Hi,

I have a requirement to list all imported functions by parsing the PE file.
If an exe or dll implicitly links a dll (using an import library), I can get all the invoked functions from the import table. But if any dll or exe explicitly links a dll, then the import table will not have an entry for the dll which is linked explicitly.

Kindly let me know how to get the list of all external functions invoked when the dll is explicitly loaded.
Comments
Richard MacCutchan 2-Mar-12 3:05am    
Unless you can identify each point in the code where GetProcAddress() is invoked there is no way to do it.

The previous solution entry deals only with the libraries that are linked statically (you called it 'implicitly'). These can easily be found by looking at the PE file with the aforementioned tools.

But I understand that you also want a list of all libraries and functions that are loaded at runtime by calls to LoadLibrary and GetProcAddress. To the best of my knowledge there is no reliable way of finding those. For example, a program could compile the name of a library by concatenating several strings and then call LoadLibrary. In that case you won't even find the library name in the PE file. The only way of detecting these references is to search the program for calls to LoadLibrary, then reverse engineer the code that constructs the library name, then analyze all GetProcAddress calls for that library in the same way. That can be as easy as looking up a string or as difficult as analyzing cryptographic code when the name is encoded in some secret way.

In summary: If a developer wants to hide which libraries are being used at runtime, he can very well do that and you won't be able to find out by just statically analyzing the PE file.
 
Share this answer
 
You can get complete specification of PE here:
http://msdn.microsoft.com/en-us/windows/hardware/gg463119.aspx.

You can find other documents in references to the Wikipedia article:
http://en.wikipedia.org/wiki/Portable_Executable.

This information is enough to make a list of entry names in exports as well as dependencies (explicitly imported DLLs and entry points).

This CodeProject article provides some description and source code for PE parsing, but some readers criticized this work for some problems and code quality. At least it could help you get the idea of what's involved:
Parse a PE (EXE, DLL, OCX Files ) and New Dependency Walker.

Some parsing is also shown in this CodeProject article, but I don't see that it looks for exports or imports. Good to take a look, anyway:
XPEInfo - a non-MFC class to get info from PE file.

See also:
http://www.csn.ul.ie/~caolan/pub/winresdump/winresdump/doc/pefile2.html — a very detailed article,
XPEInfo - a non-MFC class to get info from PE file.

—SA
 
Share this answer
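
As an added illustration of both answers above (not code from either poster or from the linked articles): a standard-library Python parser that walks the import directory described in the PE specification and reports which run-time resolver APIs (LoadLibrary*, GetProcAddress) the file imports. Their presence shows that explicit linking is possible, while the names passed to them never appear in the table. The function names and the tiny PE32 image built by `build_sample` are constructed for this example.

```python
import struct

RUNTIME_APIS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW", "GetProcAddress"}

def cstr(data, pos):
    return data[pos:data.index(b"\0", pos)].decode("ascii")

def parse_imports(data):
    """Return {dll: [names or #ordinals]} from a PE32/PE32+ import directory."""
    pe, = struct.unpack_from("<I", data, 0x3C)                       # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, optsize, _, magic = struct.unpack_from("<H12xHHH", data, pe + 6)
    opt, plus = pe + 24, magic == 0x20B                              # 0x20B = PE32+
    imp_rva, = struct.unpack_from("<I", data, opt + (112 if plus else 96) + 8)
    secs = [struct.unpack_from("<4I", data, opt + optsize + 40 * i + 8) for i in range(nsec)]
    def off(rva):                                                    # RVA -> file offset
        for vsize, va, rsize, raw in secs:
            if va <= rva < va + max(vsize, rsize):
                return raw + rva - va
        raise ValueError(f"RVA {rva:#x} is outside every section")
    width, fmt = (8, "<Q") if plus else (4, "<I")
    imports, d = {}, off(imp_rva) if imp_rva else None
    while d is not None and any(desc := struct.unpack_from("<5I", data, d)):
        ilt, _, _, name, iat = desc                                  # 20-byte import descriptor
        names, t = [], off(ilt or iat)
        while (v := struct.unpack_from(fmt, data, t)[0]):            # zero thunk ends the list
            names.append(f"#{v & 0xFFFF}" if v >> (width * 8 - 1) else cstr(data, off(v & 0x7FFFFFFF) + 2))
            t += width
        imports[cstr(data, off(name))] = names
        d += 20
    return imports

def runtime_linking_apis(imports):  # resolver APIs; what they load is NOT in the table
    return sorted({f for funcs in imports.values() for f in funcs} & RUNTIME_APIS)

def build_sample():
    """Constructed minimal PE32 image (not a real program): one section, three KERNEL32 imports."""
    base, dll, blobs, thunks = 0x1000, b"KERNEL32.dll\0", b"", []
    ilt, name = base + 40, base + 56      # thunks follow descriptor + terminator; DLL name follows 4 thunks
    for f in (b"LoadLibraryA", b"GetProcAddress", b"ExitProcess"):
        thunks.append(name + len(dll) + len(blobs))
        blobs += b"\0\0" + f + b"\0"      # 2-byte hint + NUL-terminated name
    sec = struct.pack("<5I20x4I", ilt, 0, 0, name, ilt, *thunks, 0) + dll + blobs
    hdr = b"MZ" + bytes(58) + struct.pack("<I4sHHIIIHH", 64, b"PE\0\0", 0x14C, 1, 0, 0, 0, 224, 0x102)
    hdr += struct.pack("<H102xII112x8sIIII16x", 0x10B, base, 40, b".idata", 0x200, base, 0x200, 0x200)
    return hdr.ljust(0x200, b"\0") + sec.ljust(0x200, b"\0")

if __name__ == "__main__":
    print(runtime_linking_apis(parse_imports(build_sample())))
```

A non-empty result from `runtime_linking_apis` only says that explicit linking can happen; recovering which DLLs and functions are requested still requires analyzing the code around each call, as the first answer describes.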
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)