Skip to content

Instantly share code, notes, and snippets.

@rmi1974

rmi1974/how_to_recursively_find_dllimports_using_winedump.md

Last active March 30, 2020 10:26
Show Gist options
  • Save rmi1974/8c079cca8e657c93e5914d3d397a81c6 to your computer and use it in GitHub Desktop.
Save rmi1974/8c079cca8e657c93e5914d3d397a81c6 to your computer and use it in GitHub Desktop.
Download ZIP
How to recursively find dll imports using winedump #wine #debug #commandlinefu
Raw
how_to_recursively_find_dllimports_using_winedump.md

How to recursively find dll imports using winedump

Find a specific import in WINEPREFIX

$ grep -ralZ _SetWinRTOutOfMemoryExceptionCallback .wine/drive_c | \
      xargs -r0i bash -c "echo \"{}\" && winedump -j import \"{}\" | \
      grep _SetWinRTOutOfMemoryExceptionCallback"

.wine/drive_c/windows/syswow64/msvcr120.dll
.wine/drive_c/windows/syswow64/vccorlib120.dll
   357  _SetWinRTOutOfMemoryExceptionCallback 340e8
.wine/drive_c/windows/syswow64/msvcr120_clr0400.dll
.wine/drive_c/windows/syswow64/vcruntime140.dll
.wine/drive_c/windows/syswow64/ucrtbase.dll
.wine/drive_c/windows/syswow64/vccorlib140.dll
     8  _SetWinRTOutOfMemoryExceptionCallback 380bc
.wine/drive_c/windows/syswow64/api-ms-win-crt-private-l1-1-0.dll
.wine/drive_c/windows/Microsoft.NET/Framework64/v4.0.30319/SetupCache/v4.6.00081/NetFx_Full.mzz
.wine/drive_c/windows/system32/msvcr120_clr0400.dll
.wine/drive_c/windows/system32/vcruntime140.dll
.wine/drive_c/windows/system32/ucrtbase.dll
.wine/drive_c/windows/system32/vccorlib140.dll
     4  _SetWinRTOutOfMemoryExceptionCallback 52eda
.wine/drive_c/Program Files (x86)/Common Files/ArcGIS/bin/msvcr120.dll
.wine/drive_c/Program Files (x86)/Common Files/ArcGIS/bin/vccorlib120.dll
   357  _SetWinRTOutOfMemoryExceptionCallback 340e8
.wine/drive_c/Program Files (x86)/ArcGIS/Desktop10.6/java/jre/bin/msvcr120.dll
.wine/drive_c/Program Files (x86)/ArcGIS/Desktop10.6/java/jre/bin/vcruntime140.dll
.wine/drive_c/Program Files (x86)/ArcGIS/Desktop10.6/java/jre/bin/ucrtbase.dll
.wine/drive_c/Program Files (x86)/ArcGIS/Desktop10.6/java/jre/bin/api-ms-win-crt-private-l1-1-0.dll

Find all imports for specific dll in current folder and subfolders

$ grep -ralZ RTWorkQ . | xargs -r0i bash -c "echo \"{}\" && winedump -j import \"{}\" | \
       sed -n '/RTWorkQ.DLL/,/^$/p'"

./x86_microsoft-windows-m..ation-mfmediaengine_31bf3856ad364e35_10.0.17134.1_none_89b70aa01d752673/MFMediaEngine.dll
  offset 003bbc94 RTWorkQ.DLL
  Hint/Name Table: 003BF8BC
  TimeDateStamp:   00000000 (Thu Jan  1 01:00:00 1970)
  ForwarderChain:  00000000
  First thunk RVA: 003BF000
   Thunk    Ordn  Name
  003bf000    29  RtwqSetLongRunning
  ...
$ grep -ralZi msvcrt .wine/drive_c | xargs -r0i bash -c "echo \"{}\" && winedump -j import \"{}\" | \
       sed -n '/msvcrt.dll/,/^$/Ip'" | grep -i -B1 msvcrt.dll

.wine/drive_c/windows/syswow64/msvcirt.dll
  offset 00018d1c msvcrt.dll
--
.wine/drive_c/windows/syswow64/msvcrt20.dll
  offset 0000dc59 msvcrt.dll
--
.wine/drive_c/windows/syswow64/gecko/2.47.1/wine_gecko/browser/components/browsercomps.dll
  offset 00037464 msvcrt.dll
--
.wine/drive_c/windows/syswow64/gecko/2.47.1/wine_gecko/mozglue.dll
  offset 000e5814 msvcrt.dll
...
--
.wine/drive_c/windows/syswow64/gecko/2.47.1/wine_gecko/mozavcodec.dll
  offset 001aec28 msvcrt.dll
--
.wine/drive_c/windows/syswow64/msvcp60.dll
  offset 000a9f0b msvcrt.dll
--
.wine/drive_c/windows/syswow64/ntoskrnl.exe
  offset 000294ef msvcrt.dll
--
.wine/drive_c/windows/system32/msvcirt.dll
  offset 00018bce msvcrt.dll
--
.wine/drive_c/windows/system32/msvcrt20.dll
  offset 0000cb47 msvcrt.dll
--
.wine/drive_c/windows/system32/gecko/2.47.1/wine_gecko/browser/components/browsercomps.dll
  offset 00036864 msvcrt.dll
...
--
.wine/drive_c/windows/system32/gecko/2.47.1/wine_gecko/nssckbi.dll
  offset 00078a28 msvcrt.dll
--
.wine/drive_c/windows/system32/gecko/2.47.1/wine_gecko/mozavcodec.dll
  offset 001ada28 msvcrt.dll
--
.wine/drive_c/windows/system32/msvcp60.dll
  offset 000ae05d msvcrt.dll
--
.wine/drive_c/windows/system32/ntoskrnl.exe
  offset 0002c636 msvcrt.dll
--
.wine/drive_c/windows/winsxs/x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_deadbeef/msvcr80.dll
  offset 00086350 msvcrt.dll
--
.wine/drive_c/Program Files (x86)/PTC/Creo Elements/Direct Modeling Express 6.0/binNT/dbghelp.dll
  offset 00093464 msvcrt.dll
--
.wine/drive_c/Program Files (x86)/PTC/Creo Elements/Direct Modeling Express 6.0/help/installation/scripts/uninstall.exe
  offset 00005c28 msvcrt.dll
--
.wine/drive_c/Program Files (x86)/PTC/Creo Elements/Direct Modeling Express 6.0/help/modeling_help.exe
  offset 00005c28 msvcrt.dll

Links

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment