
How do I determine what functions are being called in a binary?

The answer to this is not "see the import address table".

I am looking to do some analysis on a few binaries that I am generating, specifically to get a better idea of what libraries and Windows API functions I am using. I have used Dependency Walker to take a look at this, but some of the testing I have done indicates to me that there might be a lot of extra function calls put into the IAT, even if they aren't called.

What I am looking for is a way to determine what functions are being called... not just what is being put in the IAT.

The best way would probably be to reverse it and look at all of the 'CALL's, but I don't know a good way to do that either.

What is the best way to do this?

  1. Launch WinDbg (Debugging Tools for Windows).
  2. Open the executable you want to analyse.
  3. Run the following commands:

    • !logexts.loge
    • !logexts.logo ev (enables verbose logging)
    • !logexts.logo et (enables text logging)
    • g

Open the LogViewer tool that comes with Debugging Tools for Windows to see the APIs. The default log path is desktop\logexts.

If you are using link.exe to link your binary, pass the /MAP flag at link time. This will generate a MAP file (binary.map)... it will contain the functions that are used (not all functions).

I don't know if it's the "best way", but I would kinda agree with your suggestion that all the CALLs give a good overview.

With the "OllyDbg" debugger you can load your program, go to the exe module of your process and right-click -> Search for -> All intermodular calls.

This gives you a nice sortable, searchable list of all "CALL"s that appear in your module and lead to other modules.
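The static version of the "all intermodular calls" idea above, as an added example that is not part of any answer on this page: rather than trusting the IAT, scan the code for the indirect `call [mem]` / `jmp [mem]` instructions (opcode FF 15 / FF 25) that actually go through an IAT slot, then report which imports are referenced and which sit in the IAT without a single call site. The IAT maps (`SAMPLE_IAT_X64`, `SAMPLE_IAT_X86`) and the code bytes are constructed by hand for this example; in practice you would populate the map from the PE import directory (for instance with pefile) and feed it the raw `.text` section.

```python
# Added example (not from any answer on this page): find which IAT entries a
# binary actually references by scanning its code for indirect CALL/JMP
# instructions that go through an IAT slot. An import that no CALL/JMP ever
# targets is in the IAT but never used.
#
# Assumptions (all constructed for this example): SAMPLE_IAT_* map IAT slot VAs
# to import names as a PE import-directory parser would produce;
# SAMPLE_CODE_* are hand-assembled .text bytes.

# x64: IAT slot VA -> imported function (constructed)
SAMPLE_IAT_X64 = {
    0x140003000: "KERNEL32!GetProcAddress",
    0x140003008: "KERNEL32!LoadLibraryA",
    0x140003010: "KERNEL32!ExitProcess",
    0x140003018: "USER32!MessageBoxA",   # present in the IAT, never called
}
SAMPLE_CODE_VA_X64 = 0x140001000
SAMPLE_CODE_X64 = bytes.fromhex(
    "4883EC28"        # sub rsp, 28h
    "FF15FE1F0000"    # call qword ptr [rip+0x1FFE] -> 0x140003008 LoadLibraryA
    "488BC8"          # mov rcx, rax
    "FF15ED1F0000"    # call qword ptr [rip+0x1FED] -> 0x140003000 GetProcAddress
    "33C9"            # xor ecx, ecx
    "FF15F51F0000"    # call qword ptr [rip+0x1FF5] -> 0x140003010 ExitProcess
    "CC"              # int3 (padding)
    "FF25E61F0000"    # jmp qword ptr [rip+0x1FE6]  -> 0x140003008 (import thunk)
)

# x86: IAT slot VA -> imported function (constructed); the disp32 is absolute
SAMPLE_IAT_X86 = {0x00403000: "KERNEL32!ExitProcess", 0x00403004: "KERNEL32!Sleep"}
SAMPLE_CODE_VA_X86 = 0x00401000
SAMPLE_CODE_X86 = bytes.fromhex(
    "6A00"            # push 0
    "FF1500304000"    # call dword ptr [0x00403000] -> ExitProcess
)


def scan_iat_references(code, code_va, iat, x64=True):
    """Return which IAT entries are referenced by FF 15 (call [mem]) or
    FF 25 (jmp [mem]) instructions in `code`, and which are never referenced.

    x64: disp32 is RIP-relative (signed, relative to the next instruction).
    x86: disp32 is an absolute 32-bit address.
    """
    referenced = {}
    i = 0
    while i + 6 <= len(code):
        if code[i] == 0xFF and code[i + 1] in (0x15, 0x25):
            disp = int.from_bytes(code[i + 2:i + 6], "little", signed=x64)
            target = (code_va + i + 6 + disp) if x64 else (disp & 0xFFFFFFFF)
            name = iat.get(target)
            if name is not None:
                referenced.setdefault(name, []).append(code_va + i)
                i += 6
                continue
        # Not a resolvable IAT reference: a byte sweep can hit FF 15 inside
        # another instruction's operand, so only advance one byte.
        i += 1
    unreferenced = sorted(n for n in iat.values() if n not in referenced)
    return {"referenced": referenced, "unreferenced": unreferenced}


if __name__ == "__main__":
    for arch, code, va, iat in (
        ("x64", SAMPLE_CODE_X64, SAMPLE_CODE_VA_X64, SAMPLE_IAT_X64),
        ("x86", SAMPLE_CODE_X86, SAMPLE_CODE_VA_X86, SAMPLE_IAT_X86),
    ):
        r = scan_iat_references(code, va, iat, x64=(arch == "x64"))
        print(arch)
        for name, sites in sorted(r["referenced"].items()):
            print("  called:", name, [hex(s) for s in sites])
        for name in r["unreferenced"]:
            print("  in IAT but never referenced:", name)
```

Two caveats a practitioner should keep in mind. A byte sweep is not a disassembler: it only accepts an FF 15 / FF 25 match when the displacement resolves to a known IAT slot, which filters out most accidental matches, but for real binaries use a proper linear or recursive disassembler (Capstone, or the debugger itself) over the code section. And this only sees imports that go through the IAT; functions resolved at run time via LoadLibrary/GetProcAddress have no IAT slot at all, which is exactly the case the WinDbg logexts approach above catches and a static scan does not.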

Notice: the technical posts on this site follow the CC BY-SA 4.0 license; if you repost, please credit this site or the original source.