how to debug a jni dll

Question

I have a small java program. It loads a jni dll and that dll loads a normal win32 dll. I would like to debug which arguments the Java application in the end provides to one specific call of the win32 dll. My plan was to put a breakpoint on this DLL call in ollydbg and then inspect the stack. But I have to provide an executable when I start the debug mode in ollydbg so the only option I have is provide java.exe with the parameters to start my java program. But I can only set the breakpoint in the DLL when the DLL is eventually loaded which requires me to basically run the program. I can't see how I can't "halt" the execution to set the breakpoint and if I could halt somehow I wouldn't need the breakpoint. Can anyone tell me what I need to do?

Answer 1

You can instruct the debugger to break when a particular dll is loaded.

• load "java.exe" in Ollydbg
• Go to "Options > options" menu (ALT + O).
• On the option window, on the left menu, go to "Debugging > Events"
• Check "Pause on new module (DLL)"
• (Optionally) Check "Only on the following modules" (otherwise the debugger will break for all loaded modules, including system ones).
• Click "Add" button and fill the box with the name of your dll.
• Click "OK" at the bottom of the "Debugging events" window

• Go to "File > Set new arguments" menu if you want to pass some args to java.exe.
• Restart the program (CTRL + F2), this is needed to take the changes into account.
• Run the program, it should break when you jni dll is loaded (on DLL main).
• Press "CTRL + N" to see the names exported by your DLL
  • note: you can actually type the name you are searching for on this window
  • it looks like that (example with kernel32.dll system DLL, I typed "CreatefileW" on the window):

• Press F2 on the function name you want to break on (this put a break point on the function)
• Run program with F9: if the function is called, this should break.