
How do I determine what functions are being called in a binary?

The answer to this is not "see the import address table".

I am looking to do some analysis on a few binaries that I am generating, specifically to get a better idea of what libraries and Windows API functions I am using. I have used Dependency Walker to take a look at this, but some of the testing I have done indicates to me that there might be a lot of extra function calls put into the IAT, even if they aren't called.

What I am looking for is a way to determine what functions are being called... not just what is being put in the IAT.

The best way would probably be to reverse it and look at all of the 'CALL's, but I don't know a good way to do that either.

What is the best way to do this?

cylus asked Feb 02 '26 05:02


2 Answers

  1. Launch WinDbg (Debugging Tools of Windows).
  2. Open the executable you want to analyse.
  3. Run the following commands:

    • !logexts.loge
    • !logexts.logo e v (enables verbose logging)
    • !logexts.logo e t (enables text logging)
    • g

Open the logviewer tool that comes along with the debugging tools of Windows to see the APIs. The default log path is desktop\logexts.

Balu answered Feb 04 '26 19:02


If you are using link.exe to link your binary, pass the /MAP flag at the time of linking. This will generate a MAP file (binary.map); it will have the functions which are used (not all functions).

Naveen answered Feb 04 '26 17:02
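The question's idea of looking at the CALLs instead of the IAT can be approximated statically. The following is an added example, not code from either answer: it scans a code section for the `call [mem]` / `jmp [mem]` encodings (`FF 15` / `FF 25`) whose operand lands on an IAT slot, and reports which imports are never referenced that way. It is a byte-pattern scan rather than a disassembler, so it can match data bytes and it misses calls made through a register or through GetProcAddress; the function names, the IAT map and the sample bytes are all constructed for illustration.

```python
import struct

def referenced_iat_slots(code, code_va, iat, bits=32):
    """Map each import name to the VAs of the instructions that reference its IAT slot.

    code    -- raw bytes of an executable section such as .text
    code_va -- virtual address at which code[0] is mapped
    iat     -- {slot VA: "dll!Function"}, as read from the import table
    bits    -- 32: operand is an absolute VA; 64: operand is RIP-relative
    """
    hits = {}
    for i in range(len(code) - 5):
        # FF 15 = call [mem]; FF 25 = jmp [mem] (the linker's import thunk)
        if code[i] != 0xFF or code[i + 1] not in (0x15, 0x25):
            continue
        if bits == 32:
            slot = struct.unpack_from("<I", code, i + 2)[0]
        else:
            disp = struct.unpack_from("<i", code, i + 2)[0]
            slot = code_va + i + 6 + disp  # relative to the next instruction
        if slot in iat:
            hits.setdefault(iat[slot], []).append(code_va + i)
    return hits

def unreferenced_imports(code, code_va, iat, bits=32):
    """Imports present in the IAT that no scanned instruction points at."""
    found = referenced_iat_slots(code, code_va, iat, bits)
    return sorted(set(iat.values()) - set(found))

# Constructed sample: three IAT slots and 20 bytes of x86 code mapped at 0x401000.
SAMPLE_VA = 0x401000
SAMPLE_IAT = {
    0x402000: "kernel32.dll!GetTickCount",
    0x402004: "kernel32.dll!Sleep",
    0x402008: "user32.dll!MessageBoxA",  # imported, never referenced
}
SAMPLE_CODE = bytes.fromhex(
    "ff1500204000"  # call dword ptr [0x402000]
    "90"            # nop
    "ff1504204000"  # call dword ptr [0x402004]
    "c3"            # ret
    "ff2500204000"  # jmp  dword ptr [0x402000]  (thunk)
)

if __name__ == "__main__":
    for name, sites in referenced_iat_slots(SAMPLE_CODE, SAMPLE_VA, SAMPLE_IAT).items():
        print(name, [hex(va) for va in sites])
    print("unreferenced:", unreferenced_imports(SAMPLE_CODE, SAMPLE_VA, SAMPLE_IAT))
```

A slot that is referenced is still only a candidate: whether the call executes is what the WinDbg logging in the first answer records.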


