5.6 用OllyDbg获取函数调用序列

https://scz.617.cn/misc/201505221529.txt

Q:

调试中我想从地址A执行到地址B，有办法获取这个过程中的函数调用序列吗？

A:

API Spying with OllyDbg - [2008-02-09]
http://www.openrce.org/forums/posts/715

用OD打开calc.exe，使之停在"Program entry point"->Alt-E->comctl32->右键菜单->
Follow entry->Ctrl-A->右键菜单->Search for->All intermodular calls->
"Found intermodular calls"窗口->右键菜单->Set log breakpoint on every command->
条件记录断点对话框->Log function arguments->Always->OK

Alt-L->日志窗口->右键菜单->Log to file->comctl32.log

Alt-C->代码窗口->F9

查看comctl32.log，类似这样的输出:

--------------------------------------------------------------------------
773F3DF1  CALL to GetWindowLongW
            hWnd = 002101CA (class='Edit')
            Index = 0.
...
773F4255  CALL to GetProcessHeap
773F425C  CALL to HeapAlloc
            hHeap = 000C0000
            Flags = HEAP_ZERO_MEMORY
            HeapSize = 128 (296.)
...
773F6C86  CALL to IsWindowEnabled
            hWnd = 00380332 ('1/x',class='Button',parent=003A030E)
...
773EB006  CALL to SendMessageW
            hWnd = 0x3A030E
            Message = WM_NOTIFY
            wParam = 0x6D
            lParam = 0x7FB14
...
773EA498  CALL to GetWindowThreadProcessId
            hWnd = 003A030E ('Calculator',class='SciCalc')
            pProcessID = 0007FA78
773EA4A6  CALL to GetCurrentProcessId
773EB006  CALL to SendMessageW
            hWnd = 0x3A030E
            Message = WM_NOTIFY
            wParam = 0x6D
            lParam = 0x7FB14
...
--------------------------------------------------------------------------