5

I have a DLL file that is being used by a video player application. The video player uses that DLL to export videos in the AVI file format. How can I find out how the application uses the DLL, so that I can execute it externally?

I have a copy of the file here on Dropbox.


tinyCoder

3 Answers

4

As Raymond said, there's no formal way to inspect the interfaces supported by a DLL.

At best you have these options:

  1. Type `dumpbin /exports lkExport.dll` to see what functions are exported. You won't see the function signatures or return types, but perhaps you'll recognize it as some well known plugin interface standard for your particular application. Perhaps the media player application itself has a plugin SDK where these functions are documented. In your case, I see what appears to be Java bindings also exported by this DLL... that might be an avenue to explore.

  2. Try seeing if the DLL is for COM and exports a type library. I didn't see any of the usual COM functions exported, but you can load the DLL in Visual Studio with the resource editor and look for one.

  3. The resource editor didn't reveal a type library, so that likely rules out COM. But it does reveal an art resource showing hints showing the name of the product or company that made the DLL. I see both "Linktivity" and "Inter-Tel (Delaware), Inc." listed. A quick web search reveals they may be out of business, but you're probably a smart and resourceful person...

  4. The only thing left to do is attempt to hook up a debugger (e.g. windbg) to the application that loads the DLL and set breakpoints on the exported functions and disassemble the stack and try to infer the function parameter types, return values, and meaning of each. I suspect that's going to be very hard to do if you don't have the PDB symbol file that corresponds to the build of that DLL. (Maybe you can set a bp on an exported DLL function without symbols? I've never tried...) There are some folks out there that can do this type of stuff...

Some hints:

dumpbin /exports lkExport.dll

```
C:\Users\jselbie\Downloads>dumpbin /exports lkExport.dll
Microsoft (R) COFF/PE Dumper Version 14.11.25506.0
Copyright (C) Microsoft Corporation.  All rights reserved.


Dump of file lkExport.dll

File Type: DLL

  Section contains the following exports for lkExport.dll

    00000000 characteristics
    47606859 time date stamp Wed Dec 12 15:01:45 2007
        0.00 version
           1 ordinal base
          14 number of functions
          14 number of names

    ordinal hint RVA      name

          1    0 00001A80 DispatchMsg
          2    1 00001AD0 Init
         10    2 00001D00 ReceiveMsg
         11    3 00001D90 SendMsg
         12    4 00001DB0 SendMsgProc
         13    5 00001B70 Start
         14    6 00001C40 Stop
          3    7 00001A40 _Java_linktivity_nativecontrols_ExportAppletDll_DispatchMsg@20
          4    8 000018B0 _Java_linktivity_nativecontrols_ExportAppletDll_Initialize@24
          5    9 00001980 _Java_linktivity_nativecontrols_ExportAppletDll_ReceiveMsg@16
          6    A 00001920 _Java_linktivity_nativecontrols_ExportAppletDll_ReceiveNodeMsg@20
          7    B 000019C0 _Java_linktivity_nativecontrols_ExportAppletDll_SendMsgProc@16
          8    C 00001900 _Java_linktivity_nativecontrols_ExportAppletDll_Start@8
          9    D 00001910 _Java_linktivity_nativecontrols_ExportAppletDll_Stop@8
```

selbie
  • 1
    See https://stackoverflow.com/questions/437432/is-there-a-way-to-find-all-the-functions-exposed-by-a-dll to find the exposed DLL functions, and if you want to see how the application uses the DLL file you can wrap the DLL (or even hijack it) with your own proxy DLL (just rename the original DLL and place your own build of it to pass through and record/log the calls to the original DLL). – Wolfgang Oct 06 '17 at 18:44
  • @Wolfgang - how would you implement a proxy DLL if you didn't know the function signature or return type of each exported function? – selbie Oct 06 '17 at 21:20
  • @selbie thank you very much for your detailed answer. Here is the actual problem that led me, after deep investigation, to find the DLL that could help me; I thought it might be useful to tell you. Please have a look: https://stackoverflow.com/questions/43306959/create-lrec-file-extension-reader-for-mobile – tinyCoder Oct 06 '17 at 21:31
  • Does this mean anything? I recorded it while exporting the video from the application using that DLL: https://imgur.com/a/2HXV5 – tinyCoder Oct 06 '17 at 22:29
  • 1
    @selbie, https://stackoverflow.com/questions/437432/is-there-a-way-to-find-all-the-functions-exposed-by-a-dll – Wolfgang Oct 07 '17 at 19:43
  • 1
    @Wolfgang - unless it's a .NET DLL, to the best of my knowledge, none of those solutions discussed at the link you provided will detect the function signature and return type of an exported DLL function. Otherwise, getting the names of the functions is about the only thing possible when dealing with native code DLLs. But I encourage you to prove me wrong. Go get tinyCoder's DLL from the link he provides and show me the function signatures of all the exported functions returned by the `dumpbin` output above. You'll not only impress me, you'll get all of tinyCoder's bounty. :) – selbie Oct 08 '17 at 02:08
  • @selbie, are you saying we cannot go any further than what we found? – tinyCoder Oct 08 '17 at 18:02
  • I don't know how to go further. There's the possibility of attaching windbg and setting breakpoints on the exported function. I would love to see that Wolfgang guy above who keeps commenting with the same link show something that I'm missing. But what I see exported from the DLL is not the codec interface, but what appears to be the functions to host the GUI dialog. So even if we did get the function signatures figured out, that would only enable us to bring up the same dialog as the Linktivity app itself shows. – selbie Oct 09 '17 at 21:08
  • Thank you all, I didn't get my desired answer yet and still trying to find a way, but thanks to @selbie for the detailed explanation, bounty is ending and I need to award it. – tinyCoder Oct 13 '17 at 12:58
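An added example (not part of any answer above, and not the vendor's code): a short Python pass over the export names in the `dumpbin` output, reading what the decorated names do encode. It assumes a 32-bit DLL, where the `_name@N` stdcall decoration gives the argument byte count and every JNI native takes `JNIEnv*` plus a `jobject`/`jclass` first; `describe` and `unmangle_jni` are illustrative names, and the JNI `_0xxxx` Unicode escape is not handled.

```python
import re

# Export names copied from the dumpbin output on this page.
EXPORTS = [
    "DispatchMsg", "Init", "ReceiveMsg", "SendMsg", "SendMsgProc", "Start", "Stop",
    "_Java_linktivity_nativecontrols_ExportAppletDll_DispatchMsg@20",
    "_Java_linktivity_nativecontrols_ExportAppletDll_Initialize@24",
    "_Java_linktivity_nativecontrols_ExportAppletDll_ReceiveMsg@16",
    "_Java_linktivity_nativecontrols_ExportAppletDll_ReceiveNodeMsg@20",
    "_Java_linktivity_nativecontrols_ExportAppletDll_SendMsgProc@16",
    "_Java_linktivity_nativecontrols_ExportAppletDll_Start@8",
    "_Java_linktivity_nativecontrols_ExportAppletDll_Stop@8",
]

STDCALL = re.compile(r"^_(?P<name>.+)@(?P<bytes>\d+)$")  # x86 __stdcall decoration
JNI_ESCAPES = {"_1": "_", "_2": ";", "_3": "["}


def unmangle_jni(name):
    """Split 'Java_pkg_Class_method' into ('pkg.Class', 'method')."""
    body = name[len("Java_"):].split("__")[0]  # drop an overload signature suffix
    # '_' followed by a digit is a JNI escape; any other '_' is a separator.
    parts = re.split(r"_(?![0-9])", body)
    parts = [re.sub(r"_[123]", lambda m: JNI_ESCAPES[m.group()], p) for p in parts]
    return ".".join(parts[:-1]), parts[-1]


def describe(export, ptr_size=4):
    """Return what the export name alone reveals (ptr_size=4 assumes x86)."""
    m = STDCALL.match(export)
    if not m:
        # Undecorated names (e.g. exported via a .def file) carry no size
        # information and do not reveal the calling convention.
        return {"export": export, "convention": "undecorated", "arg_bytes": None}
    info = {"export": export, "convention": "stdcall", "arg_bytes": int(m["bytes"])}
    if m["name"].startswith("Java_"):
        cls, method = unmangle_jni(m["name"])
        # Subtract the implicit JNIEnv* and jobject/jclass parameters.
        info.update(java_class=cls, java_method=method,
                    java_arg_bytes=info["arg_bytes"] - 2 * ptr_size)
    return info


if __name__ == "__main__":
    for name in EXPORTS:
        print(describe(name))
```

The leftover byte count is not a parameter count: a `jlong` or `jdouble` occupies 8 bytes, so 12 bytes may be three 4-byte values or one 8-byte and one 4-byte value.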
2

I think you could succeed with WinAPIOverride.

It allows you to inspect all the calls to the DLL and see what goes in and what goes out of each call. You use this live, almost like a debugger, but it's explicitly made to help understand how a DLL works.

Prof. Falken
1

Well, when we are talking about DLLs and how to implement them, it is necessary to have the documentation of the DLL, even more so if it is a private library, which is not an open product to be used.

In this case, with the library that you shared, you are talking about a standard library which can be analyzed with several tools, for example Dependency Walker, to check what interfaces are available in the DLL, but you can get the information of how to use it with parameters and if the interfaces return some type. Also, you can see what other libraries are required by this file, as you can see in the image below.

So, in your case you should have the documentation to see how to use and implement the library in your code.

enter image description here

Jorge Omar Medra
  • Thank you, but as you see in the comments above, I am already using Dependency Walker, but it didn't provide me with anything I can use. – tinyCoder Oct 12 '17 at 21:26
  • Yes, and the information that Dependency Walker shows is the same that @selbie shared with us. The main point is that you want to know how to invoke each method of this DLL and what they (the methods) return. You may try reversing the code with IDA Pro, or other software like that. It is used to decompile the DLL and try to understand the code. Check this answer: https://stackoverflow.com/questions/15148950/how-to-reverse-a-dll-into-c-code – Jorge Omar Medra Oct 12 '17 at 21:37