How to determine what DLL's a binary depends on using programmatic methods?
To be clear, I am not trying to determine the DLL dependencies of the running exec, but of any arbitrary exec (that may be missing a required DLL). I'm looking for a solution to implement in a C/C++ application. This is something that needs to be done by my application at runtime and can't be done by a third party app (like depends).
Take a look at the IMAGE_LOAD_FUNCTION API. It will return a pointer to a LOADED_IMAGE structure, which you can use to access the various sections of a PE file.
You can find some articles that describe how the structures are laid out here, and here. You can download the source code for the articles here.
I think this should give you everything you need.
Update:
I just downloaded the source code for the article. If you open up EXEDUMP.CPP and take a look at DumpImportsSection it should have the code you need.
76 lines to do that based on pedump code (don't forget to add Imagehlp.lib as dependancy):
#include <stdio.h>
#include "windows.h" //DONT REMOVE IT
#include "ImageHlp.h"
#include "stdafx.h"
template <class T> PIMAGE_SECTION_HEADER GetEnclosingSectionHeader(DWORD rva, T* pNTHeader) // 'T' == PIMAGE_NT_HEADERS
{
PIMAGE_SECTION_HEADER section = IMAGE_FIRST_SECTION(pNTHeader);
unsigned i;
for ( i=0; i < pNTHeader->FileHeader.NumberOfSections; i++, section++ )
{
// This 3 line idiocy is because Watcom's linker actually sets the
// Misc.VirtualSize field to 0. (!!! - Retards....!!!)
DWORD size = section->Misc.VirtualSize;
if ( 0 == size )
size = section->SizeOfRawData;
// Is the RVA within this section?
if ( (rva >= section->VirtualAddress) &&
(rva < (section->VirtualAddress + size)))
return section;
}
return 0;
}
template <class T> LPVOID GetPtrFromRVA( DWORD rva, T* pNTHeader, PBYTE imageBase ) // 'T' = PIMAGE_NT_HEADERS
{
PIMAGE_SECTION_HEADER pSectionHdr;
INT delta;
pSectionHdr = GetEnclosingSectionHeader( rva, pNTHeader );
if ( !pSectionHdr )
return 0;
delta = (INT)(pSectionHdr->VirtualAddress-pSectionHdr->PointerToRawData);
return (PVOID) ( imageBase + rva - delta );
}
void DumpDllFromPath(wchar_t* path) {
char name[300];
wcstombs(name,path,300);
PLOADED_IMAGE image=ImageLoad(name,0);
if (image->FileHeader->OptionalHeader.NumberOfRvaAndSizes>=2) {
PIMAGE_IMPORT_DESCRIPTOR importDesc=
(PIMAGE_IMPORT_DESCRIPTOR)GetPtrFromRVA(
image->FileHeader->OptionalHeader.DataDirectory[1].VirtualAddress,
image->FileHeader,image->MappedAddress);
while ( 1 )
{
// See if we've reached an empty IMAGE_IMPORT_DESCRIPTOR
if ( (importDesc->TimeDateStamp==0 ) && (importDesc->Name==0) )
break;
printf(" %s\n", GetPtrFromRVA(importDesc->Name,
image->FileHeader,
image->MappedAddress) );
importDesc++;
}
}
ImageUnload(image);
}
//Pass exe or dll as argument
int _tmain(int argc, _TCHAR* argv[])
{
DumpDllFromPath(argv[1]);
return 0;
}
That's not possible to determine. At least not without a whole lot of work. Any binary can call LoadLibrary to load a DLL. Even if you were to scan the code for all calls to LoadLibrary, you would have to determine what strings were being used to ID the library. Tracking down where in dynamic memory the string has been placed is going to be harder than you want to tackle.
Dependency Walker can do this by using the profile menu, if you have a target executable. Simply load the executable, tell it to start profiling, and it'll list all the modules loaded while executing the program.
In a nutshell, you need to scan the PE file's imports section for each DLL used by the executable. Then recursively locate and scan each dll until you've found all the dependencies.
Of course, apps can use the LoadLibrary family of functions for required or optional functionality. That won't be detected with this method.
How about a DLL that you can call to calculate all this information for you and pass back the answer as an array of CStrings?
PE Format DLL can do this for you. Supplied with source code, no GPL restrictions. PE File Explorer is a GUI app that uses the DLL, also supplied with source (no GPL).
