Viewing import table from windbg
Viewing the functions that a particular dll or executable imports can be useful in understanding more about how a component behaves.There are tools such a dependency walker which can show you this information if you point it to a static binary which I won’t go into here. Here we will look at how to get this information when using windbg.
- List loaded modules and note their base address. (In this example I attached to notepad and want to see what modules notepad imports)
2. Dump the header from the dll your interested in !dh <module> –f
3. From the output from !dh look for the the “Import Address Table Directory”. In this example you see that it is at offset “C000” from the base address.
4. Use the “dps” command to dump the address at that offset and try to resolve them to symbols. You will likely need to run dps a number of times to cycle through the entire import table. You could also see that the size of the import table is “7F0” and tell dps to display until that address [ dps ffa30000+C000 ffa30000+C000+7F0 ]
Where do I start?–Books and Blogs
Books – Although I feel I have a solid understanding windows internals, debugging and troubleshooting techniques and using Microsoft’s windbg as my preferred debugger I need to know where and how I could start to move my learning forward with regards to reversing engineering and malware analysis.
It seems these two books seem to be good books to start with which I intend to purchase shortly.
I already own Reversing and have been using it as light reading recently and so far find it a excellent read.
Some blogs and web sites I’ve been monitoring and following
Nice post on where to start @ http://computer-forensics.sans.org/blog/2010/11/12/get-started-with-malware-analysis/
Great IDA pro tutorials @ http://www.woodmann.com/TiGa/idaseries.html
Reversing labs @ http://fumalwareanalysis.blogspot.ie/p/malware-analysis-tutorials-reverse.html
Tons of past presentations on various interesting topics @ https://www.blackhat.com/html/bh-us-12/bh-us-12-archives.html
Site from the guy that runs the GREM training course for SANS – http://zeltser.com/reverse-malware/
Run by a good friend is this excellent resource for post mortem debugging and windbg @ http://dumpanalysis.org/
These are the blogs and books I’m reviewing and learning from at the moment.