DLL Export Viewer

Post your working scripts, libraries and tools
User avatar
jNizM
Posts: 2580
Joined: 30 Sep 2013, 01:33
GitHub: jNizM
Contact:

DLL Export Viewer

10 Jul 2017, 04:43

DLL Export Viewer
Displays a list of all exported functions for the specified Dll files.


Source
DllExport.ahk (GitHub)


Examples
Image
Image
Image
Image


References
- MapAndLoad function (msdn)
- UnMapAndLoad function (msdn)
- ImageDirectoryEntryToData function (msdn)
- ImageRvaToVa function (msdn)
- LoadLibrary function (msdn)
- LoadLibraryEx function (msdn)
- FreeLibrary function (msdn)
- PE Format Layout
- Export Table
- PE Format
- Peering Inside the PE A Tour of the Win32 Portable Executable File Format


Contributing
- thanks Bentschi for LoadLibrary()
- thanks SKAN for DllListExports()
- thanks 'just me' for GetNamedDllExports() and testing
- thanks Alguimist for his gui ideas


Inspired by
- Dependency Walker
- DLL Export Viewer by NirSoft


Questions / Bugs / Issues
If you notice any kind of bugs or issues, report them here. Same for any kind of questions.


Copyright and License
MIT License
[AHK] 1.1.30.03 x64 Unicode | [WIN] 10 Pro (Version 1909) x64 | [GitHub] Profile
Donations are appreciated if I could help you
User avatar
jNizM
Posts: 2580
Joined: 30 Sep 2013, 01:33
GitHub: jNizM
Contact:

Re: DLLExport

10 Jul 2017, 04:59

Function
GetDllExports

Code: Select all

; ===============================================================================================================================
; Name ............: GetDllExports
; Description .....: Gets the functions exported by name from the specified DLL file
; Returns .........: an object containing the following keys:
;                    ModuleName      - The name of the loaded module
;                    Total           - The total amount of exported functions
;                    Names           - The number of functions exported by name
;                    OrdBase         - The ordinal base
;                    Bitness         - The bitness of the DLL file (32 / 64)
;                    Functions       - An array containing an object for each named function containing the following keys:
;                       Name         - The name of the function
;                       EntryPoint   - Entry point - the relative address of the function or its forward string
;                       Ordianl      - The ordinal of the function
; Authors..........: LoadLibrary()        by Bentschi
;                    DllListExports()     by SKAN
;                    GetNamedDllExports() by 'just me'
;                    DllExport()          by jNizM
; ===============================================================================================================================
GetDllExports(DllFile)
{
    static IMAGE_FILE_MACHINE_I386  := 0x014c
    static IMAGE_FILE_MACHINE_AMD64 := 0x8664

    VarSetCapacity(LOADED_IMAGE, 88, 0), Export := { ModuleName: "", Total: 0, Names: 0, OrdBase: 0, Bitness: 0, Functions: [] }
    if (DllCall("imagehlp\MapAndLoad", "astr", DllFile, "ptr", 0, "ptr", &LOADED_IMAGE, "int", 1, "int", 1))
    {
        Export.ModuleName := StrGet(NumGet(LOADED_IMAGE, 0, "ptr"), "cp0")
        MappedAddress     := NumGet(LOADED_IMAGE, A_PtrSize * 2, "uptr")
        IMAGE_NT_HEADERS  := NumGet(LOADED_IMAGE, A_PtrSize * 3, "uptr")
        Machine           := NumGet(IMAGE_NT_HEADERS + 4, "ushort")
        if (Machine = IMAGE_FILE_MACHINE_I386) || (Machine = IMAGE_FILE_MACHINE_AMD64)
        {
            if (IMAGE_EXPORT_DIRECTORY := DllCall("imagehlp\ImageDirectoryEntryToData", "ptr", MappedAddress, "int", 0, "ushort", 0, "uint*", size, "uptr"))
            {
                AddressOfFunctions := NumGet(IMAGE_EXPORT_DIRECTORY + 0x1c, "uint")
                if (AddressTbl := DllCall("imagehlp\ImageRvaToVa", "ptr", IMAGE_NT_HEADERS, "ptr", MappedAddress, "uint", AddressOfFunctions, "ptr", 0, "uptr"))
                {
                    RvaOffset             := AddressTbl - AddressOfFunctions
                    EndOfSection          := IMAGE_EXPORT_DIRECTORY + size
                    OrdinalBase           := NumGet(IMAGE_EXPORT_DIRECTORY + 0x10, "uint")
                    NumberOfFunctions     := NumGet(IMAGE_EXPORT_DIRECTORY + 0x14, "uint")
                    NumberOfNames         := NumGet(IMAGE_EXPORT_DIRECTORY + 0x18, "uint")
                    AddressOfNames        := NumGet(IMAGE_EXPORT_DIRECTORY + 0x20, "uint") + RvaOffset
                    AddressOfNameOrdinals := NumGet(IMAGE_EXPORT_DIRECTORY + 0x24, "uint") + RvaOffset
                    Export.Total          := NumberOfFunctions
                    Export.OrdBase        := OrdinalBase
                    Export.Bitness        := (Machine = IMAGE_FILE_MACHINE_I386) ? 32 : 64
                    loop % NumberOfNames
                    {
                        NamePtr := NumGet(AddressOfNames + 0, "uint") + RvaOffset
                        Ordinal := NumGet(AddressOfNameOrdinals + 0, "ushort")
                        Address := NumGet(AddressTbl + 0, Ordinal * 4, "uint") + RvaOffset
                        EntryPt := (Address > IMAGE_EXPORT_DIRECTORY) && (Address < EndOfSection) ? StrGet(Address, "cp0") : Format("0x{:08x}", Address - RvaOffset)
                        Export.Functions.Push( { Name: StrGet(NamePtr, "cp0"), EntryPoint: EntryPt, Ordinal: Ordinal + OrdinalBase } )
                        AddressOfNames += 4, AddressOfNameOrdinals += 2
                    }
                }
            }
        }
        DllCall("imagehlp\UnMapAndLoad", "ptr", &LOADED_IMAGE)
    }
    Export.Names := Export.Functions.Length()
    return Export
}
; ===============================================================================================================================
References
LOADED_IMAGE

Code: Select all

typedef struct _LOADED_IMAGE {
    PSTR                  ModuleName;                                            // 0x00
    HANDLE                hFile;                                                 // 0x08
    PUCHAR                MappedAddress;                                         // 0x10
    PIMAGE_NT_HEADERS32   FileHeader;                                            // 0x18
    PIMAGE_SECTION_HEADER LastRvaSection;                                        // 0x20
    ULONG                 NumberOfSections;                                      // 0x28
    PIMAGE_SECTION_HEADER Sections;                                              // 0x30
    ULONG                 Characteristics;                                       // 0x38
    BOOLEAN               fSystemImage;                                          // 0x3c
    BOOLEAN               fDOSImage;                                             // 0x3d
    BOOLEAN               fReadOnly;                                             // 0x3f
    UCHAR                 Version;                                               // 0x3e
    LIST_ENTRY            Links;                                                 // 0x40
    ULONG                 SizeOfImage;                                           // 0x50
} LOADED_IMAGE, *PLOADED_IMAGE;                                                  // 0x58
IMAGE_NT_HEADERS32 / IMAGE_NT_HEADERS64

Code: Select all

typedef struct _IMAGE_NT_HEADERS {
    DWORD Signature;                                                             // 0x00
    IMAGE_FILE_HEADER FileHeader;                                                // 0x04
    IMAGE_OPTIONAL_HEADER32 OptionalHeader;                                      // 0x18
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;

typedef struct _IMAGE_NT_HEADERS64 {
    DWORD Signature;                                                             // 0x00
    IMAGE_FILE_HEADER FileHeader;                                                // 0x04
    IMAGE_OPTIONAL_HEADER64 OptionalHeader;                                      // 0x18
} IMAGE_NT_HEADERS64, *PIMAGE_NT_HEADERS64;
IMAGE_FILE_HEADER

Code: Select all

typedef struct _IMAGE_FILE_HEADER {
    WORD  Machine;                                                               // 0x00
    WORD  NumberOfSections;                                                      // 0x02
    DWORD TimeDateStamp;                                                         // 0x04
    DWORD PointerToSymbolTable;                                                  // 0x08
    DWORD NumberOfSymbols;                                                       // 0x0c
    WORD  SizeOfOptionalHeader;                                                  // 0x10
    WORD  Characteristics;                                                       // 0x12
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
IMAGE_OPTIONAL_HEADER32 / IMAGE_OPTIONAL_HEADER64

Code: Select all

typedef struct _IMAGE_OPTIONAL_HEADER {
    WORD    Magic;                                                               // 0x00
    BYTE    MajorLinkerVersion;                                                  // 0x02
    BYTE    MinorLinkerVersion;                                                  // 0x03
    DWORD   SizeOfCode;                                                          // 0x04
    DWORD   SizeOfInitializedData;                                               // 0x08
    DWORD   SizeOfUninitializedData;                                             // 0x0c
    DWORD   AddressOfEntryPoint;                                                 // 0x10
    DWORD   BaseOfCode;                                                          // 0x14
    DWORD   BaseOfData;                                                          // 0x18
    DWORD   ImageBase;                                                           // 0x1c
    DWORD   SectionAlignment;                                                    // 0x20
    DWORD   FileAlignment;                                                       // 0x24
    WORD    MajorOperatingSystemVersion;                                         // 0x28
    WORD    MinorOperatingSystemVersion;                                         // 0x2a
    WORD    MajorImageVersion;                                                   // 0x2c
    WORD    MinorImageVersion;                                                   // 0x2e
    WORD    MajorSubsystemVersion;                                               // 0x30
    WORD    MinorSubsystemVersion;                                               // 0x32
    DWORD   Win32VersionValue;                                                   // 0x34
    DWORD   SizeOfImage;                                                         // 0x38
    DWORD   SizeOfHeaders;                                                       // 0x3c
    DWORD   CheckSum;                                                            // 0x40
    WORD    Subsystem;                                                           // 0x44
    WORD    DllCharacteristics;                                                  // 0x46
    DWORD   SizeOfStackReserve;                                                  // 0x48
    DWORD   SizeOfStackCommit;                                                   // 0x4c
    DWORD   SizeOfHeapReserve;                                                   // 0x50
    DWORD   SizeOfHeapCommit;                                                    // 0x54
    DWORD   LoaderFlags;                                                         // 0x58
    DWORD   NumberOfRvaAndSizes;                                                 // 0x5c
    IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];        // 0x60
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;                            // 0x64

typedef struct _IMAGE_OPTIONAL_HEADER64 {
    WORD        Magic;                                                           // 0x00
    BYTE        MajorLinkerVersion;                                              // 0x02
    BYTE        MinorLinkerVersion;                                              // 0x03
    DWORD       SizeOfCode;                                                      // 0x04
    DWORD       SizeOfInitializedData;                                           // 0x08
    DWORD       SizeOfUninitializedData;                                         // 0x0c
    DWORD       AddressOfEntryPoint;                                             // 0x10
    DWORD       BaseOfCode;                                                      // 0x14
    ULONGLONG   ImageBase;                                                       // 0x18
    DWORD       SectionAlignment;                                                // 0x20
    DWORD       FileAlignment;                                                   // 0x24
    WORD        MajorOperatingSystemVersion;                                     // 0x28
    WORD        MinorOperatingSystemVersion;                                     // 0x2a
    WORD        MajorImageVersion;                                               // 0x2c
    WORD        MinorImageVersion;                                               // 0x2e
    WORD        MajorSubsystemVersion;                                           // 0x30
    WORD        MinorSubsystemVersion;                                           // 0x32
    DWORD       Win32VersionValue;                                               // 0x36
    DWORD       SizeOfImage;                                                     // 0x38
    DWORD       SizeOfHeaders;                                                   // 0x3c
    DWORD       CheckSum;                                                        // 0x40
    WORD        Subsystem;                                                       // 0x44
    WORD        DllCharacteristics;                                              // 0x46
    ULONGLONG   SizeOfStackReserve;                                              // 0x48
    ULONGLONG   SizeOfStackCommit;                                               // 0x50
    ULONGLONG   SizeOfHeapReserve;                                               // 0x58
    ULONGLONG   SizeOfHeapCommit;                                                // 0x60
    DWORD       LoaderFlags;                                                     // 0x68
    DWORD       NumberOfRvaAndSizes;                                             // 0x6c
    IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];        // 0x70
} IMAGE_OPTIONAL_HEADER64, *PIMAGE_OPTIONAL_HEADER64;                            // 0x74
IMAGE_DATA_DIRECTORY

Code: Select all

typedef struct _IMAGE_DATA_DIRECTORY {
    DWORD   VirtualAddress;                                                      // 0x00
    DWORD   Size;                                                                // 0x04
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
IMAGE_EXPORT_DIRECTORY

Code: Select all

typedef struct _IMAGE_EXPORT_DIRECTORY {
    DWORD   Characteristics;                                                     // 0x00
    DWORD   TimeDateStamp;                                                       // 0x04
    WORD    MajorVersion;                                                        // 0x08
    WORD    MinorVersion;                                                        // 0x0a
    DWORD   Name;                                                                // 0x0c
    DWORD   Base;                                                                // 0x10
    DWORD   NumberOfFunctions;                                                   // 0x14
    DWORD   NumberOfNames;                                                       // 0x18
    DWORD   AddressOfFunctions;                                                  // 0x1c
    DWORD   AddressOfNames;                                                      // 0x20
    DWORD   AddressOfNameOrdinals;                                               // 0x24
} IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;
[AHK] 1.1.30.03 x64 Unicode | [WIN] 10 Pro (Version 1909) x64 | [GitHub] Profile
Donations are appreciated if I could help you
Helgef
Posts: 4160
Joined: 17 Jul 2016, 01:02
Contact:

Re: DLLExport

10 Jul 2017, 07:45

Great, and looks good too! Thanks for sharing. :thumbup:
I really appreciate that you make the effort to also highlight some of the functions used, which are usable on their own. ☕
just me
Posts: 6790
Joined: 02 Oct 2013, 08:51
Location: Germany

Re: DLLExport

11 Jul 2017, 07:45

Hi jNizM,

some thoughts about addresses:
  • All addresses in the export data section are RVA's, i.e. relative / offsets to the base address. Bentschi's LoadLibrary() function is designed to provide absolute function addresses to the runnning script after loading the DLL, if needed. SKAN's DllListExports() function and your DLLExport skript are DLL viewers. So IMO, they don't need to output addresses.
    I don't know whether all DLLs are always loaded to the same base address on all systems respectively OS versions. Also, the RVAs contained in the address table most probably depend on the DLL's version and bitness. So the addresses shown by your script might be useless, especially when you use them in a script you want to share.
  • DLL function calls can be forwarded to other DLLs. In the case, the address contained in the address table points to a string within the export data section containing the forward information. To check whether the address is within the export data section you can use code like this:

    Code: Select all

        if !(IMAGE_EXPORT_DIRECTORY := DllCall("imagehlp\ImageDirectoryEntryToData", "ptr", hModule, "int", true, "ushort", 0, "uint*", s, "ptr"))
            throw Exception("ImageDirectoryEntryToData failed: " A_LastError, -1)
        StartOfSection := IMAGE_EXPORT_DIRECTORY - hModule
        EndOfSection := StartOfSection + s
        ...
        ...
            Address := NumGet(AddressOfFunctions + (o * 4), "UInt")
            Forward := ((Address > StartOfSection) && (Address < EndOfSection)) ? StrGet(hModule + Address, "CP0") : ""
User avatar
jNizM
Posts: 2580
Joined: 30 Sep 2013, 01:33
GitHub: jNizM
Contact:

Re: DLLExport

11 Jul 2017, 08:24

Hi Helgef,

thank you =)

Hi 'just me',

thanks for the input.

Update:
- Removed addresses
- Added entry points
[AHK] 1.1.30.03 x64 Unicode | [WIN] 10 Pro (Version 1909) x64 | [GitHub] Profile
Donations are appreciated if I could help you
User avatar
Drugwash
Posts: 745
Joined: 29 May 2014, 21:07
Location: Ploieşti, Romania

Re: DLLExport

12 Jul 2017, 07:06

IIRC, LoadLibrary() may be dangerous if the loaded module is malicious or any of its dependencies are malicious.
Can't LoadLibraryEx() with LOAD_LIBRARY_AS_DATAFILE (and maybe DONT_RESOLVE_DLL_REFERENCES too) be used instead?
Just asking.

Oh and GitHub hates my QtWeb browser, the Clone or Download button does squat so I can't get the script(s). Tough luck for me.

Keep up the good work!
I've deleted my CloudMe account because of GDPR - the now legal base for privacy invasion and data theft.
User avatar
jNizM
Posts: 2580
Joined: 30 Sep 2013, 01:33
GitHub: jNizM
Contact:

Re: DLLExport

12 Jul 2017, 07:40

Hi drugwash,

I found out, that dll's in system32 are working so far with LoadLibraryEx and LOAD_LIBRARY_AS_DATAFILE flag.
But AHK crashes, when I try to get the function names from sqlite3.dll. With 0 (same like LoadLibrary) it works.

Added Download Link from GitHub. Should be always the same type of links:
https://github.com/USERNAME/REPOSITORIE ... master.zip (Download)
https://github.com/USERNAME/REPOSITORIE.git (Clone)
[AHK] 1.1.30.03 x64 Unicode | [WIN] 10 Pro (Version 1909) x64 | [GitHub] Profile
Donations are appreciated if I could help you
User avatar
Drugwash
Posts: 745
Joined: 29 May 2014, 21:07
Location: Ploieşti, Romania

Re: DLLExport

12 Jul 2017, 08:06

Thank you very much for the new links! :)

I have an old script that deals with library exports/imports (actually it does a comparison of these between two or more libraries) and I just looked through the code; apparently sqlite.dll can be loaded with LOAD_WITH_ALTERED_SEARCH_PATH and DONT_RESOLVE_DLL_REFERENCES, at least in AHK Basic and sqlite.dll v3.12.1 (that's the version I found at hand) under win98SE. Unfortunately that script does not work well in XP and/or under AHK 1.1+ and I haven't found the time to try and fix it yet.

I believe the odd library may act up, that's why any such script should have alternative ways of loading libraries while avoiding as much as possible the launching of any possible malicious modules. :)
I've deleted my CloudMe account because of GDPR - the now legal base for privacy invasion and data theft.
just me
Posts: 6790
Joined: 02 Oct 2013, 08:51
Location: Germany

Re: DLLExport

12 Jul 2017, 11:05

SKAN is calling MapAndLoad to load the DLL. I don't know if this is more safe, but it is working for the sqlite3.dll.
Also, LoadLibraryEx() with the 'deprecated' flag DONT_RESOLVE_DLL_REFERENCES 0x00000001 works for the sqlite3.dll on Win 10, but I don't know if it is actually doing what it should.
User avatar
Drugwash
Posts: 745
Joined: 29 May 2014, 21:07
Location: Ploieşti, Romania

Re: DLLExport

12 Jul 2017, 12:05

Mapping the library can be an alternative, yes. Anything to avoid direct loading would do.
Also MapAndLoad() should work in 9x, I've been using it years ago to read data from Miranda IM plug-ins.

To be on the safe side you can build parallel versions that test a bunch of standard and nonstandard libraries and then compare results. The final script may then use one or more fallbacks, if necessary (and available).

EDIT:
Forgot to say imageres.dll does not exist anywhere in Windows on an XP machine - you may wanna try another more common library for the script icon.
I've deleted my CloudMe account because of GDPR - the now legal base for privacy invasion and data theft.
User avatar
Delta Pythagorean
Posts: 509
Joined: 13 Feb 2017, 13:44
GitHub: DelPyth
Location: Somewhere in the US

Re: DLLExport

12 Jul 2017, 20:12

So, I added another ListView and allowed you to double click on the item in the second ListView to load it into the first one.
I also fixed the code up a bit and added an about Gui with just the contributors.
I don't know if this is any use but this is all I got.
Spoiler
Enjoy!

- [AHK].......: 1.1.32.00 Unicode 64-bit
- [OS].........: Windows 10.0.18362
- [GITHUB]...: github.com/DeltaPyth
- [PAYPAL]....: paypal.me/DelPyth
- [DISCORD]..: Delta#3324

Remember to use [code]CODE[/code] for your multi-line scripts.
Stay safe, stay inside, and remember to wash your hands for 20 seconds!
sancarn
Posts: 224
Joined: 01 Mar 2016, 14:52

Re: DLLExport

13 Jul 2017, 08:10

It seems as if this works fine on Win32 DLLs however load library fails to load other DLLs.

I have used DumpBinGUI successfully in the past...

You can find DumpBinGUI here:
https://www.mediafire.com/?w61ymch8stzaa0k

However I can't seem to download it for some reason... If I can't find the download link I will upload it later when I get home. I believe DumpBin.exe is a Microsoft tool though, and can be downloaded from many places (although it's a command line tool)
Last edited by sancarn on 13 Jul 2017, 13:30, edited 1 time in total.
just me
Posts: 6790
Joined: 02 Oct 2013, 08:51
Location: Germany

Re: DLLExport

13 Jul 2017, 11:33

I managed to change the function to use MapAndLoad(). As a side-effect, you can view 32-bit DLLs with AHK 64 and vice versa. This is my personal version, feel free to take what you want:

Code: Select all

; ================================================================================================================================
; Gets the functions exported by name from the specified DLL file.
; Based on DllListExports() by SKAN    - autohotkey.com/boards/viewtopic.php?f=6&t=4563
; and      DLLExport()      by jNizM   - autohotkey.com/boards/viewtopic.php?p=158582#p158582
; Returns an object containing the following keys:
;     Total:      The total number of exported functions.
;     Names:      The number of functions exported by name.
;     OrdBase:    The ordinal base.
;     Bitness:    The bitness of the DLL file (32/64).
;     Funcs:      An array containing an object for each named function containing the following keys:
;                 E:    Entry point - the relative address of the function or its forward string.
;                 N:    The name of the function.
;                 O:    The ordinal of the function.
; ================================================================================================================================
GetNamedDllExports(DllFile) {
   Static IDETD := "ImageHlp.dll\ImageDirectoryEntryToData" ; get the pointer to the IMAGE_EXPORT_DIRECTORY (0), if any.
        , IRTV  := "ImageHlp.dll\ImageRvaToVa"
   Functions := {Total: 0, Names: 0, OrdBase: 0, Bitness: 0, Funcs: []}
   VarSetCapacity(LoadedImage, 88, 0) ; 64-bit size
   If DllCall("ImageHlp.dll\MapAndLoad", "AStr", DllFile, "Ptr", 0, "Ptr", &LoadedImage, "Int", True, "Int", True) {
      MappedAddr := NumGet(LoadedImage, A_PtrSize * 2, "UPtr")
      FileHeader := NumGet(LoadedImage, A_PtrSize * 3, "UPtr")
      Machine    := NumGet(FileHeader + 4, , "UShort")
      If (Machine = 0x014C) || (Machine = 0x8664) {
         If ((ImgExpDir := DllCall(IDETD, "Ptr", MappedAddr, "Int", 0, "Short", 0, "UIntP", Size := 0, "UPtr")) && Size) {
            AddressRVA := NumGet(ImgExpDir + 28, "UInt")                   ; address of the export address table (RVA)
            If (AddressTbl := DllCall(IRTV, "Ptr", FileHeader, "Ptr", MappedAddr, "UInt", AddressRVA, "Ptr", 0, "UPtr")) {
               RvaOffset   := AddressTbl - AddressRVA                      ; offset to add to RVAs
               EndOfSect   := ImgExpDir + Size                             ; end of the export data section
               OrdinalBase := NumGet(ImgExpDir + 16, "Int")                ; ordinal base
               TotalFuncs  := NumGet(ImgExpDir + 20, "Int")                ; number of entries in the export address table
               NumOfNames  := NumGet(ImgExpDir + 24, "Int")                ; number of entries in the name pointer table
               NamePtrTbl  := NumGet(ImgExpDir + 32, "UInt") + RvaOffset   ; address of the name pointer table
               OrdinalTbl  := NumGet(ImgExpDir + 36, "UInt") + RvaOffset   ; address of the ordinal table
               Functions.Total := TotalFuncs
               Functions.OrdBase := OrdinalBase
               Functions.Bitness := (Machine = 0x014c) ? 32 : 64
               Loop, %NumOfNames% {
                  NamePtr  := NumGet(NamePtrTbl + 0, "UInt") + RvaOffset
                  Ordinal  := NumGet(OrdinalTbl + 0, "UShort")
                  Address  := NumGet(AddressTbl + 0, Ordinal * 4, "UInt") + RvaOffset
                  EntryPt  := (Address > ImgExpDir) && (Address < EndOfSect) ? StrGet(Address, "CP0")
                                                                             : Format("0x{:08X}", Address - RvaOffset)
                  Functions.Funcs.Push({E: EntryPt, N: StrGet(NamePtr, "CP0"), O: Ordinal + OrdinalBase})
                  NamePtrTbl += 4
                  OrdinalTbl += 2
               }
            }
         }
      }
      DllCall("ImageHlp.dll\UnMapAndLoad", "Ptr", &LoadedImage)
   }
   Functions.Names := Functions.Funcs.Length() ; redundant
   Return Functions
}
User avatar
jNizM
Posts: 2580
Joined: 30 Sep 2013, 01:33
GitHub: jNizM
Contact:

Re: DLLExport

14 Jul 2017, 06:29

Update:
Integrated 'just me's function (thanks like always) - Minimum supported client: Windows XP

Todo:
Some gui stuff (idea by Delta Pythagorean and others)
[AHK] 1.1.30.03 x64 Unicode | [WIN] 10 Pro (Version 1909) x64 | [GitHub] Profile
Donations are appreciated if I could help you
sancarn
Posts: 224
Joined: 01 Mar 2016, 14:52

Re: DLLExport

14 Jul 2017, 08:34

jNizM wrote:Update:
Integrated 'just me's function (thanks like always)

Todo:
Some gui stuff (idea by Delta Pythagorean and others)
It appears that fixed the issue I was having also.

Edit:

As I understand it, there is no way to find out what the parameters to the functions are... Right?

Edit2: It may be helpful if names were undecorated when dealing with non system32 DLLs: https://msdn.microsoft.com/en-us/librar ... s.85).aspx

Here's a site which does the same job: http://demangler.com/

Example conversion:

[email protected]@@[email protected]@[email protected]@[email protected][email protected]@[email protected]@@[email protected]@[email protected]

to

public: static BOOL __cdecl CIActions::AddHardCodedDamage(class CDamageFunctionBlobAccessor & __ptr64,class CNString,class CNString,double,int,BOOL,class std::vector<double,class std::allocator<double> >,class CNString,BOOL,BOOL & __ptr64,BOOL)
just me
Posts: 6790
Joined: 02 Oct 2013, 08:51
Location: Germany

Re: DLLExport

15 Jul 2017, 12:13

sancarn wrote:Edit2: It may be helpful if names were undecorated when dealing with non system32 DLLs ...
You can do it easily, if you need it:

Code: Select all

FuncName := "[email protected]@@[email protected]@[email protected]@[email protected][email protected]@[email protected]@@[email protected]@[email protected]"

MsgBox, 0, UnDecorateSymbolName, % FuncName . "`n`n" . UnDecorateSymbolName(FuncName)

UnDecorateSymbolName(Decorated) {
   Static UDSN := "Imagehlp.dll\UnDecorateSymbolName"
   VarSetCapacity(Undecorated, 2048, 0) ; should be sufficient
   If (Size := DllCall(UDSN, "AStr", Decorated, "Ptr", &Undecorated, "UInt", 2048, "UInt", 0, "UInt"))
      Return StrGet(&Undecorated, Size, "CP0")
   Else
      Return Decorated
}
Edit: Changed the function to return the passed name on failure.
Last edited by just me on 16 Jul 2017, 05:32, edited 1 time in total.
sancarn
Posts: 224
Joined: 01 Mar 2016, 14:52

Re: DLLExport

15 Jul 2017, 15:42

Thanks @just me :) Will have a go at integrating that somehow :D
User avatar
jNizM
Posts: 2580
Joined: 30 Sep 2013, 01:33
GitHub: jNizM
Contact:

Re: DLLExport

25 Jul 2017, 01:17

Big update!
[AHK] 1.1.30.03 x64 Unicode | [WIN] 10 Pro (Version 1909) x64 | [GitHub] Profile
Donations are appreciated if I could help you
User avatar
Drugwash
Posts: 745
Joined: 29 May 2014, 21:07
Location: Ploieşti, Romania

Re: DLLExport

25 Jul 2017, 05:30

There's something wrong with the last (July 25) release.
Any library I choose from the expanded view crashes the script immediately in kernel32.
DbgView doesn't show anything. Script displays 'Loading functions' at the bottom. Crash is unrecoverable.
XP-SP3, AHK 1.1.25.02 Unicode.
20170725132609.7z
screenshot
(154.62 KiB) Downloaded 57 times
[EDIT]
Thanks to AHK H I found out the crash is inside GetDllExports(), line 384:
Export.ModuleName := StrGet(NumGet(LOADED_IMAGE, 0, "ptr"), "cp0")
which appears to be true because the crash offset 0x00009e8a is somewhere inside MultiByteToWideChar() and I think StrGet() uses it internally.

[EDIT2]
Found the issue: in LOADED_IMAGE first item is a pointer to a pointer. I replaced the offending line with the following and it works fine:
Export.ModuleName := DllCall("MulDiv", "PtrP", NumGet(LOADED_IMAGE, 0, "ptr"), "Int", 1, "Int", 1, "Str")
But now I discovered another issue: the Full Path field in details dialog is wrong. Probably a conversion issue:
20170725142551.png
Full Path issue
20170725142551.png (19.67 KiB) Viewed 3940 times
[EDIT3]
Apparently I couldn't make this work even back in 2008 although I thought so earlier. My bad.
Replaced first image with archived attachment to avoid automatic resizing.
Last edited by Drugwash on 25 Jul 2017, 07:54, edited 1 time in total.
I've deleted my CloudMe account because of GDPR - the now legal base for privacy invasion and data theft.
User avatar
jNizM
Posts: 2580
Joined: 30 Sep 2013, 01:33
GitHub: jNizM
Contact:

Re: DLLExport

25 Jul 2017, 06:29

Hey Drugwash,
your first image is too small to decipher...

Export.ModuleName -> Full Path

Code: Select all

typedef struct _LOADED_IMAGE {
    PSTR                  ModuleName;                                            // 0x00    <--
    HANDLE                hFile;                                                 // 0x08
    PUCHAR                MappedAddress;                                         // 0x10
    // ...
} LOADED_IMAGE, *PLOADED_IMAGE;                                                  // 0x58
LOADED_IMAGE structure
ModuleName -> The file name of the mapped file.
[AHK] 1.1.30.03 x64 Unicode | [WIN] 10 Pro (Version 1909) x64 | [GitHub] Profile
Donations are appreciated if I could help you

Return to “Scripts and Functions”

Who is online

Users browsing this forum: No registered users and 27 guests