Spelunking - How The Program Uses An API Function?

We have already discussed how to discover what functions a program uses. Now that we know their names, wouldn't it be nice if we knew what parameters does the program passes or better what values does the prorgam passes and what is the result of the function?

Start Hackman Debugger.
From Files menu click open.
Locate GetRight.exe and load it.
Hackman Debugger will reply (or something similar):

IN: C:\Program Files\GetRight\getright.exe opened.

Set Breakpoints (you should first see what functions the program imports)
Start Debugging!

It's critical to find out if you really have symbols for the functions you are going to debug. Let's make this one clear: Hackman Debugger must have loaded symbols. In other words, consider you need to trap parameters to and from GetWindowTextItemA. You first need to know what types the function needs.

int GetWindowText(
                  HWND hWnd,            // handle to window or control
                  LPTSTR lpString,      // text buffer
                  int nMaxCount         // maximum number of characters to copy
                 );

Open platform SDK (see Platform SDK setup page) for more information on how to obtain this free-downloadbale treasure). Go to GetWIndowText and you'll see the above. We've already explained that A means ANSI function and W means Unicode. Don't worry, both versions have the same parameters. This function belongs to USER32 so we should declare:

USER32:GetWindowTextA(HWND|LPTSTR|DWORD) in Hackman Breakpoint Editor. (Fortunately, this has been already declared for you). The following table gives you the currently covered modules.

Library
KERNEL32.DLL

USER32.DLL

GDI32.DLL

COMDLG32.DLL

If you see a microsoft module (like ADVAPI) you should declare the breakpoints by yourself. Otherwise, if the DLL is a 3-rd party you need to uncover its functions and guess its parameters or resolve to disassembly to find them out. But that will be explained later.

As the program is running, the events tab in Hackman Debugger is refreshing when an instruction that has been spied is found. You get the input values plus the result of the function. So now we know what API functions are being used and how the program is using them.

But of course there are more to know: data types, sctructures, built-in functions. For all these we have to resort to disassembly. To make our lives easier, Hackman Disassembler and Hackman Debugger can co-operate together. It's no use to diassemble whole file. You have to disassemble each section that you are interested in separately. Hackman Debugger can do that.

Return