flat assembler
Message board for the users of flat assembler.

Index > Windows > how to list all of the functions inside the running process

Author
Thread Post new topic Reply to topic
extra_12345



Joined: 21 Apr 2020
Posts: 28
extra_12345
hey everyone
i'm been wondering and searching for a long time on how to achieve this.
how to list all of the functions inside the running process?
Post 13 Dec 2020, 16:34
View user's profile Send private message Reply with quote
DimonSoft



Joined: 03 Mar 2010
Posts: 1006
Location: Belarus
DimonSoft
What is your definition of “list”? Names? Addresses? What if there’s no name for a function? Which functions are to be listed: imported, exported, both? Should internal ones be on the list too? Methods?
Post 13 Dec 2020, 18:13
View user's profile Send private message Visit poster's website Reply with quote
extra_12345



Joined: 21 Apr 2020
Posts: 28
extra_12345
well,i want to list all of the imported and exported functions with names and addresses inside the running process.
Post 13 Dec 2020, 20:44
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 18449
Location: In your JS exploiting you and your system
revolution
1. Start your debugger.
2. Attach to the process.
3. Halt all threads.
4. Analyse all executable sections.
5. Find the target address of every call.
6. Match those addresses to the import/export names in the tables.

Note 1: Not all DLLs and exes use names to bind. Some use only ordinals, so no names are available.
Note 2: This only lists functions currently bound, so future or past (un)binding events won't be shown.
Post 14 Dec 2020, 03:57
View user's profile Send private message Visit poster's website Reply with quote
extra_12345



Joined: 21 Apr 2020
Posts: 28
extra_12345
revolution wrote:
1. Start your debugger.
2. Attach to the process.
3. Halt all threads.
4. Analyse all executable sections.
5. Find the target address of every call.
6. Match those addresses to the import/export names in the tables.

Note 1: Not all DLLs and exes use names to bind. Some use only ordinals, so no names are available.
Note 2: This only lists functions currently bound, so future or past (un)binding events won't be shown.

i want to achieve this with coding otherwise i know how to do it using debugger.
Post 14 Dec 2020, 12:18
View user's profile Send private message Reply with quote
extra_12345



Joined: 21 Apr 2020
Posts: 28
extra_12345
ok let me clarify what i'm after,let's say there is function inside the virtual space of the running process ,i only have the name of this function and i want to get the start address of this function,how can i achieve this with win api?note that the function is running inside the virtual space and there is no modules so getprocaddress is out of choice here.
Post 14 Dec 2020, 17:53
View user's profile Send private message Reply with quote
Feryno



Joined: 23 Mar 2005
Posts: 479
Location: Czech republic, Slovak republic
Feryno
for microsoft executables you can download pdb from microsoft symbol server, for binary created by you you need to compile it with debug info
then you can use https://docs.microsoft.com/en-us/windows/win32/api/dbghelp/nf-dbghelp-symfromaddr
Post 14 Dec 2020, 18:17
View user's profile Send private message Visit poster's website ICQ Number Reply with quote
extra_12345



Joined: 21 Apr 2020
Posts: 28
extra_12345
i believe this can't be used to retrieve a symbol address from another process's virtual space?
Post 15 Dec 2020, 11:41
View user's profile Send private message Reply with quote
Furs



Joined: 04 Mar 2016
Posts: 1764
Furs
Post 15 Dec 2020, 18:39
View user's profile Send private message Reply with quote
Ali.Z



Joined: 08 Jan 2018
Posts: 509
Ali.Z
extra_12345 wrote:
ok let me clarify what i'm after,let's say there is function inside the virtual space of the running process ,i only have the name of this function and i want to get the start address of this function,how can i achieve this with win api?note that the function is running inside the virtual space and there is no modules so getprocaddress is out of choice here.


"ok let me clarify what i'm after,let's say there is function inside the virtual space of the running process ,i only have the name of this function and i want to get the start address of this function"

if the function is exported then you retrieve the address using the name.

~

"note that the function is running inside the virtual space and there is no modules so getprocaddress is out of choice here."

every user mode process have at least 3 modules if the OS is older than Windows 7, otherwise at least 4 modules.

beside all that you did not provide any information about what you are trying to achieve, is the module DLL or EXE? do you want to call that function externally/internally? do you want to hook that function?

regardless of what you are trying to do, there are always multiple ways to do most things.

~

Ali.Z wrote:
if the function is exported then you retrieve the address using the name.

otherwise you can get its address by subtracting image base from function address to get the offset.

_________________
Asm For Wise Humans
Post 16 Dec 2020, 03:38
View user's profile Send private message Reply with quote
extra_12345



Joined: 21 Apr 2020
Posts: 28
extra_12345
ok let me explain it more thoroughly what i'm after by providing an example.

let's say there's symbol or function named "GetItemVal' inside the virtual space of another running process and this symbol or function isn't located inside any type of module including executable during runtime and it gets created and written to a different random virtual memory each time application runs and this makes GetProcAddress useless since the symbol or function isn't located inside any module,now how can i retrieve the address of this symbol or function?
Post 20 Dec 2020, 11:10
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 18449
Location: In your JS exploiting you and your system
revolution
When you say "module" do you mean a DLL?

If the function isn't named in a DLL or an exe then how/where is it named? Are you asking about the name in the source file?
Code:
;...
GetItemVal: ; <--- this name never appears in the exe or DLL, it is just a raw address
 ;do stuff
 ret
;...    
Post 20 Dec 2020, 11:15
View user's profile Send private message Visit poster's website Reply with quote
extra_12345



Joined: 21 Apr 2020
Posts: 28
extra_12345
with module i meant dll and executable.
let's say the function "GetItemVal" isn't located inside a dll or executable during runtime instead it's located in some random allocated memory and all i have is the function name "GetItemVal" and i want to retrieve the base address of this function.

Code:
proc GetItemVal ;=is located at random memory

;do stuff
ret

endp    


Code:
proc CreateToolhelp32Snapshot ;=is located at kernel32.dll and therefore "GetProcAddress" would retrieve the start address of "CreateToolhelp32Snapshot'"

;do stuff
ret

endp
    
Post 20 Dec 2020, 12:18
View user's profile Send private message Reply with quote
Ali.Z



Joined: 08 Jan 2018
Posts: 509
Ali.Z
extra_12345 wrote:
isn't located inside any type of module including executable during runtime and it gets created and written to a different random virtual memory each time application runs

extra_12345 wrote:
isn't located inside a dll or executable during runtime instead it's located in some random allocated memory


its still inside a module, which is the executable; in other words the main image.

Ali.Z wrote:
otherwise you can get its address by subtracting image base from function address to get the offset.


run your target program inside a debugger, go to that function .. grab it address then subtract that address from allocation base to get your function offset, then find a pointer in your target that points to the new memory allocation, finally subtract the pointer address from image base to get an offset.

then next time from YOUR application you can use CreateToolhelp32Snapshot and Process32First, Process32Next and then finally Module32First.

you will get the image base for your target module (your target process), so use read process memory and pass it imagebase+pointerOFFSET, you will get whatever inside that pointer which should be the address of the newly allocated memory for code, then just add the function offset to allocation base you got and thats the final address.

_________________
Asm For Wise Humans
Post 20 Dec 2020, 12:45
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 18449
Location: In your JS exploiting you and your system
revolution
If you search the binary file for "GetItemVal" as text, is it there? If not then there is no way to know its name, you will have to look at the source code, or get the debug symbols dump.

Usually executable files only publish export names when they need to, else all functions are anonymous with no name attached.
Post 20 Dec 2020, 12:51
View user's profile Send private message Visit poster's website Reply with quote
Furs



Joined: 04 Mar 2016
Posts: 1764
Furs
extra_12345 wrote:
with module i meant dll and executable.
let's say the function "GetItemVal" isn't located inside a dll or executable during runtime instead it's located in some random allocated memory and all i have is the function name "GetItemVal" and i want to retrieve the base address of this function.

Code:
proc GetItemVal ;=is located at random memory

;do stuff
ret

endp    
If you don't export the symbol, it will not be present anywhere. When you "call" it, the instruction is simply a numeric offset from the call to the label. The label only exists in source code, unless it is exported.
Post 20 Dec 2020, 14:04
View user's profile Send private message Reply with quote
extra_12345



Joined: 21 Apr 2020
Posts: 28
extra_12345
guess I failed to explain myself or my English isn't good enough or maybe i lack enough knowledge so imma explain myself with pictures.

this exported function,FPSCounter:OnGUI,it is created during runtime of the application and written to some random memory location,of course the original code is located in some dll or executable but that's not what i'm looking for,i'm looking for on how to retrieve the address of this exported function.


Description:
Filesize: 89.77 KB
Viewed: 5156 Time(s)

Capture.PNG


Post 20 Dec 2020, 19:38
View user's profile Send private message Reply with quote
Ali.Z



Joined: 08 Jan 2018
Posts: 509
Ali.Z
this is mono C#, cheat engine forums have resources to dynamically grab the address of JIT code and it requires mono features to be turned on from within cheat engine.

so you better go and ask there, besides that you could have used cheat engine's pattern scanner to scan for byte pattern and return the address.

_________________
Asm For Wise Humans
Post 20 Dec 2020, 23:23
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2020, Tomasz Grysztar. Also on GitHub, YouTube, Twitter.

Website powered by rwasa.