
An application I'm reversing frequently outputs debug strings. Some of them could aid me in locating the code I'm looking for, but somehow, the app doesn't seem to be using OutputDebugString at all (I've used IDA's Imports window, Olly's Search for intermodular calls, and dumpbin /IMPORTS). The program only imports native Windows DLLs and one custom library which does call the function, but I've checked it and all its debug strings are internal stuff; there's no exported logging function for my exe.

Additionally, the debug strings being printed cannot be found inside the exe (again, tried both Olly and IDA).

Is it possible that the call is somehow hidden by not using WinAPI? Since the program is in no way protected, I find the use of any such techniques highly unlikely, but could that be why I can't find anything using "ordinary" methods?

3 Answers

3

Ollydbg

Alt+O -> events -> check mark break on debug string on break

Hit Alt+K to view call stack

WinDbg

sx- -c "kc" out 

This will print the call stack automatically on each and every DebugString.

0:000> g
This is from Win32Api Going deeper now
kernel32!RaiseException
kernel32!OutputDebugStringA
dbgprints!wmain
dbgprints!__tmainCRTStartup
kernel32!BaseProcessStart
hello from ntdll!DbgPrint
ntdll!vDbgPrintExWithPrefix
ntdll!DbgPrint
dbgprints!wmain
dbgprints!__tmainCRTStartup
kernel32!BaseProcessStart
(5d8.950): Unknown exception - code eaceba5e (first chance)
This String is from RaiseException argument 1
1
  • Found it using only OllyDbg and your method - I guess the "Accept" goes to you sir. Commented Oct 17, 2014 at 16:51
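A small helper for reading that kind of transcript, added here as an example and not part of the answer above: it splits the debugger output into the strings the target printed and the `kc` frames beneath each one, then reports the first frame outside kernel32/kernelbase/ntdll, which is the module that actually emitted the string. The sample transcript is constructed to mirror the answer's output; the module name `dbgprints` is taken from it.

```python
import re
from typing import Dict, Optional

# Constructed sample of what WinDbg prints after `sx- -c "kc" out` when the
# target emits two debug strings and then raises an unrelated exception.
# Hand-written to mirror the answer above; not captured from a real run.
SAMPLE_OUTPUT = """\
0:000> g
This is from Win32Api Going deeper now
kernel32!RaiseException
kernel32!OutputDebugStringA
dbgprints!wmain
dbgprints!__tmainCRTStartup
kernel32!BaseProcessStart
hello from ntdll!DbgPrint
ntdll!vDbgPrintExWithPrefix
ntdll!DbgPrint
dbgprints!wmain
dbgprints!__tmainCRTStartup
kernel32!BaseProcessStart
(5d8.950): Unknown exception - code eaceba5e (first chance)
"""

# A `kc` frame is "module!symbol", optionally preceded by a two-digit frame index.
FRAME_RE = re.compile(r"^\s*(?:[0-9a-f]{2}\s+)?([A-Za-z0-9_]+)!(\S+)\s*$")
PROMPT_RE = re.compile(r"^\d+:\d+>")
# Modules that implement the debug-string plumbing; never the real origin.
SYSTEM_MODULES = {"kernel32", "kernelbase", "ntdll"}


def attribute_debug_strings(text: str) -> Dict[str, Optional[str]]:
    """Map each printed line to the first non-system frame of the stack that
    follows it. Lines with no usable stack (e.g. exception notices) map to None."""
    result: Dict[str, Optional[str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        frame = FRAME_RE.match(line)
        if frame:
            module, symbol = frame.groups()
            # Keep only the first frame that is not OS debug-print plumbing.
            if current is not None and result[current] is None \
                    and module.lower() not in SYSTEM_MODULES:
                result[current] = f"{module}!{symbol}"
            continue
        stripped = line.strip()
        if not stripped or PROMPT_RE.match(stripped) or stripped.startswith("#"):
            continue  # blank line, debugger prompt, or `kc` column header
        current = stripped  # a message the target printed, or an event notice
        result.setdefault(current, None)
    return result
```

Entries that stay `None` are debugger notices rather than debug strings and can be filtered out; a string that reaches a frame in an unexpected module (the custom library, or only system frames) tells you where to look next.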
2

Some debuggers can pause the program when it prints a debug message. Then you can go up the stack trace and see whence it is coming.


1

Set a breakpoint on OutputDebugString(); when the breakpoint hits, check the callstack to find the source of the call.

I can't, that's the point - it doesn't seem to be called, yet the strings are output.

Then the strings aren't being output by the executable. Attach WinDbg to your system and set breakpoints on nt!DbgPrint and nt!DbgPrintEx; when the breakpoint hits, check the callstack to find the source of the call.

2
  • I can't, that's the point - it doesn't seem to be called, yet the strings are output. Commented Oct 15, 2014 at 19:13
  • 1
    About the edit: that's what I was talking about - thanks :) Commented Oct 15, 2014 at 19:29
