Is it possible to call a non-exported function that resides in an exe?

by

It is possible but not trivial. And yes, this is a very dirty hack.

In some cases loading the EXE file with LoadLibrary is enough. The returned HMODULE is actually the base address of the loaded EXE. Cast it to a suitable int type, add your relative function address to that, cast it back to a function pointer and call the function through that pointer.

Unfortunately, the EXE file may have its relocation info stripped. It means that the EXE will be expecting to run from a specific address. In this case, you have to change your own program’s base address to avoid conflict. Check out your linker’s docs, there should be an option to do that. After that, LoadLibrary will load the EXE in its preferred base address and hopefully all should work fine.

There is some very useful info on this here. Make sure to check the update at the end of the page for a different technique that may work better in some cases.

Edit: As Alex correctly stated in the comment below, if the function relies on some initialized value, or it calls such a function, including most C runtime functions, it will be much harder to make it work. One can identify the initialization functions and call them beforehand but using debug API may be your best bet in those situations.

More Related Contents:

  1. Assembly code fsqrt and fmul instructions
  2. Can x86’s MOV really be “free”? Why can’t I reproduce this at all?
  3. Why does mulss take only 3 cycles on Haswell, different from Agner’s instruction tables? (Unrolling FP loops with multiple accumulators)
  4. Using LEA on values that aren’t addresses / pointers?
  5. Can I use Intel syntax of x86 assembly with GCC?
  6. Stack allocation, padding, and alignment
  7. What is exactly the base pointer and stack pointer? To what do they point?
  8. Is it safe to read past the end of a buffer within the same page on x86 and x64?
  9. Syscall implementation of exit()
  10. What is the instruction that gives branchless FP min and max on x86?
  11. Loop with function call faster than an empty loop
  12. How can I do a CPU cache flush in x86 Windows?
  13. Efficient integer compare function
  14. What is the fastest way to convert float to int on x86
  15. What parts of this HelloWorld assembly code are essential if I were to write the program in assembly?
  16. x86_64 ASM – maximum bytes for an instruction?
  17. How to power down the computer from a freestanding environment?
  18. Fastest way to calculate a 128-bit integer modulo a 64-bit integer
  19. multi-word addition using the carry flag
  20. Getting max value in a __m128i vector with SSE?
  21. Why GCC compiled C program needs .eh_frame section?
  22. What’s a good C decompiler? [closed]
  23. How does a mutex lock and unlock functions prevents CPU reordering?
  24. Calling C functions from x86 assembly language
  25. calling assembly function from c
  26. Very fast memcpy for image processing?
  27. Writing a Linux int 80h system-call wrapper in GNU C inline assembly [duplicate]
  28. Convert ASM to C (not reverse engineer)
  29. Bit popcount for large buffer, with Core 2 CPU (SSSE3)
  30. What is the effect of second argument in _builtin_prefetch()?

Leave a Comment