From 533bb27764735cbb9be3c64fa76b3a17cce3834a Mon Sep 17 00:00:00 2001
From: "SND\\kernelnet_cp"
 <SND\kernelnet_cp@9b283d60-5439-405e-af05-b73fd8c4d996>
Date: Mon, 22 Nov 2010 11:47:51 +0000
Subject: [PATCH] [+] added: windbg snippet displaying IAT for module

git-svn-id: https://pykd.svn.codeplex.com/svn@57928 9b283d60-5439-405e-af05-b73fd8c4d996
---
 snippets/iat.py | 56 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)
 create mode 100644 snippets/iat.py

diff --git a/snippets/iat.py b/snippets/iat.py
new file mode 100644
index 0000000..2de17f3
--- /dev/null
+++ b/snippets/iat.py
@@ -0,0 +1,56 @@
+#
+#
+#
+
+import sys
+import fnmatch
+from pykd import *
+
+
+def iat( moduleName, mask = "*" ):
+
+    module = loadModule( moduleName )
+    dprintln( "Module: " + moduleName + " base: %x" % module.begin() + " end: %x" % module.end() )
+
+
+    systemModule = loadModule( "nt" )
+
+    if systemModule==None:
+        systemModule = loadModule( "ntdll" ) 	
+
+
+    if is64bitSystem():
+        ntHeader = typedVar( systemModule.name(), "_IMAGE_NT_HEADERS64", module.begin() + ptrDWord( module.begin() + 0x3c ) )
+    else:
+        ntHeader = typedVar( systemModule.name(), "_IMAGE_NT_HEADERS", module.begin() + ptrDWord( module.begin() + 0x3c ) )
+
+
+    dprintln( "IAT RVA: %x  Size: %x" % ( ntHeader.OptionalHeader.DataDirectory[12].VirtualAddress, ntHeader.OptionalHeader.DataDirectory[12].Size  ) )
+    dprintln( "========================" )
+
+    if ntHeader.OptionalHeader.DataDirectory[12].Size == 0:
+        return
+    
+    iatAddr = module.begin() + ntHeader.OptionalHeader.DataDirectory[12].VirtualAddress;
+
+    for i in range( 0, ntHeader.OptionalHeader.DataDirectory[12].Size / ptrSize() ):
+        iatEntry = ptrPtr( iatAddr + i*ptrSize() )
+        if  iatEntry != 0:
+            symbolName = findSymbol( iatEntry ) 
+            if fnmatch.fnmatch( symbolName, mask ): 
+                dprintln( symbolName )
+
+
+if __name__ == "__main__":
+
+    if not isSessionStart():
+        print "script is launch out of windbg"
+        quit( 0 )
+
+    if len (sys.argv)<=0:
+        dprintln( "usage: !py import module_name ( symbol name mask )" )
+    elif len( sys.argv ) == 2:
+        iat( sys.argv[1] )
+    else:
+        iat( sys.argv[1], sys.argv[2] )
+
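Review bot: The argument guard `if len (sys.argv)<=0:` at the start of the `__main__` branch can never be true, because argv always carries at least the script name, so running the snippet with no module name skips the usage text and fails with an IndexError on `sys.argv[1]` in the `else` branch; the condition should be `if len( sys.argv ) < 2:`. In `iat` the loop bound is taken straight from the debuggee's `DataDirectory[12].Size`, which an unmapped, partially loaded or tampered image can make arbitrarily large; a sanity check such as `if iatAddr + ntHeader.OptionalHeader.DataDirectory[12].Size > module.end(): return` before the loop keeps the walk inside the module's own range. The `systemModule==None` comparison should be `systemModule is None`, and whether `loadModule` actually returns `None` for a missing module rather than raising is not visible from this patch and is worth confirming. A short docstring on `iat` stating that `mask` is an `fnmatch` pattern applied to the resolved symbol name would also help callers.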