This is a DLL built into Windows, odbc32.dll. The function is called LoadTraceDll().

The stack frame in Visual Studio 2008 is:

odbc32.dll!LoadTraceDll() + 0x42f bytes

I used a PE analyzer, but I don't see it in the export list of odbc32.dll.

My questions are:

  • How can I determine the parameter types and the return type (the method signature)?
  • How do I call it? Can I avoid calling it by its relative address?

The full stack trace is as follows:

ODBCTracer.dll!TraceVersion()  Line 2259    C++
odbc32.dll!LoadTraceDll()  + 0x42f bytes    
odbc32.dll!FInitTrace()  + 0xf3 bytes   
odbc32.dll!DllMain()  + 0x14692 bytes   
odbc32.dll!_CRT_INIT()  - 0x3e3 bytes   
ntdll.dll!LdrpRunInitializeRoutines()  + 0x1e8 bytes    
ntdll.dll!LdrpLoadDll()  - 0x336 bytes  
ntdll.dll!LdrLoadDll()  + 0x9e bytes    
KernelBase.dll!LoadLibraryExW()  + 0x13f bytes  
odbccp32.dll!LoadDM()  + 0x2a bytes 
odbccp32.dll!TracingPageProc()  + 0xc46 bytes   
user32.dll!UserCallDlgProcCheckWow()  - 0x180d bytes    
user32.dll!DefDlgProcWorker()  + 0xba bytes 
user32.dll!DefDlgProcW()  + 0x36 bytes  
user32.dll!UserCallWinProcCheckWow()  + 0x11d bytes 
user32.dll!InternalCreateDialog()  - 0xc7 bytes 
user32.dll!CreateDialogIndirectParamAorW()  + 0x5b bytes    
user32.dll!CreateDialogIndirectParamW()  + 0x18 bytes   
comctl32.dll!_CreatePageDialog()  + 0xb1 bytes  
comctl32.dll!_CreatePage()  + 0x161 bytes   
comctl32.dll!PageChange()  + 0xca bytes 
comctl32.dll!PropSheetDlgProc()  + 0x36e bytes  
user32.dll!UserCallDlgProcCheckWow()  + 0x11b bytes 
user32.dll!DefDlgProcWorker()  + 0xba bytes 
user32.dll!DefDlgProcW()  + 0x36 bytes  
user32.dll!UserCallWinProcCheckWow()  + 0x11d bytes 
user32.dll!SendMessageWorker()  + 0x158 bytes   
user32.dll!SendMessageW()  + 0x5d bytes 
comctl32.dll!CCSendNotify()  + 0xfbd bytes  
comctl32.dll!SendNotifyEx()  + 0x80 bytes   
comctl32.dll!ChangeSel()  + 0x2dc bytes 
comctl32.dll!Tab_OnLButtonDown()  + 0xfc bytes  
comctl32.dll!Tab_WndProc()  + 0x56d bytes   
user32.dll!UserCallWinProcCheckWow()  + 0x11d bytes 
user32.dll!DispatchMessageWorker()  + 0x12a bytes   
user32.dll!IsDialogMessageW()  + 0x102 bytes    
comctl32.dll!Prop_IsDialogMessage()  + 0x1f0 bytes  
comctl32.dll!_RealPropertySheet()  + 0x31b bytes    
comctl32.dll!_PropertySheet()  + 0x55 bytes 
odbccp32.dll!MainSheet()  + 0x18c bytes 
odbccp32.dll!SQLManageDataSources()  + 0x4b bytes   
odbcad32.exe!WinMain()  + 0x25b bytes   
odbcad32.exe!ODBC___GetSetupProc()  + 0x4ae bytes   
kernel32.dll!BaseThreadInitThunk()  + 0xd bytes 
ntdll.dll!RtlUserThreadStart()  + 0x21 bytes    

2 Answers

If you have symbols (a PDB file) for the image, you can retrieve non-exported symbols and their signatures, provided those symbols are public (in PDB public-versus-private parlance). Using DIA, you can match the symbols to the associated image file. See here for an example of how the mapping between PDB symbols and the image works.

Answered 2012-09-07T11:32:48.160

How can I determine the parameter types and the return type (the method signature)?

You can't.

(Well, you can, with some degree of confidence, but it requires strong reverse engineering skills. You have to disassemble the library, find how the function is defined and called, and from the typical operation sequences and the sizes of the arguments/variables you can infer what the parameter types and the return value might be.)

How do I call it? Can I avoid calling it by its relative address?

You can dlopen()... er... LoadLibrary() the DLL, then get its address with GetProcAddress(), store it in a function pointer, and call it:

#include <windows.h>
HMODULE hndl = LoadLibrary(TEXT("My.DLL"));   // maps the DLL into the process (or returns NULL)
// GetProcAddress resolves exported names only; cast the FARPROC it returns to the real signature
void (*func)() = hndl ? (void (*)())GetProcAddress(hndl, "MyFunction") : NULL;
if (func) func();                             // call only if both lookups succeeded
Answered 2012-09-06T21:27:31.903
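As an added example that belongs to neither answer, the following Python script parses the Visual Studio call-stack line format quoted in the question and turns a frame into an absolute address from a module base and a symbol RVA (the kind of value a PDB query through DIA supplies); the bases and RVAs in it are constructed sample values, not real load addresses. It also flags frames with a negative offset (as in several ntdll and user32 lines above), where the debugger only had a nearby public symbol rather than the enclosing function, which is the same situation as the non-exported LoadTraceDll.

```python
import re
from typing import NamedTuple, Optional

# Parser for the Visual Studio call-stack line format quoted in the question, e.g.
#   odbc32.dll!LoadTraceDll()  + 0x42f bytes
#   ntdll.dll!LdrpLoadDll()  - 0x336 bytes
#   ODBCTracer.dll!TraceVersion()  Line 2259    C++
FRAME_RE = re.compile(
    r"^(?P<module>[\w.]+)!(?P<func>[\w:<>~]+)\(\)\s*"
    r"(?:(?P<sign>[+-])\s*0x(?P<off>[0-9a-fA-F]+)\s*bytes"
    r"|Line\s+(?P<line>\d+)\s+\S+)?\s*$"
)


class Frame(NamedTuple):
    module: str
    func: str            # nearest symbol the debugger found, not necessarily the enclosing function
    offset: int          # signed byte offset of the frame address from that symbol
    line: Optional[int]  # source line, shown only when private symbols (a full PDB) are present


def parse_frame(text: str) -> Frame:
    m = FRAME_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised frame: {text!r}")
    off = int(m["off"], 16) if m["off"] else 0
    if m["sign"] == "-":
        off = -off
    return Frame(m["module"], m["func"], off, int(m["line"]) if m["line"] else None)


def resolve(frame: Frame, module_bases: dict, symbol_rvas: dict) -> tuple:
    """Absolute address of the frame: module base + symbol RVA + offset.
    module_bases and symbol_rvas come from the caller (in practice the debugger's
    module list and the PDB via DIA; the values used below are constructed).
    The second element is True when the offset is negative: the address lies
    before the named symbol, so the name is only the closest public symbol and
    the code belongs to a routine without a public symbol (an internal,
    non-exported function like the one in the question)."""
    addr = module_bases[frame.module] + symbol_rvas[(frame.module, frame.func)] + frame.offset
    return addr, frame.offset < 0


if __name__ == "__main__":
    # Constructed sample values, not real load addresses or RVAs.
    bases = {"odbc32.dll": 0x74A00000}
    rvas = {("odbc32.dll", "LoadTraceDll"): 0x1C3A0}
    f = parse_frame("odbc32.dll!LoadTraceDll()  + 0x42f bytes")
    print(f, hex(resolve(f, bases, rvas)[0]))
```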