I am using Immunity Debugger to do API (intermodullar) calls logging using code similar to this:
*** Immunity Debugger Python Shell v0.1 ***
Immlib instanciated as 'imm' PyObject
>>>stacks = imm.callStack()
>>>main_call = False
>>>for i in stacks:
>>> if i.getProcedure().startswith(" ") == False:
>>> if main_call == True:
>>> main_call = True
>>> print "Main Call %s" % i.getProcedure()
>>> print "Argument: %s" % i.getProcedure()
Main Call kernel32.CreateFileA
Argument: FileName = "C:\WINDOWS\System32\drivers\etc\services"
Argument: Access = GENERIC_READ
Argument: ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
Argument: pSecurity = 0345EFC4
Argument: Mode = OPEN_EXISTING
Argument: Attributes = NORMAL
Argument: hTemplateFile = NULL
Of course with this example kernel32.dll has full debug symbols so the result displays correctly the parameters names and content.
How would it be possible to do the same display formating with dlls which don't have debug symblos, but for which you know the function parameters names and type?
I guess I could make some kind of file with function prototypes but then I don't know how to deal with the python script and callstack.getProcedure or such.