Calling unexported functions in Win32 C++

How can I refer to an unexported function in Win32 C++?

+2




3 answers


Calling unexported functions defined in the same module (DLL / EXE) as your code is simple: just call them like any other C++ function. Obviously, this is not what you are asking for. If you want to call unexported functions in another module, you need to somehow find out their addresses.

One way to do this is for the first module to call the exported function in the second module, which returns a pointer to the function. (Or: a structure containing function pointers, a pointer to an instance of a class, etc.) Think of a factory pattern.



Another way is to export a registration function from the first module and call it from the second module's initialization code, passing it pointers to the unexported functions along with some identifying information. (It's better to also have a corresponding unregister function that gets called before the second module is unloaded.)

Another way is to parse debug symbols using dbghelp.dll. This is not recommended for a real application because it would require distributing debug symbols and would be extremely slow, not to mention overly complex.

+6


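The two recommended approaches from bk1e's answer (the factory that hands back a table of function pointers, and the registration function called from the other module's initialization code) in one compilable unit. This is an added example, not code from the original answer: the namespaces `module_a` and `module_b`, the `MODULE_EXPORT` macro, the function names and the `version` field are all assumptions made for illustration. On Windows the two namespaces would live in separate DLL/EXE projects; the anonymous namespaces stand in for functions that are deliberately not exported.

```cpp
// Added example (not from the original Q&A). Shows both patterns from the
// accepted answer in a single file so it compiles on any platform; on
// Windows, put module_a and module_b in separate DLL projects and keep the
// MODULE_EXPORT macro on the handful of functions that are meant to be visible.
#include <cstdint>
#include <map>
#include <string>

#if defined(_WIN32)
#  define MODULE_EXPORT __declspec(dllexport)
#else
#  define MODULE_EXPORT
#endif

// ----- "Module B": the consumer. It exports a registration API. -----
namespace module_b {
using Callback = int (*)(int);

namespace {  // internal linkage: not exported, not reachable from module A
std::map<std::string, Callback>& registry() {
    static std::map<std::string, Callback> table;
    return table;
}
}  // namespace

// Exported: module A calls these from its own initialization / shutdown code.
extern "C" MODULE_EXPORT int RegisterCallback(const char* name, Callback fn) {
    if (name == nullptr || fn == nullptr) return 0;  // reject bad registrations
    registry()[name] = fn;
    return 1;
}
extern "C" MODULE_EXPORT int UnregisterCallback(const char* name) {
    return (name != nullptr && registry().erase(name) != 0) ? 1 : 0;
}

// Consumer-side call through the registry; false if nothing is registered.
bool invoke(const std::string& name, int arg, int& out) {
    auto it = registry().find(name);
    if (it == registry().end()) return false;
    out = it->second(arg);
    return true;
}
}  // namespace module_b

// ----- "Module A": owns the unexported functions. -----
namespace module_a {
// Table handed out by the factory. The version field lets a consumer refuse a
// layout it does not understand instead of calling through a stale pointer.
struct FunctionTable {
    std::uint32_t version;
    int (*square)(int);
    int (*twice)(int);
};

namespace {  // anonymous namespace: these are the "unexported" functions
int square_impl(int x) { return x * x; }
int twice_impl(int x) { return 2 * x; }
constexpr std::uint32_t kTableVersion = 1;
}  // namespace

// Approach 1: the factory. One exported entry point returns the pointers.
extern "C" MODULE_EXPORT const FunctionTable* GetFunctionTable() {
    static const FunctionTable table{kTableVersion, &square_impl, &twice_impl};
    return &table;
}

// Approach 2: registration. Module A pushes its pointers into module B and
// withdraws them before it is unloaded, so B never holds dangling pointers.
extern "C" MODULE_EXPORT void ModuleA_Init() {
    module_b::RegisterCallback("square", &square_impl);
    module_b::RegisterCallback("twice", &twice_impl);
}
extern "C" MODULE_EXPORT void ModuleA_Shutdown() {
    module_b::UnregisterCallback("square");
    module_b::UnregisterCallback("twice");
}
}  // namespace module_a

// Consumer using the factory: checks the table version before calling through.
int call_via_factory(int x) {
    const module_a::FunctionTable* t = module_a::GetFunctionTable();
    if (t == nullptr || t->version != 1) return -1;
    return t->square(x) + t->twice(x);  // 3 -> 9 + 6 = 15
}

// Consumer using registration: -1 if the callback has not been registered
// (or has already been unregistered).
int call_via_registry(const char* name, int x) {
    int out = 0;
    return module_b::invoke(name, x, out) ? out : -1;
}
```

Both routes keep the unexported functions unexported: only `GetFunctionTable`, `RegisterCallback`/`UnregisterCallback` and the init/shutdown entry points are visible, and the consumer never hard-codes an address, so a rebuild of module A cannot silently break the caller.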


Besides bk1e's answer, there is another method (not recommended either).

  • Get the relative address of this function in the DLL (for example, by disassembling it). This must be done manually and before compilation.
  • In the program, you now need to get the start address of the DLL in memory (for example using an exported function and some computation).
  • Now you can call this function directly using the function's relative address + the start address obtained from the exported function.

I don't recommend this though. It only works with one specific version of that DLL. With any recompilation the address may change. Or this function will no longer be needed and will be removed. There must be a reason why this function is NOT exported. In general, you are trying to achieve something that the author of the library intentionally did not want you to do, and that is "evil" most of the time.




You mentioned IDA's name. This name includes the start address.

+3




There are no two ways about it: you need to look at the disassembly to figure out what is being pushed onto the stack and how it is used, in order to determine the parameter types.

0


