
Import Table Functions

Sercan_ercan Member Posts: 137
lm shows loaded modules, but how can we see the import functions with WinDbg?
Is there a command or extension?

Comments

  • Ken_Johnson Member - All Emails Posts: 1,559
    !dh <module>, read the headers to find the IAT, and dump it with dps.

    - S

    -----Original Message-----
    From: xxxxx@gmail.com <xxxxx@gmail.com>
    Sent: Sunday, May 10, 2009 12:30
    To: Kernel Debugging Interest List <xxxxx@lists.osr.com>
    Subject: [windbg] Import Table Functions


    lm shows loaded modules but how can we see import functions with Windbg?
    Is there a command or extension?

    ---
    WINDBG is sponsored by OSR

    For our schedule of WDF, WDM, debugging and other seminars visit:
    http://www.osr.com/seminars

    To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
  • Sercan_ercan Member Posts: 137
    OK, it worked.
    Thank you
  • raj_r Member - All Emails Posts: 977
    I use a dirty script to dump import names; maybe you could use it.

    Copy and paste the following into a file named names.txt in the WinDbg directory and invoke it with
    $$>a< names.txt "your module name"

    $$ $arg1 is the module base; poi(base+0x3c) is e_lfanew (start of the NT headers)
    $$ +0xd8 / +0xdc is DataDirectory[12] (Import Address Table) VirtualAddress / Size, PE32 layout
    r $t0 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xd8)
    r $t1 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xdc)
    $$ dump the IAT slots with symbols: base+RVA, size/4 pointers (rounded up)
    dps ${$arg1}+$t0 l? (($t1+4)/4)

    --
    thanks and regards

    raj_r
  • raj_r Member - All Emails Posts: 977
    On 5/11/09, Skywing wrote:
    >
    > !dh <module>, read the headers to find the IAT, and dump it with dps.


    Skywing, how robust is this almost-equivalent hack?

    r $t0 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xd8)
    r $t1 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xdc)
    dps ${$arg1}+$t0 l? (($t1+4)/4)

    I use it like this: $$>a< parse.txt user32

    0:000> $$>a< parse.txt user32
    77d41000 7c90e213 ntdll!ZwQueryVirtualMemory
    77d41004 7c937a40 ntdll!RtlUnwind
    77d41008 7c90fb3d ntdll!RtlNtStatusToDosError
    77d4100c 7c97c008 ntdll!NlsAnsiCodePage
    77d41010 7c9105d4 ntdll!RtlAllocateHeap

    I would have loved to use the !dh output when I wrote that script,

    0:000> .shell -ci "!dh windbg" grep -i "import address"
    1000 [ 4AC] address [size] of Import Address Table Directory
    .shell: Process exited

    but I can't find a way to pass that result to a subsequent command, or an easy
    way to strip the ] (square bracket) appended to the size.
  • Tim_Roberts Member - All Emails Posts: 13,007
    raj_r wrote:
    > i use a dirty script to dump import names maybe you could use it
    >
    > copy paste the following into a file names.txt in windbg dir and
    > invoke with $$>a< names.txt "your module name"
    >
    > r $t0 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xd8)
    > r $t1 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xdc)
    > dps ${$arg1}+$t0 l? (($t1+4)/4)

    I'm amazed you could type all of that with a straight face. Those are
    commands only a Perl programmer could love.

    --
    Tim Roberts, xxxxx@probo.com
    Providenza & Boekelheide, Inc.

  • raj_r Member - All Emails Posts: 977
    On 5/13/09, Tim Roberts wrote:
    >
    > I'm amazed you could type all of that with a straight face. Those are
    > commands only a Perl programmer could love.


    Well, WinDbg scripting is sometimes worse, more arcane, unwieldy, unreadable and
    indecipherable than Perl by many orders of magnitude.

    Anyway, for the record: 0x3c is e_lfanew in the DOS header, 0xd8 is the Import Table
    address and 0xdc is the Import Table size.

    With a bit of patience this crap script could be converted to use
    something more readable, and scripted too:

    0:000> dt -co ntdll!_image_nt_headers OptionalHeader.DataDirectory[0xc]. windbg+poi(windbg+0x3c)
    OptionalHeader
    DataDirectory [12]
    VirtualAddress 0x1000 Size 0x4ac

    But if you notice, the input still needs some ${$arg1} replacement.
  • Ken_Johnson Member - All Emails Posts: 1,559
    I would use the image header offsets from ntdll type info, but it'd come out to be the same less 64-bit support.

    (Note that dwo and not poi would be more correct here as those are 32-bit fields, but the hardcoded offset breaks on 64-bit anyways as I recall.)

    - S

    ________________________________
    From: raj_r
    Sent: Tuesday, May 12, 2009 14:44
    To: Kernel Debugging Interest List
    Subject: Re: [windbg] Import Table Functions
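The following is an added example, not code from the thread or from OSR: a Python walk of the same header chain that the script and the dt command above use (IMAGE_DOS_HEADER.e_lfanew at 0x3c, then OptionalHeader.DataDirectory[12], the Import Address Table directory, which sits at NT-header offset 0xd8/0xdc only in the PE32 layout), run against a constructed in-memory PE image instead of a live process. It reads every header field as a 32-bit value (dwo rather than poi) and picks the DataDirectory offset from the optional header Magic, so it also works for PE32+, where the same entry is at 0xe8/0xec and each IAT slot is 8 bytes; script_style_iat() keeps the hard-coded offsets to show exactly where the 64-bit case goes wrong. The sample image, the module base and the pointer values are made up for the demonstration.

```python
"""Locate and dump the Import Address Table of a mapped PE image (added example)."""
from __future__ import annotations
import struct

# Constants from winnt.h
IMAGE_DOS_SIGNATURE = 0x5A4D            # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550         # "PE\0\0"
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B   # PE32
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B   # PE32+
IMAGE_DIRECTORY_ENTRY_IAT = 12          # the DataDirectory[0xc] entry the dt command reads
SIZEOF_FILE_HEADER = 20
# Offset of DataDirectory inside IMAGE_OPTIONAL_HEADER32 / IMAGE_OPTIONAL_HEADER64
DATADIR_OFFSET = {IMAGE_NT_OPTIONAL_HDR32_MAGIC: 96, IMAGE_NT_OPTIONAL_HDR64_MAGIC: 112}


def find_iat(image: bytes) -> tuple[int, int, int]:
    """Return (iat_rva, iat_size, pointer_size) for a mapped PE image.

    Header fields are read as 32-bit values (WinDbg's dwo), never as native
    pointers (poi), and the DataDirectory offset follows the optional header
    Magic instead of being hard-coded to the PE32 value.
    """
    if struct.unpack_from("<H", image, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not a PE image: bad MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]          # the 0x3c in the script
    if struct.unpack_from("<I", image, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("not a PE image: bad PE signature")
    opt = e_lfanew + 4 + SIZEOF_FILE_HEADER                        # start of OptionalHeader
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in DATADIR_OFFSET:
        raise ValueError(f"unsupported optional header magic {magic:#x}")
    datadir = opt + DATADIR_OFFSET[magic]
    num_dirs = struct.unpack_from("<I", image, datadir - 4)[0]     # NumberOfRvaAndSizes
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_IAT:
        return 0, 0, 0                                             # image has no IAT entry
    rva, size = struct.unpack_from("<II", image, datadir + IMAGE_DIRECTORY_ENTRY_IAT * 8)
    ptr_size = 4 if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC else 8
    return rva, size, ptr_size


def script_style_iat(image: bytes) -> tuple[int, int]:
    """The thread's one-liner taken literally: dwords at e_lfanew+0xd8 and +0xdc.

    Correct for PE32 only: in a PE32+ header those offsets land inside
    DataDirectory[10] (load config), so on 64-bit images the result is wrong.
    """
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    rva, size = struct.unpack_from("<II", image, e_lfanew + 0xD8)
    return rva, size


def dump_iat(image: bytes, base: int) -> list[tuple[int, int]]:
    """Equivalent of `dps base+iat_rva L? iat_size/ptr_size`: (slot address, pointer) pairs."""
    rva, size, ptr_size = find_iat(image)
    if size == 0:
        return []
    fmt = "<I" if ptr_size == 4 else "<Q"
    return [(base + rva + i * ptr_size, struct.unpack_from(fmt, image, rva + i * ptr_size)[0])
            for i in range(size // ptr_size)]


def build_sample_image(pe32plus: bool, iat_entries: list[int]) -> bytes:
    """Construct a minimal in-memory PE image (sample data, not a real binary) whose
    IAT sits at RVA 0x1000 and already holds the given resolved pointers."""
    magic = IMAGE_NT_OPTIONAL_HDR64_MAGIC if pe32plus else IMAGE_NT_OPTIONAL_HDR32_MAGIC
    ptr_size = 8 if pe32plus else 4
    e_lfanew = 0x80
    img = bytearray(0x2000)
    struct.pack_into("<H", img, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    struct.pack_into("<I", img, e_lfanew, IMAGE_NT_SIGNATURE)
    struct.pack_into("<H", img, e_lfanew + 4 + 16, 240 if pe32plus else 224)  # SizeOfOptionalHeader
    opt = e_lfanew + 4 + SIZEOF_FILE_HEADER
    struct.pack_into("<H", img, opt, magic)
    datadir = opt + DATADIR_OFFSET[magic]
    struct.pack_into("<I", img, datadir - 4, 16)                               # NumberOfRvaAndSizes
    iat_rva, iat_size = 0x1000, len(iat_entries) * ptr_size
    struct.pack_into("<II", img, datadir + IMAGE_DIRECTORY_ENTRY_IAT * 8, iat_rva, iat_size)
    for i, ptr in enumerate(iat_entries):
        struct.pack_into("<I" if ptr_size == 4 else "<Q", img, iat_rva + i * ptr_size, ptr)
    return bytes(img)


if __name__ == "__main__":
    # Constructed sample modelled on the user32 dump above: three resolved pointers at base 0x77d40000.
    sample = build_sample_image(False, [0x7C90E213, 0x7C937A40, 0x7C90FB3D])
    for slot, target in dump_iat(sample, 0x77D40000):
        print(f"{slot:08x} {target:08x}")
```

Against a real target you would feed the function the bytes read from the module base (the `lm` base address) up to SizeOfHeaders plus the IAT range; the symbol resolution that dps performs is the one piece this does not reproduce.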