zjgcjy/pykd
1
0
Fork 0
mirror of https://github.com/ivellioscolin/pykd.git synced 2025-04-19 19:13:22 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity
84250a8ab6
pykd/snippets/iat.py
SND\kernelnet_cp da1b7b7977 [snippets] updated 
git-svn-id: https://pykd.svn.codeplex.com/svn@65717 9b283d60-5439-405e-af05-b73fd8c4d996
2011-05-23 07:51:26 +00:00

70 lines
2.1 KiB
Python
Raw Blame History

#
#
#
import sys
import fnmatch
from pykd import *
def iat( moduleName, mask = "*" ):
module = loadModule( moduleName )
dprintln( "Module: " + moduleName + " base: %x" % module.begin() + " end: %x" % module.end() )
if isKernelDebugging():
systemModule = loadModule( "nt" )
else:
systemModule = loadModule( "ntdll" )
if is64bitSystem():
ntHeader = typedVar( systemModule.name(), "_IMAGE_NT_HEADERS64", module.begin() + ptrDWord( module.begin() + 0x3c ) )
if ntHeader.OptionalHeader.Magic == 0x10b:
systemModule = loadModule( "ntdll32" )
ntHeader = typedVar( systemModule.name(), "_IMAGE_NT_HEADERS", module.begin() + ptrDWord( module.begin() + 0x3c ) )
pSize = 4
else:
pSize = 8
else:
ntHeader = typedVar( systemModule.name(), "_IMAGE_NT_HEADERS", module.begin() + ptrDWord( module.begin() + 0x3c ) )
pSize = 4
dprintln( "IAT RVA: %x Size: %x" % ( ntHeader.OptionalHeader.DataDirectory[12].VirtualAddress, ntHeader.OptionalHeader.DataDirectory[12].Size ) )
dprintln( "========================" )
if ntHeader.OptionalHeader.DataDirectory[12].Size == 0:
return
iatAddr = module.begin() + ntHeader.OptionalHeader.DataDirectory[12].VirtualAddress;
for i in range( 0, ntHeader.OptionalHeader.DataDirectory[12].Size / pSize ):
if ( pSize == 4 ):
iatEntry = ptrDWord( iatAddr + i*pSize )
else:
iatEntry = ptrQWord( iatAddr + i*pSize )
if iatEntry != None and iatEntry != 0:
symbolName = findSymbol( iatEntry )
if fnmatch.fnmatch( symbolName, mask ):
dprintln( symbolName )
if __name__ == "__main__":
if not isWindbgExt():
print "script is launch out of windbg"
quit( 0 )
if len (sys.argv)<=1:
dprintln( "usage: !py import module_name ( symbol name mask )" )
elif len( sys.argv ) == 2:
iat( sys.argv[1] )
else:
iat( sys.argv[1], sys.argv[2] )
Reference in New Issue View Git Blame Copy Permalink