pykd/samples/synimp.py

# 
# Add synthetic symbols for module by imports
# 

from pykd import *
import sys

def addSymSymbolsByImports(dbgModule):
  if isKernelDebugging():
      systemModule = loadModule( "nt" )
  else:
      systemModule = loadModule( "ntdll" )

  if is64bitSystem():
    ntHeader = typedVar( systemModule.name(), "_IMAGE_NT_HEADERS64", dbgModule.begin() + ptrDWord( dbgModule.begin() + 0x3c ) )
    if ntHeader.OptionalHeader.Magic == 0x10b:
      systemModule = loadModule( "ntdll32" ) 
      ntHeader = typedVar( systemModule.name(), "_IMAGE_NT_HEADERS", dbgModule.begin() + ptrDWord( dbgModule.begin() + 0x3c ) )
  else:
      ntHeader = typedVar( systemModule.name(), "_IMAGE_NT_HEADERS", dbgModule.begin() + ptrDWord( dbgModule.begin() + 0x3c ) )

  if ntHeader.OptionalHeader.DataDirectory[12].Size == 0:
    return
  
  iatAddr = dbgModule.begin() + ntHeader.OptionalHeader.DataDirectory[12].VirtualAddress;

  for i in range( 0, ntHeader.OptionalHeader.DataDirectory[12].Size / ptrSize() ):
      pIatEtry = iatAddr + i*ptrSize();
      iatEntry = ptrPtr( pIatEtry )

      if iatEntry != 0:
        try:
          symbolName = findSymbol( iatEntry ) 
          addSynSymbol(pIatEtry, ptrSize(), "_imp_" + symbolName)
        except TypeError:
          dprintln( "Symbol for 0x%x" % iatEntry + " not found" )

if __name__ == "__main__":

  if not isSessionStart():
    print "Script is launch out of WinDBG"
    quit(0)

  argc = len(sys.argv)
  if (2 == argc):
    addSymSymbolsByImports(findModule(expr(sys.argv[1])))
  else:
    dprintln("Invalid command line")
    dprintln("Usage: " + sys.argv[0] + " module_address")
$SND\EreTIk_cp$ [+] addSynSymbol function adds a synthetic symbol to a module by virtual address [+] dbgModuleClass::addSynSymbol method adds a synthetic symbol by offset related to module base [+] samples/synimp.py: add synthetic symbols for module by imports git-svn-id: https://pykd.svn.codeplex.com/svn@61768 9b283d60-5439-405e-af05-b73fd8c4d996 2011-02-21 17:49:47 +08:00			`#`
			`# Add synthetic symbols for module by imports`
			`#`

			`from pykd import *`
			`import sys`

			`def addSymSymbolsByImports(dbgModule):`
			`if isKernelDebugging():`
			`systemModule = loadModule( "nt" )`
			`else:`
			`systemModule = loadModule( "ntdll" )`

			`if is64bitSystem():`
			`ntHeader = typedVar( systemModule.name(), "_IMAGE_NT_HEADERS64", dbgModule.begin() + ptrDWord( dbgModule.begin() + 0x3c ) )`
			`if ntHeader.OptionalHeader.Magic == 0x10b:`
			`systemModule = loadModule( "ntdll32" )`
			`ntHeader = typedVar( systemModule.name(), "_IMAGE_NT_HEADERS", dbgModule.begin() + ptrDWord( dbgModule.begin() + 0x3c ) )`
			`else:`
			`ntHeader = typedVar( systemModule.name(), "_IMAGE_NT_HEADERS", dbgModule.begin() + ptrDWord( dbgModule.begin() + 0x3c ) )`

			`if ntHeader.OptionalHeader.DataDirectory[12].Size == 0:`
			`return`

			`iatAddr = dbgModule.begin() + ntHeader.OptionalHeader.DataDirectory[12].VirtualAddress;`

$SND\EreTIk_cp$ [~] skip unresolved imports [~] optimized for new functional of pykd git-svn-id: https://pykd.svn.codeplex.com/svn@61770 9b283d60-5439-405e-af05-b73fd8c4d996 2011-02-21 18:07:11 +08:00			`for i in range( 0, ntHeader.OptionalHeader.DataDirectory[12].Size / ptrSize() ):`
			`pIatEtry = iatAddr + i*ptrSize();`
			`iatEntry = ptrPtr( pIatEtry )`
$SND\EreTIk_cp$ [+] addSynSymbol function adds a synthetic symbol to a module by virtual address [+] dbgModuleClass::addSynSymbol method adds a synthetic symbol by offset related to module base [+] samples/synimp.py: add synthetic symbols for module by imports git-svn-id: https://pykd.svn.codeplex.com/svn@61768 9b283d60-5439-405e-af05-b73fd8c4d996 2011-02-21 17:49:47 +08:00
			`if iatEntry != 0:`
$SND\EreTIk_cp$ [~] skip unresolved imports [~] optimized for new functional of pykd git-svn-id: https://pykd.svn.codeplex.com/svn@61770 9b283d60-5439-405e-af05-b73fd8c4d996 2011-02-21 18:07:11 +08:00			`try:`
			`symbolName = findSymbol( iatEntry )`
			`addSynSymbol(pIatEtry, ptrSize(), "_imp_" + symbolName)`
			`except TypeError:`
			`dprintln( "Symbol for 0x%x" % iatEntry + " not found" )`
$SND\EreTIk_cp$ [+] addSynSymbol function adds a synthetic symbol to a module by virtual address [+] dbgModuleClass::addSynSymbol method adds a synthetic symbol by offset related to module base [+] samples/synimp.py: add synthetic symbols for module by imports git-svn-id: https://pykd.svn.codeplex.com/svn@61768 9b283d60-5439-405e-af05-b73fd8c4d996 2011-02-21 17:49:47 +08:00
			`if __name__ == "__main__":`

			`if not isSessionStart():`
			`print "Script is launch out of WinDBG"`
			`quit(0)`

			`argc = len(sys.argv)`
			`if (2 == argc):`
			`addSymSymbolsByImports(findModule(expr(sys.argv[1])))`
			`else:`
			`dprintln("Invalid command line")`
			`dprintln("Usage: " + sys.argv[0] + " module_address")`