Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   where are second level dll functions (https://forum.exetools.com/showthread.php?t=6495)

raygun 01-21-2005 10:02
where are second level dll functions
 
how to find where the pointers to Indirect dll functions reside in your exe (when a dll you call calls another dll) They are not in the import table yet programs like Dependency Walker, Ollydbg etc. can find them. How does it do this?

doug 01-21-2005 12:58
Dependency Walker does what its name implies and _walks_ through your import table looking for DLLs, then through all imports of the DLLs in your import table and repeats this process recursively until it stops discovering new modules.

This is the same thing as listing files/directories. When you find a directory, you open it, and start over the search process from there.

=> Search the import tables, when you find a new DLL, you open that DLL and start hunting for more new DLLs.

Why do you need to find this?

raygun 01-24-2005 05:56
Some indidrect dll stuff is in rdata area
 
That can't be all. I know the dlls have their own import tables that reference other dlls functions etc. But yet in exe files compiled with vc++6.0 I see the
IAT at the start of rdata section, the import table (dll names and function names) at the end of the rdata section and between -- among all the tables of function pointers for functions called by the program --- what seems to be references to other dlls called by the dlls listed in the import table. Eg. reference to the c runtime library used by one of the dlls in the import table etc. etc.

Why I need to know this: for reenabling demo-disabled items like print, save, many demo programs use a common technique of thunks - the program calls a vbl (memory location) with call dword ptr at this location it gets an address in the rdata section. At this adress in the rdata area is the address of the routine needed. So another call dword ptr on this address in the rdata area gets the function called in the program. In other words - the rdata area array is the address of the actual function to call - that is an address back in the program .text area. But the problem is finding the boundaries of the array of thunks - (function pointers for the C people). And sorting out the indirect dll function stuff - which somehow seems to be in there as well.


All times are GMT +8. The time now is 14:39.

Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2026, vBulletin Solutions, Inc.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX