Hi everybody!
How can I extract function headers from a compiled DLL? I mean the function name and its full parameter list (names and types) and, of course, its return value. I need that information to use madCodeHook correctly.
Any suggestions are welcome.
[]'s
How to extract function headers from a DLL?
uses
  ImageHlp;

// Lists the names of all named exports of a DLL by walking its export
// directory through the ImageHlp API; the DLL is only mapped, never executed.
procedure ListDLLExports(const FileName: string; List: TStrings);
type
  TDWordArray = array [0..$FFFFF] of DWORD;
var
  imageinfo: LoadedImage;
  pExportDirectory: PImageExportDirectory;
  dirsize: Cardinal;
  pDummy: PImageSectionHeader;
  i: Cardinal;
  pNameRVAs: ^TDWordArray;
  Name: string;
begin
  List.Clear;
  // Map the file read-only as an image (True, True = ReadOnly, DotDll)
  if MapAndLoad(PChar(FileName), nil, @imageinfo, True, True) then
  begin
    try
      // Locate IMAGE_DIRECTORY_ENTRY_EXPORT inside the mapped image
      pExportDirectory := ImageDirectoryEntryToData(imageinfo.MappedAddress,
        False, IMAGE_DIRECTORY_ENTRY_EXPORT, dirsize);
      // Guard NumberOfNames = 0 as well: with a Cardinal loop counter,
      // 0 - 1 would wrap around and the loop would read far past the table
      if (pExportDirectory <> nil) and (pExportDirectory^.NumberOfNames > 0) then
      begin
        // AddressOfNames is an RVA; translate it to a pointer into the mapping
        pNameRVAs := ImageRvaToVa(imageinfo.FileHeader, imageinfo.MappedAddress,
          DWORD(pExportDirectory^.AddressOfNames), pDummy);
        for i := 0 to pExportDirectory^.NumberOfNames - 1 do
        begin
          // Each entry is itself the RVA of a NUL-terminated export name
          Name := PChar(ImageRvaToVa(imageinfo.FileHeader, imageinfo.MappedAddress,
            pNameRVAs^[i], pDummy));
          List.Add(Name);
        end;
      end;
    finally
      UnMapAndLoad(@imageinfo);
    end;
  end;
end;

procedure TForm1.Button1Click(Sender: TObject);
var
  List: TStrings;
  i: Integer;
  s: string;
begin
  List := TStringList.Create;
  try
    ListDLLExports('C:\WINDOWS\SYSTEM32\browseui.dll', List);
    ShowMessage(IntToStr(List.Count) + ' functions in dll');
    s := 'List of functions:';
    for i := 0 to List.Count - 1 do
      s := s + #13#10 + List[i];
    ShowMessage(s);
  finally
    List.Free;
  end;
end;
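The Delphi listing above only walks AddressOfNames, so it never shows exports that are reachable by ordinal only, and it reports a forwarded export (an entry whose address points back into the export directory, e.g. "NTDLL.RtlFoo") as if it were real code in this DLL. The following is an added example, not code from the post or from madCodeHook: it does the same export-directory walk by hand in Python on a PE image constructed in memory (the `build_sample_dll` helper and the names `Foo`, `Bar`, `Fwd`, `OTHERDLL.RealFwd` are made up for the example), translating RVAs to file offsets through the section table the way ImageRvaToVa does, and reports ordinal-only and forwarded exports as well.

```python
import struct


def build_sample_dll():
    """Constructed in-memory PE32 DLL with only an export directory: two named
    code exports, one forwarded export and one export reachable only by ordinal."""
    SEC_RVA, SEC_RAW = 0x1000, 0x200           # RVA and file offset of the only section
    blob = bytearray(40)                       # IMAGE_EXPORT_DIRECTORY goes at offset 0

    def put(data):                             # append to the section, return its RVA
        while len(blob) % 4:
            blob.append(0)
        rva = SEC_RVA + len(blob)
        blob.extend(data)
        return rva

    names = ["Bar", "Foo", "Fwd"]              # AddressOfNames entries (sample names)
    name_rvas = [put(n.encode() + b"\0") for n in names]
    fwd_rva = put(b"OTHERDLL.RealFwd\0")       # forwarder string lives inside the export section
    dll_name = put(b"SAMPLE.DLL\0")
    funcs = [0x2000, 0x2010, fwd_rva, 0x2020]  # AddressOfFunctions, ordinal base 1
    name_ordinals = [1, 0, 2]                  # Bar->funcs[1], Foo->funcs[0], Fwd->funcs[2]
    aof = put(struct.pack("<4I", *funcs))
    aon = put(struct.pack("<3I", *name_rvas))
    aono = put(struct.pack("<3H", *name_ordinals))
    struct.pack_into("<2I2H7I", blob, 0, 0, 0, 0, 0, dll_name, 1,
                     len(funcs), len(names), aof, aon, aono)

    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))                   # e_lfanew
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<II", opt, 96, SEC_RVA, len(blob))          # export data directory
    sec = struct.pack("<8sIIIIIIHHI", b".edata\0\0", len(blob), SEC_RVA,
                      len(blob), SEC_RAW, 0, 0, 0, 0, 0x40000040)
    image = dos + coff + opt + sec
    image += b"\0" * (SEC_RAW - len(image)) + blob
    return bytes(image)


def _rva_to_offset(sections, rva):
    """Map an RVA to a file offset through the section table (what ImageRvaToVa does)."""
    for va, vsize, raw, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def list_exports(image):
    """Return [{ordinal, name, rva, forwarder}] for every export of a PE32/PE32+ file."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, = struct.unpack_from("<H", image, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", image, e_lfanew + 20)
    opt_off = e_lfanew + 24
    magic, = struct.unpack_from("<H", image, opt_off)
    dd_off = opt_off + (96 if magic == 0x10B else 112)            # PE32 vs PE32+ layout
    exp_rva, exp_size = struct.unpack_from("<II", image, dd_off)  # IMAGE_DIRECTORY_ENTRY_EXPORT
    if exp_rva == 0:
        return []
    sections = []
    for i in range(nsec):
        _, vsize, va, rawsize, raw = struct.unpack_from("<8sIIII", image, opt_off + opt_size + 40 * i)
        sections.append((va, vsize, raw, rawsize))
    exp = struct.unpack_from("<2I2H7I", image, _rva_to_offset(sections, exp_rva))
    base, nfuncs, nnames, aof, aon, aono = exp[5:]
    funcs = struct.unpack_from(f"<{nfuncs}I", image, _rva_to_offset(sections, aof)) if nfuncs else ()
    name_rvas = struct.unpack_from(f"<{nnames}I", image, _rva_to_offset(sections, aon)) if nnames else ()
    ordinals = struct.unpack_from(f"<{nnames}H", image, _rva_to_offset(sections, aono)) if nnames else ()
    # AddressOfNameOrdinals maps each name to an index into AddressOfFunctions,
    # so exports without a name (ordinal-only) never appear in the name table.
    names = {idx: _cstr(image, _rva_to_offset(sections, nr)) for nr, idx in zip(name_rvas, ordinals)}
    exports = []
    for idx, rva in enumerate(funcs):
        if rva == 0:
            continue                                              # unused slot in the table
        entry = {"ordinal": base + idx, "name": names.get(idx), "rva": rva, "forwarder": None}
        if exp_rva <= rva < exp_rva + exp_size:
            # An address inside the export directory is a forwarder string ("DLL.Symbol")
            entry["rva"], entry["forwarder"] = None, _cstr(image, _rva_to_offset(sections, rva))
        exports.append(entry)
    return exports


if __name__ == "__main__":
    for e in list_exports(build_sample_dll()):
        print(e)
```

To run it on a real file replace `build_sample_dll()` with `open(path, "rb").read()`; nothing in the file is executed, which matters when the DLL being inspected is untrusted. Like the Delphi code, this recovers only names, ordinals and entry addresses: the export directory carries no parameter or return-type information at all.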
if it's a stdcall function you can look at the RET value
ret 0, ret 4, ret 8 ...
this value div 4 is the count of parameters
you can't get the complete header (for example pchar, pwidechar etc.)
but each parameter and the return value is 4 bytes long (dword)
example:
kernel.FormatMessageA
7C825F62 > 8BFF MOV EDI,EDI
7C825F64 55 PUSH EBP
7C825F65 8BEC MOV EBP,ESP
7C825F67 83EC 14 SUB ESP,14
7C825F6A 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
7C825F6D 53 PUSH EBX
7C825F6E 8B5D 08 MOV EBX,DWORD PTR SS:[EBP+8]
7C825F71 F6C7 04 TEST BH,4
7C825F74 0F85 40AA0100 JNZ kernel32.7C8409BA
7C825F7A 56 PUSH ESI
7C825F7B 8B75 18 MOV ESI,DWORD PTR SS:[EBP+18]
7C825F7E 895D 08 MOV DWORD PTR SS:[EBP+8],EBX
7C825F81 8165 08 00010000 AND DWORD PTR SS:[EBP+8],100
7C825F88 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
7C825F8B 57 PUSH EDI
7C825F8C 74 4E JE SHORT kernel32.7C825FDC
7C825F8E 8BFE MOV EDI,ESI
7C825F90 85FF TEST EDI,EDI
7C825F92 0F84 72AA0100 JE kernel32.7C840A0A
7C825F98 FF75 20 PUSH DWORD PTR SS:[EBP+20]
7C825F9B FF75 1C PUSH DWORD PTR SS:[EBP+1C]
7C825F9E 57 PUSH EDI
7C825F9F FF75 14 PUSH DWORD PTR SS:[EBP+14]
7C825FA2 FF75 10 PUSH DWORD PTR SS:[EBP+10]
7C825FA5 FF75 FC PUSH DWORD PTR SS:[EBP-4]
7C825FA8 53 PUSH EBX
7C825FA9 6A 01 PUSH 1
7C825FAB E8 E42E0000 CALL kernel32.7C828E94
7C825FB0 8BD8 MOV EBX,EAX
7C825FB2 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
7C825FB5 3945 FC CMP DWORD PTR SS:[EBP-4],EAX
7C825FB8 0F85 5DAA0100 JNZ kernel32.7C840A1B
7C825FBE 33C9 XOR ECX,ECX
7C825FC0 3BD9 CMP EBX,ECX
7C825FC2 75 3A JNZ SHORT kernel32.7C825FFE
7C825FC4 394D 08 CMP DWORD PTR SS:[EBP+8],ECX
7C825FC7 74 02 JE SHORT kernel32.7C825FCB
7C825FC9 33FF XOR EDI,EDI
7C825FCB 3BF9 CMP EDI,ECX
7C825FCD 0F85 85000000 JNZ kernel32.7C826058
7C825FD3 5F POP EDI
7C825FD4 8BC3 MOV EAX,EBX
7C825FD6 5E POP ESI
7C825FD7 5B POP EBX
7C825FD8 C9 LEAVE
7C825FD9 C2 1C00 RETN 1C
the header is something like this
function FormatMessageA(a,b,c,d,e,f,g: dword): dword; stdcall;
the A tells you that at least one of the parameters is a pchar
a W would tell you that one of them is a widechar
then you have to debug a program which calls this function and must look which one it is, and what the others are
if you don't need the parameters you can do something like this:
var
  nextfunction: procedure;  // filled in with the address where the original function continues

procedure dosomething;
begin
  // something which should happen when the function is called
end;

procedure mycallback;
asm
  call dosomething          // run our code first
  pop eax                   // drop the return address that brought us into the stub
  jmp nextfunction          // indirect jump through the variable: resume the original function
end;
for this example:
http://msdn.microsoft.com/library/defau ... essage.asp
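The RETN trick in the post can be automated against a debugger listing. This is an added example, not code from the post or from madCodeHook: it reads OllyDbg-style listing lines (the sample `FORMATMESSAGEA` below is cut down from the kernel32.FormatMessageA listing in the post, `PLAIN_RET` is constructed), collects every RET it finds, and turns `RETN 1C` into the 7-parameter placeholder header shown above. It also handles the cases the post only hints at: a plain `RETN` (the caller cleans the stack, so the count is not recoverable this way), a cleanup size that is not a multiple of 4, and RETs that disagree with each other, which usually means the listing spans more than one function.

```python
import re
import string

# Matches the RET at the end of a listing line, with an optional hex immediate
# ("RETN 1C", "ret 0x1c", "RET 1Ch"). RETN cannot be confused with the byte
# column because N is not a hex digit.
RET_RE = re.compile(r"\bRETN?\b(?:\s+(?:0x)?([0-9A-Fa-f]+)h?)?\s*$", re.IGNORECASE)

# Sample listing: prologue and epilogue of the kernel32.FormatMessageA listing in the post.
FORMATMESSAGEA = """\
7C825F62 > 8BFF MOV EDI,EDI
7C825F64 55 PUSH EBP
7C825F65 8BEC MOV EBP,ESP
7C825F67 83EC 14 SUB ESP,14
7C825FD8 C9 LEAVE
7C825FD9 C2 1C00 RETN 1C
"""

# Constructed sample of a function that leaves stack cleanup to its caller.
PLAIN_RET = """\
00401000 55 PUSH EBP
00401001 8BEC MOV EBP,ESP
00401003 5D POP EBP
00401004 C3 RETN
"""


def stdcall_param_count(listing):
    """Infer the number of DWORD parameters of a 32-bit stdcall function from
    the immediate of its RET instructions. Returns None when the function only
    uses a plain RET (cdecl, or stdcall with no parameters)."""
    cleanups = set()
    for line in listing.splitlines():
        hit = RET_RE.search(line)
        if hit is None:
            continue
        cleanups.add(None if hit.group(1) is None else int(hit.group(1), 16))
    if not cleanups:
        raise ValueError("no RET instruction in listing")
    if len(cleanups) > 1:
        # A single stdcall function always pops the same amount; disagreeing
        # RETs mean the listing runs past the end of the function.
        raise ValueError(f"inconsistent stack cleanup {sorted(cleanups, key=str)}")
    nbytes = cleanups.pop()
    if nbytes is None:
        return None
    if nbytes % 4:
        raise ValueError(f"RET {nbytes:#x} is not a multiple of 4; not a plain DWORD-argument stdcall")
    return nbytes // 4


def stub_prototype(name, count):
    """Delphi import declaration with every parameter typed as dword, the same
    placeholder header the post derives from RETN 1C."""
    if count is None:
        return f"{{ {name}: plain RET, caller cleans the stack; count not recoverable from RET }}"
    params = ", ".join(string.ascii_lowercase[:count])
    return f"function {name}({params}: dword): dword; stdcall;"


if __name__ == "__main__":
    print(stub_prototype("FormatMessageA", stdcall_param_count(FORMATMESSAGEA)))
    print(stub_prototype("SomeCdeclFunc", stdcall_param_count(PLAIN_RET)))
```

The count is an upper bound rather than an exact figure: a 64-bit argument (Int64, Double) occupies 8 bytes of the cleanup, so `RETN 8` can be one such parameter instead of two DWORDs. It also says nothing about the return type; as the post notes, the A/W suffix and a debugger session are still needed to recover pointer parameters.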