Windbg script fails at alias expansion

The below windbg script always fails. I couldn’t figure out what I am doing wrong.

$$
$$ print all imported function names. ${$arg1} base address of a loaded image
$$

.block {
.expr /s c++
r $t1 = ${$arg1} + ((ntdll32!_IMAGE_DOS_HEADER*)${$arg1})->e_lfanew
r $t1 = ${$arg1} + ((ntdll32!_IMAGE_NT_HEADERS*)@$t1)->OptionalHeader.DataDirectory[1].VirtualAddress
r $t0 = 0

aS ${curImpDesc} ((Mydll_00!_IMAGE_IMPORT_DESCRIPTOR*)@$t1)[@$t0]
.while (${curImpDesc}.Name != 0) {
.printf "\n Imported Image: %ma\n", (${$arg1} + ${curImpDesc}.Name)

r $t2 = 0
r $t3 = ${$arg1} + ${curImpDesc}.OriginalFirstThunk

aS ${curThunkData} ((Mydll_00!_IMAGE_THUNK_DATA32*)@$t3)[@$t2]
.while (${curThunkData}.u1.AddressOfData != 0) {
r $t4 = ${$arg1} + ${curThunkData}.u1.AddressOfData
da &(((Mydll_00!_IMAGE_IMPORT_BY_NAME*)@$t4)->Name)
r $t2 = @$t2 + 1
}
r $t0 = @$t0 + 1
}

ad ${curImpDesc}
ad ${curThunkData}
}

==========================================================

I wrote this script to print the imported image name, followed by all the imported function names. If I run this script line by line, all goes fine and I get the expected output. But if I run it as a script file, then I get an error:

0:065:x86> $$>a< "D:\import.wds" 0x74e70000
Unexpected character in '${curImpDesc}.Name != 0) {;…

there are some serious discrepancies in the script
you are setting c++ expression and then using masm expression inside
the blocks at several places

you have a module named ntdll32
it is not clear what is that module and if it contains the relevant
type information which you are using

you are again using a module (Mydll_00) which again appears to be suspect

alias expansion needs a .block{}

and the loops are going to be troublesome to debug or provide a useful answer

why are you writing this script in first place if getting the imports
is the only requirement then windbg’s !showimports does
that for you

if you are trying to learn scripting
split your script into pieces unroll all your loop
and start with one step at a time

if you were writing it for some learning purpose adapt this script

this script was done for x86 32 bits pe file windows calc in Windows 7

$$ an arbitrary constant #defined (number of thunk entries to dump)
r $t19 = 0n10

$$ script argument Modulebase as string like 0xc0000
r? $t1 = ${$arg1}

$$ pe header of the module
r? $t2 = @$t1 + ( (ntdll!_IMAGE_DOS_HEADER *) @$t1 )->e_lfanew

$$ va of import directory
r? $t3 = ( (ntdll!_IMAGE_NT_HEADERS *) @$t2 )->OptionalHeader.DataDirectory[1].VirtualAddress

$$ dumping arbitrary imports from the module provided

r? $t5 = (ole32!IMAGE_IMPORT_DESCRIPTOR *) (@$t3+@$t1)
.printf "==================\nImports From First Dll\n==================\n"
.for(r $t18 = 0; @$t18 < @$t19; r $t18 = @$t18+1)
{
    $$ AddressOfData of thunk entry number t18 plus the module base
    r? $t6 = (((ole32!IMAGE_THUNK_DATA *) ((@$t5->OriginalFirstThunk) + @$t1) + @$t18)->u1.AddressOfData + @$t1)
    $$ a zero thunk leaves only the module base and marks the end of one list
    .if(@$t6 == @$t1)
    {
        .printf "==================\nImports from next dll\n==================\n"
    }
    $$ high bit set means the entry is an ordinal and not a name
    .elsif((@$t6 & 0x80000000) == 0x80000000)
    {
        .printf "\nimported by ordinal\n\n"
    }
    .else
    {
        ?? (char *)((ole32!IMAGE_IMPORT_BY_NAME *)@$t6)->Name
    }
}

if you execute the above script you should get 0n0 imports printed like this

0:000> $$>a< c:\impydumpy.txt 0x840000
==================
Imports From First Dll
==================
char * 0x00892352
"SHGetSpecialFolderPathW"
char * 0x0089236c
"SHGetFolderPathW"
char * 0x00892380
"ShellAboutW"

imported by ordinal

char * 0x0089238e
"ShellExecuteExW"
==================
Imports from next dll
==================

imported by ordinal

==================
Imports from next dll
==================
char * 0x008923a0
"GdipDrawLineI"
char * 0x008923b0
"GdipDrawArcI"
















On 8/14/17, xxxxx@gmail.com wrote:
> The below windbg script always fails. I couldn't figure out what I am doing
> wrong.
> ==============================================================
> $$
> $$ print all imported function names. ${$arg1} base address of a loaded image
> $$
>
> .block {
> .expr /s c++
> r $t1 = ${$arg1} + ((ntdll32!_IMAGE_DOS_HEADER*)${$arg1})->e_lfanew
> r $t1 = ${$arg1} + ((ntdll32!_IMAGE_NT_HEADERS*)@$t1)->OptionalHeader.DataDirectory[1].VirtualAddress
> r $t0 = 0
>
> aS ${curImpDesc} ((Mydll_00!_IMAGE_IMPORT_DESCRIPTOR*)@$t1)[@$t0]
> .while (${curImpDesc}.Name != 0) {
> .printf "\n Imported Image: %ma\n", (${$arg1} + ${curImpDesc}.Name)
>
> r $t2 = 0
> r $t3 = ${$arg1} + ${curImpDesc}.OriginalFirstThunk
>
> aS ${curThunkData} ((Mydll_00!_IMAGE_THUNK_DATA32*)@$t3)[@$t2]
> .while (${curThunkData}.u1.AddressOfData != 0) {
> r $t4 = ${$arg1} + ${curThunkData}.u1.AddressOfData
> da &(((Mydll_00!_IMAGE_IMPORT_BY_NAME*)@$t4)->Name)
> r $t2 = @$t2 + 1
> }
> r $t0 = @$t0 + 1
> }
>
> ad ${curImpDesc}
> ad ${curThunkData}
> }
>
> ==========================================================
>
> I wrote this script to print the imported image name, followed by all the
> imported function names. If I run this script line by line, all goes fine
> and I get the expected output. But if I run it as a script file, then I
> get an error:
>
> 0:065:x86> $$>a< "D:\import.wds" 0x74e70000
> Unexpected character in '${curImpDesc}.Name != 0) {;....
>
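The import-table walk that both scripts in this thread perform, written out as an added Python example (not code from either poster): it follows e_lfanew to DataDirectory[1], then iterates each _IMAGE_IMPORT_DESCRIPTOR and its OriginalFirstThunk array, stopping each loop at its zero terminator and reporting ordinal imports. The image bytes in build_sample() are constructed for illustration and laid out like a mapped PE32 image, so RVAs are used directly as offsets; the function names are hypothetical.

```python
import struct
ORDINAL_FLAG32 = 0x80000000  # IMAGE_ORDINAL_FLAG32: thunk holds an ordinal, not a name RVA

def u32(img, off):
    return struct.unpack_from("<I", img, off)[0]

def cstr(img, off):
    return img[off:img.index(b"\0", off)].decode("ascii")

def walk_imports(img):
    """Return [(dll, [name or '#ordinal', ...]), ...] for a mapped PE32 image."""
    nt = u32(img, 0x3C)                      # _IMAGE_DOS_HEADER.e_lfanew
    desc = u32(img, nt + 4 + 20 + 96 + 8)    # DataDirectory[1].VirtualAddress
    result = []
    while True:
        # OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        oft, _, _, name, _ = struct.unpack_from("<5I", img, desc)
        if name == 0:                        # zeroed descriptor ends the table
            return result
        funcs, thunk = [], oft
        while (data := u32(img, thunk)) != 0:    # zero thunk ends this DLL's list
            if data & ORDINAL_FLAG32:
                funcs.append("#%d" % (data & 0xFFFF))
            else:
                funcs.append(cstr(img, data + 2))  # skip IMAGE_IMPORT_BY_NAME.Hint
            thunk += 4
        result.append((cstr(img, name), funcs))
        desc += 20                           # sizeof(_IMAGE_IMPORT_DESCRIPTOR)

def build_sample():
    """Constructed sample: minimal mapped image with two import descriptors."""
    img = bytearray(0x400)
    def put(off, fmt, *vals):
        struct.pack_into(fmt, img, off, *vals)
    put(0x00, "<2s", b"MZ")
    put(0x3C, "<I", 0x80)                    # e_lfanew
    put(0x80, "<4s", b"PE\0\0")
    put(0x80 + 128, "<I", 0x200)             # import directory RVA
    put(0x200, "<5I", 0x240, 0, 0, 0x300, 0x280)   # descriptor 0
    put(0x214, "<5I", 0x250, 0, 0, 0x310, 0x290)   # descriptor 1, zeros follow
    put(0x240, "<3I", 0x320, ORDINAL_FLAG32 | 17, 0)
    put(0x250, "<2I", 0x340, 0)
    img[0x300:0x30C] = b"SHELL32.dll\0"
    img[0x310:0x31C] = b"gdiplus.dll\0"
    img[0x322:0x32E] = b"ShellAboutW\0"      # name follows the 2-byte Hint at 0x320
    img[0x342:0x350] = b"GdipDrawLineI\0"
    return bytes(img)

if __name__ == "__main__":
    print(walk_imports(build_sample()))
```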