How do I determine what functions are being called in a binary?

Question

The answer to this is not "see the import address table".

I am looking to do some analysis on a few binaries that I am generating, specifically to get a better idea of what libraries and windows API functions I am using. I have used Dependency Walker to take a look at this, but some of the testing I have done indicates to me that there might be a lot of extra function calls put into the IAT, even if they arent called.

What I am looking for is a way to determine what functions are being called... not just what is being put in the IAT.

The best way would probably be to reverse it and look at all of the 'CALL's but I dont know a good way to do that either.

What is the best way to do this?

Answer 1

If you are using link.exe to link your binary, pass /MAP flag at the time of linking. This will generate a MAP file(binary.map)...it will have functions which are used(not all functions).

Answer 2

1. Launch WinDbg (Debugging tools of windows)
2. Open the executable you want to analyse.

3. run the following commands

   • !logexts.loge
   • !logexts.logo e v (enables verbose logging)
   • !logexts.logo e t (enables text logging)
   • g

Open the logviewer tool come along with debugging tools of windows to see the api's, Default logs path is desktop\logexts

Answer 3

I don't know if it's the "best way", but I would kinda agree to your suggestion that all the CALLs give a good overview.

With the "Ollydbg" debugger you can load your program, go the the exe module of your process and rightclick -> search for -> all intermodular calls.

This gives you a nice sortable, searchable list of all "CALL"s that appear in your module and lead to other modules.