address in DLL

Hello everyone,

I want to prove that in a DLL, when the DLL is built, the addresses (e.g. function address, jump instruction address) are absolute addresses rather than addresses relative to the preferred load address. Do you have any ideas on how to prove that? Just give me a brief idea and I am happy to follow up, do the real work, and share my results here. :slight_smile:

thanks in advance,
George

Hello,

I can’t believe I am joining George’s personal support channel.

* On Wed, Oct 22, 2008 at 04:44:56AM -0700 Lin George wrote:

> I want to prove in DLL, when the DLL is built, the address (e.g.
> function address, jump instruction address) are absolute address other
> than the relative address to the preferred load address. Do you have
> any ideas to prove that? Just give me a brief idea and I am happy to
> follow-up to do real work and share my results here. :slight_smile:

What about opening the DLL in a binary editor of your choice, and in
your preferred debugger (somehow, WinDBG comes to mind…), and
comparing the results?

Regards,
Spiro.

–
Spiro R. Trikaliotis http://opencbm.sf.net/
http://www.trikaliotis.net/ http://www.viceteam.org/

Thanks Spiro,

I could write a process to load a DLL and check its exported function address, but it is very hard to find the address of the exported function if we view the DLL in binary format. Do you have any advice about how to do this task as you mentioned, “opening the DLL in a binary editor of your choice”? Is using dumpbin fine?

regards,
George

----- Original Message ----
From: Spiro Trikaliotis
To: Kernel Debugging Interest List
Sent: Wednesday, October 22, 2008 8:32:34 PM
Subject: Re: [windbg] address in DLL

Hello,

I can’t believe I am joining George’s personal support channel.

* On Wed, Oct 22, 2008 at 04:44:56AM -0700 Lin George wrote:

> I want to prove in DLL, when the DLL is built, the address (e.g.
> function address, jump instruction address) are absolute address other
> than the relative address to the preferred load address. Do you have
> any ideas to prove that? Just give me a brief idea and I am happy to
> follow-up to do real work and share my results here. :slight_smile:

What about opening the DLL in a binary editor of your choice, and in
your preferred debugger (somehow, WinDBG comes to mind…), and
comparing the results?

Regards,
Spiro.

–
Spiro R. Trikaliotis http://opencbm.sf.net/
http://www.trikaliotis.net/ http://www.viceteam.org/

—
You are currently subscribed to windbg as: xxxxx@yahoo.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Hi Spiro,

Here is my proof, based on your great ideas. Do you think it is a correct proof?


from dumpbin

           Begin    End      Info      Function Name
  00000000 00001020 0000102C 000077F4  MyFunc1
  0000000C 00001040 0000104C 000077FC  MyFunc2

from Windbg

0:000> dt TestDLL2!*MyFunc*
0000000180001020  TestDLL2!MyFunc1
0000000180001040  TestDLL2!MyFunc2

EXE code

#include <windows.h>

int main()
{
    /* Load the DLL so its exports can be inspected in the debugger.
       LoadLibraryA takes the narrow string in both ANSI and UNICODE builds. */
    HMODULE a = LoadLibraryA("TestDLL2.dll");
    return 0;
}

DLL code

extern "C" __declspec(dllexport) int MyFunc1(int A) { return 100; }
extern "C" __declspec(dllexport) int __stdcall MyFunc2(int A) { return 100; }
--------------------

regards,
George

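Added example, not part of the original thread or written by its participants: a Python sketch of the comparison discussed above, reading the preferred ImageBase from a PE optional header and adding the dumpbin "Begin" RVAs to it. The header stub is constructed inline, its ImageBase of 0x180000000 is an assumption inferred by subtracting the dumpbin RVAs from the WinDbg addresses in the post, and the rebased load address is a made-up value.

```python
import struct

def preferred_image_base(pe: bytes) -> int:
    """Return ImageBase from the optional header of a PE32 or PE32+ image."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)  # file offset of "PE\0\0"
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                           # skip signature and COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic == 0x20B:                                # PE32+: 8-byte ImageBase at +24
        return struct.unpack_from("<Q", pe, opt + 24)[0]
    if magic == 0x10B:                                # PE32: 4-byte ImageBase at +28
        return struct.unpack_from("<I", pe, opt + 28)[0]
    raise ValueError(f"unknown optional header magic {magic:#x}")

def build_sample_header(image_base: int) -> bytes:
    """Constructed PE32+ header stub; only the fields parsed above are filled in."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 4 + 20
    struct.pack_into("<H", buf, opt, 0x20B)
    struct.pack_into("<Q", buf, opt + 24, image_base)
    return bytes(buf)

# "Begin" column of the dumpbin output in the post: RVAs stored in the file.
DUMPBIN_BEGIN_RVAS = {"MyFunc1": 0x1020, "MyFunc2": 0x1040}

def addresses_at(load_base: int, rvas=DUMPBIN_BEGIN_RVAS) -> dict:
    """Virtual address of each function when the image is mapped at load_base."""
    return {name: load_base + rva for name, rva in rvas.items()}

if __name__ == "__main__":
    # Assumed preferred base (see lead-in); matches the WinDbg listing in the post.
    base = preferred_image_base(build_sample_header(0x180000000))
    for name, va in addresses_at(base).items():
        print(f"preferred base  {name}: {va:016x}")
    # Constructed rebased address: the RVAs in the file stay the same.
    for name, va in addresses_at(0x7FFB12340000).items():
        print(f"rebased (made up) {name}: {va:016x}")
```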