right click -> search for all intermodular calls --> right click --> set log break point on every command
if log function arguments radio button is greyed out
analyse the exe or dll or module first
after that you will see the log function arguments radio button is enabled
for example ollydbg -> calc.exe -> alt+e comctl32.dll -> right click follow entry point + ctrl+a --> right click -> search for all intermodular calls -> right click set log break point on every command -> log function arguments -->
log window -> right click --> log to file --> f9
result
01012475 Program entry point
Analysing calc
158 heuristical procedures
273 calls to known, 167 calls to guessed functions
91 loops, 22 switches
71950000 Module C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll
Analysing comctl32
2338 heuristical procedures
6475 calls to known, 3224 calls to guessed functions
739 loops, 260 switches
5AD70000 Module C:\WINDOWS\System32\uxtheme.dll
7197E147 CALL to GetWindowLongW
hWnd = 001001D8 (class='Edit')
Index = 0.
7197E165 CALL to DefWindowProcW
hWnd = 001001D8 (class='Edit')
Message = WM_GETMINMAXINFO
wParam = 0
pMinMax = 0006F840
7197E147 CALL to GetWindowLongW
hWnd = 001001D8 (class='Edit')
Index = 0.
7197E5AB CALL to GetProcessHeap
7197E5B2 CALL to HeapAlloc
hHeap = 00090000
Flags = HEAP_ZERO_MEMORY
HeapSize = 124 (292.)
7197E5C7 CALL to SetWindowLongW
hWnd = 001001D8 (class='Edit')
Index = 0.
NewValue = 94978
719A9C93 CALL to GetWindowLongW
hWnd = 001001D8 (class='Edit')
Index = -1.
7197C096 CALL to GetVersionExW
pVersionInformation = 0006F58C
719A9D8E CALL to LocalAlloc
Flags = LHND
Size = 40 (64.)
71954296 CALL to LoadLibraryA
FileName = "UxTheme.dll"
719542F7 CALL to GetProcAddress
hModule = 5AD70000 (uxtheme)
ProcNameOrOrdinal = "OpenThemeData"
719A9DD7 CALL to DefWindowProcW
hWnd = 001001D8 (class='Edit')
Message = WM_NCCREATE
wParam = 0
pCreate = 0006F838
7197E147 CALL to GetWindowLongW
hWnd = 001001D8 ('CalcMsgPumpWnd',class='Edit')
Index = 0.
719B7B46 CALL to DefWindowProcW
hWnd = 001001D8 ('CalcMsgPumpWnd',class='Edit')
Message = WM_NCCALCSIZE
CalcFlag = FALSE
Data = 0006F860
7197E147 CALL to GetWindowLongW
hWnd = 001001D8 ('CalcMsgPumpWnd',class='Edit')
Index = 0.
7197CDB1 CALL to GetDC
hWnd = 001001D8 ('CalcMsgPumpWnd',class='Edit')
7197CD03 CALL to CopyRect
pRectDst = 0006F568
pRectSrc = 000949B8 {0.,0.,0.,0.}
7197CD42 CALL to GetClientRect
hWnd = 001001D8 ('CalcMsgPumpWnd',class='Edit')
pRect = 0006F558
7197CD78 CALL to IntersectRect
pRectDst = 0006F558
pRect1 = 0006F558 {0.,0.,762.,498.}
pRect2 = 0006F568 {0.,0.,0.,0.}
7197CD8D CALL to IntersectClipRect
hDC = 34010635
Left = 0
Top = 0
Right = 0
Bottom = 0
719AAB9F CALL to GetTextCharset
hDC = 34010635
7197CDF2 CALL to ReleaseDC
hWnd = 001001D8 ('CalcMsgPumpWnd',class='Edit')
hDC = 34010635
719AABB6 CALL to GetKeyboardLayout
ThreadID = 0
719AAD57 CALL to GetDC
hWnd = 001001D8 ('CalcMsgPumpWnd',class='Edit')
719A9B87 CALL to GetTextFaceW
hDC = 34010635
MaxFaceName = 20 (32.)
pFaceName = 0006F4D8
7197D434 CALL to GetTextCharsetInfo
hDC = 34010635
pSignature = 0006F50C
Flags = 0
stripped off 453 kb of further garbage
--------------------------------------------------------------------------------------------------------------
bmazic:
Expanding on my previous post, here is a solution to creating custom breakpoint sets for OllyDbg.
The procedure is as follows:
A) Using OllyDbg, export a list of names in a DLL. To do that, do the following:
1. Alt-E (View|Executable modules)
2. Select the module you are interested in
3. Ctrl-N (Right click|View names)
4. Right click|Copy to clipboard|Whole table
5. Paste the copied text to a text editor, then add the module's base address to the first line saying, e.g.
Names in kernel32, Base=7C800000
NOTE: Make sure you resize all columns properly (so all text in a column becomes clearly visible) before copying the function names to the clipboard.
B) With the file created, you can now run the provided python script to generate the *.obp file (Pedram Amini's Breakpoint Manager file format), e.g.
python names2obp.py < kernel32.txt > kernel32.obp
C) Modify the provided python script to change the breakpoint type or filter out the exports you want breakpoints on
Tweak the expresion parameter in the source of the python script to change the type of breakpoints generated. The 'Q' means conditional log breakpoint with the following options selected (Pause program: Never, Log value of expression:Never, Log function arguments: Always).
Modify the not_filtered() function to change the way the input list is filtered. The current implementation will filter out all but file management functions from kernel32.dll. Keep that in mind when you run it for the first time.
D) Having made sure you have Pedram Amini's Breakpoint Manager plugin already installed, run the target and load the breakpoint set(s)
Alt-B (View|Breakpoints)
Right-click|Breakpoint Manager|Import Breakpoints
That's it.
Boris
The python script source follows:
%<------%<------%<--CUT_HERE----%<------%<------%<------%<
###
# File: names2obp.py
# Author: Boris Mazic
# Date: 19/02/2008
##
"""
Convert OllyDbg's module name list (a list of exported and forwarded functions)
to Pedram Amini's Breakpoint Manager *.obp file format. You can filter out
the list to include only certain exports by modifying the script below.
To create a list of exported functions do the following in OllyDbg:
1. Alt-E (View|Executable modules)
2. Select the module you are interested in
3. Ctrl-N (Right click|View names)
4. Right click|Copy to clipboard|Whole table
5. Paste the copied text to a text editor, then add the module's base
address to the first line saying, e.g.
Names in kernel32, Base=7C800000
With the file created, you can now run this python script to generate the
*.obp file, e.g.
names2obp.py < kernel32.txt > kernel32.obp
Tweak the expresion parameter in the source below to change the type of
breakpoint generated. The 'Q' means conditional log breakpoint with the
following options selected (Pause program: Never, Log value of expression:
Never, Log function arguments: Always).
NOTE: Make sure you resize all columns properly (so all text in a column
becomes clearly visible) before copying the function names to the clipboard.
"""
import sys, re, string
# Typical input:
"""
Names in kernel32, Base=7C800000
Address Section Type (Known) Name Comment
7C80A634 .text Export ActivateActCtx
7C8231D5 .text Export (Known) WriteProfileStringW
"""
RE_title = re.compile(r'^Names in (\S+), Base=([0-9a-fA-F]+)')
RE_heading = re.compile(r'^Address\s+Section\s+Type\s+\(Known\)\s+Name\s+Comment')
RE_api_info = re.compile(r"""
^([0-9a-fA-F]+) # Address
\s+
(\S+) # Section
\s+
((\S+)(\s+\(Known\))?) # Type
\s+
(\S+) # Name
(\s+(\S+))? # Comment
""", re.VERBOSE | re.MULTILINE)
file_management = 'AreFileApisANSI|CheckNameLegalDOS8Dot3|CloseHandle|CopyFile|CopyFileEx|CreateFile|CreateHardLink|DeleteFile|FindClose|FindFirstFile|FindFirstFileEx|FindFirstStreamW|FindNextFile|FindNextStreamW|GetBinaryType|GetCompressedFileSize|GetFileAttributes|GetFileAttributesEx|GetFileInformationByHandle|GetFileSize|GetFileSizeEx|GetFileTime|GetFileType|GetFullPathName|GetLongPathName|GetShortPathName|GetTempFileName|GetTempPath|MoveFile|MoveFileEx|MoveFileWithProgress|ReOpenFile|ReplaceFile|SearchPath|SetFileApisToANSI|SetFileApisToOEM|SetFileAttributes|SetFileSecurity|SetFileShortName|SetFileTime|SetFileValidData|'
file_io = 'CancelIo|CreateIoCompletionPort|FlushFileBuffers|GetQueuedCompletionStatus|LockFile|LockFileEx|PostQueuedCompletionStatus|ReadFile|ReadFileEx|ReadFileScatter|SetEndOfFile|SetFilePointer|SetFilePointerEx|UnlockFile|UnlockFileEx|WriteFile|WriteFileEx|WriteFileGather|'
file_mapping = 'CreateFileMapping|FlushViewOfFile|MapViewOfFile|MapViewOfFileEx|OpenFileMapping|UnmapViewOfFile|'
memory_management = 'CopyMemory|CreateMemoryResourceNotification|FillMemory|GetLargePageMinimum|GetWriteWatch|GlobalMemoryStatus|GlobalMemoryStatusEx|IsBadCodePtr|IsBadReadPtr|IsBadStringPtr|IsBadWritePtr|MoveMemory|QueryMemoryResourceNotification|ResetWriteWatch|SecureZeroMemory|ZeroMemory|'
memory_global_and_local = 'GlobalAlloc|GlobalDiscard|GlobalFlags|GlobalFree|GlobalHandle|GlobalLock|GlobalReAlloc|GlobalSize|GlobalUnlock|LocalAlloc|LocalDiscard|LocalFlags|LocalFree|LocalHandle|LocalLock|LocalReAlloc|LocalSize|LocalUnlock|'
memory_heap = 'GetProcessHeap|GetProcessHeaps|HeapAlloc|HeapCompact|HeapCreate|HeapDestroy|HeapFree|HeapLock|HeapQueryInformation|HeapReAlloc|HeapSetInformation|HeapSize|HeapUnlock|HeapValidate|HeapWalk|'
memory_virtual = 'VirtualAlloc|VirtualAllocEx|VirtualFree|VirtualFreeEx|VirtualLock|VirtualProtect|VirtualProtectEx|VirtualQuery|VirtualQueryEx|VirtualUnlock|'
dynamic_linking = 'DisableThreadLibraryCalls|DllMain|FreeLibrary|FreeLibraryAndExitThread|GetDllDirectory|GetModuleFileName|GetModuleFileNameEx|GetModuleHandle|GetModuleHandleEx|GetProcAddress|LoadLibrary|LoadLibraryEx|SetDllDirectory|LoadModule|'
process_management = 'CreateProcess|CreateProcessAsUser|CreateProcessWithLogonW|CreateProcessWithTokenW|ExitProcess|FreeEnvironmentStrings|GetCommandLine|GetCurrentProcess|GetCurrentProcessId|GetCurrentProcessorNumber|GetEnvironmentStrings|GetEnvironmentVariable|GetExitCodeProcess|GetGuiResources|GetLogicalProcessorInformation|GetPriorityClass|GetProcessAffinityMask|GetProcessHandleCount|GetProcessId|GetProcessIdOfThread|GetProcessIoCounters|GetProcessPriorityBoost|GetProcessShutdownParameters|GetProcessTimes|GetProcessVersion|GetProcessWorkingSetSize|GetProcessWorkingSetSizeEx|GetStartupInfo|NeedCurrentDirectoryForExePath|OpenProcess|SetEnvironmentVariable|SetPriorityClass|SetProcessAffinityMask|SetProcessPriorityBoost|SetProcessShutdownParameters|SetProcessWorkingSetSize|SetProcessWorkingSetSizeEx|TerminateProcess|WinExec|'
process_enumerate = 'EnumProcesses|Process32First|Process32Next|WTSEnumerateProcesses|'
thread_management = 'AttachThreadInput|CreateRemoteThread|CreateThread|ExitThread|GetCurrentThread|GetCurrentThreadId|GetExitCodeThread|GetThreadId|GetThreadIOPendingFlag|GetThreadPriority|GetThreadPriorityBoost|GetThreadTimes|OpenThread|ResumeThread|SetThreadAffinityMask|SetThreadIdealProcessor|SetThreadPriority|SetThreadPriorityBoost|SetThreadStackGuarantee|Sleep|SleepEx|SuspendThread|SwitchToThread|TerminateThread|ThreadProc|TlsAlloc|TlsFree|TlsGetValue|TlsSetValue|WaitForInputIdle|'
##
# Create a filter for API calls we want to place a breakpoint on
##
filter = '|'
filter += file_management + file_io + file_mapping
#filter += memory_management + memory_global_and_local + memory_heap + memory_virtual
#filter += dynamic_linking
#filter += process_management + process_enumerate + thread_management
def not_filtered(address, section, type, apicall, comment):
if(type != 'Export'):
return 0
f = apicall
if(apicall[-1] in ['A', 'W']):
f = apicall[0:-1]
if(filter.find('|' + f + '|') >= 0):
return 1
return 0
def main():
base_address = 0
expression = 'Q'
f = sys.stdin
line = f.readline() # Names in kernel32
m = RE_title.match(line)
if(not m):
print "ERROR: invalid 1st line\n%s" % line
return 1
module, base_address = m.group(1,2)
base_address = long(base_address, 16)
line = f.readline() # Address Section Type (Known) Name Comment
m = RE_heading.match(line)
if(not m):
print "ERROR: invalid 2nd line\n%s" % line
return 1
while 1:
line = f.readline()
if(not line): break
m = RE_api_info.match(line)
if(not m): break
address, section, type, apicall, comment = m.group(1, 2, 4, 6, 8)
address = long(address, 16)
if(not_filtered(address, section, type, apicall, comment)):
print "%s:%08X:%s:%s" % (module, address-base_address, expression, apicall)
return 0
main()
%<------%<------%<--CUT_HERE----%<------%<------%<------%<
扫一扫
2759
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
