How to start exe loaded with LoadLibrary?
If I load an executable with LoadLibrary, how can I determine the function
name for GetProcAddress to actually run the application? Are there any tools
that list the exported DLL functions for a DLL/EXE?
Mike
# 1 Re: How to start exe loaded with LoadLibrary?
Mike,
>If I load an executable with LoadLibrary, how can I determine the function
>name for GetProcAddress to actually run the application? Are there any tools
>that list the exported DLL functions for a DLL/EXE?
The exported function names are stamped in the executable, using the
PE format for Win32 applications. That means that you just have to
open the file, and dig around for the data that you need.
That said, if you think it is going to be easy to call the functions
declared dynamically, think again. It is possible, by changing the
entry in a standard vtable to the new function address, but it is not
easy. See old copies of VBPJ for any article by William Storage or
Matt Curland.
Ciao, Craig
# 3 Re: How to start exe loaded with LoadLibrary?
>The exported function names are stamped in the executable, using the
>PE format for Win32 applications. That means that you just have to
>open the file, and dig around for the data that you need.
Craig,
What tool do I use to open the executable and look for the data? Probably
not just any old hex editor? Also, do you have any more reference information
about the PE format?
Mike
# 5 Re: How to start exe loaded with LoadLibrary?
> What tool do I use to open the executable and look for the data? Probably
> not just any old hex editor?
You can do it with VB and some API calls (there's a sample on my site).
> Also, do you have any more reference information
> about the PE format?
On Microsoft's site.
--
Eduardo A. Morcillo
http://www.domaindlx.com/e_morcillo
# 7 Re: How to start exe loaded with LoadLibrary?
Mike,
>What tool do I use to open the executable and look for the data? Probably
>not just any old hex editor? Also, do you have any more reference information
>about the PE format?
Open it as a file. I don't have any VB lying around, but here's some C
code:
#include <windows.h>

/* Offsets into the mapped file, derived from the DOS header's e_lfanew.
   These are the macros from Microsoft's pefile sample that the code below
   relies on; callers check bounds before dereferencing what they return. */
#define SIZE_OF_NT_SIGNATURE  sizeof(DWORD)
#define NTSIGNATURE(a)  ((LPVOID)((BYTE *)(a) + ((PIMAGE_DOS_HEADER)(a))->e_lfanew))
#define PEFHDROFFSET(a) ((LPVOID)((BYTE *)NTSIGNATURE(a) + SIZE_OF_NT_SIGNATURE))
#define OPTHDROFFSET(a) ((LPVOID)((BYTE *)PEFHDROFFSET(a) + sizeof(IMAGE_FILE_HEADER)))
#define SECHDROFFSET(a) ((LPVOID)((BYTE *)OPTHDROFFSET(a) + \
                         ((PIMAGE_FILE_HEADER)PEFHDROFFSET(a))->SizeOfOptionalHeader))

static DWORD ImageFileType (LPVOID pFile, DWORD lFileLength);
static BOOL  NumOfSections (LPVOID pFile, DWORD lFileLength, DWORD * plNumberSections);
static BOOL  ImageDirectoryOffset (LPVOID pFile, DWORD lFileLength,
                                   DWORD dwIMAGE_DIRECTORY, LPVOID * ppOffset);
static BOOL  ReadExportedFunctions (LPVOID pFile, DWORD lFileLength,
                                    int * plNumberOfExports);

/* TRUE if the cb bytes starting at pStart lie inside the mapped file.
   Done on offsets rather than casting pointers to DWORD, so it is also
   correct when built as 64-bit and cannot wrap around. */
static BOOL InFile (LPVOID pFile, DWORD lFileLength, LPCVOID pStart, SIZE_T cb)
{
    SIZE_T offset;

    if ((const BYTE *) pStart < (BYTE *) pFile)
    {
        return FALSE;
    }
    offset = (SIZE_T) ((const BYTE *) pStart - (BYTE *) pFile);
    return (offset <= lFileLength && cb <= lFileLength - offset);
}

BOOL __stdcall GetExportedFunctions (TCHAR * sFileName,
                                     int * plNumberOfExports)
{
    BOOL   bReturn      = FALSE;
    HANDLE hFile        = INVALID_HANDLE_VALUE;
    HANDLE hFileMapping = NULL;
    LPVOID pFile        = NULL;
    DWORD  lFileLength  = 0L;

    if (plNumberOfExports != NULL)
    {
        *plNumberOfExports = 0;
    }
    /* Map the file read-only: the image is only read here, never loaded
       or executed, so LoadLibrary is not involved at all. */
    hFile = CreateFile(sFileName,
                       GENERIC_READ,
                       FILE_SHARE_READ,
                       NULL,
                       OPEN_EXISTING,
                       0L,
                       NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        lFileLength = GetFileSize(hFile, NULL);
        if (lFileLength != INVALID_FILE_SIZE)
        {
            hFileMapping = CreateFileMapping(hFile,
                                             NULL,
                                             PAGE_READONLY,
                                             0L,
                                             0L,
                                             NULL);
            if (hFileMapping != NULL)
            {
                pFile = MapViewOfFile(hFileMapping, FILE_MAP_READ, 0L, 0L, 0L);
                if (pFile != NULL)
                {
                    bReturn = ReadExportedFunctions(pFile, lFileLength,
                                                    plNumberOfExports);
                    UnmapViewOfFile(pFile);
                }
                CloseHandle(hFileMapping);
            }
        }
        CloseHandle(hFile);
    }
    return bReturn;
}

/* Tells a plain DOS executable from an NE, LE or PE image by looking at
   the signature that e_lfanew points to. Returns 0 if there is not even
   a complete DOS header. */
static DWORD ImageFileType (LPVOID pFile,
                            DWORD lFileLength)
{
    DWORD  dwImage      = 0L;
    LPVOID pNTSignature = NULL;

    if (pFile != NULL &&
        InFile(pFile, lFileLength, pFile, sizeof(IMAGE_DOS_HEADER)))
    {
        /* dos file signature comes first */
        if (((PIMAGE_DOS_HEADER) pFile)->e_magic == IMAGE_DOS_SIGNATURE)
        {
            pNTSignature = NTSIGNATURE(pFile);
            /* e_lfanew comes from the file, so it may point anywhere */
            if (InFile(pFile, lFileLength, pNTSignature, SIZE_OF_NT_SIGNATURE))
            {
                /* determine location of PE File header from dos header */
                if (LOWORD (*(DWORD *)pNTSignature) == IMAGE_OS2_SIGNATURE)
                {
                    dwImage = IMAGE_OS2_SIGNATURE;
                }
                else if (LOWORD (*(DWORD *)pNTSignature) == IMAGE_OS2_SIGNATURE_LE)
                {
                    dwImage = IMAGE_OS2_SIGNATURE_LE;
                }
                else if (*(DWORD *)pNTSignature == IMAGE_NT_SIGNATURE)
                {
                    dwImage = IMAGE_NT_SIGNATURE;
                }
                else
                {
                    dwImage = IMAGE_DOS_SIGNATURE;
                }
            }
            else
            {
                dwImage = IMAGE_DOS_SIGNATURE;
            }
        }
    }
    return(dwImage);
}

/* Reads NumberOfSections out of the COFF file header that follows the
   PE signature. */
static BOOL NumOfSections (LPVOID pFile,
                           DWORD lFileLength,
                           DWORD * plNumberSections)
{
    PIMAGE_FILE_HEADER puFileHeader = (PIMAGE_FILE_HEADER) PEFHDROFFSET (pFile);

    if (!InFile(pFile, lFileLength, puFileHeader, sizeof(IMAGE_FILE_HEADER)))
    {
        return FALSE;
    }
    *plNumberSections = puFileHeader->NumberOfSections;
    return TRUE;
}

/* Looks up data directory entry dwIMAGE_DIRECTORY (for example
   IMAGE_DIRECTORY_ENTRY_EXPORT) and converts its RVA into a pointer into
   the mapped file, which is what the caller needs to read the table. */
static BOOL ImageDirectoryOffset (LPVOID pFile,
                                  DWORD lFileLength,
                                  DWORD dwIMAGE_DIRECTORY,
                                  LPVOID * ppOffset)
{
    BOOL                     bReturn         = FALSE;
    PIMAGE_OPTIONAL_HEADER32 puOptional      = NULL;
    PIMAGE_SECTION_HEADER    puSection       = NULL;
    DWORD                    lNumberSections = 0L;
    DWORD                    dwVA            = 0L;
    DWORD                    dwSize          = 0L;
    DWORD                    i;

    *ppOffset = NULL;
    /* A Win32 EXE or DLL is a PE32 image, so the 32-bit optional header
       layout is used explicitly (PIMAGE_OPTIONAL_HEADER would silently
       become the PE32+ layout in a 64-bit build); the Magic check rejects
       anything else. */
    puOptional = (PIMAGE_OPTIONAL_HEADER32) OPTHDROFFSET (pFile);
    if (InFile(pFile, lFileLength, puOptional, sizeof(IMAGE_OPTIONAL_HEADER32)) &&
        puOptional->Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    {
        puSection = (PIMAGE_SECTION_HEADER) SECHDROFFSET (pFile);
        /* must be 0 thru (NumberOfRvaAndSizes-1) */
        if (dwIMAGE_DIRECTORY < puOptional->NumberOfRvaAndSizes &&
            dwIMAGE_DIRECTORY < IMAGE_NUMBEROF_DIRECTORY_ENTRIES &&
            NumOfSections(pFile, lFileLength, &lNumberSections) &&
            lNumberSections > 0L &&
            InFile(pFile, lFileLength, puSection,
                   lNumberSections * sizeof(IMAGE_SECTION_HEADER)))
        {
            dwVA   = puOptional->DataDirectory[dwIMAGE_DIRECTORY].VirtualAddress;
            dwSize = puOptional->DataDirectory[dwIMAGE_DIRECTORY].Size;
            /* The entry is an RVA, not a file offset: find the section
               whose raw data covers it and translate through that section. */
            for (i = 0; i < lNumberSections && !bReturn; i++)
            {
                if (dwVA >= puSection[i].VirtualAddress &&
                    dwVA - puSection[i].VirtualAddress < puSection[i].SizeOfRawData)
                {
                    ULONGLONG qwOffset = (ULONGLONG) puSection[i].PointerToRawData +
                                         (dwVA - puSection[i].VirtualAddress);
                    if (dwSize != 0L && qwOffset + dwSize <= lFileLength)
                    {
                        *ppOffset = (BYTE *) pFile + qwOffset;
                        bReturn = TRUE;
                    }
                }
            }
        }
    }
    return(bReturn);
}

/* Finds the export directory (.edata) and reports how many named exports
   the image has. The names themselves hang off AddressOfNames, an array of
   RVAs that is translated the same way as the directory entry above. */
static BOOL ReadExportedFunctions (LPVOID pFile,
                                   DWORD lFileLength,
                                   int * plNumberOfExports)
{
    BOOL                    bReturn   = FALSE;
    PIMAGE_EXPORT_DIRECTORY puExports = NULL;
    LPVOID                  pOffset   = NULL;

    if (ImageFileType(pFile, lFileLength) == IMAGE_NT_SIGNATURE)
    {
        /* get section header and pointer to data directory for .edata section */
        if (ImageDirectoryOffset(pFile,
                                 lFileLength,
                                 IMAGE_DIRECTORY_ENTRY_EXPORT,
                                 &pOffset) &&
            InFile(pFile, lFileLength, pOffset, sizeof(IMAGE_EXPORT_DIRECTORY)))
        {
            puExports = (PIMAGE_EXPORT_DIRECTORY) pOffset;
            if (plNumberOfExports != NULL)
            {
                *plNumberOfExports = (int) puExports->NumberOfNames;
            }
            bReturn = TRUE;
        }
    }
    return(bReturn);
}
Overall, all you are doing is looking at the file, and traversing it,
reading as you go. The PE format is documented in MSDN.
Ciao, Craig
--
I've a terrible errible lot todue todie todue tootorribleday.
-- James Joyce
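The step Craig's skeleton stops short of, reading the export names out of the directory it locates, as an added example that is not from this thread or from any poster's code. It is Python rather than C so it runs without the Win32 headers; `build_sample_pe` is a constructed minimal PE32 image used only as test input, and every RVA is checked against the section table before it is dereferenced, which is the part that matters when the file you are parsing is not one you trust.

```python
import struct

def rva_to_off(rva, sections):  # RVA -> file offset via the section table, or None if unmapped
    for va, rsize, roff in sections:
        if va <= rva < va + rsize:
            return rva - va + roff
    return None

def exported_names(data):
    """Return the export name table of a PE32/PE32+ image, refusing RVAs that leave the file."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    nsect, opt_size = struct.unpack_from("<H12xH", data, e_lfanew + 6)  # NumberOfSections, SizeOfOptionalHeader
    opt = e_lfanew + 24                                                  # optional header start
    ddir = opt + (96 if struct.unpack_from("<H", data, opt)[0] == 0x10B else 112)  # data directory (PE32 / PE32+)
    nrva, exp_rva = struct.unpack_from("<II", data, ddir - 4)           # NumberOfRvaAndSizes, export RVA
    if not (nrva and exp_rva):
        return []                                                        # image exports nothing
    sections = [struct.unpack_from("<III", data, opt + opt_size + 40 * i + 12)
                for i in range(nsect)]       # (VirtualAddress, SizeOfRawData, PointerToRawData)
    off = rva_to_off(exp_rva, sections)
    if off is None or off + 40 > len(data):
        raise ValueError("export directory outside mapped file data")
    nnames, names_rva = struct.unpack_from("<I4xI", data, off + 24)    # NumberOfNames, AddressOfNames
    tab = rva_to_off(names_rva, sections)
    if tab is None or tab + 4 * nnames > len(data):
        raise ValueError("name pointer table outside mapped file data")
    def cstr(rva):                            # NUL-terminated name at an RVA, bounds-checked
        p = rva_to_off(rva, sections)
        end = data.find(b"\0", p) if p is not None else -1
        if end < 0:
            raise ValueError("export name RVA outside mapped file data")
        return data[p:end].decode("ascii", "replace")
    return [cstr(rva) for rva in struct.unpack_from("<%dI" % nnames, data, tab)]

def build_sample_pe(names, sec_va=0x1000, sec_off=0x200):
    """Constructed minimal PE32 image (not a real binary): one section holding an export directory."""
    body = bytearray(40 + 4 * len(names))    # IMAGE_EXPORT_DIRECTORY, then the name pointer table
    for i, n in enumerate(names):
        struct.pack_into("<I", body, 40 + 4 * i, sec_va + len(body))
        body += n.encode("ascii") + b"\0"
    struct.pack_into("<IIII", body, 20, len(names), len(names), 0, sec_va + 40)
    body = bytes(body).ljust(0x200, b"\0")
    hdr = b"MZ".ljust(60, b"\0") + struct.pack("<I", 64) + b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = struct.pack("<H90xIII", 0x10B, 16, sec_va, len(body)).ljust(224, b"\0")  # magic, NumberOfRvaAndSizes, export dir
    shdr = b".edata\0\0" + struct.pack("<IIIIIIHHI", len(body), sec_va, len(body), sec_off, 0, 0, 0, 0, 0x40000040)
    return (hdr + opt + shdr).ljust(sec_off, b"\0") + body
```

`exported_names(open(path, "rb").read())` does the same on a real EXE or DLL; a truncated or hostile file raises `ValueError` instead of reading past the end of the buffer.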
# 9 Re: How to start exe loaded with LoadLibrary?
Mike,
> What tool do I use to open the executable and look for the data? Probably
> not just any old hex editor? Also, do you have any more reference
> information about the PE format?
I've got some *old* code to determine the type of executable, including the
PE format at http://home.flash.net/~ljjohnsn/Code/wp0197p.zip. It gives you
a good introduction to munging thru the data found in the file header.
If you have the VBPJ CD archives, I have an article on this in the Jan 1997
issues (the web site only seems to go back to 1998 -- Phil?). You'll probably
want to look at the MSDN article "The Portable Executable File Format From
Top To Bottom".
--
L.J. Johnson, Slightly Tilted Software
Microsoft MVP (Visual Basic)
LJJohnsn@Flash.Net or LJJohnson@mvps.org
<http://www.flash.net/~ljjohnsn>
Ask The NT Pro at <http://www.inquiry.com>
# 11 Re: How to start exe loaded with LoadLibrary?
> The Web site only seems to go back to 1998 -- Phil?
L.J.: Where are you looking? When I look at the VBPJ archives page
( http://www.dev-archive.com/premier/archives/default.asp?PubId=1 ), I can see all
the way back to 1991.
--
Phil Weber
dev-archive.com, Inc.
# 13 Re: How to start exe loaded with LoadLibrary?
Phil,
> L.J.: Where are you looking? When I look at the VBPJ archives page
> ( http://www.dev-archive.com/premier/archives/default.asp?PubId=1 ), I can see
> all the way back to 1991.
Well, when I looked, it only went back to 1998 with a blank folder where
1997 would be. ****, y'all have moved VBPJ from the last time I was there
(it used to be second on the list). Being a creature of habit, I clicked
there (which is now exchange/outlook). Do I have to *read* the entries every
time to see where they've moved to <g>? Yes, you are absolutely correct, it
goes back to 1991.
--
L.J. Johnson, Slightly Tilted Software
Microsoft MVP (Visual Basic)
LJJohnsn@Flash.Net or LJJohnson@mvps.org
<http://www.flash.net/~ljjohnsn>
Ask The NT Pro at <http://www.inquiry.com>