How to obtain the function parameters in DLL

Source: Internet
Author: User

We can know the interface function parameters through disassembly. We recommend that you use w32dsm for analysis, or you can directly use VC for analysis, which is a little more troublesome.
The following describes how to use w32dsm:
1. First open the DLL to be analyzed, and then find the function to be analyzed through the menu function-> export, double-click it.
It can directly locate the function.
2. Check the function entry. Generally, the function uses the following code as the entry point.
Push EBP
MoV EBP, ESP
...
3. Find the exit of the function. Generally, the exit of the function contains the following statements.
...
RET xxxx; // XXXX indicates the number of all bytes of the function difference, which is a multiple of 4. The result is calculated by dividing XXXX by 4.
Is the number of parameters.
Where the parameters are stored:
EBP + 08 // The first parameter
EBP + 0C // The second parameter
EBP + 10 // The third parameter
EBP + 14 // fourth Parameter
EBP + 18 // fifth Parameter
EBP + 1C // The sixth Parameter
....
-------------------------------------------
There is also a frequently seen call method:
Sub ESP, xxxx // start part
// Function content
...
// Function content
Add ESP, xxxx
RET // end
The result of xxxx/4 is also the number of parameters.
-------------------------------------------------
There is also a call method:
Since this function is relatively simple, there is no parameter for the stack pressure process,
Inside
ESP + 04 is the first parameter
ESP + 08 is the second parameter.
...
ESP + XX is the XX/4 Parameter
The result of dividing the maximum number of XX values by 4 is the number of parameters passed by the function.
----------------------------------------------
By now, you can clearly see the number of parameters passed. Further analysis is required for what is passed.
The most convenient way is to find out which software is calling this function, and then find the place where the function is called through the debugging technology. Usually push commands
To pass parameters. At this time, you can see what is pushed into the stack. Generally, if the parameter is an integer, you can see it at first glance,
If it is a string, it is also relatively simple, as long as you go to the address to see it.
If there is no convenient solution to the transmitted structure, you can simply read the assembly. For the above analysis, I am only responsible for the discussion,
I hope it will be helpful to everyone.

Yesterday, I told you how to know the number of interface parameters and simple interfaces. Due to compiler optimization,
Some parameters may not be as simple as I mentioned earlier. Today, let me analyze the DLL called interfaces. If
If an API is called in a function, and one or more parameters of the called API are the same as those of the DLL function.
Then you can easily know the DLL function parameters.
Example: The following assembly code is obtained through w32dsm.
Exported FN (): mytestfunction-ord: 0001 H
: 10001010 8b442410 mov eax, dword ptr [esp + 10]
: 10001014 56 push ESI
: 10001015 8b74240c mov ESI, dword ptr [esp + 0C]
: 10001019 0faf742410 imul ESI, dword ptr [esp + 10]
: 1000101e 85c0 test eax, eax
: 10001020 7414 je 10001036
: 10001022 8b442418 mov eax, dword ptr [esp + 18]
: 10001026 8b4c2408 mov ECx, dword ptr [esp + 08]
: 1000102a 6a63 push 00000000
: 1000102c 50 push eax
: 1000102d 51 push ECx
: 1000102e 6a00 push 00000000

* Reference to: user32.messageboxa, ord: 01beh
|
: 10001030 ff15b0400010 call dword ptr [100040b0]

* Referenced by a (u) nconditional or (c) onditional jump at address:
|: 10001020 (c)
|
: 10001036 8bc6 mov eax, ESI
: 10001038 5E pop ESI
: 10001039 C3 RET
-------------------------------------------------------
Mytestfunction is the function to be analyzed. It calls user32.messageboxa
When calculating the number of parameters for this function, you should note that it is not the result of 0x18/4, because it is the program entry
The second statement is pushed again. The ESP + 10 before pushing is the 4th parameter, that is, 0x10/4 = 4.
Statement ESP + XX after push,
Where (XX-4)/4 corresponds to the first few parameters.
ESP + 0C = 2nd Parameters
ESP + 10 = 3rd Parameters
ESP + 18 = 5th Parameters
ESP + 08 = 1st Parameters
---------------------------- In this way, the total number of parameters is calculated as 5. Note that before pushing ESI and after pushing ESI,
After pushing, the value of ESP is reduced by 4, so pay special attention to it !!! Then, let's look at the RET command in the return part of the function,
Since eax was assigned a value before ret, we can know that this function will definitely return a value. We all know the register of eax.
It is 4 bytes, so we can replace it with long. Now the basic interface of the function is ready,
Long mytestfunction (long P1, long P2, long P3, long P4, long P5 );
However, you still need to adjust the specific parameter type if no parameter is used in the function. Then the Parameter
The parameter type does not matter. Generally, this is rare. Then, how do we get the function's
What about parameters? See the following analysis:
Have you seen the * Reference to: user32.messageboxa, ord: 01beh statement,
This shows that the winapi: MessageBox function is used internally. Let's take a look at its definition:
Int MessageBox (
Hwnd, // handle of owner window
Lptstr lptext, // address of text in message box
Maid, // address of title of message box
Uint utype // style of message box
);
It has four parameters. Generally, we know that the parameters used to call an API function are pushed from right to left into the stack.
Translated as pseudo ASM:
Push utype
Push lpcaption
Push lptext
Push hwnd
Call MessageBox
---------------------------------------
We can figure out the corresponding statement above.
Hwnd = NULL (0)
Lptext = ECx
Lpcaption = eax
Utype = mb_ OK (0)
---------------------------------
As shown above,
The original value of eax is in ESP + 18.
The value in ECx is the content in ESP + 08.

So far we can know
Lptext = ECx = [esp + 08] = 1st Parameters
Lpcaption = eax = [esp + 18] = 5th Parameters

Now we can further write the DLL function interface as follows:
Long mytestfunction (lpctstr lptext, long P2, long P3, long P4, lpctstr lpcaption );

For the 3rd ESP + 10 parameters, and then find the place where this parameter is used, imul ESI, dword ptr [esp + 10] has such an instruction.
Because imul is a multiplication command, we can certainly make the ESP + 10 assumption that long is not wrong. Likewise, we can know the 2nd parameters ESP + 0C.
It certainly won't be wrong to use long. As for the 4th parameters, it only plays a test role,
MoV eax, dword ptr [esp + 10]
Test eax, eax
Je 10001036
Have you seen the usage of this parameter?
The C language for translating it is:
If (P3)
{
// Execute the commands below je 10001036
}
Return;
So far, we can regard 3rd parameters as a pointer! That is, if P3 is null, it will be returned directly. If it is not empty, it will do other things.

Now, you can list the correct interface:
Long mytestfunction (lpctstr lptext, long N1, char * pisnull, long N2, lpctstr lpcaption );
Haha, now it's successful !!!

Long cryptextopencer (long P1, long P2, lpcstr P3, long P4 );
The first parameter may be the file name,
Or pcert_blob
It is determined by cert_query_object_file or cert_query_object_blob.
---------------------------------------------------------------
Today I think of a good way to solve the parameter problem, but it is difficult.
1. Based on the methods mentioned earlier, you can quickly know the number of parameters. Assume that the function
The name is mytestfunc, and the number of parameters is 3.
Therefore, it can be defined as follows:
Long mytestfunc (long P1, long P2, long P3 );
2. Install a hook (DLL)
3. You can use other programs to call, trigger the hook, and debug the hook.
The called parameter, which is a numerical value.
-------------
This method has not been implemented yet. I believe it is acceptable. The obtained parameters are quite accurate.

 

 

 

First, you need to know the function has several parameters, and then refine the parameter type. The detailed analysis process is as follows:
We can know the interface function parameters through disassembly. We recommend that you use w32dsm for analysis, or you can directly use VC for analysis, which is a little more troublesome.
The following describes how to use w32dsm:
1. First open the DLL to be analyzed, and then find the function to be analyzed through the menu function-> export, double-click it. It can directly locate the function.
2. Check the function entry. Generally, the function uses the following code as the entry point.
Push EBP
MoV EBP, ESP
...
3. Find the exit of the function. Generally, the exit of the function contains the following statements.
...
RET xxxx; // XXXX indicates the number of all bytes of the function difference, which is a multiple of 4. The result is calculated by dividing XXXX by 4.
Is the number of parameters.
Where the parameters are stored:
EBP + 08 // The first parameter
EBP + 0C // The second parameter
EBP + 10 // The third parameter
EBP + 14 // fourth Parameter
EBP + 18 // fifth Parameter
EBP + 1C // The sixth Parameter
....
-------------------------------------------
There is also a frequently seen call method:
Sub ESP, xxxx // start part
// Function content
...
// Function content
Add ESP, xxxx
RET // end
The result of xxxx/4 is also the number of parameters.
-------------------------------------------------
There is also a call method:
Since this function is relatively simple, there is no parameter for the stack pressure process,
Inside
ESP + 04 is the first parameter
ESP + 08 is the second parameter.
...
ESP + XX is the XX/4 Parameter
The result of dividing the maximum number of XX values by 4 is the number of parameters passed by the function.
----------------------------------------------
By now, you can clearly see the number of parameters passed. Further analysis is required for what is passed.
The most convenient way is to find out which software is calling this function, and then find the place where the function is called through the debugging technology. Usually push commands
To pass parameters. At this time, you can see what is pushed into the stack. Generally, if the parameter is an integer, you can see it at first glance,
If it is a string, it is also relatively simple, as long as you go to the address to see it.
If there is no convenient solution to the transmitted structure, you can simply read the assembly.

 

 

In addition, due to compiler optimization, some parameters may not be as simple as I mentioned earlier. If an API is called in a function of the DLL,
In addition, if one or more of the parameters for calling the API are the same as those of the DLL function. Then you can easily know the DLL function parameters.
Example: The following assembly code is obtained through w32dsm.
Exported FN (): mytestfunction-ord: 0001 H
: 10001010 8b442410 mov eax, dword ptr [esp + 10]
: 10001014 56 push ESI
: 10001015 8b74240c mov ESI, dword ptr [esp + 0C]
: 10001019 0faf742410 imul ESI, dword ptr [esp + 10]
: 1000101e 85c0 test eax, eax
: 10001020 7414 je 10001036
: 10001022 8b442418 mov eax, dword ptr [esp + 18]
: 10001026 8b4c2408 mov ECx, dword ptr [esp + 08]
: 1000102a 6a63 push 00000000
: 1000102c 50 push eax
: 1000102d 51 push ECx
: 1000102e 6a00 push 00000000

* Reference to: user32.messageboxa, ord: 01beh
|
: 10001030 ff15b0400010 call dword ptr [100040b0]

* Referenced by a (u) nconditional or (c) onditional jump at address:
|: 10001020 (c)
|
: 10001036 8bc6 mov eax, ESI
: 10001038 5E pop ESI
: 10001039 C3 RET
-------------------------------------------------------
Mytestfunction is the function to be analyzed. It calls user32.messageboxa
When calculating the number of parameters for this function, you should note that it is not the result of 0x18/4, because it is the program entry
The second statement is pushed again. The ESP + 10 before pushing is the 4th parameter, that is, 0x10/4 = 4.
Statement ESP + XX after push,
Where (XX-4)/4 corresponds to the first few parameters.
ESP + 0C = 2nd Parameters
ESP + 10 = 3rd Parameters
ESP + 18 = 5th Parameters
ESP + 08 = 1st Parameters
---------------------------- In this way, the total number of parameters is calculated as 5. Note that before pushing ESI and after pushing ESI,
After pushing, the value of ESP is reduced by 4, so pay special attention to it !!! Then, let's look at the RET command in the return part of the function,
Since eax was assigned a value before ret, we can know that this function will definitely return a value. We all know the register of eax.
It is 4 bytes, so we can replace it with long. Now the basic interface of the function is ready,
Long mytestfunction (long P1, long P2, long P3, long P4, long P5 );
However, you still need to adjust the specific parameter type if no parameter is used in the function. Then the Parameter
The parameter type does not matter. Generally, this is rare. Then, how do we get the function's
What about parameters? See the following analysis:
Have you seen the * Reference to: user32.messageboxa, ord: 01beh statement,
This shows that the winapi: MessageBox function is used internally. Let's take a look at its definition:
Int MessageBox (
Hwnd, // handle of owner window
Lptstr lptext, // address of text in message box
Maid, // address of title of message box
Uint utype // style of message box
);
It has four parameters. Generally, we know that the parameters used to call an API function are pushed from right to left into the stack.
Translated as pseudo ASM:
Push utype
Push lpcaption
Push lptext
Push hwnd
Call MessageBox
---------------------------------------
We can figure out the corresponding statement above.
Hwnd = NULL (0)
Lptext = ECx
Lpcaption = eax
Utype = mb_ OK (0)
---------------------------------
As shown above,
The original value of eax is in ESP + 18.
The value in ECx is the content in ESP + 08.

So far we can know
Lptext = ECx = [esp + 08] = 1st Parameters
Lpcaption = eax = [esp + 18] = 5th Parameters

Now we can further write the DLL function interface as follows:
Long mytestfunction (lpctstr lptext, long P2, long P3, long P4, lpctstr lpcaption );

For the 3rd ESP + 10 parameters, and then find the place where this parameter is used, imul ESI, dword ptr [esp + 10] has such an instruction.
Because imul is a multiplication command, we can certainly make the ESP + 10 assumption that long is not wrong. Likewise, we can know the 2nd parameters ESP + 0C.
It certainly won't be wrong to use long. As for the 4th parameters, it only plays a test role,
MoV eax, dword ptr [esp + 10]
Test eax, eax
Je 10001036
Have you seen the usage of this parameter?
The C language for translating it is:
If (P3)
{
// Execute the commands below je 10001036
}
Return;
So far, we can regard 3rd parameters as a pointer! That is, if P3 is null, it will be returned directly. If it is not empty, it will do other things.

Now, you can list the correct interface:
Long mytestfunction (lpctstr lptext, long N1, char * pisnull, long N2, lpctstr lpcaption );

// --------------- The above content is organized from http://www.csdn.net/expert/topic/636/637973.xml --------------------

 

The following uses apihook2.0 to analyze this parameter, which is quite convenient. In order for you to better understand the following program, here is a MessageBox example,
Assume that you do not know the number and type of parameters of the function.
First obtain apihook2.0(on-the-net, you can find the desired region and open the corresponding apihooks.exe and apihooks. dll.
In the system directory or in the path. Put apihooks. lib and apihooks. h In your project. You need to create one by yourself, for example, myapihook,
Type Win32 dynamic-link library (null), and then add myapihook. cpp. The content in this file is as follows:
// -------------------------------- Myapihook. cpp file start -----------------------------------------
// Myapihook. cpp: defines the entry point for the DLL application.

// Function: inject myapihook.dllinto the path testdlg.exe, Replace the API in the DLL called in testdlg.exe
// Use the following code:
// C: //> apihooks-NQ myapihook. dll testdlg.exe
// Apihooks = apihook.exe and apihooks. dll
//-Enable a new NQ program (testdlg.exe). Q does not display any information.
// Myapihook. dll = by this file create
// Testdlg.exe = program to be replaced

# Include <stdio. h>

# Define win32_lean_and_mean
# Include <windows. h>
# Include "apihooks. H"

INT (winapi * pfunction) (long P1, long P2, long P3, long P4 );
Typedef int (winapi function) (long P1, long P2, long P3, long P4 );

Int winapi mymessageboxa (long P1, long P2, long P3, long P4)
{
Const ncountparam = 4;
Long PP [ncountparam];
PP [0] = p1, PP [1] = P2, PP [2] = P3, PP [3] = P4;

File * fp = fopen ("C: // 1.txt"," W ");
Char szbuf [1024];

Sprintf (szbuf, "List of parameter content, it is easy to judge whether it is a string or is null/N ");
Fputs (szbuf, FP );

For (long I = 0; I <ncountparam; I ++)
{
Sprintf (szbuf, "[P % d] = 0x00000000 (0)/n", I );
_ Try {
If (PP [I])
Sprintf (szbuf, "[P % d] = 0x % 08x (% d)/T/" % S/"/N", I, PP [I], PP [I], PP [I]);
} _ Random t)
{
Sprintf (szbuf, "[P % d] = 0x % 08x (% d)/n", I, PP [I], PP [I]);
}
Fputs (szbuf, FP );
}
Fclose (FP );

Return (pfunction (P1, P2, P3, P4 ));
}

Extern "C" _ declspec (dllexport) api_hook apihookchain [2] = {
{"User32.dll", "messageboxa", hook_exact, null, null, mymessageboxa },
{Hooks_end}
};

Bool apientry dllmain (handle hmodule, DWORD ul_reason_for_call, lpvoid lpreserved)
{
Hmodule hdll = loadlibrary ("user32.dll ");
If (hdll)
{
Pfunction = (function *) getprocaddress (hdll, "messageboxa ");
Freelibrary (hdll );
}
Return true;
}
// -------------------------------- Myapihook. cpp file ended -----------------------------------------
The above example analyzes the MessageBox that everyone is familiar with. If you do not know the parameters of the function, you can easily know it through the method described above.
The function has a total of four parameters and returns a number.
So we can define this function:
Int winapi MessageBox (long P1, long P2, long P3, long P4 );
Then define a mymessageboxa function (this function can easily determine whether the parameter is a string)
Int winapi mymessageboxa (long P1, long P2, long P3, long P4)
The actual call content of the function that can be generated through this function,

// ------------ The following information is obtained on the author's machine -----------
List of parameter content, it is easy to determine whether it is a string, or is null
[P0] = 0x00000000 (0)
[P1] = 0x00416698 (4286104) "test dialog box"
[P2] = 0x004166a0 (4286112) "information"
[P3] = 0x00000040 (64)
//-------------------------------
Based on the above information, it is easy to know that the second and second parameters are strings. Then, you can easily know the actual usage of the parameter based on the content.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.