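def export( moduleName, mask = "*" ):
    """Print the exported names of a loaded module that match a wildcard mask.

    The export directory is located by walking the PE headers in the
    debuggee's memory: e_lfanew at offset 0x3c, then data directory entry 0
    of the optional header.  Every value read from the image is treated as
    untrusted, because a damaged or deliberately malformed module can carry
    header fields that point outside its own mapping.

    moduleName -- name of the module to inspect, as known to the debugger
    mask       -- fnmatch-style pattern applied to each export name

    Returns None; results and diagnostics are written with dprintln().

    NOTE(review): the listing this was recovered from had lost its
    indentation and several lines (its line numbering has gaps).  The
    else branches, the early return and the 64-bit test below are
    reconstructed -- confirm them against the original script.
    """

    modObj = module( moduleName )
    imageBase = modObj.begin()
    # assumes end() is the first address past the mapped image -- TODO confirm
    imageEnd = modObj.end()
    imageSize = imageEnd - imageBase
    dprintln( "Module: " + moduleName + " base: %x" % imageBase + " end: %x" % imageEnd )

    # The header structure definitions come from the symbols of a system module.
    if isKernelDebugging():
        systemModule = module( "nt" )
    else:
        systemModule = module( "ntdll" )

    # e_lfanew comes from the image itself; refuse to follow it outside the module.
    ntHeaderAddr = imageBase + ptrDWord( imageBase + 0x3c )
    if not ( imageBase <= ntHeaderAddr < imageEnd ):
        dprintln( "NT header offset points outside the module image" )
        return

    # NOTE(review): the condition on this line was missing from the listing;
    # is64bitSystem() is the reconstruction -- verify.
    if is64bitSystem():
        ntHeader = systemModule.typedVar( "_IMAGE_NT_HEADERS64", ntHeaderAddr )
        if ntHeader.OptionalHeader.Magic == 0x10b:
            # 0x10b marks a PE32 optional header, so the 32-bit layout is needed.
            systemModule = loadModule( "ntdll32" )
            ntHeader = systemModule.typedVar( "_IMAGE_NT_HEADERS", ntHeaderAddr )
    else:
        ntHeader = systemModule.typedVar( "_IMAGE_NT_HEADERS", ntHeaderAddr )

    exportEntry = ntHeader.OptionalHeader.DataDirectory[0]
    exportRva = exportEntry.VirtualAddress
    exportSize = exportEntry.Size

    dprintln( "Export RVA: %x Size: %x" % ( exportRva, exportSize ) )
    dprintln( "========================" )

    if exportSize == 0:
        return

    # The fields read below end at offset 0x24 of the export directory.
    if exportRva + 0x24 > imageSize:
        dprintln( "Export directory lies outside the module image" )
        return

    exportDirAddr = imageBase + exportRva

    namesCount = ptrDWord( exportDirAddr + 0x18 )
    namesTableRva = ptrDWord( exportDirAddr + 0x20 )

    # Each name occupies one 4-byte slot, so the table must fit inside the
    # image; this also bounds the loop when the count field is corrupt.
    if namesTableRva + 4 * namesCount > imageSize:
        dprintln( "Export name table does not fit inside the module image" )
        return

    namesTableAddr = imageBase + namesTableRva

    for i in range( namesCount ):
        nameRva = ptrDWord( namesTableAddr + 4 * i )
        if nameRva >= imageSize:
            dprintln( "export name %d: RVA %x is outside the module image, skipped" % ( i, nameRva ) )
            continue
        exportName = loadCStr( imageBase + nameRva )
        if fnmatch.fnmatch( exportName, mask ):
            dprintln( exportName )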
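if __name__ == "__main__":

    # NOTE(review): the listing this was recovered from had lost its
    # indentation and several lines (its line numbering has gaps).  The
    # isWindbgExt() guard, the exit after the message, the first argument
    # count test, the one-argument call and the final else are
    # reconstructed -- confirm them against the original script.
    if not isWindbgExt():
        # Parenthesised so the line parses under both Python 2 and Python 3.
        print( "script is launch out of windbg" )
        sys.exit( 0 )

    if len( sys.argv ) <= 1:
        dprintln( "usage: !py export module_name ( export mask )" )
    elif len( sys.argv ) == 2:
        # Only the module name was given: fall back to the default "*" mask.
        export( sys.argv[1] )
    else:
        export( sys.argv[1], sys.argv[2] )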