views:

165

answers:

2

Hello,

I need to know that all Win32 Exe functions or class's member functions contained inside Export table of that Win 32 exe(PE File)? If not then from how and where I would be able to get all these information? (I know PE file format and all sections of it and know what those sections contained but still help required how to proceeed?)

Regards Muhammad Usman

A: 

Use dumpbin that comes with Visual Studio C++ Express or download the OpenWatcom C/C++ package and in there there is a wdump associated with it...

Open Watcom Executable Image Dump Utility Version 1.8
Portions Copyright (c) 1984-2002 Sybase, Inc. All Rights Reserved.
Source code is available under the Sybase Open Watcom Public License.
See http://www.openwatcom.org/ for details.

Usage: wdump [-?abdefipqrsx] [-A] [-B] [-D] [-S] 
   is a DOS EXE file, a Windows or OS/2 executable or DLL,
            a PharLap executable, NLM, a QNX executable,
            an ELF executable, shared library or object file,
            or a COFF object.

Edit: You cannot extract those export functions directly by programmatic means, the utility above will show the addresses using the command line switches including showing the address of the export functions for the 'LoadLibrary', 'FreeLibrary'. When a call to 'GetProcAddress' is used, internally, it is doing a look up on the export directory to find the relevant address of the exported function prior to returning back a function pointer for that exported function.

Edit#2: @UsMan: You can dump the addresses of the exports functions, but to find the signatures is not easy as you would need to disassemble the relevant EXE's and work out the parameters from looking at the call stack. Other than that, if you have a 3rd party DLL, but does not come with a header file and lib file, to show you the function signatures...you are pretty much out of luck except disassemble the code...If you are talking about a release EXE or DLL, it will be harder as the debugging info would have been stripped thereby, loading it into the debugger to work out the stack, calls used and parameters which would be a moot point.

Can you please edit your question to make it more specifically clearer on what is your objective as I'm shooting myself in the foot and risk getting downvoted as a result of your dis-satisfaction with this answer....is it an MFC, ATL, DLL, what is the EXE, DLL, etc...

tommieb75
What it'll do..To me It will temporary show all the lists of non exported funcs(simple Win32 Exe functions). I need to Extract all of those prgramatically and required addresses of all of those to call them as well.
Usman
@Usman: you DO have Visual Studio ? And no, it is not 'temporary show all the lists of non-exported functions'...
tommieb75
yup Visual Studio 2008.NET , VS.2003.NET .My job is to extract all signatures of Win32 exe(Not Win32 DLL's Exported funcs. I know every export table contains all functions addresses and decorated names).I need to EXTRACT ADDRESSES OF WIN 32 EXE FUNCS and FULL SIGNATURES.
Usman
@tommieb75 : Let say I have simplest Win32 Exe having function say..void TestFunc(int x,int y){cout<<"do nothing"}. I need to test this Exe(name it Test.exe).As this is not the DLL, so I can't it load into my testing(another Exe) exe. What my testing exe need all test.exe's TestFunc signature, so that it should know how much arguments TestFunc have and their types(let say i display signature on MFC GUI and later on user will interact with it). When this function after that needs to be called by other exe(in my case Tester exe), it also need to know about its address along with its params. How?
Usman
So here there are two EXEs. One a tester exe(Which is going to test other EXES) and other one is testing exe(Which one is going to be tested). Tester exe needs to know all function signatures, parameters which it taking and finally the address which it needs to know FOR CALLING that function(it was TestFunc).See how I will call.TESTING.EXEvoid TestFunc(int,x,int y){ cout<<"do nothing";}TESTER.EXE_asm{ push arg_1 push arg_2 push arg_n call proc ; this would be address of that function which is inside another exe(TESTING EXE)}
Usman
@Usman: Use LoadLibrary to load the Executable...see here http://msdn.microsoft.com/en-us/library/ms684175(VS.85).aspx, it is not just confined to just DLLs! You're asking for a very awkward question...signature wise, if you know the signature, then that should not be a problem...you cannot just pull in some EXE and guess what signature that function is...unless you *know* what is the signature as per a header file which clues you in on it...
tommieb75
OK Sir LoadLibrary was'nt actually a problem. by any means we can load the Win 32 Exe(either by spawning a new process or just use any other Win32 API function to execute Win32 Exe in memory)!! I AM TALING ABOUT RUNTIME INVOKING OF METHODS by MY CHOICE.AT ANY TIME USER CAN CLICK MFC GUI(ON which all signatures of methods contained in Win32 Exe). Now user at its own choice can right click on any function signature and select "EXECUTE"...Sir this decision is being at RUNTIME which function user want to execute. So this would be execute handler which needs to know then addresses and all params.
Usman
And at Last !! Executer(Which dynamically on RUNTIME executes functions) is standalon one exe(I called it TESTER.EXE) and another EXE is TESTING Exe(of which all signatures being pulled out on MFC GUI) which will test call all those functions, So here that exe needs to know the addresses of all those functions and parameters as well. THIS PROBLEM IS CALLING FUNCTIONS AT RUNTIME. At RUNTIME USER WILL MADE DECSISION AT WHICH FUNCTION HE/SHE WANTS TO EXECUTE. This is not compile time problem. No code generation is expected here.Just like we call DLL functions via GetProcAddress at runtime.
Usman
In fact this would be kind OF REVERSE ENGINEERING
Usman
A: 

The export table only contains entries for exported functions. If you debugging information available, there will usually be entries for most other functions as well. Without that, chances are pretty good that the executable simply doesn't contain any information about functions that haven't been exported.

Jerry Coffin
I am stripping all debugging information to seperate PDB file and my project compiled as "Release" mode.
Usman
@Usman: Assuming the pdb file is available, you can use Windows' debug functions (especially SymInitialize and company) to get data about the functions (exported or otherwise).
Jerry Coffin
If really is it possible in the presence of dbg files, that we can take all the addresses of non exported, simple win32 exe funcs and addresses then dbghelp api would assist to perform all of those operations? That would be nice enough.
Usman
Usman
Yes, the debug API can use symbols in PDB, DBG, CV, and at least a couple of other formats I don't remember right away. I believe it also allows you to add your own DLL to allow a debugger to access symbols in other fiel formats as well (though I'm going from memory there, and have never done it, so I could be remembering incorrectly).
Jerry Coffin