Reversing: The Hacker's Guide to Reverse Engineering

This view immediately tells you that Key4.exe is a "lone gunner," apparently with no extra DLLs other than the system DLLs. You know this because, other than the Key4.exe module, the rest of the modules are all operating system components. This is easy to tell because they are all in the C:\WINDOWS\SYSTEM32 directory, and also because at some point you just learn to recognize the names of the popular operating system components. Of course, if you're not sure, it's always possible to just look up a binary executable's properties in Windows and obtain some details on it, such as who created it and the like. For example, if you're not sure what lpk.dll is, just go to C:\WINDOWS\SYSTEM32 and look up its properties. In the Version tab you can see its version resource information, which gives you some basic details on the executable (assuming such details were put in place by the module's author). Figure 11.4 shows the Version tab for lpk.dll from Windows XP Service Pack 2, and it is quite clearly an operating system component.

You can proceed to examine which APIs are directly called by Key4.exe by clicking View Names on Key4.exe in the Executable Modules window. This brings you to the list of functions imported and exported from Key4.exe. This screen is shown in Figure 11.5.
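The same triage the text performs by hand in the Executable Modules window and the Version tab (is each loaded module in SYSTEM32, and what does its version resource say about who built it?) can be scripted. The following is an added example, not code from the book; it assumes the target is already running as a process named Key4 and goes one step beyond the page by also checking the module's Authenticode signature.

```powershell
# Added example (not from the book). Assumes a running process named Key4.
$sysDir = Join-Path $env:SystemRoot 'System32'

function Get-ModuleTriage {
    param([string]$ProcessName = 'Key4')   # process name is an assumption
    $proc = Get-Process -Name $ProcessName -ErrorAction Stop | Select-Object -First 1
    foreach ($m in $proc.Modules) {
        # FileVersionInfo is the same data shown in Explorer's Version tab
        $vi = $m.FileVersionInfo
        [pscustomobject]@{
            Module      = $m.ModuleName
            Path        = $m.FileName
            InSystem32  = $m.FileName.StartsWith($sysDir, [System.StringComparison]::OrdinalIgnoreCase)
            Company     = $vi.CompanyName
            Description = $vi.FileDescription
            # Signature check is not in the book; it is the usual extra sanity check
            Signed      = (Get-AuthenticodeSignature -FilePath $m.FileName).Status -eq 'Valid'
        }
    }
}

# Everything that is outside System32, unsigned, or carries no company name
# is what you would look at first; for a "lone gunner" only Key4.exe remains.
Get-ModuleTriage |
    Where-Object { -not $_.InSystem32 -or -not $_.Signed -or -not $_.Company } |
    Format-Table Module, Path, Company, Signed -AutoSize
```

Run it from a PowerShell session with the same bitness as the target, since enumerating the modules of a 32-bit process from a 64-bit session (or vice versa) can fail or return an incomplete list.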

Figure 11.4 Version information for lpk.dll.

360 Chapter 11
