Look inside of unknown library or DLL - IL DASM

Abstract

When using a DLL, if a list of provided properties and methods is provided, we can get an idea of what DLL provides, even without documentation. If there is not even such information, one way is to refer the information Intellisense provides in Visual Studio. However, information in browsable style as a catalogue is ideally preferable. And it is available with following tools.

 IL DASM (Intermediate Language Disassembler)Command ”ildasm” .Net Framework library PowerShell command”Add-Type””Get-Member” .Net Framework library Command ”dumpbin” Libraries other than .Net FrameworkWin32, COM

”ildasm” and ”dumpbin” are included in Windows SDK, and their usage is almost similar. This post focuses ”ildasm”. ”dumpbin” and PowerShell are touched a little as off-topic.

WindowsSDK

This post is based on the assumption that

1. Visual Studio is installed.
1. Community 2019 Version 16.10.0
2. Windows 10 SDK is installed.

Windows 10 SDK can be installed with Visual Studio as its bundle, or unbundled. In concrete terms, select "Desktop development with C++" and check ”Windows 10 SDK” as the next image.

Image: select "Desktop development with C++" and check ”Windows 10 SDK

IL DASM - ildasm

In advance of executing the command, identify the location of the DLL file where the desired library is stored. The easiest way is to create a project in Visual Studio that refers to the desired library and identify the path from there.
In this case, it refers the library "MagicWandWin", and its path is shown in the properties. This path will be used to call the library from "ildasm", so make a note of it somewhere.

Image: its path is shown in the properties

"ildasm" is a command tool, so it can be launched from a command prompt or PowerShell. This time, it is launched from Visual Studio." Launch "Developer PowerShell".

Image: File menu > Tools > Command Line

Input next command in PowerShell, then IL DASM is launched. Expanding a package and class, method information is listed. Important thing is that not all listed items are callable.

ildasm /all [path of DLL]


Image: IL DASM

 On IntellisenseOn ildasm public method Collable NOT on IntellisenseOn ildasm private method NOT collable

For example, "GetWeatherJsonText" is a function that receives String type argument and returns String type value. This is not displayed in Intellisense. From the relationship between the method name, arguments, and return value, the following process is imagined.

• Receives a URL, and returns the JSON as the response from URL.
• Receives a keyword, and search value in JSON corresponding to the keyword.
• Returns the value.

In any case, it can be inferred that this is the method as internal process to acquire the necessary information, and no need to call it directly by user.
With double-clicking the method for further deep dive, more detailed information is provided. But this post doesn't go into it any further.

Image: GetWeatherJsonText

Off-topic - dumpbin

I used "ildasm" from the beginning in this post, since I knew that this library uses .Net Framework. In case that a library with other technologies as Win32, use "dumpbin".
Its usage is the same as "ildasm", except that it is limited to text output via CUI. Just input command with necessary options and a path of a library as following. Due to long output, the option "/out" is recommended to redirect output to a text file.

dumpbin /all [path of DLL] /out:[path of text file]


Off-topic - PowerShell

If the name of class is already known, and it is provided with .Net framework library, it is possible to study inside of this library with PowerShell. The next topic introduces this topic.
impsbl.hatenablog.jp