DynLogger
Daniel Pistelli
04-13-2008, 07:01 AM
http://ntcore.com/dynlogger.php
DynLogger logs all dynamically retrieved functions by reporting the module name and the requested function. It can come very handy when one wants to know a "hidden" function used by an application.
I recycled the code of a bigger project to write this little application. It's a very small utility, but it might be of use after all. It was tested on XP and Vista, both x86 and x64. It works for .NET applications as well. Just start the logging process; the log will be saved after you quit the monitored application.
I wasn't really sure if I should have posted it here or not. But a friend of mine needed it, so I figured out that maybe even other people might need it.
evilcry
04-13-2008, 07:17 AM
Nice work Daniel

and thanks for sharing it!
A handy tool for Malware Reversing, where tons of API hiding tricks are used.

NeOXOeN
04-13-2008, 10:13 AM
yes really nice work..
Daniel Pistelli
04-13-2008, 12:03 PM
Thanks evilcry and NeOXOeN, but it's really nothing.
However, now that I think about it, it could be useful for malware reversing.
rendari
04-13-2008, 06:03 PM
You misspelled "dynamically" in the screenshot with notepad :P
Good job! Was quite useful for an unpackme I was working on.

Daniel Pistelli
04-14-2008, 02:22 AM
Thanks rendari for notifying the misspelling. I fixed it both in the code and in the screenshot (with a simple paint operation =).
Well, it seems to be useful after all.
dELTA
04-14-2008, 04:07 AM
CRCETL:
http://www.woodmann.com/collaborative/tools/index.php/DynLogger
Btw, Daniel, are you just hooking GetProcAddress or something more fancy? I think it would be great to log LoadLibrary calls separately, because a sneaky application can just load the DLL in question into the address space and then parse its export table manually to get the individual API addresses and then execute them. This makes the LoadLibrary function much more important than GetProcAddress I think.
You can of course make a custom loader to bypass LoadLibrary too, but that's much harder and should be much more rare.
Daniel Pistelli
04-14-2008, 07:19 AM
I am hooking LoadLibrary as well, but as you already pointed out you could inject the module by yourself. You say it's hard.. well not for those who have read my Antimida article. There's a complete dll injection with relocation and IAT etc. But dll injection isn't possible when the dll is a system one and is already in the address space. Or better, it's possible, but extremely ugly.
dELTA
04-14-2008, 09:01 AM
Quote (Originally Posted by Daniel Pistelli): "I am hooking LoadLibrary as well"
Great, but I don't see any separate log entries for this, and that's all I suggest.
Something like: "Library xxx.dll was loaded"?
Quote (Originally Posted by Daniel Pistelli): "but as you already pointed out you could inject the module by yourself. You say it's hard.. well not for those who have read my Antimida article."
Actually, I only said it was harder than manually parsing an export table, which I still think holds true indeed.
Quote (Originally Posted by Daniel Pistelli): "But dll injection isn't possible when the dll is a system one and is already in the address space. Or better, it's possible, but extremely ugly."
Yes, that is great, and that also makes the suggested separate logging of LoadLibrary even more powerful and hard to circumvent.

So, maybe this little feature could be added after all?

Daniel Pistelli
04-14-2008, 09:10 AM
Uhm, you convinced me, it's a good idea. Wait an hour, I'll add this to the logging.
Daniel Pistelli
04-14-2008, 09:31 AM
Ok done, took me 5 minutes. The new log looks something like:
Functions dynamically retrieved by "C:\Programmi\IrfanView\i_view32.exe":
Initally loaded modules:
C:\Programmi\IrfanView\i_view32.exe
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\WinSxS\X86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\Secur32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\USER32.dll
C:\WINDOWS\system32\SHLWAPI.dll
C:\WINDOWS\system32\winspool.drv
C:\WINDOWS\system32\comdlg32.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\IMM32.DLL
C:\WINDOWS\system32\guard32.dll
C:\WINDOWS\system32\fltLib.dll
C:\WINDOWS\system32\winsta.dll
C:\WINDOWS\system32\NETAPI32.dll
The module "uxtheme.dll" was loaded
Module: C:\WINDOWS\system32\USER32.dll Name: GetSystemMetrics
Module: C:\WINDOWS\system32\USER32.dll Name: MonitorFromWindow
Module: C:\WINDOWS\system32\USER32.dll Name: MonitorFromRect
Module: C:\WINDOWS\system32\USER32.dll Name: MonitorFromPoint
Module: C:\WINDOWS\system32\USER32.dll Name: EnumDisplayMonitors
Module: C:\WINDOWS\system32\USER32.dll Name: GetMonitorInfoA
Module: C:\WINDOWS\system32\ntdll.dll Name: NtQueryInformationProcess
Module: C:\WINDOWS\system32\IMM32.DLL Name: CtfImmCoUninitialize
Module: C:\WINDOWS\system32\IMM32.DLL Name: CtfImmLastEnabledWndDestroy
Module: C:\WINDOWS\system32\IMM32.DLL Name: CtfImmSetCiceroStartInThread
Module: C:\WINDOWS\system32\IMM32.DLL Name: CtfImmIsCiceroStartedInThread
Module: C:\WINDOWS\system32\IMM32.DLL Name: CtfImmIsCiceroEnabled
Module: C:\WINDOWS\system32\IMM32.DLL Name: CtfImmIsTextFrameServiceDisabled
[...]
Module: C:\WINDOWS\system32\IMM32.DLL Name: ImmGetDescriptionW
Module: C:\WINDOWS\system32\IMM32.DLL Name: ImmGetIMEFileNameA
Module: C:\WINDOWS\system32\IMM32.DLL Name: ImmGetIMEFileNameW
Module: C:\WINDOWS\system32\IMM32.DLL Name: ImmSetHotKey
Module: C:\WINDOWS\system32\kernel32.dll Name: GetUserDefaultUILanguage
The module "C:\WINDOWS\system32\MSCTF.dll" was loaded
The module "version.dll" was loaded
Module: version.dll Name: GetFileVersionInfoW
Module: version.dll Name: GetFileVersionInfoSizeW
Module: version.dll Name: VerQueryValueW
The module "apphelp.dll" was loaded
Module: apphelp.dll Name: ApphelpCheckIME
Module: C:\WINDOWS\system32\ole32.dll Name: CoCreateInstance
The module "C:\WINDOWS\system32\msctfime.ime" was loaded
Module: C:\WINDOWS\system32\msctfime.ime Name: CtfImeCreateThreadMgr
Module: C:\WINDOWS\system32\msctfime.ime Name: CtfImeDestroyThreadMgr
Module: C:\WINDOWS\system32\msctfime.ime Name: CtfImeCreateInputContext
Module: C:\WINDOWS\system32\msctfime.ime Name: CtfImeDestroyInputContext
Module: C:\WINDOWS\system32\msctfime.ime Name: CtfImeSetActiveContextAlways
Module: C:\WINDOWS\system32\msctfime.ime Name: CtfImeProcessCicHotkey
Module: C:\WINDOWS\system32\msctfime.ime Name: CtfImeDispatchDefImeMessage
Module: C:\WINDOWS\system32\msctfime.ime Name: CtfImeIsIME
[etc.]
Better? =)
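The log above is plain text, so the "LoadLibrary" entries dELTA asked for can be cross-checked mechanically against the "Module: ... Name: ..." entries. The following parser is an added example written for this thread; it is not part of DynLogger or of any post here. It assumes only the three line shapes visible in Daniel's output, and the sample log embedded in it is a constructed, shortened variant of that output with one deliberately odd entry: a function resolved from apphelp.dll although no "was loaded" line and no initial-modules line ever mentions apphelp.dll. That is exactly the case dELTA describes (a module mapped without LoadLibrary, then its exports resolved by hand), and the check reports it.

```python
"""Summarise a DynLogger-style log and flag modules whose exports were
resolved although the log never recorded them being loaded.

Added example for the thread, not DynLogger's own code. The only
assumption is the line format visible in the posted log.
"""
import re
from collections import OrderedDict

# Constructed sample in the shape of the posted log (shortened). The
# apphelp.dll line at the end is deliberate: no load entry exists for it.
SAMPLE_LOG = """\
Functions dynamically retrieved by "C:\\Programmi\\IrfanView\\i_view32.exe":
Initally loaded modules:
C:\\Programmi\\IrfanView\\i_view32.exe
C:\\WINDOWS\\system32\\ntdll.dll
C:\\WINDOWS\\system32\\kernel32.dll
C:\\WINDOWS\\system32\\USER32.dll
The module "uxtheme.dll" was loaded
Module: C:\\WINDOWS\\system32\\USER32.dll Name: GetSystemMetrics
Module: C:\\WINDOWS\\system32\\ntdll.dll Name: NtQueryInformationProcess
The module "version.dll" was loaded
Module: version.dll Name: GetFileVersionInfoW
Module: version.dll Name: VerQueryValueW
[...]
Module: apphelp.dll Name: ApphelpCheckIME
"""

HEADER_RE = re.compile(r'^Functions dynamically retrieved by "(.+)":$')
# Accept the log's own spelling ("Initally") as well as the corrected one.
INITIAL_RE = re.compile(r"^Initi?ally loaded modules:$")
LOADED_RE = re.compile(r'^The module "(.+)" was loaded$')
RESOLVED_RE = re.compile(r"^Module: (.+?) Name: (\S+)$")
ELISIONS = {"[...]", "[etc.]"}


def module_key(path):
    """Normalise 'C:\\WINDOWS\\system32\\USER32.dll' and 'user32.dll' to one key."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_log(text):
    """Return target exe, initial modules, runtime-loaded modules and the
    functions resolved per module (module key -> list of names, in order)."""
    target = None
    initial, loaded = [], []
    resolved = OrderedDict()
    in_initial = False  # True while reading the bare-path lines after the header
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ELISIONS:
            continue
        m = HEADER_RE.match(line)
        if m:
            target, in_initial = m.group(1), False
            continue
        if INITIAL_RE.match(line):
            in_initial = True
            continue
        m = LOADED_RE.match(line)
        if m:
            in_initial = False
            loaded.append(m.group(1))
            continue
        m = RESOLVED_RE.match(line)
        if m:
            in_initial = False
            resolved.setdefault(module_key(m.group(1)), []).append(m.group(2))
            continue
        if in_initial:  # any other line in that section is a module path
            initial.append(line)
    return {"target": target, "initial": initial, "loaded": loaded,
            "resolved": resolved}


def unexplained_modules(summary):
    """Modules whose exports were resolved but which appear neither in the
    initial module list nor in any 'was loaded' entry. A hit means the
    module got into the address space without going through the hooked
    LoadLibrary, which is the case worth a closer look."""
    known = {module_key(p) for p in summary["initial"] + summary["loaded"]}
    return [mod for mod in summary["resolved"] if mod not in known]


if __name__ == "__main__":
    s = parse_log(SAMPLE_LOG)
    print("target:", s["target"])
    print("loaded at runtime:", ", ".join(s["loaded"]))
    for mod, names in s["resolved"].items():
        print(f"{mod}: {len(names)} function(s) resolved")
    print("resolved without a recorded load:", unexplained_modules(s))
```

Running it on a real DynLogger log is a matter of reading the file into `parse_log`; the normalisation in `module_key` is needed because the log names the same DLL sometimes by full path and sometimes by bare file name, as the posted output shows for version.dll versus USER32.dll.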
I'm sure many are trying to find a few moments to "drive" this new toy "around the block" a few times and see how she runs! Thanks for the quick response and the update.

If you haven't already, you might want to update the comment in the CRCETL to mention the new functionality!
Regards,
Daniel Pistelli
04-14-2008, 11:47 AM
Thanks JMI, updated! Well, I wouldn't encourage anyone to lose time to try this. It's really nothing.
dELTA
04-14-2008, 04:23 PM
Looks great Daniel, thanks!
