查找Dll函数参数

发布于 2024-07-08 06:23:39 字数 128 浏览 11 评论 0原文

如何找到未记录 Dll 函数的参数?

我在互联网上进行了搜索,最终找到了一种方法:它涉及装饰函数。 但是,我找不到获得这些的方法。

如有任何帮助,我们将不胜感激。

How can I find the parameters of an undocumented Dll function?

I have searched all over the internet and ended up finding one way: it involves decorated functions. However, I cannot find a way to get those.

Any help would be appreciated.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(7

酸甜透明夹心 2024-07-15 06:23:39

正如 Paul 指出的,您需要使用 IDA Pro(或其免费版本)之类的工具来反汇编该应用程序。

Wikibook 是一个很好的介绍性资源,x86 反汇编。 具体来说,请查看函数和堆栈框架部分。 对于采用一些标准类型参数的简单函数来说,推导函数参数可以很简单。

开始处理此类事情的最佳方法可能是创建一个小型测试 DLL,创建一些具有已知参数的函数,然后反汇编 DLL 以查看模式。 从您自己的函数(您拥有源代码并知道完整的签名)中学习反汇编,而不是一头扎进反汇编第三方的东西。

You need to disassemble the application using, as Paul noted, something like IDA Pro (or the free version of the same).

A good introductory resource is the Wikibook, x86 Disassembly. Specifically, take a look at the section on functions and stack frames. Deducing function parameters can be straightforward for simple functions taking a few parameters of standard type.

Probably the best way to get started with this sort of thing is to create a small test DLL, create a few functions with known parameters, and then disassemble your DLL to see the patterns. Learn disassembly from your own functions (for which you have the source code and know the full signature) rather than plunging into disassembling third-party stuff.

亚希 2024-07-15 06:23:39

我做了一个相当深入的回答这里,ReactOS是你最好的再次打赌,这里每个人都有点偏离事实。

强烈反对尝试反汇编系统 DLL。

一种更具冒险性的技术(从表面上看,我认为到目前为止还没有讨论过),技术是枚举 PDB 的内容。

如您所知,PDB 文件是调试符号,但是,由于反垄断法庭案件的诉讼,微软需要发布大量其他未记录的信息。

大量 Windows API 的完全准确、可用和更新的信息通过 PDB 文件记录。 调用约定、参数计数甚至参数类型和名称都记录在案(但不是有关使用的细节:)。

查看DIA SDK,dia2dump是与Visual Studio一起分发的一个很好的示例,为了进一步研究,它还提供了一个取消装饰函数的解决方案,专门针对您的问题。

另外,kernel32 提供了 UnDecorateSymbolName,因此如果您不想链接到调试 sdk 库,也可以使用它。

I did a fairly in-depth answer here, ReactOS is your best bet as it seems again, everybody here is a bit off base.

I would strongly discourage attempting to disassemble system DLL's.

A MUCH more adventagious (and I do not believe discussed so far from the looks of things), technique is to enumerate the contents of PDB's.

PDB files are debug symbols as you may know, however, Microsoft is required, due to the action from anti-trust court cases, to release great volumes of otherwise un-documented information.

Fully accurate, usable and updated information for massive amount's of the Windows API is only documented via PDB file's. The calling convention, argument count and even argument types and names are documented their (however not the specifics regarding the use of course:).

Review the DIA SDK, dia2dump is a good example distributed with Visual Studio, to investigate further, it also provides a solution to undecorate function's, to speak specifically to your question.

Also, kernel32 provides UnDecorateSymbolName, so you can use that also if you do not wish to link to the debug sdk libraries.

南风起 2024-07-15 06:23:39

做到这一点的唯一方法是反汇编该函数并查看它如何使用寄存器和堆栈。 IDA Pro 是执行此操作的最佳工具,但这并不是一件小事。

The only way to do this is by disassembling the function and seeing how it uses the registers and stack. IDA Pro is the best tool to do this, but it's not something that is trivial.

碍人泪离人颜 2024-07-15 06:23:39

是 COM Dll 吗? 如果是COM Dll,则注册它,使用OLE视图了解接口和参数。

Is it COM Dll? If it is a COM Dll, then register it, use OLE view to know the Interafaces and parameters.

过气美图社 2024-07-15 06:23:39

首先,下载 Dependency Walker 并在其中打开 DLL。 您将看到导出和导入的符号。 如果你的函数名称看起来像 _MyFunction - 它是“C”风格(未修饰)并且你与它没有太多关系(可能如之前所述进行反汇编)

如果它更像 ?_MyFunction@LoNgSetOfSome@_StrangeChAracTers 它是 C++ - 已装饰,您可以尝试使用此处

First of all, download Dependency Walker and open your DLL in it. You will see symbols exported and imported. If your function name looks like _MyFunction - it is "C" style (not decorated) and you have not too much to do with it (may be disassemble as said before)

If it is more like ?_MyFunction@LoNgSetOfSome@_StrangeChAracTers it is C++ - decorated and you may try to "undecorate" it using {unofficial} info from here

时间海 2024-07-15 06:23:39

如果您拥有的唯一信息是未修饰的函数名称,那么不幸的是,无法仅从该名称推断出函数参数。

如果您擅长汇编,则可以反汇编该函数的机器代码并对其进行逆向工程。 但对于除了最简单的函数之外的所有函数来说,这都相当困难。

If the only piece of information you have is the undecorated function name, then unfortunately it's not possible to deduce the function parameters from that alone.

If you're good with assembly it might be possible to disassemble the machine code for the function and reverse engineer it. But that's reasonably hard to do for all but the simplest functions.

此刻的回忆 2024-07-15 06:23:39

我不太熟悉 Windows 使用的 PE 格式,但我很确定没有真正简单的方法来做到这一点。 如果符号表尚未被剥离,您可能能够找到一些信息(不确定 Windows 如何在 PE 中存储调试信息),但它几乎肯定不会帮助您了解参数类型。 最好的办法是将 DLL 加载到调试器中并进行试验...监视堆栈帧上的原始内存,发送各种变量类型等。

即使您在 PE 文件中找到了有关调试信息的良好资源,几乎肯定不会有任何私有函数的信息。

I'm not really familiar with the PE format that Windows uses, but I'm pretty sure there is no real easy way to do this. If the symbol table has not been stripped you may be able to find some information (not sure how Windows stores debugging information in PE) but it almost certainly wouldn't help you with parameter types. The best thing to do is load the DLL into a debugger and experiment with it... monitor the raw memory on the stack frames, send various variable types, etc.

Even if you find a good resource on the debugging information in a PE file, there almost certainly won't be any information for a private function.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文