It depends to what lengths you want to go doing that. Also, it depends on whether you want to statically or dynamically determine that, and whether you actually want to know if GetDesktopWindow is called or if "the program gets a handle to the desktop window" (which can be achieved in other ways as well). It's essentially a game of cat and mouse - bad actors will attempt to find new ways to circumvent your detection by jumping through some obscure hoops, you will add more sophisticated detection methods for those tricks, they will think of new tricks, and so on.

You could statically determine whether the function is imported by looking at the import directory. Research the PE file structure to find out more. This method of detection can be easily circumvented by dynamically importing the function using LoadLibrary and GetProcAddress.

You could scan the file for the string GetDesktopWindow to detect possible usage for dynamic import. This method of detection can be easily circumvented by packing, encrypting or otherwise obfuscating the name of the dynamically imported function.

You could dynamically observe whether the GetDesktopWindow function gets called by registering an AppInit_DLL or a global hook which is injected into every new process and hook the GetDesktopWindow function from inside the process by overwriting its first bytes with a jump to your own code, notifying your detection component somehow, executing the original bytes and jumping back. This method of detection can be circumvented if the target notices the hook and removes it before calling, since it's in its own process space. (You could also do some tricks with acting like a debugger and setting a hardware breakpoint on the first instruction of GetDesktopWindow, but yet again there would be ways to detect or circumvent that since the target could also modify the debug registers.) You could build a driver that does this from kernel-mode instead, but now we are getting really deep.

Note that until now we focused on the actual GetDesktopWindow function from user32.dll.
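The two static checks described in the answer (walking the PE import directory, then falling back to a raw string scan) as a worked example. This is added code, not the answer's own; it is a minimal stdlib-only PE import parser, and `build_sample_pe` only constructs tiny synthetic PE32+ images as test input (they do not run and stand in for real programs). The helper names `parse_imports`, `triage` and `build_sample_pe` are this example's own.

```python
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1          # index of the import table in the data directory array
TARGET_DLL, TARGET_FUNC = "user32.dll", "GetDesktopWindow"


def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def parse_imports(data):
    """Walk the import directory; return {dll (lower-case): [function names or 'ordinal#N']}."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                     # PE32: data directories at +96, 4-byte thunks
        dir_off, thunk_fmt, ord_flag = 96, "<I", 1 << 31
    elif magic == 0x20B:                   # PE32+: data directories at +112, 8-byte thunks
        dir_off, thunk_fmt, ord_flag = 112, "<Q", 1 << 63
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    if struct.unpack_from("<I", data, opt + dir_off - 4)[0] <= IMAGE_DIRECTORY_ENTRY_IMPORT:
        return {}                          # NumberOfRvaAndSizes too small: no import directory entry
    imp_rva = struct.unpack_from("<I", data, opt + dir_off + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)[0]
    if imp_rva == 0:
        return {}
    sections = [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)[1:] for i in range(nsec)]

    def rva_to_off(rva):                   # map an RVA onto a file offset via the section table
        for vsize, va, raw_size, raw_ptr in sections:
            if va <= rva < va + max(vsize, raw_size):
                return rva - va + raw_ptr
        raise ValueError("RVA %#x outside all sections" % rva)

    imports, off = {}, rva_to_off(imp_rva)
    while True:
        ilt, _, _, name_rva, iat = struct.unpack_from("<IIIII", data, off)
        if not (ilt or name_rva or iat):   # all-zero descriptor terminates the table
            break
        funcs, t_off = [], rva_to_off(ilt or iat)   # prefer the ILT, fall back to the IAT
        while True:
            entry = struct.unpack_from(thunk_fmt, data, t_off)[0]
            if entry == 0:
                break
            if entry & ord_flag:
                funcs.append("ordinal#%d" % (entry & 0xFFFF))
            else:                          # hint/name entry: 2-byte hint, then the ASCII name
                funcs.append(_cstring(data, rva_to_off(entry & 0x7FFFFFFF) + 2))
            t_off += struct.calcsize(thunk_fmt)
        imports[_cstring(data, rva_to_off(name_rva)).lower()] = funcs
        off += 20
    return imports


def triage(data):
    """Combine both static checks; the verdict states what each one can and cannot see."""
    static_hit = TARGET_FUNC in parse_imports(data).get(TARGET_DLL, [])
    string_hit = TARGET_FUNC.encode() in data
    if static_hit:
        verdict = "imported statically"
    elif string_hit:
        verdict = "name present but not imported: possible LoadLibrary/GetProcAddress use"
    else:
        verdict = "no static evidence (name may be obfuscated or resolved only at runtime)"
    return {"static_import": static_hit, "string_hit": string_hit, "verdict": verdict}


def build_sample_pe(imports, extra_data=b""):
    """Construct a minimal PE32+ image with the given import table (constructed test input, not a real program)."""
    SEC_VA, SEC_RAW = 0x1000, 0x200
    blob = bytearray(20 * (len(imports) + 1))          # reserve the descriptor table at the section start

    def alloc(b, align):                               # append b to the section, return its RVA
        blob.extend(b"\0" * (-len(blob) % align))
        rva = SEC_VA + len(blob)
        blob.extend(b)
        return rva

    for i, (dll, funcs) in enumerate(imports.items()):
        name_rvas = [alloc(struct.pack("<H", 0) + f.encode() + b"\0", 2) for f in funcs]
        thunks = struct.pack("<%dQ" % (len(funcs) + 1), *name_rvas, 0)
        ilt, iat = alloc(thunks, 8), alloc(thunks, 8)
        struct.pack_into("<IIIII", blob, 20 * i, ilt, 0, 0, alloc(dll.encode() + b"\0", 1), iat)
    alloc(extra_data, 16)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew at 0x3C points at 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)               # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, SEC_VA, 20 * (len(imports) + 1))
    sec = struct.pack("<8sIIIIIIHHI", b".idata", len(blob), SEC_VA, len(blob), SEC_RAW, 0, 0, 0, 0, 0xC0000040)
    hdr = dos + coff + opt + sec
    return bytes(hdr + b"\0" * (SEC_RAW - len(hdr)) + blob)


# Three constructed samples: direct import, runtime resolution with the name in the clear, obfuscated name.
SAMPLE_DIRECT = build_sample_pe({"user32.dll": ["GetDesktopWindow", "MessageBoxA"], "kernel32.dll": ["ExitProcess"]})
SAMPLE_DYNAMIC = build_sample_pe({"kernel32.dll": ["LoadLibraryA", "GetProcAddress"]}, b"user32.dll\0GetDesktopWindow\0")
SAMPLE_OBFUSCATED = build_sample_pe({"kernel32.dll": ["LoadLibraryA", "GetProcAddress"]},
                                    bytes(c ^ 0x5A for c in b"GetDesktopWindow"))

if __name__ == "__main__":
    for label, pe in ("direct", SAMPLE_DIRECT), ("dynamic", SAMPLE_DYNAMIC), ("obfuscated", SAMPLE_OBFUSCATED):
        print(label, triage(pe))
```

Running it shows the three outcomes the answer walks through: the first sample is caught by the import directory, the second only by the string scan, and the third by neither, which is exactly the point where a static check has to hand over to dynamic observation. On real binaries you would additionally want the parser to tolerate truncated headers and bound-check every offset rather than letting `struct.error` propagate.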