DLL export table - Exported functions list and addresses!

  • Question

  • Hello

     

    Can we extract exported functions list from a dll and their associated addresses using windbg?

    Can we determine what DLLs' functions are used by an application? For example: myapp.exe is just calling MessageBoxA from user32 dll.

     

    Thanks!




    Thursday, August 25, 2011 9:42 AM

All replies

  • , but if you have a pdb file, you can list the symbols in the dll, like: x dllname!*

    I don’t think you need .pdb to see the export functions.
    NB: You can use windbg -z to load your dll without having an .exe which uses it, or use File->Open Crash Dump.

    0:000> .reload
    .*** ERROR: Symbol file could not be found.  Defaulted to export symbols for user32.dll -

    0:000> x user32!Acti*
    7dc79485 user32!ActivateKeyboardLayout (<no parameter info>)

    Regards
    Kjell Gunnar

     

    Friday, August 26, 2011 7:25 AM
  • You can find both the exports and imports of an image by parsing the PE header. Symbols are not necessary.

    You can find the exports using the method that Kjell suggested if you do *not* have symbols, because in that case WinDBG will default to showing the exports when you use the x command. However, if you *do* have symbols and you're debugging a crash dump or something, x will show you lots more than just the exports. In that case, you can parse the export directory in the PE header:

    0:005> !dh ntdll -f
    ...

         140  DLL characteristics
                Dynamic base
                NX compatible
      106270 [    F17C] address [size] of Export Directory
    0:005> * Export directory found at offset 106270 of image
    0:005> dc ntdll+106270
    00000000`774c6270  00000000 4ce79322 00000000 0010b038  ...."..L....8...
    00000000`774c6280  00000001 000007c8 000007c0 00106298  .............b..
    00000000`774c6290  001081b8 0010a0b8 000e8260 000e80e0  ........`.......

    The format of that data is described here:

    http://win32assembly.online.fr/pe-tut7.html

    And you could write a script to find the named exports using that data. For example:

    0:005> dc ntdll+001081b8
    00000000`774c81b8  0010b042 0010b04d 0010b057 0010b063  B...M...W...c...
    ...
    0:005> da ntdll+0010b042
    00000000`774cb042  "A_SHAFinal"
    0:005> da ntdll+0010b04d 
    00000000`774cb04d  "A_SHAInit"
    0:005> da ntdll+0010b057  
    00000000`774cb057  "A_SHAUpdate"

    (Note that I'm leaving a lot as an exercise for the reader, though using the article mentioned above that should all make sense)

    The import table is much easier to parse and I already wrote about finding imports of a module here:

     

    http://www.osronline.com/article.cfm?article=522

     

    -scott

     


    OSR Online
    Friday, August 26, 2011 2:10 PM
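
Added example, not part of the original posts: a Python walk of the export directory layout shown in the `dc ntdll+106270` dump above, resolving each named export to its ordinal and RVA and flagging forwarders. It assumes a memory-mapped image (offset equals RVA, as with `ntdll+rva` in the debugger); `parse_exports`, `build_sample`, the sample image and its names are constructed for illustration.

```python
import struct

def cstr(img, rva):
    """NUL-terminated ASCII string at an RVA (what `da module+rva` prints)."""
    return img[rva:img.index(b"\0", rva)].decode("ascii")

def parse_exports(img, dir_rva, dir_size):
    """Walk IMAGE_EXPORT_DIRECTORY in a mapped image, where offset == RVA."""
    (_chars, _stamp, _major, _minor, name_rva, base, n_funcs, n_names,
     funcs_rva, names_rva, ords_rva) = struct.unpack_from("<IIHHIIIIIII", img, dir_rva)
    funcs = struct.unpack_from(f"<{n_funcs}I", img, funcs_rva)  # AddressOfFunctions
    names = struct.unpack_from(f"<{n_names}I", img, names_rva)  # AddressOfNames
    ords = struct.unpack_from(f"<{n_names}H", img, ords_rva)    # AddressOfNameOrdinals
    exports = []
    for name_ptr, idx in zip(names, ords):
        if idx >= n_funcs:
            raise ValueError("name ordinal index outside function table")
        rva = funcs[idx]
        # An RVA pointing back inside the export directory is a forwarder string
        fwd = cstr(img, rva) if dir_rva <= rva < dir_rva + dir_size else None
        exports.append((cstr(img, name_ptr), base + idx, rva, fwd))
    return cstr(img, name_rva), exports

def build_sample():
    """Constructed mapped image: three named exports, one of them a forwarder."""
    img = bytearray(0x400)
    DIR, FUNCS, NAMES, ORDS, STRS = 0x100, 0x128, 0x134, 0x140, 0x148
    strings = [b"sample.dll", b"Alpha", b"Beta", b"Gamma", b"other.Target"]
    rvas, pos = [], STRS
    for s in strings:
        img[pos:pos + len(s)] = s
        rvas.append(pos)
        pos += len(s) + 1
    struct.pack_into("<IIHHIIIIIII", img, DIR,
                     0, 0, 0, 0, rvas[0], 1, 3, 3, FUNCS, NAMES, ORDS)
    struct.pack_into("<3I", img, FUNCS, 0x1000, rvas[4], 0x1020)
    struct.pack_into("<3I", img, NAMES, *rvas[1:4])
    struct.pack_into("<3H", img, ORDS, 2, 0, 1)
    return bytes(img), DIR, pos - DIR

if __name__ == "__main__":
    image, dir_rva, dir_size = build_sample()
    dll, exports = parse_exports(image, dir_rva, dir_size)
    for name, ordinal, rva, fwd in exports:
        print(f"{dll}!{name} ord={ordinal} rva={rva:#x} fwd={fwd}")
```
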
  • You can use WinDbg's undocumented bang commands

    !showimports and !showexports to see the imports and exports of a module like below

    0:000> !showimports user32

    Import: user32
          gdi32.dll
          kernel32.dll
          ntdll.dll
    gdi32.dll
    kernel32.dll
    ntdll.dll

    0:000> !showexports user32

    USER32!AdjustWindowRect
    USER32!AdjustWindowRectEx
    USER32!AlignRects
    USER32!AllowForegroundActivation
    USER32!AllowSetForegroundWindow
    USER32!AnimateWindow
    USER32!AnyPopup
    USER32!AppendMenuA

    Sunday, March 25, 2012 2:09 PM