Alex Ionescu wrote:
> nslookup on Windows uses DNSAPI exclusively for DNS resolution, and the Rtl* network APIs for IP processing.
I'm just not seeing it. This is a query:
ChildEBP RetAddr
0013ee7c 00fbb3af WS2_32!send
0013f1e4 00fba369 nslookup!SendRequest+0x19b
0014f250 00fbae10 nslookup!MergeHostInfoPtr+0xc0
0015f48c 00fbb017 nslookup!GetHostDomainPrivate+0x13f
0015f4d8 00fbb192 nslookup!GetHostDomain+0x67
0015f54c 00fb54f3 nslookup!GetHostInfoByName+0x107
0015f5bc 00fb56a7 nslookup!DoLookup+0xcd
0015f7e0 00fb72ee nslookup!LookupHost+0x114
0015f804 00fb66ab nslookup!yylex+0x6e8
0015f878 00fbc6b9 nslookup!main+0x531
0015f8bc 758dd0e9 nslookup!_initterm_e+0x163
0015f8c8 772219bb kernel32!BaseThreadInitThunk+0xe
0015f908 7722198e ntdll!__RtlUserThreadStart+0x23
0015f920 00000000 ntdll!_RtlUserThreadStart+0x1b
(I especially like the "yylex" routine suggesting nslookup's main loop is a hand-made parser on top of a lex lexer)
The only two dnsapi.dll routines imported by nslookup.exe are DnsQueryConfigAllocEx and DnsFreeConfigStructure, which are only called at startup:
ChildEBP RetAddr
000dfb58 00fb6431 DNSAPI!DnsQueryConfigAllocEx
000dfbd8 00fbc6b9 nslookup!main+0x2b7
000dfc1c 758dd0e9 nslookup!_initterm_e+0x163
000dfc28 772219bb kernel32!BaseThreadInitThunk+0xe
000dfc68 7722198e ntdll!__RtlUserThreadStart+0x23
000dfc80 00000000 ntdll!_RtlUserThreadStart+0x1b

ChildEBP RetAddr
000dfb5c 00fb659b DNSAPI!DnsFreeConfigStructure
000dfbd8 00fbc6b9 nslookup!main+0x421
000dfc1c 758dd0e9 nslookup!_initterm_e+0x163
000dfc28 772219bb kernel32!BaseThreadInitThunk+0xe
000dfc68 7722198e ntdll!__RtlUserThreadStart+0x23
000dfc80 00000000 ntdll!_RtlUserThreadStart+0x1b
After the call to DnsFreeConfigStructure, dnsapi is never called again.
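As an added illustration (this is not part of the original post, and not the poster's own script), the two checks behind the observation above can be reproduced with the Windows SDK tools: dumpbin for the static import table, and cdb with a pattern breakpoint on every dnsapi export for the dynamic side. The symbol-cache path, the target hostname (example.com) and the 32-bit nslookup.exe location are assumptions; on a 64-bit system the frames will show Child-SP rather than ChildEBP.

```batch
@echo off
rem Added example, not from the original post. Assumes dumpbin (Visual Studio)
rem and cdb (Debugging Tools for Windows) are on PATH, and that TARGET is the
rem same 32-bit nslookup.exe examined above (adjust the path on 64-bit Windows).
set TARGET=%SystemRoot%\System32\nslookup.exe
set SYMPATH=srv*C:\symbols*https://msdl.microsoft.com/download/symbols

rem 1. Static check: list the dnsapi.dll entries in the import table.
rem    Expect only DnsQueryConfigAllocEx and DnsFreeConfigStructure.
rem    Note this misses anything resolved at run time via GetProcAddress.
dumpbin /imports "%TARGET%" | findstr /i "dnsapi.dll Dns"

rem 2. Dynamic check: wait for dnsapi.dll to load, then break on every
rem    export matching Dns* (and on WS2_32!send for the raw socket path),
rem    print a stack with arguments, and resume. Pattern breakpoints also
rem    catch calls through GetProcAddress that the import table would hide.
> cdb_cmds.txt (
  echo .sympath %SYMPATH%
  echo .reload
  echo sxe ld:dnsapi
  echo g
  echo bm DNSAPI!Dns* "kb; g"
  echo bu WS2_32!send "kb; g"
  echo g
  echo q
)
cdb -cf cdb_cmds.txt "%TARGET%" example.com
```

The commands in cdb_cmds.txt run in order: the first g returns control when the module-load event for dnsapi fires, at which point the bm pattern can be resolved; the second g runs the lookup to completion, so the console shows one stack per dnsapi call and per send. If only the two config calls appear before the WS2_32!send frames, that matches the traces in the post.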