Best IT Recipes

Is there any way to find all functions open by dll

I was looking for a way to get all strings that map to function names in a dll.

I mean all lines for which you can call GetProcAddress. If you are executing a hex dll dump, there are characters (strings), but I suppose I need a system call to get these names.

+50
c ++ c dll winapi
Jan 12 '09 at 23:20
source share
13 answers

It takes a little work, but you can do it programmatically using Microsoft's DbgHelp library,

Debugging applications for Microsoft.Net and Microsoft Windows by John Robbins is a great (if a little older) book that contains usage information and a complete source. And you can pick it up on Amazon for cheap!

+7
Jan 14 '09 at 16:42
source share
β€” -

If you have MS Visual Studio, there is a command line tool called DUMPBIN.

  dumpbin / exports <nameofdll>
+65
Jan 12 '09 at 23:22
source share

On Windows, there are three different types of DLLs:

  • Classic DLL files that expose every available function in a DLL export table. You can use dumpbin.exe or depend.exe from Visual Studio or a free dependent walker to learn these types. Matt Pietrek has written many articles and utilities for digging into Win32 PE files. Take a look at his classic MSDN magazine article . C ++ DLLs that contain exported classes will export each method to a class. Unfortunately, it exports the changed names, so dumpbin output is almost unreadable. You will need to use a program such as vC ++ _ filt.exe to demonstrate the output.

  • COM libraries that expose COM objects. These DLLs expose several regular exported functions (DllRegisterServer, etc.) that allow the COM system to create objects. There are many utilities that can look at these DLLs, but if they do not have built-in type libraries, they can be quite difficult to learn. 4Developers have some good COM / ActiveX tools

  • .NET DLLs that contain .NET assemblies. Usually you need to use a tool like .NET Reflector .

+29
Jan 13 '09 at 11:01
source share

There is also a DEPENDs program at http://www.dependencywalker.com/

+24
Jan 12 '09 at 23:24
source share

Try this (Linux) C code:

#include <fcntl.h> #include <stdio.h> #include <sys/mman.h> #include <sys/stat.h> #include <sys/types.h> #include <unistd.h> unsigned int vpe2offset(void * base, unsigned int vpe) { unsigned int * ptr = base; unsigned int pe_offset; unsigned short num_sections; pe_offset = ptr[0x3c/4]; //PE header offset ptr = base + pe_offset; //PE header address num_sections = ((unsigned short*)ptr)[6/2]; //Section count ptr = ((void*)base) + 0x18 + 0x60 + 16*8 + pe_offset;//Address of first section while (num_sections--) { if (vpe >= ptr[0x0c/4] && vpe < ptr[0x0c/4] + ptr[0x10/4]) { return vpe - ptr[0x0c/4] + ptr[0x14/4]; } ptr += 0x28/4; } return 0; } void iterate_exports(void * base, int(*iterator)(char*)) { unsigned int * ptr = base; unsigned int pe_offset, exports_offset, number_of_names, address_of_names; pe_offset = ptr[0x3c/4]; ptr = base + pe_offset; exports_offset = ptr[0x78/4]; ptr = base + vpe2offset(base, exports_offset); number_of_names = ptr[0x18/4]; address_of_names = ptr[0x20/4]; ptr = base + vpe2offset(base, address_of_names); while (number_of_names-- && iterator((char*)(base + vpe2offset(base, ptr++[0])))) { /* Do nothing */ } } int print_symbol_name(char * name) { printf("%s\n", name); return 1; } int main(int argc, char const *argv[]) { int fd; struct stat st; void * base; if (argc == 1) { printf("Usage: %s <dll>\n", argv[0]); } else if (stat(argv[1], &st) == 0 && (fd = open(argv[1], O_RDONLY)) >= 0) { base = mmap(NULL, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0); if (base != MAP_FAILED) { iterate_exports(base, print_symbol_name); munmap(base, st.st_size); } else { fprintf(stderr, "Could not map \"%s\".\n", argv[1]); } close(fd); } else { fprintf(stderr, "Could not open \"%s\" for reading.\n", argv[1]); } return 0; }

It refers to the links inside the PE file and finally calls the callback function for each exported character. For an overview of the PE file format, see This: http://www.openrce.org/reference_library/files/reference/PE%20Format.pdf

+11
Jun 04 2018-12-12T00:
source share

I don’t know about this WIn32 API: instead you (or one of the tools mentioned in other posts) do this by knowing the binary format of the PE file and browsing the file: see http://msdn.microsoft.com/en-us /magazine/cc301808.aspx (and the "PEDUMP" utility is mentioned in this article).

+10
Jan 12 '09 at 23:33
source share

I use dumpbinGUI , which gives you an export list (and much more) from a right-click in Windows Explorer. dumpbin and depends also provide you with lists.

+7
Jan 12 '09 at 23:25
source share

You need to check the PE header of the DLL, as Windows ultimately does.

Assuming you have a pointer to the .dll IMAGE_OPTIONAL_HEADER (you can use the dbghelp ImageNtHeader function with the .dll handle loaded via LoadLibrary , or try to find it yourself if you know the .dll layout), you need to look at optional_header->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT] , find the export table relative to the optional header with an offset in it, then look at the export table (this is a IMAGE_EXPORT_DIRECTORY ).

For funsies, a backward compatible PE image starts with IMAGE_DOS_HEADER ; the offset to IMAGE_NT_HEADER is IMAGE_DOS_HEADER::e_lfanew , and IMAGE_OPTIONAL_HEADER embedded in the NT header.

+5
Jan 13 '09 at 0:42
source share

there is a program called dll export viewer that you can use: http://www.nirsoft.net/utils/dll_export_viewer.html

+2
Jan 13 '09 at 2:28
source share

I always have to do this. I just go to one of these sites. They contain the information that we usually need.

Windows 7 DLL File Information

Windows XP DLL File Information

+1
Aug 06 '10 at
source share

I assume that you will finish parsing the PE file and do demarcation if you want to find the function names of an unknown DLL at runtime or an extremely useless system ("dumpbin"); magic.

It should be more clear to you what you want.

The BFD library does what you want (and the kitchen sink), which is the main component of several GNU binutils tools. I cannot be sure that this will fit your problem.

0
Jan 12 '09 at 23:59
source share

You do not need a tool, and you do not need to disassemble PE. Just use standard Win32 api (D)

The code (in C) has been published many times on the Adv.Win32 api ng (news: //comp.os.ms-windows.programmer.win32) (since 1992)

0
Jan 13 '09 at 6:17
source share

You can also use the linux "objdump" tool under windows, but you may have to install cygwin first.

I use the following commands:

 # feed the output to less objdump -x nameOfThe.Dll| less # or use egrep to filter objdump -x /cygdrive/c/Windows/system32/user32.dll | \ egrep "^\s*\[[ [:digit:]]{4}\] \w{1,}" | less
0
Apr 7 '17 at 18:08
source share


More articles:


All Articles