DLL Export Viewer
DLL Export Viewer
DLL Export Viewer
Displays a list of all exported functions for the specified Dll files.
Source
DllExport.ahk (GitHub)
Examples
References
- MapAndLoad function (msdn)
- UnMapAndLoad function (msdn)
- ImageDirectoryEntryToData function (msdn)
- ImageRvaToVa function (msdn)
- LoadLibrary function (msdn)
- LoadLibraryEx function (msdn)
- FreeLibrary function (msdn)
- PE Format Layout
- Export Table
- PE Format
- Peering Inside the PE A Tour of the Win32 Portable Executable File Format
Contributing
- thanks Bentschi for LoadLibrary()
- thanks SKAN for DllListExports()
- thanks 'just me' for GetNamedDllExports() and testing
- thanks Alguimist for his gui ideas
Inspired by
- Dependency Walker
- DLL Export Viewer by NirSoft
Questions / Bugs / Issues
If you notice any kind of bugs or issues, report them here. Same for any kind of questions.
Copyright and License
MIT License
Displays a list of all exported functions for the specified Dll files.
Source
DllExport.ahk (GitHub)
Examples
References
- MapAndLoad function (msdn)
- UnMapAndLoad function (msdn)
- ImageDirectoryEntryToData function (msdn)
- ImageRvaToVa function (msdn)
- LoadLibrary function (msdn)
- LoadLibraryEx function (msdn)
- FreeLibrary function (msdn)
- PE Format Layout
- Export Table
- PE Format
- Peering Inside the PE A Tour of the Win32 Portable Executable File Format
Contributing
- thanks Bentschi for LoadLibrary()
- thanks SKAN for DllListExports()
- thanks 'just me' for GetNamedDllExports() and testing
- thanks Alguimist for his gui ideas
Inspired by
- Dependency Walker
- DLL Export Viewer by NirSoft
Questions / Bugs / Issues
If you notice any kind of bugs or issues, report them here. Same for any kind of questions.
Copyright and License
MIT License
[AHK] v2.0.5 | [WIN] 11 Pro (Version 22H2) | [GitHub] Profile
Re: DLLExport
Function
GetDllExports
References
LOADED_IMAGE
IMAGE_NT_HEADERS32 / IMAGE_NT_HEADERS64
IMAGE_FILE_HEADER
IMAGE_OPTIONAL_HEADER32 / IMAGE_OPTIONAL_HEADER64
IMAGE_DATA_DIRECTORY
IMAGE_EXPORT_DIRECTORY
GetDllExports
Code: Select all
; ===============================================================================================================================
; Name ............: GetDllExports
; Description .....: Gets the functions exported by name from the specified DLL file
; Returns .........: an object containing the following keys:
; ModuleName - The name of the loaded module
; Total - The total amount of exported functions
; Names - The number of functions exported by name
; OrdBase - The ordinal base
; Bitness - The bitness of the DLL file (32 / 64)
; Functions - An array containing an object for each named function containing the following keys:
; Name - The name of the function
; EntryPoint - Entry point - the relative address of the function or its forward string
; Ordianl - The ordinal of the function
; Authors..........: LoadLibrary() by Bentschi
; DllListExports() by SKAN
; GetNamedDllExports() by 'just me'
; DllExport() by jNizM
; ===============================================================================================================================
GetDllExports(DllFile)
{
static IMAGE_FILE_MACHINE_I386 := 0x014c
static IMAGE_FILE_MACHINE_AMD64 := 0x8664
VarSetCapacity(LOADED_IMAGE, 88, 0), Export := { ModuleName: "", Total: 0, Names: 0, OrdBase: 0, Bitness: 0, Functions: [] }
if (DllCall("imagehlp\MapAndLoad", "astr", DllFile, "ptr", 0, "ptr", &LOADED_IMAGE, "int", 1, "int", 1))
{
Export.ModuleName := StrGet(NumGet(LOADED_IMAGE, 0, "ptr"), "cp0")
MappedAddress := NumGet(LOADED_IMAGE, A_PtrSize * 2, "uptr")
IMAGE_NT_HEADERS := NumGet(LOADED_IMAGE, A_PtrSize * 3, "uptr")
Machine := NumGet(IMAGE_NT_HEADERS + 4, "ushort")
if (Machine = IMAGE_FILE_MACHINE_I386) || (Machine = IMAGE_FILE_MACHINE_AMD64)
{
if (IMAGE_EXPORT_DIRECTORY := DllCall("imagehlp\ImageDirectoryEntryToData", "ptr", MappedAddress, "int", 0, "ushort", 0, "uint*", size, "uptr"))
{
AddressOfFunctions := NumGet(IMAGE_EXPORT_DIRECTORY + 0x1c, "uint")
if (AddressTbl := DllCall("imagehlp\ImageRvaToVa", "ptr", IMAGE_NT_HEADERS, "ptr", MappedAddress, "uint", AddressOfFunctions, "ptr", 0, "uptr"))
{
RvaOffset := AddressTbl - AddressOfFunctions
EndOfSection := IMAGE_EXPORT_DIRECTORY + size
OrdinalBase := NumGet(IMAGE_EXPORT_DIRECTORY + 0x10, "uint")
NumberOfFunctions := NumGet(IMAGE_EXPORT_DIRECTORY + 0x14, "uint")
NumberOfNames := NumGet(IMAGE_EXPORT_DIRECTORY + 0x18, "uint")
AddressOfNames := NumGet(IMAGE_EXPORT_DIRECTORY + 0x20, "uint") + RvaOffset
AddressOfNameOrdinals := NumGet(IMAGE_EXPORT_DIRECTORY + 0x24, "uint") + RvaOffset
Export.Total := NumberOfFunctions
Export.OrdBase := OrdinalBase
Export.Bitness := (Machine = IMAGE_FILE_MACHINE_I386) ? 32 : 64
loop % NumberOfNames
{
NamePtr := NumGet(AddressOfNames + 0, "uint") + RvaOffset
Ordinal := NumGet(AddressOfNameOrdinals + 0, "ushort")
Address := NumGet(AddressTbl + 0, Ordinal * 4, "uint") + RvaOffset
EntryPt := (Address > IMAGE_EXPORT_DIRECTORY) && (Address < EndOfSection) ? StrGet(Address, "cp0") : Format("0x{:08x}", Address - RvaOffset)
Export.Functions.Push( { Name: StrGet(NamePtr, "cp0"), EntryPoint: EntryPt, Ordinal: Ordinal + OrdinalBase } )
AddressOfNames += 4, AddressOfNameOrdinals += 2
}
}
}
}
DllCall("imagehlp\UnMapAndLoad", "ptr", &LOADED_IMAGE)
}
Export.Names := Export.Functions.Length()
return Export
}
; ===============================================================================================================================
LOADED_IMAGE
Code: Select all
typedef struct _LOADED_IMAGE {
PSTR ModuleName; // 0x00
HANDLE hFile; // 0x08
PUCHAR MappedAddress; // 0x10
PIMAGE_NT_HEADERS32 FileHeader; // 0x18
PIMAGE_SECTION_HEADER LastRvaSection; // 0x20
ULONG NumberOfSections; // 0x28
PIMAGE_SECTION_HEADER Sections; // 0x30
ULONG Characteristics; // 0x38
BOOLEAN fSystemImage; // 0x3c
BOOLEAN fDOSImage; // 0x3d
BOOLEAN fReadOnly; // 0x3f
UCHAR Version; // 0x3e
LIST_ENTRY Links; // 0x40
ULONG SizeOfImage; // 0x50
} LOADED_IMAGE, *PLOADED_IMAGE; // 0x58
Code: Select all
typedef struct _IMAGE_NT_HEADERS {
DWORD Signature; // 0x00
IMAGE_FILE_HEADER FileHeader; // 0x04
IMAGE_OPTIONAL_HEADER32 OptionalHeader; // 0x18
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;
typedef struct _IMAGE_NT_HEADERS64 {
DWORD Signature; // 0x00
IMAGE_FILE_HEADER FileHeader; // 0x04
IMAGE_OPTIONAL_HEADER64 OptionalHeader; // 0x18
} IMAGE_NT_HEADERS64, *PIMAGE_NT_HEADERS64;
Code: Select all
typedef struct _IMAGE_FILE_HEADER {
WORD Machine; // 0x00
WORD NumberOfSections; // 0x02
DWORD TimeDateStamp; // 0x04
DWORD PointerToSymbolTable; // 0x08
DWORD NumberOfSymbols; // 0x0c
WORD SizeOfOptionalHeader; // 0x10
WORD Characteristics; // 0x12
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
Code: Select all
typedef struct _IMAGE_OPTIONAL_HEADER {
WORD Magic; // 0x00
BYTE MajorLinkerVersion; // 0x02
BYTE MinorLinkerVersion; // 0x03
DWORD SizeOfCode; // 0x04
DWORD SizeOfInitializedData; // 0x08
DWORD SizeOfUninitializedData; // 0x0c
DWORD AddressOfEntryPoint; // 0x10
DWORD BaseOfCode; // 0x14
DWORD BaseOfData; // 0x18
DWORD ImageBase; // 0x1c
DWORD SectionAlignment; // 0x20
DWORD FileAlignment; // 0x24
WORD MajorOperatingSystemVersion; // 0x28
WORD MinorOperatingSystemVersion; // 0x2a
WORD MajorImageVersion; // 0x2c
WORD MinorImageVersion; // 0x2e
WORD MajorSubsystemVersion; // 0x30
WORD MinorSubsystemVersion; // 0x32
DWORD Win32VersionValue; // 0x34
DWORD SizeOfImage; // 0x38
DWORD SizeOfHeaders; // 0x3c
DWORD CheckSum; // 0x40
WORD Subsystem; // 0x44
WORD DllCharacteristics; // 0x46
DWORD SizeOfStackReserve; // 0x48
DWORD SizeOfStackCommit; // 0x4c
DWORD SizeOfHeapReserve; // 0x50
DWORD SizeOfHeapCommit; // 0x54
DWORD LoaderFlags; // 0x58
DWORD NumberOfRvaAndSizes; // 0x5c
IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; // 0x60
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32; // 0x64
typedef struct _IMAGE_OPTIONAL_HEADER64 {
WORD Magic; // 0x00
BYTE MajorLinkerVersion; // 0x02
BYTE MinorLinkerVersion; // 0x03
DWORD SizeOfCode; // 0x04
DWORD SizeOfInitializedData; // 0x08
DWORD SizeOfUninitializedData; // 0x0c
DWORD AddressOfEntryPoint; // 0x10
DWORD BaseOfCode; // 0x14
ULONGLONG ImageBase; // 0x18
DWORD SectionAlignment; // 0x20
DWORD FileAlignment; // 0x24
WORD MajorOperatingSystemVersion; // 0x28
WORD MinorOperatingSystemVersion; // 0x2a
WORD MajorImageVersion; // 0x2c
WORD MinorImageVersion; // 0x2e
WORD MajorSubsystemVersion; // 0x30
WORD MinorSubsystemVersion; // 0x32
DWORD Win32VersionValue; // 0x36
DWORD SizeOfImage; // 0x38
DWORD SizeOfHeaders; // 0x3c
DWORD CheckSum; // 0x40
WORD Subsystem; // 0x44
WORD DllCharacteristics; // 0x46
ULONGLONG SizeOfStackReserve; // 0x48
ULONGLONG SizeOfStackCommit; // 0x50
ULONGLONG SizeOfHeapReserve; // 0x58
ULONGLONG SizeOfHeapCommit; // 0x60
DWORD LoaderFlags; // 0x68
DWORD NumberOfRvaAndSizes; // 0x6c
IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; // 0x70
} IMAGE_OPTIONAL_HEADER64, *PIMAGE_OPTIONAL_HEADER64; // 0x74
Code: Select all
typedef struct _IMAGE_DATA_DIRECTORY {
DWORD VirtualAddress; // 0x00
DWORD Size; // 0x04
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
Code: Select all
typedef struct _IMAGE_EXPORT_DIRECTORY {
DWORD Characteristics; // 0x00
DWORD TimeDateStamp; // 0x04
WORD MajorVersion; // 0x08
WORD MinorVersion; // 0x0a
DWORD Name; // 0x0c
DWORD Base; // 0x10
DWORD NumberOfFunctions; // 0x14
DWORD NumberOfNames; // 0x18
DWORD AddressOfFunctions; // 0x1c
DWORD AddressOfNames; // 0x20
DWORD AddressOfNameOrdinals; // 0x24
} IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;
[AHK] v2.0.5 | [WIN] 11 Pro (Version 22H2) | [GitHub] Profile
Re: DLLExport
Great, and looks good too! Thanks for sharing.
I really appreciate that you make the effort to also highlight some of the functions used, which are usable on their own.
I really appreciate that you make the effort to also highlight some of the functions used, which are usable on their own.
Re: DLLExport
Hi jNizM,
some thoughts about addresses:
some thoughts about addresses:
- All addresses in the export data section are RVA's, i.e. relative / offsets to the base address. Bentschi's LoadLibrary() function is designed to provide absolute function addresses to the runnning script after loading the DLL, if needed. SKAN's DllListExports() function and your DLLExport skript are DLL viewers. So IMO, they don't need to output addresses.
I don't know whether all DLLs are always loaded to the same base address on all systems respectively OS versions. Also, the RVAs contained in the address table most probably depend on the DLL's version and bitness. So the addresses shown by your script might be useless, especially when you use them in a script you want to share. - DLL function calls can be forwarded to other DLLs. In the case, the address contained in the address table points to a string within the export data section containing the forward information. To check whether the address is within the export data section you can use code like this:
Code: Select all
if !(IMAGE_EXPORT_DIRECTORY := DllCall("imagehlp\ImageDirectoryEntryToData", "ptr", hModule, "int", true, "ushort", 0, "uint*", s, "ptr")) throw Exception("ImageDirectoryEntryToData failed: " A_LastError, -1) StartOfSection := IMAGE_EXPORT_DIRECTORY - hModule EndOfSection := StartOfSection + s ... ... Address := NumGet(AddressOfFunctions + (o * 4), "UInt") Forward := ((Address > StartOfSection) && (Address < EndOfSection)) ? StrGet(hModule + Address, "CP0") : ""
Re: DLLExport
Hi Helgef,
thank you =)
Hi 'just me',
thanks for the input.
Update:
- Removed addresses
- Added entry points
thank you =)
Hi 'just me',
thanks for the input.
Update:
- Removed addresses
- Added entry points
[AHK] v2.0.5 | [WIN] 11 Pro (Version 22H2) | [GitHub] Profile
Re: DLLExport
IIRC, LoadLibrary() may be dangerous if the loaded module is malicious or any of its dependencies are malicious.
Can't LoadLibraryEx() with LOAD_LIBRARY_AS_DATAFILE (and maybe DONT_RESOLVE_DLL_REFERENCES too) be used instead?
Just asking.
Oh and GitHub hates my QtWeb browser, the Clone or Download button does squat so I can't get the script(s). Tough luck for me.
Keep up the good work!
Can't LoadLibraryEx() with LOAD_LIBRARY_AS_DATAFILE (and maybe DONT_RESOLVE_DLL_REFERENCES too) be used instead?
Just asking.
Oh and GitHub hates my QtWeb browser, the Clone or Download button does squat so I can't get the script(s). Tough luck for me.
Keep up the good work!
Part of my AHK work can be found here.
Re: DLLExport
Hi drugwash,
I found out, that dll's in system32 are working so far with LoadLibraryEx and LOAD_LIBRARY_AS_DATAFILE flag.
But AHK crashes, when I try to get the function names from sqlite3.dll. With 0 (same like LoadLibrary) it works.
Added Download Link from GitHub. Should be always the same type of links:
https://github.com/USERNAME/REPOSITORIE ... master.zip (Download)
https://github.com/USERNAME/REPOSITORIE.git (Clone)
I found out, that dll's in system32 are working so far with LoadLibraryEx and LOAD_LIBRARY_AS_DATAFILE flag.
But AHK crashes, when I try to get the function names from sqlite3.dll. With 0 (same like LoadLibrary) it works.
Added Download Link from GitHub. Should be always the same type of links:
https://github.com/USERNAME/REPOSITORIE ... master.zip (Download)
https://github.com/USERNAME/REPOSITORIE.git (Clone)
[AHK] v2.0.5 | [WIN] 11 Pro (Version 22H2) | [GitHub] Profile
Re: DLLExport
Thank you very much for the new links!
I have an old script that deals with library exports/imports (actually it does a comparison of these between two or more libraries) and I just looked through the code; apparently sqlite.dll can be loaded with LOAD_WITH_ALTERED_SEARCH_PATH and DONT_RESOLVE_DLL_REFERENCES, at least in AHK Basic and sqlite.dll v3.12.1 (that's the version I found at hand) under win98SE. Unfortunately that script does not work well in XP and/or under AHK 1.1+ and I haven't found the time to try and fix it yet.
I believe the odd library may act up, that's why any such script should have alternative ways of loading libraries while avoiding as much as possible the launching of any possible malicious modules.
I have an old script that deals with library exports/imports (actually it does a comparison of these between two or more libraries) and I just looked through the code; apparently sqlite.dll can be loaded with LOAD_WITH_ALTERED_SEARCH_PATH and DONT_RESOLVE_DLL_REFERENCES, at least in AHK Basic and sqlite.dll v3.12.1 (that's the version I found at hand) under win98SE. Unfortunately that script does not work well in XP and/or under AHK 1.1+ and I haven't found the time to try and fix it yet.
I believe the odd library may act up, that's why any such script should have alternative ways of loading libraries while avoiding as much as possible the launching of any possible malicious modules.
Part of my AHK work can be found here.
Re: DLLExport
SKAN is calling MapAndLoad to load the DLL. I don't know if this is more safe, but it is working for the sqlite3.dll.
Also, LoadLibraryEx() with the 'deprecated' flag DONT_RESOLVE_DLL_REFERENCES 0x00000001 works for the sqlite3.dll on Win 10, but I don't know if it is actually doing what it should.
Also, LoadLibraryEx() with the 'deprecated' flag DONT_RESOLVE_DLL_REFERENCES 0x00000001 works for the sqlite3.dll on Win 10, but I don't know if it is actually doing what it should.
Re: DLLExport
Mapping the library can be an alternative, yes. Anything to avoid direct loading would do.
Also MapAndLoad() should work in 9x, I've been using it years ago to read data from Miranda IM plug-ins.
To be on the safe side you can build parallel versions that test a bunch of standard and nonstandard libraries and then compare results. The final script may then use one or more fallbacks, if necessary (and available).
EDIT:
Forgot to say imageres.dll does not exist anywhere in Windows on an XP machine - you may wanna try another more common library for the script icon.
Also MapAndLoad() should work in 9x, I've been using it years ago to read data from Miranda IM plug-ins.
To be on the safe side you can build parallel versions that test a bunch of standard and nonstandard libraries and then compare results. The final script may then use one or more fallbacks, if necessary (and available).
EDIT:
Forgot to say imageres.dll does not exist anywhere in Windows on an XP machine - you may wanna try another more common library for the script icon.
Part of my AHK work can be found here.
- Delta Pythagorean
- Posts: 627
- Joined: 13 Feb 2017, 13:44
- Location: Somewhere in the US
- Contact:
Re: DLLExport
So, I added another ListView and allowed you to double click on the item in the second ListView to load it into the first one.
I also fixed the code up a bit and added an about Gui with just the contributors.
I don't know if this is any use but this is all I got.
I also fixed the code up a bit and added an about Gui with just the contributors.
I don't know if this is any use but this is all I got.
Spoiler
Enjoy![AHK]......: v2.0.12 | 64-bit
[OS].......: Windows 11 | 23H2 (OS Build: 22621.3296)
[GITHUB]...: github.com/DelPyth
[PAYPAL]...: paypal.me/DelPyth
[DISCORD]..: tophatcat
Re: DLLExport
It seems as if this works fine on Win32 DLLs however load library fails to load other DLLs.
I have used DumpBinGUI successfully in the past...
You can find DumpBinGUI here:
https://www.mediafire.com/?w61ymch8stzaa0k
However I can't seem to download it for some reason... If I can't find the download link I will upload it later when I get home. I believe DumpBin.exe is a Microsoft tool though, and can be downloaded from many places (although it's a command line tool)
I have used DumpBinGUI successfully in the past...
You can find DumpBinGUI here:
https://www.mediafire.com/?w61ymch8stzaa0k
However I can't seem to download it for some reason... If I can't find the download link I will upload it later when I get home. I believe DumpBin.exe is a Microsoft tool though, and can be downloaded from many places (although it's a command line tool)
Last edited by sancarn on 13 Jul 2017, 13:30, edited 1 time in total.
Re: DLLExport
I managed to change the function to use MapAndLoad(). As a side-effect, you can view 32-bit DLLs with AHK 64 and vice versa. This is my personal version, feel free to take what you want:
Code: Select all
; ================================================================================================================================
; Gets the functions exported by name from the specified DLL file.
; Based on DllListExports() by SKAN - autohotkey.com/boards/viewtopic.php?f=6&t=4563
; and DLLExport() by jNizM - autohotkey.com/boards/viewtopic.php?p=158582#p158582
; Returns an object containing the following keys:
; Total: The total number of exported functions.
; Names: The number of functions exported by name.
; OrdBase: The ordinal base.
; Bitness: The bitness of the DLL file (32/64).
; Funcs: An array containing an object for each named function containing the following keys:
; E: Entry point - the relative address of the function or its forward string.
; N: The name of the function.
; O: The ordinal of the function.
; ================================================================================================================================
GetNamedDllExports(DllFile) {
Static IDETD := "ImageHlp.dll\ImageDirectoryEntryToData" ; get the pointer to the IMAGE_EXPORT_DIRECTORY (0), if any.
, IRTV := "ImageHlp.dll\ImageRvaToVa"
Functions := {Total: 0, Names: 0, OrdBase: 0, Bitness: 0, Funcs: []}
VarSetCapacity(LoadedImage, 88, 0) ; 64-bit size
If DllCall("ImageHlp.dll\MapAndLoad", "AStr", DllFile, "Ptr", 0, "Ptr", &LoadedImage, "Int", True, "Int", True) {
MappedAddr := NumGet(LoadedImage, A_PtrSize * 2, "UPtr")
FileHeader := NumGet(LoadedImage, A_PtrSize * 3, "UPtr")
Machine := NumGet(FileHeader + 4, , "UShort")
If (Machine = 0x014C) || (Machine = 0x8664) {
If ((ImgExpDir := DllCall(IDETD, "Ptr", MappedAddr, "Int", 0, "Short", 0, "UIntP", Size := 0, "UPtr")) && Size) {
AddressRVA := NumGet(ImgExpDir + 28, "UInt") ; address of the export address table (RVA)
If (AddressTbl := DllCall(IRTV, "Ptr", FileHeader, "Ptr", MappedAddr, "UInt", AddressRVA, "Ptr", 0, "UPtr")) {
RvaOffset := AddressTbl - AddressRVA ; offset to add to RVAs
EndOfSect := ImgExpDir + Size ; end of the export data section
OrdinalBase := NumGet(ImgExpDir + 16, "Int") ; ordinal base
TotalFuncs := NumGet(ImgExpDir + 20, "Int") ; number of entries in the export address table
NumOfNames := NumGet(ImgExpDir + 24, "Int") ; number of entries in the name pointer table
NamePtrTbl := NumGet(ImgExpDir + 32, "UInt") + RvaOffset ; address of the name pointer table
OrdinalTbl := NumGet(ImgExpDir + 36, "UInt") + RvaOffset ; address of the ordinal table
Functions.Total := TotalFuncs
Functions.OrdBase := OrdinalBase
Functions.Bitness := (Machine = 0x014c) ? 32 : 64
Loop, %NumOfNames% {
NamePtr := NumGet(NamePtrTbl + 0, "UInt") + RvaOffset
Ordinal := NumGet(OrdinalTbl + 0, "UShort")
Address := NumGet(AddressTbl + 0, Ordinal * 4, "UInt") + RvaOffset
EntryPt := (Address > ImgExpDir) && (Address < EndOfSect) ? StrGet(Address, "CP0")
: Format("0x{:08X}", Address - RvaOffset)
Functions.Funcs.Push({E: EntryPt, N: StrGet(NamePtr, "CP0"), O: Ordinal + OrdinalBase})
NamePtrTbl += 4
OrdinalTbl += 2
}
}
}
}
DllCall("ImageHlp.dll\UnMapAndLoad", "Ptr", &LoadedImage)
}
Functions.Names := Functions.Funcs.Length() ; redundant
Return Functions
}
Re: DLLExport
Update:
Integrated 'just me's function (thanks like always) - Minimum supported client: Windows XP
Todo:
Some gui stuff (idea by Delta Pythagorean and others)
Integrated 'just me's function (thanks like always) - Minimum supported client: Windows XP
Todo:
Some gui stuff (idea by Delta Pythagorean and others)
[AHK] v2.0.5 | [WIN] 11 Pro (Version 22H2) | [GitHub] Profile
Re: DLLExport
It appears that fixed the issue I was having also.jNizM wrote:Update:
Integrated 'just me's function (thanks like always)
Todo:
Some gui stuff (idea by Delta Pythagorean and others)
Edit:
As I understand it, there is no way to find out what the parameters to the functions are... Right?
Edit2: It may be helpful if names were undecorated when dealing with non system32 DLLs: https://msdn.microsoft.com/en-us/librar ... s.85).aspx
Here's a site which does the same job: http://demangler.com/
Example conversion:
?AddHardCodedDamage@CIActions@@SA_NAEAVCDamageFunctionBlobAccessor@@VCNString@@1NH_NV?$vector@NV?$allocator@N@std@@@std@@12AEA_N2@Z
to
public: static BOOL __cdecl CIActions::AddHardCodedDamage(class CDamageFunctionBlobAccessor & __ptr64,class CNString,class CNString,double,int,BOOL,class std::vector<double,class std::allocator<double> >,class CNString,BOOL,BOOL & __ptr64,BOOL)
Re: DLLExport
You can do it easily, if you need it:sancarn wrote:Edit2: It may be helpful if names were undecorated when dealing with non system32 DLLs ...
Code: Select all
FuncName := "?AddHardCodedDamage@CIActions@@SA_NAEAVCDamageFunctionBlobAccessor@@VCNString@@1NH_NV?$vector@NV?$allocator@N@std@@@std@@12AEA_N2@Z"
MsgBox, 0, UnDecorateSymbolName, % FuncName . "`n`n" . UnDecorateSymbolName(FuncName)
UnDecorateSymbolName(Decorated) {
Static UDSN := "Imagehlp.dll\UnDecorateSymbolName"
VarSetCapacity(Undecorated, 2048, 0) ; should be sufficient
If (Size := DllCall(UDSN, "AStr", Decorated, "Ptr", &Undecorated, "UInt", 2048, "UInt", 0, "UInt"))
Return StrGet(&Undecorated, Size, "CP0")
Else
Return Decorated
}
Last edited by just me on 16 Jul 2017, 05:32, edited 1 time in total.
Re: DLLExport
Thanks @just me Will have a go at integrating that somehow
Re: DLLExport
There's something wrong with the last (July 25) release.
Any library I choose from the expanded view crashes the script immediately in kernel32.
DbgView doesn't show anything. Script displays 'Loading functions' at the bottom. Crash is unrecoverable.
XP-SP3, AHK 1.1.25.02 Unicode. [EDIT]
Thanks to AHK H I found out the crash is inside GetDllExports(), line 384:
Export.ModuleName := StrGet(NumGet(LOADED_IMAGE, 0, "ptr"), "cp0")
which appears to be true because the crash offset 0x00009e8a is somewhere inside MultiByteToWideChar() and I think StrGet() uses it internally.
[EDIT2]
Found the issue: in LOADED_IMAGE first item is a pointer to a pointer. I replaced the offending line with the following and it works fine:
Export.ModuleName := DllCall("MulDiv", "PtrP", NumGet(LOADED_IMAGE, 0, "ptr"), "Int", 1, "Int", 1, "Str")
But now I discovered another issue: the Full Path field in details dialog is wrong. Probably a conversion issue:
[EDIT3]
Apparently I couldn't make this work even back in 2008 although I thought so earlier. My bad.
Replaced first image with archived attachment to avoid automatic resizing.
Any library I choose from the expanded view crashes the script immediately in kernel32.
DbgView doesn't show anything. Script displays 'Loading functions' at the bottom. Crash is unrecoverable.
XP-SP3, AHK 1.1.25.02 Unicode. [EDIT]
Thanks to AHK H I found out the crash is inside GetDllExports(), line 384:
Export.ModuleName := StrGet(NumGet(LOADED_IMAGE, 0, "ptr"), "cp0")
which appears to be true because the crash offset 0x00009e8a is somewhere inside MultiByteToWideChar() and I think StrGet() uses it internally.
Found the issue: in LOADED_IMAGE first item is a pointer to a pointer. I replaced the offending line with the following and it works fine:
Export.ModuleName := DllCall("MulDiv", "PtrP", NumGet(LOADED_IMAGE, 0, "ptr"), "Int", 1, "Int", 1, "Str")
But now I discovered another issue: the Full Path field in details dialog is wrong. Probably a conversion issue:
Apparently I couldn't make this work even back in 2008 although I thought so earlier. My bad.
Replaced first image with archived attachment to avoid automatic resizing.
Last edited by Drugwash on 25 Jul 2017, 07:54, edited 1 time in total.
Part of my AHK work can be found here.
Re: DLLExport
Hey Drugwash,
your first image is too small to decipher...
Export.ModuleName -> Full Path
LOADED_IMAGE structure
ModuleName -> The file name of the mapped file.
your first image is too small to decipher...
Export.ModuleName -> Full Path
Code: Select all
typedef struct _LOADED_IMAGE {
PSTR ModuleName; // 0x00 <--
HANDLE hFile; // 0x08
PUCHAR MappedAddress; // 0x10
// ...
} LOADED_IMAGE, *PLOADED_IMAGE; // 0x58
ModuleName -> The file name of the mapped file.
[AHK] v2.0.5 | [WIN] 11 Pro (Version 22H2) | [GitHub] Profile