DLL

Get DLL Exported Function Address From Memory

March 18, 2020
Delphi, Alternative, DLL, Exported Function, GetProcAddress, Memory

As promised, we will adapt our previous code grab an exported function directly from memory. Serious advantage of this technique: We don’t have to use CreateToolHelp32Snapshot anymore to enumerate modules and catch target module base address. We don’t need to parse PE Header from disk anymore, we will parse PE Header directly from memory. Notice, it is still necessary to use LoadLibrary API to load desired DLL in memory. ...

Get DLL Exported Function Address

March 15, 2020
Windows API, Alternative, DLL, GetProcAddress, Exported Address, Library

This very small snippet is an adaptation of the previously released unit > UntEnumDLLExport.pas with just one goal, retrieve an exported function address by its name from any DLL (both 32 and 64bit). This adaptation is also interesting because it remove the need of having both heavy units Generics.Collections and SysUtils to have a smaller binary. Finally it is also quite interesting for tweaking our GetProcAddress alternative (you will find here) and only have the necesarry code. ...

Enum DLL Exported Functions

March 12, 2020
Delphi, Windows, DLL, Export, Library, PE Header, Exported Functions

This unit demonstrate how to enumerate DLL exported functions through PE Header manipulation. Features Support both 32 and 64bit DLL’s. Identify exported function names. Identify exported function ordinal value. Support and resolve forwarded function. Identify export function address and relative address. Unit Code (******************************************************************************* Author: -> Jean-Pierre LESUEUR (@DarkCoderSc) https://github.com/DarkCoderSc https://gist.github.com/DarkCoderSc https://www.phrozen.io/ License: -> MIT *******************************************************************************) unit UntEnumDLLExport; interface uses Classes, Windows, Generics.Collections, SysUtils; type TExportEntry = class private FName : String; FForwarded : Boolean; FForwardName : String; FRelativeAddr : Cardinal; FAddress : Int64; FOrdinal : Word; {@M} function GetFormatedAddress() : String; function GetFormatedRelativeAddr() : String; public {@C} constructor Create(); {@G/S} property Name : String read FName write FName; property Forwarded : Boolean read FForwarded write FForwarded; property ForwardName : String read FForwardName write FForwardName; property Address : Int64 read FAddress write FAddress; property RelativeAddr : Cardinal read FRelativeAddr write FRelativeAddr; property Ordinal : Word read FOrdinal write FOrdinal; {@G} property FormatedAddress : String read GetFormatedAddress; property FormatedRelativeAddress : String read GetFormatedRelativeAddr; end; TEnumDLLExport = class private FItems : TObjectList<TExportEntry>; FFileName : String; {@M} public {@C} constructor Create(AFileName : String); destructor Destroy(); override; {@M} function Enum() : Integer; {@G} property Items : TObjectList<TExportEntry> read FItems; property FileName : String read FFileName; end; implementation {+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Local Functions +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++} function IntToHexF(AValue : Int64; APad : Word = 0 {0=Auto}) : String; begin if (APad = 0) then begin if (AValue <= High(Word)) then APad := 2 else if (AValue <= High(DWORD)) and (AValue > High(Word)) then APad := 8 else if (AValue <= High(Int64)) and (AValue > High(DWORD)) then APad := 16; end; result := '0x' + IntToHex(AValue, APad); end; {+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ TExportEntry +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++} constructor TExportEntry. ...

Enum Modules Method 1

March 12, 2020
Delphi, Windows, Enumerate, DLL, Libraries, Modules

You will find below an example of how to enumerate process modules using the well known Windows API CreateToolHelp32Snapshot(), I will cover additional methods soon. You may notice that when using CreateToolHelp32Snapshot(), first result (row) is generally the Image Path of the process owning module. I ignore that row by checking the value of szExePath with owner process image path. GetProcessName() is compatible since Windows Vista. It is possible to support Windows XP and below but not in this example. ...