lm shows loaded modules but how can we see import functions with Windbg?
Is there a command or extension?
!dh, read the headers to find the IAT, and dump it with dps.
- S
-----Original Message-----
From: xxxxx@gmail.com
Sent: Sunday, May 10, 2009 12:30
To: Kernel Debugging Interest List
Subject: [windbg] Import Table Functions
lm shows loaded modules but how can we see import functions with Windbg?
Is there a command or extension?
—
WINDBG is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
OK, it worked.
Thank you
I use a dirty script to dump import names; maybe you could use it.
Copy-paste the following into a file names.txt in the windbg dir and invoke with
$$>a< names.txt "your module name"
$$ IAT directory RVA: DataDirectory[12].VirtualAddress at NT headers + 0xd8 (PE32 layout, 32-bit fields)
r $t0 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xd8)
$$ IAT directory size: DataDirectory[12].Size at NT headers + 0xdc
r $t1 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xdc)
$$ dump base+RVA as symbols, one entry per 4-byte pointer slot
dps ${$arg1}+$t0 l? (($t1+4)/4)
On 5/11/09, xxxxx@gmail.com wrote:
>
> lm shows loaded modules but how can we see import functions with Windbg?
> Is there a command or extension?
>
–
thanks and regards
raj_r
On 5/11/09, Skywing wrote:
>
> !dh , read the headers to find the IAT, and dump it with dps.
Skywing, how robust is this almost equivalent hack?
r $t0 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xd8)
r $t1 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xdc)
dps ${$arg1}+$t0 l? (($t1+4)/4)
I use it like $$>a< parse.txt user32
0:000> $$>a< parse.txt user32
77d41000 7c90e213 ntdll!ZwQueryVirtualMemory
77d41004 7c937a40 ntdll!RtlUnwind
77d41008 7c90fb3d ntdll!RtlNtStatusToDosError
77d4100c 7c97c008 ntdll!NlsAnsiCodePage
77d41010 7c9105d4 ntdll!RtlAllocateHeap
I would have loved to use the !dh output earlier when I wrote that script:
0:000> .shell -ci "!dh windbg" grep -i "import address"
1000 [4AC] address [size] of Import Address Table Directory
.shell: Process exited
but I can't find a way to pass that result to a subsequent command, or an easy
way to strip the ] (square bracket) appended to the size.
raj_r wrote:
i use a dirty script to dump import names maybe you could use it
copy paste the following into a file names.txt in windbg dir and
invoke with $$>a< names.txt "your module name"
r $t0 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xd8)
r $t1 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xdc)
dps ${$arg1}+$t0 l? (($t1+4)/4)
I’m amazed you could type all of that with a straight face. Those are
commands only a Perl programmer could love.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
On 5/13/09, Tim Roberts wrote:
>
> raj_r wrote:
> > i use a dirty script to dump import names maybe you could use it
> >
> > copy paste the following into a file names.txt in windbg dir and
> > invoke with $$>a< names.txt “your module name”
> >
> > r $t0 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xd8)
> > r $t1 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xdc)
> > dps ${$arg1}+$t0 l? (($t1+4)/4)
>
> I’m amazed you could type all of that with a straight face. Those are
> commands only a Perl programmer could love.
>
> –
> Tim Roberts, xxxxx@probo.com
> Providenza & Boekelheide, Inc.
Well, windbg scripting is sometimes worse/arcane/unwieldy/unreadable/indecipherable by many orders of
magnitude than perl.
Anyway, for the record: 0x3c is the DOS header's e_lfanew, 0xd8 is the Import Table Address and 0xdc is the Import Table Size.
With a bit of patience this crap of a script could be converted to use
something more readable and scripted too:
0:000> dt -co ntdll!_image_nt_headers OptionalHeader.DataDirectory[0xc]. windbg+poi(windbg+0x3c)
OptionalHeader
DataDirectory [12]
VirtualAddress 0x1000 Size 0x4ac
But if you notice, the input still has some ${$arg1} replacement.
I would use the image header offsets from ntdll type info, but it’d come out to be the same less 64-bit support.
(Note that dwo and not poi would be more correct here as those are 32-bit fields, but the hardcoded offset breaks on 64-bit anyways as I recall.)
- S
From: raj_r
Sent: Tuesday, May 12, 2009 14:44
To: Kernel Debugging Interest List
Subject: Re: [windbg] Import Table Functions
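An added example, not from the thread: the same header walk raj_r's script does (hard-coded NT headers + 0xd8 / 0xdc) next to the by-type walk Skywing suggests, run over a constructed PE header so the PE32 vs PE32+ difference he mentions is visible. The function and constant names are the example's own; the 0x1000 / 0x4ac values come from the !dh grep above.

```python
import struct

IMAGE_DIRECTORY_ENTRY_IAT = 12          # the DataDirectory index raj_r's dt command shows as [0xc]
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B

def iat_directory_hardcoded(image: bytes):
    # raj_r's script as arithmetic: poi(base+poi(base+0x3c)+0xd8) and +0xdc.
    # 0xd8 = Signature(4) + FileHeader(20) + 0x60 to DataDirectory + 12*8, valid for PE32 only.
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    return struct.unpack_from("<II", image, e_lfanew + 0xD8)

def iat_directory_by_headers(image: bytes):
    # Skywing's approach: walk IMAGE_DOS_HEADER -> IMAGE_NT_HEADERS and let
    # OptionalHeader.Magic decide where the DataDirectory array starts.
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                                 # skip Signature + IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == PE32_MAGIC:
        dirs = opt + 0x60                                   # IMAGE_OPTIONAL_HEADER32.DataDirectory
    elif magic == PE32PLUS_MAGIC:
        dirs = opt + 0x70                                   # IMAGE_OPTIONAL_HEADER64.DataDirectory
    else:
        raise ValueError("unknown OptionalHeader.Magic 0x%x" % magic)
    count = struct.unpack_from("<I", image, dirs - 4)[0]   # NumberOfRvaAndSizes precedes the array
    if IMAGE_DIRECTORY_ENTRY_IAT >= count:
        return (0, 0)                                       # image has no IAT directory entry
    return struct.unpack_from("<II", image, dirs + IMAGE_DIRECTORY_ENTRY_IAT * 8)

def make_header(magic: int, iat_rva: int, iat_size: int) -> bytes:
    # Constructed, non-loadable header: only the fields the two walkers read are filled in.
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xE0 if magic == PE32_MAGIC else 0xF0
    nt = bytearray(4 + 20 + opt_size)
    nt[:4] = b"PE\0\0"
    struct.pack_into("<H", nt, 4 + 16, opt_size)            # FileHeader.SizeOfOptionalHeader
    opt = 4 + 20
    struct.pack_into("<H", nt, opt, magic)
    dirs = opt + (0x60 if magic == PE32_MAGIC else 0x70)
    struct.pack_into("<I", nt, dirs - 4, 16)               # NumberOfRvaAndSizes
    struct.pack_into("<II", nt, dirs + IMAGE_DIRECTORY_ENTRY_IAT * 8, iat_rva, iat_size)
    return bytes(dos + nt)
```

On a PE32+ header the hard-coded 0xd8 lands 0x10 bytes short of the IAT entry, i.e. on DataDirectory[10] (Load Config), which is why the one-liner returns zeros there while the by-type walk still finds the directory.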