Find address of DLL - Same Instance

Hi

How do I get a list of the associated DLLs of another application?
And then get the address of the DLL?

The whole idea is that I will set up a filter in the list function, so that when, let's say, it finds a DLL called "a.dll", it collects the address.

So when I have the address I can call this dll with a function (GetProcAddress). Then I use the same instance.

DelphiUK Asked:

cebasso Commented:
I think it's not possible... using the "handle" of a DLL loaded from another app...
You can use GetModuleHandle, but it works only when the DLL was already loaded by the caller... like "kernel32.dll" for example, which is always loaded by any app,
so to use any function from Kernel32.dll, you don't need to load it again dynamically, you can call GetModuleHandle since it's already loaded by the app.
With the method above by @systan you can really load dynamically, but how will you get the DLL handle that was loaded by another app?
I already tried this one time... to share variables and other things... all my answers here and on other forums were "not possible" :/
Maybe I'm wrong and I hope I am... but I think it's really not possible.
Regards
0
CodedK Commented:
You can get the list of all DLLs that are exported from the application though (...along with the addresses).

Something like this :

dexp.gif
0
DelphiUK Author Commented:
Ok, but how do I do it??
0
DelphiUK Author Commented:
But if I get the exported list, I don't find the same address that the other application has loaded. Because that address could change from time to time when it is loaded. So I don't find the same instance??
0
DelphiUK Author Commented:
I have tried with the code below.
"GetCurrentProcess" is replaced with the handle of the external application.

It works, BUT it only lists the system DLLs. It doesn't list any custom DLLs which the external application uses (the custom DLL is loaded with the LoadLibrary function).
The code below can only receive the handle number from the custom DLL, not the file name. So when I only have the DLL handle number it could be difficult to find the right handle because I don't know which one??

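var mods: array[0..1023] of HMODULE;
    need: Cardinal;
    cnt: Integer;
    file_name: array[0..MAX_PATH] of Char;
begin
  // Requires Windows and PsAPI in the uses clause.
  FillChar(mods, SizeOf(mods), 0);
  need := 0;
  // The buffer size is given in bytes; need receives the number of bytes required.
  if not EnumProcessModules(GetCurrentProcess, @mods[0], SizeOf(mods), need) then
    Exit;
  if need > SizeOf(mods) then
    need := SizeOf(mods);
  // need is a byte count, so divide by the handle size to get the module count.
  for cnt := 0 to Integer(need div SizeOf(HMODULE)) - 1 do begin
    // GetModuleFileName resolves handles in the calling process only; for handles
    // enumerated from another process, GetModuleFileNameEx takes the process handle.
    GetModuleFileName(mods[cnt], file_name, MAX_PATH);
    Memo1.Lines.Add(ExtractFileName(file_name) + ' ' + (IntToStr(GetModuleHandle(file_name))));
  end;
end;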

0
CodedK Commented:
I can get the list of all the functions with Delphi but I can't get relative addresses.
Use the NirSoft application if possible.
http://www.nirsoft.net/utils/dll_export_viewer.html
0
DelphiUK Author Commented:
Okay, but I need the absolute address. Is there a way maybe to calculate the absolute address, so I get the same instance??

Or is there another way to solve the problem?
0
DelphiUK Author Commented:
A way to do it could be to read the Relative Virtual Address in the DLL file (PE format) and then calculate the absolute address by changing the formula below.


Relative Virtual Address
RVA = Absolute Address in memory – Base address


0
DelphiUK Author Commented:
absolute address = module base address + relative address.
0
DelphiUK Author Commented:
I have now tried some things. And it seems to me that it is not possible, just like "cebasso" wrote.

I was able to get the absolute address for a function in a DLL which was loaded by another external application.

Then I was thinking, when I try to run the function by assigning the address instead of using "GetProcAddress" I get an error.
In assembly it would look like this
asm
  mov eax, Function_DLL_Address  // load the function address into eax
  call eax                       // call the function
end

This is not possible because the DLL file was loaded by the external application, not by this application. The call will try to go to this address within the application's memory area. And since the DLL isn't in the memory area of this application, an error occurs.

That is my version of the problem. Maybe someone has another version of the problem.

"This application" means the application that is trying to obtain the absolute address and run the function. So there is only one instance.

0

systan Commented:
Hello

Since this post will be deleted,
Just asking, are you trying to make an antivirus or a virus? or like a PE explorer?

and a question for this:
Relative Virtual Address
RVA = Absolute Address in memory – Base address
absolute address = module base address + relative address.

I can't find the RVA in a PE explorer, what do you mean absolute address? is it the Address of Entrypoint?
Base Address? is it the <Image Base> in other words?
Relative address? in other words <entrypoint>?
0
DelphiUK Author Commented:
I am trying to make a program like PE explorer.

When I am writing "absolute address" I mean the real address where I can find the address in the memory.

Because the relative address is only where I can find the function IF the DLL module has been loaded into the memory starting at the image base address.

And it is not possible all the time, so I need to find the absolute address.

0
systan Commented:
So, in other words, you need to know the RVAddress of each function inside all the .dLLs or the .dLL you want?  I hope this is possible.
0
systan Commented:
Oh!

Your post about "GetProcAddress without LoadLibrary only by knowing handle"
http://www.experts-exchange.com/Programming/Languages/Pascal/Delphi/Q_24765090.html

I've also downloaded the sample code from ThievingSix's link, it works fine, but what's the point of the code? Where can it be applied? Injecting what? Can you give me some detail of what you're achieving here? Why did you ask for GetProcAddress, and now the RVA? What's going to happen if you get all the code right?

0
DelphiUK Author Commented:
What I was trying to do is to call a function in a DLL which is loaded by another program.

Let's say program "Main.exe" loads "test.dll", function "Hello".

Now I have program "a.exe" that wants to call function "Hello", but with the same instance as "main.exe".

If I use "loadlibrary()" to load "test.dll" in program "a.exe" I don't get the same instance.
So I need to find the address where the program "main.exe" has loaded "test.dll".

To do this I read some of the PE format in "test.dll" to get the relative address for function "hello()".
Then I found the image base for "test.dll" in memory (EnumProcessModules()).
By adding these two values I got the correct address.

The problem occurs when program "a.exe" tries to call this address directly.
I'm not exactly sure why it won't work, but I did get an error. And when I debugged it I could see that the "a.exe" program goes to the correct address. But it didn't work, maybe it is some kind of memory security in Windows???

So what I did to solve this problem was to allocate some memory in "main.exe" from "a.exe" (VirtualAllocEx()). And then I injected some code in this memory. Then I just called the correct address (adding image base and relative address to "hello()" function) and it worked!

So now it is working.

Of course you need to know if there are some arguments for the "hello()" function. Because it was me who had created the "hello()" function I did know if there were any arguments.

I am only doing this as an experiment, to learn more about Windows memory and to have it work.
0
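The address arithmetic described in the post above (export RVA read from the DLL file, plus the module base), as an added example that is not part of the thread or of the poster's demo. The names `export_rvas`, `build_sample` and `absolute_address`, the byte image and the two base addresses are constructed for illustration; forwarded exports are skipped because they have no code in the module.

```python
import struct

def export_rvas(data):
    """Map exported name -> RVA by walking the export directory of a PE file."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24                                           # optional header start
    pe32 = struct.unpack_from("<H", data, opt)[0] == 0x10B  # else PE32+
    exp_rva, exp_size = struct.unpack_from("<II", data, opt + (96 if pe32 else 112))
    # Per section: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    secs = [struct.unpack_from("<4I", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    def off(rva):                                           # RVA -> file offset
        for vsize, va, rawsize, rawptr in secs:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + rawptr
        raise ValueError("RVA 0x%X is outside every section" % rva)
    if exp_rva == 0:                                        # no export directory
        return {}
    nnames, funcs, names, ords = struct.unpack_from("<4I", data, off(exp_rva) + 24)
    out = {}
    for i in range(nnames):
        name_rva = struct.unpack_from("<I", data, off(names) + 4 * i)[0]
        index = struct.unpack_from("<H", data, off(ords) + 2 * i)[0]
        func_rva = struct.unpack_from("<I", data, off(funcs) + 4 * index)[0]
        name = data[off(name_rva):].split(b"\0", 1)[0].decode("ascii")
        if not exp_rva <= func_rva < exp_rva + exp_size:    # skip forwarders
            out[name] = func_rva
    return out

def build_sample():
    """Constructed minimal PE32 image exporting 'Hello' at RVA 0x1010 (not a real DLL)."""
    img = bytearray(0x300)
    struct.pack_into("<2s58xI", img, 0, b"MZ", 0x40)                  # DOS header
    struct.pack_into("<4sHH12xHH", img, 0x40, b"PE\0\0", 0x14C, 1, 0xE0, 0x2102)
    struct.pack_into("<H94xII", img, 0x58, 0x10B, 0x1020, 0x80)       # magic, export dir
    struct.pack_into("<8s4I", img, 0x138, b".edata", 0x100, 0x1000, 0x100, 0x200)
    struct.pack_into("<20x5I", img, 0x220, 1, 1, 0x1050, 0x1058, 0x1060)
    struct.pack_into("<I4xI", img, 0x250, 0x1010, 0x1070)   # function RVA, name RVA
    img[0x270:0x276] = b"Hello\0"
    return bytes(img)

def absolute_address(module_base, rva):
    return module_base + rva                                # base + RVA, as in the thread

if __name__ == "__main__":
    rva = export_rvas(build_sample())["Hello"]
    for base in (0x10000000, 0x6A2B0000):                   # constructed load addresses
        print(hex(base), "->", hex(absolute_address(base, rva)))
```

The RVA is the same for every load of the file, while the base has to be read per process (for example with EnumProcessModules on the target process), and the resulting address refers to that process's address space only.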
systan Commented:
Hello

Can you send me a demo of your work, that you said <and it work!
So now it is working.>

You can attach the file here, just rename your .EXE and .DLL to bmp, or jpg

I'm interested in your explorations.  Please let me have the files, so I may understand it well, if you're willing to.

Thanks
Good luck with your project.
0
DelphiUK Author Commented:
Okay I will make a demo for you, I will do it tomorrow.
0
systan Commented:
I'm excited to know what you are trying to do,
I'll be waiting...

I hope you can send it before this post is closed
0
systan Commented:
Oops!  I don't think I can have the sample .EXE .DLL .DLL .EXE code, but I'll be waiting for the result ... just comment on my open post if you've got one.
Thanks
0
systan Commented:
Oh! Sorry, I think you clicked the Object Button to keep this post open. OK, thank you again, I'll wait for the demo (I'm just too excited), and if you haven't found the RVA, just tell me, I can help you find it to close this post.
0
systan Commented:
OK, I'll wait for the demo, now that this has been closed.
0
DelphiUK Author Commented:
I will create it tomorrow again... I have been busy today
0
DelphiUK Author Commented:
Here you've got the sample. You have to rename the file to .RAR.

Demo.bmp
0
systan Commented:
Thanks, I'll view it.
0
systan Commented:
Amazing mine,
I think you're building an antivirus, good work.
Thanks.
0