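Windows DLLs are binaries, so by default you cannot tell what is inside them, but dumpbin.exe, which ships with Visual Studio, can display a variety of information about them as text. This article summarizes its usage and options. In what follows, the host is assumed to be x64 and the DLLs are assumed to have been built with an unmanaged language. dumpbin.exe can be used on exe files in the same way.
Environment
Item | Description |
---|---|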
OS | Windows11 |
Visual Studio | VS2017 |
Types and locations of dumpbin.exe
A separate dumpbin.exe exists for each version of Visual Studio. You must also use a different one for each target.
Target | Location of dumpbin.exe |
---|---|
x86 | C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.16.27023\bin\Hostx64\x86\dumpbin.exe |
x64 | C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.16.27023\bin\Hostx64\x64\dumpbin.exe |
Arm32 | C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.16.27023\bin\Hostx64\arm\dumpbin.exe |
Arm64 | C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.16.27023\bin\Hostx64\arm64\dumpbin.exe |
How to use dumpbin
No options
Running the dumpbin command with no options displays the list of options.
```
C:\Users>dumpbin
Microsoft (R) COFF/PE Dumper Version 14.16.27048.0
Copyright (C) Microsoft Corporation. All rights reserved.

使い方: DUMPBIN [オプション] [ファイル]

   オプション:

      /ALL
      /ARCHIVEMEMBERS
      /CLRHEADER
      /DEPENDENTS
      /DIRECTIVES
      /DISASM[:{BYTES|NOBYTES}]
      /ERRORREPORT:{NONE|PROMPT|QUEUE|SEND}
      /EXPORTS
      /FPO
      /HEADERS
      /IMPORTS[:ファイル名]
      /LINENUMBERS
      /LINKERMEMBER[:{1|2}]
      /LOADCONFIG
      /NOLOGO
      /OUT:filename
      /PDATA
      /PDBPATH[:VERBOSE]
      /RANGE:vaMin[,vaMax]
      /RAWDATA[:{NONE|1|2|4|8}[,#]]
      /RELOCATIONS
      /SECTION:名前
      /SUMMARY
      /SYMBOLS
      /TLS
([return] キーを押すと継続)
      /UNWINDINFO
```
/all
The /all option displays everything that the dumpbin command can show. Because the output is enormous, it may not be useful very often.
/dependents
Displays the DLLs that the target DLL imports, that is, the DLLs it depends on. This is useful when, for example, a program fails with an error at run time.
```
C:\Users>dumpbin.exe /dependents C:\Windows\System32\kernel32.dll
Microsoft (R) COFF/PE Dumper Version 14.16.27048.0
Copyright (C) Microsoft Corporation. All rights reserved.


Dump of file C:\Windows\System32\kernel32.dll

File Type: DLL

  Image has the following dependencies:

    api-ms-win-core-rtlsupport-l1-1-0.dll
    api-ms-win-core-rtlsupport-l1-2-2.dll
    ntdll.dll
    KERNELBASE.dll
    api-ms-win-core-processthreads-l1-1-0.dll
    api-ms-win-core-processthreads-l1-1-3.dll
    api-ms-win-core-processthreads-l1-1-2.dll
    api-ms-win-core-processthreads-l1-1-1.dll
    api-ms-win-core-registry-l1-1-0.dll
    api-ms-win-core-heap-l1-1-0.dll
    api-ms-win-core-heap-l2-1-0.dll
    api-ms-win-core-memory-l1-1-1.dll
    api-ms-win-core-memory-l1-1-0.dll
    api-ms-win-core-memory-l1-1-2.dll
    api-ms-win-core-handle-l1-1-0.dll
    api-ms-win-core-synch-l1-1-0.dll
    api-ms-win-core-synch-l1-2-1.dll
    api-ms-win-core-synch-l1-2-0.dll
    api-ms-win-core-file-l1-1-0.dll
    api-ms-win-core-file-l1-2-0.dll
    api-ms-win-core-file-l1-2-2.dll
    api-ms-win-core-file-l1-2-4.dll
    api-ms-win-core-file-l1-2-1.dll
    api-ms-win-core-delayload-l1-1-0.dll
    api-ms-win-core-io-l1-1-0.dll
    api-ms-win-core-io-l1-1-1.dll
    api-ms-win-core-job-l1-1-0.dll
    api-ms-win-core-threadpool-legacy-l1-1-0.dll
    api-ms-win-core-threadpool-private-l1-1-0.dll
    api-ms-win-core-largeinteger-l1-1-0.dll
    api-ms-win-core-libraryloader-l1-2-3.dll
    api-ms-win-core-libraryloader-l1-2-2.dll
    api-ms-win-core-libraryloader-l1-2-0.dll
    api-ms-win-core-libraryloader-l1-2-1.dll
    api-ms-win-core-libraryloader-l2-1-0.dll
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    api-ms-win-core-console-l1-1-0.dll
    api-ms-win-core-console-l1-2-0.dll
    api-ms-win-core-console-l1-2-1.dll
    api-ms-win-core-console-l2-1-0.dll
    api-ms-win-core-console-l2-2-0.dll
    api-ms-win-core-console-l3-2-0.dll
    api-ms-win-core-psapi-l1-1-0.dll
    api-ms-win-core-psapi-ansi-l1-1-0.dll
    api-ms-win-eventing-provider-l1-1-0.dll
    api-ms-win-core-apiquery-l1-1-0.dll
    api-ms-win-core-delayload-l1-1-1.dll
    api-ms-win-core-appcompat-l1-1-1.dll

  Image has the following delay load dependencies:

    ext-ms-win-oobe-query-l1-1-0.dll
    ext-ms-win-packagevirtualizationcontext-l1-1-0.dll
    RPCRT4.dll

  Summary

        2000 .data
        1000 .didat
        6000 .pdata
       37000 .rdata
        1000 .reloc
        1000 .rsrc
       81000 .text
```
/disasm
Displays the disassembly of the DLL.
/exports
Displays the definitions that the DLL exports.
```
C:\Users>dumpbin /exports C:\Windows\System32\kernel32.dll
Microsoft (R) COFF/PE Dumper Version 14.16.27048.0
Copyright (C) Microsoft Corporation. All rights reserved.


Dump of file C:\Windows\System32\kernel32.dll

File Type: DLL

  Section contains the following exports for KERNEL32.dll

    00000000 characteristics
    C024139A time date stamp
        0.00 version
           1 ordinal base
        1671 number of functions
        1671 number of names

    ordinal hint RVA      name

          1    0          AcquireSRWLockExclusive (forwarded to NTDLL.RtlAcquireSRWLockExclusive)
          2    1          AcquireSRWLockShared (forwarded to NTDLL.RtlAcquireSRWLockShared)
          3    2 00018D90 ActivateActCtx
          4    3 00014A50 ActivateActCtxWorker
          5    4 00021580 ActivatePackageVirtualizationContext
          6    5 0005AE30 AddAtomA
          7    6 000045E0 AddAtomW
          8    7 00021290 AddConsoleAliasA
          9    8 000212A0 AddConsoleAliasW
         10    9          AddDllDirectory (forwarded to api-ms-win-core-libraryloader-l1-1-0.AddDllDirectory)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       1632  65F 00015620 _hread
       1633  660 0001FA50 _hwrite
       1634  661 00018900 _lclose
       1635  662 0006B0B0 _lcreat
       1636  663 00015660 _llseek
       1637  664          _local_unwind (forwarded to NTDLL._local_unwind)
       1638  665 0006B120 _lopen
       1639  666 00015620 _lread
       1640  667 0001FA50 _lwrite
       1641  668 0006B1A0 lstrcat
       1642  669 0006B1A0 lstrcatA
       1643  66A 00027D10 lstrcatW
       1644  66B 00017F90 lstrcmp
       1645  66C 00017F90 lstrcmpA
       1646  66D 00014790 lstrcmpW
       1647  66E 000149A0 lstrcmpi
       1648  66F 000149A0 lstrcmpiA
       1649  670 00013F30 lstrcmpiW
       1650  671 00027D60 lstrcpy
       1651  672 00027D60 lstrcpyA
       1652  673 00027DA0 lstrcpyW
       1653  674 000273B0 lstrcpyn
       1654  675 000273B0 lstrcpynA
       1655  676 0001F8B0 lstrcpynW
       1656  677 00013630 lstrlen
       1657  678 00013630 lstrlenA
       1658  679 00013570 lstrlenW
       1659  67A 00016360 timeBeginPeriod
       1660  67B 00015450 timeEndPeriod
       1661  67C 0001DD50 timeGetDevCaps
       1662  67D 00027DE0 timeGetSystemTime
       1663  67E 000183C0 timeGetTime
       1664  67F 00014790 uaw_lstrcmpW
       1665  680 00013F30 uaw_lstrcmpiW
       1666  681 000370E0 uaw_lstrlenW
       1667  682 00037130 uaw_wcschr
       1668  683 00037160 uaw_wcscpy
       1669  684 000371A0 uaw_wcsicmp
       1670  685 000371C0 uaw_wcslen
       1671  686 000371F0 uaw_wcsrchr

  Summary

        2000 .data
        1000 .didat
        6000 .pdata
       37000 .rdata
        1000 .reloc
        1000 .rsrc
       81000 .text
```
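The export table above mixes two kinds of rows: exports that have an RVA inside the DLL, and forwarded exports that only name a function in another DLL. The following Python sketch is an added example, not part of the original article (the function names are hypothetical); it parses rows copied from that output, lists the forwarders, and groups names that share one RVA.

```python
import re
from collections import defaultdict

# One row of the "ordinal hint RVA name" table. Forwarded exports have no
# RVA column and carry "(forwarded to DLL.Function)" after the name.
ROW = re.compile(
    r"^\s*(?P<ordinal>\d+)\s+(?P<hint>[0-9A-F]+)\s+"
    r"(?:(?P<rva>[0-9A-F]{8})\s+)?(?P<name>\S+)"
    r"(?:\s+\(forwarded to (?P<target>[^)]+)\))?\s*$"
)

def parse_exports(text):
    """Return one dict per export row; lines that are not rows are skipped."""
    return [m.groupdict() for m in map(ROW.match, text.splitlines()) if m]

def forwarders(rows):
    """Map export name -> 'DLL.Function' that actually implements it."""
    return {r["name"]: r["target"] for r in rows if r["target"]}

def aliases(rows):
    """Group names that share an RVA, i.e. several names for the same code."""
    by_rva = defaultdict(list)
    for r in rows:
        if r["rva"]:
            by_rva[r["rva"]].append(r["name"])
    return {rva: names for rva, names in by_rva.items() if len(names) > 1}

# Rows copied from the kernel32.dll output on this page.
SAMPLE = """\
    ordinal hint RVA      name

          1    0          AcquireSRWLockExclusive (forwarded to NTDLL.RtlAcquireSRWLockExclusive)
          3    2 00018D90 ActivateActCtx
         10    9          AddDllDirectory (forwarded to api-ms-win-core-libraryloader-l1-1-0.AddDllDirectory)
       1632  65F 00015620 _hread
       1639  666 00015620 _lread
       1641  668 0006B1A0 lstrcat
       1642  669 0006B1A0 lstrcatA
"""

if __name__ == "__main__":
    rows = parse_exports(SAMPLE)
    for name, target in forwarders(rows).items():
        print(f"{name} -> {target}")
    for rva, names in aliases(rows).items():
        print(f"{rva}: {', '.join(names)}")
```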
/headers
Displays the DLL's header and the header of each section.
```
C:\Users>dumpbin /headers C:\Windows\System32\kernel32.dll
Microsoft (R) COFF/PE Dumper Version 14.16.27048.0
Copyright (C) Microsoft Corporation. All rights reserved.


Dump of file C:\Windows\System32\kernel32.dll

PE signature found

File Type: DLL

FILE HEADER VALUES
            8664 machine (x64)
               7 number of sections
        C024139A time date stamp
               0 file pointer to symbol table
               0 number of symbols
              F0 size of optional header
            2022 characteristics
                   Executable
                   Application can handle large (>2GB) addresses
                   DLL

OPTIONAL HEADER VALUES
             20B magic # (PE32+)
           14.30 linker version
           81000 size of code
           42000 size of initialized data
               0 size of uninitialized data
           12710 entry point (0000000180012710)
            1000 base of code
       180000000 image base (0000000180000000 to 00000001800C3FFF)
            1000 section alignment
            1000 file alignment
           10.00 operating system version
           10.00 image version
           10.00 subsystem version
               0 Win32 version
           C4000 size of image
            1000 size of headers
           CF3BA checksum
               3 subsystem (Windows CUI)
            4160 DLL characteristics
                   High Entropy Virtual Addresses
                   Dynamic base
                   NX compatible
                   Control Flow Guard
           40000 size of stack reserve
            1000 size of stack commit
          100000 size of heap reserve
            1000 size of heap commit
               0 loader flags
              10 number of directories
           9E840 [    E8F4] RVA [size] of Export Directory
           AD134 [     7F8] RVA [size] of Import Directory
           C2000 [     520] RVA [size] of Resource Directory
           BB000 [    5514] RVA [size] of Exception Directory
           C3000 [    2D00] RVA [size] of Certificates Directory
           C3000 [     3B0] RVA [size] of Base Relocation Directory
           8ADA0 [      70] RVA [size] of Debug Directory
               0 [       0] RVA [size] of Architecture Directory
               0 [       0] RVA [size] of Global Pointer Directory
               0 [       0] RVA [size] of Thread Storage Directory
           824C0 [     140] RVA [size] of Load Configuration Directory
               0 [       0] RVA [size] of Bound Import Directory
           83C30 [    2AB8] RVA [size] of Import Address Table Directory
           9E448 [      80] RVA [size] of Delay Import Directory
               0 [       0] RVA [size] of COM Descriptor Directory
               0 [       0] RVA [size] of Reserved Directory


SECTION HEADER #1
   .text name
   805DD virtual size
    1000 virtual address (0000000180001000 to 00000001800815DC)
   81000 size of raw data
    1000 file pointer to raw data (00001000 to 00081FFF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
60000020 flags
         Code
         Execute Read

SECTION HEADER #2
  .rdata name
   361F0 virtual size
   82000 virtual address (0000000180082000 to 00000001800B81EF)
   37000 size of raw data
   82000 file pointer to raw data (00082000 to 000B8FFF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
40000040 flags
         Initialized Data
         Read Only

  Debug Directories

        Time Type        Size      RVA  Pointer
    -------- ------- -------- -------- --------
    C024139A cv            25 00097EA0    97EA0    Format: RSDS, {71C18D4B-68EA-D795-962D-154F0DA8C595}, 1, kernel32.pdb
    C024139A coffgrp      5F0 00097EC8    97EC8    50475500 (PGU)
    C024139A repro         24 000984B8    984B8    4B 8D C1 71 EA 68 95 D7 96 2D 15 4F 0D A8 C5 95 37 53 FE C9 4D BE 50 D1 EE 14 AE 52 9A 13 24 C0
    C024139A (    14)       4 000984DC    984DC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SECTION HEADER #7
  .reloc name
     3B0 virtual size
   C3000 virtual address (00000001800C3000 to 00000001800C33AF)
    1000 size of raw data
   C2000 file pointer to raw data (000C2000 to 000C2FFF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
42000040 flags
         Initialized Data
         Discardable
         Read Only

  Summary

        2000 .data
        1000 .didat
        6000 .pdata
       37000 .rdata
        1000 .reloc
        1000 .rsrc
       81000 .text
```
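The `DLL characteristics` value in the /headers output above is a bitmask, and the four names printed under it are exploit-mitigation flags (ASLR, high-entropy ASLR, DEP and CFG). The following Python sketch is an added example, not part of the original article (the function names are hypothetical and the second sample is constructed); it decodes the value and reports which of those mitigations an image lacks.

```python
import re

# IMAGE_DLLCHARACTERISTICS_* bits (PE format), keyed to the text that
# dumpbin prints under "DLL characteristics" for each one.
MITIGATION_BITS = {
    0x0020: "High Entropy Virtual Addresses",  # 64-bit ASLR
    0x0040: "Dynamic base",                    # ASLR
    0x0100: "NX compatible",                   # DEP
    0x4000: "Control Flow Guard",              # CFG
}

def dll_characteristics(headers_text):
    """Return the 'DLL characteristics' bitmask from dumpbin /headers output."""
    m = re.search(r"^\s*([0-9A-Fa-f]+) DLL characteristics\s*$",
                  headers_text, re.MULTILINE)
    if m is None:
        raise ValueError("no 'DLL characteristics' line in this dump")
    return int(m.group(1), 16)

def audit_mitigations(headers_text):
    """Return (enabled, missing) lists of mitigation names."""
    value = dll_characteristics(headers_text)
    enabled = [name for bit, name in MITIGATION_BITS.items() if value & bit]
    missing = [name for bit, name in MITIGATION_BITS.items() if not value & bit]
    return enabled, missing

# Excerpt from the kernel32.dll output on this page.
KERNEL32_HEADERS = """\
               3 subsystem (Windows CUI)
            4160 DLL characteristics
                   High Entropy Virtual Addresses
                   Dynamic base
                   NX compatible
                   Control Flow Guard
           40000 size of stack reserve
"""

# Constructed sample (hypothetical image): only NX compatible is set.
LEGACY_HEADERS = """\
             100 DLL characteristics
                   NX compatible
"""

if __name__ == "__main__":
    for label, text in (("kernel32.dll", KERNEL32_HEADERS),
                        ("constructed sample", LEGACY_HEADERS)):
        enabled, missing = audit_mitigations(text)
        print(f"{label}: missing {missing or 'nothing'}")
```

For kernel32.dll, 4160 is exactly 4000 + 100 + 40 + 20, so the decoded bits agree with the four names dumpbin prints.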
/imports /imports:hoge.dll
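Like /dependents, this displays the definitions in the DLLs that the target DLL depends on. In other words, /dependents shows the files it depends on, whereas /imports shows the function names and other symbols it depends on. With /imports alone, every definition from every DLL it depends on is shown. With /imports:hoge.dll, only the definitions it uses from the specified DLL are shown.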
```
C:\Users>dumpbin.exe /imports:ntdll.dll C:\Windows\System32\kernel32.dll
Microsoft (R) COFF/PE Dumper Version 14.16.27048.0
Copyright (C) Microsoft Corporation. All rights reserved.


Dump of file C:\Windows\System32\kernel32.dll

File Type: DLL

  Section contains the following imports:

    ntdll.dll
             180085B88 Import Address Table
             1800AF888 Import Name Table
                     0 time date stamp
                     0 Index of first forwarder reference

                         61D RtlUnicodeStringToInteger
                         465 RtlGetUILanguageInfo
                          39 EtwEventEnabled
                         680 RtlpConvertLCIDsToCultureNames
                         15D NtEnumerateKey
                         4A9 RtlIntegerToUnicodeString
                         606 RtlTimeToTimeFields
                         602 RtlTimeFieldsToTime
                         618 RtlUnhandledExceptionFilter
                         284 NtTerminateProcess
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                         950 cos
                         952 floor
                         96D memcmp
                         96E memcpy
                         972 memset
                         9A1 wcscmp

  Section contains the following delay load imports:

  Summary

        2000 .data
        1000 .didat
        6000 .pdata
       37000 .rdata
        1000 .reloc
        1000 .rsrc
       81000 .text
```
/section:.sectionName
Displays only the information for the specified section, in organized form.
```
C:\Users>dumpbin.exe /section:.data C:\Windows\System32\kernel32.dll
Microsoft (R) COFF/PE Dumper Version 14.16.27048.0
Copyright (C) Microsoft Corporation. All rights reserved.


Dump of file C:\Windows\System32\kernel32.dll

File Type: DLL

SECTION HEADER #3
   .data name
    1394 virtual size
   B9000 virtual address (00000001800B9000 to 00000001800BA393)
    1000 size of raw data
   B9000 file pointer to raw data (000B9000 to 000B9FFF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
C0000040 flags
         Initialized Data
         Read Write

  Summary

        2000 .data
```
/summary
Displays the minimum information about the sections, in organized form.
```
C:\Users>dumpbin.exe /summary C:\Windows\System32\kernel32.dll
Microsoft (R) COFF/PE Dumper Version 14.16.27048.0
Copyright (C) Microsoft Corporation. All rights reserved.


Dump of file C:\Windows\System32\kernel32.dll

File Type: DLL

  Summary

        2000 .data
        1000 .didat
        6000 .pdata
       37000 .rdata
        1000 .reloc
        1000 .rsrc
       81000 .text
```
/symbols
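Displays the symbol information of a debug-build DLL in organized form. The number to the left of each section name is that section's size. Section sizes appear to be allocated in multiples of 1000; the values are hexadecimal, and 1000 is the section alignment shown in the /headers output.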