Sign in to follow this  
Followers 0
Ascend4nt

File + Process Imports and Exports - DLL, EXE etc

17 posts in this topic

#1 ·  Posted (edited)

File + Process Imports/Exports Information UDFs

Posted ImagePosted Image

Forwarder String Support, C++ Name Undecorating Added!!

(Extreme case of string forwarding from wsock32.dll example in this post)

This UDF gets Function Imports and Exports for any Windows PE file (.DLL, .EXE), both 32-bit and 64-bit (unlike most programs out there), and from either a 32-bit or 64-bit Process.

I created this due to my frustration with other programs either working only *some* of the time, or having a common inability to read PE32+ (x64) file format tables properly.

There's just two functions in the main UDF - _FileGetWinPEImports or _FileGetWinPEExports. The bundled TestImportExportsList program lets you explore files on your system.

*Newly included are: _ProcessGetWinPEImports, _ProcessGetWinPEExports and TestProcessImportExportsList program (requires my Process Functions UDF).

NOTE: *Compressed* executable files will only give the Import information for the 'decompressor'. The only way to get the compressed executable's Import information is to decompress the executable.

Anyway, enjoy my hard work. Either read on for more information about some of the features, or see below for the License agreement and Download link.

Information on 'Virtual Offset of Thunk':

These address offsets you see are offsets from the base of the .DLL or .EXE file (uncompressed only!), where the actual function location of an 'Import' gets placed. All calls to these functions load addresses from these Thunk locations in order to correctly place a call to the right DLL function. (This is totally different than the old Import fixup location lists of earlier pre-NT systems). Technically, you could overwrite these Thunks with addresses to your own functions, but this is a dangerous thing to do. Its a neat tool to have though.

Forwarder functions? An explanation:

The whole 'DLLNAME.Functionname' string might be confusing to you, but here's an explanation of why an address can not and should not be returned. To better understand all this, grab a copy of DLL Export Viewer, (which doesn't report Relative/Function addresses correctly for Forwarded functions) and then follow along: *update: as of v1.50, DLL Export Viewer now reports forwarder string info (I was the one that reported the bug heh)

Okay, open up DLL Export Viewer and look at (for this example) KERNEL32.DLL - lets pick 'HeapFree', a known Forwarded function. DLL Export Viewer reports the following (on XP SP3):Relative Address: 0x0000910c, 'Loaded' address: 0x7c80910c. *Neither* is the case, though - 0x0000910c is in fact just the virtual address of the forwarder string!

Now, with my Exports function, you'll find that 'HeapFree' is reported (correctly) as a Forwarder string. What you'll see then is 'NTDLL.RtlFreeHeap'. What does that mean? It means that:

  • HeapFree is not a part of KERNEL32.DLL (and hasn't been for a while),
  • When that function is called or the address retrieved via 'GetProcAddress', the function 'RtlFreeHeap' in NTDLL.DLL is the function that's actually called (or returned as an address). Hopefully the 'DLLNAME.FunctionName' structure of a Forwarder string is starting to make sense now?
  • The address you get when you do 'GetProcAddress' does *not* correspond to what you see in DLL Export Viewer - in fact, 'HeapFree's reported address lies entirely OUTSIDE of kernel32.dll's memory space - pointing instead inside of NTDLL.DLL, at (guess what?): RtlFreeHeap.
So, on XP SP3, looking up 'HeapFree' with GetProcAddress, you get: 0x7C90FF2D. Doesn't match what was reported with DLL Export Viewer AT ALL. However - go back, and now look at NTDLL.DLL with DLL Export Viewer, and at function 'RtlFreeHeap' (following the logic of the Forwarder Function string). What is reported for RtlFreeHeap? Relative Address: 0x0000ff2d, 'Loaded' address: 0x7c90ff2d. See now how it lines up with what was reported via GetProcAddress for 'HeapFree' in KERNEL32.DLL?

So, there you have it in a nutshell - Forwarder functions are functions 'rerouted' to another DLL. The DLL's that are being rerouted to are either:

  • A.) Pre-loaded by the system (Important DLL's like NTDLL.DLL, KERNEL32.DLL, USER32.DLL, GDI32.DLL, etc - are all permanently loaded)
  • B.) Loaded upon a program's execution if the function is in its 'Imports' list, or
  • C.) Loaded upon a call to GetProcAddress. To see how this works clearly, list the modules that are loaded (my Process Functions UDF GUI can do this for you), then call GetProcAddress for 'GetServiceW' from WSOCK32.DLL, and then re-list the modules again. You'll see a new module loaded up - MSWSOCK.DLL (the location of the forwarder function). Wa-la, forwarder is set up.
Ascend4nt's AutoIT Code License agreement:

While I provide this source code freely, if you do use the code in your projects, all I ask is that:

  • If you provide source, keep the header as I have put it, OR, if you expand it, then at least acknowledge me as the original author, and any other authors I credit
  • If the program is released, acknowledge me in your credits (it doesn't have to state which functions came from me, though again if the source is provided - see #1)
  • The source on it's own (as opposed to part of a project) can not be posted unless a link to the page(s) where the code were retrieved from is provided and a message stating that the latest updates will be available on the page(s) linked to.
  • Pieces of the code can however be discussed on the threads where Ascend4nt has posted the code without worrying about further linking.

Download the ZIPs from my Site

UPDATES:

7-21-2010:

Added:

  • C++ Function Name Undecorating/Unmangling option. For an example of what this causes function name results to be, check out something like 'msvcrt.dll'. It will report alot more than just a function name! If you choose to do the Undecorating yourself, just call the included function _WinAPI_UndecorateName().

    Example: "??3@YAXPAX@Z" becomes "void __cdecl operator delete(void *)" unmanged/undecorated

  • New _ProcessGetWinPEImportExports module (with Test program) as a separate download - requires use of my Process Functions UDF. The biggest benefits, besides looking into loaded DLL's that might not be on the disk? Addresses reported are real, and Imported function addresses are reported (as pulled from Thunk locations).
7-12-2010:

Fixed:

  • Oops, Big-time logic errors in mapping Export function names to addresses and using ordinals to look them up from pointer tables. Now everything points to where it should!
  • Ordinal #'s are now correctly calculated with the 'Base' # part of the EXPORT DIRECTORY TABLE.
Added:
  • 'Forwarder' string lookup & reporting! Not even DLL Export Viewer does this! Basically, certain function 'pointers' aren't really code offsets, but offsets to Forwarder strings. My function looks those strings up and puts them in the list instead of a phoney address.
7-11-2010:

Fixed:

  • Executables linked with Borland's TLINK32.exe do not set the 'ImportLookupTableRVA' element correctly. This was easy to work around, as the 'Thunks' list also contains pointers to the same information (until an executable/DLL is loaded by the O/S, at least)
Added:
  • Imports: Extra column: Virtual Offset of Thunk ( [3] ). When an .EXE or .DLL is loaded, this is the Offset from the base of the .EXE or .DLL which will hold the actual function address. This could be used for redirection of calls (dangerous though!).

    ...

    An important note on this: Compressed executables are a completely different beast, and in fact the whole Import section is for the Decompressor itself, which disappears once the executable is loaded! The only way to get the actual Imports for Compressed Executables is to Decompress them first.

Edited by Ascend4nt
1 person likes this

Share this post


Link to post
Share on other sites



#2 ·  Posted (edited)

Nicely done.

To ease your frustration though, you should check out DLL Export Viewer from NirSoft.

Edited by wraithdu

Share this post


Link to post
Share on other sites

Thanks. I've been using DLL Export Viewer actually - But it doesn't report on Imports, and I'd rather not have to rely on using another program just for Exports.

Share this post


Link to post
Share on other sites

Fascinating work.

This is really going to come in handy.


[Not using this account any more. Using "iShafayet" instead]

Share this post


Link to post
Share on other sites

This is a very useful UDF.


Determined -- Devoted -- Delivered Make your mind up -- to seriously apply yourself -- accomplishing the desired results. **** A soft answer turneth away wrath: but grievous words stir up anger. Proverbs 15:1 KJB ****

Share this post


Link to post
Share on other sites

#6 ·  Posted (edited)

Thanks everyone for the compliments.

I've updated the UDF after reading about Borland's TLINK32 issue. All files should report the right Import information now, though I still have yet to figure out the 'forwarding' thing with certain Exports (that return an Offset of 0).

UPDATES:

7-11-2010:

Fixed:

  • Executables linked with Borland's TLINK32.exe do not set the 'ImportLookupTableRVA' element correctly. This was easy to work around, as the 'Thunks' list also contains pointers to the same information (until an executable/DLL is loaded by the O/S, at least)
Added:

  • Imports: Extra column: Virtual Offset of Thunk ( [3] ). When an .EXE or .DLL is loaded, this is the Offset from the base of the .EXE or .DLL which will hold the actual function address. This could be used for redirection of calls (dangerous though!).

    ...

    An important note on this: Compressed executables are a completely different beast, and in fact the whole Import section is for the Decompressor itself, which disappears once the executable is loaded! The only way to get the actual Imports for Compressed Executables is to Decompress them first.

Edited by Ascend4nt

Share this post


Link to post
Share on other sites

#7 ·  Posted (edited)

Sorry for the short time between updates, but I found a major issue with my code, and at the same time added something new - not even DLL Export Viewer has Forwarder-String information :blink:

Check out these examples of Forwarder strings inside DLL's (2nd example is an extreme case!)

Posted Image..Posted Image

Onto the updates:

UPDATES:

7-12-2010:

Fixed:

  • Oops, Big-time logic errors in mapping Export function names to addresses and using ordinals to look them up from pointer tables. Now everything points to where it should!
  • Ordinal #'s are now correctly calculated with the 'Base' # part of the EXPORT DIRECTORY TABLE.
Added:

  • 'Forwarder' string lookup & reporting! Not even DLL Export Viewer does this! Basically, certain function 'pointers' aren't really code offsets, but offsets to Forwarder strings. My function looks those strings up and puts them in the list instead of a phoney address.
Edited by Ascend4nt

Share this post


Link to post
Share on other sites

Really Awesome work!

Thxs for share!


[size="5"] [/size]

Share this post


Link to post
Share on other sites

Updated!

7-21-2010:

Added:

  • C++ Function Name Undecorating/Unmangling option. For an example of what this causes function name results to be, check out something like 'msvcrt.dll'. It will report alot more than just a function name! If you choose to do the Undecorating yourself, just call the included function _WinAPI_UndecorateName().

    Example: "??3@YAXPAX@Z" becomes "void __cdecl operator delete(void *)" unmanged/undecorated

  • New _ProcessGetWinPEImportExports module (with Test program) as a separate download - requires use of my Process Functions UDF. The biggest benefits, besides looking into loaded DLL's that might not be on the disk? Addresses reported are real, and Imported function addresses are reported (as pulled from Thunk locations).

Share this post


Link to post
Share on other sites

Would it be possible to use parts of this library to validate that exports of a system DLL have not been dynamically remapped within the process where my script is running?

D.

Share this post


Link to post
Share on other sites

I'm not sure I understand. Do you mean that imports in your process (which are mapped to exports from DLL's) are being redirected to a different address than they should be? Theoretically it would be possible to check them, if the LoadLibrary/GetProcAddress API functions needed by DLLCall() were not themselves remapped to something that prevents them from working correctly.

Probably the best thing for you to do is to use UPX or some other compression utility which makes it more difficult for someone to get and remap the imports for your app.

I would also say that its possible to do using compiled machine code that goes through the PEB and module lists, but machine code still requires a DLLCall() to use from AutoIt..

Share this post


Link to post
Share on other sites

I'm actually trying to detect when aclayers.dll might be redirecting registry writes.

Share this post


Link to post
Share on other sites

Not sure what aclayers is, but sounds easy enough. Use DLLCall to call 'GetProcAddress' for the different registry API calls, and compare those returned values to the process's loaded addresses for those API calls. If there's a difference, then they are being redirected. You can even go further to see where the module address is located by comparing it against the loaded modules' start and 'end' (start+size) addresses.

Share this post


Link to post
Share on other sites

First off, you mean 33.4KB uncompressed (for the File Import/Exports info).

Secondly, NirSoft's DLL Export Viewer incorrectly reports the code address, because that function doesn't actually exist in kernel32.dll. In the PE, it gives an offset that points to a 'forwarder' string. That means that "NTDLL.RtlAddVectoredExceptionHandler" tells you where the function really exists - in NTDLL.DLL, as the function name RtlAddVectoredExceptionHandler. Read my first post, hopefully that will help you understand what forwarding is, and why NirSoft's program reports bad information.

Share this post


Link to post
Share on other sites

How about that - Nirsoft actually listened to feedback :huh2:

DLL Export Viewer finally has forwarder string information reported correctly as of v1.50.

On another note.. I've noticed some .EXE files are putting Imports all over - inside different sections of the PE. wth? Anyway.. causes the program to crash currently, so if anyone sees a crash, this is most likely whats happening. I'd call it non-standard, but Windows handles it fine, as do some other PE viewers (some crash though). That was a very annoying bugger to track down.

What this means is that I need to search for the right section and recalculate RVA Offsets for each and every Import. What a pain.. Anyhoo.. that's on my to-do list for the next version. Just thought I'd at least log the problem here in the meantime and tell y'all to update your copy of DLL Export Viewer as well ;)

Share this post


Link to post
Share on other sites

#16 ·  Posted (edited)

Any sample code how you use export functions of a dll to my own script would appreciated?

Thanks

Edited by mailro

Share this post


Link to post
Share on other sites

You'd need to figure that out for yourself. If you are planning on calling a function in a DLL, you need to know what parameters it takes, as well as the return value. If its a standard Microsoft DLL, you can find the documentation for the function on MSDN. Any other DLL's, you need to know who made it and then check their website for info on calling the functions. I think WinAPIOverride32 lets you explore how certain DLL functions are called, though the program seems to crash more than anything for me.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0

  • Similar Content

    • BisherSH
      By BisherSH
      Good day ,
      I have the code below , and i would like to embed SQLite3.dll to the compiled file 
      Is it possible ? 
      Thanks in advance
      #include <SQLite.au3> #include <SQLite.dll.au3> _SQLite_Startup() If @error Then     MsgBox($MB_SYSTEMMODAL, "SQLite Error", "SQLite3.dll Can't be Loaded!")     Exit -1 EndIf $DB = _SQLite_Open("C:\Temp\Test.db") $Action = "TestAction" $Time = @HOUR&":"&@MIN&":"&@SEC $Date = @YEAR&"-"&@MON&"-"&@MDAY $User = @UserName $Computer = @ComputerName $DC = @LogonServer If @error Then     MsgBox($MB_SYSTEMMODAL, "SQLite Error", "Couldnt open Database")     Exit -1 EndIf _SQLite_Exec($DB,"INSERT INTO QLogs (Action,Date,Time,User,Computer,DC) " & _                               "VALUES ("& _SQLite_FastEscape($Action) & "," & _                                           _SQLite_FastEscape($Date) & "," & _                                           _SQLite_FastEscape($Time) & "," & _                                           _SQLite_FastEscape($User) & "," & _                                           _SQLite_FastEscape($Computer) & "," & _                                           _SQLite_FastEscape($DC) & ");") If @error Then     MsgBox($MB_SYSTEMMODAL, "SQLite Error", "Couldnt insert!")     Exit -1 EndIf _SQLite_Shutdown()
    • ur
      By ur
      Hi,
       
      I have a property file format configuration file for our project.
      The sample file is as below.
      BuildLocation:C:\Build BuildExe:erwin Data Modeler r9.7 (64-bit)_2378.exe Release:r9.64.02 Silent:No InstallPath:default Compare :No MartUpgrade :Yes Bit:64 ERwinUpgrade:No License_File:150416-1952 Navigator (ca.com).lic To read this file, I am using below code.
      Func readConfig($sFilePath,$intStartCode) ;Usage: MsgBox(0,"Silent",readConfig(@ScriptDir&"\Config.txt","Silbent")) ;$sReplaceText = "Mani Prakash" ;$sFilePath = "C:\Users\KIRUD01\Desktop\Config.txt" ;$intStartCode = "BuildExe" $arrRetArray = "" $s = _FileReadToArray($sFilePath, $arrRetArray);Reading text file and saving it to array $s will show status of reading file.. For $i = 1 To UBound($arrRetArray)-1 $line = $arrRetArray[$i];retrieves taskengine text line by line If StringInStr($line, $intStartCode) Then ConsoleWrite ("Starting point "& $line & @CRLF) return StringStripWS(StringSplit($line,":")[2],$STR_STRIPLEADING + $STR_STRIPTRAILING ) EndIf if $i = UBound($arrRetArray)-1 then return "Not Found" Next EndFunc The above code is working to read the particular key value.
      But problem is , if I try to read the key "Bit" it is giving the value of key "BuildExe" as the line contains the word "bit"..
      Can you suggest how to do this. 
       
      If possible I need to fix writeConfig also.
       
      Func writeConfig($sFilePath,$intStartCode,$sReplaceText) ;$sReplaceText = "Mani Prakash" ;$sFilePath = "C:\Users\KIRUD01\Desktop\Config.txt" ;$intStartCode = "BuildExe" $arrRetArray = "" $s = _FileReadToArray($sFilePath, $arrRetArray);Reading text file and saving it to array $s will show status of reading file.. $intStartingPointFound = 0 For $i = 1 To UBound($arrRetArray)-1 $line = $arrRetArray[$i];retrieves taskengine text line by line If StringInStr($line, $intStartCode) Then $intStartingPointFound = 1;if found the starting point of the module to copy then set this variable to 1 ConsoleWrite ("Starting point " & @CRLF) $arrRetArray[$i] = $intStartCode & ": " & $sReplaceText ExitLoop EndIf if $i = UBound($arrRetArray)-1 then ConsoleWrite("Not Found" & @CRLF) Next _FileWriteFromArray ($sFilePath, $arrRetArray,1) EndFunc  
    • XOblivion
      By XOblivion
      im some what new to autoit and need help figuring out best way to make a simple clicker for few idle games i play(taptitdue, sakura clicker, elndless frontier etc.) ive played around with autoit recorder to make simple copy mouse clicks. but now i want to make a script that allows me to select multiple functions before starting the script for game ex: click section A or click section A + B to run At set intervals if that makes sense . i dont need scripts made by other just info on what things i should use to make it my self.
       
      need to be able to select between games and be able to select multiple functions to run inconjuntion or independent for each game. thank you in advance
    • ur
      By ur
      I have created below code to run the python file.
      #RequireAdmin #Region ;**** Directives created by AutoIt3Wrapper_GUI **** #AutoIt3Wrapper_Icon=icon.ico #AutoIt3Wrapper_Outfile=RunTaskRun.Exe #EndRegion ;**** Directives created by AutoIt3Wrapper_GUI **** #cs ---------------------------------------------------------------------------- AutoIt Version: 3.3.14.0 Author: Uday Kiran Reddy(ur) Script Function: To log python data to a file. #ce ---------------------------------------------------------------------------- #include <MsgBoxConstants.au3> #include "C:\Automation\ISMBuild\Library.au3" #include "ProcessEx_AddedNewEntryForLogging.au3" #include "CheckChangeinCommit.au3" If not NoChangesRequired() Then SendMail("Changes are in commit of erwin-main Repo","Will intimate once binaries are copied to Installshield machine") $hProcessHandle = _Process_RunCommand($PROCESS_RUN, $PROCESS_COMMAND & "C:\Python27\python.exe C:\BuildServer\AutoBuildServer\TaskRun.py") ; Capture the Process Handle $iPID = @extended ; Note the PID $returncode = _Process_DebugLogRunCommand($hProcessHandle, $iPID) ; Display the results in real-time Logging("Completed with ReturnCode "&$returncode) Else SendMail("No Changes are not there in commit of erwin-main Repo","So no Binaries for today.If it is needed, please remove the text file from location: "& @TempDir&"\git_erwin_commit.txt") EndIf When I kill the autoit execution exe in the middle of execution, it is not terminating the python.exe launched from script.
      Can you suggest how to do this?
    • likehu
      By likehu
      Hello,
      I have compiled a reference DLL in VS 2015 Community and this  DLL works fine with project for which it is used. There is an interface from which u can access functions in DLL.
      Developers stated that this DLL is almost universal and can be used with any language with minor changes.
      I am trying to access its function from Autoit script and got an error 3, after calling DLLCall - "function" not found in the DLL file.
      Please have a quick look, I feel I miss something in C++ library with exporting functions and I do not know what to add as I am new to C++.
      Thank you.
      Source files and script also attached.
       
      Here is my script.
      Local $dll = DllOpen("C:\Users\Home\Desktop\dll\user.dll") ConsoleWrite("$dll handle = " & $dll & @CRLF) ;$dll handle = 1 Local $result = DllCall($dll, "double:cdecl", "ProcessQuery", "str", "dll$mynumber") If @error > 0 Then ConsoleWrite("Error: " & @error & @CRLF) ;Error = 3 If IsArray($result) Then ConsoleWrite("Array returned!" & @CRLF & "dll$mynumber: " & result[1]) Else ConsoleWrite("$result is not array. : " & $result & @CRLF) ;$result = 0 EndIf DllClose($dll) And here is dll source. As I understand, function "ProcessQuery" exported with help of DLL_IMPLEMENTS
      user.h
      //****************************************************************************** // // This file is part of the OpenHoldem project // Download page: http://code.google.com/p/openholdembot/ // Forums: http://www.maxinmontreal.com/forums/index.php // Licensed under GPL v3: http://www.gnu.org/licenses/gpl.html // //****************************************************************************** // // Purpose: Very simple user-DLL as a starting-point // // DO NOT CHANGE ANYTHING IN THIS FILE! // // This Header defines an interface // Functions and data-types must exactly match. // //****************************************************************************** #ifndef _INC_USER_H #define _INC_USER_H // Import and export directives // for use by this DLL and by OpenHoldem #ifdef USER_DLL #define DLL_IMPLEMENTS extern "C" __declspec(dllexport) #define EXE_IMPLEMENTS extern "C" __declspec(dllimport) #else #define DLL_IMPLEMENTS extern "C" __declspec(dllimport) #define EXE_IMPLEMENTS extern "C" __declspec(dllexport) #endif // Number of saved table-states // This number must not be changed, as we do a "& 0xFF" // at various places to normalize the index. const int kNumberOfHoldemStatesForDLL = 256; // SHoldemePlayer // used for sequence of 256 consequive table-states // !!!! Needs 2 more cards for Omaha, if not entirely removed struct holdem_player { char m_name[16] ; //player name if known double m_balance ; //player balance double m_currentbet ; //player current bet unsigned char m_cards[2] ; //player cards unsigned char m_name_known : 1 ; //0=no 1=yes unsigned char m_balance_known : 1 ; //0=no 1=yes unsigned char m_fillerbits : 6 ; //filler bits unsigned char m_fillerbyte ; //filler bytes }; struct holdem_state { char m_title[64] ; //table title double m_pot[10] ; //total in each pot unsigned char m_cards[5] ; //common cards unsigned char m_is_playing : 1 ; //0=sitting-out, 1=sitting-in unsigned char m_is_posting : 1 ; //0=autopost-off, 1=autopost-on unsigned char m_fillerbits : 6 ; //filler bits unsigned char m_fillerbyte ; //filler byte unsigned char m_dealer_chair ; //0-9 holdem_player m_player[10] ; //player records }; // Functions implemented and exported by the DLL, // imported by OpenHoldem DLL_IMPLEMENTS double __stdcall ProcessQuery(const char* pquery); DLL_IMPLEMENTS void __stdcall DLLOnLoad(); DLL_IMPLEMENTS void __stdcall DLLOnUnLoad(); // Functions implemented and exported by OpenHoldem, // imported by the DLL EXE_IMPLEMENTS double __stdcall GetSymbol(const char* name_of_single_symbol__not_expression); EXE_IMPLEMENTS void* __stdcall GetPrw1326(); EXE_IMPLEMENTS char* __stdcall GetHandnumber(); EXE_IMPLEMENTS void __stdcall ParseHandList(const char* name_of_list, const char* list_body); EXE_IMPLEMENTS char* __stdcall ScrapeTableMapRegion(char* p_region, int& p_returned_lengh); EXE_IMPLEMENTS void __stdcall SendChatMessage(const char *message); EXE_IMPLEMENTS void __stdcall WriteLog(char* format, ...); // Variables exported by OpenHoldem // avoiding the message-mess of WinHoldem, // no longer sending any state-messages // http://www.maxinmontreal.com/forums/viewtopic.php?f=174&t=18642 EXE_IMPLEMENTS extern holdem_state state[kNumberOfHoldemStatesForDLL]; EXE_IMPLEMENTS extern int state_index; #endif // _INC_USER_H  
      user.cpp    Here is dll$mynumber parameter.
      //****************************************************************************** // // This file is part of the OpenHoldem project // Download page: http://code.google.com/p/openholdembot/ // Forums: http://www.maxinmontreal.com/forums/index.php // Licensed under GPL v3: http://www.gnu.org/licenses/gpl.html // //****************************************************************************** // // Purpose: Very simple user-DLL as a starting-point // // Required OpenHoldem version: 7.7.6 // //****************************************************************************** // Needs to be defined here, before #include "user.h" // to generate proper export- and inport-definitions #define USER_DLL // #define OPT_DEMO_OUTPUT if you are a beginner // who wants to see some message-boxes with output of game-states, etc. // It is disabled upon request, // * as it is not really needed // * as some DLL-users don't have MFC (atlstr.h) installed // http://www.maxinmontreal.com/forums/viewtopic.php?f=156&t=16232 #undef OPT_DEMO_OUTPUT #include "user.h" #include <conio.h> #include <windows.h> #ifdef OPT_DEMO_OUTPUT #include <atlstr.h> #endif OPT_DEMO_OUTPUT // Supporting macros #define HIGH_NIBBLE(c) (((c)>>4)&0x0F) #define LOW_NIBBLE(c) ((c)&0x0F) // Card macro #define RANK(c) ( ISKNOWN(c) ? HIGH_NIBBLE(c) : 0 ) #define SUIT(c) ( ISKNOWN(c) ? LOW_NIBBLE(c) : 0 ) #define ISCARDBACK(c) ((c) == CARD_BACK) #define ISUNKNOWN(c) ((c) == CARD_UNDEFINED) #define ISNOCARD(c) ((c) == CARD_NOCARD) #define ISKNOWN(c) (!ISCARDBACK(c) && !ISUNKNOWN(c) && !ISNOCARD(c)) // ProcessQuery() // Handling the lookup of dll$symbols DLL_IMPLEMENTS double __stdcall ProcessQuery(const char* pquery) { if (pquery==NULL) return 0; if (strncmp(pquery,"dll$mynumber",13)==0) { return 12345.67; } return 0; } // OnLoad and OnUnload() // called once and at the beginning of a session // when the DLL gets loaded / unloaded // Do initilization / finalization here. DLL_IMPLEMENTS void __stdcall DLLOnLoad() { #ifdef OPT_DEMO_OUTPUT MessageBox(NULL, "event-load", "MESSAGE", MB_OK); #endif OPT_DEMO_OUTPUT } DLL_IMPLEMENTS void __stdcall DLLOnUnLoad() { #ifdef OPT_DEMO_OUTPUT MessageBox(NULL, "event-unload", "MESSAGE", MB_OK); #endif OPT_DEMO_OUTPUT } // DLL entry point // Technically required, but don't do anything here. // Initializations belong into the OnLoad() function, // where they get executed at run-time. // Doing things here at load-time is a bad idea, // as some functionalitz might not be properly initialized // (including error/handling). BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) { switch (ul_reason_for_call) { case DLL_PROCESS_ATTACH: #ifdef OPT_DEMO_OUTPUT AllocConsole(); #endif OPT_DEMO_OUTPUT break; case DLL_THREAD_ATTACH: break; case DLL_THREAD_DETACH: break; case DLL_PROCESS_DETACH: #ifdef OPT_DEMO_OUTPUT FreeConsole(); #endif OPT_DEMO_OUTPUT break; } return TRUE; }  
      Source.zip
      DllAccess.au3