Phrozen
Timeline
This unit demonstrate how to enumerate DLL exported functions through PE Header manipulation.
Features
- Support both 32 and 64bit DLL's.
- Identify exported function names.
- Identify exported function ordinal value.
- Support and resolve forwarded function.
- Identify export function address and relative address.
This very small snippet is an adaptation of the previously released unit > UntEnumDLLExport.pas with just one goal, retrieve an exported function address by its name from any DLL (both 32 and 64bit).
This adaptation is also interesting because it remove the need of having both heavy units Generics.Collections and SysUtils to have a smaller binary.
Finally it is also quite interesting for tweaking our GetProcAddress alternative (you will find here) and only have the necesarry code.
As promised, we will adapt our previous code grab an exported function directly from memory.
Serious advantage of this technique:
- We don't have to use
CreateToolHelp32Snapshotanymore to enumerate modules and catch target module base address. - We don't need to parse PE Header from disk anymore, we will parse PE Header directly from memory.
Notice, it is still necessary to use
Read more...
LoadLibrary API to load desired DLL in memory. An alternative of LoadLibrary would be to create our own PE Loader. We will cover that subject in a near future.