Comments
- S
-----Original Message-----
From: [email protected] <[email protected]>
Sent: Sunday, May 10, 2009 12:30
To: Kernel Debugging Interest List <[email protected]>
Subject: [windbg] Import Table Functions
lm shows loaded modules but how can we see import functions with Windbg?
Is there a command or extension?
---
WINDBG is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
Thank you
copy paste the following into a file names.txt in windbg dir and invoke with
$$>a< names.txt "your module name"
r $t0 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xd8)
r $t1 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xdc)
dps ${$arg1}+$t0 l? (($t1+4)/4)
On 5/11/09, [email protected] wrote:
>
> lm shows loaded modules but how can we see import functions with Windbg?
> Is there a command or extension?
>
--
thanks and regards
raj_r
>
> !dh , read the headers to find the IAT, and dump it with dps.
skywing how robust is this almost equivalent hack?
r $t0 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xd8)
r $t1 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xdc)
dps ${$arg1}+$t0 l? (($t1+4)/4)
I use it like $$>a< parse.txt user32
0:000> $$>a< parse.txt user32
77d41000 7c90e213 ntdll!ZwQueryVirtualMemory
77d41004 7c937a40 ntdll!RtlUnwind
77d41008 7c90fb3d ntdll!RtlNtStatusToDosError
77d4100c 7c97c008 ntdll!NlsAnsiCodePage
77d41010 7c9105d4 ntdll!RtlAllocateHeap
I would have loved to use the !dh output earlier when I wrote that script
0:000> .shell -ci "!dh windbg" grep -i "import address"
1000 [ 4AC] address [size] of Import Address Table Directory
.shell: Process exited
but I can't find a way to pass that result to a subsequent command or an easy
way to strip the ] (square bracket) appended to the size
> i use a dirty script to dump import names maybe you could use it
>
> copy paste the following into a file names.txt in windbg dir and
> invoke with $$>a< names.txt "your module name"
>
> r $t0 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xd8)
> r $t1 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xdc)
> dps ${$arg1}+$t0 l? (($t1+4)/4)
I'm amazed you could type all of that with a straight face. Those are
commands only a Perl programmer could love.
--
Tim Roberts, [email protected]
Providenza & Boekelheide, Inc.
>
> raj_r wrote:
> > i use a dirty script to dump import names maybe you could use it
> >
> > copy paste the following into a file names.txt in windbg dir and
> > invoke with $$>a< names.txt "your module name"
> >
> > r $t0 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xd8)
> > r $t1 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xdc)
> > dps ${$arg1}+$t0 l? (($t1+4)/4)
>
> I'm amazed you could type all of that with a straight face. Those are
> commands only a Perl programmer could love.
>
> --
> Tim Roberts, [email protected]
> Providenza & Boekelheide, Inc.
well windbg scripting is sometimes
worse/arcane/unwieldy/unreadable/indecipherable by many orders of
magnitude than perl
anyway for the record 0x3c is the DOS header's e_lfanew, 0xd8 is the Import Table
Address and 0xdc is the Import Table Size
with a bit of patience this crap of a script could be converted to use
something more readable and scripted too
0:000> dt -co ntdll!_image_nt_headers OptionalHeader.DataDirectory[0xc]. windbg+poi(windbg+0x3c)
OptionalHeader
DataDirectory [12]
VirtualAddress 0x1000 Size 0x4ac
but if you notice the input still has some ${$arg1} replacement
(Note that dwo and not poi would be more correct here as those are 32-bit fields, but the hardcoded offset breaks on 64-bit anyways as I recall.)
- S
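The header walk that the names.txt script hard-codes, as an added Python example (not code from the thread): it follows e_lfanew to IMAGE_NT_HEADERS and picks the DataDirectory offset from OptionalHeader.Magic, so DataDirectory[0xc] lands at 0xd8 for PE32 but 0xe8 for PE32+, which is why the fixed 0xd8 breaks on 64-bit as S notes. The sample header bytes are constructed inline; build_header, iat_directory and thread_script are names chosen here.

```python
import struct

IMAGE_DIRECTORY_ENTRY_IAT = 12            # DataDirectory[0xc], the table the script dumps
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
# Bytes of IMAGE_OPTIONAL_HEADER that precede DataDirectory, per Magic.
DATADIR_START = {PE32_MAGIC: 0x60, PE32PLUS_MAGIC: 0x70}


def iat_directory(image: bytes):
    """Return (iat_rva, iat_size, directory offset from IMAGE_NT_HEADERS).

    Chooses the 32- or 64-bit optional header layout from Magic instead of
    assuming the PE32-only 0xd8 used in the thread's script.
    """
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]          # poi(base+0x3c)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad NT header signature")
    opt = e_lfanew + 4 + 20                                       # Signature + IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in DATADIR_START:
        raise ValueError(f"unknown OptionalHeader.Magic {magic:#x}")
    dir_off = DATADIR_START[magic] + IMAGE_DIRECTORY_ENTRY_IAT * 8  # 8 bytes per IMAGE_DATA_DIRECTORY
    rva, size = struct.unpack_from("<II", image, opt + dir_off)     # two DWORDs (S's dwo remark)
    return rva, size, 4 + 20 + dir_off


def thread_script(image: bytes):
    """The names.txt logic as written: DWORDs at base + poi(base+0x3c) + 0xd8 / 0xdc."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    return struct.unpack_from("<II", image, e_lfanew + 0xD8)


def build_header(magic: int, iat_rva: int, iat_size: int) -> bytes:
    """Constructed sample: a minimal header carrying only the fields this walk reads."""
    e_lfanew = 0x80
    buf = bytearray(e_lfanew + 24 + DATADIR_START[magic] + 16 * 8)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    opt = e_lfanew + 24
    struct.pack_into("<H", buf, opt, magic)
    struct.pack_into("<II", buf, opt + DATADIR_START[magic] + 12 * 8, iat_rva, iat_size)
    return bytes(buf)


if __name__ == "__main__":
    for magic in (PE32_MAGIC, PE32PLUS_MAGIC):
        img = build_header(magic, 0x1000, 0x4AC)
        print(f"magic {magic:#x}: header-aware {iat_directory(img)}, fixed 0xd8 {thread_script(img)}")
```

On the PE32+ sample the fixed 0xd8 lands in DataDirectory[10] (load config), not the IAT, so the script silently reads the wrong table.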