@uf0o
Created April 18, 2022 16:20
from pykd import *
import sys
# Prerequisite: load the pykd extension in WinDbg first (.load pykd).
# Then run: !py c:\users\uf0\desktop\dump_iat.py target_module_name|all [dep]
def usage():
    """Print the command-line synopsis for this script to stdout."""
    script_path = "c:\\users\\uf0\\desktop\\dump_iat.py"
    print("USAGE: !py " + script_path + " target_module_name|all [dep]")
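def fetch_iat(module, cmd, dep):
    """Dump the Import Address Table of *module* through the debugger.

    Finds the module load address with ``lm m``, reads the IAT directory
    offset and size from the ``!dh`` header dump, then runs ``cmd`` over
    that range.

    Args:
        module: Module name as listed by ``lm``.
        cmd: Display command prefix including its trailing space
            (``main`` passes ``'dps '``).
        dep: When true, return only the dump lines that mention one of the
            names in ``dep_functions`` instead of the whole table.

    Returns:
        The debugger output as a string; in ``dep`` mode the matching lines
        joined by newlines; ``None`` when the module, its header dump or its
        IAT directory cannot be located, or when nothing matches in ``dep``
        mode.
    """
    print("[*] - %s IAT" % module)
    dep_functions = ['VirtualAllocStub', 'VirtualProtectStub', 'WriteProcessMemoryStub']

    # "lm m <name>" prints a banner line, a column-header line and then the
    # module line; the first token of that line is the load address.  Fewer
    # lines (or an empty third line) means the module is not loaded, which
    # used to raise IndexError or build a bogus "+offset" range.
    lm_lines = pykd.dbgCommand("lm m " + module).split('\n')
    module_base = lm_lines[2].split(' ')[0] if len(lm_lines) > 2 else ''
    if module_base == '':
        print("[!] - module %s not found" % module)
        return None

    # The directory line in "!dh" reads like
    #   "   1E000 [     284] address [size] of Import Address Table Directory"
    # so keep the text before the marker and take its last line.  Without
    # the marker (e.g. "!dh" could not read the headers) the old code parsed
    # an unrelated line and crashed on the missing '['.
    marker = 'Import Address Table Directory'
    dh_output = pykd.dbgCommand("!dh " + module)
    if marker not in dh_output:
        print("[!] - no header dump for %s" % module)
        return None
    iat = dh_output.split(marker)[0].split('\n')[-1]
    if iat == '':
        return None
    iat_offset = iat.split('[')[0].replace(' ', '')
    if iat_offset == '0':
        # A zero RVA means the image has no IAT directory.
        return None
    iat_size = iat.split('[')[1].split(']')[0].replace(' ', '')

    # NOTE(review): "/4" converts the byte size into an element count only
    # for 4-byte pointers; on a 64-bit target "dps" walks 8-byte slots, so
    # the range would over-read by 2x -- confirm before trusting the tail.
    dump = pykd.dbgCommand(cmd + module_base + '+' + iat_offset + ' L' + iat_size + '/4')
    if not dep:
        return dump

    # Keep every line that names one of the watched imports.  The original
    # returned from inside the nested loop, i.e. only the first such line.
    matches = [line for line in dump.split('\n')
               if any(name in line for name in dep_functions)]
    return '\n'.join(matches) if matches else None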
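def main():
    """Entry point: parse ``sys.argv`` and dump one module's IAT or all of them.

    ``sys.argv[1]`` is a module name or ``'all'``; an optional ``sys.argv[2]``
    equal to ``'dep'`` restricts the output to the watched imports (see
    ``fetch_iat``).  Prints the usage line and exits when no module is given.
    """
    if len(sys.argv) < 2:
        usage()
        sys.exit()
    dep = len(sys.argv) > 2 and sys.argv[2] == 'dep'
    cmd = 'dps '  # display-pointers command; fetch_iat appends the range
    target = sys.argv[1]
    if target != 'all':
        print(fetch_iat(target, cmd, dep))
        return
    # "lm 1m" lists one module name per line; drop the empty trailing line
    # (the original also carried a dead "module_list = []" assignment).
    module_names = [name for name in pykd.dbgCommand("lm 1m i o").split('\n') if name != '']
    for module_name in module_names:
        print(fetch_iat(module_name, cmd, dep))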
if __name__ == "__main__":
    # Only run when executed as a script (e.g. through WinDbg's !py), not on import.
    main()