exe version of GetProcAddress
Author
I was wondering if there is something similar to GetProcAddress(), except for finding the entry point of a function in an executable.
Basically, I have an exe running and would like to be able to get a function pointer to some method in that exe, knowing the name and type of the function i would be searching for. I can do any linking witchcraft neccesary to facilitate this if anyone knows a means. I'm just kind of curious if it is reasonably possible.
Thanks
It is not possible.
The reason is simple. GetProcAddress relies on a table being in the binary which maps function names to code locations. Only exported functions are written to that table. No entry (or indeed no table at all), no way to find it.
The reason is simple. GetProcAddress relies on a table being in the binary which maps function names to code locations. Only exported functions are written to that table. No entry (or indeed no table at all), no way to find it.
IAICR, you can use GetProcAddress() on the main application instance, just like you can on a DLL. Just make sure that those symbols are marked dllexport when compiling, or use a .def map file when linking to say what symbols should be available.
While you can export the symbols from the executable with dllexport, it's more portable to manually build a map or other symbol table that connects the symbol names with the function pointers, or function objects. This way you're also less likely to lose the type information on the function pointers.
Quote:It is not possible.
The reason is simple. GetProcAddress relies on a table being in the binary which maps function names to code locations. Only exported functions are written to that table. No entry (or indeed no table at all), no way to find it.
EXE and DLL have the exact same file format (PE).
For more info on the topic, see FuBi.
Aside: what is "IAICR"? (typo?)
If you're trying to do this on an executable that doesn't have debugging information at all (i.e. "someone else's" .exe) and doesn't have an export table, you'll have to do some disassembly. Here's how this works:
- Open the PE and read in the entry point address (this is straightforward using PE format docs).
- Start disassembling at the entry point. (Translating machine bytes into assembly is a pain, so I'm not going to describe that here)
- Any time you see a relative or immediate value, and it ends up falling in the .text area of the executable, you can usually assume that it's a function or label address. If the value is an operand of CALL, then it's definately a function. If it's an operand of Jcc, then it's definately a label. If it's an operand of JMP, then it might be a label, or it might be a "return functioncall();" pattern.
- Have the disassembler follow all branches until your trace is exhausted.
- For each "might be label-or-function" address, disassemble the first instruction. If it's "SUB ESP, imm" then it's definately a function. Otherwise you'll pretty much have to guess.
Figuring out how many parameters the function takes is possible, but figuring out what type they are requires user intervention.
- Open the PE and read in the entry point address (this is straightforward using PE format docs).
- Start disassembling at the entry point. (Translating machine bytes into assembly is a pain, so I'm not going to describe that here)
- Any time you see a relative or immediate value, and it ends up falling in the .text area of the executable, you can usually assume that it's a function or label address. If the value is an operand of CALL, then it's definately a function. If it's an operand of Jcc, then it's definately a label. If it's an operand of JMP, then it might be a label, or it might be a "return functioncall();" pattern.
- Have the disassembler follow all branches until your trace is exhausted.
- For each "might be label-or-function" address, disassemble the first instruction. If it's "SUB ESP, imm" then it's definately a function. Otherwise you'll pretty much have to guess.
Figuring out how many parameters the function takes is possible, but figuring out what type they are requires user intervention.
Author
Thanks hplus, just using GetProcAddress on the exe worked like a charm. I'm not worried about functions being of the wrong type so this was quite the simple solution. I've always wondered about the anatomy of an exe, and that Fubi article is very interesting too.
This topic is closed to new replies.
Advertisement
Popular Topics
Advertisement
