API Breakpoint

[AndreiN]

Hello everyone!I am trying at the moment to code an unpacker for several different compressors and packers using the TitanEngine Community edition. One of the things which I am trying to do is to set a breakpoint on an API (GetProcAddress). However, my callback code seems to be called only in cases where the breakpoint is placed at the begining of the API :

 

SetAPIBreakPoint("KERNEL32.DLL","GetProcAddress",UE_BREAKPOINT,UE_APISTART,(void*)cbCallBack);

 

If I am change the UE_APISTART with APIEND, the callback never gets called. The thing is that I would need to be able to land somewhere near the end of the API call and return from there. Does anyone know how I can do this?

I apologize if this is not the correct thread to post this question.
 

[xSRTsect]

Just because your api is called it doesn't mean that the end of the api is executed. Are you sure that, whatever you are trying to execute actually executes:

7C80AC86     C9                               LEAVE

7C80AC87     C2 0800                          RET 8

[mrexodia]

@AndreiN: UE_APIEND just searches for the first RET instruction and puts a breakpoint there. Just go for UE_APISTART and use StepOut from there (StepOut will trace to the return value).

Greetings

[n0th!ng]

if you change the library from kernel32 to kernelbase it will work

cause after calling GetProcAddress in kernel32

you will find 2 jump ,lead you to GetProcAddress in kernelbase

[mrexodia]

Thats because there is no ret instruction in all cases inside kernel32. Its a forwarder, but not in all cases and its also different on windows xp. you should use kernel32, since this is the official dll, kernelbase is subject to changes.