DynLogger


Daniel Pistelli
April 13th, 2008, 07:01
http://ntcore.com/dynlogger.php

DynLogger logs all dynamically retrieved functions by reporting the module name and the requested function. It can come very handy when one wants to know a "hidden" function used by an application.

I recycled the code of a bigger project to write this little application. It's a very small utility, but it might be of use after all. It was tested on XP and Vista, both x86 and x64. It works for .NET applications as well. Just start the logging process, the log will be saved after you quit the monitored application.

I wasn't really sure if I should have posted it here or not. But a friend of mine needed it, so I figured out that maybe even other people might need it.

evilcry
April 13th, 2008, 07:17
Nice work Daniel and thanks for sharing it!

A handy tool for Malware Reversing, where tons of API hiding tricks are used.


NeOXOeN
April 13th, 2008, 10:13
Yes, really nice work.

Daniel Pistelli
April 13th, 2008, 12:03
Thanks evilcry and NeOXOeN, but it's really nothing.

However, now that I think about it, it could be useful for malware reversing.

rendari
April 13th, 2008, 18:03
You misspelled "dynamically" in the screenshot with notepad :P

Good job! Was quite useful for an unpackme I was working on.

Daniel Pistelli
April 14th, 2008, 02:22
Thanks rendari for notifying the misspelling. I fixed it both in the code and in the screenshot (with a simple paint operation =).

Well, it seems to be useful after all.

dELTA
April 14th, 2008, 04:07
CRCETL:
http://www.woodmann.com/collaborative/tools/DynLogger

Btw, Daniel, are you just hooking GetProcAddress or something more fancy? I think it would be great to log LoadLibrary calls separately, because a sneaky application can just load the DLL in question into the address space and then parse its export table manually to get the individual API addresses and then execute them. This makes the LoadLibrary function much more important than GetProcAddress I think.

You can of course make a custom loader to bypass LoadLibrary too, but that's much harder and should be much more rare.

Daniel Pistelli
April 14th, 2008, 07:19
I am hooking LoadLibrary as well, but as you already pointed out you could inject the module by yourself. You say it's hard.. well not for those who have read my Antimida article. There's a complete dll injection with relocation and IAT etc. But dll injection isn't possible when the dll is a system one and is already in the address space. Or better, it's possible, but extremely ugly.

dELTA
April 14th, 2008, 09:01
Quote (Originally Posted by Daniel Pistelli): I am hooking LoadLibrary as well
Great, but I don't see any separate log entries for this, and that's all I suggest.

Something like: "Library xxx.dll was loaded"?


Quote (Originally Posted by Daniel Pistelli): but as you already pointed out you could inject the module by yourself. You say it's hard.. well not for those who have read my Antimida article.
Actually, I only said it was harder than manually parsing an export table, which I still think holds true indeed.


Quote (Originally Posted by Daniel Pistelli): But dll injection isn't possible when the dll is a system one and is already in the address space. Or better, it's possible, but extremely ugly.
Yes, that is great, and that also makes the suggested separate logging of LoadLibrary even more powerful and hard to circumvent. So, maybe this little feature could be added after all?

Daniel Pistelli
April 14th, 2008, 09:10
Uhm, you convinced me, it's a good idea. Wait an hour, I'll add this to the logging.

Daniel Pistelli
April 14th, 2008, 09:31
Ok done, took me 5 minutes. The new log looks something like:

Functions dynamically retrieved by "C:\Programmi\IrfanView\i_view32.exe":

Initally loaded modules:
C:\Programmi\IrfanView\i_view32.exe
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\WinSxS\X86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\Secur32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\USER32.dll
C:\WINDOWS\system32\SHLWAPI.dll
C:\WINDOWS\system32\winspool.drv
C:\WINDOWS\system32\comdlg32.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\IMM32.DLL
C:\WINDOWS\system32\guard32.dll
C:\WINDOWS\system32\fltLib.dll
C:\WINDOWS\system32\winsta.dll
C:\WINDOWS\system32\NETAPI32.dll

The module "uxtheme.dll" was loaded

Module: C:\WINDOWS\system32\USER32.dll Name: GetSystemMetrics
Module: C:\WINDOWS\system32\USER32.dll Name: MonitorFromWindow
Module: C:\WINDOWS\system32\USER32.dll Name: MonitorFromRect
Module: C:\WINDOWS\system32\USER32.dll Name: MonitorFromPoint
Module: C:\WINDOWS\system32\USER32.dll Name: EnumDisplayMonitors
Module: C:\WINDOWS\system32\USER32.dll Name: GetMonitorInfoA
Module: C:\WINDOWS\system32\ntdll.dll Name: NtQueryInformationProcess
Module: C:\WINDOWS\system32\IMM32.DLL Name: CtfImmCoUninitialize
Module: C:\WINDOWS\system32\IMM32.DLL Name: CtfImmLastEnabledWndDestroy
Module: C:\WINDOWS\system32\IMM32.DLL Name: CtfImmSetCiceroStartInThread
Module: C:\WINDOWS\system32\IMM32.DLL Name: CtfImmIsCiceroStartedInThread
Module: C:\WINDOWS\system32\IMM32.DLL Name: CtfImmIsCiceroEnabled
Module: C:\WINDOWS\system32\IMM32.DLL Name: CtfImmIsTextFrameServiceDisabled

[...]

Module: C:\WINDOWS\system32\IMM32.DLL Name: ImmGetDescriptionW
Module: C:\WINDOWS\system32\IMM32.DLL Name: ImmGetIMEFileNameA
Module: C:\WINDOWS\system32\IMM32.DLL Name: ImmGetIMEFileNameW
Module: C:\WINDOWS\system32\IMM32.DLL Name: ImmSetHotKey
Module: C:\WINDOWS\system32\kernel32.dll Name: GetUserDefaultUILanguage

The module "C:\WINDOWS\system32\MSCTF.dll" was loaded


The module "version.dll" was loaded

Module: version.dll Name: GetFileVersionInfoW
Module: version.dll Name: GetFileVersionInfoSizeW
Module: version.dll Name: VerQueryValueW

The module "apphelp.dll" was loaded

Module: apphelp.dll Name: ApphelpCheckIME
Module: C:\WINDOWS\system32\ole32.dll Name: CoCreateInstance

The module "C:\WINDOWS\system32\msctfime.ime" was loaded

Module: C:\WINDOWS\system32\msctfime.ime Name: CtfImeCreateThreadMgr
Module: C:\WINDOWS\system32\msctfime.ime Name: CtfImeDestroyThreadMgr
Module: C:\WINDOWS\system32\msctfime.ime Name: CtfImeCreateInputContext
Module: C:\WINDOWS\system32\msctfime.ime Name: CtfImeDestroyInputContext
Module: C:\WINDOWS\system32\msctfime.ime Name: CtfImeSetActiveContextAlways
Module: C:\WINDOWS\system32\msctfime.ime Name: CtfImeProcessCicHotkey
Module: C:\WINDOWS\system32\msctfime.ime Name: CtfImeDispatchDefImeMessage
Module: C:\WINDOWS\system32\msctfime.ime Name: CtfImeIsIME

[etc.]

Better? =)
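A small parser for the log format shown above, added here as an example (Python, not DynLogger's own code): it splits a log into the initially loaded modules, the modules seen passing through the hooked LoadLibrary, and the functions resolved through the hooked GetProcAddress, then lists any module a function was resolved from that appears in neither of the first two lists, which is the kind of gap dELTA's point about manually mapped modules would leave. It assumes real logs keep exactly the line shapes quoted above; the sample log is constructed, not a real capture.

```python
import re

# Constructed excerpt in the line format DynLogger prints (not a real capture)
SAMPLE_LOG = r"""Functions dynamically retrieved by "C:\Programmi\IrfanView\i_view32.exe":
Initally loaded modules:
C:\Programmi\IrfanView\i_view32.exe
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\USER32.dll

The module "uxtheme.dll" was loaded
Module: C:\WINDOWS\system32\USER32.dll Name: GetSystemMetrics
Module: C:\WINDOWS\system32\ntdll.dll Name: NtQueryInformationProcess
The module "version.dll" was loaded
Module: version.dll Name: GetFileVersionInfoW
Module: C:\WINDOWS\system32\ole32.dll Name: CoCreateInstance
"""

INITIAL_RE = re.compile(r"^Init\w* loaded modules:$")  # tolerates the typo in the log
LOADED_RE = re.compile(r'^The module "([^"]+)" was loaded$')
FUNC_RE = re.compile(r"^Module: (.+?) Name: (\S+)$")

def module_key(path):
    # The log mixes full paths and bare names; compare by lower-cased file name
    return path.rsplit("\\", 1)[-1].lower()

def parse_dynlogger(text):
    report = {"initial": [], "loaded": [], "functions": []}
    in_initial = False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue  # blank separator lines carry no information
        if INITIAL_RE.match(line):
            in_initial = True
        elif m := LOADED_RE.match(line):
            in_initial = False  # first event line ends the initial module list
            report["loaded"].append(m.group(1))
        elif m := FUNC_RE.match(line):
            in_initial = False
            report["functions"].append(m.groups())  # (module, function name)
        elif in_initial:
            report["initial"].append(line)
        # header line and elision markers such as "[...]" fall through, ignored
    return report

def unexplained_modules(report):
    # Modules a function was resolved from that were neither present at start
    # nor seen through the hooked LoadLibrary; these deserve a closer look
    known = {module_key(p) for p in report["initial"] + report["loaded"]}
    return sorted({module_key(m) for m, _ in report["functions"]} - known)
```

In the constructed sample, ole32.dll is reported because CoCreateInstance was resolved from it without any "was loaded" line; a module that is never resolved through the hooks at all leaves no trace in this log, which is the limitation discussed in the thread.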

JMI
April 14th, 2008, 11:06
I'm sure many are trying to find a few moments to "drive" this new toy "around the block" a few times and see how she runs! Thanks for the quick response and the update. If you haven't already, you might want to update the comment in the CRCETL to mention the new functionality!

Regards,

Daniel Pistelli
April 14th, 2008, 11:47
Thanks JMI, updated! Well, I wouldn't encourage anyone to lose time to try this. It's really nothing.

dELTA
April 14th, 2008, 16:23
Looks great Daniel, thanks!