Question

I'm trying to reverse-engineer an undocumented protocol. A server is sending UDP updates to a client, and I have the client application in OllyDbg. Within Olly, I see that the function recvfrom in WS2_32.dll is used to get the data I'm interested in (verified with Wireshark). I'm wondering how I can see where this data goes within the application. The thread that calls recvfrom appears to be simply looping and storing the data in the heap, and as it loops it overwrites it with new data. This leads me to believe that a separate thread is actually parsing the data, as shown below:

[screenshot: threads]

My ultimate goal is to follow the data as it flows within the client to see how it is parsed, and eventually document the protocol.

To sum up: my question is, how would you go about determining which thread is involved in handling data located in a known heap memory location?


Solution

I figured out how I can do this.

1) Break as soon as the thread that calls recvfrom() stores the received data in the heap.

2) In OllyDbg, you can right-click in the heap and set a breakpoint on memory access (or write). The thread that it breaks on is the thread that is accessing the memory that was previously written by the thread with recvfrom().
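
The mechanism behind OllyDbg's memory-access breakpoint is page protection: the page holding the buffer is made inaccessible, the first thread to touch it faults, and the debugger reads the faulting thread's identity before letting the access proceed. The following is an added example, not the poster's code, that reproduces the two-step procedure above as a self-contained POSIX program (Linux/glibc assumed): a receiver thread stands in for the recvfrom() loop and copies a constructed datagram into a page-aligned buffer, the buffer is then armed with mprotect(PROT_NONE), and a parser thread reads it so the SIGSEGV handler can record which thread fired the watchpoint. All names (run_watchpoint_demo, receiver_thread, parser_thread) and the datagram bytes are invented for the example.

```c
#define _GNU_SOURCE
#include <pthread.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Page-aligned buffer standing in for the heap block the recvfrom() thread fills
 * (constructed here; in the real client it is the heap address found in OllyDbg). */
static unsigned char *g_buf;
static size_t g_pagesize;

/* Filled in by the fault handler: did the watchpoint fire, in which thread, where. */
static volatile int g_hit = 0;
static volatile pthread_t g_hit_thread;
static void *volatile g_hit_addr;

/* Software "break on memory access": the page is PROT_NONE, so the first touch
 * faults; the handler runs in the faulting thread and records pthread_self(),
 * then re-opens the page so the access completes (a one-shot watchpoint). */
static void on_access(int sig, siginfo_t *si, void *ctx) {
    (void)sig; (void)ctx;
    uintptr_t a = (uintptr_t)si->si_addr;
    if (a >= (uintptr_t)g_buf && a < (uintptr_t)g_buf + g_pagesize) {
        g_hit = 1;
        g_hit_thread = pthread_self();
        g_hit_addr = si->si_addr;
        mprotect(g_buf, g_pagesize, PROT_READ | PROT_WRITE);
        return;
    }
    signal(SIGSEGV, SIG_DFL); /* fault outside the watched page: not ours */
}

/* Stands in for the recvfrom() loop: stores a constructed datagram in the buffer. */
static void *receiver_thread(void *arg) {
    (void)arg;
    /* Constructed sample datagram: type 0x0101, little-endian length 4, payload "ABCD". */
    static const unsigned char datagram[] = { 0x01, 0x01, 0x04, 0x00, 'A', 'B', 'C', 'D' };
    memcpy(g_buf, datagram, sizeof datagram);
    return NULL;
}

/* Stands in for the unknown consumer: its first read of the header trips the watchpoint. */
static void *parser_thread(void *arg) {
    (void)arg;
    volatile unsigned char *p = g_buf;                 /* volatile: keep the read order */
    uint16_t type = (uint16_t)(p[0] | (p[1] << 8));    /* faults -> on_access -> resumes */
    uint16_t len  = (uint16_t)(p[2] | (p[3] << 8));
    int hit_was_me = g_hit && pthread_equal(g_hit_thread, pthread_self());
    return (void *)(intptr_t)(hit_was_me && type == 0x0101 && len == 4);
}

/* Runs the two steps from the answer. Returns 1 if the access breakpoint fired in
 * the parser thread and not in the receiver, 0 otherwise. */
int run_watchpoint_demo(void) {
    g_pagesize = (size_t)sysconf(_SC_PAGESIZE);
    g_buf = mmap(NULL, g_pagesize, PROT_READ | PROT_WRITE,
                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (g_buf == MAP_FAILED) return 0;

    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_access;
    sa.sa_flags = SA_SIGINFO;
    sigaction(SIGSEGV, &sa, &old);

    /* Step 1: let the receiver store the data ("break after recvfrom() writes the heap"). */
    pthread_t recv_t, parse_t;
    pthread_create(&recv_t, NULL, receiver_thread, NULL);
    pthread_join(recv_t, NULL);
    int receiver_triggered = g_hit;          /* page still open here, so this stays 0 */

    /* Step 2: arm the memory-access breakpoint on the block and let execution continue. */
    mprotect(g_buf, g_pagesize, PROT_NONE);
    void *parser_result = NULL;
    pthread_create(&parse_t, NULL, parser_thread, NULL);
    pthread_join(parse_t, &parser_result);

    sigaction(SIGSEGV, &old, NULL);
    int ok = !receiver_triggered && g_hit && (int)(intptr_t)parser_result;
    munmap(g_buf, g_pagesize);
    return ok;
}

int main(void) {
    int ok = run_watchpoint_demo();
    printf("access breakpoint fired in %s thread, offset %ld into the buffer\n",
           ok ? "the parser" : "an unexpected",
           (long)((unsigned char *)g_hit_addr - g_buf));
    return ok ? 0 : 1;
}
```

The point of arming the page only after the receiver has stored its data is the same as in the answer: with the breakpoint set earlier, the recvfrom() thread itself would be the first to trip it and you would learn nothing new. A debugger additionally single-steps and re-arms the page so the breakpoint keeps firing; the example stops after the first hit, which is all that is needed to name the consuming thread.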

License: CC-BY-SA with attribution
Not affiliated with StackOverflow