Tagged: windbg PE import table

Viewing import table from windbg

Viewing the functions that a particular DLL or executable imports can be useful in understanding more about how a component behaves. There are tools such as Dependency Walker which can show you this information if you point them at a static binary, which I won't go into here. Here we will look at how to get this information from within windbg.

1. List the loaded modules and note their base addresses. (In this example I attached to notepad and want to see what modules notepad imports.)

image

2. Dump the headers of the module you're interested in: !dh <module> -f

image

<snip>

image

3. In the output from !dh look for the “Import Address Table Directory”. In this example you can see that it is at offset “C000” from the base address.

4. Use the “dps” command to dump the addresses at that offset and try to resolve them to symbols. You will likely need to run dps a number of times to cycle through the entire import table. You can also see that the size of the import table is “7F0”, so you can give dps an end address and have it display up to that point: [ dps ffa30000+C000 ffa30000+C000+7F0 ]

image
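To show the same information from the static side, here is an added Python example (not from the original post) that parses the on-disk PE headers, reads the Import Address Table Directory entry that !dh -f reports as an offset and size, and walks the import descriptors to the function names that dps resolves through symbols. By default it parses a minimal PE32+ image constructed in memory by build_sample_pe (not a real notepad binary); pass it a file path to parse a real module. One caveat worth knowing: on disk the IAT holds the same name pointers as the import name table, and it only contains the resolved function addresses that dps shows once the loader has run in a live process.

```python
import struct
import sys

# Data directory indices from the PE spec: 1 = import table, 12 = IAT.
IMPORT_DIR, IAT_DIR = 1, 12


def build_sample_pe():
    """Constructed sample: a minimal PE32+ file that imports three functions from
    two DLLs. The single section is laid out so that RVA == file offset, which is a
    simplification for the sample, not a property of real binaries."""
    img = bytearray(0x1400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                      # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    coff = 0x84
    # Machine=AMD64, 1 section, SizeOfOptionalHeader=240, Characteristics=EXECUTABLE|LARGE_ADDRESS_AWARE
    struct.pack_into("<HHIIIHH", img, coff, 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = coff + 20
    struct.pack_into("<H", img, opt, 0x20B)                      # PE32+ magic
    struct.pack_into("<I", img, opt + 108, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<8sIIII", img, opt + 240, b".rdata", 0x400, 0x1000, 0x400, 0x1000)
    desc, int_cur, iat_cur, names = 0x1000, 0x1040, 0x1070, 0x10A0
    imports = [("KERNEL32.dll", ["WriteFile", "CreateFileW"]), ("USER32.dll", ["MessageBoxW"])]
    for i, (dll, funcs) in enumerate(imports):
        oft, ft = int_cur, iat_cur
        for f in funcs:
            hint_name = names                                    # WORD hint (0) + ASCIIZ name
            img[names + 2:names + 2 + len(f)] = f.encode()
            names = (names + 2 + len(f) + 2) & ~1                # keep entries WORD aligned
            struct.pack_into("<Q", img, int_cur, hint_name)      # import name table entry
            struct.pack_into("<Q", img, iat_cur, hint_name)      # IAT entry (identical on disk)
            int_cur, iat_cur = int_cur + 8, iat_cur + 8
        int_cur, iat_cur = int_cur + 8, iat_cur + 8              # null terminator thunks
        img[names:names + len(dll)] = dll.encode()
        struct.pack_into("<IIIII", img, desc + 20 * i, oft, 0, 0, names, ft)
        names = (names + len(dll) + 2) & ~1
    dd = opt + 112                                               # PE32+ data directory array
    struct.pack_into("<II", img, dd + 8 * IMPORT_DIR, desc, 20 * (len(imports) + 1))
    struct.pack_into("<II", img, dd + 8 * IAT_DIR, 0x1070, iat_cur - 0x1070)
    return bytes(img)


def _rva_to_offset(rva, sections):
    for va, size, raw_ptr in sections:
        if va <= rva < va + size:
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is outside every section")


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def parse_imports(data):
    """Return (iat_rva, iat_size, {dll: [function names]}) for a PE image on disk."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    is64 = struct.unpack_from("<H", data, opt)[0] == 0x20B
    dd = opt + (112 if is64 else 96)                   # data directory start differs for PE32/PE32+
    sections = []
    for i in range(nsec):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, raw_size), raw_ptr))
    import_rva = struct.unpack_from("<II", data, dd + 8 * IMPORT_DIR)[0]
    iat_rva, iat_size = struct.unpack_from("<II", data, dd + 8 * IAT_DIR)
    thunk_fmt, thunk_size = ("<Q", 8) if is64 else ("<I", 4)
    ordinal_flag = 1 << (63 if is64 else 31)
    result = {}
    desc = _rva_to_offset(import_rva, sections)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0 and ft == 0:                  # all-zero descriptor ends the table
            break
        dll = _cstr(data, _rva_to_offset(name_rva, sections))
        thunk = _rva_to_offset(oft or ft, sections)    # name table if present, else the IAT
        funcs = []
        while True:
            entry = struct.unpack_from(thunk_fmt, data, thunk)[0]
            if entry == 0:
                break
            if entry & ordinal_flag:
                funcs.append(f"Ordinal {entry & 0xFFFF}")
            else:
                funcs.append(_cstr(data, _rva_to_offset(entry, sections) + 2))  # skip WORD hint
            thunk += thunk_size
        result[dll] = funcs
        desc += 20
    return iat_rva, iat_size, result


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    iat_rva, iat_size, imports = parse_imports(data)
    print(f"Import Address Table Directory: offset {iat_rva:X}, size {iat_size:X}")
    for dll, funcs in imports.items():
        for f in funcs:
            print(f"  {dll}!{f}")
```

The offset and size printed for the IAT directory are the two numbers you read off !dh, and the dll!function lines are what dps shows once the process is running and symbols resolve; walking the import name table rather than the IAT is what makes this work on a file that has not been loaded.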
