How to call non-exported functions of a DLL? - dll

I need to call (get) non-exported functions of a DLL. Unlike PE export table, non-exports do not have any table having entries for these. More over, all disassembler like IDAPro and other debuggers only show exported function names with decorated names (After Shift+F3 in case of IDA) and show all other functions like sub_000FF sorts of.
Any idea how to get and call non-exported functions of DLL programmatically? (GetProcAddress after LoadLibrary only calls decorated exported functions not designed for non exports.)

I solved the problem myself after usage of of DIA SDK .
I collected the function address from there and then via assembly rotuines I am able to call the function directly.
Thanks everybody for comments.

Related

Is it possible to record data being passed from a program to a library or a function using DLL injection

Is it possible to use DLL injection to record the data passed in a function call and can this system be used for internal calls and external calls aswell? And how would one achieve that in rough terms?
Thanks in advance
Yes its possible. When a call is hooked, you can take the arguments and record as you like. For internal calls, you will probably need to know the VTables to hook those calls by their index in VTable.

Get library interface from dll

i have a compiled dll library but i have no documentation about it. There is a way to get the public interface of a dll (at least function names, params numbers and type).
Thanks
You would have to decompile it and analyze each function, its calling convention, parametrs count, parameters meaning (unless it comes with some PDB, but I doubt it), I've done something like this before, it's complicated work, but it can be done.
In order to retrieve the public symbols (functions and variables) exported by a Dynamic-Link Library, one can use the well-known dependency walker. Parameters and Types are only available when the associated PDB file is available (which does not seems to be your case).
You could use the OLEViewer that comes with Visual Studio to view the TypeLib of the DLL if it is a COM library. This would give you the information you need.

Can I use MSVCRT functions in my DLL Delay-Load Handler function?

I have already added delay loading to my project, using the instructions in
http://msdn.microsoft.com/en-us/library/151kt790.aspx
In the "delayhlp.cpp" (a sample implementation of the DLL load helper) __HrLoadAllImportsForDll, I saw that the writer avoids using any Standard C Library (MSVCRT) functions. Do I need to do the same in my handler function, which will be called by the sample DLL load helper?
I think the writer's reason is that someone might try to delay-load MSVCRT itself. I'm not going to do this. Will it then be safe for me to use MSVCRT functions?
Background Info. The reason for delay-loading the 3rd party DLL is because there is a function signature change between two versions, and I need to run my program using either version. I then provide a simple wrapper function to adapt the DLL's function signature to the one needed. This function is registered by the Delay-Load Handler (__pfnDliFailureHook2), when GetProcAddress fails.
Some testing. I added a breakpoint at the beginning of my handler function. I found that when the breakpoint is hit, the msvcrt.dll and msvcr90d.dll etc are already loaded (from Visual Studio's Modules pane). Does it mean that I can call CRT functions safely?
// Check to see if it is the DLL we want to load.
// Intentionally case sensitive to avoid complication of using the CRT
// for those that don't use the CRT...the user can replace this with
// a variant of a case insenstive comparison routine.
//
That's the more relevant comment, for those that don't use the CRT. You won't have a problem, the CRT is always loaded by the startup code.

What's the principle of LOADDLL.EXE?

It can be used to run arbitary Dynamic Link Library in windows,
how can it possibly know the entry point of an arbitary dll?
The answer depends on how much details you need. Basically, it comes down to this:
A DLL can optionally specify an entry-point function. If present, the system calls the entry-point function whenever a process or thread loads or unloads the DLL.
[...] If you are providing your own entry-point, see the DllMain function. The name DllMain is a placeholder for a user-defined function. You must specify the actual name you use when you build your DLL.
(Taken from the MSDN article Dynamic-Link Library Entry-Point Function.)
So basically, the entry point can be specified inside the DLL, and the operating system's DLL loader knows how to look this up.
The IMAGE_OPTIONAL_HEADER (part of the portable executable's header on Windows machines) contains an RVA of the AddressOfEntryPoint that is called by programs looking for an entry point to call (e.g., the loader).
More information on the IMAGE_OPTIONAL_HEADER can be found here. And this paper is good for just general PE knowledge.
What do you mean by "run a DLL"? DLLs aren't normal programs, they are just a collection of functions. The entry point itself usually doesn't do much apart from initializing stuff required by other functions in the DLL. The entry point is automatically called when the DLL is loaded (you can use LoadLibrary to do this).
If you want to call a specific function after loading the DLL, you can use GetProcAddress to get a pointer to the function you want.

How to get function name against function address by reading co-classs'es vtable?

I need to call the co-class function by reading its address from vtable of COM exposed interface methods. I need some generic way to read addresses.
Now I need to call the function, which would have specific address(NOT KNOWN) arguments(parameters) which I have collected from TLB, and name as well. How that address corresponds to that function name to which I am going to call.
For this I need to traverse vtable which is holding functional addresses, LASTLY need to correspond function address with NAME of that function. This is I dont know. How? More over one function with the same name may appear in vtable(Overloading case). In that case we need to distinguish function names w.r.t their addresses. How to tackle ?
Regards
Usman
Respectfully Sir.!!
I am designing a Unit Testing framework for which I need to pull out all function signatures of certain COM Exe or COM DLL to show in the grid or whatever interface to user, so that later by selecting certain function signature from that list, He/She can execute that function after providing the arguments(data as parameters) to that function. All this would be done dynamically at runtime, on runtime function will be called whatever user wants.
This can be achieved from various ways.
By providing TLB(Type libraries) we can pull every function signature and can show every signature to Grid control or on Tree control. Second step is to call these functions at runtime by providing data. Calling require data and address of functions(or Names). I would have some GUI panel or control which will take the data from user and that data would then become as arguments.
Now real problem comes for which I posted earlier. Call to functions/methods of that interface exposed by COM component implemented by co-class. This requires to trail down vtable of interface exposed by component , finding the address of that function and then need to know IS IT REALLY THAT ADDRESS TO WHICH I AM GOING TO CALL AS FUNCTION? So this requires to translate that address to function name and then comparison some string comparison would decide that whether it was really that function name which USER CLICKED from Tree Control showing signatures.
Suggestions or reccommendations?
Call ITypeInfo::GetFuncDesc for each function and the FUNCDESC structure you get back contains the vtable index in the oVft member. Cast an interfaces vtable to void** and just use it as an index.
Of course quite why you need to do this I do not know :)