Eliminating Dependency Files for Live Response Toolkit?

(@drugfish)
Active Member
Joined: 16 years ago
Posts: 13
Topic starter  

Hello.

I'm trying to make 'the ultimate response CD' from chapter 16 of 'Real Digital Forensics' (published by Addison Wesley), and now a question has arisen.

After I ran Process Monitor (the upgraded version of File Monitor, filemon.exe) to determine which DLL files are dependency files of netcat, I moved all the DLL files that netcat depends on into the netcat folder. Nevertheless, I noticed that some DLL files in the default directory (%windir%\system32) were still loaded by netcat.

Below is the result.

Process Name  PID   Operation      Path                                Result
nc.exe        2472  Process Start                                      SUCCESS
nc.exe        2472  Thread Create                                      SUCCESS
nc.exe        2472  Load Image     E:\DF Programs\nc111nt\nc.exe       SUCCESS
nc.exe        2472  Load Image     C:\WINDOWS\system32\ntdll.dll       SUCCESS
nc.exe        2472  Load Image     C:\WINDOWS\system32\kernel32.dll    SUCCESS
nc.exe        2472  Load Image     E:\DF Programs\nc111nt\ws2_32.dll   SUCCESS
nc.exe        2472  Load Image     C:\WINDOWS\system32\advapi32.dll    SUCCESS
nc.exe        2472  Load Image     C:\WINDOWS\system32\rpcrt4.dll      SUCCESS
nc.exe        2472  Load Image     C:\WINDOWS\system32\secur32.dll     SUCCESS
nc.exe        2472  Load Image     C:\WINDOWS\system32\msvcrt.dll      SUCCESS
nc.exe        2472  Load Image     E:\DF Programs\nc111nt\ws2help.dll  SUCCESS

As you can see, only 2 DLL files in E:\DF Programs\nc111nt were loaded by netcat.
Despite moving all the DLL files to the nc folder (E:\Programs\nc111nt), why are some DLL files like
ntdll.dll in the default directory still loaded?

Is it impossible to eliminate all dependencies of executable files by moving DLL files?

If not, why?

Thanks :)


(@drugfish)
Active Member
Joined: 16 years ago
Posts: 13
Topic starter  

Finally, I got the answer all by myself.

"Known-DLLs". That was the answer.

Windows Internals, 5th edition, is helpful. :)

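The trace from the question, sorted by where each image was loaded from, as an added example that is not part of the original posts. `classify_loads` is a hypothetical helper, and `SAMPLE_KNOWN_DLLS` is a constructed sample standing in for the KnownDLLs registry values of the target system.

```python
import ntpath
import re

# "Load Image" rows from the Process Monitor trace in the question (drive colons restored).
TRACE = r"""
nc.exe 2472 Load Image E:\DF Programs\nc111nt\nc.exe SUCCESS
nc.exe 2472 Load Image C:\WINDOWS\system32\ntdll.dll SUCCESS
nc.exe 2472 Load Image C:\WINDOWS\system32\kernel32.dll SUCCESS
nc.exe 2472 Load Image E:\DF Programs\nc111nt\ws2_32.dll SUCCESS
nc.exe 2472 Load Image C:\WINDOWS\system32\advapi32.dll SUCCESS
nc.exe 2472 Load Image C:\WINDOWS\system32\rpcrt4.dll SUCCESS
nc.exe 2472 Load Image C:\WINDOWS\system32\secur32.dll SUCCESS
nc.exe 2472 Load Image C:\WINDOWS\system32\msvcrt.dll SUCCESS
nc.exe 2472 Load Image E:\DF Programs\nc111nt\ws2help.dll SUCCESS
"""

# Constructed sample, NOT read from a real system: in practice use the value data of
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs on the target OS.
SAMPLE_KNOWN_DLLS = {"kernel32.dll", "advapi32.dll", "rpcrt4.dll", "msvcrt.dll"}

ROW = re.compile(r"^\S+ \d+ Load Image (?P<path>.+) SUCCESS$")


def classify_loads(trace, toolkit_dir, known_dlls):
    """Map each loaded image name to 'toolkit', 'known_dll' or 'system_other'."""
    toolkit = ntpath.normcase(toolkit_dir.rstrip("\\"))
    known = {name.lower() for name in known_dlls}
    result = {}
    for line in trace.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # skip blank lines and rows that are not successful image loads
        path = m.group("path")
        name = ntpath.basename(path).lower()
        if ntpath.normcase(ntpath.dirname(path)) == toolkit:
            result[name] = "toolkit"       # loaded from the response media
        elif name in known:
            result[name] = "known_dll"     # a copy placed beside nc.exe is ignored
        else:
            result[name] = "system_other"  # host copy used for some other reason
    return result


if __name__ == "__main__":
    loads = classify_loads(TRACE, r"E:\DF Programs\nc111nt", SAMPLE_KNOWN_DLLS)
    for name, kind in sorted(loads.items(), key=lambda kv: (kv[1], kv[0])):
        print(f"{kind:13} {name}")
```

Every image not tagged `toolkit` was read from the examined host rather than the response media, so it belongs in the examiner's notes as a file the tool touched.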