hello,

i'm quite new to debugging. i try to find out how a dll in an exe process load's up an other dll. it uses a custom funktion or things lige this and i need the params of that funktion. the debugprogramm doesn't jump into the mdoules of that exe file. it debug the system dll like mfc42.dll or things like that, but not the dll's of the programm i debug.
how can i force the debugger to jump into the dll's??

regards
ngc

Greets,

depends how the dll is bound/loaded.

If the dll is loaded explictly (via LoadLibrary) or on demand (DelayLoad feature) you just can use "Break on new module" under debugging options -> events. Wait for your dll to break. Go to "executable modules" view and browse imports/exports "view names".

If you only want to trace a known specific dll export, set a breakpoint in that list. Go and it will break on the first byte of the function prolog. You can then evaluate the call stack to get the caller. Using the disassembly you can now identify the parameters and the calling convention (cdecl, stdcall etc.).

If the dll is early bound, use the "debugging options" -> "events" -> "system breakpoint" feature to break loader at very early stage.

Usually dlls have an entry point to initialize instance data (C-runtime init/startup stuff which in turn calls user supplied (main) routines). Ollydbg displays it as <ModuleEntryPoint>. If you place a breakpoint at this entry you can trace dll initialization stuff (or breakpoints on all exports if you dont know which one). The main/entry function of the application is called later.

Hope this helps...

Regards,
Anastasius Focht

Are there cases when "Break on new module" would not work even when DLL is loaded by getprocaddress?

GetProcAddress can't load a new DLL, it can only get address of function inside a dll you already have the handle off.

The win32 debugging specs also indicate that any DLL load will generate a dll load event, which will trigger Ollydbg's "Break on new module".

Oops, I meant "LoadLibrary" of course.