OSR Online Lists > windbg
  Message 1 of 8  
10 May 09 15:31
Sercan ercan
xxxxxx@gmail.com
Join Date: 17 Dec 2006
Posts To This List: 19
Import Table Functions

lm shows loaded modules but how can we see import functions with Windbg? Is there a command or extension?
  Message 2 of 8  
10 May 09 15:35
Ken Johnson
xxxxxx@valhallalegends.com
Join Date: 24 Jul 2008
Posts To This List: 296
Import Table Functions

!dh <module>, read the headers to find the IAT, and dump it with dps.

- S
  Message 3 of 8  
10 May 09 16:47
Sercan ercan
xxxxxx@gmail.com
Join Date: 17 Dec 2006
Posts To This List: 19
Import Table Functions

OK, it worked. Thank you
  Message 4 of 8  
12 May 09 16:38
raj r
xxxxxx@gmail.com
Join Date: 20 Jul 2006
Posts To This List: 582
Import Table Functions

I use a dirty script to dump import names; maybe you could use it.

Copy and paste the following into a file names.txt in the windbg dir and invoke it with $$>a< names.txt "your module name"

    r $t0 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xd8)
    r $t1 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xdc)
    dps ${$arg1}+$t0 l? (($t1+4)/4)

--
thanks and regards
raj_r
--
  Message 5 of 8  
12 May 09 16:47
raj r
xxxxxx@gmail.com
Join Date: 20 Jul 2006
Posts To This List: 582
Import Table Functions

On 5/11/09, Skywing <xxxxx@valhallalegends.com> wrote:
> !dh <module>, read the headers to find the IAT, and dump it with dps.

Skywing, how robust is this almost equivalent hack?

    r $t0 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xd8)
    r $t1 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xdc)
    dps ${$arg1}+$t0 l? (($t1+4)/4)

I use it like $$>a< parse.txt user32

    0:000> $$>a< parse.txt user32
    77d41000 7c90e213 ntdll!ZwQueryVirtualMemory
    77d41004 7c937a40 ntdll!RtlUnwind
    77d41008 7c90fb3d ntdll!RtlNtStatusToDosError
    77d4100c 7c97c008 ntdll!NlsAnsiCodePage
    77d41010 7c9105d4 ntdll!RtlAllocateHeap

I would have loved to use the !dh output earlier when I wrote that script

    0:000> .shell -ci "!dh windbg" grep -i "import address"
    1000 [ 4AC] address [size] of Import Address Table Directory
    .shell: Process exited

but I can't find a way to pass that result to a subsequent command, or an easy way to strip the ] (square bracket) appended to the size.

--
  Message 6 of 8  
12 May 09 16:56
Tim Roberts
xxxxxx@probo.com
Join Date: 28 Jan 2005
Posts To This List: 487
Import Table Functions

raj_r wrote:
> i use a dirty script to dump import names maybe you could use it
>
> copy paste the following into a file names.txt in windbg dir and
> invoke with $$>a< names.txt "your module name"
>
> r $t0 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xd8)
> r $t1 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xdc)
> dps ${$arg1}+$t0 l? (($t1+4)/4)

I'm amazed you could type all of that with a straight face. Those are commands only a Perl programmer could love.

--
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
  Message 7 of 8  
12 May 09 17:44
raj r
xxxxxx@gmail.com
Join Date: 20 Jul 2006
Posts To This List: 582
Import Table Functions

On 5/13/09, Tim Roberts <xxxxx@probo.com> wrote:
> I'm amazed you could type all of that with a straight face. Those are
> commands only a Perl programmer could love.

Well, windbg scripting is sometimes worse/arcane/unwieldy/unreadable/indecipherable by many orders of magnitude than Perl.

Anyway, for the record: 0x3c is the DOS e_lfanew, 0xd8 is the Import Table Address and 0xdc is the Import Table Size.

With a bit of patience this crap of a script could be converted to use something more readable and scripted too:

    0:000> dt -co ntdll!_image_nt_headers OptionalHeader.DataDirectory[0xc]. windbg+poi(windbg+0x3c)
    OptionalHeader
       DataDirectory
          [12]
             VirtualAddress 0x1000
             Size 0x4ac

but if you notice, the input still has some ${$arg1} replacement.

--
  Message 8 of 8  
12 May 09 19:33
Ken Johnson
xxxxxx@valhallalegends.com
Join Date: 24 Jul 2008
Posts To This List: 296
Import Table Functions

I would use the image header offsets from ntdll type info, but it'd come out to be the same less 64-bit support. (Note that dwo and not poi would be more correct here as those are 32-bit fields, but the hardcoded offset breaks on 64-bit anyways as I recall.)

- S
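The offsets the thread hardcodes (0x3c, 0xd8, 0xdc) and Ken's 64-bit caveat, worked through in an added Python parser that is not the thread's script: it follows e_lfanew, picks the DataDirectory position from the optional-header magic, and returns the IAT directory entry for both PE32 and PE32+. The header bytes it parses are constructed inline for the test and are a header fragment only, not a loadable image.

```python
import struct

# PE constants from the PE/COFF spec. DataDirectory[12] is the Import
# Address Table, the entry the thread's script reads at 0xd8/0xdc.
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
IMAGE_DIRECTORY_ENTRY_IAT = 12

def iat_directory(image: bytes):
    """Return (entry offset from the NT headers, IAT RVA, IAT size).
    Same walk as the script: e_lfanew at 0x3c, then DataDirectory[12]. The
    optional-header magic fixes where DataDirectory starts (0x60 for PE32,
    0x70 for PE32+), which is why the hardcoded 0xd8 only holds for 32-bit."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20  # Signature + IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", image, opt)[0]
    dd_off = {PE32_MAGIC: 0x60, PE32PLUS_MAGIC: 0x70}.get(magic)
    if dd_off is None:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # NumberOfRvaAndSizes sits just before DataDirectory; honour it.
    if struct.unpack_from("<I", image, opt + dd_off - 4)[0] <= IMAGE_DIRECTORY_ENTRY_IAT:
        raise ValueError("image has no IAT directory entry")
    entry = opt + dd_off + IMAGE_DIRECTORY_ENTRY_IAT * 8
    rva, size = struct.unpack_from("<II", image, entry)
    return entry - e_lfanew, rva, size

def iat_slot_count(size: int, pe32plus: bool) -> int:
    """Pointer-sized IAT slots: what the script's l? ($t1+4)/4 approximates
    for 32-bit; slots are 8 bytes on 64-bit, so the count halves."""
    return size // (8 if pe32plus else 4)

def build_header(pe32plus: bool, iat_rva=0x1000, iat_size=0x4AC) -> bytes:
    """Constructed header fragment for testing (not a loadable image):
    MZ stub, PE signature, file header, optional header with 16 directories."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    dd_off = 0x70 if pe32plus else 0x60
    opt = bytearray(dd_off + 16 * 8)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<I", opt, dd_off - 4, 16)  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dd_off + IMAGE_DIRECTORY_ENTRY_IAT * 8, iat_rva, iat_size)
    file_hdr = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, len(opt), 0)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)
```

For the 32-bit header the entry lands at 0xd8 from the NT headers, matching the script; for PE32+ it lands at 0xe8, which is the case the hardcoded offset misses.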