Dumping out notepad.exe and ntdll.dll
I dumped the headers and data sections of notepad.exe and ntdll.dll to work out what their dependencies are and which functions and services ntdll.dll provides, along with the service numbers used in kernel mode.
Microsoft (R) COFF/PE Dumper Version 7.10.2179
Copyright (C) Microsoft Corporation. All rights reserved.
Dump of file c:\windows\system32\notepad.exe --- this is what you see when you dump notepad.exe with the link tool from the SDK: every DLL that notepad.exe may use, along with all the functions it imports from each.
File Type: EXECUTABLE IMAGE
Section contains the following imports:
ADVAPI32.dll --- these are the functions of advapi32.dll that the notepad.exe image uses.
1001000 Import Address Table
1008DC8 Import Name Table
FFFFFFFF time date stamp
FFFFFFFF Index of first forwarder reference
77CD632E 268 RegQueryValueExW
77CD64CC 22A RegCloseKey
77CA8229 236 RegCreateKeyW
77CBE8F0 17A IsTextUnicode
77CC802D 278 RegSetValueExW
KERNEL32.dll
1001018 Import Address Table
1008DE0 Import Name Table
FFFFFFFF time date stamp
FFFFFFFF Index of first forwarder reference
77E1D22A 1D0 GetFileInformationByHandle
77E5280F 12B FindNLSString
77E2068A 285 GlobalAlloc
77E2087D 297 GlobalUnlock
77E207CB 290 GlobalLock
77E2444D 7C CreateFileMappingW
77E45CBB 1B0 GetDateFormatW
77E1EDBA 1E7 GetLocalTime
77E23672 303 LocalUnlock
77E2737E 30A MapViewOfFile
77E442A7 31A MultiByteToWideChar
77E48DB6 441 UnmapViewOfFile
77E47CEE 300 LocalReAlloc
77E29BEE 152 GetACP
77E1AD23 C3 DeleteFileW
77E1644C 3CD SetEndOfFile
77E2373F 2FF LocalLock
77E45358 148 FormatMessageW
77E48A32 47A WideCharToMultiByte
77E47940 3EC SetLastError
77E483D2 48D WriteFile
77E48129 1E6 GetLastError
77E23842 302 LocalSize
77E4464E 1DF GetFullPathNameW
77E473C0 319 MulDiv
77E2AA46 170 GetCommandLineW
77E2D36B 2A5 HeapSetInformation
77E47B0D 1AA GetCurrentProcessId
77E5614A 146 FoldStringW
77E4337B 4AA lstrcmpW
77E449CA 1CE GetFileAttributesW
77E44E2A 124 FindFirstFileW
77E44EBF 119 FindClose
77E4B29A 26A GetTimeFormatW
77E29145 1A9 GetCurrentProcess
77E018E0 42D TerminateProcess
77E01890 24F GetSystemTimeAsFileTime
77E47A1D 1AD GetCurrentThreadId
77E47652 266 GetTickCount
77E482B0 354 QueryPerformanceCounter
77E4427B 1F6 GetModuleHandleA
77E2D187 415 SetUnhandledExceptionFilter
77E019B8 239 GetStartupInfoA
77E4739C 2BA InterlockedCompareExchange
77E01D91 421 Sleep
77E47388 2BD InterlockedExchange
77E49D35 4B6 lstrlenW
77E44801 1EA GetLocaleInfoW
77E20725 28C GlobalFree
77E44572 4AD lstrcmpiW
77E44A49 3D2 SetErrorMode
77E4866C 7F CreateFileW
77E484CC 368 ReadFile
77E47A2C 43 CloseHandle
77E43B21 2F9 LocalAlloc
77E47374 2BC InterlockedDecrement
77E43A9D 2FD LocalFree
77E47360 2C0 InterlockedIncrement
77E4D9BE 270 GetUserDefaultUILanguage
77E95984 43E UnhandledExceptionFilter
GDI32.dll
100110C Import Address Table
1008ED4 Import Name Table
FFFFFFFF time date stamp
FFFFFFFF Index of first forwarder reference
77B75FC0 25E SelectObject
77B781E7 27B SetMapMode
77B812F2 28F SetViewportExtEx
77B81EA7 293 SetWindowExtEx
77B78600 21B LPtoDP
77B76390 266 SetBkMode
77B7720B 20D GetTextMetricsW
77B870AC 260 SetAbortProc
77BA3C3B 297 StartDocW
77BA31C8 299 StartPage
77B87101 DD EndPage
77BA2D8C 0 AbortDoc
77BA30DD DB EndDoc
77B769A5 CD DeleteDC
77B81550 2A0 TextOutW
77B7ABB5 205 GetTextExtentPoint32W
77B7BE99 30 CreateDCW
77B7A788 20B GetTextFaceW
77B86C04 113 EnumFontsW
77B759F0 1F4 GetStockObject
77B765B6 1E4 GetObjectW
77B75EA6 1B5 GetDeviceCaps
77B7AE17 3E CreateFontIndirectW
77B75A1F D0 DeleteObject
USER32.dll
1001170 Import Address Table
1008F38 Import Name Table
FFFFFFFF time date stamp
FFFFFFFF Index of first forwarder reference
77D7B38E 10D GetClientRect
77D8380D 270 SetCursor
77D7B8EC 24C ReleaseDC
77D7B8D8 11A GetDC
77D9129F A6 DialogBoxParamW
77D732D3 266 SetActiveWindow
77D78781 132 GetKeyboardLayout
77D721DF 220 PostQuitMessage
77D81D90 96 DefWindowProcW
77D7965E 125 GetForegroundWindow
77D7A5A6 1BD IsIconic
77D78C26 A0 DestroyWindow
77D68A4E 1F7 MessageBeep
77D67B2A 187 GetWindowPlacement
77D6D382 3A CharUpperW
77D78671 235 RegisterClassExW
77D6D3C5 1D9 LoadImageW
77D7862C 1D5 LoadCursorW
77D8244A 2A5 SetWindowLongW
77D69DE5 1CF LoadAcceleratorsW
77D719F6 16E GetSystemMenu
77D674D9 2A6 SetWindowPlacement
77D785F0 68 CreateWindowExW
77D6F801 24A RegisterWindowMessageW
77D6CBB7 28B SetProcessDPIAware
77D9D86E 294 SetScrollPos
77D78B84 2B8 ShowWindow
77D8250E 182 GetWindowLongW
77D825BC 21C PeekMessageW
77D7282F D1 EnableWindow
77D7BEB6 C7 DrawTextExW
77D9A500 5D CreateDialogParamW
77D7031A 18F GetWindowTextW
77D6B2CA 205 MoveWindow
77D82DA7 1AA InvalidateRect
77D82B71 263 SendMessageW
77D6F82E 2F CharNextW
77D996E6 3D CheckMenuItem
77D9CA35 47 CloseClipboard
77D9CAC8 1B6 IsClipboardFormatAvailable
77D9CA47 20F OpenClipboard
77D6BC72 147 GetMenuState
77D6BE00 CF EnableMenuItem
77D6B8F9 16B GetSubMenu
77D67B3E 13C GetMenu
77D79C65 2A2 SetWinEventHook
77D819A2 14E GetMessageW
77D83915 21F PostMessageW
77DBFBD5 1FF MessageBoxW
77D796AB 124 GetFocus
77D911FF 300 WinHelpW
77D8340C 11E GetDlgCtrlID
77D73023 D3 EndDialog
77D70866 18E GetWindowTextLengthW
77D786D8 1D7 LoadIconW
77D7B102 1B9 IsDialogMessageW
77D7B569 2D3 TranslateAcceleratorW
77D82AA1 2D5 TranslateMessage
77D82A89 A9 DispatchMessageW
77D78B98 2E9 UpdateWindow
77D72C64 2D7 UnhookWinEvent
77D8ACBE 41 ChildWindowFromPoint
77D994BD 122 GetDlgItemTextW
77D993E1 277 SetDlgItemTextW
77D796B8 279 SetFocus
77D75DF4 2AC SetWindowTextW
77D82E91 155 GetParent
77D7AC9B 1E4 LoadStringW
77D91D1C 25A SendDlgItemMessageW
77D7C65C 119 GetCursorPos
77D7C1D0 254 ScreenToClient
msvcrt.dll
1001290 Import Address Table
1009058 Import Name Table
FFFFFFFF time date stamp
FFFFFFFF Index of first forwarder reference
70D65BC2 37 ?terminate@@YAXXZ
70D1E116 127 _controlfp
70D1C032 3CE _vsnwprintf
70D19860 4EE memset
70D1BE1E 46D _wtol
70D198D0 4EA memcpy
70D1BA09 4CC iswctype
70D37B87 4DA localtime
70D36599 159 _except_handler4_common
70D223B6 D2 __set_app_type
70D223AB BE __p__fmode
70D223A0 B9 __p__commode
70DB18B4 F5 _adjust_fdiv
70D7A161 101 _amsg_exit
70D1BBD2 1D5 _initterm
70DAE4DC E7 _acmdln
70D220F7 48F exit
70D1D39A 534 time
70D234D9 91 __getmainargs
70D1E342 1F4 _ismbblead
70D74EFE 6A _XcptFilter
70D7A2E3 162 _exit
70D221CC 114 _cexit
70DA5C1D D4 __setusermatherr
COMDLG32.dll
10012F4 Import Address Table
10090BC Import Name Table
FFFFFFFF time date stamp
FFFFFFFF Index of first forwarder reference
7181D9D0 E GetSaveFileNameW
71833E86 8 FindTextW
71833EBA 17 ReplaceTextW
71839307 11 PageSetupDlgW
71842EED 14 PrintDlgExW
718128DF C GetOpenFileNameW
71802517 4 CommDlgExtendedError
71837CD1 3 ChooseFontW
71802E37 A GetFileTitleW
SHELL32.dll
100131C Import Address Table
10090E4 Import Name Table
FFFFFFFF time date stamp
FFFFFFFF Index of first forwarder reference
7669D635 1B DragAcceptFiles
7658A7D3 20 DragQueryFileW
766FB803 1C DragFinish
7661AFE6 8D SHCreateItemFromParsingName
766EA0A5 110 ShellAboutW
WINSPOOL.DRV
1001334 Import Address Table
10090FC Import Name Table
FFFFFFFF time date stamp
FFFFFFFF Index of first forwarder reference
6E19121B 85 GetPrinterDriverW
6E199539 1D ClosePrinter
6E187359 8F OpenPrinterW
ole32.dll
1001344 Import Address Table
100910C Import Name Table
FFFFFFFF time date stamp
FFFFFFFF Index of first forwarder reference
72C6D569 66 CoTaskMemAlloc
72C6DD8F 10 CoCreateInstance
72C6DE1E 67 CoTaskMemFree
72C69BD8 6B CoUninitialize
72C6885D 3E CoInitializeEx
SHLWAPI.dll
100135C Import Address Table
1009124 Import Name Table
FFFFFFFF time date stamp
FFFFFFFF Index of first forwarder reference
6ED6E534 5D PathIsFileSpecW
6ED7E468 FD SHStrDupW
COMCTL32.dll
1001368 Import Address Table
1009130 Import Name Table
FFFFFFFF time date stamp
FFFFFFFF Index of first forwarder reference
7493FDC3 C CreateStatusWindowW
748B3E05 Ordinal 345
OLEAUT32.dll
1001374 Import Address Table
100913C Import Name Table
FFFFFFFF time date stamp
FFFFFFFF Index of first forwarder reference
702E41AB Ordinal 2
702E3DAB Ordinal 6
ntdll.dll
1001380 Import Address Table
1009148 Import Name Table
FFFFFFFF time date stamp
FFFFFFFF Index of first forwarder reference
77F0850D 548 WinSqmAddToStream
Header contains the following bound import information:
Bound to ADVAPI32.dll [4549BCD2] Thu Nov 02 15:09:30 2006 --- this refers to when the image was built; this is Windows Vista, which is why it shows 2006.
Bound to KERNEL32.dll [4549BD80] Thu Nov 02 15:12:24 2006
Bound to GDI32.dll [4549BCD3] Thu Nov 02 15:09:31 2006
Bound to USER32.dll [4549BDE0] Thu Nov 02 15:14:00 2006
Bound to msvcrt.dll [4549BD61] Thu Nov 02 15:11:53 2006
Bound to COMDLG32.dll [4549BD09] Thu Nov 02 15:10:25 2006
Bound to SHELL32.dll [4549BDB4] Thu Nov 02 15:13:16 2006
Bound to WINSPOOL.DRV [4549BE2A] Thu Nov 02 15:15:14 2006
Bound to ole32.dll [4549BD92] Thu Nov 02 15:12:42 2006
Bound to SHLWAPI.dll [4549BDB9] Thu Nov 02 15:13:21 2006
Bound to COMCTL32.dll [4549BD09] Thu Nov 02 15:10:25 2006
Bound to OLEAUT32.dll [4549BD95] Thu Nov 02 15:12:45 2006
Bound to ntdll.dll [4549BDC9] Thu Nov 02 15:13:37 2006
Summary
3000 .data
1000 .reloc
1A000 .rsrc
9000 .text
Next I dumped out the .data section shown in the summary:
C:\Users\ganand\Desktop\internals\TOOLS>link.exe -dump -section:".data" -all c:\windows\system32\notepad.exe >c:\notepaddump2.txt
Microsoft (R) COFF/PE Dumper Version 7.10.2179
Copyright (C) Microsoft Corporation. All rights reserved.
Dump of file c:\windows\system32\notepad.exe
PE signature found --- this is a Windows PE format image
File Type: EXECUTABLE IMAGE
FILE HEADER VALUES
14C machine (x86)
4 number of sections
4549B0BE time date stamp Thu Nov 02 14:17:58 2006 --- when this image was built
0 file pointer to symbol table
0 number of symbols
E0 size of optional header
102 characteristics
Executable
32 bit word machine
OPTIONAL HEADER VALUES
10B magic # (PE32)
8.00 linker version
9000 size of code
1CC00 size of initialized data
0 size of uninitialized data
31F8 entry point (010031F8)
1000 base of code
D000 base of data
1000000 image base (01000000 to 01027FFF)
1000 section alignment
200 file alignment
6.00 operating system version
6.00 image version
6.00 subsystem version
0 Win32 version
28000 size of image
400 size of headers
2A84B checksum
2 subsystem (Windows GUI)
8140 DLL characteristics
RESERVED - UNKNOWN
RESERVED - UNKNOWN
Terminal Server Aware
40000 size of stack reserve
11000 size of stack commit
100000 size of heap reserve
1000 size of heap commit
0 loader flags
10 number of directories
0 [ 0] RVA [size] of Export Directory
8C0C [ 118] RVA [size] of Import Directory
D000 [ 19A10] RVA [size] of Resource Directory
0 [ 0] RVA [size] of Exception Directory
0 [ 0] RVA [size] of Certificates Directory
27000 [ D20] RVA [size] of Base Relocation Directory
9EF8 [ 38] RVA [size] of Debug Directory
0 [ 0] RVA [size] of Architecture Directory
0 [ 0] RVA [size] of Global Pointer Directory
0 [ 0] RVA [size] of Thread Storage Directory
5010 [ 40] RVA [size] of Load Configuration Directory
278 [ 10C] RVA [size] of Bound Import Directory
1000 [ 388] RVA [size] of Import Address Table Directory
0 [ 0] RVA [size] of Delay Import Directory
0 [ 0] RVA [size] of COM Descriptor Directory
0 [ 0] RVA [size] of Reserved Directory
SECTION HEADER #2
.data name
2124 virtual size
A000 virtual address (0100A000 to 0100C123)
1000 size of raw data
9400 file pointer to raw data (00009400 to 0000A3FF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
C0000040 flags
Initialized Data
Read Write
RAW DATA #2
Summary
3000 .data
C:\Users\ganand\Desktop\internals\TOOLS>link.exe -dump -dependents c:\windows\system32\notepad.exe
Microsoft (R) COFF/PE Dumper Version 7.10.2179
Copyright (C) Microsoft Corporation. All rights reserved.
Dump of file c:\windows\system32\notepad.exe
File Type: EXECUTABLE IMAGE
Image has the following dependencies:
ADVAPI32.dll
KERNEL32.dll
GDI32.dll
USER32.dll
msvcrt.dll
COMDLG32.dll
SHELL32.dll
WINSPOOL.DRV
ole32.dll
SHLWAPI.dll
COMCTL32.dll
OLEAUT32.dll
ntdll.dll
====
C:\Users\ganand\Desktop\internals\TOOLS>link.exe -dump -exports c:\windows\system32\ntdll.dll >c:\ntdll.txt
Dump of file c:\windows\system32\ntdll.dll
File Type: DLL
Section contains the following exports for ntdll.dll
00000000 characteristics
4549ACD4 time date stamp Thu Nov 02 14:01:16 2006
0.00 version
1 ordinal base
1902 number of functions
1902 number of names
ordinal hint RVA name
10 0 000246E0 A_SHAFinal --- this lists all the functions of ntdll.dll with their service numbers
11 1 000245D8 A_SHAInit
12 2 0002462E A_SHAUpdate
13 3 0000A956 AlpcAdjustCompletionListConcurrencyCount
14 4 0000B0C0 AlpcFreeCompletionListMessage
15 5 00097D6D AlpcGetCompletionListLastMessageInformation
16 6 00097D39 AlpcGetCompletionListMessageAttributes
17 7 0006637A AlpcGetHeaderSize
18 8 00066343 AlpcGetMessageAttribute
19 9 0000AF0D AlpcGetMessageFromCompletionList
20 A 00070C93 AlpcGetOutstandingCompletionListMessageCount
21 B 00022DEB AlpcInitializeMessageAttribute
22 C 00011135 AlpcMaxAllowedMessageLength
23 D 0000AD39 AlpcRegisterCompletionList
24 E 0000AE5A AlpcRegisterCompletionListWorkerThread
25 F 00070CB2 AlpcUnregisterCompletionList
26 10 0000AD95 AlpcUnregisterCompletionListWorkerThread
27 11 0003DCE5 CsrAllocateCaptureBuffer
28 12 0003DD78 CsrAllocateMessagePointer
29 13 0003EF49 CsrCaptureMessageBuffer
30 14 00038FFA CsrCaptureMessageMultiUnicodeStringsInPlace
31 15 00038F9A CsrCaptureMessageString
32 16 0008EC13 CsrCaptureTimeout
33 17 00067F66 CsrClientCallServer
34 18 00034C8C CsrClientConnectToServer
35 19 0003DDBE CsrFreeCaptureBuffer
36 1A 0008EC08 CsrGetProcessId
37 1B 0008EBF3 CsrIdentifyAlertableThread
38 1C 0008EBF3 CsrNewThread
39 1D 0008EBFB CsrSetPriorityClass
40 1E 0008EC46 CsrVerifyRegion
41 1F 00042EA8 DbgBreakPoint
42 20 0001544A DbgPrint
43 21 000214D5 DbgPrintEx
44 22 00097ED7 DbgPrintReturnControlC
45 23 00097E12 DbgPrompt
46 24 00097E58 DbgQueryDebugFilterState
47 25 00097E68 DbgSetDebugFilterState
48 26 0008EF7E DbgUiConnectToDbg
49 27 0008F026 DbgUiContinue
50 28 0008F158 DbgUiConvertStateChangeStructure
51 29 0008F116 DbgUiDebugActiveProcess
52 2A 0008EFD0 DbgUiGetThreadDebugObject
53 2B 0008F0D0 DbgUiIssueRemoteBreakin
54 2C 0008F06D DbgUiRemoteBreakin
55 2D 0008EFE2 DbgUiSetThreadDebugObject
--- long list continues ...
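An added example (not the post's code) of what `link -dump` is reading: a small PE32 parser that walks the file header, optional header and import directory the way the dumps above show them, and decodes the DllCharacteristics value 8140, whose 0x40 (DYNAMIC_BASE, ASLR) and 0x100 (NX_COMPAT, DEP) bits this 2003-vintage dumpbin 7.10 prints as RESERVED - UNKNOWN. It runs offline against a constructed image whose header values, DLL names and hints are copied from the notepad.exe dump; note that the ordinal and hint columns of the ntdll export dump are export-table indices, not the system service numbers, which sit inside the Nt*/Zw* stub code.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits; dumpbin 7.10 predates DYNAMIC_BASE and NX_COMPAT
DLL_CHARACTERISTICS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE",
                       0x0080: "FORCE_INTEGRITY", 0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION",
                       0x0400: "NO_SEH", 0x0800: "NO_BIND", 0x1000: "APPCONTAINER",
                       0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE"}
# PE32 optional header up to NumberOfRvaAndSizes (96 bytes); the data directories follow it
OPT32 = "<HBB" + "I" * 9 + "H" * 6 + "IIIIHH" + "I" * 6


def decode_dll_characteristics(value):
    """Names of the bits set in the optional header's DllCharacteristics field."""
    return [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if value & bit]


def build_sample_pe():
    """Constructed PE32 image (not a real binary): header values copied from the
    notepad.exe dump above, plus one section holding a small import directory."""
    sec_rva, sec_raw = 0x2000, 0x400
    body = bytearray()

    def put(blob):                      # append to the section, return the RVA
        rva = sec_rva + len(body)
        body.extend(blob)
        return rva

    imports = [("KERNEL32.dll", [("CreateFileW", 0x7F), ("WriteFile", 0x48D)]),
               ("COMCTL32.dll", [345]),          # import by ordinal, as in the dump
               ("ntdll.dll", [("WinSqmAddToStream", 0x548)])]
    descriptors = []
    for dll, funcs in imports:
        thunks = []
        for f in funcs:
            if isinstance(f, int):              # ordinal flag (bit 31) + ordinal
                thunks.append(0x80000000 | f)
            else:                               # IMAGE_IMPORT_BY_NAME: u16 hint + name
                thunks.append(put(struct.pack("<H", f[1]) + f[0].encode() + b"\0"))
        name_rva = put(dll.encode() + b"\0")
        table = struct.pack("<%dI" % (len(thunks) + 1), *thunks, 0)
        int_rva = put(table)                    # Import Name Table
        iat_rva = put(table)                    # Import Address Table (same on disk)
        descriptors.append(struct.pack("<IIIII", int_rva, 0, 0, name_rva, iat_rva))
    import_rva = put(b"".join(descriptors) + bytes(20))   # null descriptor ends the list
    body.extend(bytes(0x200 - len(body)))

    dirs = [(0, 0)] * 16
    dirs[1] = (import_rva, 20 * (len(descriptors) + 1))  # Import Directory RVA [size]
    opt = struct.pack(OPT32, 0x10B, 8, 0, 0x9000, 0x1CC00, 0, 0x31F8, 0x1000, 0xD000,
                      0x01000000, 0x1000, 0x200, 6, 0, 6, 0, 6, 0, 0, 0x3000, 0x400, 0,
                      2, 0x8140, 0x40000, 0x11000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    headers = (b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0"
               + struct.pack("<HHIIIHH", 0x14C, 1, 0x4549B0BE, 0, 0, len(opt), 0x102) + opt
               + struct.pack("<8sIIIIIIHHI", b".idata", 0x200, sec_rva, 0x200, sec_raw,
                             0, 0, 0, 0, 0xC0000040))
    return bytes(headers + bytes(sec_raw - len(headers)) + body)


def parse_pe(data):
    """Walk the PE32 headers and import directory, like `link -dump -imports`."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    f = struct.unpack_from(OPT32, data, opt)
    if f[0] != 0x10B:
        raise ValueError("only PE32 (magic 10B) is handled here")
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(f[29])]
    sections = [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
                for i in range(nsec)]

    def rva_to_off(rva):                # map an RVA to a file offset via the section table
        for _, vsize, va, rawsize, rawptr in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + rawptr
        raise ValueError("RVA %#x lies in no section" % rva)

    def cstr(rva):
        off = rva_to_off(rva)
        return data[off:data.index(b"\0", off)].decode()

    imports = {}
    off = rva_to_off(dirs[1][0]) if len(dirs) > 1 and dirs[1][0] else None
    while off is not None:
        int_rva, _, _, name_rva, iat_rva = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0:               # all-zero descriptor terminates the list
            break
        funcs, toff = [], rva_to_off(int_rva or iat_rva)   # use the IAT if there is no INT
        while True:
            thunk = struct.unpack_from("<I", data, toff)[0]
            if thunk == 0:
                break
            if thunk & 0x80000000:      # import by ordinal
                funcs.append(("Ordinal %d" % (thunk & 0xFFFF), None))
            else:                       # import by name: u16 hint, then the name
                funcs.append((cstr(thunk + 2), struct.unpack_from("<H", data, rva_to_off(thunk))[0]))
            toff += 4
        imports[cstr(name_rva)] = funcs
        off += 20
    return {"machine": machine, "timestamp": stamp, "entry_point": f[6], "image_base": f[9],
            "subsystem": f[22], "dll_characteristics": decode_dll_characteristics(f[23]),
            "imports": imports}
```

Pointing `parse_pe` at the bytes of a real 32-bit image reproduces the DLL-by-DLL listing above; 64-bit (PE32+, magic 20B) images have a different optional header layout and are rejected rather than misparsed.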
Comments
- Anonymous
January 01, 2003
PingBack from http://geeklectures.info/2007/12/23/dumping-out-notepadexe-and-ntdlldll/