live_dont_exist
February 21st, 2012, 14:28
Hi All,
I was trying to get a list of all the DLLs that are loaded by an executable using the PeFile module in Python. So I took up 'Minesweeper'. I read the PE header and got all the DLLs that minesweeper imported, and all the dependencies for each of these DLLs as well. For e.g. winmine.exe had 9 DLLs in its IMPORT DIRECTORY TABLE. Of these, some DLLs again had their own imports. So I got those as well. Here is my output:
This is a list of all the DLLs imported by winmine.exe
Code:
['WINMM.dll', 'GDI32.dll', 'SHELL32.dll', 'KERNEL32.dll', 'msvcrt.dll', 'RPCRT4.dll', 'ADVAPI32.dll', 'ntdll.dll', 'SHLWAPI.dll', 'USER32.dll', 'COMCTL32.dll']
>>>
But now when I look in Olly there are 4 or 5 more DLLs marked in red for some reason.

Code:
Executable modules
Base Size Entry Name File version Path
01000000 00020000 01003E21 winmine 5.1.2600.0 (xpcl C:\WINDOWS\system32\winmine.exe
5AD70000 00038000 5AD71626 UxTheme 6.00.2900.2180 ( C:\WINDOWS\system32\UxTheme.dll
5CB70000 00026000 5CB78E39 ShimEng 5.1.2600.2180 (x C:\WINDOWS\system32\ShimEng.dll
6F880000 001CA000 6F8A5E1A AcGenral 5.1.2600.2180 (x C:\WINDOWS\AppPatch\AcGenral.DLL
76390000 0001D000 763912C0 IMM32 5.1.2600.2180 (x C:\WINDOWS\system32\IMM32.DLL
769C0000 000B3000 769C15D4 USERENV 5.1.2600.2180 (x C:\WINDOWS\system32\USERENV.dll
76B40000 0002D000 76B42B69 WINMM 5.1.2600.2180 (x C:\WINDOWS\system32\WINMM.dll
77120000 0008C000 77121558 OLEAUT32 5.1.2600.2180 C:\WINDOWS\system32\OLEAUT32.dll
773D0000 00102000 773D42B3 COMCTL32 6.0 (xpsp_sp2_rt C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\COMCTL32.dll
774E0000 0013C000 774F20C1 ole32 5.1.2600.2180 (x C:\WINDOWS\system32\ole32.dll
77BE0000 00015000 77BE1292 MSACM32 5.1.2600.2180 (x C:\WINDOWS\system32\MSACM32.dll
77C00000 00008000 77C01135 VERSION 5.1.2600.2180 (x C:\WINDOWS\system32\VERSION.dll
77C10000 00058000 77C1F2A1 msvcrt 7.0.2600.2180 (x C:\WINDOWS\system32\msvcrt.dll
77D40000 00090000 77D50EB9 USER32 5.1.2600.2180 (x C:\WINDOWS\system32\USER32.dll
77DD0000 0009B000 77DD70D4 ADVAPI32 5.1.2600.2180 (x C:\WINDOWS\system32\ADVAPI32.dll
77E70000 00091000 77E76284 RPCRT4 5.1.2600.2180 (x C:\WINDOWS\system32\RPCRT4.dll
77F10000 00046000 77F163CA GDI32 5.1.2600.2180 (x C:\WINDOWS\system32\GDI32.dll
77F60000 00076000 77F651D3 SHLWAPI 6.00.2900.2180 ( C:\WINDOWS\system32\SHLWAPI.dll
7C800000 000F4000 7C80B436 kernel32 5.1.2600.2180 (x C:\WINDOWS\system32\kernel32.dll
7C900000 000B0000 7C913156 ntdll 5.1.2600.2180 (x C:\WINDOWS\system32\ntdll.dll
7C9C0000 00814000 7C9DFA10 SHELL32 6.00.2900.2180 ( C:\WINDOWS\system32\SHELL32.dll
The ones marked in Bold above were not visible in the Import Directory Table in PeView or extracted by my Python code. However they were visible in LordPe and ProcessExplorer and of course Olly 1.10 too.
Why is this? Where else does an EXE get its list of DLLs from if not from the IMPORT DIRECTORY TABLE?
Do let me know.
Thanks
Arvind
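
The comparison the post describes can be done mechanically. The following is an added example, not code from the original poster: it parses the Olly "Executable modules" rows and reports every loaded DLL that the static import walk did not name, together with the folder it was mapped from. Both inputs are copied from the post; the function and variable names are illustrative.

```python
import ntpath
import re

# Static import names, copied from the post's pefile output.
STATIC_IMPORTS = ['WINMM.dll', 'GDI32.dll', 'SHELL32.dll', 'KERNEL32.dll', 'msvcrt.dll',
                  'RPCRT4.dll', 'ADVAPI32.dll', 'ntdll.dll', 'SHLWAPI.dll', 'USER32.dll', 'COMCTL32.dll']

# Olly "Executable modules" rows, copied from the post (header row omitted).
OLLY_MODULES = r"""
01000000 00020000 01003E21 winmine 5.1.2600.0 (xpcl C:\WINDOWS\system32\winmine.exe
5AD70000 00038000 5AD71626 UxTheme 6.00.2900.2180 ( C:\WINDOWS\system32\UxTheme.dll
5CB70000 00026000 5CB78E39 ShimEng 5.1.2600.2180 (x C:\WINDOWS\system32\ShimEng.dll
6F880000 001CA000 6F8A5E1A AcGenral 5.1.2600.2180 (x C:\WINDOWS\AppPatch\AcGenral.DLL
76390000 0001D000 763912C0 IMM32 5.1.2600.2180 (x C:\WINDOWS\system32\IMM32.DLL
769C0000 000B3000 769C15D4 USERENV 5.1.2600.2180 (x C:\WINDOWS\system32\USERENV.dll
76B40000 0002D000 76B42B69 WINMM 5.1.2600.2180 (x C:\WINDOWS\system32\WINMM.dll
77120000 0008C000 77121558 OLEAUT32 5.1.2600.2180 C:\WINDOWS\system32\OLEAUT32.dll
773D0000 00102000 773D42B3 COMCTL32 6.0 (xpsp_sp2_rt C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\COMCTL32.dll
774E0000 0013C000 774F20C1 ole32 5.1.2600.2180 (x C:\WINDOWS\system32\ole32.dll
77BE0000 00015000 77BE1292 MSACM32 5.1.2600.2180 (x C:\WINDOWS\system32\MSACM32.dll
77C00000 00008000 77C01135 VERSION 5.1.2600.2180 (x C:\WINDOWS\system32\VERSION.dll
77C10000 00058000 77C1F2A1 msvcrt 7.0.2600.2180 (x C:\WINDOWS\system32\msvcrt.dll
77D40000 00090000 77D50EB9 USER32 5.1.2600.2180 (x C:\WINDOWS\system32\USER32.dll
77DD0000 0009B000 77DD70D4 ADVAPI32 5.1.2600.2180 (x C:\WINDOWS\system32\ADVAPI32.dll
77E70000 00091000 77E76284 RPCRT4 5.1.2600.2180 (x C:\WINDOWS\system32\RPCRT4.dll
77F10000 00046000 77F163CA GDI32 5.1.2600.2180 (x C:\WINDOWS\system32\GDI32.dll
77F60000 00076000 77F651D3 SHLWAPI 6.00.2900.2180 ( C:\WINDOWS\system32\SHLWAPI.dll
7C800000 000F4000 7C80B436 kernel32 5.1.2600.2180 (x C:\WINDOWS\system32\kernel32.dll
7C900000 000B0000 7C913156 ntdll 5.1.2600.2180 (x C:\WINDOWS\system32\ntdll.dll
7C9C0000 00814000 7C9DFA10 SHELL32 6.00.2900.2180 ( C:\WINDOWS\system32\SHELL32.dll
"""

# Base, size, entry, name, (truncated) version text, then the full path.
ROW = re.compile(r"^[0-9A-F]{8}\s+[0-9A-F]{8}\s+[0-9A-F]{8}\s+\S+\s.*?([A-Za-z]:\\.+)$")

def parse_modules(text):
    """Return the full path of every module row in the table."""
    return [m.group(1) for m in map(ROW.match, text.splitlines()) if m]

def runtime_only(static_imports, paths):
    """(file name, folder) of loaded DLLs that no walked import table names."""
    static = {n.lower() for n in static_imports}
    names = [(ntpath.basename(p), ntpath.dirname(p)) for p in paths]
    return [(n, d) for n, d in names
            if n.lower().endswith(".dll") and n.lower() not in static]

if __name__ == "__main__":
    for name, folder in runtime_only(STATIC_IMPORTS, parse_modules(OLLY_MODULES)):
        print(f"{name:14} {folder}")
```

The name comparison is case-insensitive because the import table and the loader report different casings for the same file (for example KERNEL32.dll and kernel32.dll).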