现在阅读
A tool to view a LIB
0

A tool to view a LIB

由 ultracpy2018年1月26日

Sample Image - LibView.jpg

Introduction

Have you ever wondered to know what are the things a library (.Lib) is exporting? Sometimes, a library can export hidden functions that are not given to you on a header file, or did you ever wanted to verify the function syntax against the header files, given to you with a LIB file? If could be a mismatch. In that case, here is the solution for you.

This simple tool can go through the LIB file and show the functions it exports, and it can generate a header (.h) file based on the finding. It is much useful for Visual C++ developers. There are some limitations, for that see under the heading “Limitations”.

Background

You could have seen some junk characters in place of any C++ function. Somewhere like in Depends (a tool that comes with the Visual Studio, showing the functions inside a DLL). This is called “Name mangling”. The function in the junk format is called “Decorated name”. C++ compilers encode the names of symbols in C++ programs to include type information in the name. So later, the linker can check the exact function and ensure type-safe linking. C compilers don’t need this since only one function can exist in the entire executable linkage. However, in C++, there can exist several functions with the same name in different classes and with different parameters. Therefore, C++ needs this to resolve the function names.

In here, I’m exploiting that feature of the compiler. What the tool does here is gather the decorated names in the library (.Lib) file and decode into undecorated names. This undecorated form is the form that exists in our normal header files.

Name Mangling

Microsoft™ Visual C++ compiler encodes the names of symbols in C++ programs in this fashion. This is not published by Microsoft™. It is one of their compiler secrets. However, in some cases, you will need the undecorated form. For those purposes, Microsoft™ has supplied a few APIs to decode. That comes in “Debug Help Library” (DbgHelp.DLL).

C++ decorated symbols starts with a question ‘?‘ mark. On processing the LIB, if you gather the symbols starting with ‘?‘ and ending with the NULL character, you can get the decorated name in whole. Feed this to the UnDecorateSymbolName function, a function in the “Debug Help Library”, and you will get the undecorated name. That is it. For example, if you feed:

?MyFunc@@YAHD@Z

you will get:

<PRE lang=mc++>int __cdecl MyFunc(char)

C symbols are not like their counterpart C++. It always starts with “__imp__” mark in front of an exported function. It doesn’t provide parameter type specification. It provides only the number of bytes in the parameters after the ‘@‘ mark. For example, the function:

<PRE lang=mc++>int __stdcall func (int a, double b)

will look like this after encoding:

__imp__func@12

Therefore, in C LIBs, it is not possible to get the header files out. Here only the function names can be retrieved, i.e., by gathering “__imp__” mark to the ‘@‘ character. That’s what the tool does.

Core Code

Here I have encapsulated the LIB file symbol extraction in to a class called CLibContent. When passed with the LIB file path, it extracts and stores the decorated and undecorated names in an array of strings which can be later retrieved. Here is the code that depicts the core extraction:

...
...
    HANDLE hLibFile = CreateFile("C:\Libfiles\adme.lib",
                GENERIC_READ,
                FILE_SHARE_READ|FILE_SHARE_WRITE,
                NULL,
                OPEN_EXISTING,
                0,
                NULL);

...
...
    for(i=0;i<dwFileSize;i++)
    {
        SetFilePointer(hLibFile,i,0,FILE_BEGIN);

        nRet = ReadFile(hLibFile,&szChar,32,&dwBytes,NULL);
        if(!nRet)
            return GetLastError();
        
        if((szChar[0] == '?')||(bCollect))
        {// the symbol is C++ type collect it
            szBuff[dwBuffPos] = szChar[0];
            dwBuffPos++;
            bCollect = true;
        }
        else if(!memcmp(szChar,C_STYLE,7))
        // check if it is C style (ie. "__imp__")
        {
            dwBytes = strlen(szChar);
            nRet = ExtractCSymbol(szChar,dwBytes);
            // if it is succ then 0 else non zero

            if(!nRet)    // if failed then pass on to next char
                i += dwBytes; // if passed skip the string
        }

        if((szChar[0] == 0)&&(bCollect))
        { // finish and pass the buffer to decode
            szBuff[dwBuffPos] = szChar[0];
            dwBuffPos++;

            nRet = ExtractCppSymbol(szBuff, dwBuffPos);
            
            dwBuffPos = 0;
            bCollect = false;
        }
    }
...
...

The following function decodes the CPP style decorated names:

int CLibContent::ExtractCppSymbol(char *szDecoratedName, DWORD dwLen)
{
    char szFunc[512];
    int nRet;
    
    nRet = UnDecorateSymbolName(szDecoratedName, szFunc, 512, 
                     UNDNAME_COMPLETE|UNDNAME_32_BIT_DECODE);
    if(!nRet)
        return GetLastError(); // failure

    if(!memcmp(szDecoratedName,szFunc,nRet)) 
        return ERROR_INVALID_DATA;
        // since it is not decoded, this cud b some junk

    if(!memcmp("`string'",szFunc,nRet))
    // this cud b imported functions and constants
        return ERROR_INVALID_DATA; // so v don't need this

    //storing strings in a array and returnig nothing else
    return  m_cMemStore.Add(szDecoratedName,szFunc);    
}

This following function decodes the C style decorated names:

int CLibContent::ExtractCSymbol(char *szDecoratedName, DWORD dwLen)
{
    char szFunc[512];
    DWORD dwBuffPos;
    int i = 0;
    dwBuffPos = 0;

    if(memcmp(szDecoratedName,C_STYLE,7))
        return  ERROR_INVALID_DATA;

    i += strlen(C_STYLE);
    
    for(;i<dwLen;i++)
    {
        szFunc[dwBuffPos] = szDecoratedName[i];
        
        if(szFunc[dwBuffPos] == '@')
        {
            szFunc[dwBuffPos] = 0;
            
            //storing strings in a array nothing else
            m_cMemStore.Add(szDecoratedName, szFunc); 

            return ERROR_SUCCESS;
        }

        dwBuffPos++;
    }

    return  ERROR_INVALID_DATA;;    
}

Points of Interest

While doing this, I happened to experiment on BSC SDK (Browser Toolkit). It’s a useful SDK when you want to browse the BSC (browser information) file produced by VC++. VC++ IDE uses this file to point out the function or variable definition when you right click and click the “Go to Definition of …” menu item. Using this SDK, you can get the minute details of symbols used in your project. A function exists in this toolkit to get undecorated symbols from BSC file specific decorated names. Kind of UnDecorateSymbolName function 🙂

Limitations

When thinking of LIBs, it seems very simple and pictures all are in the same category. It is not like that. Every compiler and every version of the compiler may produce different types of LIBs and name mangle. If you see in this context, this tool will/may not work on the LIBs produced by a compiler other than VC++ 6.0.

In the exported header file, the functions exported belonging to a class will not appear in a class. It will appear more like a complete function. Another thing is, the C function parameters cannot be retrieved or exported to a header file.

Conclusion

If you want to know VC++ decoration format, check out this site. It provides the VC++ 6.0 name-mangling format.

Importantly note that this format can be changed without any notice. This tool also I’m not sure will work on VC++ 7.0 LIB files. It would be helpful if someone can test and tell me. I tested this on LIBs produced by eVC++ 3.0, eVC++4.0 and VC++ 6.0 compilers.

Hope you find this useful. Thanks.

出处:https://www.codeproject.com/Articles/9310/A-tool-to-view-a-LIB

关于作者
ultracpy
评论

    你必须 登录 提交评论