From 5101d9576695fa205c621f798f543ae2b0587fd7 Mon Sep 17 00:00:00 2001
From: "SND\\kernelnet_cp"
Date: Tue, 9 Nov 2010 09:51:19 +0000
Subject: [PATCH] [+] added: windbg snippet displaying list of export for module

git-svn-id: https://pykd.svn.codeplex.com/svn@57286 9b283d60-5439-405e-af05-b73fd8c4d996
---
 snippets/export.py | 55 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)
 create mode 100644 snippets/export.py

diff --git a/snippets/export.py b/snippets/export.py
new file mode 100644
index 0000000..4daee27
--- /dev/null
+++ b/snippets/export.py
@@ -0,0 +1,55 @@
+#
+#
+#
+
+import sys
+import fnmatch
+from pykd import *
+
+
+def export( moduleName, mask = "*" ):
+
+ module = loadModule( moduleName )
+ dprintln( "Module: " + moduleName + " base: %x" % module.begin() + " end: %x" % module.end() )
+
+ dosHeader = typedVar( "nt", "_IMAGE_DOS_HEADER", module.begin() )
+
+ if is64bitSystem():
+ ntHeader = typedVar( "nt", "_IMAGE_NT_HEADERS64", module.begin() + dosHeader.e_lfanew )
+ else:
+ ntHeader = typedVar( "nt", "_IMAGE_NT_HEADERS", module.begin() + dosHeader.e_lfanew )
+
+
+ dprintln( "Export RVA: %x Size: %x" % ( ntHeader.OptionalHeader.DataDirectory[0].VirtualAddress, ntHeader.OptionalHeader.DataDirectory[0].Size ) )
+ dprintln( "========================" )
+
+ exportDirAddr = module.begin() + ntHeader.OptionalHeader.DataDirectory[0].VirtualAddress;
+
+ namesCount = ptrDWord( exportDirAddr + 0x18 )
+
+ namesRva = module.begin() + ptrDWord( exportDirAddr + 0x20 )
+
+ for i in range( 0, namesCount ):
+ exportName = loadCStr( module.begin() + ptrDWord( namesRva + 4 * i ) )
+ if fnmatch.fnmatch( exportName, mask ):
+ dprintln( exportName )
+
+
+if __name__ == "__main__":
+
+ if not isSessionStart():
+ print "script is launch out of windbg"
+ quit( 0 )
+
+ if len( sys.argv ) == 1:
+
+ if sys.argv[0]=="":
+ dprintln( "module name not found" )
+ else:
+ export( sys.argv[0] )
+
+ else:
+
+ export( sys.argv[0], sys.argv[1] )
+
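Review bot: `exportDirAddr` is dereferenced without checking that the module has an export directory at all; when `DataDirectory[0].VirtualAddress` is 0 the address collapses to `module.begin()`, so the `ptrDWord( exportDirAddr + 0x18 )` and `0x20` reads pull values out of the DOS header and `namesCount` / `namesRva` become garbage, after which the loop may walk unrelated memory until a debugger read fails. Add a guard before those reads, `if ntHeader.OptionalHeader.DataDirectory[0].VirtualAddress == 0:` / `    dprintln( "no export table" )` / `    return`, and consider checking that `namesRva` and each name pointer fall inside `[module.begin(), module.end())` before dereferencing them. The `0x18` and `0x20` offsets also deserve a comment naming the `_IMAGE_EXPORT_DIRECTORY` fields they index (`# NumberOfNames` and `# AddressOfNames`), since nothing in the hunk says what they are. In the `__main__` block `sys.argv[0]` is read without confirming `sys.argv` is non-empty, and a call with more than two arguments silently drops the extras; whether pykd guarantees at least one element is not visible from this hunk.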