DLL Debug


Qubeley
January 4th, 2007, 02:08
Hi there, I am new to OllyDbg and I am following the tutorial "Load DLL" on http://www.ollydbg.de/

I loaded User32.DLL from my system directory successfully, but I am unable to trigger "Call DLL Export" from the "Debug" menu. "Call DLL Export" is simply grayed out, without any error message indicating what is going on.
On the other hand, I can export functions from a DLL that I wrote and call them without problem.
What is wrong with my operations above? Thanks in advance!

blabberer
January 4th, 2007, 02:19
when you load any dll in ollydbg's loaddll, ollydbg first stops at DllInitialize

which is a mandatory function that is called when any dll is loaded

at this point the dll has not been initialised yet (and call dll export will not be available at this point)

so if you are sure the DllInitialize () function is harmless, simply f9 it
ollydbg will say running

now invoke call dll export, it will be available

on the other hand if it is malware or some stuff which would play tricks

single step through the DllInitialize () function, find whether it invokes any anti debugging measures etc, disable them and then run with f9

and use call dll export later (you will know call dll export is available if you see the green bug active in the taskbar)

Qubeley
January 5th, 2007, 00:20
Thanks for the detailed explanation. That solved my problem for exporting User32.DLL.
Another question: when I load NTDLL.DLL, OllyDbg doesn't give me a chance to press F9 - it just "runs" the DLL until initialization is completed. My question is, why doesn't NTDLL.DLL stop "running" at the entry point (DllInitialize)?

Thanks again!

blabberer
January 5th, 2007, 03:18
are you sure user32.dll gave you a chance to f9 it before it completed the DllInit ??

iirc none of the dlls that are already loaded by loaddll for its own operation will ever give you a chance to break before dllinit is completed

that's because the LoadLibrary () function is simply incrementing the LoadedCount value in one of its internal tables

you can't modify the dll physically and save it to %system% because windows file protection wouldn't let you fiddle with core dlls

you can't save it to a different path and load it, because then it will clash with the preferred imagebase and often relocation will fail due to hardcoded references in the code (these core dlls simply assume "since i'm the first, i'll get what i want", so they can do call 12345678 type calls which will never get the correct offset if relocated)

iirc both will stop in ollydbg's loaddll only after dllinit has been called (at the first bp in loaddll)

if you want to really test, find some third party dll (for example the cmdline.dll in the ollydbg directory will do) and load it in ollydbg; you will see you have to f9 twice before call dll export is visible and working: once when it is at the entry point of the dll, the other after dll init has finished
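An added example (not from the thread and not OllyDbg's own code) to make the "preferred imagebase" point above concrete: before loading a copy of a system DLL from a different path, the first thing to check is whether the image can be rebased at all. The script reads ImageBase from the optional header, the IMAGE_FILE_RELOCS_STRIPPED flag from the COFF header and the size of the base-relocation directory. The sample images it inspects are constructed headers, not real system DLLs; the ImageBase values are just the kind of numbers seen in the logs in this thread.

```python
"""Added example: inspect a PE image's headers to see whether the loader could
rebase it at all, the first check before loading a copy of a system DLL from a
path where it will not get its preferred base.

A module with relocations stripped (or no .reloc data) can only run at
ImageBase; one with relocation data can be rebased, although hardcoded absolute
addresses that the linker never recorded as fixups would still break, as the
post above says.  The sample images below are constructed headers."""
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5


def pe_relocation_info(data: bytes) -> dict:
    """Return ImageBase and relocation status for a PE32 / PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (_machine, _nsections, _stamp, _symtab, _nsyms,
     _opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:          # PE32: 32-bit ImageBase at offset 28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        dirs = opt + 96
    elif magic == 0x20B:        # PE32+: 64-bit ImageBase at offset 24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    ndirs = struct.unpack_from("<I", data, dirs - 4)[0]   # NumberOfRvaAndSizes
    reloc_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_BASERELOC:
        _rva, reloc_size = struct.unpack_from(
            "<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)
    stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "image_base": image_base,
        "relocs_stripped": stripped,
        "reloc_dir_size": reloc_size,
        "relocatable": not stripped and reloc_size > 0,
    }


def build_sample_pe(image_base: int, relocs_stripped: bool, reloc_size: int) -> bytes:
    """Constructed minimal PE32 DLL header (no sections, no code) for testing."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    chars = 0x2102                                          # EXECUTABLE | 32BIT | DLL
    if relocs_stripped:
        chars |= IMAGE_FILE_RELOCS_STRIPPED
    opt = bytearray(96 + 16 * 8)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                 # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)             # ImageBase
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    if reloc_size:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC,
                         0x3000, reloc_size)                # .reloc directory
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for label, img in (("third-party dll", build_sample_pe(0x10000000, False, 0x200)),
                       ("relocs stripped", build_sample_pe(0x7C900000, True, 0))):
        print(label, pe_relocation_info(img))
```

Run it against a real file with `pe_relocation_info(open(path, "rb").read())`; a result of `relocatable: False` means the loader has no way to fix the image up, so loading it from a path where the preferred base is already taken will fail before any hardcoded references even come into play.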

LLXX
January 5th, 2007, 05:33
Quote:
Originally Posted by blabberer:
    when you load any dll in ollydbg's loaddll, ollydbg first stops at DllInitialize

    which is a mandatory function that is called when any dll is loaded

    at this point the dll has not been initialised yet (and call dll export will not be available at this point)

    so if you are sure the DllInitialize () function is harmless, simply f9 it
    ollydbg will say running

    now invoke call dll export, it will be available

    on the other hand if it is malware or some stuff which would play tricks

    single step through the DllInitialize () function, find whether it invokes any anti debugging measures etc, disable them and then run with f9

    and use call dll export later (you will know call dll export is available if you see the green bug active in the taskbar)

You mean DllMain()?

blabberer
January 5th, 2007, 09:32
Yeah, DllMain() in userland, DllInitialize() in kernel land

Code:

NTSTATUS
DllInitialize(
    IN PUNICODE_STRING RegistryPath   // registry path passed to the export driver
    );

BOOL WINAPI DllMain(
    HINSTANCE hinstDLL,   // handle to DLL module
    DWORD fdwReason,      // reason for calling function
    LPVOID lpReserved     // reserved
    );

sorry if that caused any confusion; digging inside the kernel one tends to do
printk()'s instead of printf()'s

here is a doc which lists a few problems when dealing with dlls; especially the link sections, which link to mgrier's blog posts about contract issues, are worth reading a few times over
http://download.microsoft.com/download/a/f/7/af7777e5-7dcd-4800-8a0a-b18336565f5b/DLL_bestprac.doc

Qubeley
January 8th, 2007, 23:59
Quote:
Originally Posted by blabberer:
    are you sure user32.dll gave you a chance to f9 it before it completed the DllInit ??

Yes, and then the status bar of OllyDbg displays
"Entry point of debugged DLL". This happens when I load user32.dll from my Windows system directory.

When I load ntdll.dll from the Windows system directory, as I said above, OllyDbg runs straight past the initialization and the status bar displays
"Initialization of debugged DLL finished"

blabberer
January 9th, 2007, 05:09
well, just tried loading user32.dll and it didn't stop on dllinit for me now; it stopped only after init finished

Code:

Log data
Address Message

File 'C:\WINDOWS\system32\user32.dll'
New process with ID 00000BE4 created
00410070 Main thread with ID 00000DA4 created
00400000 Module C:\WINDOWS\system32\odbg110\LOADDLL.EXE
77D40000 Module C:\WINDOWS\system32\USER32.DLL
77F10000 Module C:\WINDOWS\system32\GDI32.dll
7C800000 Module C:\WINDOWS\system32\kernel32.dll
7C900000 Module C:\WINDOWS\system32\ntdll.dll
5AD70000 Module C:\WINDOWS\system32\uxtheme.dll
77C10000 Module C:\WINDOWS\system32\msvcrt.dll
77DD0000 Module C:\WINDOWS\system32\ADVAPI32.dll
77E70000 Module C:\WINDOWS\system32\RPCRT4.dll
74720000 Module C:\WINDOWS\system32\MSCTF.dll
Initialization of debugged DLL finished


i have observed loaddll not stopping on a few dlls earlier but i couldn't really put a real reason to the behaviour

if you search this forum for nico's post you will see i have posted a screenshot of a dll that refused to stop at its entry point
and in that case, since it was a third party malware dll, i had embedded an int3 at its entry point to make it stop, like i did for the sotm33 reversing challenge

try disabling sfc for a single session, patch user32.dll with an int3 at its entry point, and try loading it in loaddll and see if it stops at the entry point

Qubeley
January 9th, 2007, 21:39
Thanks, below are my log files when loading user32.dll and ntdll.dll

User32.dll (which stops at the entry point)
Code:

Log data
Address Message
OllyDbg v1.10
Bookmarks sample plugin v1.06 (plugin demo)
Copyright (C) 2001, 2002 Oleh Yuschuk
Command line plugin v1.10
Written by Oleh Yuschuk

File 'C:\WINDOWS\system32\user32.dll'
New process with ID 00000170 created
00410070 Main thread with ID 000008F8 created
00400000 Module G:\RSTools\odbg110\LOADDLL.EXE
77D40000 Module C:\WINDOWS\system32\USER32.DLL
77F10000 Module C:\WINDOWS\system32\GDI32.dll
7C800000 Module C:\WINDOWS\system32\kernel32.dll
7C900000 Module C:\WINDOWS\system32\ntdll.dll
77D4F538 Entry point of debugged DLL
NTDLL.DLL (which didn't stop)
Code:

Log data
Address Message
OllyDbg v1.10
Bookmarks sample plugin v1.06 (plugin demo)
Copyright (C) 2001, 2002 Oleh Yuschuk
Command line plugin v1.10
Written by Oleh Yuschuk

Console file 'C:\WINDOWS\system32\ntdll.dll'
New process with ID 00000D58 created
00410070 Main thread with ID 00000E34 created
00400000 Module G:\RSTools\odbg110\LOADDLL.EXE
77D40000 Module C:\WINDOWS\system32\USER32.DLL
77F10000 Module C:\WINDOWS\system32\GDI32.dll
7C800000 Module C:\WINDOWS\system32\kernel32.dll
7C900000 Module C:\WINDOWS\system32\ntdll.dll
5CB70000 Module C:\WINDOWS\system32\ShimEng.dll
76390000 Module C:\WINDOWS\system32\IMM32.DLL
77DD0000 Module C:\WINDOWS\system32\ADVAPI32.dll
77E70000 Module C:\WINDOWS\system32\RPCRT4.dll
629C0000 Module C:\WINDOWS\system32\LPK.DLL
74D90000 Module C:\WINDOWS\system32\USP10.dll
77C10000 Module C:\WINDOWS\system32\msvcrt.dll
48000000 Module C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
71AB0000 Module C:\WINDOWS\system32\WS2_32.dll
48000000 Unload C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
71AB0000 Unload C:\WINDOWS\system32\WS2_32.dll
5CB70000 Unload C:\WINDOWS\system32\ShimEng.dll
5AD70000 Module C:\WINDOWS\system32\uxtheme.dll
74720000 Module C:\WINDOWS\system32\MSCTF.dll
77B40000 Module C:\WINDOWS\system32\apphelp.dll
755C0000 Module C:\WINDOWS\system32\msctfime.ime
774E0000 Module C:\WINDOWS\system32\ole32.dll
Initialization of debugged DLL finished
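An added example, not part of the thread, that reads OllyDbg 1.10 loaddll log output like the two logs posted above and answers the question mechanically: did the session stop at "Entry point of debugged DLL" or run straight through to "Initialization of debugged DLL finished", which modules are still loaded at the end (modules that are unloaded again during init, like ShimEng.dll in the ntdll log, are dropped), and which module contains the reported entry point. The sample logs are the two posted above, trimmed to the lines that matter; the regular expressions are mine and assume the line formats visible in those logs.

```python
"""Added example: parse OllyDbg 1.10 loaddll log lines to find where the session
stopped, which modules remain loaded, and which module holds the entry point.
The sample logs are the two posted in this thread, trimmed."""
import re

FILE_RE = re.compile(r"^(?:Console )?[Ff]ile '(.+)'$")
MODULE_RE = re.compile(r"^([0-9A-F]{8}) Module (.+)$")
UNLOAD_RE = re.compile(r"^([0-9A-F]{8}) Unload (.+)$")
ENTRY_RE = re.compile(r"^([0-9A-F]{8}) Entry point of debugged DLL$")
INIT_DONE = "Initialization of debugged DLL finished"


def parse_loaddll_log(text: str) -> dict:
    modules = {}    # base address -> path of modules currently loaded
    info = {"file": None, "stopped_at": None, "entry": None,
            "entry_module": None, "modules": modules}
    for raw in text.splitlines():
        line = raw.strip()
        if m := FILE_RE.match(line):
            info["file"] = m.group(1)
        elif m := MODULE_RE.match(line):
            modules[int(m.group(1), 16)] = m.group(2)
        elif m := UNLOAD_RE.match(line):
            modules.pop(int(m.group(1), 16), None)   # DLL came and went during init
        elif m := ENTRY_RE.match(line):
            info["entry"] = int(m.group(1), 16)
            info["stopped_at"] = "entry point"
        elif line == INIT_DONE:
            info["stopped_at"] = "after initialization"
    if info["entry"] is not None:
        # the module containing the entry point is the one with the highest
        # base address not above it (the log gives bases, not sizes)
        below = [b for b in modules if b <= info["entry"]]
        if below:
            info["entry_module"] = modules[max(below)]
    return info


# sample input: the user32.dll log from the thread, trimmed
USER32_LOG = r"""
File 'C:\WINDOWS\system32\user32.dll'
00400000 Module G:\RSTools\odbg110\LOADDLL.EXE
77D40000 Module C:\WINDOWS\system32\USER32.DLL
77F10000 Module C:\WINDOWS\system32\GDI32.dll
7C800000 Module C:\WINDOWS\system32\kernel32.dll
7C900000 Module C:\WINDOWS\system32\ntdll.dll
77D4F538 Entry point of debugged DLL
"""

# sample input: the ntdll.dll log from the thread, trimmed
NTDLL_LOG = r"""
Console file 'C:\WINDOWS\system32\ntdll.dll'
00400000 Module G:\RSTools\odbg110\LOADDLL.EXE
77D40000 Module C:\WINDOWS\system32\USER32.DLL
77F10000 Module C:\WINDOWS\system32\GDI32.dll
7C800000 Module C:\WINDOWS\system32\kernel32.dll
7C900000 Module C:\WINDOWS\system32\ntdll.dll
5CB70000 Module C:\WINDOWS\system32\ShimEng.dll
76390000 Module C:\WINDOWS\system32\IMM32.DLL
77DD0000 Module C:\WINDOWS\system32\ADVAPI32.dll
77E70000 Module C:\WINDOWS\system32\RPCRT4.dll
48000000 Module C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
71AB0000 Module C:\WINDOWS\system32\WS2_32.dll
48000000 Unload C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
71AB0000 Unload C:\WINDOWS\system32\WS2_32.dll
5CB70000 Unload C:\WINDOWS\system32\ShimEng.dll
5AD70000 Module C:\WINDOWS\system32\uxtheme.dll
74720000 Module C:\WINDOWS\system32\MSCTF.dll
Initialization of debugged DLL finished
"""


if __name__ == "__main__":
    for name, log in (("user32", USER32_LOG), ("ntdll", NTDLL_LOG)):
        r = parse_loaddll_log(log)
        print(name, "stopped:", r["stopped_at"], "| entry in:", r["entry_module"],
              "|", len(r["modules"]), "modules loaded")
```

Paste a log copied from OllyDbg's Log window into `parse_loaddll_log`; a result of `stopped_at == "after initialization"` with no entry address is the signature of the case discussed in this thread, where the debugger never got a break at the DLL's entry point.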