.dll
    ADCtrls.dll
    accore.dll
    MSVCP140.dll
    mfc140u.dll
    KERNEL32.dll
    USER32.dll
    GDI32.dll
    COMDLG32.dll
    ADVAPI32.dll
    SHELL32.dll
    COMCTL32.dll
    SHLWAPI.dll
    ole32.dll
    OLEAUT32.dll
    oledlg.dll
    CRYPT32.dll
    VCRUNTIME140.dll
    api-ms-win-crt-runtime-l1-1-0.dll
    api-ms-win-crt-math-l1-1-0.dll
    api-ms-win-crt-time-l1-1-0.dll
    api-ms-win-crt-filesystem-l1-1-0.dll
    api-ms-win-crt-string-l1-1-0.dll
    api-ms-win-crt-environment-l1-1-0.dll
    api-ms-win-crt-heap-l1-1-0.dll
    api-ms-win-crt-stdio-l1-1-0.dll
    api-ms-win-crt-convert-l1-1-0.dll
    api-ms-win-crt-utility-l1-1-0.dll
    api-ms-win-crt-locale-l1-1-0.dll
    api-ms-win-crt-process-l1-1-0.dll
    CRYPTUI.dll

  Image has the following delay load dependencies:

    ShareMFC.dll
    plotcfg15.dll
    color.dll
    AcSceneOE.dbx
    AdApplicationFrame.dll
    AdWebServicesUI.dll
    AdIntImgServices.dll
    AdImaging.dll
    AdDownloaderCore.dll
    AcDrawBridge.dll

  Summary

        1000 .acMemLo
       24000 .data
       28000 .pdata
      1D2000 .rdata
       1A000 .reloc
       3D000 .rsrc
      300000 .text
        1000 .tls
        1000 ACAD_STA
```

API Monitor shows the sequence of API calls, with far too much repetition: the total call count easily runs into the hundreds of thousands or millions. If you only want to know which APIs the program depends on, dumpbin can show that as well:

```
dumpbin /imports f:\FNPLicensingService64.exe
Microsoft (R) COFF/PE Dumper Version 9.00.21022.08
Copyright (C) Microsoft Corporation. All rights reserved.

Dump of file f:\FNPLicensingService64.exe

File Type: EXECUTABLE IMAGE

  Section contains the following imports:

    KERNEL32.dll
            1402114B0 Import Address Table
            1402EAC00 Import Name Table
                    0 time date stamp
                    0 Index of first forwarder reference

                D7 DeleteFileW
                1F1 GetFileAttributesW
                406 RemoveDirectoryW
                1EE GetFileAttributesExW
                362 MoveFileExW
                15 AreFileApisANSI
                1CD GetDateFormatA
                ...
                534 WriteFile
                2AB GetVersionExA
                208 GetLastError
                474 SetFilePointer
                3C3 ReadFile
                88 CreateFileA
                E1 DeviceIoControl
                52 CloseHandle
                29C GetTimeFormatA

    USER32.dll
            140211BB8 Import Address Table
            1402EB308 Import Name Table
                    0 time date stamp
                    0 Index of first forwarder reference

                C8 DrawIconEx
                CB DrawStateA
                211 MessageBeep
                268 ReleaseCapture
                284 SetCapture
                17F GetSystemMenu
                1FB LoadMenuW
                288 SetClassLongPtrA
                ...
                22A OpenClipboard
                189 GetUpdateRect
                FD FrameRect
                15E GetMessageTime
                1CE IsClipboardFormatAvailable

    GDI32.dll
            140211188 Import Address Table
            1402EA8D8 Import Name Table
                    0 time date stamp
                    0 Index of first forwarder reference

                20D GetStockObject
                278 SelectPalette
                1FC GetObjectType
                4B CreatePen
                54 CreateSolidBrush
                ...
                2A6 SetTextColor
                29 CreateBitmap
                31 CreateDCA
                25C RealizePalette
                1CB GetDeviceCaps
                27 CopyMetaFileA

    MSIMG32.dll
            140211AA0 Import Address Table
            1402EB1F0 Import Name Table
                    0 time date stamp
                    0 Index of first forwarder reference

                0 AlphaBlend
                3 TransparentBlt

    COMDLG32.dll
            140211178 Import Address Table
            1402EA8C8 Import Name Table
                    0 time date stamp
                    0 Index of first forwarder reference

                9 GetFileTitleA

    WINSPOOL.DRV
            1402122D0 Import Address Table
            1402EBA20 Import Name Table
                    0 time date stamp
                    0 Index of first forwarder reference

                4D DocumentPropertiesA
                8F OpenPrinterA
                1D ClosePrinter

    ADVAPI32.dll
            140211000 Import Address Table
            1402EA750 Import Name Table
                    0 time date stamp
                    0 Index of first forwarder reference

                156 GetSidLengthRequired
                26D RegQueryValueExA
                ...
                124 GetAclInformation
                176 InitializeAcl
                16 AddAce
                223 QueryServiceConfigA
                24E RegEnumKeyExA

    SHELL32.dll
            140211B30 Import Address Table
            1402EB280 Import Name Table
                    0 time date stamp
                    0 Index of first forwarder reference

                BC SHGetFileInfoA
                B6 SHGetDesktopFolder
                D5 SHGetPathFromIDListA
                DF SHGetSpecialFolderLocation
                Ordinal 680
                7A SHBrowseForFolderA
                72 SHAppBarMessage
                1D DragQueryFileA
                1B DragFinish
                11E ShellExecuteA

    COMCTL32.dll
            140211168 Import Address Table
            1402EA8B8 Import Name Table
                    0 time date stamp
                    0 Index of first forwarder reference

                64 ImageList_GetIconSize

    SHLWAPI.dll
            140211B88 Import Address Table
            1402EB2D8 Import Name Table
                    0 time date stamp
                    0 Index of first forwarder reference

                6C PathIsUNCA
                48 PathFindFileNameA
                46 PathFindExtensionA
                96 PathStripToRootA
                8B PathRemoveFileSpecW

    ole32.dll
            140212430 Import Address Table
            1402EBB80 Import Name Table
                    0 time date stamp
                    0 Index of first forwarder reference

                15D OleDestroyMenuDescriptor
                15B OleCreateMenuDescriptor
                43 CoInitializeEx
                70 CoUninitialize
                42 CoInitialize
                14 CoCreateInstance
                160 OleDuplicateData
                6B CoTaskMemAlloc
                18C ReleaseStgMedium
                17C OleTranslateAccelerator
                18D RevokeDragDrop
                4B CoLockObjectExternal
                18B RegisterDragDrop
                163 OleGetClipboard
                102 IsAccelerator
                16C OleLockRunning
                8A CreateStreamOnHGlobal
                90 DoDragDrop
                44 CoInitializeSecurity
                67 CoSetProxyBlanket
                6C CoTaskMemFree

    OLEAUT32.dll
            140211AD8 Import Address Table
            1402EB228 Import Name Table
                    0 time date stamp
                    0 Index of first forwarder reference

                Ordinal 9
                Ordinal 12
                Ordinal 4
                Ordinal 185
                Ordinal 184
                Ordinal 114
                Ordinal 8
                Ordinal 2
                Ordinal 7
                Ordinal 6

    WS2_32.dll
            1402122F0 Import Address Table
            1402EBA40 Import Name Table
                    0 time date stamp
                    0 Index of first forwarder reference

                Ordinal 111
                Ordinal 16
                Ordinal 115
                Ordinal 116
                Ordinal 9
                Ordinal 11
                Ordinal 23
                Ordinal 4
                Ordinal 3
                Ordinal 18
                Ordinal 151
                Ordinal 7
                Ordinal 10
                Ordinal 19

    OLEACC.dll
            140211AB8 Import Address Table
            1402EB208 Import Name Table
                    0 time date stamp
                    0 Index of first forwarder reference

                3 AccessibleObjectFromWindow
                4 CreateStdAccessibleObject
                14 LresultFromObject

    gdiplus.dll
            140212378 Import Address Table
            1402EBAC8 Import Name Table
                    0 time date stamp
                    0 Index of first forwarder reference

                121 GdipGetImageGraphicsContext
                2E GdipBitmapUnlockBits
                2B GdipBitmapLockBits
                50 GdipCreateBitmapFromScan0
                51 GdipCreateBitmapFromStream
                125 GdipGetImagePalette
                126 GdipGetImagePaletteSize
                127 GdipGetImagePixelFormat
                122 GdipGetImageHeight
                12C GdipGetImageWidth
                36 GdipCloneImage
                B8 GdipDrawImageRectI
                218 GdipSetInterpolationMode
                5B GdipCreateFromHDC
                274 GdiplusShutdown
                275 GdiplusStartup
                4D GdipCreateBitmapFromHBITMAP
                98 GdipDisposeImage
                90 GdipDeleteGraphics
                21 GdipAlloc
                ED GdipFree
                B0 GdipDrawImageI

    IMM32.dll
            140211490 Import Address Table
            1402EABE0 Import Name Table
                    0 time date stamp
                    0 Index of first forwarder reference

                68 ImmReleaseContext
                38 ImmGetContext
                4A ImmGetOpenStatus

    WINMM.dll
            1402122C0 Import Address Table
            1402EBA10 Import Name Table
                    0 time date stamp
                    0 Index of first forwarder reference

                7 PlaySoundA

    dhcpcsvc.DLL
            140212368 Import Address Table
            1402EBAB8 Import Name Table
                    0 time date stamp
                    0 Index of first forwarder reference

                31 DhcpRequestParams

  Summary

       2B000 .data
       1A000 .pdata
       DE000 .rdata
       18000 .reloc
        A000 .rsrc
      1F6000 .text
       1A000 .textidx
        5000 data
        2000 text
```

This lists which interfaces from which DLLs the image depends on. The order is not fixed.

If you only want to see the interfaces from one of the DLLs it depends on:

```
dumpbin /imports:kernel32.dll f:\acad.exe
```

It is best to check beforehand that the image really depends on that DLL, so that you don't assume it does and then find nothing.
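The two dumpbin listings above are plain text, so a small parser turns them into something you can query instead of scrolling. An added example (not from the original post or from dumpbin itself) that reads the layout of `dumpbin /dependents` and `dumpbin /imports` output, implements the check recommended just above (confirm the DLL is in the dependency list before asking for its imports), and flags DLLs imported purely by ordinal, as OLEAUT32.dll and WS2_32.dll are in the listing above. The two excerpts are constructed for a hypothetical f:\sample.exe from the output shown on the page; the parser operates on dumpbin's text, not on the PE file.

```python
"""Parse dumpbin /dependents and /imports text and check a DLL before querying it.

Added example, not code from the original post or from dumpbin itself. It reads
the text dumpbin prints (in the layout quoted on the page), not the PE file.
The two excerpts below are constructed for a hypothetical f:\\sample.exe.
"""
import re

# Constructed excerpt of `dumpbin /dependents f:\sample.exe` output.
DEPENDENTS_TXT = """Dump of file f:\\sample.exe

File Type: EXECUTABLE IMAGE

  Image has the following dependencies:

    KERNEL32.dll
    OLEAUT32.dll
    WS2_32.dll

  Image has the following delay load dependencies:

    color.dll

  Summary

        1000 .text
"""

# Constructed excerpt of `dumpbin /imports f:\sample.exe` output.
IMPORTS_TXT = """Dump of file f:\\sample.exe

File Type: EXECUTABLE IMAGE

  Section contains the following imports:

    KERNEL32.dll
            1402114B0 Import Address Table
            1402EAC00 Import Name Table
                    0 time date stamp
                    0 Index of first forwarder reference

                   D7 DeleteFileW
                  1F1 GetFileAttributesW
                   88 CreateFileA
                   E1 DeviceIoControl

    OLEAUT32.dll
            140211AD8 Import Address Table
            1402EB228 Import Name Table
                    0 time date stamp
                    0 Index of first forwarder reference

                      Ordinal 9
                      Ordinal 12

    WS2_32.dll
            1402122F0 Import Address Table
            1402EBA40 Import Name Table
                    0 time date stamp
                    0 Index of first forwarder reference

                      Ordinal 111
                      Ordinal 16

  Summary

       2B000 .data
"""

DLL_LINE = re.compile(r"^[\w.\-]+\.(?:dll|drv|dbx|ocx)$", re.IGNORECASE)
HINT_NAME = re.compile(r"^([0-9A-F]+)\s+(\w+)$", re.IGNORECASE)  # "<hint> <FunctionName>"
ORDINAL = re.compile(r"^Ordinal\s+\d+$")


def parse_dependents(text):
    """Return {"dependencies": [...], "delay_load": [...]} from /dependents output."""
    result = {"dependencies": [], "delay_load": []}
    bucket = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Image has the following dependencies:":
            bucket = "dependencies"
        elif line == "Image has the following delay load dependencies:":
            bucket = "delay_load"
        elif line == "Summary":
            bucket = None
        elif bucket and line:
            result[bucket].append(line)
    return result


def parse_imports(text):
    """Return {dll: [function name or "Ordinal N", ...]} from /imports output.
    The four table/timestamp/forwarder lines under each DLL have several words
    and so never match HINT_NAME; a DLL name line switches the current DLL."""
    imports, current, active = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Section contains the following imports:":
            active = True
            continue
        if line == "Summary":
            break
        if not active or not line:
            continue
        if DLL_LINE.match(line):
            current = line
            imports.setdefault(current, [])
        elif current is not None and ORDINAL.match(line):
            imports[current].append(line)
        elif current is not None:
            m = HINT_NAME.match(line)
            if m:
                imports[current].append(m.group(2))
    return imports


def depends_on(dependents, dll):
    """The cheap check recommended above: is dll in the static or delay-load list?"""
    names = dependents["dependencies"] + dependents["delay_load"]
    return dll.lower() in {n.lower() for n in names}


def imports_for(imports, dll):
    """Case-insensitive lookup of one DLL's imports; None when the image has none."""
    by_lower = {d.lower(): d for d in imports}
    name = by_lower.get(dll.lower())
    return None if name is None else imports[name]


def ordinal_only(imports):
    """DLLs imported purely by ordinal: dumpbin cannot name those functions, so
    they must be resolved against the DLL's own export table (dumpbin /exports)."""
    return [d for d, funcs in imports.items()
            if funcs and all(f.startswith("Ordinal ") for f in funcs)]


if __name__ == "__main__":
    deps = parse_dependents(DEPENDENTS_TXT)
    imps = parse_imports(IMPORTS_TXT)
    for dll in ("kernel32.dll", "user32.dll"):
        if depends_on(deps, dll):
            print(dll, "->", imports_for(imps, dll))
        else:
            print(dll, "is not a dependency; skip /imports:" + dll)
    print("ordinal-only:", ordinal_only(imps))
```

One caveat worth keeping in mind when reading either listing: dumpbin reports only the import tables written into the image at link time, so anything the program resolves at run time through LoadLibrary and GetProcAddress never appears here, which is why API Monitor is still needed to see the full set of calls.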
