Exetools  

Go Back   Exetools > General > General Discussion
Reload this Page where are second level dll functions
Register Forum Rules FAQ Calendar

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 01-21-2005, 10:02
raygun
 
Posts: n/a
where are second level dll functions
how to find where the pointers to Indirect dll functions reside in your exe (when a dll you call calls another dll) They are not in the import table yet programs like Dependency Walker, Ollydbg etc. can find them. How does it do this?
Reply With Quote
  #2  
Old 01-21-2005, 12:58
doug
 
Posts: n/a
Dependency Walker does what its name implies and _walks_ through your import table looking for DLLs, then through all imports of the DLLs in your import table and repeats this process recursively until it stops discovering new modules.

This is the same thing as listing files/directories. When you find a directory, you open it, and start over the search process from there.

=> Search the import tables, when you find a new DLL, you open that DLL and start hunting for more new DLLs.

Why do you need to find this?
Reply With Quote
  #3  
Old 01-24-2005, 05:56
raygun
 
Posts: n/a
Some indidrect dll stuff is in rdata area
That can't be all. I know the dlls have their own import tables that reference other dlls functions etc. But yet in exe files compiled with vc++6.0 I see the
IAT at the start of rdata section, the import table (dll names and function names) at the end of the rdata section and between -- among all the tables of function pointers for functions called by the program --- what seems to be references to other dlls called by the dlls listed in the import table. Eg. reference to the c runtime library used by one of the dlls in the import table etc. etc.

Why I need to know this: for reenabling demo-disabled items like print, save, many demo programs use a common technique of thunks - the program calls a vbl (memory location) with call dword ptr at this location it gets an address in the rdata section. At this adress in the rdata area is the address of the routine needed. So another call dword ptr on this address in the rdata area gets the function called in the program. In other words - the rdata area array is the address of the actual function to call - that is an address back in the program .text area. But the problem is finding the boundaries of the array of thunks - (function pointers for the C people). And sorting out the indirect dll function stuff - which somehow seems to be in there as well.
Reply With Quote
Reply

« Previous Thread | Next Thread »

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
about level Utshiha General Discussion 2 09-26-2014 15:20
How to?-How to mark a file at the OS level SOLAR General Discussion 7 05-30-2005 21:28
Low level WinNT debugger auroras General Discussion 30 08-15-2004 22:55


All times are GMT +8. The time now is 11:10.

Aaron's homepage - Top

Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )