
Find IAT using WinDbg

You can find the Import Address Table (IAT) of an application and the list of imported functions by attaching WinDbg to the process and following the steps below.

Find the module in WinDbg

lm

Dump the header of the module

!dh <module_address> -f

In the output of !dh, look for the Import Address Table Directory entry, which contains the offset value and the size.

Use the IAT offset and the IAT size as follows to list the imported functions

dps <module_address>+<IAT_offset_address> <module_address>+<IAT_offset_address>+<sizeof_IAT>
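
The offset and size that !dh reports come from the module's PE optional header. The following added example (not part of the original page) reads the same Import Address Table Directory entry from a header buffer and builds the dps command in the form shown above. The function names, the sample header and the base address are constructed for illustration.

```python
import struct

IAT_DIR_INDEX = 12  # IMAGE_DIRECTORY_ENTRY_IAT slot in the PE data directory array

def iat_directory(image: bytes):
    """Return (rva, size, pointer_size) of the IAT directory from PE headers."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20          # skip PE signature and 20-byte COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic == 0x10B:               # PE32: NumberOfRvaAndSizes at offset 92
        count_off, ptr_size = 92, 4
    elif magic == 0x20B:             # PE32+: NumberOfRvaAndSizes at offset 108
        count_off, ptr_size = 108, 8
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (count,) = struct.unpack_from("<I", image, opt + count_off)
    if count <= IAT_DIR_INDEX:
        raise ValueError("image has no IAT directory entry")
    entry = opt + count_off + 4 + 8 * IAT_DIR_INDEX   # each entry: RVA, size
    rva, size = struct.unpack_from("<II", image, entry)
    return rva, size, ptr_size

def dps_command(base: int, image: bytes) -> str:
    """Build the dps range for a module loaded at `base`."""
    rva, size, _ = iat_directory(image)
    if size == 0:
        raise ValueError("IAT directory is empty")
    return f"dps {base:#x}+{rva:#x} {base:#x}+{rva:#x}+{size:#x}"

def build_sample_header(rva: int, size: int) -> bytes:
    """Constructed minimal PE32+ header; only the fields read above are set."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)           # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 24
    struct.pack_into("<H", buf, opt, 0x20B)           # PE32+ magic
    struct.pack_into("<I", buf, opt + 108, 16)        # NumberOfRvaAndSizes
    struct.pack_into("<II", buf, opt + 112 + 8 * IAT_DIR_INDEX, rva, size)
    return bytes(buf)

if __name__ == "__main__":
    sample = build_sample_header(0x2000, 0x1A8)       # constructed values
    print(dps_command(0x7FF612340000, sample))        # constructed base address
```

The pointer size returned by iat_directory gives the number of IAT slots as size divided by pointer size, which is the number of lines to expect from dps.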

Reference: tom’s reversing viewing imports