Symbol Address (windbg + Javascript)
"use strict;"
//
// Test.js
//
// NOTE(review): the line above is NOT the strict-mode directive. The semicolon
// sits inside the quotes, so it is an ordinary (no-op) string expression and
// the script runs in sloppy mode. That is why the undeclared assignments below
// (command, result, addr_string, addr) silently become globals. Change it to
// `"use strict";` only together with declaring those locals; otherwise every
// assignment to an undeclared name throws a ReferenceError at runtime.
//
// Usage:
//
// .load jsprovider.dll
// .scriptload Test.js
// dx Debugger.State.Scripts.Test.Contents.Test(0x1)
//
/**
 * Run one debugger command through the WinDbg data-model host.
 *
 * @param {string} cmd_str - the command exactly as it would be typed at the prompt.
 * @returns {*} the host's ExecuteCommand result, unmodified (an iterable of output lines).
 */
function exec_command(cmd_str)
{
    const control = host.namespace.Debugger.Utility.Control;
    return control.ExecuteCommand(cmd_str);
}
/**
 * Evaluate `(unsigned __int64)(&sym)` through host.evaluateExpression.
 *
 * NOTE: Test() in this file records that this did not resolve `nt!...` names
 * for the author; get_symbol_address() is the alternative that worked.
 *
 * @param {string} sym - symbol name, e.g. "nt!NtQueryInformationToken".
 * @returns {*} whatever host.evaluateExpression returns for that expression.
 */
function gsa(sym)
{
    const expr = `(unsigned __int64)(&${sym})`;
    return host.evaluateExpression(expr);
}
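/**
 * Get Symbol Address.
 *
 * Resolves `sym_module!sym_name` by running the debugger command
 * `x /0 <module>!<symbol>` and parsing the address on its first output line.
 *
 * Args:
 *   - sym_module (string): name of the module in which the symbol lies.
 *   - sym_name (string): name of the symbol for which to get the address.
 * Returns:
 *   - The address of the symbol (the value of host.parseInt64) if it resolves,
 *     otherwise null: empty or unsafe arguments, no output, or an output line
 *     that does not start with an address.
 *
 * Security note: both arguments are spliced into a debugger command line and
 * `;` separates commands in WinDbg, so a name such as "bar; .shell ..." would
 * run a second, arbitrary debugger command. Names containing `;`, whitespace
 * or `*` are therefore rejected before anything is executed (`*` is a wildcard
 * for `x`, which would silently yield the first of many matches instead of the
 * requested symbol).
 */
function get_symbol_address(sym_module, sym_name)
{
    // basic input check.
    if (!sym_module || !sym_name) {
        host.diagnostics.debugLog("get_symbol_address: sym_module or sym_name can't be empty.\n");
        return null;
    }
    // refuse anything that could extend or broaden the command (see the security note above).
    const unsafe = /[\s;*]/;
    if (unsafe.test(sym_module) || unsafe.test(sym_name)) {
        host.diagnostics.debugLog("get_symbol_address: sym_module/sym_name must not contain whitespace, ';' or '*'.\n");
        return null;
    }
    // build the command, e.g. "x /0 nt!ObTypeIndexTable"
    const command = "x /0 " + sym_module + "!" + sym_name;
    // ExecuteCommand yields the output lines; only the first one matters here.
    // Iterating instead of calling .First() also copes with an empty result.
    let first_line = null;
    for (const line of exec_command(command)) {
        first_line = String(line);
        break;
    }
    if (first_line === null) {
        return null;
    }
    // A resolved symbol prints its address first, e.g. "fffff803`e8ae9b70"
    // (8 hex digits on 32-bit targets, 8`8 on 64-bit). The original code saw one
    // trailing character after it, hence its "drop the last char" workaround;
    // trimming plus an anchored match handles that without guessing the length.
    // Indented text or an error message does not match and means "unresolved".
    const match = /^([0-9a-fA-F]{8}(?:`[0-9a-fA-F]{8})?)(?![0-9A-Za-z])/.exec(first_line.trim());
    if (match === null) {
        return null;
    }
    // host.parseInt64 takes a plain hex string; drop WinDbg's 32-bit group separator.
    const hex = match[1].replace("`", "");
    return host.parseInt64(hex, 16);
}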
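/**
 * Smoke test for the helpers above: resolves a handful of symbols with both
 * host.getModuleSymbolAddress and get_symbol_address and prints the results.
 *
 * Invoke from the debugger with
 *   dx Debugger.State.Scripts.Test.Contents.Test(0x1)
 *
 * @param {*} devObjParam - unused; kept so the documented dx invocation keeps working.
 */
function Test(devObjParam) {
    // Get easy access to the debug output method.
    const dbgOutput = host.diagnostics.debugLog;
    // Cases the author found working with the built-in resolver.
    let addr = host.getModuleSymbolAddress('ntdll', 'RtlAllocateHeap');
    dbgOutput("addr: ", addr, "\n");
    addr = host.getModuleSymbolAddress('nt', 'NtQueryInformationToken');
    dbgOutput("addr: ", addr, "\n");
    // Cases the author recorded as NOT working (kept as a note rather than dead code):
    //   host.getModuleSymbolAddress('nt', 'ObTypeIndexTable')
    //   gsa("nt!NtQueryInformationToken")
    // get_symbol_address() resolved the first three below for the author; the
    // last two exercise its null result for an unknown module and an empty one.
    addr = get_symbol_address("nt", "ObTypeIndexTable");
    dbgOutput("nt!ObTypeIndexTable: ", addr, "\n");
    addr = get_symbol_address("ntfs", "NtfsData");
    dbgOutput("ntfs!NtfsData: ", addr, "\n");
    addr = get_symbol_address("nt", "NtQueryInformationToken");
    dbgOutput("nt!NtQueryInformationToken: ", addr, "\n");
    addr = get_symbol_address("foo", "bar");
    dbgOutput("foo!Bar: ", addr, "\n");
    addr = get_symbol_address("", "bar");
    dbgOutput("!Bar: ", addr, "\n");
}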