Click here to Skip to main content
15,065,328 members
Articles / Programming Languages / C#
Posted 12 Nov 2001


98 bookmarked

Late binding on native DLLs with C#

Rate me:
Please Sign up or sign in to vote.
4.89/5 (51 votes)
12 Nov 2001BSD4 min read
Delaying which DLL export to call until runtime is not possible with C#. This article shows you how to make it possible.

Sample Image - DynInvok.gif


Consider the situation where the native, Win32 DLL is unknown at compile time. Perhaps its name or location is stored in the Windows Registry, or is selected by the user from a FileOpen dialog. How can we call a function exported from this library, but only resolved at runtime? The prescribed way to call native functions from the CLR is through PInvoke, using the DllImport attribute, but this must be declared at compile time or, at the very least, generated on the fly using Reflection.Emit. This article will show an alternative way which requires the use of a little x86 assembler to meet our goal.


Windows provides two ways to load DLLs into the process of an executable. Either, the DLL can be specified in the imports table and the Windows Loader will map the DLL automatically or the LoadLibrary() Win32 API call can be used. These are called implicit linking and explicit linking respectively. Both these types can be seen in action using Dependency Walker available from The CLR, Visual BASIC 6 and the /delayload feature of MSVC6 all use explicit linking to call DLL functions.

We can quite happily call

from C# to load a DLL into our address space. The problem comes when we try to call a function in the DLL. Win32 provides the GetProcAddress() function to return the memory address of a function exported from the given DLL and we can easily obtain this memory address, but we can do nothing with it. It is simply an integer. The CLR provides no way to jump to this location in memory, passing appropriate parameters too.

The CLR does allow us to do the reverse and pass a pointer to a managed function to a DLL using the delegate keyword, but there is no way to specify that a value returned from an unmanaged API call should be treated as a delegate. Perhaps we may see this in .Net version 2, but for now we need to find another way to call the function.

Going low-level

One solution would be to write a small C++ DLL which merely forwards the call on. In other words, the C++ DLL is acting as a proxy for our intended function. The downside is that a new C++ DLL would have to be created every time a different DLL function needs to be called. The proxy function needs the exact number of parameters that the real function takes. Every C# programmer needs to know C++ to be able to do this.

A much better solution is to write a small, reusable DLL in x86 assembly language which can forward function calls to any location. This is trivial to write if we know a bit about how Win32 DLLs are called. All DLLs are called using the stdcall calling convention. This means that parameters are pushed onto the stack beginning at the right-most parameter. Thus, the first in the parameter list will be at the top of the stack. The return address is then placed on the stack and control is transferred to the callee. It is the callee's responsibility to pop all the parameters off the stack and not fiddle with more registers than absolutely necessary.

Consider the following function declaration:

[DllImport("Invoke", CharSet=CharSet.Unicode)]
public extern static int InvokeFunc(int funcptr, int hwnd, 
                                    string message, string title, int flags);
It is implemented in a DLL called Invoke.dll and has the export name InvokeFunc. It also takes five parameters, of which the last four are the exact parameters taken by the MessageBox() function. The first parameter is an address of a function. We will leave the implementation of InvokeFunc for now and look at code which can call this.
int hmod=LoadLibrary("User32");
int funcaddr=GetProcAddress(hmod, "MessageBoxW");
int result=InvokeFunc(funcaddr, 0, "Hello World", 
                      ".Net dynamic export invocation", 1 /*MB_OKCANCEL*/);
Console.WriteLine("Result of invocation is " + result);

This code loads the DLL into our process space, finds the address of a function we wish to call, then uses our special
function to call a function through a function pointer.

Screenshot of Dependency Walker watching this taking place

In the screenshot above, notice how GetProcAddress() is being used to find the address of GetProcAddress()! This is because PInvoke uses GetProcAddress to find the address of any function specified by the DllImport attribute.

InvokeFunc Implementation

As we discussed earlier, the stdcall calling conventions places parameters onto the stack in reverse order. Thus, our function pointer will be at the top of the stack because it is first in the parameter list. If we can take this parameter off the stack, then jump to that location in memory, it would be the equivalent of calling that function without the intermediate proxy function.

The following fragment of x86 assembler achieves this

pop ecx		; save return address
pop edx		; Get function pointer
push ecx	; Restore return address
jmp edx		; Transfer control to the function pointer
Because we've used a jmp instruction rather than a call instruction, control will be transferred directly from the called function back to the CLR, passing any return value directly back.


Everything needed to compile and run this code is included with Visual Studio .Net. The x86 DLL built can be reused for calling any function pointer, not just a function with a specific signature and is only 2,560 bytes.

It turns out that if you are not running .Net on Windows XP, there is a DLL with an equivalent proxy function to the one we built. That DLL is msjava.dll, which of course is missing from Windows XP due to the Microsoft-Sun agreement on Java technology. msjava.dll provides an export with the name call() which duplicates this functionality.


This article, along with any associated source code and files, is licensed under The BSD License


About the Author

Richard Birkby
Web Developer
United Kingdom United Kingdom
Richard Birkby is a software engineer from London, UK, specializing in .Net. Richard has coded for many different sized companies from small venture-capital funded start-ups, to multi-national corporations (ie Microsoft). When he's not programming, he enjoys driving his sports car or eating curry (although never at the same time!).

Richard helps run and has several other covert ventures in development. Stay tuned!

Comments and Discussions

QuestionHow to work on X64? Pin
jg@jy1-Oct-13 22:46
Memberjg@jy1-Oct-13 22:46 
AnswerRe: How to work on X64? Pin
TheGreatAndPowerfulOz11-Oct-13 0:14
MemberTheGreatAndPowerfulOz11-Oct-13 0:14 
QuestionLoading unmanaged DLL from memory Pin
FlyersWeb5-Nov-12 10:19
MemberFlyersWeb5-Nov-12 10:19 
AnswerRe: Loading unmanaged DLL from memory Pin
Shawn-USA5-Aug-13 15:11
MemberShawn-USA5-Aug-13 15:11 
SuggestionDynamically calling an unmanaged dll from .NET (C#) Pin
Damavand2-Mar-12 4:08
MemberDamavand2-Mar-12 4:08 
GeneralRe: Dynamically calling an unmanaged dll from .NET (C#) Pin
Richard Birkby2-Mar-12 6:09
MemberRichard Birkby2-Mar-12 6:09 
QuestionI had to change the makefile a bit to path to Csc.exe Pin
dcarl66117-Aug-11 6:19
Memberdcarl66117-Aug-11 6:19 
GeneralLoading User dlls Pin
Debojyoti Majumder14-Jan-11 1:46
MemberDebojyoti Majumder14-Jan-11 1:46 
QuestionCreate invoke.dll on 64-bit machines Pin
Alexander Pikus3-Oct-10 3:58
MemberAlexander Pikus3-Oct-10 3:58 
AnswerRe: Create invoke.dll on 64-bit machines Pin
jg@jy1-Oct-13 13:47
Memberjg@jy1-Oct-13 13:47 
GeneralDon't do this any more PinPopular
Moxxis7-Jun-10 8:42
MemberMoxxis7-Jun-10 8:42 
Questionwithout asm? Pin
Huisheng Chen18-Dec-09 1:59
MemberHuisheng Chen18-Dec-09 1:59 
GeneralEasy way (.Net Marshaling) Pin
JonyRocketCZ25-Nov-09 3:42
MemberJonyRocketCZ25-Nov-09 3:42 
GeneralRe: Easy way (.Net Marshaling) Pin
Richard Birkby25-Nov-09 3:49
MemberRichard Birkby25-Nov-09 3:49 
GeneralRe: Easy way (.Net Marshaling) Pin
Huisheng Chen18-Dec-09 1:58
MemberHuisheng Chen18-Dec-09 1:58 
Questioncall fun when not add references Pin
huuchau8419-Mar-09 19:07
Memberhuuchau8419-Mar-09 19:07 
AnswerExcellent article Pin
defconhaya7-Mar-09 4:03
Memberdefconhaya7-Mar-09 4:03 
GeneralRe: Excellent article Pin
jg@jy1-Oct-13 13:49
Memberjg@jy1-Oct-13 13:49 
GeneralDynamicly load a DLL functions Pin
Member 453941111-Feb-09 6:41
MemberMember 453941111-Feb-09 6:41 
QuestionLINK: error LNK2001: unresolved external symbol _DLLMain Pin
nate alwine12-Nov-08 11:33
Membernate alwine12-Nov-08 11:33 
QuestionDLLImport Pin
gclopes18-Sep-08 7:24
Membergclopes18-Sep-08 7:24 
QuestionHow to compile code written in assembler language? Pin
Member 6628769-Jul-08 22:19
MemberMember 6628769-Jul-08 22:19 
GeneralIs it possible to elevate this process for Vista Pin
yincekara11-Jun-08 6:12
Memberyincekara11-Jun-08 6:12 
GeneralCompile time linking of dll Pin
harsh290414-Apr-08 22:31
Memberharsh290414-Apr-08 22:31 
GeneralRe: Compile time linking of dll Pin
Mike_Silver_A2-Oct-08 0:53
MemberMike_Silver_A2-Oct-08 0:53 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.