I would like to list all exported functions in a DLL and dump their bytes. It's pretty trivial to list all the exports using either dumpbin or rabin2 from the radare2 package. I also found a way to disassemble the whole DLL using dumpbin but there's no way to see function boundaries in the dump.

I'm looking for a way to disassemble (with bytes) or ideally just dump the bytes for a specific or all functions inside a DLL. I don't mind parsing the output if it's got some other information in it. I've tried all kinds of tools and so far I was not able to achieve what I need.

One of the possible directions would be to script radare2 to do that.

detunized
  • What you're asking is not necessarily as straightforward as it sounds in a stripped binary. Dumpbin can give you the (primary) entry point address, but how do you define the "end" of the function? First ret? Sure it's the only one? No helper functions or internal calls? Sure nothing jumped past it... or up above the entry? Sure you don't tail call out and never ret from here at all? – l.k Mar 17 '21 at 23:39
  • Makes sense. Maybe disasm from `r2` can do that because it has function detection logic. – detunized Mar 17 '21 at 23:53
  • maybe, I don't know it. I typically end up using a "dumb" tool to disassemble starting at the known entry and just reading for myself – l.k Mar 18 '21 at 00:01
  • I need it for automated testing, don't want to read it every time the CI runs =) – detunized Mar 18 '21 at 00:27
  • oh fair enough. dump to then :p – l.k Mar 18 '21 at 00:47
  • If you control the build, you can run it on a non-stripped binary, which makes it a lot easier. Every function, even `static` functions, should have symbols, and maybe even a size for each function. (Linux ELF objects have size metadata, IDK if DLLs do.) – Peter Cordes Mar 18 '21 at 19:22

1 Answer

In order to dump a function's bytes, you will have to know where that function ends.
You could do some static analysis which might work or you could do one of the following:

For 64-bit executables, you can parse the .pdata section which contains a list of RUNTIME_FUNCTIONs. DUMPBIN can do that using either the /unwindinfo or /pdata option.
Note that this may not include every exported function, see reference.

The second option, which works for both 32 and 64-bit executables, is to make use of the DIA SDK
(see IDiaSymbol::get_length). This should cover all exported and non-exported functions but requires you to have access to the executable's .pdb file.

Axalo
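The .pdata approach from the answer, as an added Python example that is not part of the answer or of any tool it names: it decodes the x64 RUNTIME_FUNCTION entries, maps each export RVA to its entry and slices the function bytes out of the file image. The section table, the image bytes and the export list are all constructed stand-ins for what a real PE parser would read from the headers; the export with no entry shows the caveat that .pdata does not cover every exported function.

```python
import struct

# x64 RUNTIME_FUNCTION: BeginAddress, EndAddress, UnwindInfoAddress (three 32-bit RVAs).
RUNTIME_FUNCTION = struct.Struct("<III")

def parse_pdata(pdata):
    """Decode .pdata into (begin_rva, end_rva, unwind_rva) tuples, stopping at zero padding."""
    entries = []
    for off in range(0, len(pdata) - RUNTIME_FUNCTION.size + 1, RUNTIME_FUNCTION.size):
        begin, end, unwind = RUNTIME_FUNCTION.unpack_from(pdata, off)
        if begin == 0 and end == 0:
            break
        entries.append((begin, end, unwind))
    return entries

def rva_to_offset(sections, rva):
    """Map an RVA to a file offset via the section table: (name, va, vsize, raw_ptr, raw_size)."""
    for _name, va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return raw_ptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} is not backed by any section")

def find_runtime_function(entries, rva):
    """Entry whose [begin, end) covers rva, or None when the export has no unwind data."""
    return next((e for e in entries if e[0] <= rva < e[1]), None)

def dump_exports(image, sections, exports):
    """name -> function bytes, or None when .pdata has no entry for that export."""
    pdata = next(s for s in sections if s[0] == ".pdata")
    entries = parse_pdata(image[pdata[3]:pdata[3] + pdata[4]])
    result = {}
    for name, rva in exports.items():
        rf = find_runtime_function(entries, rva)
        if rf is None:
            result[name] = None
            continue
        off = rva_to_offset(sections, rf[0])
        result[name] = bytes(image[off:off + rf[1] - rf[0]])
    return result

# Constructed stand-in for a PE64 image (not a real DLL): .text at RVA 0x1000 / file 0x400,
# .pdata at RVA 0x2000 / file 0x600. Real code reads these from the section table.
SECTIONS = [(".text", 0x1000, 0x200, 0x400, 0x200), (".pdata", 0x2000, 0x100, 0x600, 0x100)]
IMAGE = bytearray(0x800)
IMAGE[0x400:0x409] = b"\x48\x83\xec\x28\x48\x83\xc4\x28\xc3"  # sub rsp,0x28 ; add rsp,0x28 ; ret
IMAGE[0x410:0x413] = b"\x31\xc0\xc3"                          # xor eax,eax ; ret
IMAGE[0x420:0x421] = b"\xc3"                                  # leaf that got no .pdata entry
IMAGE[0x600:0x618] = RUNTIME_FUNCTION.pack(0x1000, 0x1009, 0x2040) + RUNTIME_FUNCTION.pack(0x1010, 0x1013, 0x2040)
EXPORTS = {"Foo": 0x1000, "Bar": 0x1010, "Baz": 0x1020}  # constructed export table (name -> RVA)

if __name__ == "__main__":
    for name, code in dump_exports(IMAGE, SECTIONS, EXPORTS).items():
        print(name, code.hex() if code else "no RUNTIME_FUNCTION entry; fall back to symbols/PDB")
```

For a real DLL, replace SECTIONS and IMAGE with values parsed from the PE headers and the export directory, and treat every None as a function whose boundary must come from the PDB or static analysis.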