Kiran Kumar R

Reputation: 1

Listing all LoadLibrary and GetProcAddress calls in a PE file

I need sample code or a tool that parses the PE file and lists all LoadLibrary and GetProcAddress calls. Along with that, I also need the DLL name passed to LoadLibrary and the function name passed to each of the listed GetProcAddress calls.

Upvotes: 0

Views: 1405

Answers (3)

Anonymous Coward

Reputation: 626

In some cases on 64-bit Windows you won't be able to use Dependency Walker. In that case use this in WinDbg:

bu KERNELBASE!LoadLibraryExW "du/c100 rcx;g;"

Upvotes: 0

mox

Reputation: 6314

You can also use Dependency Walker. This tool shows all types of dependencies (implicit, delay-loaded, forwarded). Using this tool you can even test the dynamic dependencies (the ones that are made by invoking LoadLibrary/GetProcAddress)! To do the latter, you must run Dependency Walker in profiling mode.

Upvotes: 1

SecurityMatt

Reputation: 6743

There is no way to statically check for the calls made to LoadLibrary/GetProcAddress.

To get a list of imports and exports from the PE file statically, use PEDUMP (or you can use this online utility: http://pedump.me).

To profile an application for LoadLibrary/GetProcAddress you'll want something like WinDbg. Attach WinDbg to the process you want to profile and put a breakpoint on LoadLibrary/GetProcAddress. You'll then be able to see the parameter. For example:

  • bp kernel32!LoadLibraryA "da poi(esp+4); g;"

will print out all calls to LoadLibraryA as they happen.

Upvotes: 1
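Added example (not part of any answer above): a static import-table reader in Python that lists what a PE file imports and reports whether LoadLibrary*/GetProcAddress are among the imports. It shows only that run-time resolution is available to the binary; the DLL and function names passed at run time still require the debugger breakpoints described in the answers. The names parse_imports, dynamic_loaders and build_sample are hypothetical, and the sample image is constructed for the example.

```python
import struct

def parse_imports(data):
    """Return {dll: [names or '#ordinal']} from a PE file's import directory."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]              # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24
    pe64 = struct.unpack_from("<H", data, opt)[0] == 0x20B    # PE32+ magic
    imp_rva = struct.unpack_from("<I", data, opt + (112 if pe64 else 96) + 8)[0]
    secs = [struct.unpack_from("<4I", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    def off(rva):                                             # RVA -> file offset
        for vsize, va, rsize, raw in secs:
            if va <= rva < va + max(vsize, rsize):
                return raw + rva - va
        raise ValueError("RVA %#x is outside every section" % rva)
    def cstr(rva):
        o = off(rva)
        return data[o:data.index(b"\0", o)].decode("ascii", "replace")
    imports = {}
    width, fmt, flag = (8, "<Q", 1 << 63) if pe64 else (4, "<I", 1 << 31)
    d = off(imp_rva) if imp_rva else None
    while d is not None:
        oft, _, _, name, ft = struct.unpack_from("<5I", data, d)
        if not name: break                                    # terminating descriptor
        funcs, t = imports.setdefault(cstr(name), []), off(oft or ft)
        while (v := struct.unpack_from(fmt, data, t)[0]):
            funcs.append("#%d" % (v & 0xFFFF) if v & flag else cstr((v & 0x7FFFFFFF) + 2))
            t += width
        d += 20
    return imports

def dynamic_loaders(imports):
    """Imported APIs that resolve code at run time, beyond what the table lists."""
    return sorted(f for fs in imports.values() for f in fs
                  if f.startswith("LoadLibrary") or f == "GetProcAddress")

def build_sample():
    """Constructed minimal PE32 (not a real binary): kernel32.dll imports only."""
    img = bytearray(0x400)
    img[:2], img[0x3C], img[0x40:0x44] = b"MZ", 0x40, b"PE\0\0"
    struct.pack_into("<HH12xH2xH", img, 0x44, 0x14C, 1, 224, 0x10B)   # COFF + PE32 magic
    struct.pack_into("<2I", img, 0xC0, 0x1000, 40)                    # import directory
    struct.pack_into("<4I", img, 0x140, 0x200, 0x1000, 0x200, 0x200)  # section header
    struct.pack_into("<5I", img, 0x200, 0x1040, 0, 0, 0x10C0, 0x1060) # import descriptor
    struct.pack_into("<3I", img, 0x240, 0x1080, 0x10A0, 0)            # name-pointer table
    for o, s in ((0x282, b"LoadLibraryA"), (0x2A2, b"GetProcAddress"), (0x2C0, b"kernel32.dll")):
        img[o:o + len(s)] = s
    return bytes(img)
```

For a real file, pass its bytes to parse_imports, e.g. open(path, "rb").read().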
