Hi
I have a little question about GetProcAddress.
I have found source that gets the procedure address from a DLL via ordinal:
invoke GetProcAddress,eax,3 ; Ordinal number
I have read the msdn
FARPROC WINAPI GetProcAddress(
__in HMODULE hModule,
__in LPCSTR lpProcName ; this uses a procedure name, or is this the same?
);
And how can I get the ordinal numbers of a DLL?
Thanks in advance
Quote from: msdn
lpProcName [in]
The function or variable name, or the function's ordinal value. If this parameter is an ordinal value, it must be in the low-order word; the high-order word must be zero.
http://msdn.microsoft.com/en-us/library/ms683212%28VS.85%29.aspx
To obtain the ordinal numbers exported from the DLL, you can use a PE viewer that allows you to view exports; I generally like PEBrowsePro (http://www.smidgeonsoft.prohosting.com/).
I should note that imports by ordinal are pretty dangerous. Most DLLs in Windows use a sequentially generated ordinal number, and from one version to another the values are pretty much the same for named exports and always the same for ordinal-only exports. However, this tends to break down once a function is deprecated or a new function is inserted. For example, in Common Controls, version 5.8 has the function CreatePropertySheetPageA at ordinal location 18; in version 6.1 it is an unnamed ordinal (CreatePropertySheetPageA is at ordinal 19 in that version). However, calling GetProcAddress for ordinal 18 will succeed in both cases but give 2 different functions, and will likely crash your program or lead to some pretty bizarre behaviour. If you need a list of static Windows API exports by ordinal, you can check my header project, which has a pretty extensive list of them in various header files (mostly in Commctrl.h and shellapi.h).
I guess the lesson is to always use named exports whenever possible and only use ordinal exports that you are fairly certain are static but avoid them if you can.
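The ordinal hazard described in the reply above, as an added example that is not part of the original thread: a simplified, portable C model of export lookup (not the Windows loader) that follows the quoted lpProcName rule. The RVAs and both tables are constructed; only the move of CreatePropertySheetPageA from ordinal 18 to 19 comes from the post.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a PE export directory (constructed data, not a real DLL). */
typedef struct {
    uint32_t base;              /* "ordinal base" as printed by dumpbin */
    uint32_t n_funcs;           /* number of functions */
    const uint32_t *funcs;      /* RVA per slot; slot = ordinal - base */
    uint32_t n_names;           /* number of names */
    const char *const *names;   /* exported names */
    const uint16_t *name_slots; /* slot index for each name */
} exports_t;

#define BY_ORDINAL(n) ((const char *)(uintptr_t)(uint16_t)(n))

/* lpProcName rule from the quoted documentation: high-order word zero => ordinal. */
uint32_t resolve(const exports_t *e, const char *proc) {
    uintptr_t v = (uintptr_t)proc;
    if ((v >> 16) == 0) {                        /* ordinal lookup */
        uint32_t slot = (uint32_t)v - e->base;   /* wraps if v < base; rejected below */
        return slot < e->n_funcs ? e->funcs[slot] : 0;
    }
    for (uint32_t i = 0; i < e->n_names; i++)    /* name lookup */
        if (strcmp(e->names[i], proc) == 0)
            return e->funcs[e->name_slots[i]];
    return 0;
}

/* Two constructed versions: the named export moves from ordinal 18 to 19. */
static const char *const names[] = { "CreatePropertySheetPageA" };
static const uint32_t old_funcs[] = { 0x1000, 0x2000 };  /* ordinals 18, 19 */
static const uint16_t old_slots[] = { 0 };               /* name -> ordinal 18 */
static const exports_t old_dll = { 18, 2, old_funcs, 1, names, old_slots };
static const uint32_t new_funcs[] = { 0x5000, 0x1400 };  /* 18 is now unnamed */
static const uint16_t new_slots[] = { 1 };               /* name -> ordinal 19 */
static const exports_t new_dll = { 18, 2, new_funcs, 1, names, new_slots };

/* Returns 1 only if the ordinal and the name resolve to the same function. */
int ordinal_matches_name(const exports_t *e, uint16_t ord, const char *name) {
    uint32_t by_name = resolve(e, name);
    return by_name != 0 && by_name == resolve(e, BY_ORDINAL(ord));
}

int main(void) {
    printf("old: ordinal 18 is named export? %d\n", ordinal_matches_name(&old_dll, 18, names[0]));
    printf("new: ordinal 18 is named export? %d\n", ordinal_matches_name(&new_dll, 18, names[0]));
    return 0;
}
```

Both ordinal lookups succeed, which is why a cross-check against the name (where one exists) is the only way to notice that the ordinal now points at a different function.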
Thanks for your replies.
I am not using a Windows DLL for this.
greets
To find the ordinal numbers, you can use the dumpbin tool:
\masm32\bin\dumpbin /exports c:\WINDOWS\system32\kernel32.dll >dump.txt
dump.txt:

Microsoft (R) COFF Binary File Dumper Version 5.12.8078
Copyright (C) Microsoft Corp 1992-1998. All rights reserved.

Dump of file c:\WINDOWS\system32\kernel32.dll

File Type: DLL

  Section contains the following exports for KERNEL32.dll

           0 characteristics
    49C4D12E time date stamp Sat Mar 21 13:36:14 2009
        0.00 version
           1 ordinal base
         954 number of functions
         954 number of names

    ordinal hint RVA      name

          1    0 0000A6E4 ActivateActCtx
          2    1 0003551D AddAtomA
          3    2 000326F1 AddAtomW
          4    3 00071DFF AddConsoleAliasA
          5    4 00071DC1 AddConsoleAliasW
          6    5 00059412 AddLocalAlternateComputerNameA
          7    6 000592F6 AddLocalAlternateComputerNameW
          8    7 0002BF11 AddRefActCtx
          9    8          AddVectoredExceptionHandler (forwarded to NTDLL.RtlAddVectoredExceptionHandler)
         10    9 00072451 AllocConsole
         11    A 0005F6D4 AllocateUserPhysicalPages
         12    B 0003597F AreFileApisANSI
         13    C 0002E45A AssignProcessToJobObject
         14    D 00072639 AttachConsole
Pelle's podump tool can be used for the same purpose:
\masm32\bin\podump.exe