Hello,
Looking at a disk/memory image from a Win7sp1x64 host. The intent was to determine if software running on the device had the capability to monitor the end user via an integrated camera. Upon review I focused on the following:
1. Identification of the relevant hardware and drivers in the live registry and on disk
2. Identification of loaded modules/drivers and open handles
3. Identification of prefetch files
4. Analysis of 2 and 3 for references to the items identified in 1
5. Checked for API Hooks and analyzed the results
This did not net an answer to the original inquiry. I am researching MSDN (given the platform) for information around the API calls necessary for this type of access/capability. If anyone has documented the API calls or has identified such a capability in running software, please share. I will post more information here as my research on what to do next is better developed.
Thanks.
Upon review I focused on the following …
None of those seem to examine what .DLLs are referenced by the application (I'm assuming an .EXE, but I may be mistaken), and what API calls in those .DLLs are referenced.
Dependency Walker would be a useful tool for that, but locating relevant APIs beforehand is usually required to cut down later research into what all the .DLLs do. But you should at least be able to decide if it's a Win API, .NET or something else, which would help direct your search for possible API calls.
If the application is not a normal .EXE file, other techniques are required.
Added: Looks like the APIs used for scanning (TWAIN, WIA, DirectShow, etc.) can also be used for camera capture.
You might take a known and small camera capture app, and analyze what it uses as a starting point.
However … any application that can do a LoadLibrary() call (or later equivalent) can load *any* DLL, and so get access to functionality provided by that .DLL. To decide if that's going on, you obviously need dynamic examination. ('tasklist /m' might do for the simplest kind of check.) But you seem to have that covered already, to some degree.
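The 'tasklist /m' check above, as an added example that is not from this thread: a small Python triage script that parses saved `tasklist /m` output and flags processes that have a capture-capable DLL loaded. The DLL watchlist, the sample output and the process name helper.exe are my own constructions, and a loaded DLL only shows capability, not that the camera was actually used.

```python
import re

# Assumed watchlist (mine, not from the thread): DLLs behind the capture-capable APIs.
# A loaded DLL shows capability, not that the camera was used.
CAPTURE_DLLS = {
    "avicap32.dll": "VfW capture", "quartz.dll": "DirectShow", "devenum.dll": "DirectShow",
    "mf.dll": "Media Foundation", "mfreadwrite.dll": "Media Foundation",
    "twain_32.dll": "TWAIN", "twaindsm.dll": "TWAIN", "wiaaut.dll": "WIA", "wiavideo.dll": "WIA",
}

# Process line: image name, PID, comma-separated modules (wrapped onto indented lines).
_PROC_RE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<mods>.*)$")

def _split_mods(chunk):
    return [m.strip() for m in chunk.split(",") if m.strip() and m.strip() != "N/A"]

def parse_tasklist_modules(text):
    """Parse saved `tasklist /m` output into {(image, pid): [modules]} in file order."""
    procs, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue  # blank, header or separator line
        if line[0].isspace() and current is not None:
            procs[current].extend(_split_mods(line))  # wrapped module list
        elif m := _PROC_RE.match(line):
            current = (m.group("image").strip(), int(m.group("pid")))
            procs[current] = _split_mods(m.group("mods"))
    return procs

def find_capture_capable(procs):
    """Return [(image, pid, [(dll, family), ...])] for processes with a listed DLL."""
    hits = []
    for (image, pid), mods in procs.items():
        found = [(d, CAPTURE_DLLS[d.lower()]) for d in mods if d.lower() in CAPTURE_DLLS]
        if found:
            hits.append((image, pid, found))
    return hits

# Constructed sample output; helper.exe is a hypothetical process name.
SAMPLE = """\
Image Name                     PID Modules
========================= ======== ============================================
notepad.exe                   1234 ntdll.dll, kernel32.dll, KERNELBASE.dll,
                                   USER32.dll, gdi32.dll
helper.exe                    2200 ntdll.dll, kernel32.dll, avicap32.dll,
                                   msvfw32.dll, quartz.dll
"""

if __name__ == "__main__":
    for image, pid, found in find_capture_capable(parse_tasklist_modules(SAMPLE)):
        print(f"{image} (pid {pid}): {', '.join(d for d, _ in found)}")
```

Against a memory image the same matching applies to the module list produced by your memory-forensics tool instead of `tasklist /m`.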
I am researching MSDN (given the platform) for information around the API calls necessary for this type of access/capability.
Here is an idea: download programs that have this capability and compare their Win32 API calls. Also, forums like Stack Overflow may have code that does this, complete with includes/imports and DLL references.
None of those seem to examine what .DLLs are referenced by the application …
Thanks for this post.
Checking all running processes to make sure I did not miss anything with respect to WebCam monitoring.
Here is an idea: download programs that have this capability …
That's a good point as well. Thank you for posting.