GetProcAddress by Ordinal number

ragdog · March 13, 2010, 11:16:57 PM

Hi

I have a little question to GetProcAddress

I have source found this get the procedur adress from a dll via ordinal

invoke GetProcAddress,eax,3 ; Ordinal number

I have read the msdn

FARPROC WINAPI GetProcAddress(
__in HMODULE hModule,
__in LPCSTR lpProcName ;this uses a procedurname or is this same?
);

and how i can get the ordinals number of a dll?

Thanks in forward

donkey · March 13, 2010, 11:21:04 PM

Quote from: msdnlpProcName [in]

The function or variable name, or the function's ordinal value. If this parameter is an ordinal value, it must be in the low-order word; the high-order word must be zero.

http://msdn.microsoft.com/en-us/library/ms683212%28VS.85%29.aspx

To obtain the ordinal numbers exported from the DLL, you can use a PE viewer that allows you to view exports, I generally like PEBrowsePro.

donkey · March 13, 2010, 11:50:41 PM

I should note that imports by ordinal are pretty dangerous, most DLL's in Windows use a sequentially generated ordinal number and from one version to another the values are pretty much the same for named exports and always the same for ordinal only exports. However this tends to break down once a function is deprecated or a new function is inserted, for example in Common Controls, version 5.8 has the function CreatePropertySheetPageA at ordinal location 18, in version 6.1 it is an unnamed ordinal (CreatePropertySheetPageA is at ordinal 19 in that version). However calling GetProcAddress for ordinal 18 will succeed in both cases but give 2 different functions and will likely crash your program or lead to some pretty bizarre behaviour. If you need a list of static Windows API exports by ordinal you can check my header project which has a pretty extensive list of them in various header files (mostly in Commctrl.h and shellapi.h).

I guess the lesson is to always use named exports whenever possible and only use ordinal exports that you are fairly certain are static but avoid them if you can.

ragdog · March 14, 2010, 12:37:33 AM

Thanks for you replys

I use not a windows dll for this

greets

Vortex · March 14, 2010, 09:51:12 AM

To find the ordinal numbers, you can use the dumpbin tool :

Code Select

\masm32\bin\dumpbin /exports c:\WINDOWS\system32\kernel32.dll >dump.txt

dump.txt :

Code Select


Microsoft (R) COFF Binary File Dumper Version 5.12.8078
Copyright (C) Microsoft Corp 1992-1998. All rights reserved.


Dump of file c:\WINDOWS\system32\kernel32.dll

File Type: DLL

  Section contains the following exports for KERNEL32.dll

           0 characteristics
    49C4D12E time date stamp Sat Mar 21 13:36:14 2009
        0.00 version
           1 ordinal base
         954 number of functions
         954 number of names

    ordinal hint RVA      name

          1    0 0000A6E4 ActivateActCtx
          2    1 0003551D AddAtomA
          3    2 000326F1 AddAtomW
          4    3 00071DFF AddConsoleAliasA
          5    4 00071DC1 AddConsoleAliasW
          6    5 00059412 AddLocalAlternateComputerNameA
          7    6 000592F6 AddLocalAlternateComputerNameW
          8    7 0002BF11 AddRefActCtx
          9    8          AddVectoredExceptionHandler (forwarded to NTDLL.RtlAddVectoredExceptionHandler)
         10    9 00072451 AllocConsole
         11    A 0005F6D4 AllocateUserPhysicalPages
         12    B 0003597F AreFileApisANSI
         13    C 0002E45A AssignProcessToJobObject
         14    D 00072639 AttachConsole

Pelle's podump tool can be used for the same purpose :

Code Select

\masm32\bin\podump.exe

News:

GetProcAddress by Ordinal number

ragdog

donkey

donkey

ragdog

Vortex