How to check whether a PE file (DLL,EXE) i

Published 2019-02-24 09:12

Question:

I need to write a stub module which, when given a PE (DLL/EXE) as input, will determine whether it is a normal Win32 DLL/EXE or COM DLL/EXE. I need to determine this programmatically.

Are there any Windows APIs for this purpose?

Answer 1:

I suspect that this is something that would be very hard to do with near 100% accuracy. Some thoughts though:

  • A COM DLL will export functions like DllRegisterServer and DllUnregisterServer. You could use LoadLibrary() to load the DLL, and then GetProcAddress() to check for the presence of these functions. If they're there then it's highly likely that it's a COM DLL.

  • A plain win32 DLL will export DllMain. You could use the same technique to check for that. If you find it then it's very likely that it's win32.

  • I'm not aware of a way to discover if an exe is a COM server. Servers written using ATL often have a registration script embedded in their resource table, but they don't have to. And you don't need to use ATL to write a COM server. Services using "registry-less COM" will similarly have an embedded manifest. You could scan the registry (below HKLM/Classes/Software/) to see if the exe is registered, but it may be that the exe is using registry-less COM or just hasn't been registered yet.

Hope that helps.



Answer 2:

For a traditional COM DLL, you can look for the well-known exported methods (search on MSDN for these methods):

  1. DllGetClassObject
  2. DllRegisterServer
  3. DllUnregisterServer
  4. DllCanUnloadNow

I am not sure about EXE COM servers though, because they generally use command line parameters for registration/unregistration, and for class objects they usually call CoRegisterClassObject when the EXE starts.

Most COM servers are traditionally also registered in the Registry, but you can create registration-free servers now.

Are you also looking for a .NET assembly with some COM visible classes?
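
The export check both answers describe, as an added example that is not code from either answer: it parses the export table straight from the file bytes instead of calling LoadLibrary()/GetProcAddress(), so the file's DllMain never runs on the machine doing the check. It covers DLL exports only (not EXE servers); `export_names`, `com_exports` and `COM_EXPORTS` are names chosen here.

```python
import struct
import sys

# Export names the answers above list as typical of an in-process COM server.
COM_EXPORTS = {"DllGetClassObject", "DllCanUnloadNow",
               "DllRegisterServer", "DllUnregisterServer"}

def export_names(data: bytes) -> set:
    """Parse the PE export table from raw bytes; the image is never loaded."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe,) = struct.unpack_from("<I", data, 0x3C)           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (nsect,) = struct.unpack_from("<H", data, pe + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe + 20)
    opt = pe + 24                                          # optional header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)           # PE32 / PE32+
    (ndirs,) = struct.unpack_from("<I", data, dirs - 4)
    exp_rva = struct.unpack_from("<I", data, dirs)[0] if ndirs else 0
    if exp_rva == 0:
        return set()                                       # no export table
    # Per section: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    sects = [struct.unpack_from("<4I", data, opt + opt_size + 40 * i + 8)
             for i in range(nsect)]

    def off(rva):                                          # RVA -> file offset
        for vsize, va, rsize, raw in sects:
            if va <= rva < va + max(vsize, rsize):
                return raw + rva - va
        raise ValueError("RVA %#x is outside every section" % rva)

    exp = off(exp_rva)
    # NumberOfNames, AddressOfFunctions (unused), AddressOfNames
    n_names, _, names_rva = struct.unpack_from("<3I", data, exp + 24)
    names = set()
    for i in range(n_names):
        (rva,) = struct.unpack_from("<I", data, off(names_rva) + 4 * i)
        start = off(rva)
        names.add(data[start:data.index(b"\0", start)].decode("ascii", "replace"))
    return names

def com_exports(data: bytes) -> set:
    """COM entry points exported by the image (empty set: none found)."""
    return export_names(data) & COM_EXPORTS

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        print(sorted(com_exports(fh.read())) or "no COM exports found")
```

A truncated or malformed file raises `ValueError` or `struct.error` rather than returning a result, and an empty set does not rule out an EXE server or a registration-free component.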