
Get external commands of a DLL file

I have a DLL file that is being used by a video player application. This video player uses that DLL file to export the videos as AVI file format. What is the way to know how that application uses the DLL file so that I can execute it externally?

I have a copy of the file here on Dropbox.

tinyCoder asked Oct 04 '17 13:10


2 Answers

As Raymond said, there's no formal way to inspect the interfaces supported by a DLL.

At best you have these options:

  1. Type dumpbin /exports lkExport.dll to see what functions are exported. You won't see the function signatures or return types, but perhaps you'll recognize it as some well known plugin interface standard for your particular application. Perhaps the media player application itself has a plugin SDK where these functions are documented. In your case, I see what appears to be Java bindings also exported by this DLL... that might be an avenue to explore.

  2. Try seeing if the DLL is for COM and exports a type library. I didn't see any of the usual COM functions exported, but you can load the DLL in Visual Studio with the resource editor and look for one.

  3. The resource editor didn't reveal a type library, so that likely rules out COM. But it does reveal an art resource showing hints showing the name of the product or company that made the DLL. I see both "Linktivity" and "Inter-Tel (Delaware), Inc." listed. A quick web search reveals they may be out of business, but you're probably a smart and resourceful person...

  4. The only thing left to do is attempt to hook up a debugger (e.g. windbg) to the application that loads the DLL and set breakpoints on the exported functions and disassemble the stack and try to infer the function parameter types, return values, and meaning of each. I suspect that's going to be very hard to do if you don't have the PDB symbol file that corresponds to the build of that DLL. (Maybe you can set a bp on an exported DLL function without symbols? I've never tried...) There are some folks out there that can do this type of stuff...

Some hints:

dumpbin /exports lkExport.dll

C:\Users\jselbie\Downloads>dumpbin /exports lkExport.dll
Microsoft (R) COFF/PE Dumper Version 14.11.25506.0
Copyright (C) Microsoft Corporation.  All rights reserved.


Dump of file lkExport.dll

File Type: DLL

  Section contains the following exports for lkExport.dll

    00000000 characteristics
    47606859 time date stamp Wed Dec 12 15:01:45 2007
        0.00 version
           1 ordinal base
          14 number of functions
          14 number of names

    ordinal hint RVA      name

          1    0 00001A80 DispatchMsg
          2    1 00001AD0 Init
         10    2 00001D00 ReceiveMsg
         11    3 00001D90 SendMsg
         12    4 00001DB0 SendMsgProc
         13    5 00001B70 Start
         14    6 00001C40 Stop
          3    7 00001A40 _Java_linktivity_nativecontrols_ExportAppletDll_DispatchMsg@20
          4    8 000018B0 _Java_linktivity_nativecontrols_ExportAppletDll_Initialize@24
          5    9 00001980 _Java_linktivity_nativecontrols_ExportAppletDll_ReceiveMsg@16
          6    A 00001920 _Java_linktivity_nativecontrols_ExportAppletDll_ReceiveNodeMsg@20
          7    B 000019C0 _Java_linktivity_nativecontrols_ExportAppletDll_SendMsgProc@16
          8    C 00001900 _Java_linktivity_nativecontrols_ExportAppletDll_Start@8
          9    D 00001910 _Java_linktivity_nativecontrols_ExportAppletDll_Stop@8

selbie answered Sep 25 '22 16:09
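The JNI-style exports in the listing above carry more than a bare name: the JNI naming convention encodes the Java class and method, and the 32-bit `__stdcall` `@N` suffix gives the total argument size. The Python below is an added example, not part of the answer or of any tool mentioned on this page; `decode_jni_export` is a hypothetical helper, it assumes 4-byte pointers (a 32-bit DLL), and the last sample name is constructed.

```python
import re

# Export names copied from the dumpbin listing above, plus one constructed
# name (the last) that exercises JNI escapes and an overload signature.
EXPORTS = [
    "Init",
    "_Java_linktivity_nativecontrols_ExportAppletDll_Initialize@24",
    "_Java_linktivity_nativecontrols_ExportAppletDll_ReceiveNodeMsg@20",
    "_Java_linktivity_nativecontrols_ExportAppletDll_Start@8",
    "_Java_com_example_My_1Class_do_1it__I@12",  # constructed
]

def _unescape(part):
    # JNI escapes: _1 -> "_", _2 -> ";", _3 -> "[", _0xxxx -> UTF-16 code unit.
    def repl(m):
        tok = m.group(1)
        if tok[0] == "0":
            return chr(int(tok[1:], 16))
        return {"1": "_", "2": ";", "3": "["}[tok]
    return re.sub(r"_(0[0-9a-fA-F]{4}|[123])", repl, part)

def decode_jni_export(name, pointer_size=4):
    """Decode a JNI-style export; return None for any other export name."""
    m = re.fullmatch(r"_?Java_(.+?)(?:@(\d+))?", name)
    if not m:
        return None
    # "__" separates the method name from an overload signature, if present.
    mangled, _, signature = m.group(1).partition("__")
    # "_" followed by a digit is an escape, never a package/class separator.
    parts = re.split(r"_(?!\d)", mangled)
    if len(parts) < 2 or not all(parts):
        return None
    info = {
        "class": ".".join(_unescape(p) for p in parts[:-1]),
        "method": _unescape(parts[-1]),
        "mangled_signature": signature or None,  # left in its mangled form
        "stack_bytes": None,
        "java_arg_bytes": None,
    }
    if m.group(2) is not None:
        # 32-bit __stdcall decoration: @N is the total argument size in bytes.
        # Every JNI native receives JNIEnv* and jobject/jclass first.
        info["stack_bytes"] = int(m.group(2))
        info["java_arg_bytes"] = info["stack_bytes"] - 2 * pointer_size
    return info

if __name__ == "__main__":
    for export in EXPORTS:
        print(export, "->", decode_jni_export(export))
```

A `java_arg_bytes` of 0, as for `Start` and `Stop`, means the native method takes no Java-level parameters; non-zero values only bound the parameter list, since `jlong` and `jdouble` occupy 8 bytes and other JNI types 4.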


I think you could succeed with WinAPIOverride.

It allows you to inspect all the calls to the DLL and see what goes in and what goes out of each call. You use this live, almost like a debugger, but it's explicitly made to help understand how a DLL works.

Prof. Falken answered Sep 24 '22 16:09