Using dumpbin utility

[plutocat]

I guess my question is not directly related to masm programming but anyway...
Using dumpbin I can get a complete list of all functions exported from a dll (dumpbin /EXPORTS) and a full disassembly of a dll's code (dumpbin /DISASM).
But how to get a disassembled code of a particular dll only?.
I can of course redirect the output into a file and examine it, but with, say, ntdll.dll the listing is huge...
Also, how does dumpbin determine where all the symbols are stored? Does it examine _NT_SYMBOL_PATH by default or you need to tell it to do so? Is there way to specify a different behavior (say, User Supplied)?
Thanks a lot in advance!

[clive]

You mean particular exports, or range, within the DLL?

DumpPE (included with MASM32) can take ranges for disassembly, and you can post-process listings with tools like AWK.

[Vortex]

Hi plutocat,

Have look also at objconv by Agner Fog :

http://agner.org/optimize/#objconv

It can disassemble DLLs.

[plutocat]

But how to get a disassembled code of a particular dll only?.

CORRECTION: Just noticed that there was an error in my question.

It should read:
But how to get a disassembled code of a particular function in a dll?.
Hope this makes more sense. Sorry for any confusion...

[hutch--]

Clive's DumpPE is supplied with MASM32 and is set up in the editor. Disassembler the entire DLL then isolate and select the function you require, then use the "Tools" menu option "Format DumpPE Output" to format the selected function so it is close to form that can be assembled.

[plutocat]

I want to thank everyone who responded to my post!
Thank you, gentlemen!

[plutocat]

When I try to Dis-assemble  abc.DLL  in MASM Editor, I get a message that it cannot open abc.exe file.
What I am doing wrong here?

[hutch--]

Take the next option down, disassemble DLL.

[plutocat]

Unfortunately, that was exactly what I did...
E.g., I open a qsc.dll file, then select "Dis-assembly DLL" option (the one right below "Dis-assemble EXE file). Then I see cmd.exe console with DumpPE copyright info in it, then disasm.txt window tells me : "Can't open file 'C:\masm32\qsc.exe'"
Obviously I go wrong somewhere... But I'd like to learn...

[mineiro]

qsc.exe doesn't exist in that folder, but qsc.dll yes.
dumppe c:\masm32\q<hit tab to autocomplete name(s) to avoid mistake>

[hutch--]

There are a couple of things you will run into here, QE is a text editor, not a binary editor and it is not suitable for editing a binary file. The menu options for disassembly are for binary files that you have opened the source code for in the editor. IE if you have the source code for one of your own DLLs opened and have assembled it, these options will disassemble it for you using DumpPE.

Now in the case of QSC.DLL which is a component to support the legacy scripting in QE, it has been compressed with an EXE compressor and will not routinely disassemble. If you have some need to disassemble an assembled or compiled PE binary file (EXE or DLL) then use DumpPE directly.

Code Select Expand


drv:\path\dumppe -disasm kernel32.dll  ; or any other you are interested in


[clive]

You can also specify at starting symbol (import, export, debug) using -disasm:!exportedname

It is also possible to disassemble a range, but you'd need to figure out how long the code in question is, because that doesn't get automatically determined.

[plutocat]

Ah, it makes much more sense now!
I really appreciate, gentlemen, your taking time and helping me!
Thank you all once more!