I have a long list of all the calls a program I have does. What I need to know is which DLL each call belongs to. How would I find this out?

Thanks,

+1  A: 

Given the executable, the easiest way would probably be dumpbin /imports <exe_name>. This will produce output like this:

KERNEL32.dll
           405020 Import Address Table
           4060FC Import Name Table
                0 time date stamp
                0 Index of first forwarder reference

             126 GetModuleHandleA
             150 GetStartupInfoA

USER32.dll
           405480 Import Address Table
           40655C Import Name Table
                0 time date stamp
                0 Index of first forwarder reference

              F0 GetClientRect
             17A InvalidateRect
              B7 EnableWindow
             291 UpdateWindow

GDI32.dll
           405000 Import Address Table
           4060DC Import Name Table
                0 time date stamp
                0 Index of first forwarder reference

              37 CreateFontIndirectA
             1AF Rectangle
              4D CreateSolidBrush
              44 CreatePen
             1C7 SelectObject
              53 DeleteObject
             14F GetObjectA

Depending on your executable, there's a pretty fair chance that you'll get more extraneous information. Since you already have a list of functions you care about, it should be pretty easy to filter this to get the information you need and leave out the rest.

Jerry Coffin
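One way to do the filtering this answer describes, as an added example that is not part of the original answer: parse the `dumpbin /imports` text into a function-to-DLL map and look up each call from your list. The names `parse_imports`, `owners_of` and `SAMPLE` are hypothetical, and the `A`/`W` suffix fallback is an assumption about how the call list was written.

```python
import re
from collections import defaultdict

# Constructed sample, trimmed from the dumpbin /imports output shown in the answer.
SAMPLE = """\
KERNEL32.dll
           405020 Import Address Table
           4060FC Import Name Table
                0 time date stamp
                0 Index of first forwarder reference

             126 GetModuleHandleA
             150 GetStartupInfoA

USER32.dll
           405480 Import Address Table
           40655C Import Name Table

              F0 GetClientRect
             17A InvalidateRect
"""

# A module line is a lone file name; an import line is "<hex hint> <name>".
# Metadata lines ("405020 Import Address Table") have extra words and match neither.
MODULE = re.compile(r"^\s*(\S+\.(?:dll|exe|drv|ocx|sys))\s*$", re.I)
IMPORT = re.compile(r"^\s+([0-9A-Fa-f]+)\s+([A-Za-z_?@$][\w?@$]*)\s*$")

def parse_imports(text):
    """Return {function_name: [dll, ...]} from dumpbin /imports output."""
    owners, dll = defaultdict(list), None
    for line in text.splitlines():
        if m := MODULE.match(line):
            dll = m.group(1)
        elif (m := IMPORT.match(line)) and dll:
            owners[m.group(2)].append(dll)
    return dict(owners)

def owners_of(calls, imports):
    """Map each call to its DLL(s), also trying the ANSI/Unicode A and W suffixes."""
    result = {}
    for call in calls:
        hits = []
        for name in (call, call + "A", call + "W"):
            hits += [d for d in imports.get(name, []) if d not in hits]
        result[call] = hits  # empty list: not in the static import table
    return result

if __name__ == "__main__":
    print(owners_of(["GetModuleHandle", "InvalidateRect"], parse_imports(SAMPLE)))
```

A call that comes back with an empty list is not in the import table at all, which happens when the program resolves it at run time with GetProcAddress rather than linking against it.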
+1  A: 

Hum... your title and your question point to different things. Syscalls mean something very specific, a call to the OS kernel (and those are not in DLLs).

As it happens, Windows does not expose those directly, but rather exposes APIs in system DLLs that are responsible for calling the syscall themselves.

So let's say you don't actually have a list of syscalls, but a list of calls. Is this list generated from a binary? Binaries actually have a list of the DLLs they depend on, and a dumpbin /imports binary.exe will actually list exactly what you're asking for.

Bahbar
Actually they are; all the user-mode portions of the syscalls are in ntdll.dll.
Paul Betts