Geek Answers Handbook

Determine if the caller is being called from an EXE or DLL

I need to determine the caller code coming from an exe or dll.

Dll

#ifdef DLL_EXPORTS __declspec(dllexport) void say_hello(); __declspec(dllexport) void getCurrentModuleName(); #else __declspec(dllimport) void say_hello(); __declspec(dllexport) void getCurrentModuleName(); #endif #include <cstdio> #include <windows.h> #include <Dbghelp.h> #include <iostream> #include <tchar.h> #include "dll.h" #include "Psapi.h" __declspec(naked) void *GetStackPointer() { __asm { mov eax, esp ret } } void getCurrentModuleName() { BOOL result = SymInitialize(GetCurrentProcess(), NULL , TRUE); DWORD64 dwBaseAddress = SymGetModuleBase64(GetCurrentProcess(), (DWORD64)GetStackPointer()); TCHAR szBuffer[50]; GetModuleBaseName(GetCurrentProcess(), (HMODULE) dwBaseAddress, szBuffer, sizeof(szBuffer)); std::wcout << _T("--->") << szBuffer << std::endl; } void say_hello() { getCurrentModuleName(); }

Exe

 #include <windows.h> #include <cstdio> #include "dll.h" int main() { printf ("ENTERING EXE CODE...\n"); getCurrentModuleName(); printf ("ENTERING DLL CODE...\n"); say_hello(); getchar(); }

Here is the result.

 ENTERING EXE CODE... --->exe.exe ENTERING DLL CODE... --->exe.exe

I'm sorry I can't get

 ENTERING EXE CODE... --->exe.exe ENTERING DLL CODE... --->dll.dll

Like the last caller code from the DLL itself (say_hello in the DLL)

Is there any way to achieve this?

+4
source share
5 answers

Here is the solution. The limitation is that it is capable of tracking up to 62 frames.

 // Must have in order for us to turned address into module name. SymInitialize(GetCurrentProcess(), NULL , TRUE); // Limitation of RtlCaptureStackBackTrace. const int kMaxCallers = 62; void* callers[kMaxCallers]; int count = RtlCaptureStackBackTrace(0, kMaxCallers, callers, NULL); for (int i = 0; i < count; i++) { TCHAR szBuffer[50]; DWORD64 dwBaseAddress = SymGetModuleBase64(GetCurrentProcess(), (DWORD64)callers[i]); GetModuleBaseName(GetCurrentProcess(), (HMODULE) dwBaseAddress, szBuffer, sizeof(szBuffer)); std::wcout << _T("--->") << szBuffer << std::endl; }
0
source

GetStackAddress returns an ESP value that is a reference to the stack. The stack is allocated to the thread, regardless of any modules loaded into the process. What you need to do is retrieve the value of the return address from the stack, which will be the address in the calling module.

Given that a regular prefix code in a function:

 push ebp mov ebp,esp sub esp, bytes_of_local_variables

esp will be somewhat random, but [ebp] should point to the previous ebp, and [ebp + 4] should point to the current frame return address.

So you can try the following:

 __declspec(naked) void *GetReturnAddressAssumingStandardFramePointers() { __asm { mov eax, [ebp+4] ret } }

Just make sure that the functions that are called that are not compiled with / Oy

+3
source

In this case, use the return address of the function that you can find by looking directly at the stack. The rest of the answer is still applicable.

+1
source

You get a pointer to the stack inside getCurrentModuleName() , which is in the DLL, but you need to get the return address from the stack at the beginning of getCurrentModuleName() , which shows you where getCurrentModuleName() was called getCurrentModuleName() .

0
source

Use EnumProcessModules (). For each call to GetModuleInformation (). Compare the address of the function you are executing (using the function pointer) with the lpBaseOfDll and SizeOfImage members of the MODULEINFO structure. If it falls into a range, you know what the current module is. If so, use GetModuleBaseName to get the module name.

0
source

More articles:


All Articles