Dependency Walker instructions

Reprint address: http://blog.csdn.net/swort_177/article/details/5426848? Reload

 

In the Windows world, when there are several active continents, they all have a common name-dynamic link library. Now let's go into these magical activity continents and find out the secrets they have been hiding for a long time!

First glance: the cornerstone of Windows

Open a system directory and you will see a lot of dll extension files at a glance. These are what we often call "Dynamic Link Library ", DLL is the abbreviation of dynamic link library ("Dynamic Link Library. Since Microsoft launched its first version of Windows, the dynamic link library has been the basis of this operating system.

1. check what is in the DLL.

To solve what DLL is, let's first look at what dll has. Like the EXE file, the DLL file contains the binary code of the program and the resources required by the program (such as the comparison mark, dialog box, and string). Why do you need to put the code in the DLL file, instead of EXE? In fact, the DLL code appears in the form of API functions. In other words, the program code contained in the DLL is made into small modules, and the application presses the specific button in the required DLL, to call the Functions Represented by this button in the DLL. When using a program such as Notepad, if you want to save or open the file, a general file dialog box will pop up. Let's select the file location. As you know, this is the interface that calls the General dialog box in the underlying DLL of the system.

2. Several important DLL files in the system

Windows has three very important underlying dll: kernel32.dll, user32.dll, and gdi32.dll. Kernel32.dll, as its name implies, is a kernel-related function. It mainly includes functions used to manage memory, processes, and threads. user32.dll contains functions used to execute User Interface tasks, for example, you can pass the user's mouse-click operation to the window so that the window can execute the scheduled event based on the user's click. The gdi32.dll name is abbreviated, the full name is graphical device interface, which contains functions used for drawing and displaying text. For example, to display a program window, you call the function to draw the window.

3. Why use DLL?

When talking about this issue, we just explained the principle of DLL encapsulating program code into functions. Why is it possible to encapsulate a function into a large number of DLL resources in the system?

① Extend the application

The dll can be dynamically loaded into the memory by the application. Therefore, the application can load the DLL into the memory only when needed, which makes the maintainability of the program very high. For example, if the video function of QQ needs to be upgraded, programmers responsible for compiling QQ do not have to rewrite all QQ code. They only need to rewrite DLL files related to the video function.

② Facilitates coders to cooperate

This has little to do with our end users and is only for your understanding. We all know that there are many programming tools, such as VB, Vc, and Delphi. If several people work together to compile a large program, some may use VB and others use VC, each person is responsible for different programming languages. Which compiler is used for compilation? This is better than a group of people from different countries writing an article together. If they use different languages, how can the written articles be written together? With the DLL, the VC programmer can write a DLL, and then the VB programmer calls it in the program, without worrying about how to compile them into a separate exe.

③ Memory saving

If multiple applications call the same dynamic link library, the DLL file will not be repeatedly loaded into the memory, instead, these applications share the same DLL with loaded memory. In an office, a water dispenser is rarely configured for every employee. Instead, a water dispenser is placed in a public location. All employees who need water can share the water dispenser, reduces costs and saves space.

④ Sharing program resources

Including the general file dialog box mentioned above, DLL files provide the possibility of sharing resources between applications. Resources can be program dialogs, strings, icons, or sound files.

⑤ Solve application localization problems

After downloading the Chinese package of a program, open the Chinese description. you can often see that the DLL file in the downloaded package overwrites the original DLL of the program. These programs are compiled separately from the Execution Code and application interface. Therefore, the Chinese users only need to simply compile and release the DLL related to the program interface.

Curious: Exploring the truth about DLL
Who knows how many functions are in the DLL, and who knows which DLL functions are called by the EXE? In fact, this problem is not difficult to solve. I still can't remember the dependency Walker (depends) tool used to analyze the EXE file introduced in the 6th issue of "no thieves IV -- thieves and thieves". Today we will use it as an adventure tool, discover the DLL truth.
　　1. Check the number of functions in the DLL.
Step 1: Download and decompress depends, run depends.exe, select "File> open" (File> open), select the DLL file to be analyzed in the file selection box, and open it. Select qqzip In the QQ directory. DLL.
Step 2: In the tree column on the left of the program, it lists the functions of other DLL used by the DLL (Other DLL ^ o ^ can be called in the original DLL ), the two column lists on the right show the function input and output tables respectively. The function output table is the total list of functions provided by the DLL to other EXE or DLL calls.
Step 3: In the function column of the function output table, it is the name of the output function (see figure 1). Two functions are found in qqzip. dll: unzip and zip. Therefore, it can be determined that the DLL is responsible for the compression and decompression tasks in the QQ program.

2. Review the DLL used by the EXE
The list of DLL files called by the dig command (see figure 2). If you expand these DLL branches, you will find other DLL files. This shows that these DLL files called by QQ are still possible (almost certainly) call another DLL. This is like buying a new DVD machine, where the core may be Sony, and a small capacitor in this movement may be owned by another company. This is the same principle.

3. Use DLL to see the true face of exe
I just got the list of DLL used by qq.exe. In fact, this list can also analyze a lot of other information. Similar to mfc42.dll, you can use visual c ++ to compile qq.exe. wsock32.dll indicates that this program has the network communication function (nonsense! If QQ cannot communicate via the Internet, what's the use ......). The following is a simple table. When analyzing other EXE files, you can use the DLL to preliminarily judge its functions.
The EXE information that can be determined by the DLL file name
Mfc42.dll is written using vc5.0/6.0.
Vbrun *. dll "*" indicates the digital version, which is written in vb3.0/4.0.
Msvbvm50.dll is written in VB5.0 and comes with this DLL on Windows 98 (SE.
Msvbvm60.dll is written in VB6.0 and is provided on Windows ME/2000/XP and other systems.
Advapi32.dll may perform registry operations.
Wsock32.dll supports network communication.
Ws2_32.dll supports network communication.
Wininet. dll provides HTTP browsing and downloading functions. Typical examples are browsers and download tools.
Winmm. dll supports multimedia playback.
Ddraw. dll games and advanced image processing tools.
D3d *. dll 3D games, or animation processing tools.
　　4. dll is a big treasure
In addition to the DLL used by the program to call functions, there is another DLL used to save resources, such as qqres under the QQ directory. DLL, opened with depends and found that there is no output function, is it a chicken-rib DLL? However, use the resource hacker (: http://www.mydown.com/soft/42/42058.html) to open this DLL, it is found that the original save so many QQ resources, including icons, music, pictures, strings, dialog box ...... (See figure 3)

Root question: the fable of DLL
DLL-induced faults are very common. Why do they cause faults? How to solve the fault? Hush ~ Listen to the DLL conversation and you will understand it.
　　1. Discuss interface compatibility from the porter
On the Windows site, there was a contractor named EXE who had many construction workers called DLL. One of them is a DLL (temporarily called "Porter a") that is specially responsible for transporting cement. Every time the contractor needs to carry cement, the EXE just needs to shout to him: "Come! Move ."
After a while, Porter a felt that his efficiency was too low, so he changed from 1 bag of cement to 3 bags of cement each time. After the handling method is improved, the EXE package still calls "Come!" at a time! Move ." But I do not know that Porter a has changed the handling method.
However, after a while, the contractor's exe dismissed the porter a and found another DLL from another construction site (now called "Porter B "). When the porter was at another construction site, the shipping was very fast, so the contractor's exe decided to "Upgrade" the handling work. But when I started my work, the contractor came up with a problem ...... No matter how many times "Come! Move ." The new porter B does not know what to move.
In the above example, Porter a improves the handling method, but the method called by EXE remains unchanged. This is the principle of DLL upgrade. It improves the internal implementation method, but the called interface remains unchanged, in this way, the new dll version can be called without upgrading the EXE file. The story of Porter B tells us that no matter how efficient the new dll version is, if the interface (which can be understood as the name of the function output in the DLL) is different from the original one, then, the EXE cannot be called.
　　2. register the DLL of the ID card
Many of the system faults are caused by the absence of DLL file registration. For example, if the compression folder function of Windows XP fails, zipfldr may be used in the system directory. if the DLL is not registered, most of the solutions to such faults are to run the following command:
　　Regsvr32 DLL file name
Many people do not understand why it is necessary to do this. Is it true that all DLL files can do this?
In fact, there are two types of DLL in the system, one is to use without registration, the other is to be used after the system login (that is, registration. It's like a temporary employee, just like a long-term contractor on the employee list. How can we distinguish the two DLL types? The method is very simple. Open the DLL with depends just now and look at the function output table. If it contains the following two functions (the former is the DLL registration, and the latter is the DLL registration ), then it must be the DLL that must be registered for use.
Dllregisterserver
Dllunregisterserver
The regsvr32 Command actually calls the two functions in the DLL ("regsvr32/u DLL file name" calls the dllunregisterserver anti-registration function ).
　　3. Secrets of plug-in DLL
Winamp, foobar 2000, and many other software have plug-in functions. Download a DLL from the Internet and put it in the plug-in directory so that the program can support new functions. How can this be done? Let's take the popular playing software "quiet listening" as an example.
The plug-in directory of "quiet listening" is located in The addin sub-directory under the software installation directory. The plug-in directory of the program is generally named "plugins" and "addin. There are many DLL files in the plug-in directory of "quiet listening", such as tt_asf.dll and tt_rm.dll. We can see from the file name that these DLL are used to make the player support various types of audio files. Similarly, when you open these files with depends, you will find that the output function tables of these files contain the same function: ttpgetsoundaddin (see figure 4 ).

This is the secret of plug-ins. Various programs that support plug-in functions will publish a plug-in protocol at the same time, the Protocol specifies the function names and related parameter rules that must be included in the plug-in DLL to be called by the program, third-party plug-in programmers compile the DLL output functions according to the plug-in standards when writing the plug-in of this program.
① For the plug-in tt_asf.dll
Ttplayer.exe (main program of "listener") said to tt_asf.dll, "I want to call your ttpgetsoundaddin Function !"
Tt_asf.dll replied: "OK ."
② If unrelated DLL is put into the addin directory
Ttplayer.exe says to the unknown dll: "I want to call your ttpgetsoundaddin Function !"
Tt_asf.dll replied: "What is that function? I have never heard of it !"