Viewing import table from windbg

Viewing the functions that a particular DLL or executable imports can be useful in understanding more about how a component behaves. There are tools such as Dependency Walker that show this information for a binary on disk, which I won't go into here. Here we will look at how to get the same information from within windbg.

1. List the loaded modules and note the base address of the one you are interested in. (In this example I attached to notepad and want to see what modules notepad imports.)


2. Dump the header of the DLL you're interested in: !dh <module> -f


3. In the output from !dh look for the "Import Address Table Directory". In this example you can see that it is at offset "C000" from the base address.

4. Use the "dps" command to dump the pointers at that offset and resolve them to symbols. You will likely need to run dps a number of times to page through the entire import table. Since !dh also reports the size of the import table as "7F0", you can instead give dps an end address so that it displays the whole table in one go: dps ffa30000+C000 ffa30000+C000+7F0

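The same lookup that the four steps above perform by hand, as an added Python example (not code from the original post): it reads the DataDirectory entry that !dh reports as the Import Address Table Directory and walks the import descriptors to name each IAT slot, the way dps does with symbols. It models the module as loaded in memory (RVAs are offsets from the base, like base+C000 in windbg); the PE bytes are a constructed sample and the DLL and function names in it are placeholders.

```python
import struct
# Assumption: the input is a module as loaded in memory, so an RVA is a plain offset from the base
# (how windbg's "base+C000" addressing works); a file on disk would also need section-table mapping.
IMPORT_DIR, IAT_DIR = 1, 12   # IMAGE_DIRECTORY_ENTRY_IMPORT / _IAT

def nt_headers(image):
    """Return (offset of IMAGE_OPTIONAL_HEADER, pointer size: 8 for PE32+, 4 for PE32)."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    assert image[e_lfanew:e_lfanew + 4] == b"PE\0\0", "not a PE image"
    opt = e_lfanew + 24                        # PE signature (4) + COFF file header (20)
    return opt, 8 if struct.unpack_from("<H", image, opt)[0] == 0x20B else 4

def data_directory(image, index):
    """(rva, size) of DataDirectory[index]; index 12 is what !dh labels the IAT directory."""
    opt, ptr = nt_headers(image)
    return struct.unpack_from("<II", image, opt + (112 if ptr == 8 else 96) + 8 * index)

def cstr(image, off):
    return image[off:image.index(b"\0", off)].decode("ascii")

def list_imports(image):
    """Walk the import descriptors -> [(dll, function, iat_slot_rva)], like dps over the IAT."""
    ptr = nt_headers(image)[1]
    rva, out = data_directory(image, IMPORT_DIR)[0], []
    while True:
        oft, _, _, name, ft = struct.unpack_from("<IIIII", image, rva)
        if ft == 0:
            break                              # an all-zero descriptor ends the list
        lookup, i = oft or ft, 0               # OriginalFirstThunk may be 0 on old linkers
        while thunk := int.from_bytes(image[lookup + i:lookup + i + ptr], "little"):
            func = ("#%d" % (thunk & 0xFFFF) if thunk >> (ptr * 8 - 1)   # high bit: by ordinal
                    else cstr(image, thunk + 2))                         # 2-byte hint, then name
            out.append((cstr(image, name), func, ft + i))
            i += ptr
        rva += 20                              # sizeof(IMAGE_IMPORT_DESCRIPTOR)
    return out

def build_sample_image():
    """Constructed minimal PE32+ image (not a real binary) importing from KERNEL32.dll."""
    img = bytearray(0x500)
    struct.pack_into("<I", img, 0x3C, 0x80)                    # e_lfanew -> "PE\0\0"
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x98, 0x20B)                   # PE32+ magic; DataDirectory at 0x98+112
    struct.pack_into("<II", img, 0x98 + 112 + 8 * IMPORT_DIR, 0x200, 40)
    struct.pack_into("<II", img, 0x98 + 112 + 8 * IAT_DIR, 0x380, 0x20)
    struct.pack_into("<IIIII", img, 0x200, 0x300, 0, 0, 0x400, 0x380)  # one descriptor, then null
    for base in (0x300, 0x380):                                # lookup table and IAT start identical:
        struct.pack_into("<QQQQ", img, base, 0x410, 0x420, 0x8000000000000017, 0)  # 2 names, ordinal 23
    for off, s in ((0x400, b"KERNEL32.dll"), (0x410, b"\0\0CreateFileW"), (0x420, b"\0\0WriteFile")):
        img[off:off + len(s)] = s
    return bytes(img)
```

On a live module the IAT slots already hold the loader-resolved addresses that dps turns into symbols; the names here come from the import lookup table, which the loader leaves untouched.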


3 comments

  1. Igor

    That's one way..
    The way I do it is simply to open the memory window, set the data format from 'Byte' to 'Pointers and Symbols' and the address to the IAT, and there it is, clean and elegant.

    That's a good way to follow the stack while debugging too: instead of the IAT address you just write rsp (stack pointer).

  2. Sky

    This was extremely helpful. Thank you! I needed to patch a module by finding the address in the IAT.
