DLL information
ADVAPI32.dll api-ms-win-appmodel-runtime-l1-1-0.dll api-ms-win-appmodel-runtime-l1-1-1.dll api-ms-win-core-apiquery-l1-1-0.dll api-ms-win-core-com-l1-1-0.dll api-ms-win-core-com-l1-1-1.dll api-ms-win-core-com-midlproxystub-l1-1-0.dll api-ms-win-core-debug-l1-1-0.dll api-ms-win-core-delayload-l1-1-0.dll api-ms-win-core-delayload-l1-1-1.dll api-ms-win-core-errorhandling-l1-1-0.dll api-ms-win-core-errorhandling-l1-1-2.dll api-ms-win-core-file-l1-1-0.dll api-ms-win-core-file-l1-2-0.dll api-ms-win-core-file-l2-1-0.dll api-ms-win-core-handle-l1-1-0.dll api-ms-win-core-heap-l1-1-0.dll api-ms-win-core-heap-l2-1-0.dll api-ms-win-core-heap-obsolete-l1-1-0.dll api-ms-win-core-interlocked-l1-1-0.dll api-ms-win-core-io-l1-1-0.dll api-ms-win-core-kernel32-legacy-l1-1-0.dll api-ms-win-core-libraryloader-l1-2-0.dll api-ms-win-core-libraryloader-l1-2-1.dll api-ms-win-core-localization-l1-2-0.dll api-ms-win-core-memory-l1-1-0.dll api-ms-win-core-path-l1-1-0.dll api-ms-win-core-processenvironment-l1-1-0.dll api-ms-win-core-processthreads-l1-1-0.dll api-ms-win-core-processthreads-l1-1-1.dll api-ms-win-core-profile-l1-1-0.dll api-ms-win-core-psapi-l1-1-0.dll api-ms-win-core-registry-l1-1-0.dll api-ms-win-core-registry-l1-1-1.dll api-ms-win-core-registry-l2-1-0.dll api-ms-win-core-rtlsupport-l1-1-0.dll api-ms-win-core-shlwapi-legacy-l1-1-0.dll api-ms-win-core-shlwapi-obsolete-l1-1-0.dll api-ms-win-core-string-l1-1-0.dll api-ms-win-core-string-l2-1-0.dll api-ms-win-core-string-obsolete-l1-1-0.dll api-ms-win-core-synch-l1-1-0.dll api-ms-win-core-synch-l1-2-0.dll api-ms-win-core-synch-l1-2-1.dll api-ms-win-core-sysinfo-l1-1-0.dll api-ms-win-core-sysinfo-l1-2-0.dll api-ms-win-core-threadpool-l1-2-0.dll api-ms-win-core-threadpool-legacy-l1-1-0.dll api-ms-win-core-timezone-l1-1-0.dll api-ms-win-core-util-l1-1-0.dll api-ms-win-core-version-l1-1-0.dll api-ms-win-core-winrt-error-l1-1-0.dll api-ms-win-core-winrt-error-l1-1-1.dll api-ms-win-core-winrt-l1-1-0.dll 
api-ms-win-core-winrt-string-l1-1-0.dll api-ms-win-crt-math-l1-1-0.dll api-ms-win-crt-private-l1-1-0.dll api-ms-win-crt-runtime-l1-1-0.dll api-ms-win-crt-string-l1-1-0.dll api-ms-win-devices-config-l1-1-1.dll api-ms-win-devices-query-l1-1-0.dll api-ms-win-eventing-classicprovider-l1-1-0.dll api-ms-win-eventing-provider-l1-1-0.dll api-ms-win-rtcore-ntuser-window-l1-1-0.dll api-ms-win-security-base-l1-1-0.dll api-ms-win-security-capability-l1-1-0.dll api-ms-win-security-lsalookup-l2-1-0.dll api-ms-win-security-provider-l1-1-0.dll api-ms-win-security-sddl-l1-1-0.dll api-ms-win-service-core-l1-1-0.dll api-ms-win-service-management-l1-1-0.dll api-ms-win-service-management-l2-1-0.dll api-ms-win-service-winsvc-l1-1-0.dll api-ms-win-shcore-stream-l1-1-0.dll api-ms-win-shcore-taskpool-l1-1-0.dll api-ms-win-stateseparation-helpers-l1-1-0.dll bcrypt.dll combase.dll CRYPT32.dll ext-ms-win-session-usermgr-l1-1-0.dll GDI32.dll IPHLPAPI.DLL KERNEL32.dll msvcp_win.dll msvcrt.dll netutils.dll ntdll.dll ole32.dll OLEAUT32.dll PROPSYS.dll RPCRT4.dll setupapi.dll SHELL32.dll SHLWAPI.dll SspiCli.dll USER32.dll USERENV.dll WINHTTP.dll WS2_32.dll XmlLite.dll
Explanation of how functions located in operating system DLLs are used
PowerShell scripts often call functions exported by operating system DLLs, for example (clicking at a screen position with PowerShell):
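```powershell
# Load the assemblies that provide Cursor and Point
Add-Type -AssemblyName System.Windows.Forms, System.Drawing
# P/Invoke signature for mouse_event, exported by user32.dll (DWORD -> uint, ULONG_PTR -> UIntPtr)
$MouseEventSig = @'
[DllImport("user32.dll", CharSet=CharSet.Auto, CallingConvention=CallingConvention.StdCall)]
public static extern void mouse_event(uint dwFlags, uint dx, uint dy, uint dwData, UIntPtr dwExtraInfo);
'@
$MouseEvent = Add-Type -MemberDefinition $MouseEventSig -Name "MouseEventWinApi" -PassThru
# Move the cursor to (10,10), then press and release the left button
[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point(10, 10)
$MouseEvent::mouse_event(0x00000002, 0, 0, 0, [UIntPtr]::Zero)  # MOUSEEVENTF_LEFTDOWN
$MouseEvent::mouse_event(0x00000004, 0, 0, 0, [UIntPtr]::Zero)  # MOUSEEVENTF_LEFTUP
```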
Here a specific DLL, user32.dll, is used, and the script then references its mouse_event function, which handles mouse input.
Let's take another example (writing text into the Notepad process):
```powershell
# P/Invoke signatures for FindWindowEx and SendMessage, both exported by user32.dll
$codigo = @'
[DllImport("user32.dll", EntryPoint = "FindWindowEx", CharSet = CharSet.Auto)]
public static extern IntPtr FindWindowEx(IntPtr hwndParent, IntPtr hwndChildAfter, string lpszClass, string lpszWindow);
[DllImport("user32.dll", CharSet = CharSet.Auto)]
public static extern IntPtr SendMessage(IntPtr hWnd, uint uMsg, IntPtr wParam, string lParam);
'@
# Start Notepad and wait until its window is ready for input
$notepad = Start-Process notepad -PassThru
$null = $notepad.WaitForInputIdle()
$acciones = Add-Type -MemberDefinition $codigo -Name TextoNotepad -PassThru
# Find the child window of class "Edit"; [NullString]::Value passes a real NULL window name
$edit = $acciones::FindWindowEx($notepad.MainWindowHandle, [IntPtr]::Zero, "Edit", [NullString]::Value)
# Send WM_SETTEXT (0x000C) with the text to write
$acciones::SendMessage($edit, 0x000C, [IntPtr]::Zero, "Texto")
```
In this case, the DLL user32.dll is used, and the script then references the FindWindowEx and SendMessage functions to write text into the Notepad process.
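When reviewing a script, the same reading (which DLL, which function) can be done automatically. The following is an added example, not code from the original page: the helper name Get-PInvokeImport and the embedded sample script are assumptions constructed for illustration.

```powershell
# Constructed sample: a script embedding the three declarations used on this page.
$sample = @'
$MouseEventSig = @"
[DllImport("user32.dll", CharSet=CharSet.Auto)]
public static extern void mouse_event(uint dwFlags, uint dx, uint dy, uint dwData, UIntPtr dwExtraInfo);
"@
$codigo = '
[DllImport("user32.dll", EntryPoint = "FindWindowEx")]public static extern IntPtr FindWindowEx(IntPtr hwndParent, IntPtr hwndChildAfter, string lpszClass, string lpszWindow);
[DllImport("User32.dll")]public static extern int SendMessage(IntPtr hWnd, int uMsg, int wParam, string lParam);
'
Add-Type -MemberDefinition $codigo -Name TextoNotepad
'@

# Hypothetical helper (the name is an assumption): lists every DllImport declared in a script.
function Get-PInvokeImport {
    param([Parameter(Mandatory)][string]$ScriptText)
    $tokens = $null; $errors = $null
    # Parse without executing anything; the script text is only inspected.
    $ast = [System.Management.Automation.Language.Parser]::ParseInput($ScriptText, [ref]$tokens, [ref]$errors)
    # The C# declarations live inside string literals and here-strings, so collect those nodes.
    $strings = $ast.FindAll({
        param($node)
        $node -is [System.Management.Automation.Language.StringConstantExpressionAst] -or
        $node -is [System.Management.Automation.Language.ExpandableStringExpressionAst]
    }, $true)
    # Matches: [DllImport("x.dll", args...)] <modifiers> extern <return type> <name>(
    $pattern = '\[\s*DllImport\s*\(\s*"(?<dll>[^"]+)"(?<args>[^\]]*)\]\s*[^;(]*\bextern\b[^;(]*?\b(?<func>\w+)\s*\('
    foreach ($s in $strings) {
        foreach ($m in [regex]::Matches($s.Value, $pattern)) {
            # EntryPoint, when present, is the name actually resolved in the DLL.
            $entry = [regex]::Match($m.Groups['args'].Value, 'EntryPoint\s*=\s*"([^"]+)"')
            [pscustomobject]@{
                Line     = $s.Extent.StartLineNumber
                # Lower-cased so that user32.dll and User32.dll group together.
                Dll      = $m.Groups['dll'].Value.ToLowerInvariant()
                Function = $m.Groups['func'].Value
                Export   = if ($entry.Success) { $entry.Groups[1].Value } else { $m.Groups['func'].Value }
            }
        }
    }
}

Get-PInvokeImport -ScriptText $sample | Format-Table -AutoSize
```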
Applications
Information about how the functions are used can be obtained by analyzing the DLLs with applications such as:
- https://www.jesusninoc.com/04/15/ejecutar-microsoft-coff-binary-file-dumper-dumpbin-exe-desde-powershell/
- https://www.jesusninoc.com/04/18/ver-las-dependencias-de-un-fichero-dll-con-dumpbin-desde-powershell/
- https://www.jesusninoc.com/04/19/listar-funciones-exportadas-de-un-archivo-dll-con-dumpbin-desde-powershell/
- https://www.jesusninoc.com/01/31/winspy/
- https://www.jesusninoc.com/11/29/dependency-walker/
Information about DLL files
- https://www.jesusninoc.com/02/02/informacion-sobre-el-archivo-dll-user32-dll/
- https://www.jesusninoc.com/11/29/mostrar-los-procesos-que-estan-ejecutando-una-dll-de-un-listado-de-dlls-con-powershell/
- https://www.jesusninoc.com/11/28/mostrar-la-descripcion-de-un-fichero-filedescription-mediante-el-cmdlet-get-childitem-en-powershell/
- https://www.jesusninoc.com/11/28/mostrar-la-descripcion-filedescription-de-todos-los-ficheros-que-hay-en-una-carpeta-en-windows-mediante-el-cmdlet-get-childitem-en-powershell/
More examples that help to understand it better:
- https://www.jesusninoc.com/04/21/obtener-los-nombres-de-las-funciones-exportadas-de-un-archivo-dll-con-dumpbin-desde-powershell-explicacion-paso-a-paso-del-script/
- https://www.jesusninoc.com/04/26/llamar-con-el-valor-de-la-aplicacion-calculadora-calc-exe-a-cada-funcion-obtenida-con-dumbin-para-cada-dll/
- https://www.jesusninoc.com/04/27/llamar-con-el-valor-de-la-aplicacion-calculadora-calc-exe-a-cada-funcion-obtenida-con-dumbin-para-cada-dll-el-valor-de-la-dll-que-se-analiza-esta-en-una-variable/