def iat( moduleName, mask = "*" ):
mod = module( moduleName )
dprintln( "Module: " + moduleName + " base: %x" % mod.begin() + " end: %x" % mod.end() )
if isKernelDebugging():
systemModule = module( "nt" )
systemModule = module( "ntdll" )
ntHeader = systemModule.typedVar( "_IMAGE_NT_HEADERS64", mod.begin() + ptrDWord( mod.begin() + 0x3c ) )
if ntHeader.OptionalHeader.Magic == 0x10b:
systemModule = loadModule( "ntdll32" )
ntHeader = systemModule.typedVar( "_IMAGE_NT_HEADERS", mod.begin() + ptrDWord( mod.begin() + 0x3c ) )
ntHeader = systemModule.typedVar( "_IMAGE_NT_HEADERS", mod.begin() + ptrDWord( mod.begin() + 0x3c ) )
dprintln( "IAT RVA: %x Size: %x" % ( ntHeader.OptionalHeader.DataDirectory[12].VirtualAddress, ntHeader.OptionalHeader.DataDirectory[12].Size ) )
dprintln( "========================" )
if ntHeader.OptionalHeader.DataDirectory[12].Size == 0:
iatAddr = mod.begin() + ntHeader.OptionalHeader.DataDirectory[12].VirtualAddress;
for i in range( 0, ntHeader.OptionalHeader.DataDirectory[12].Size / pSize ):
iatEntry = addr64(ptrDWord( iatAddr + i*pSize ))
iatEntry = addr64(ptrQWord( iatAddr + i*pSize ))
if iatEntry != None and iatEntry != 0:
symbolName = findSymbol( iatEntry )
if fnmatch.fnmatch( symbolName, mask ):
dprintln( symbolName )
if __name__ == "__main__":
print "script is launch out of windbg"
dprintln( "usage: !py import module_name ( symbol name mask )" )
elif len( sys.argv ) == 2:
iat( sys.argv[1], sys.argv[2] )