
Dumping out notepad.exe and ntdll.dll

I tried to dump out the headers and data sections of notepad.exe and ntdll.dll to figure out what their dependents are, and which functions and services ntdll.dll provides, along with the service numbers that are used in kernel mode.

 Microsoft (R) COFF/PE Dumper Version 7.10.2179
Copyright (C) Microsoft Corporation.  All rights reserved.

Dump of file c:\windows\system32\notepad.exe --- this is what you see when you dump notepad.exe using the link tool from the SDK; these are all the DLLs that notepad.exe may use, along with their functions.

File Type: EXECUTABLE IMAGE

  Section contains the following imports:

    ADVAPI32.dll --- these are the functions of advapi32.dll that the notepad.exe image uses.
               1001000 Import Address Table
               1008DC8 Import Name Table
              FFFFFFFF time date stamp
              FFFFFFFF Index of first forwarder reference

      77CD632E    268 RegQueryValueExW
      77CD64CC    22A RegCloseKey
      77CA8229    236 RegCreateKeyW
      77CBE8F0    17A IsTextUnicode
      77CC802D    278 RegSetValueExW

    KERNEL32.dll
               1001018 Import Address Table
               1008DE0 Import Name Table
              FFFFFFFF time date stamp
              FFFFFFFF Index of first forwarder reference

      77E1D22A    1D0 GetFileInformationByHandle
      77E5280F    12B FindNLSString
      77E2068A    285 GlobalAlloc
      77E2087D    297 GlobalUnlock
      77E207CB    290 GlobalLock
      77E2444D     7C CreateFileMappingW
      77E45CBB    1B0 GetDateFormatW
      77E1EDBA    1E7 GetLocalTime
      77E23672    303 LocalUnlock
      77E2737E    30A MapViewOfFile
      77E442A7    31A MultiByteToWideChar
      77E48DB6    441 UnmapViewOfFile
      77E47CEE    300 LocalReAlloc
      77E29BEE    152 GetACP
      77E1AD23     C3 DeleteFileW
      77E1644C    3CD SetEndOfFile
      77E2373F    2FF LocalLock
      77E45358    148 FormatMessageW
      77E48A32    47A WideCharToMultiByte
      77E47940    3EC SetLastError
      77E483D2    48D WriteFile
      77E48129    1E6 GetLastError
      77E23842    302 LocalSize
      77E4464E    1DF GetFullPathNameW
      77E473C0    319 MulDiv
      77E2AA46    170 GetCommandLineW
      77E2D36B    2A5 HeapSetInformation
      77E47B0D    1AA GetCurrentProcessId
      77E5614A    146 FoldStringW
      77E4337B    4AA lstrcmpW
      77E449CA    1CE GetFileAttributesW
      77E44E2A    124 FindFirstFileW
      77E44EBF    119 FindClose
      77E4B29A    26A GetTimeFormatW
      77E29145    1A9 GetCurrentProcess
      77E018E0    42D TerminateProcess
      77E01890    24F GetSystemTimeAsFileTime
      77E47A1D    1AD GetCurrentThreadId
      77E47652    266 GetTickCount
      77E482B0    354 QueryPerformanceCounter
      77E4427B    1F6 GetModuleHandleA
      77E2D187    415 SetUnhandledExceptionFilter
      77E019B8    239 GetStartupInfoA
      77E4739C    2BA InterlockedCompareExchange
      77E01D91    421 Sleep
      77E47388    2BD InterlockedExchange
      77E49D35    4B6 lstrlenW
      77E44801    1EA GetLocaleInfoW
      77E20725    28C GlobalFree
      77E44572    4AD lstrcmpiW
      77E44A49    3D2 SetErrorMode
      77E4866C     7F CreateFileW
      77E484CC    368 ReadFile
      77E47A2C     43 CloseHandle
      77E43B21    2F9 LocalAlloc
      77E47374    2BC InterlockedDecrement
      77E43A9D    2FD LocalFree
      77E47360    2C0 InterlockedIncrement
      77E4D9BE    270 GetUserDefaultUILanguage
      77E95984    43E UnhandledExceptionFilter

    GDI32.dll
               100110C Import Address Table
               1008ED4 Import Name Table
              FFFFFFFF time date stamp
              FFFFFFFF Index of first forwarder reference

      77B75FC0    25E SelectObject
      77B781E7    27B SetMapMode
      77B812F2    28F SetViewportExtEx
      77B81EA7    293 SetWindowExtEx
      77B78600    21B LPtoDP
      77B76390    266 SetBkMode
      77B7720B    20D GetTextMetricsW
      77B870AC    260 SetAbortProc
      77BA3C3B    297 StartDocW
      77BA31C8    299 StartPage
      77B87101     DD EndPage
      77BA2D8C      0 AbortDoc
      77BA30DD     DB EndDoc
      77B769A5     CD DeleteDC
      77B81550    2A0 TextOutW
      77B7ABB5    205 GetTextExtentPoint32W
      77B7BE99     30 CreateDCW
      77B7A788    20B GetTextFaceW
      77B86C04    113 EnumFontsW
      77B759F0    1F4 GetStockObject
      77B765B6    1E4 GetObjectW
      77B75EA6    1B5 GetDeviceCaps
      77B7AE17     3E CreateFontIndirectW
      77B75A1F     D0 DeleteObject

    USER32.dll
               1001170 Import Address Table
               1008F38 Import Name Table
              FFFFFFFF time date stamp
              FFFFFFFF Index of first forwarder reference

      77D7B38E    10D GetClientRect
      77D8380D    270 SetCursor
      77D7B8EC    24C ReleaseDC
      77D7B8D8    11A GetDC
      77D9129F     A6 DialogBoxParamW
      77D732D3    266 SetActiveWindow
      77D78781    132 GetKeyboardLayout
      77D721DF    220 PostQuitMessage
      77D81D90     96 DefWindowProcW
      77D7965E    125 GetForegroundWindow
      77D7A5A6    1BD IsIconic
      77D78C26     A0 DestroyWindow
      77D68A4E    1F7 MessageBeep
      77D67B2A    187 GetWindowPlacement
      77D6D382     3A CharUpperW
      77D78671    235 RegisterClassExW
      77D6D3C5    1D9 LoadImageW
      77D7862C    1D5 LoadCursorW
      77D8244A    2A5 SetWindowLongW
      77D69DE5    1CF LoadAcceleratorsW
      77D719F6    16E GetSystemMenu
      77D674D9    2A6 SetWindowPlacement
      77D785F0     68 CreateWindowExW
      77D6F801    24A RegisterWindowMessageW
      77D6CBB7    28B SetProcessDPIAware
      77D9D86E    294 SetScrollPos
      77D78B84    2B8 ShowWindow
      77D8250E    182 GetWindowLongW
      77D825BC    21C PeekMessageW
      77D7282F     D1 EnableWindow
      77D7BEB6     C7 DrawTextExW
      77D9A500     5D CreateDialogParamW
      77D7031A    18F GetWindowTextW
      77D6B2CA    205 MoveWindow
      77D82DA7    1AA InvalidateRect
      77D82B71    263 SendMessageW
      77D6F82E     2F CharNextW
      77D996E6     3D CheckMenuItem
      77D9CA35     47 CloseClipboard
      77D9CAC8    1B6 IsClipboardFormatAvailable
      77D9CA47    20F OpenClipboard
      77D6BC72    147 GetMenuState
      77D6BE00     CF EnableMenuItem
      77D6B8F9    16B GetSubMenu
      77D67B3E    13C GetMenu
      77D79C65    2A2 SetWinEventHook
      77D819A2    14E GetMessageW
      77D83915    21F PostMessageW
      77DBFBD5    1FF MessageBoxW
      77D796AB    124 GetFocus
      77D911FF    300 WinHelpW
      77D8340C    11E GetDlgCtrlID
      77D73023     D3 EndDialog
      77D70866    18E GetWindowTextLengthW
      77D786D8    1D7 LoadIconW
      77D7B102    1B9 IsDialogMessageW
      77D7B569    2D3 TranslateAcceleratorW
      77D82AA1    2D5 TranslateMessage
      77D82A89     A9 DispatchMessageW
      77D78B98    2E9 UpdateWindow
      77D72C64    2D7 UnhookWinEvent
      77D8ACBE     41 ChildWindowFromPoint
      77D994BD    122 GetDlgItemTextW
      77D993E1    277 SetDlgItemTextW
      77D796B8    279 SetFocus
      77D75DF4    2AC SetWindowTextW
      77D82E91    155 GetParent
      77D7AC9B    1E4 LoadStringW
      77D91D1C    25A SendDlgItemMessageW
      77D7C65C    119 GetCursorPos
      77D7C1D0    254 ScreenToClient

    msvcrt.dll
               1001290 Import Address Table
               1009058 Import Name Table
              FFFFFFFF time date stamp
              FFFFFFFF Index of first forwarder reference

      70D65BC2     37 ?terminate@@YAXXZ
      70D1E116    127 _controlfp
      70D1C032    3CE _vsnwprintf
      70D19860    4EE memset
      70D1BE1E    46D _wtol
      70D198D0    4EA memcpy
      70D1BA09    4CC iswctype
      70D37B87    4DA localtime
      70D36599    159 _except_handler4_common
      70D223B6     D2 __set_app_type
      70D223AB     BE __p__fmode
      70D223A0     B9 __p__commode
      70DB18B4     F5 _adjust_fdiv
      70D7A161    101 _amsg_exit
      70D1BBD2    1D5 _initterm
      70DAE4DC     E7 _acmdln
      70D220F7    48F exit
      70D1D39A    534 time
      70D234D9     91 __getmainargs
      70D1E342    1F4 _ismbblead
      70D74EFE     6A _XcptFilter
      70D7A2E3    162 _exit
      70D221CC    114 _cexit
      70DA5C1D     D4 __setusermatherr

    COMDLG32.dll
               10012F4 Import Address Table
               10090BC Import Name Table
              FFFFFFFF time date stamp
              FFFFFFFF Index of first forwarder reference

      7181D9D0      E GetSaveFileNameW
      71833E86      8 FindTextW
      71833EBA     17 ReplaceTextW
      71839307     11 PageSetupDlgW
      71842EED     14 PrintDlgExW
      718128DF      C GetOpenFileNameW
      71802517      4 CommDlgExtendedError
      71837CD1      3 ChooseFontW
      71802E37      A GetFileTitleW

    SHELL32.dll
               100131C Import Address Table
               10090E4 Import Name Table
              FFFFFFFF time date stamp
              FFFFFFFF Index of first forwarder reference

      7669D635     1B DragAcceptFiles
      7658A7D3     20 DragQueryFileW
      766FB803     1C DragFinish
      7661AFE6     8D SHCreateItemFromParsingName
      766EA0A5    110 ShellAboutW

    WINSPOOL.DRV
               1001334 Import Address Table
               10090FC Import Name Table
              FFFFFFFF time date stamp
              FFFFFFFF Index of first forwarder reference

      6E19121B     85 GetPrinterDriverW
      6E199539     1D ClosePrinter
      6E187359     8F OpenPrinterW

    ole32.dll
               1001344 Import Address Table
               100910C Import Name Table
              FFFFFFFF time date stamp
              FFFFFFFF Index of first forwarder reference

      72C6D569     66 CoTaskMemAlloc
      72C6DD8F     10 CoCreateInstance
      72C6DE1E     67 CoTaskMemFree
      72C69BD8     6B CoUninitialize
      72C6885D     3E CoInitializeEx

    SHLWAPI.dll
               100135C Import Address Table
               1009124 Import Name Table
              FFFFFFFF time date stamp
              FFFFFFFF Index of first forwarder reference

      6ED6E534     5D PathIsFileSpecW
      6ED7E468     FD SHStrDupW

    COMCTL32.dll
               1001368 Import Address Table
               1009130 Import Name Table
              FFFFFFFF time date stamp
              FFFFFFFF Index of first forwarder reference

      7493FDC3      C CreateStatusWindowW
      748B3E05        Ordinal   345

    OLEAUT32.dll
               1001374 Import Address Table
               100913C Import Name Table
              FFFFFFFF time date stamp
              FFFFFFFF Index of first forwarder reference

      702E41AB        Ordinal     2
      702E3DAB        Ordinal     6

    ntdll.dll
               1001380 Import Address Table
               1009148 Import Name Table
              FFFFFFFF time date stamp
              FFFFFFFF Index of first forwarder reference

      77F0850D    548 WinSqmAddToStream

  Header contains the following bound import information:
    Bound to ADVAPI32.dll [4549BCD2] Thu Nov 02 15:09:30 2006 --- this refers to when this image was built; this is Windows Vista, which is why it shows 2006

    Bound to KERNEL32.dll [4549BD80] Thu Nov 02 15:12:24 2006
    Bound to GDI32.dll [4549BCD3] Thu Nov 02 15:09:31 2006
    Bound to USER32.dll [4549BDE0] Thu Nov 02 15:14:00 2006
    Bound to msvcrt.dll [4549BD61] Thu Nov 02 15:11:53 2006
    Bound to COMDLG32.dll [4549BD09] Thu Nov 02 15:10:25 2006
    Bound to SHELL32.dll [4549BDB4] Thu Nov 02 15:13:16 2006
    Bound to WINSPOOL.DRV [4549BE2A] Thu Nov 02 15:15:14 2006
    Bound to ole32.dll [4549BD92] Thu Nov 02 15:12:42 2006
    Bound to SHLWAPI.dll [4549BDB9] Thu Nov 02 15:13:21 2006
    Bound to COMCTL32.dll [4549BD09] Thu Nov 02 15:10:25 2006
    Bound to OLEAUT32.dll [4549BD95] Thu Nov 02 15:12:45 2006
    Bound to ntdll.dll [4549BDC9] Thu Nov 02 15:13:37 2006

  Summary

        3000 .data
        1000 .reloc
       1A000 .rsrc
        9000 .text

Next I dumped out the data section shown in the summary:

C:\Users\ganand\Desktop\internals\TOOLS>link.exe -dump -section:".data" -all c:\windows\system32\notepad.exe >c:\notepaddump2.txt

Microsoft (R) COFF/PE Dumper Version 7.10.2179
Copyright (C) Microsoft Corporation.  All rights reserved.

Dump of file c:\windows\system32\notepad.exe

PE signature found --- this is a Windows PE format image

File Type: EXECUTABLE IMAGE

FILE HEADER VALUES
             14C machine (x86)
               4 number of sections
        4549B0BE time date stamp Thu Nov 02 14:17:58 2006 --- when this image was built
               0 file pointer to symbol table
               0 number of symbols
              E0 size of optional header
             102 characteristics
                   Executable
                   32 bit word machine

OPTIONAL HEADER VALUES
             10B magic # (PE32)
            8.00 linker version
            9000 size of code
           1CC00 size of initialized data
               0 size of uninitialized data
            31F8 entry point (010031F8)
            1000 base of code
            D000 base of data
         1000000 image base (01000000 to 01027FFF)
            1000 section alignment
             200 file alignment
            6.00 operating system version
            6.00 image version
            6.00 subsystem version
               0 Win32 version
           28000 size of image
             400 size of headers
           2A84B checksum
               2 subsystem (Windows GUI)
            8140 DLL characteristics
                   RESERVED - UNKNOWN
                   RESERVED - UNKNOWN
                   Terminal Server Aware
           40000 size of stack reserve
           11000 size of stack commit
          100000 size of heap reserve
            1000 size of heap commit
               0 loader flags
              10 number of directories
               0 [       0] RVA [size] of Export Directory
            8C0C [     118] RVA [size] of Import Directory
            D000 [   19A10] RVA [size] of Resource Directory
               0 [       0] RVA [size] of Exception Directory
               0 [       0] RVA [size] of Certificates Directory
           27000 [     D20] RVA [size] of Base Relocation Directory
            9EF8 [      38] RVA [size] of Debug Directory
               0 [       0] RVA [size] of Architecture Directory
               0 [       0] RVA [size] of Global Pointer Directory
               0 [       0] RVA [size] of Thread Storage Directory
            5010 [      40] RVA [size] of Load Configuration Directory
             278 [     10C] RVA [size] of Bound Import Directory
            1000 [     388] RVA [size] of Import Address Table Directory
               0 [       0] RVA [size] of Delay Import Directory
               0 [       0] RVA [size] of COM Descriptor Directory
               0 [       0] RVA [size] of Reserved Directory

SECTION HEADER #2
   .data name
    2124 virtual size
    A000 virtual address (0100A000 to 0100C123)
    1000 size of raw data
    9400 file pointer to raw data (00009400 to 0000A3FF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
C0000040 flags
         Initialized Data
         Read Write
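
Added example (not part of the original post, and not code from the dumper): a small Python parser that reads the same fields straight from a PE file's headers and names the flag bits, so the time date stamp, DLL characteristics and section flags above can be checked by hand. The sample bytes are constructed from values in the dump (one section instead of four), and the function names and the audit rules are this example's own.

```python
import struct
from datetime import datetime, timezone

# Bit names from the PE/COFF specification (IMAGE_DLLCHARACTERISTICS_* and
# IMAGE_SCN_* in winnt.h). Only the commonly audited bits are listed here.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",           # image may be relocated at load (ASLR)
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",              # image is compatible with DEP
    0x0400: "NO_SEH",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
SECTION_FLAGS = {
    0x00000020: "CNT_CODE",
    0x00000040: "CNT_INITIALIZED_DATA",
    0x00000080: "CNT_UNINITIALIZED_DATA",
    0x20000000: "MEM_EXECUTE",
    0x40000000: "MEM_READ",
    0x80000000: "MEM_WRITE",
}

def decode_flags(value, table):
    """Names of the bits set in value; bits missing from table are kept in hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    known = 0
    for bit in table:
        known |= bit
    if value & ~known:
        names.append("UNKNOWN_0x%X" % (value & ~known))
    return names

def parse_pe(data):
    """Parse the DOS stub pointer, COFF header, optional header and section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    opt = coff + 20
    if opt + 72 > len(data):
        raise ValueError("truncated headers")
    machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                 # PE32 / PE32+
        raise ValueError("unexpected optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    sections = []
    for i in range(nsect):
        off = opt + opt_size + 40 * i
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        name, vsize, va, _, _, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "virtual_address": va,
            "flags": decode_flags(flags, SECTION_FLAGS),
        })
    return {
        "machine": machine,
        # The stored value is seconds since 1970-01-01 UTC.
        "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc),
        "dll_characteristics": decode_flags(dll_chars, DLL_CHARACTERISTICS),
        "sections": sections,
    }

def audit(info):
    """Example hardening checks (this example's own rules, not the dumper's)."""
    findings = []
    if "DYNAMIC_BASE" not in info["dll_characteristics"]:
        findings.append("DYNAMIC_BASE clear (no ASLR)")
    if "NX_COMPAT" not in info["dll_characteristics"]:
        findings.append("NX_COMPAT clear (no DEP)")
    for sec in info["sections"]:
        if "MEM_WRITE" in sec["flags"] and "MEM_EXECUTE" in sec["flags"]:
            findings.append("%s is writable and executable" % sec["name"])
    return findings

def build_sample(dll_chars=0x8140, section_flags=0xC0000040):
    """Constructed header bytes using the dump's values; unparsed fields are zero."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)           # e_lfanew: PE header follows
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0x4549B0BE, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)           # magic (PE32)
    struct.pack_into("<H", opt, 70, dll_chars)
    data_sec = struct.pack("<8sIIIIIIHHI", b".data", 0x2124, 0xA000,
                           0x1000, 0x9400, 0, 0, 0, 0, section_flags)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + data_sec

if __name__ == "__main__":
    info = parse_pe(build_sample())
    print(info["timestamp"].isoformat(), info["dll_characteristics"])
    for sec in info["sections"]:
        print(sec["name"], sec["flags"])
    print("findings:", audit(info))
```

For the values in the dump, 8140 decodes to DYNAMIC_BASE, NX_COMPAT and TERMINAL_SERVER_AWARE, so the two RESERVED - UNKNOWN lines are the ASLR and DEP bits, which the 7.10 dumper does not name. The raw stamp 4549B0BE is 08:47:58 UTC on Nov 02 2006, so the 14:17:58 printed above is a local time five and a half hours ahead of UTC.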

RAW DATA #2
  0100AEC0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  0100AED0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  0100AEE0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  0100AEF0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  0100AF00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  0100AF10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  0100AF20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  0100AF30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  0100AF40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  0100AF50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  0100AF60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  0100AF70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  0100AF80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  0100AF90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  0100AFA0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  0100AFB0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  0100AFC0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  0100AFD0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  0100AFE0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  0100AFF0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

  Summary

        3000 .data

C:\Users\ganand\Desktop\internals\TOOLS>link.exe -dump -dependents c:\windows\system32\notepad.exe
Microsoft (R) COFF/PE Dumper Version 7.10.2179
Copyright (C) Microsoft Corporation.  All rights reserved.

Dump of file c:\windows\system32\notepad.exe

File Type: EXECUTABLE IMAGE

  Image has the following dependencies:

    ADVAPI32.dll
    KERNEL32.dll
    GDI32.dll
    USER32.dll
    msvcrt.dll
    COMDLG32.dll
    SHELL32.dll
    WINSPOOL.DRV
    ole32.dll
    SHLWAPI.dll
    COMCTL32.dll
    OLEAUT32.dll
    ntdll.dll 

====
C:\Users\ganand\Desktop\internals\TOOLS>link.exe -dump -exports  c:\windows\system32\ntdll.dll >c:\ntdll.txt

Dump of file c:\windows\system32\ntdll.dll

File Type: DLL

  Section contains the following exports for ntdll.dll

    00000000 characteristics
    4549ACD4 time date stamp Thu Nov 02 14:01:16 2006
        0.00 version
           1 ordinal base
        1902 number of functions
        1902 number of names

    ordinal hint RVA      name

         10    0 000246E0 A_SHAFinal  --- this dumps out all the functions of ntdll.dll with their service numbers
         11    1 000245D8 A_SHAInit
         12    2 0002462E A_SHAUpdate
         13    3 0000A956 AlpcAdjustCompletionListConcurrencyCount
         14    4 0000B0C0 AlpcFreeCompletionListMessage
         15    5 00097D6D AlpcGetCompletionListLastMessageInformation
         16    6 00097D39 AlpcGetCompletionListMessageAttributes
         17    7 0006637A AlpcGetHeaderSize
         18    8 00066343 AlpcGetMessageAttribute
         19    9 0000AF0D AlpcGetMessageFromCompletionList
         20    A 00070C93 AlpcGetOutstandingCompletionListMessageCount
         21    B 00022DEB AlpcInitializeMessageAttribute
         22    C 00011135 AlpcMaxAllowedMessageLength
         23    D 0000AD39 AlpcRegisterCompletionList
         24    E 0000AE5A AlpcRegisterCompletionListWorkerThread
         25    F 00070CB2 AlpcUnregisterCompletionList
         26   10 0000AD95 AlpcUnregisterCompletionListWorkerThread
         27   11 0003DCE5 CsrAllocateCaptureBuffer
         28   12 0003DD78 CsrAllocateMessagePointer
         29   13 0003EF49 CsrCaptureMessageBuffer
         30   14 00038FFA CsrCaptureMessageMultiUnicodeStringsInPlace
         31   15 00038F9A CsrCaptureMessageString
         32   16 0008EC13 CsrCaptureTimeout
         33   17 00067F66 CsrClientCallServer
         34   18 00034C8C CsrClientConnectToServer
         35   19 0003DDBE CsrFreeCaptureBuffer
         36   1A 0008EC08 CsrGetProcessId
         37   1B 0008EBF3 CsrIdentifyAlertableThread
         38   1C 0008EBF3 CsrNewThread
         39   1D 0008EBFB CsrSetPriorityClass
         40   1E 0008EC46 CsrVerifyRegion
         41   1F 00042EA8 DbgBreakPoint
         42   20 0001544A DbgPrint
         43   21 000214D5 DbgPrintEx
         44   22 00097ED7 DbgPrintReturnControlC
         45   23 00097E12 DbgPrompt
         46   24 00097E58 DbgQueryDebugFilterState
         47   25 00097E68 DbgSetDebugFilterState
         48   26 0008EF7E DbgUiConnectToDbg
         49   27 0008F026 DbgUiContinue
         50   28 0008F158 DbgUiConvertStateChangeStructure
         51   29 0008F116 DbgUiDebugActiveProcess
         52   2A 0008EFD0 DbgUiGetThreadDebugObject
         53   2B 0008F0D0 DbgUiIssueRemoteBreakin
         54   2C 0008F06D DbgUiRemoteBreakin
         55   2D 0008EFE2 DbgUiSetThreadDebugObject

---long list..................................................................
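
A saved export listing like the one above can be parsed and compared between two copies of the same DLL, for example to baseline a system library. The following is an added example, not part of the original post: the function names and the embedded sample are constructed for illustration, and it reads only the four columns the listing shows (ordinal, hint, RVA, name).

```python
import re
from collections import defaultdict

# Constructed sample: a few rows taken from the listing above, not a full dump.
# The first row carries an inline note, as the page's first row does.
SAMPLE = """\
    4549ACD4 time date stamp Thu Nov 02 14:01:16 2006
           1 ordinal base
        1902 number of functions
    ordinal hint RVA      name
         10    0 000246E0 A_SHAFinal--inline note
         36   1A 0008EC08 CsrGetProcessId
         37   1B 0008EBF3 CsrIdentifyAlertableThread
         38   1C 0008EBF3 CsrNewThread
         41   1F 00042EA8 DbgBreakPoint
"""

HEADER = re.compile(r"^\s*([0-9A-Fa-f]+)\s+(time date stamp|ordinal base|number of functions)\b")
# ordinal (decimal), hint (hex), RVA (8 hex digits), name; anything after the name is ignored
ROW = re.compile(r"^\s*(\d+)\s+([0-9A-Fa-f]+)\s+([0-9A-Fa-f]{8})\s+([A-Za-z_]\w*)")

def parse_exports(text):
    """Return (header, rows) parsed from `link -dump -exports` text."""
    header, rows = {}, []
    for line in text.splitlines():
        if (h := HEADER.match(line)):
            header[h[2]] = h[1]
        elif (r := ROW.match(line)):
            rows.append({"ordinal": int(r[1]), "hint": int(r[2], 16),
                         "rva": int(r[3], 16), "name": r[4]})
    return header, rows

def shared_rvas(rows):
    """Group names that point at the same RVA (several names, one routine)."""
    by_rva = defaultdict(list)
    for row in rows:
        by_rva[row["rva"]].append(row["name"])
    return {rva: names for rva, names in by_rva.items() if len(names) > 1}

def diff_exports(baseline, observed):
    """Names added, removed, or pointing at a different RVA than in the baseline."""
    old = {r["name"]: r["rva"] for r in baseline}
    new = {r["name"]: r["rva"] for r in observed}
    return {"added": sorted(new.keys() - old.keys()),
            "removed": sorted(old.keys() - new.keys()),
            "moved": sorted(n for n in old.keys() & new.keys() if old[n] != new[n])}

if __name__ == "__main__":
    header, rows = parse_exports(SAMPLE)
    print(header["time date stamp"], len(rows), "rows", shared_rvas(rows))
```

RVAs normally differ between builds, so a diff is only meaningful when both listings report the same time date stamp.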
