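def _resolve_import_slot(process, slot_addr):
    """Resolve one IAT slot to ``[module, function]`` or ``None``.

    Reads the DWORD stored at ``slot_addr`` in the target process and asks
    winappdbg for the label of the address it points to. Slots whose target
    does not resolve to a named export (label has no function part) yield
    ``None`` so the caller can skip them.
    """
    target = process.peek_dword(slot_addr)
    label = process.get_label_at_address(target)
    module, function, _offset = Process.split_label_strict(label)
    if function is None:
        return None
    return [module, function]


def reslove_iat_pointers(pid, iat_ptrs):
    """Use winappdbg to resolve IAT pointers to their module and function names.

    Requests debug privileges, attaches to ``pid``, scans its loaded modules
    and resolves every candidate slot in ``iat_ptrs``. Because the caller's
    scanner may have missed slots, those first hits are only used to bound
    the table: every 4-byte slot between the lowest and highest resolved
    address is then re-read and that (usually more complete) table is
    returned instead.

    @param pid: process ID to attach to
    @param iat_ptrs: list of candidate IAT slot addresses to be resolved
    @return: dict mapping slot address -> [module_name, function_name] for
        every slot in the bounded range whose target resolves to a named
        export
    @raise ValueError: if none of ``iat_ptrs`` resolves to a named export,
        so the IAT bounds cannot be determined (was an ``assert`` before,
        which is silently stripped under ``python -O``)

    Caveats for users of the result:
      - Slots are read as 4-byte DWORDs and stepped by 4, i.e. this assumes
        a 32-bit target; a 64-bit IAT would need pointer-sized reads.
      - The bounded re-scan treats the IAT as contiguous; any unrelated
        readable dword between the first and last hit that happens to point
        at an export is reported too (possible false positives).
      - Every value here comes from the target's own memory. A hostile or
        packed process controls what its IAT slots point at, so treat the
        names as untrusted data, not as proof of what the code calls.
    """
    ######################################################################
    #
    # Attach to process and start using winappdbg
    #
    ######################################################################

    # Request debug privileges (SeDebugPrivilege); without it arbitrary
    # processes cannot be opened. Presumably raises if it cannot be acquired.
    System.request_debug_privileges()

    # Attach to process and lookup its modules so labels can be resolved.
    process = Process(pid)
    process.scan_modules()

    # imp_table[ <funct_pointer> ] = [ <module_name>, <function_name> ]
    imp_table = {}
    for iat_ptr in iat_ptrs:
        resolved = _resolve_import_slot(process, iat_ptr)
        # Only add functions that have valid labels
        if resolved is not None:
            imp_table[iat_ptr] = resolved

    # Explicit raise rather than assert: this is input validation and must
    # not disappear under -O. Also guards the min()/max() below against an
    # empty table.
    if not imp_table:
        raise ValueError("Unable to find imports in code!")

    ######################################################################
    #
    # Because we may have missed some IAT pointers with our scanner we
    # are going to attempt to locate the full mapped IAT directory in the
    # section then enumerate every pointer in the directory. And use that
    # list instead.
    #
    ######################################################################
    imp_table_new = {}
    first_slot = min(imp_table)
    last_slot = max(imp_table)
    # +4 so the highest resolved slot itself is included; step of 4 assumes
    # 32-bit pointer slots (see docstring).
    for iat_ptr in range(first_slot, last_slot + 4, 4):
        resolved = _resolve_import_slot(process, iat_ptr)
        if resolved is not None:
            imp_table_new[iat_ptr] = resolved

    return imp_table_new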
def print_label(pid, address):
    """Print the winappdbg label for ``address`` inside process ``pid``.

    Requests debug privileges, attaches to the process, scans its loaded
    modules and writes ``<label> == 0x<address>`` to stdout. Nothing is
    returned; the only effect is the printed line.

    @param pid: process ID to attach to
    @param address: virtual address (in the target) to resolve
    """
    # SeDebugPrivilege is needed to open processes we do not own.
    System.request_debug_privileges()

    # Attach and load the module list winappdbg resolves labels against.
    target = Process(pid)
    target.scan_modules()

    resolved = target.get_label_at_address(address)
    print("%s == 0x%.08x" % (resolved, address))
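def print_label(pid, address):
    """Print the winappdbg label for ``address`` inside process ``pid``.

    Requests debug privileges, attaches to the process, scans its loaded
    modules and writes ``<label> == 0x<address>`` to stdout. Nothing is
    returned.

    This variant used the Python 2 ``print`` statement, which is a syntax
    error on Python 3; it now uses the ``print()`` call form, which behaves
    the same on Python 2 (single argument) and Python 3 and matches the
    sibling definition of this function. If both definitions live in one
    module, the one defined later is the one that is bound at import time.

    @param pid: process ID to attach to
    @param address: virtual address (in the target) to resolve
    """
    # Request debug privileges (SeDebugPrivilege) so the process can be opened.
    System.request_debug_privileges()

    # Instance a Process object and lookup its modules.
    process = Process(pid)
    process.scan_modules()

    # Resolve the requested label address and print it.
    label = process.get_label_at_address(address)
    print("%s == 0x%.08x" % (label, address))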