Import Table Functions

Sercan_ercan

lm shows loaded modules but how can we see import functions with Windbg?
Is there a command or extension?

Ken_Johnson

!dh <module>, read the headers to find the IAT, and dump it with dps.

- S

-----Original Message-----
From: [email protected] <[email protected]>
Sent: Sunday, May 10, 2009 12:30
To: Kernel Debugging Interest List <[email protected]>
Subject: [windbg] Import Table Functions


lm shows loaded modules but how can we see import functions with Windbg?
Is there a command or extension?

---
WINDBG is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Sercan_ercan

OK, it worked.
Thank you

raj_r

i use a dirty script to dump import names maybe you could use it

copy paste the following into a file names.txt in windbg dir and invoke with
$$>a< names.txt "your module name"

r $t0 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xd8)
r $t1 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xdc)
dps ${$arg1}+$t0 l? (($t1+4)/4)




On 5/11/09, [email protected] wrote:
>
> lm shows loaded modules but how can we see import functions with Windbg?
> Is there a command or extension?
>
> ---
> WINDBG is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>



--
thanks and regards

raj_r

raj_r

On 5/11/09, Skywing wrote:
>
> !dh , read the headers to find the IAT, and dump it with dps.


skywing how robust is this almost equivalent hack ?

r $t0 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xd8)
r $t1 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xdc)
dps ${$arg1}+$t0 l? (($t1+4)/4)

i use it like $$>a< parse.txt user32

0:000> $$>a< parse.txt user32
77d41000 7c90e213 ntdll!ZwQueryVirtualMemory
77d41004 7c937a40 ntdll!RtlUnwind
77d41008 7c90fb3d ntdll!RtlNtStatusToDosError
77d4100c 7c97c008 ntdll!NlsAnsiCodePage
77d41010 7c9105d4 ntdll!RtlAllocateHeap

i would have loved to use the !dh output earlier when i wrote that script

0:000> .shell -ci "!dh windbg" grep -i "import address"
1000 [ 4AC] address [size] of Import Address Table Directory
.shell: Process exited

but i cant find a way to pass that result to subsequent command or an easy
way to strip the ] (square bracket) appended to size

Tim_Roberts

raj_r wrote:
> i use a dirty script to dump import names maybe you could use it
>
> copy paste the following into a file names.txt in windbg dir and
> invoke with $$>a< names.txt "your module name"
>
> r $t0 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xd8)
> r $t1 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xdc)
> dps ${$arg1}+$t0 l? (($t1+4)/4)

I'm amazed you could type all of that with a straight face. Those are
commands only a Perl programmer could love.

--
Tim Roberts, [email protected]
Providenza & Boekelheide, Inc.

raj_r

On 5/13/09, Tim Roberts wrote:
>
> raj_r wrote:
> > i use a dirty script to dump import names maybe you could use it
> >
> > copy paste the following into a file names.txt in windbg dir and
> > invoke with $$>a< names.txt "your module name"
> >
> > r $t0 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xd8)
> > r $t1 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xdc)
> > dps ${$arg1}+$t0 l? (($t1+4)/4)
>
> I'm amazed you could type all of that with a straight face. Those are
> commands only a Perl programmer could love.
>
> --
> Tim Roberts, [email protected]
> Providenza & Boekelheide, Inc.


well windbg scripting is sometimes
worser/arcane/unwieldy/unreadable/indecipherable/ in many orders of
magnittude than perl

anyway for the record 0x3c is dos_elfawnew 0xd8 is Import Table Address
Address and 0xdc is Import Table Size

with a bit of patience this crap of script could be converted to use
something more readable and scripted too

0:000> dt -co ntdll!_image_nt_headers OptionalHeader.DataDirectory[0xc].
windbg+poi(windbg+0x3c)
OptionalHeader
DataDirectory [12]
VirtualAddress 0x1000 Size 0x4ac

but if you notice the input still has some ${$arg1} repalacement

Ken_Johnson

I would use the image header offsets from ntdll type info, but it'd come out to be the same less 64-bit support.

(Note that dwo and not poi would be more correct here as those are 32-bit fields, but the hardcoded offset breaks on 64-bit anyways as I recall.)

- S

________________________________
From: raj_r
Sent: Tuesday, May 12, 2009 14:44
To: Kernel Debugging Interest List
Subject: Re: [windbg] Import Table Functions



On 5/13/09, Tim Roberts > wrote:
raj_r wrote:
> i use a dirty script to dump import names maybe you could use it
>
> copy paste the following into a file names.txt in windbg dir and
> invoke with $$>a< names.txt "your module name"
>
> r $t0 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xd8)
> r $t1 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xdc)
> dps ${$arg1}+$t0 l? (($t1+4)/4)

I'm amazed you could type all of that with a straight face. Those are
commands only a Perl programmer could love.

--
Tim Roberts, [email protected]
Providenza & Boekelheide, Inc.

well windbg scripting is sometimes worser/arcane/unwieldy/unreadable/indecipherable/ in many orders of magnittude than perl

anyway for the record 0x3c is dos_elfawnew 0xd8 is Import Table Address Address and 0xdc is Import Table Size

with a bit of patience this crap of script could be converted to use something more readable and scripted too

0:000> dt -co ntdll!_image_nt_headers OptionalHeader.DataDirectory[0xc]. windbg+poi(windbg+0x3c)
OptionalHeader
DataDirectory [12]
VirtualAddress 0x1000 Size 0x4ac

but if you notice the input still has some ${$arg1} repalacement


--- WINDBG is sponsored by OSR For our schedule of WDF, WDM, debugging and other seminars visit: http://www.osr.com/seminars To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer