
I have the start address of a loaded DLL, how can I discover and call its exports?

I'm writing an add-in that runs in-process. I'm reliably able to discover the memory address of a DLL that is already loaded in that process. The memory at the offset clearly shows an "MZ" DOS header and a "PE" header. Later, there appears to be the names of exported functions etc. This walks and talks like a loaded DLL.

So, now, I'd like to discover more about what the DLL is, and more interestingly, what I might be able to do with it.

I've used PE utilities in the past, but they've always worked with file-based DLLs. How can I list the exported functions of an in-memory DLL, other than by inspecting the process in a hex editor? Is there any way to discover the file-based DLL that is currently loaded? (I'm not overly familiar with the linking that I think takes place when the DLL is loaded.)

If I have the names of the exported functions, is it just a matter of trying to call those functions, and guessing their arguments and return values? Or is there some more robust reverse engineering that could be performed?

Given the starting address of the DLL, and a function name, how would I go about making a call in C#?

There are actually many questions here (and some are pretty vast). I'll try providing answers to some.

Apparently, getting the function signatures from a .dll is not a trivial task (sometimes it's quite impossible). Here are 3 URLs, but Google would yield tons of results on this topic:

But a .dll comes with one or more header file(s) that contain(s) (among other things) the function/class declarations. Lacking the header(s) would mean that either:

  • The .dll symbols are for internal purposes only (and not to be called "manually")
  • They are private (e.g. protected by a license), and in that case reverse engineering them wouldn't be very ethical

Anyway, considering that one way or another you get the function names and signatures, you can load the functions via [MSDN]: GetProcAddress function, and then call them.

Doing everything from .NET (C#) (again, function names and signatures are required) only adds an extra level of complexity, because C# code runs in a managed environment while C / C++ runs in a native environment, and when data is exchanged between the 2 environments it needs to be marshalled / unmarshalled ([MSDN]: Overview of Marshaling in C++).
Below are 3 URLs, but again, the Internet is full of information:
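The following is an added example and is not part of the answer above or of any project. It puts the answer's two points into C# for an in-process add-in: starting from the base address of an already-mapped module, it walks the PE export directory in memory (where the header fields are RVAs relative to the base, so no section-to-file-offset translation is needed, unlike in file-based PE tools), asks the loader which file on disk is mapped there, and then resolves one export with GetProcAddress and calls it through a delegate. Assumptions: Windows, a DLL of the same bitness as the calling process, and RVAs that fit in an int (true for normally sized images). kernel32.dll and its GetTickCount64 export are used only as stand-ins for "the DLL whose address I have" and "a function name", because that signature is documented and stable; the delegate must match the native signature exactly, and nothing in the export table tells you what that signature is.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Text;

// Added example (not the original answer's code). Assumes Windows and a DLL whose
// bitness matches this process. The HMODULE of a loaded module *is* its base address.
static class LoadedDllExports
{
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr GetModuleHandle(string lpModuleName);

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern uint GetModuleFileName(IntPtr hModule, StringBuilder lpFilename, uint nSize);

    [DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
    static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);

    // The delegate must match the native signature exactly; the export table carries no
    // type information. GetTickCount64 (no args, returns 64-bit, stdcall) is a safe stand-in.
    [UnmanagedFunctionPointer(CallingConvention.StdCall)]
    delegate ulong GetTickCount64Delegate();

    static uint U32(IntPtr b, int off) => (uint)Marshal.ReadInt32(b, off);
    static ushort U16(IntPtr b, int off) => (ushort)Marshal.ReadInt16(b, off);

    // Lists named exports of a mapped image as "name -> address". Forwarded exports
    // (entries whose RVA points back into the export directory) are reported as such.
    public static List<KeyValuePair<string, IntPtr>> ListExports(IntPtr imageBase)
    {
        if (U16(imageBase, 0) != 0x5A4D)                        // "MZ"
            throw new InvalidOperationException("No DOS header at this address");
        int peOff = Marshal.ReadInt32(imageBase, 0x3C);        // e_lfanew
        if (U32(imageBase, peOff) != 0x00004550)               // "PE\0\0"
            throw new InvalidOperationException("No PE signature");

        int optHdr = peOff + 4 + 20;                           // signature + IMAGE_FILE_HEADER
        ushort magic = U16(imageBase, optHdr);
        int dirOff = magic == 0x20B ? 112 : 96;                // DataDirectory: PE32+ vs PE32
        uint expRva = U32(imageBase, optHdr + dirOff);         // DataDirectory[0] = exports
        uint expSize = U32(imageBase, optHdr + dirOff + 4);
        var result = new List<KeyValuePair<string, IntPtr>>();
        if (expRva == 0) return result;                        // module exports nothing

        int exp = (int)expRva;                                 // IMAGE_EXPORT_DIRECTORY
        uint numNames = U32(imageBase, exp + 0x18);            // NumberOfNames
        int funcs = (int)U32(imageBase, exp + 0x1C);           // AddressOfFunctions
        int names = (int)U32(imageBase, exp + 0x20);           // AddressOfNames
        int ords = (int)U32(imageBase, exp + 0x24);            // AddressOfNameOrdinals (unbiased)

        for (int i = 0; i < numNames; i++)
        {
            string name = Marshal.PtrToStringAnsi(IntPtr.Add(imageBase, (int)U32(imageBase, names + 4 * i)));
            ushort idx = U16(imageBase, ords + 2 * i);
            uint funcRva = U32(imageBase, funcs + 4 * idx);
            // A forwarder is an ASCII string such as "NTDLL.RtlSomething", not code;
            // jumping to it would crash. GetProcAddress resolves forwarders for you.
            if (funcRva >= expRva && funcRva < expRva + expSize)
            {
                string target = Marshal.PtrToStringAnsi(IntPtr.Add(imageBase, (int)funcRva));
                result.Add(new KeyValuePair<string, IntPtr>(name + " -> forwarded to " + target, IntPtr.Zero));
            }
            else
            {
                result.Add(new KeyValuePair<string, IntPtr>(name, IntPtr.Add(imageBase, (int)funcRva)));
            }
        }
        return result;
    }

    static void Main()
    {
        // Stand-in for "the address I already discovered": GetModuleHandle returns the base.
        IntPtr baseAddr = GetModuleHandle("kernel32.dll");

        // Which file on disk is mapped here? The base address is the HMODULE.
        var path = new StringBuilder(260);
        GetModuleFileName(baseAddr, path, (uint)path.Capacity);
        Console.WriteLine($"Base 0x{baseAddr.ToInt64():X} is {path}");

        var exports = ListExports(baseAddr);
        Console.WriteLine($"{exports.Count} named exports; first few:");
        for (int i = 0; i < Math.Min(5, exports.Count); i++)
            Console.WriteLine($"  {exports[i].Key}");

        // Calling one: resolve by name, then bind to a delegate with the matching signature.
        IntPtr fp = GetProcAddress(baseAddr, "GetTickCount64");
        if (fp == IntPtr.Zero) throw new EntryPointNotFoundException("GetTickCount64");
        var tick = Marshal.GetDelegateForFunctionPointer<GetTickCount64Delegate>(fp);
        Console.WriteLine($"GetTickCount64() = {tick()}");
    }
}
```

The export walk only tells you what names exist and where their code is; it does not tell you argument counts, types or calling convention, which is the point the answer makes about needing headers or documentation. For the actual call, prefer GetProcAddress over the raw table: it follows forwarders and handles ordinal-only exports, whereas the table walk above is what you use to see what is there in the first place.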
