The answer to this is not "see the import address table".

I am looking to do some analysis on a few binaries that I am generating, specifically to get a better idea of what libraries and Windows API functions I am using. I have used Dependency Walker to take a look at this, but some of the testing I have done indicates to me that there might be a lot of extra function calls put into the IAT, even if they aren't called.

What I am looking for is a way to determine what functions are being called... not just what is being put in the IAT.

The best way would probably be to reverse it and look at all of the 'CALL's, but I don't know a good way to do that either.

What is the best way to do this?

  • Remember seeing a Windows API hook(er?) in the Sysinternals toolkit a while ago. Apparently, they merged that functionality into Process Monitor. Google also offers ApiMonitor from Rohitab (still an alpha version). Commented Oct 15, 2013 at 17:20
  • That's not bad... and actually gave me 80% of the answer I was looking for. Although I would have to make sure that I go down each execution path as opposed to somehow finding all of the calls in the binary. But that was a good idea! Commented Oct 15, 2013 at 17:51
  • Wasn't sure if you intended to trace just specific actions and their API calls or every single one. I'm almost sure that it was possible to generate some call maps with IDA Pro... Commented Oct 15, 2013 at 18:09
  • If you want to profile an application, use a profiler. Visual Studio 2012 has a pretty powerful one that will answer some of the questions you have. However, since it doesn't instrument the code but collects samples at configurable intervals instead, it will miss some calls. Then again, static analysis will likely have a hard time when it comes to indirect calls. Commented Oct 15, 2013 at 18:38

3 Answers

  1. Launch WinDbg (Debugging Tools for Windows).
  2. Open the executable you want to analyse.
  3. Run the following commands:

    • !logexts.loge
    • !logexts.logo e v (enables verbose logging)
    • !logexts.logo e t (enables text logging)
    • g

Open the LogViewer tool that comes with Debugging Tools for Windows to see the APIs. The default log path is desktop\logexts.

If you are using link.exe to link your binary, pass the /MAP flag at the time of linking. This will generate a MAP file (binary.map); it will have the functions which are used (not all functions).

I don't know if it's the "best way", but I would kinda agree with your suggestion that all the CALLs give a good overview.

With the "OllyDbg" debugger you can load your program, go to the exe module of your process and right-click -> Search for -> All intermodular calls.

This gives you a nice sortable, searchable list of all "CALL"s that appear in your module and lead to other modules.
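The "all intermodular calls" idea above, as an added example that is not part of this answer: a Python scan over raw 32-bit x86 code bytes for `call dword ptr [imm32]` (FF 15) and `jmp dword ptr [imm32]` thunks (FF 25) whose displacement points at an IAT slot, so that imports that are actually referenced can be separated from ones that merely sit in the IAT. The image base, IAT addresses, import names and code bytes are all constructed for the example.

```python
import struct

# Constructed sample: a 32-bit module whose IAT lives at 0x402000.
# Maps IAT slot VA -> imported function (hypothetical names).
IAT = {
    0x402000: "KERNEL32!CreateFileW",
    0x402004: "KERNEL32!WriteFile",
    0x402008: "KERNEL32!ExitProcess",
    0x40200C: "USER32!MessageBoxW",   # present in the IAT but never called
}

# Constructed code bytes: two imports called directly through the IAT, one
# reached via a jmp thunk, and a push through an IAT slot that is NOT a call.
CODE = (
    b"\x55\x8b\xec"                                 # push ebp; mov ebp, esp
    + b"\xff\x15" + struct.pack("<I", 0x402000)     # call dword ptr [0x402000]
    + b"\xff\x15" + struct.pack("<I", 0x402004)     # call dword ptr [0x402004]
    + b"\xff\x15" + struct.pack("<I", 0x402004)     # WriteFile called again
    + b"\xff\x25" + struct.pack("<I", 0x402008)     # jmp dword ptr [0x402008] thunk
    + b"\xff\x35" + struct.pack("<I", 0x40200C)     # push dword ptr [0x40200C]
)

def referenced_imports(code: bytes, iat: dict) -> dict:
    """Return {import_name: count} for every call/jmp that goes through an IAT slot.

    Caveats: a linear byte scan can mis-align inside data or long instructions
    (a real disassembler avoids that), and register-indirect calls such as
    'call eax' or functions resolved at runtime via GetProcAddress are invisible
    to any static scan of the IAT.
    """
    hits = {}
    i = 0
    while i + 6 <= len(code):
        op, modrm = code[i], code[i + 1]
        if op == 0xFF and modrm in (0x15, 0x25):   # call/jmp dword ptr [disp32]
            slot = struct.unpack_from("<I", code, i + 2)[0]
            name = iat.get(slot)
            if name:
                hits[name] = hits.get(name, 0) + 1
                i += 6
                continue
        i += 1
    return hits

def unreferenced_imports(code: bytes, iat: dict) -> list:
    """Imports that occupy an IAT slot but are never called or jumped through."""
    called = referenced_imports(code, iat)
    return sorted(name for name in iat.values() if name not in called)
```

On a real binary the IAT map would come from parsing the import directory and the code bytes from the .text section, but the scan itself stays the same.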
