Hello,
I have made further tests to get past this problem.
LoadLibraryEx did the same thing, except when used like this:
Quote
invoke LoadLibraryEx,pchemin,NULL,LOAD_LIBRARY_AS_DATAFILE
I just want a list of its functions. Loaded like that, the normal PE way to find them is out:
Quote
mov edi,hModule
add edi,[edi].IMAGE_DOS_HEADER.e_lfanew
mov edi,[edi].IMAGE_NT_HEADERS32.OptionalHeader.DataDirectory.VirtualAddress
add edi,hModule
mov ebx,edi
mov eax,[edi].IMAGE_EXPORT_DIRECTORY.NumberOfNames
mov esi,[edi].IMAGE_EXPORT_DIRECTORY.AddressOfNames ;table of addresses
add esi,hModule
mov counter,eax
Perhaps someone has experienced the same thing?
i just use the dependency walker :t
one of Vortex's utilities does it, also, i think
invoke CreateFile,offset szExeName,GENERIC_READ,0,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0
mov hFile,eax
invoke CreateFileMapping,eax,0,SEC_IMAGE or PAGE_READONLY,0,0,offset szMappingName
mov hMapping,eax
invoke MapViewOfFile,eax,FILE_MAP_READ,0,0,0
EAX - pointer to a properly mapped but not processed PE file.
Thanks for answers
It's ok now
You can get the PE header with LoadLibraryEx
and parse through to the import and export tables ;)
; Load the requested library, without executing it.
invoke LoadLibraryEx,CTEXT ("xxx.dll"),NULL,DONT_RESOLVE_DLL_REFERENCES
EAX is now the pointer to the PE header
10000000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF MZ.......ÿ
Now you can parse through to the import or export table
Regards,
Quote
You can get the PE header with LoadLibraryEx
and parse through to the import and export tables
Alas!!!! This doesn't work; some DLLs crash right in the LoadLibrary call.
bootvid.dll is one of them, and there is also the DLL with no readable memory.
This proc makes a test after LoadLibrary has not failed.
Quote
;################################################################
; Returns 1 in eax unless VirtualQuery fails or the region's
; AllocationProtect is 0, PAGE_NOACCESS, PAGE_EXECUTE or PAGE_GUARD.
Autorise PROC pchain:DWORD
    Local mem_basic_inf:MEMORY_BASIC_INFORMATION
    Local retour:DWORD
    mov retour,0                    ; default answer: not allowed
    mov edx,pchain
    invoke VirtualQuery,pchain,addr mem_basic_inf,sizeof mem_basic_inf
    .if eax != 0                    ; 0 means VirtualQuery failed
        mov eax,mem_basic_inf.AllocationProtect
        .if eax == 0                ; AllocationProtect of 0: give up
            jmp fin
        .endif
        and eax,PAGE_NOACCESS
        jnz fin
        mov eax,mem_basic_inf.AllocationProtect
        and eax,PAGE_EXECUTE
        jnz fin
        mov eax,mem_basic_inf.AllocationProtect
        and eax,PAGE_GUARD
        jnz fin
        mov retour,1                ; none of the rejected protections is set
    .endif
fin:
FindeAutorise:
    mov eax,retour
    ret
Autorise endp
Did you think, as I did, that it was simple to make a list of the functions of all the DLLs?
It isn't.
Try this one "nv4_disp.dll" with CreateFileMapping or other things.....
i am curious...
what are you doing with bootvid.dll ?
are you trying to modify the splash screen (boot screen) ?
I am just trying to get a database of all functions with their DLL, library, include files... and so on.
No more.
i believe that file provides a basic video driver for use during boot - prior to loading of the real video driver
it allows the system to display the splash screen while the other drivers are being loaded
under XP, it is a 16-color 640x480 image - stretched out to 800x600, i think
it may also provide basic video capabilities during safe mode
I think the BOOTVID.DLL functions are likely to require, as a minimum, a prior call to the InbvAcquireDisplayOwnership function in NTOSKERNEL.EXE. My attempt to call the VidInitialize function triggered an access violation in RtlAllocateHeap (running under Windows 2000).
The attachment contains what I have. I used BOOTVID.DLL version 5.1.2600.0 from my XP SP3 system.
I searched for a program that just fails instead of crashing when loading the library.
It is this one.
http://msdn.microsoft.com/en-us/library/ms177531(v=vs.80).aspx
I have tried to make it work without the CRT, in MASM, but failed.
An object file, written in MASM, loading the library, is able to just fail when inserted in this program.
The easy way to get a list of exported functions from a dll..
link /dump /exports C:\WINDOWS\system32\bootvid.dll
You'll probably want to edit the output a little, but it's simple enough. Using "*.dll" will also work ;)
Assuming you just want the list. If you want to do it yourself there's a little more work, but it's just a case of parsing the PE structure, finding the exports table, and parsing it. You don't need to load the dll, and you shouldn't really (dllentry will be executed.)
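The approach Tedd describes (parse the PE structure on disk, without loading the DLL), as an added example that is not part of the thread: it reads the export table from raw file bytes and translates each RVA to a file offset through the section table, which is the step the hModule-based walk in the first post lacks when the file is treated as flat data. `list_exports` and `build_sample` are hypothetical names, and the sample image is constructed here (two export names borrowed from the dump in this thread), not a real DLL.

```python
import struct

def list_exports(data):
    """Return [(ordinal, rva, name)] read from raw PE bytes; nothing is loaded or run."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # IMAGE_DOS_HEADER.e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24                                            # start of optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    ddir = opt + {0x10B: 96, 0x20B: 112}[magic]              # PE32 / PE32+ DataDirectory
    exp_rva = struct.unpack_from("<I", data, ddir)[0]        # entry 0 = export table
    if exp_rva == 0:
        return []                                            # DLL exports nothing
    sects = [struct.unpack_from("<8x4I", data, opt + opt_size + 40 * i)
             for i in range(nsect)]

    def off(rva):
        # RVA -> file offset via the section table; a loaded image needs no such step
        for _vsize, vaddr, raw_size, raw_ptr in sects:
            if vaddr <= rva < vaddr + raw_size:
                return rva - vaddr + raw_ptr
        raise ValueError("RVA 0x%X is not backed by file data" % rva)
    u32 = lambda o: struct.unpack_from("<I", data, o)[0]
    # IMAGE_EXPORT_DIRECTORY from Base (+16) through AddressOfNameOrdinals (+36)
    base, _, nnames, funcs, names, ords = struct.unpack_from("<6I", data, off(exp_rva) + 16)
    out = []
    for i in range(nnames):
        idx = struct.unpack_from("<H", data, off(ords) + 2 * i)[0]
        s = off(u32(off(names) + 4 * i))
        name = data[s:data.index(b"\0", s)].decode("ascii", "replace")
        out.append((base + idx, u32(off(funcs) + 4 * idx), name))
    return out

def build_sample():
    """Constructed one-section PE32 (not a real DLL): RVA 0x1000 sits at file offset 0x200."""
    va, strs = 0x1000, [b"VidBitBlt\0", b"VidBufferToScreenBlt\0"]
    sect = struct.pack("<IIHH7I", 0, 0, 0, 0, 0, 1, 2, 2, va + 40, va + 48, va + 56)
    sect += struct.pack("<4I2H", 0x17D6, 0x14CC, va + 60, va + 60 + len(strs[0]), 0, 1)
    sect += b"".join(strs)
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    hdr += (struct.pack("<H", 0x10B).ljust(92, b"\0")
            + struct.pack("<3I", 16, va, len(sect))).ljust(224, b"\0")
    hdr += b".edata\0\0" + struct.pack("<4I16x", len(sect), va, 0x200, 0x200)
    return hdr.ljust(0x200, b"\0") + sect.ljust(0x200, b"\0")

if __name__ == "__main__":
    print(*list_exports(build_sample()), sep="\n")
```

For a real file, pass the bytes from `open(path, "rb").read()`; a forwarded export shows up with an RVA that points back inside the export directory rather than at code.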
nice, Tedd :t
here's what i get under XP MCE2005 SP3
Microsoft (R) COFF Binary File Dumper Version 5.12.8078
Copyright (C) Microsoft Corp 1992-1998. All rights reserved.

Dump of file C:\WINDOWS\system32\bootvid.dll

File Type: DLL

  Section contains the following exports for BOOTVID.dll

           0 characteristics
    3B7D7304 time date stamp Fri Aug 17 12:39:48 2001
        0.00 version
           1 ordinal base
          11 number of functions
          11 number of names

    ordinal hint RVA      name

          1    0 000017D6 VidBitBlt
          2    1 000014CC VidBufferToScreenBlt
          3    2 0000166A VidCleanUp
          4    3 00001694 VidDisplayString
          5    4 000017B2 VidDisplayStringXY
          6    5 00000834 VidInitialize
          7    6 0000094E VidResetDisplay
          8    7 000013A0 VidScreenToBufferBlt
          9    8 00001634 VidSetScrollRegion
         10    9 00000C2E VidSetTextColor
         11    A 00000A7C VidSolidColorFill

  Summary

         E00 .data
         180 .edata
         180 .reloc
         400 .rsrc
        1600 .text
         200 INIT
I generate DEF files directly with pexports.exe from a MinGW installation. Although I don't use it this way, it has the ability to parse header files to get the correct decoration for stdcall symbols. The file format is generally usable with the Microsoft tools, but sometimes it's necessary to massage the export definitions to sort everything out.
Here is a test program to get the exported functions of the system32 DLLs.
It uses the CreateFileMapping function.
It shows no trouble with the DLLs in Win XP (system32).
A message box (10 s) prompts you when it is finished.
It writes dllsystem.txt in the current directory.