how do i disassemble a function in a library.

roman_atood · October 26, 2015, 6:20am

How do i disassemble function or a Library on windows?
i have installed windbg. I want to disassemble some Cryptographic function from Crypt32.dll. How do i do that ?
second Question what function from cyrpt32 library end up calling which kernel mode driver ?

Kind Regards,

Maxim_S_Shatskih · October 26, 2015, 9:14am

“Open Crash Dump” for an .exe/.dll will open the disassembler mode.

wrote in message news:xxxxx@ntdev…
> How do i disassemble function or a Library on windows?
> i have installed windbg. I want to disassemble some Cryptographic function from Crypt32.dll. How do i do that ?
> second Question what function from cyrpt32 library end up calling which kernel mode driver ?
>
> Kind Regards,
>

raj_r · October 26, 2015, 4:12pm

as maxim said use the -z option to load the dll as dump file

C:\>CDB -c “uf crypt32!MD5Init;q” -z C:\WINDOWS\system32\crypt32.dll
| grep -A 100 -i init.*:

crypt32!MD5Init:
77a9591a 8bff mov edi,edi
77a9591c 55 push ebp
77a9591d 8bec mov ebp,esp
77a9591f 8b4508 mov eax,dword ptr [ebp+8]
77a95922 c70000000000 mov dword ptr [eax],0
77a95928 c7400400000000 mov dword ptr [eax+4],0
77a9592f c7400801234567 mov dword ptr [eax+8],67452301h
77a95936 c7400c89abcdef mov dword ptr [eax+0Ch],0EFCDAB89h
77a9593d c74010fedcba98 mov dword ptr [eax+10h],98BADCFEh
77a95944 c7401476543210 mov dword ptr [eax+14h],10325476h
77a9594b 5d pop ebp
77a9594c c20400 ret 4
quit:

your second question is not quiet understandable
every function in crypt32 that calls some of the advapi . kernel , or
ntdll .dlls function can end up in kernel

running !imports on crypt32 says it imports from advapi32

0:000> .shell -ci "!imports crypt32 " grep -i crypt
crypt32 crypt32 Imports from file: ADVAPI32.dll
CryptAcquireContextA

this function calls RegOpenKey which calls NtOpenKey which goes into kernel
clarify

On 10/26/15, Maxim S. Shatskih wrote:
> “Open Crash Dump” for an .exe/.dll will open the disassembler mode.
>
> wrote in message news:xxxxx@ntdev…
>> How do i disassemble function or a Library on windows?
>> i have installed windbg. I want to disassemble some Cryptographic function
>> from Crypt32.dll. How do i do that ?
>> second Question what function from cyrpt32 library end up calling which
>> kernel mode driver ?
>>
>> Kind Regards,
>>
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
>
> OSR is HIRING!! See http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>