View Full Version : reversing part of an IM client


blahh
November 16th, 2011, 09:34
Looking at the files in the directory where I installed the client, I see that there is a ycpssl.dll file. Looking at the network dump, I see that the authentication is done using SSL. I'm trying to figure out where in the binary the call to a function from within ycpssl.dll is.

I run the process, attach WinDbg to it and list the modules. ycpssl.dll shows up; it says the module is deferred (not loaded yet?), so I did the following:

sxe ld:ycpssl.dll

and resumed the process.

After that I tried logging in to the account, but WinDbg is not halting the process. Is there something obvious that I'm doing wrong?

blabberer
November 16th, 2011, 12:18
Deferred does not have anything to do with actual module loads.

Deferred means WinDbg decided it will not load symbols for that module until it deems fit.

The modules are not loaded by WinDbg; they are loaded by the executable, and if an executable needs a module it will load it before it starts.

And to catch module loads you need to do it by executing.

Attaching to a running executable won't let you catch module loading.

You need to start from scratch.

And even then you won't catch ntdll loading with sxe ld.

blahh
November 16th, 2011, 12:58
Quote:
[Originally Posted by blabberer;91432]
Deferred does not have anything to do with actual module loads.

Deferred means WinDbg decided it will not load symbols for that module until it deems fit.

The modules are not loaded by WinDbg; they are loaded by the executable, and if an executable needs a module it will load it before it starts.

And to catch module loads you need to do it by executing.

Attaching to a running executable won't let you catch module loading.

You need to start from scratch.

And even then you won't catch ntdll loading with sxe ld.


I see. Makes sense, yes. Thank you.