How to get list of all imported functions invoked via GetProcAddress


Problem description




Hi,

I have a requirement to list all imported functions by parsing PE.
If an exe or dll implicitly links a dll (using import library), I can get all the invoked functions from import table. But if any dll or exe explicitly links a dll, then the import table will not have an entry for that dll which is linked explicitly.

Kindly let me know how to get the list of all external functions invoked when the dll is explicitly loaded.

Recommended answer

The previous solution entry deals only with the libraries that are linked statically (you called it 'implicitly'). These can easily be found by looking at the PE file with the before-mentioned tools.

But I understand that you also want a list of all libraries and functions that are loaded at runtime by calls to LoadLibrary and GetProcAddress. To my best knowledge there is no reliable way of finding those. For example, a program could compile the name of a library by concatenating several strings and then call LoadLibrary. In that case you won't even find the library name in the PE file. The only way of detecting these references is to search the program for calls to LoadLibrary, then reverse engineer the code that constructs the library name, then analyze all GetProcAddress calls for that library in the same way. That can be as easy as looking up a string or as difficult as analyzing cryptographic code when the name is encoded in some secret way.

In summary: If a developer wants to hide which libraries are being used at runtime, he can very well do that and you won't be able to find out by just statically analyzing the PE file.
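The static pass this answer describes, as an added example that is not code from the original thread: a minimal PE32 import-directory parser that reports which kernel32 loader APIs a file imports and which plain-text `*.dll` strings it contains, run against a constructed in-memory image. It handles PE32 (32-bit) headers only, and the names `parse_imports`, `dynamic_link_indicators` and `build_sample_pe` are this example's own; a DLL name assembled at runtime, the case the answer warns about, leaves nothing for this check to find.

```python
import re, struct

def _rva_to_off(rva, sections):
    """Map an RVA to a file offset; a section is (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)."""
    for vsz, va, rsz, raw in sections:
        if va <= rva < va + max(vsz, rsz):
            return rva - va + raw
    raise ValueError("RVA %#x lies in no section" % rva)

def parse_imports(data):
    """Return {dll: [function or 'ordinal:N']} from a PE32 file's import directory (PE32+ not handled)."""
    cstr = lambda off: data[off:data.index(b"\0", off)].decode("ascii", "replace")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                            # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    imp_rva = struct.unpack_from("<I", data, pe + 24 + 96 + 8)[0]           # DataDirectory[1] = import table
    sections = [struct.unpack_from("<IIII", data, pe + 24 + opt_size + 40 * i + 8) for i in range(nsec)]
    imports, desc = {}, _rva_to_off(imp_rva, sections) if imp_rva else 0
    while desc:                                                             # IMAGE_IMPORT_DESCRIPTOR walk
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0: break                                             # all-zero terminator
        thunk, funcs = _rva_to_off(oft or ft, sections), []
        while (entry := struct.unpack_from("<I", data, thunk)[0]) != 0:     # import lookup table
            funcs.append("ordinal:%d" % (entry & 0xFFFF) if entry & 0x80000000
                         else cstr(_rva_to_off(entry, sections) + 2))       # +2 skips the hint word
            thunk += 4
        imports[cstr(_rva_to_off(name_rva, sections)).lower()] = funcs
        desc += 20
    return imports

def dynamic_link_indicators(data):
    """Static signs of runtime linking: kernel32 loader APIs imported plus plain-text '*.dll' strings."""
    k32 = parse_imports(data).get("kernel32.dll", [])
    apis = sorted(f for f in k32 if f.startswith(("LoadLibrary", "GetProcAddress", "GetModuleHandle")))
    dlls = {s.decode().lower() for s in re.findall(rb"[\x20-\x7e]{4,}", data)}
    return {"runtime_link_apis": apis, "dll_strings": sorted(s for s in dlls if s.endswith(".dll"))}

def build_sample_pe():
    """Constructed PE32 test image, not a real binary: imports LoadLibraryA/GetProcAddress, stray user32.dll."""
    hdr, sec = bytearray(0x200), bytearray(0x200)
    hdr[:2], hdr[0x3C:0x40] = b"MZ", struct.pack("<I", 0x40)                        # e_lfanew = 0x40
    hdr[0x40:0x5A] = b"PE\0\0" + struct.pack("<HHIIIHHH", 0x14C, 1, 0, 0, 0, 224, 0x102, 0x10B)
    hdr[0xC0:0xC8] = struct.pack("<II", 0x1000, 40)                                  # import directory RVA/size
    hdr[0x138:0x160] = b".rdata\0\0" + struct.pack("<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x40000040)
    sec[0x00:0x14] = struct.pack("<IIIII", 0x1038, 0, 0, 0x1028, 0x1038)            # OFT, ts, fwd, Name, FT
    sec[0x28:0x35], sec[0x38:0x44] = b"kernel32.dll\0", struct.pack("<III", 0x1044, 0x1054, 0)
    sec[0x44:0x53], sec[0x54:0x65] = b"\0\0LoadLibraryA\0", b"\0\0GetProcAddress\0"  # hint + name
    sec[0x80:0x8B] = b"user32.dll\0"
    return bytes(hdr + sec)
```

The string scan only surfaces names stored in clear; treating a LoadLibrary/GetProcAddress import with no matching DLL string as a review trigger is the practical use of this check.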


You can get complete specification of PE here:
http://msdn.microsoft.com/en-us/windows/hardware/gg463119.aspx

You can find other documents in references to the Wikipedia article:
http://en.wikipedia.org/wiki/Portable_Executable

This information is enough to make a list of entry names in exports as well as dependencies (explicitly imported DLLs and entry points).

This CodeProject article provides some description and source code for PE parsing, but some readers criticized this work for some problems and code quality. At least it could help you get the idea of what's involved:
Parse a PE (EXE, DLL, OCX Files) and New Dependency Walker.

Some parsing is also shown in this CodeProject article, but I don't see that it looks for exports or imports. Good to take a look, anyway:
XPEInfo - a non-MFC class to get info from PE file.

See also:
http://www.csn.ul.ie/~caolan/pub/winresdump/winresdump/doc/pefile2.html — a very detailed article,
XPEInfo - a non-MFC class to get info from PE file.

—SA


