Thursday, June 23, 2011

DLL Export Viewer 1.50 (Freeware)

DLL Export Viewer displays the list of all exported functions and their virtual memory addresses for the specified DLL files. You can easily copy the memory address of the desired function, paste it into your debugger and set a breakpoint for this memory address. When this function is called, the debugger will stop at the beginning of this function.

For example: If you want to break each time that a message box is going to be displayed, simply put breakpoints on the memory addresses of message-box functions: MessageBoxExA, MessageBoxA and MessageBoxIndirectA (or MessageBoxExW, MessageBoxW and Message

When one of the message-box functions is called, your debugger should break at the entry point of that function, and then you can look at the call stack and work backward into the code that initiated this API call.

DLL Export Viewer doesn't require any installation process or additional DLLs. To start using it, just run the executable file, dllexp.exe.

When DLL Export Viewer is loaded, you have to choose one of the following options:
· Load all functions from standard system DLLs: This is the default option. If you select it, the exported API functions of standard Windows DLLs (kernel32.dll, user32.dll, and so on...) will be displayed.
· Load functions from the specified DLL file: If you select this option, you have to specify the DLL file that you want to load in the text-box below this option. You can also specify a wildcard for loading multiple DLL files. If for some reason, you want to view all API functions on your system, you can specify something like 'c:\windows\system32\*.dll' - but I must warn you... You'll get a very long functions list, probably more than 50,000 functions!
· Load functions from the DLL files specified in the following text file: If you select this option, the specified text file should contain a list of DLL files, separated by Enter characters (CR-LF). All exported functions from the specified DLLs will be loaded.
· Load functions from all DLLs attached to the selected process: This is the most useful option if you want to use this utility for debugging. Select the process that you are currently debugging, and the exported functions of all DLLs attached to the selected process will be displayed.

What's New in This Release:

· When an API export entry is a forwarded function that points to another function in another DLL (as in wsock32.dll and some functions in kernel32.dll and kernelbase.dll), DLL Export Viewer now displays the forwarder string that specifies the external function name, instead of the memory address.
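
How an export table yields either an address or a forwarder string, shown as an added example (not DLL Export Viewer's own code): in the PE format, an export whose RVA points inside the export directory itself is a forwarder string rather than code. The sketch assumes the image is laid out as mapped in memory, so an RVA is a buffer offset; the sample image and the names `RealFn`, `FwdFn` and `OTHER.TargetFn` are constructed for illustration.

```python
import struct

def cstr(img, off):
    """NUL-terminated ASCII string at offset off."""
    return img[off:img.index(b"\0", off)].decode("ascii")

def list_exports(img):
    """[(ordinal, name, target)]; target is an int RVA or a forwarder string.
    Assumes img is laid out as mapped in memory, so an RVA is a buffer offset."""
    pe = struct.unpack_from("<I", img, 0x3C)[0]
    if img[:2] != b"MZ" or img[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = pe + 24  # skip 4-byte signature and 20-byte COFF header
    magic = struct.unpack_from("<H", img, opt)[0]
    dirs = opt + {0x10B: 96, 0x20B: 112}[magic]  # PE32 / PE32+
    exp_rva, exp_size = struct.unpack_from("<II", img, dirs)  # directory entry 0
    if exp_rva == 0:
        return []
    base, n_funcs, n_names, funcs, names, ords = struct.unpack_from("<6I", img, exp_rva + 16)
    by_index = {}
    for i in range(n_names):  # name i belongs to function-table slot ords[i]
        slot = struct.unpack_from("<H", img, ords + 2 * i)[0]
        by_index[slot] = cstr(img, struct.unpack_from("<I", img, names + 4 * i)[0])
    out = []
    for slot in range(n_funcs):
        rva = struct.unpack_from("<I", img, funcs + 4 * slot)[0]
        if rva == 0:
            continue  # unused ordinal
        # An RVA that points inside the export directory is a forwarder string
        fwd = exp_rva <= rva < exp_rva + exp_size
        out.append((base + slot, by_index.get(slot), cstr(img, rva) if fwd else rva))
    return out

def build_sample():
    """Constructed image: one ordinary export and one forwarded export."""
    img = bytearray(0x200)
    img[0:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)                  # e_lfanew
    struct.pack_into("<H", img, 0x58, 0x20B)                 # PE32+ magic
    struct.pack_into("<II", img, 0xC8, 0x100, 0x80)          # export dir RVA, size
    struct.pack_into("<6I", img, 0x110, 1, 2, 2, 0x128, 0x130, 0x138)
    struct.pack_into("<II", img, 0x128, 0x1000, 0x150)       # code RVA, forwarder RVA
    struct.pack_into("<II", img, 0x130, 0x148, 0x140)        # name RVAs (sorted)
    struct.pack_into("<HH", img, 0x138, 1, 0)                # slot for each name
    for off, s in ((0x140, b"RealFn"), (0x148, b"FwdFn"), (0x150, b"OTHER.TargetFn")):
        img[off:off + len(s)] = s                            # buffer is already zero-filled
    return bytes(img)

print(list_exports(build_sample()))
```

For a DLL read from disk rather than from a loaded module, each RVA has to be translated to a file offset through the section table before it is dereferenced.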

