I have a long list of all the calls a program I have does. What i need to know is which DLL each call belongs to. How would I find this out?
Thanks,
+1
A:
Given the executable, the easiest way would probably be dumpbin /imports <exe_name>. This will produce output like this:
KERNEL32.dll
405020 Import Address Table
4060FC Import Name Table
0 time date stamp
0 Index of first forwarder reference
126 GetModuleHandleA
150 GetStartupInfoA
USER32.dll
405480 Import Address Table
40655C Import Name Table
0 time date stamp
0 Index of first forwarder reference
F0 GetClientRect
17A InvalidateRect
B7 EnableWindow
291 UpdateWindow
GDI32.dll
405000 Import Address Table
4060DC Import Name Table
0 time date stamp
0 Index of first forwarder reference
37 CreateFontIndirectA
1AF Rectangle
4D CreateSolidBrush
44 CreatePen
1C7 SelectObject
53 DeleteObject
14F GetObjectA
Depending on your executable, there's a pretty fair chance that you'll get more extraneous information. Since you already have a list of functions you care about, it should be pretty easy to filter this to get the information you need and leave out the rest.
Jerry Coffin
2010-04-06 18:50:26
+1
A:
hum... your title and your questions point to different things. syscalls mean something very specific, a call to the OS kernel (and those are not in dlls).
As it happens, Windows does not expose those directly, but rather exposes APIs in system DLLs that are responsible to call the syscall themselves.
So let's say you don't actually have a list of syscalls, but a list of calls. Is this list generated from a binary ? binaries actually have a list of the dlls they depend on, and a dumpbin /imports binary.exe will actually list exactly what you're asking for.
Bahbar
2010-04-06 18:50:28
Actually they are, all the user-mode portions of the syscalls are in ntdll.dll
Paul Betts
2010-04-07 15:49:46