DLL ordinals lookup

[jmb]

I'm using PE Explorer to look at an executable which uses DLLs which have only ordinal exports - however, some of these DLLs are open source and can be reproduced, including their DEF files to map ordinals to names.

Is there any way to make PE Explorer reference a DEF file to provide readable symbols in the disassembly?  If it's not built in, does the plugin API have the power to let me write the feature?

regards,
James

[TechMan]

No, it is not built in. And no, the plug-in API has no power. The plug-in API has been designed for creating START-UP plug-ins for crypted files handling and unpacking the packed files.

The good news is that we are working on adding that feature in the future. However, I do not have a date for when this option may become available.

[jmb]

Thanks for the speedy answer!

Now I'm thinking, perhaps there's another tool available somewhere which can post-process a DLL and a matched DEF file (with any NONAMEs removed) to produce a new DLL identical but for having symbols exported.

-jmb

[jmb]

While looking for this workaround, I used http://utilitymill.com/utility/Exe_Dump_Utility to examine the DLL, and it appears that it does have symbolic exports after all - it's just the the EXE using it is importing by ordinals rather than names.

Seems to me that the symbols will already be available to PE Explorer, perhaps picking them up from the export table might be more easily implementable than incorporating a separate DEF file?

cheers,
-jmb

[TechMan]

Hard to say without looking into the file itself.

[jmb]

Is this something that you would normally expect to work?

ie if PROGRAM.EXE loads LIBRARY.DLL and is linked by ordinal, but LIBRARY.DLL does have names as well, should those names be visible in PE Explorer? (I presume that if it's linked by name, it does already)

-jmb

[TechMan]

How are we supposed to view names from LIBRARY.DLL if we read PROGRAM.EXE? Sure if it's linked by name, we see names -- but what if there's no LIBRARY.DLL on disk at all? If I hear somebody call you 101 how do I guess your name is JMB?

[jmb]

Sorry, a late-at-night brain-o there, I was imagining that you were loading referenced DLLs recusively to show symbols they]/b] referenced, etc, but of course the EXE is the only thing you're looking at. You're not a debugger.

The DLL is on disk, so the export table with names is there for reference, but if the EXE is the only code you load, no, I wouldn't expect to see names.

I guess though that if you wanted to add the feature at some point, you already have code in place for reading an export table. I wonder what the prevalence is in commercial releases of linking-by-ordinal compared to by-name?

cheers,
-jmb

[TechMan]

I saw this quite often in comtrl32.dll - a pretty commercial release.  '>

Ok. To make the story short: it can be done, and we most likely will add this option (manually load the referenced DLL) in v2. At least, that's easier than referencing a DEF file.

Thanks for the interesting idea! If you have any more suggestions on how we can improve PE Explorer please keep posting.