finding a function by name


hernan
January 13th, 2005, 15:17
how can I find a function by its name?

let's say kernel32.dll:createfilea?

i'm trying to use findlabelbyname and findimportbyname but both
have the arguments

addr0 - start of address range (included);

addr1 - end of address range (not included).


I have no idea what this range is. i tried with 0-ffffffff but it doesn't work.
any help will be appreciated.
thanks
bye

blabberer
January 14th, 2005, 02:50
click on cpu pane (top left)
right click and
select search for ---> names in current module
a new window will open
start typing CreateFile
if it exists in your exe olly will show an entry
now right click and select find references to import
it will pop another window with all calls in your exe that call CreateFile()
global shortcut to names window is
ctrl+n

and reading, understanding and experimenting with the methods in the help file might solve many other problems like this

hernan
January 14th, 2005, 11:13
mm, man, i'm trying to do it programmatically, from a plugin in C/C++.
I already know how to do it using the GUI.

if you answer me with the right answer this time, please I would appreciate if you can save for yourself your smart-ass comments.

thanks.

hernan
January 14th, 2005, 17:52
now I'm trying the following:

    char mybuff[2048];
    Findname( 0, NM_ANYNAME, &mybuff[0]);

    while( Findnextname( mybuff ) ) {
        MessageBox(NULL, mybuff, mybuff, MB_OK);
    }

but it is not working either

hernan
January 14th, 2005, 20:26
ok, I think I know how to do it

with plugingetvalue(VAL_MODULES)
then go thru each module and obtain the proper t_module
using base and size, use findlabelbyname, with
arg0=base
arg1=base+size

let's see if it works

hernan
January 14th, 2005, 20:37
OK, i did it, finally!
man, I love ollydbg, but the api and lack of documentation sucks


here's the code, you can pass a name, and the func will go thru the list of loaded modules and try to find the name of the function.
You can modify and/or create another version to look for function names in specified modules (aka dlls).


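    ulong getnameaddress( char *name )
    {
        /* table of all modules currently loaded in the debuggee */
        t_table *t_modulelist = (t_table *)Plugingetvalue(VAL_MODULES);
        t_module *tmodule;
        ulong addr = 0;

        if( t_modulelist == NULL )
            return 0;

        int numentries = t_modulelist->data.n;
        tmodule = (t_module *)t_modulelist->data.data;

        for(int n=0; n < numentries; n++) {
            /* search only this module's address range: [base, base+size) */
            if( Findlabelbyname(name,&addr,tmodule->base,tmodule->base+tmodule->size) )
                return addr;
            tmodule++;
        }

        return 0;   /* name not found in any loaded module */
    }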

I'm adding this kind of stuff in dropzone.redirecme.net, you can go check it out.
thanks, bye