http://bugs.winehq.org/show_bug.cgi?id=26284
--- Comment #3 from Anastasius Focht focht@gmx.net 2011-03-02 18:16:46 CST --- Hello,
[priv email]
What sort of tools?
well it's not secret knowledge, hence I answer in public as others might be interested too...
Tools like LordPE and Imprec. They are discontinued for some time now but still very useful for various tasks. Fortunately, these tools work decently with Wine ;-)
If you are only after import address table/imported functions in dynamic memory without dumping/reconstructing the PE file, "Imprec" might be your friend. I maintain appdb entries for some of these tools.
Imprec: http://appdb.winehq.org/objectManager.php?sClass=application&iId=8554
LordPE: http://appdb.winehq.org/objectManager.php?sClass=application&iId=8541
You need to operate on the "live" process, e.g. you need to keep the process in memory before it gets terminated due to unimpl stub handling (using crash handler/debugger/fault reporting tool). Most likely you will have enough time to attach after startup without resorting to trickery.
Imprec: attach to the desired process using process list - make sure you use same WINEPREFIX/wineserver. These tools usually work by injecting helper dlls into remote process address space or by reading remote process memory directly.
Select the PE dll from attached process you want to investigate. Use "auto search" in "IAT infos needed". If you get an error message "Could not find anything ..." the original entry point address (taken from PE header) is most likely not suitable, e.g. points to startup code or initial protection code. Adjust the OEP field to a low offset like 0x1000 and do auto search again. If it succeeds, use "get imports" and you will be presented a list of imported dlls and functions gathered by using various sophisticated methods (you can apply even more methods manually thereafter to get better results). You can save the imports list to a text file using "Save tree".
Unfortunately you need to manually search the saved tree or use a script to find the unimpl Wine stubs among all the imports.
It should be possible to get the "Mscodescan" script to work for these dlls but that requires a bit more work. Basically you need to dump the PE at runtime from memory (using LordPE) and reconstruct/rebuild a new (valid) import table (using Imprec) and then run the script on it.
Regards