How to inspect a DLL for information

Tags: c++, windows, dll, exe

Is there a way to inspect a single (C++ compiled) DLL file and find out what Win32 function calls it makes?

I have MyDll.dll file. I know that somewhere inside this dll, there is a piece of code that is retrieving information from the Windows Registry.

Is there a way to find out what Registry Keys the DLL is accessing?

Herno asked Oct 18 '25 15:10


2 Answers

You can access the DLL's PE Imports table to determine which Win32 API functions the DLL statically links to, but that is no guarantee that the functions are actually called in the DLL's code, and that also does not account for Win32 API functions that are loaded dynamically via GetProcAddress().

To find out which Registry keys the DLL is accessing, you can:

  1. disassemble/decompile the DLL, such as with IDA, and look at all of the places in the code where RegOpenKeyEx(), RegQueryValueEx(), and other Registry functions are being called.
  2. write an app that loads the DLL into memory and dynamically patches the Registry function import(s) so it can intercept the input parameter values.
  3. use SysInternals Process Monitor, like Ben suggested.
Remy Lebeau answered Oct 21 '25 06:10
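Added example, not code from the answer above: a standard-library Python parser that walks a PE file's import directory (the "PE Imports table" route) and filters the result for Reg* functions. Since no sample DLL is on the page, `build_sample_pe()` constructs a toy PE32 with an import table for the demonstration; point `list_imports()` at real file bytes for actual triage. As the answer warns, anything resolved through GetProcAddress() at run time will not appear here.

```python
import struct

def _rva_to_off(rva, sections):
    for vsize, va, rawsize, raw in sections:                        # (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} not backed by any section")

def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def list_imports(data):
    """Return {dll_name: [function names]} from a PE file's import directory (static imports only)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff, opt = e_lfanew + 4, e_lfanew + 24                         # COFF header, then optional header
    nsec, opt_size = struct.unpack_from("<H", data, coff + 2)[0], struct.unpack_from("<H", data, coff + 16)[0]
    tsize, tfmt = (8, "<Q") if struct.unpack_from("<H", data, opt)[0] == 0x20B else (4, "<I")  # PE32+ vs PE32
    imp_rva = struct.unpack_from("<I", data, opt + (0x70 if tsize == 8 else 0x60) + 8)[0]       # DataDirectory[1]
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8) for i in range(nsec)]
    result, off = {}, _rva_to_off(imp_rva, sections)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<5I", data, off)
        if name_rva == 0:                                           # all-zero descriptor terminates the table
            return result
        names, thunk = [], _rva_to_off(oft or ft, sections)         # prefer the unpatched OriginalFirstThunk
        while (entry := struct.unpack_from(tfmt, data, thunk)[0]) != 0:   # top bit set: import by ordinal
            names.append(f"ordinal#{entry & 0xFFFF}" if entry >> (tsize * 8 - 1)
                         else _cstr(data, _rva_to_off(entry & 0x7FFFFFFF, sections) + 2))  # skip 2-byte hint
            thunk += tsize
        result[_cstr(data, _rva_to_off(name_rva, sections))] = names
        off += 20

def registry_imports(data):
    # Reg* names the file links to statically; anything resolved via GetProcAddress at run time is invisible here.
    return sorted(f for fns in list_imports(data).values() for f in fns if f.startswith("Reg"))

def build_sample_pe():
    # Constructed test input, not a real DLL: minimal PE32, one section (RVA 0x1000 = file offset 0x200) holding an import table.
    base, blob = 0x1000, bytearray(0x28 + 12 + 12)                  # 2 descriptors, then OFT and FT arrays
    dll_rva, blob = base + len(blob), blob + b"ADVAPI32.dll\0"
    for i, fn in enumerate((b"RegOpenKeyExW", b"RegQueryValueExW")):
        rva, blob = base + len(blob), blob + b"\0\0" + fn + b"\0"   # hint + name
        struct.pack_into("<I", blob, 0x28 + 4 * i, rva); struct.pack_into("<I", blob, 0x34 + 4 * i, rva)
    struct.pack_into("<5I", blob, 0, base + 0x28, 0, 0, dll_rva, base + 0x34)
    hdr = b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0); struct.pack_into("<H", opt, 0, 0x10B); struct.pack_into("<II", opt, 0x68, base, 0x28)
    hdr += opt + b".idata\0\0" + struct.pack("<IIIIIIHHI", 0x200, base, 0x200, 0x200, 0, 0, 0, 0, 0x40000040)
    return hdr + bytes(0x200 - len(hdr)) + bytes(blob) + bytes(0x200 - len(blob))
```

Running `registry_imports(open("MyDll.dll", "rb").read())` on the real file gives the statically imported Reg* names; the key paths themselves still need the disassembler or Process Monitor route from the answer.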


You need to execute the DLL; if you do so then Sysinternals (now part of Microsoft) Process Monitor will show you all registry access made by the process, and capture the stack trace for each (which you can use to find calls made from that DLL).

Ben Voigt answered Oct 21 '25 04:10
