Posted about 1 year ago, by Ksbunker

 What is the easy way? Read on.
 For there to be an easy way, surely there's a hard way? Yes, hooks. They're redundant in this case... why complicate the process!?!
 What's the easy way? Conditional log breakpoints. 
 
  Example.

 Let's say we're reversing a target that imports LoadLibrary and GetProcAddress. It's a fair
 assumption that because these two functions are present, the target dynamically loads a minimum of 1 function; it may load 50 functions. There's no real way to find out without peeking closely at GetProcAddress during run-time.

 Crack open OllyDbg and load up your target.

 Right-click the CPU window > View > MODULE "kernel32.dll"

 The CPU window will bring up a list of imported/exported functions. Type in GetProcAddress and it will automatically highlight the function for you.

 Right-click > Follow in Disassembler

 You will land at:

  MOV EDI, EDI

 Right-click on this line > Breakpoint > Conditional log

 Leave the 'Condition' and 'Explanation' fields blank; we're only interested in the 'Expression' edit box. Type "STRING [[ESP+8]]" into the expression field (at function entry, [ESP+8] is the lpProcName argument, so this logs the name being resolved) and ensure the following options are set.

  Pause program   > Never
  Log value of expression > Always
  Log function arguments > Never

 Hit 'OK' and execute the program as normal (F9).

 Open the Log window (View > Log) and you will see the following logged strings:

 7C80AE40  COND: EnumDisplayDevicesA
 7C80AE40  COND: GetMonitorInfoA
 7C80AE40  COND: EnumDisplayDevicesA
 7C80AE40  COND: GetMonitorInfoA
 7C80AE40  COND: EnumDisplayDevicesA
 7C80AE40  COND: GetMonitorInfoA
 7C80AE40  COND: glAccum
 7C80AE40  COND: glAlphaFunc
 7C80AE40  COND: glAreTexturesResident
 7C80AE40  COND: glArrayElement
 7C80AE40  COND: glBegin
 7C80AE40  COND: glBindTexture
 7C80AE40  COND: glBitmap
 7C80AE40  COND: glBlendFunc
 7C80AE40  COND: glCallList
 7C80AE40  COND: glCallLists
 7C80AE40  COND: glClear
 7C80AE40  COND: glClearAccum
 7C80AE40  COND: glClearColor
 7C80AE40  COND: glClearDepth
 7C80AE40  COND: glClearIndex
 7C80AE40  COND: glClearStencil
 7C80AE40  COND: glClipPlane
 7C80AE40  COND: glColor3b
 7C80AE40  COND: glColor3bv
 [...]

 There we go, we've logged the functions loaded by the executable and its modules without the need for any extravagant hooks.
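 A log like the one above is easy to produce but tedious to read by hand: the same name shows up every time the target re-resolves it, and the OpenGL names drown out the handful of interesting ones. The script below is an added example, not part of Ksbunker's post or of OllyDbg; it parses the Log window's "address  COND: value" lines (the sample text is constructed to match the format shown above, including the "[...]" truncation marker), returns the unique names in first-seen order, counts how often each was resolved, and groups them by a name prefix. The prefix list is an assumption for this sample; adjust it per target.

```python
import re
from collections import Counter

# Constructed sample in the shape OllyDbg writes to its Log window for a
# conditional log breakpoint: breakpoint address, "COND:", then the value of
# the logged expression. The "[...]" line mimics the post's abbreviation.
SAMPLE_LOG = """\
7C80AE40  COND: EnumDisplayDevicesA
7C80AE40  COND: GetMonitorInfoA
7C80AE40  COND: EnumDisplayDevicesA
7C80AE40  COND: GetMonitorInfoA
7C80AE40  COND: glAccum
7C80AE40  COND: glAlphaFunc
7C80AE40  COND: glBegin
[...]
"""

# One conditional-log record: 8 hex digits, whitespace, "COND:", the value.
LOG_LINE = re.compile(r"^\s*([0-9A-Fa-f]{8})\s+COND:\s+(\S+)\s*$")


def parse_log(text):
    """Return (breakpoint address, logged string) pairs, skipping any line
    that is not a conditional-log record (such as the "[...]" marker)."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            records.append((m.group(1).upper(), m.group(2)))
    return records


def resolved_names(text):
    """Unique function names in first-seen order: the set of APIs the target
    asked GetProcAddress for, regardless of how often it asked."""
    seen = []
    for _, name in parse_log(text):
        if name not in seen:
            seen.append(name)
    return seen


def resolution_counts(text):
    """How many times each name was resolved. Repeats of the same name, as in
    the post's log, usually mean the target re-resolves on every use rather
    than caching the returned pointer."""
    return Counter(name for _, name in parse_log(text))


def by_prefix(text, prefixes=("gl",)):
    """Group the unique names by API-family prefix ("gl" for OpenGL here).
    The prefix list is an assumption for the sample; anything that matches
    no prefix lands under "other"."""
    groups = {p: [] for p in prefixes}
    groups["other"] = []
    for name in resolved_names(text):
        for p in prefixes:
            if name.startswith(p):
                groups[p].append(name)
                break
        else:
            groups["other"].append(name)
    return groups


if __name__ == "__main__":
    for name, n in resolution_counts(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {name}")
    print(by_prefix(SAMPLE_LOG))
```

 To use it on a real session, save the Log window contents to a file (OllyDbg's log can be copied out from the right-click menu) and pass the file's text to the functions instead of SAMPLE_LOG; the "other" bucket is where the names worth a closer look usually end up.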

  Until next time...
  Cheers,
  Ksbunker
