Created
April 18, 2022 16:20
from pykd import * | |
import sys | |
# .load pykd.
# !py c:\users\uf0\desktop\dump_iat.py target_module_name|all [dep]
def usage():
    """Print the one-line invocation help for this script."""
    help_line = "USAGE: !py c:\\users\\uf0\\desktop\\dump_iat.py target_module_name|all [dep]"
    print(help_line)
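def fetch_iat(module, cmd, dep):
    """Dump the Import Address Table (IAT) of a loaded module.

    The module base is read from ``lm m <module>``, the IAT offset and size
    from the ``Import Address Table Directory`` line of ``!dh <module>``,
    and the table is then displayed with ``cmd`` (the caller passes
    ``'dps '``).

    Args:
        module: Name of the loaded module to inspect.
        cmd: Debugger display command prefix, including its trailing space.
        dep: When true, return only the first IAT line that mentions one of
            VirtualAllocStub, VirtualProtectStub or WriteProcessMemoryStub.

    Returns:
        The debugger output for the whole IAT (``dep`` false), the first
        matching line (``dep`` true), or None when the module has no IAT,
        nothing matches, or the debugger output cannot be parsed.
    """
    module = module.strip()
    print("[*] - %s IAT" % module)

    # The name is pasted into debugger command strings below, and in "all"
    # mode it comes from the debuggee's module list. Refuse anything that
    # could add a second command (';') or extra arguments (whitespace).
    if not module or ';' in module or any(ch.isspace() for ch in module):
        return None

    dep_functions = ('VirtualAllocStub', 'VirtualProtectStub', 'WriteProcessMemoryStub')

    # The third line of the `lm m` output is expected to start with the base
    # address. An unknown module yields fewer lines; return None instead of
    # raising IndexError, which would abort a sweep over all modules.
    lm_lines = (pykd.dbgCommand("lm m " + module) or '').split('\n')
    if len(lm_lines) < 3:
        return None
    module_base = lm_lines[2].split(' ')[0]
    if not module_base:
        return None

    marker = 'Import Address Table Directory'
    headers = pykd.dbgCommand("!dh " + module) or ''
    if marker not in headers:
        return None

    # Text before the marker on its own line looks like "<offset> [<size>] ...".
    iat = headers.split(marker)[0].split('\n')[-1]
    if iat == '':
        return None
    offset_part, bracket, remainder = iat.partition('[')
    iat_offset = offset_part.replace(' ', '')
    if iat_offset == '0':
        return None
    if not bracket or not iat_offset:
        return None
    iat_size = remainder.split(']')[0].replace(' ', '')
    if not iat_size:
        return None

    # NOTE(review): "/4" turns the byte size into an entry count assuming
    # 4-byte IAT entries, i.e. a 32-bit target - confirm before using this
    # against a 64-bit module.
    iat = pykd.dbgCommand(cmd + module_base + '+' + iat_offset + ' L' + iat_size + '/4') or ''

    if not dep:
        return iat

    for iat_entry in iat.split('\n'):
        if any(function in iat_entry for function in dep_functions):
            return iat_entry
    return None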
def main():
    """Parse the script arguments and print the IAT of one or all modules.

    ``sys.argv[1]`` is a module name or the literal ``all``; an optional
    ``sys.argv[2]`` equal to ``dep`` enables the filtered output of
    ``fetch_iat``. With ``all``, the module names come from the debugger
    command ``lm 1m i o``, one per line. With no arguments the usage line
    is printed and the script exits.
    """
    args = sys.argv
    if len(args) < 2:
        usage()
        sys.exit()

    cmd = 'dps '
    dep = args[2:3] == ['dep']
    target = args[1]

    if target != 'all':
        print(fetch_iat(target, cmd, dep))
        return

    for module_name in pykd.dbgCommand("lm 1m i o").split('\n'):
        # The command output contains empty lines; skip them.
        if module_name != '':
            print(fetch_iat(module_name, cmd, dep))
# Entry point: run main() only when the file is executed as a script.
if __name__ == "__main__":
    main()