Wednesday, 20 October 2010

windbg: view IAT table of kernel modules

This time we'll be looking for functions and their addresses in the IAT (Import Address Table) of a kernel module, e.g. Ntfs.sys.

The first thing you need to do in windbg is view the module's file headers and get the IAT address:


0: kd> !dh -f ntfs
File Type: EXECUTABLE IMAGE 
FILE HEADER VALUES
       0  DLL characteristics
       0 [       0] address [size] of Export Directory
   86674 [      50] address [size] of Import Directory
   17B80 [     51C] address [size] of Import Address Table Directory
............................................................................


Then you need to find out the module's start address:


0: kd> lm m ntfs
start    end        module name
b9e35000 b9ec1600   Ntfs       (deferred)


Now that you know the IAT directory address (an RVA) and the module's start address, you can view the whole list of functions in the IAT of the Ntfs module by dumping memory at start + RVA:



0: kd> dds b9e35000+17b80
b9e4cb80  806e69f0 hal!KeAcquireInStackQueuedSpinLock
b9e4cb84  806e6940 hal!ExAcquireFastMutex
b9e4cb88  806e6aa8 hal!KeReleaseQueuedSpinLock
b9e4cb8c  806e6a4c hal!KeAcquireQueuedSpinLock
b9e4cb90  806e6900 hal!KfReleaseSpinLock
b9e4cb94  806e699c hal!ExTryToAcquireFastMutex
b9e4cb98  806e6974 hal!ExReleaseFastMutex
b9e4cb9c  806e6aa0 hal!KeReleaseInStackQueuedSpinLock
b9e4cba0  806e6830 hal!KfAcquireSpinLock
b9e4cba4  00000000
b9e4cba8  b9ec3022 KSecDD!GenerateSessionKey
b9e4cbac  b9ec2fdc KSecDD!EfsGenerateKey
b9e4cbb0  b9ec3002 KSecDD!GenerateDirEfs
b9e4cbb4  b9ec28f4 KSecDD!InitSecurityInterfaceW
b9e4cbb8  b9ec3012 KSecDD!EfsDecryptFek
b9e4cbbc  00000000
b9e4cbc0  8054705c nt!ExRaiseStatus
b9e4cbc4  804ec29a nt!FsRtlNormalizeNtstatus
b9e4cbc8  804e41b4 nt!CcFlushCache
b9e4cbcc  80535b9e nt!ExIsResourceAcquiredExclusiveLite
b9e4cbd0  8052e79c nt!RtlInitUnicodeString
b9e4cbd4  80546168 nt!InterlockedPopEntrySList
b9e4cbd8  8054618c nt!RtlpInterlockedPushEntrySList
b9e4cbdc  804f7e92 nt!KeQuerySystemTime
b9e4cbe0  80546210 nt!RtlCompareMemory
b9e4cbe4  8056d1b6 nt!FsRtlAreNamesEqual
b9e4cbe8  804eb004 nt!FsRtlCheckLockForWriteAccess




As you may have noticed, it lists not only functions from ntoskrnl.exe: Ntfs imports from a few modules, namely hal.dll, KSecDD and ntoskrnl.exe (each module's block of entries in the dump is terminated by a 00000000 slot). To confirm this, we can use the PETools utility (see the screenshot below):




By the way, if you are too lazy to use windbg :-) you can use PETools instead.
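As an added example (not part of the original post), here is a small Python script that does the same arithmetic and walks a `dds` dump offline: it computes start + IAT RVA, splits the table into the zero-terminated per-module thunk arrays visible in the output above, and flags non-zero slots that windbg could not resolve to any symbol. The sample input is constructed from the post's own addresses plus one made-up `deadbeef` slot.

```python
import re
from collections import OrderedDict

# Constructed sample input, modelled on the windbg session in the post:
# `lm m ntfs` gives the module start, `!dh -f` gives the IAT RVA, and
# `dds start+rva` dumps the table. The final `deadbeef` slot is made up.
LM_LINE = "b9e35000 b9ec1600   Ntfs       (deferred)"
IAT_RVA = 0x17B80
DDS_OUTPUT = """\
b9e4cb80  806e69f0 hal!KeAcquireInStackQueuedSpinLock
b9e4cb84  806e6940 hal!ExAcquireFastMutex
b9e4cb88  00000000
b9e4cb8c  b9ec3022 KSecDD!GenerateSessionKey
b9e4cb90  b9ec2fdc KSecDD!EfsGenerateKey
b9e4cb94  00000000
b9e4cb98  8054705c nt!ExRaiseStatus
b9e4cb9c  deadbeef
"""

DDS_RE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]{8})(?:\s+(\S+))?\s*$")


def iat_address(lm_line, iat_rva):
    """Virtual address of the IAT: module start (from `lm`) plus the RVA from `!dh`."""
    base = int(lm_line.split()[0], 16)
    return base + iat_rva


def parse_dds(text):
    """Turn `dds` lines into (slot, value, symbol-or-None) tuples."""
    matches = (DDS_RE.match(line.strip()) for line in text.splitlines())
    return [(int(m.group(1), 16), int(m.group(2), 16), m.group(3)) for m in matches if m]


def group_by_module(entries):
    """Split the IAT into per-DLL thunk arrays; each array ends with a zero slot."""
    groups, current = OrderedDict(), []
    for _slot, value, symbol in entries + [(0, 0, None)]:  # sentinel flushes the last array
        if value == 0:
            if current:
                groups[current[0].split("!")[0]] = [s.split("!", 1)[1] for s in current]
            current = []
        elif symbol:
            current.append(symbol)
    return groups


def unresolved_slots(entries):
    """Non-zero slots that resolve to no module symbol: a pointer outside every loaded module."""
    return [(slot, value) for slot, value, symbol in entries if value and not symbol]
```

Paste a full `dds` dump into DDS_OUTPUT and any slot reported by unresolved_slots() is one to inspect by hand, since a healthy IAT entry should always land inside an exporting module.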

1 comment:

  1. You can use pykd. There are two ready-made scripts for listing the exports and imports of a given module:
    3: kd> !py iat kernel32 *Ks*
    Module: kernel32 base: 760d0000 end: 761a4000
    IAT RVA: 1000 Size: de8
    ========================
    ntdll!RtlAcquireSRWLockShared
    ntdll!RtlReleaseSRWLockShared

    3: kd> !py export kernel32 Rt*Mem*
    Module: kernel32 base: 760d0000 end: 761a4000
    Export RVA: b4da8 Size: a915
    ========================
    RtlFillMemory
    RtlMoveMemory
    RtlZeroMemory

    Profit: you can do all of it without leaving the debugger
