Import Table Functions

Sercan_ercan Member Posts: 137
lm shows loaded modules but how can we see import functions with Windbg?
Is there a command or extension?

Comments

  • Ken_Johnson Member - All Emails Posts: 1,559
    !dh <module>, read the headers to find the IAT, and dump it with dps.

    - S

    -----Original Message-----
    From: [email protected] <[email protected]>
    Sent: Sunday, May 10, 2009 12:30
    To: Kernel Debugging Interest List <[email protected]>
    Subject: [windbg] Import Table Functions


    lm shows loaded modules but how can we see import functions with Windbg?
    Is there a command or extension?

    ---
    WINDBG is sponsored by OSR

    For our schedule of WDF, WDM, debugging and other seminars visit:
    http://www.osr.com/seminars

    To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
  • Sercan_ercan Member Posts: 137
    OK, it worked.
    Thank you
  • raj_r Member - All Emails Posts: 983
    i use a dirty script to dump import names, maybe you could use it

    copy and paste the following into a file named names.txt in the windbg dir and invoke it with
    $$>a< names.txt "your module name"

    r $t0 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xd8)
    r $t1 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xdc)
    dps ${$arg1}+$t0 l? (($t1+4)/4)




    On 5/11/09, [email protected] wrote:
    >
    > lm shows loaded modules but how can we see import functions with Windbg?
    > Is there a command or extension?
    >



    --
    thanks and regards

    raj_r
  • raj_r Member - All Emails Posts: 983
    On 5/11/09, Skywing wrote:
    >
    > !dh <module>, read the headers to find the IAT, and dump it with dps.


    skywing how robust is this almost equivalent hack?

    r $t0 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xd8)
    r $t1 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xdc)
    dps ${$arg1}+$t0 l? (($t1+4)/4)

    i use it like $$>a< parse.txt user32

    0:000> $$>a< parse.txt user32
    77d41000 7c90e213 ntdll!ZwQueryVirtualMemory
    77d41004 7c937a40 ntdll!RtlUnwind
    77d41008 7c90fb3d ntdll!RtlNtStatusToDosError
    77d4100c 7c97c008 ntdll!NlsAnsiCodePage
    77d41010 7c9105d4 ntdll!RtlAllocateHeap

    i would have loved to use the !dh output earlier when i wrote that script

    0:000> .shell -ci "!dh windbg" grep -i "import address"
    1000 [ 4AC] address [size] of Import Address Table Directory
    .shell: Process exited

    but i can't find a way to pass that result to a subsequent command or an easy
    way to strip the ] (square bracket) appended to the size
  • Tim_Roberts Member - All Emails Posts: 13,489
    raj_r wrote:
    > i use a dirty script to dump import names maybe you could use it
    >
    > copy paste the following into a file names.txt in windbg dir and
    > invoke with $$>a< names.txt "your module name"
    >
    > r $t0 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xd8)
    > r $t1 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xdc)
    > dps ${$arg1}+$t0 l? (($t1+4)/4)

    I'm amazed you could type all of that with a straight face. Those are
    commands only a Perl programmer could love.

    --
    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.


  • raj_r Member - All Emails Posts: 983
    On 5/13/09, Tim Roberts wrote:
    >
    > raj_r wrote:
    > > i use a dirty script to dump import names maybe you could use it
    > >
    > > copy paste the following into a file names.txt in windbg dir and
    > > invoke with $$>a< names.txt "your module name"
    > >
    > > r $t0 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xd8)
    > > r $t1 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xdc)
    > > dps ${$arg1}+$t0 l? (($t1+4)/4)
    >
    > I'm amazed you could type all of that with a straight face. Those are
    > commands only a Perl programmer could love.
    >
    > --
    > Tim Roberts, [email protected]
    > Providenza & Boekelheide, Inc.


    well windbg scripting is sometimes
    worse/arcane/unwieldy/unreadable/indecipherable by many orders of
    magnitude than perl

    anyway for the record 0x3c is the dos header's e_lfanew, 0xd8 is the Import
    Address Table address and 0xdc is the Import Address Table size

    with a bit of patience this crap of a script could be converted to use
    something more readable and scripted too

    0:000> dt -co ntdll!_image_nt_headers OptionalHeader.DataDirectory[0xc]. windbg+poi(windbg+0x3c)
    OptionalHeader
    DataDirectory [12]
    VirtualAddress 0x1000 Size 0x4ac

    but if you notice the input still has some ${$arg1} replacement
  • Ken_Johnson Member - All Emails Posts: 1,559
    I would use the image header offsets from ntdll type info, but it'd come out to be the same less 64-bit support.

    (Note that dwo and not poi would be more correct here as those are 32-bit fields, but the hardcoded offset breaks on 64-bit anyways as I recall.)

    - S

    ________________________________
    From: raj_r
    Sent: Tuesday, May 12, 2009 14:44
    To: Kernel Debugging Interest List
    Subject: Re: [windbg] Import Table Functions



    On 5/13/09, Tim Roberts > wrote:
    raj_r wrote:
    > i use a dirty script to dump import names maybe you could use it
    >
    > copy paste the following into a file names.txt in windbg dir and
    > invoke with $$>a< names.txt "your module name"
    >
    > r $t0 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xd8)
    > r $t1 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xdc)
    > dps ${$arg1}+$t0 l? (($t1+4)/4)

    I'm amazed you could type all of that with a straight face. Those are
    commands only a Perl programmer could love.

    --
    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

    well windbg scripting is sometimes worser/arcane/unwieldy/unreadable/indecipherable/ in many orders of magnittude than perl

    anyway for the record 0x3c is dos_elfawnew 0xd8 is Import Table Address Address and 0xdc is Import Table Size

    with a bit of patience this crap of script could be converted to use something more readable and scripted too

    0:000> dt -co ntdll!_image_nt_headers OptionalHeader.DataDirectory[0xc]. windbg+poi(windbg+0x3c)
    OptionalHeader
    DataDirectory [12]
    VirtualAddress 0x1000 Size 0x4ac

    but if you notice the input still has some ${$arg1} repalacement


    --- WINDBG is sponsored by OSR For our schedule of WDF, WDM, debugging and other seminars visit: http://www.osr.com/seminars To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
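The offsets raj_r lists (0x3c for e_lfanew, 0xd8/0xdc for DataDirectory[12]) and Ken's caveat about the hardcoded offset breaking on 64-bit images can be checked with a small PE header walker. The following is an added example written for this page, not code posted by anyone in the thread: it derives the IAT directory from the optional-header magic instead of hardcoding the offset, so it lands on nt+0xd8 for PE32 and nt+0xe8 for PE32+, and then walks the IAT slots the way `dps` does. The PE image it parses is constructed in memory (headers plus an IAT at RVA 0x1000, no sections or import descriptors), and the slot values and the 0x77d40000 base are sample numbers modelled on the thread's user32/ntdll output; all function names are this example's own.

```python
import struct

# Directory indices from the PE spec (IMAGE_DIRECTORY_ENTRY_*); 12 is the one
# raj_r's script reaches with the hardcoded +0xd8/+0xdc.
IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMAGE_DIRECTORY_ENTRY_IAT = 12
PE32_MAGIC = 0x10B      # 32-bit optional header
PE32PLUS_MAGIC = 0x20B  # 64-bit optional header


def nt_headers_offset(image):
    """Return the offset of IMAGE_NT_HEADERS: IMAGE_DOS_HEADER.e_lfanew lives at +0x3c."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew


def optional_header_layout(image):
    """Return (optional_header_offset, data_directory_offset, pointer_size).

    Signature (4) + IMAGE_FILE_HEADER (20) = 0x18, so the optional header starts at
    nt + 0x18.  The DataDirectory array sits at +0x60 of a PE32 optional header and
    at +0x70 of a PE32+ one, which is why a hardcoded 0xd8 only works for 32-bit.
    """
    nt = nt_headers_offset(image)
    opt = nt + 0x18
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == PE32_MAGIC:
        return opt, opt + 0x60, 4
    if magic == PE32PLUS_MAGIC:
        return opt, opt + 0x70, 8
    raise ValueError("unknown optional header magic 0x%x" % magic)


def data_directory(image, index):
    """Return (VirtualAddress, Size) of DataDirectory[index]; (0, 0) if absent."""
    _, dd, _ = optional_header_layout(image)
    # NumberOfRvaAndSizes is the DWORD immediately before the directory array.
    count = struct.unpack_from("<I", image, dd - 4)[0]
    if index >= count:
        return 0, 0
    # Both fields are 32-bit even on PE32+ (Ken's point about dwo vs poi).
    return struct.unpack_from("<II", image, dd + index * 8)


def iat_directory_offset(image):
    """Absolute offset of DataDirectory[12]: nt+0xd8 on PE32, nt+0xe8 on PE32+."""
    _, dd, _ = optional_header_layout(image)
    return dd + IMAGE_DIRECTORY_ENTRY_IAT * 8


def dump_iat(image, image_base):
    """Walk the IAT like `dps base+rva L size/ptr` would: (address, slot value) pairs.

    `image` is the module as mapped in memory (RVA == offset), i.e. what a debugger
    sees after the loader filled the slots.  Zero slots are the terminators that
    separate per-DLL thunk arrays, and dps shows them too.
    """
    _, _, ptr = optional_header_layout(image)
    rva, size = data_directory(image, IMAGE_DIRECTORY_ENTRY_IAT)
    fmt = "<I" if ptr == 4 else "<Q"
    return [(image_base + off, struct.unpack_from(fmt, image, off)[0])
            for off in range(rva, rva + size, ptr)]


def build_image(magic, iat_values):
    """Constructed minimal PE image for the demo: headers plus an IAT at RVA 0x1000.

    Not a real module: section table and import descriptors are omitted because
    the directory lookup above does not need them.
    """
    ptr = 4 if magic == PE32_MAGIC else 8
    opt_size = 0xE0 if magic == PE32_MAGIC else 0xF0    # standard sizes, 16 directories
    machine = 0x014C if magic == PE32_MAGIC else 0x8664  # i386 / x64
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew: NT headers follow
    file_header = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    dd_off = 0x60 if ptr == 4 else 0x70
    struct.pack_into("<I", opt, dd_off - 4, 16)          # NumberOfRvaAndSizes
    iat_rva = 0x1000
    iat = b"".join(struct.pack("<I" if ptr == 4 else "<Q", v) for v in iat_values) + b"\0" * ptr
    struct.pack_into("<II", opt, dd_off + IMAGE_DIRECTORY_ENTRY_IAT * 8, iat_rva, len(iat))
    image = bytearray(iat_rva + len(iat))
    headers = bytes(dos) + b"PE\0\0" + file_header + bytes(opt)
    image[:len(headers)] = headers
    image[iat_rva:] = iat
    return bytes(image)


if __name__ == "__main__":
    # Constructed slot values modelled on the thread's ntdll addresses.
    sample = build_image(PE32_MAGIC, [0x7C90E213, 0x7C937A40, 0x7C90FB3D])
    for addr, value in dump_iat(sample, 0x77D40000):
        print("%08x %08x" % (addr, value))
```

Running it prints the same `address value` pairs as raj_r's `dps` line, minus the symbol names, which only the debugger can resolve. The two facts that matter for making the script robust are visible in `optional_header_layout` and `data_directory`: the directory array moves from +0x60 to +0x70 of the optional header on PE32+, and VirtualAddress/Size stay 32-bit fields either way, which is Ken's reason for preferring `dwo` over `poi`.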