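def reslove_iat_pointers(pid, iat_ptrs):
    """Use winappdbg to resolve IAT pointers to their respective module and function names
    @param pid: process ID to connect to
    @param iat_ptrs: list of pointer addresses to be resolved
    @return: dict mapping each IAT slot address to [ <module_name>, <function_name> ]
    @raise AssertionError: if none of the given pointers resolve to a labelled import

    NOTE: every slot is read with peek_dword and the table is walked in 4-byte
    steps, so this only handles 32-bit (4-byte) import tables.
    """
    ######################################################################
    #
    # Attach to process and start using winappdbg
    #
    ######################################################################
    # Debug privileges are needed to attach to and read another process;
    # scan_modules() lets winappdbg label addresses inside loaded modules.
    System.request_debug_privileges()
    process = Process(pid)
    process.scan_modules()

    # First pass: resolve only the pointers the caller's scanner found.
    # imp_table[ <funct_pointer> ] = [ <module_name>, <function_name> ]
    imp_table = {}
    for iat_ptr in iat_ptrs:
        resolved = _resolve_iat_slot(process, iat_ptr)
        if resolved is not None:
            imp_table[iat_ptr] = resolved

    # Explicit raise instead of `assert`: an assert is stripped under `python -O`,
    # which would let an empty table fall through to min()/max() below and fail
    # with a less helpful ValueError. AssertionError is kept so existing callers
    # that catch it keep working.
    if not imp_table:
        raise AssertionError("Unable to find imports in code!")

    ######################################################################
    #
    # Because we may have missed some IAT pointers with our scanner we
    # are going to attempt to locate the full mapped IAT directory in the
    # section then enumerate every pointer in the directory. And use that
    # list instead.
    #
    ######################################################################
    # Walk every 4-byte slot from the lowest to the highest resolved pointer,
    # inclusive (hence the +4 on the upper bound).
    # NOTE(review): the walk length is bounded only by the spread of the first
    # pass; a single stray far-away hit in iat_ptrs makes this range very large.
    lo = min(imp_table)
    hi = max(imp_table)
    imp_table_new = {}
    for iat_ptr in range(lo, hi + 4, 4):
        resolved = _resolve_iat_slot(process, iat_ptr)
        if resolved is not None:
            imp_table_new[iat_ptr] = resolved
    return imp_table_new


def _resolve_iat_slot(process, iat_ptr):
    """Resolve one IAT slot to [ <module_name>, <function_name> ], or None when
    the pointer stored in the slot carries no function label.
    @param process: attached winappdbg Process whose modules have been scanned
    @param iat_ptr: address of the 4-byte IAT slot to read and resolve
    """
    # The slot holds the imported function's address; ask winappdbg to label it.
    # The value comes straight from the target's memory and is untrusted input.
    target = process.peek_dword(iat_ptr)
    label = process.get_label_at_address(target)
    module, function, _offset = Process.split_label_strict(label)
    if function is None:
        return None
    return [module, function]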