{"id":7609,"date":"2011-12-01T12:20:48","date_gmt":"2011-12-01T11:20:48","guid":{"rendered":"https:\/\/www.corelan.be\/?p=7609"},"modified":"2011-12-01T12:20:48","modified_gmt":"2011-12-01T11:20:48","slug":"roads-iat","status":"publish","type":"post","link":"https:\/\/www.corelan.be\/index.php\/2011\/12\/01\/roads-iat\/","title":{"rendered":"Many roads to IAT"},"content":{"rendered":"

Introduction<\/h3>\n

A few days ago a friend approached me and asked how he could see the import address table under immunity debugger and if this could be done using the command line.<\/p>\n

I figured this would be a good time to take a look at what the IAT is, how we can list the IAT and what common reversing hurdles could be with regards to the IAT.<\/p>\n

Let\u2019s see first what is IAT and why it\u2019s good to know what is in there.<\/p>\n

IAT stands for Import Address Table and according to wikipedia<\/a>,<\/p>\n

\u201cOne section of note is the import address table<\/em> (IAT), which is used as a lookup table when the application is calling a function in a different module. It can be in form of both import by ordinal and import by name<\/a>. Because a compiled program cannot know the memory location of the libraries it depends upon, an indirect jump is required whenever an API call is made. As the dynamic linker loads modules and joins them together, it writes actual addresses into the IAT slots, so that they point to the memory locations of the corresponding library functions. Though this adds an extra jump over the cost of an intra-module call resulting in a performance penalty, it provides a key benefit: The number of memory pages that need to be copy-on-write changed by the loader is minimized, saving memory and disk I\/O time. If the compiler knows ahead of time that a call will be inter-module (via a dllimport attribute) it can produce more optimized code that simply results in an indirect call opcode<\/a>.\u201d<\/p><\/blockquote>\n

By knowing what\u2019s inside IAT we can identify functions that are called from other modules in a program, look for possibly unwanted or strange behavior ( cases on virus \/ malware ) make the code under the debugger easier to read and find address location from functions of interest ( VirtualAlloc<\/a><\/strong>, HeapCreate<\/strong>, SetProcessDEPPolicy, NtSetInformationProcess, VirtualProtect, WriteProcessMemory<\/strong><\/strong><\/strong><\/strong> ). In case you haven't figured it out, you can use those functions to bypass DEP<\/a>. Having an accurate pointer in the IAT to one of the functions will make it trivial to call the function in a ROP chain.<\/p>\n

 <\/p>\n

How can we query or list entries in the IAT ?<\/h3>\n

Windbg<\/h4>\n

Windbg is many times the debugger of my choice, not because it\u2019s the easiest to use, but mostly I got used to the interface and the fast response. Doing things under windbg in most cases will take far less time, if you know the way and far more time if you are trying to find your way now.<\/p>\n

After launching windbg, this is what you'll get:<\/p>\n

\"windbg\"<\/a><\/p>\n

You can start a debugging process under windbg by launching an application in the debugger (File - Open) or by attaching the debugger to a running application (File - Attach). For the purpose of this example we are going to use notepad.exe as test file,<\/p>\n

\"\"<\/a><\/p>\n

windbg will load the modules and it will stop just before the execution of the program waiting for command. All modules loaded at this moment can be viewed in the screen.<\/p>\n

As opposed to the other two debuggers, windbg lacks the easy drop down menu commands and identifying IAT requires a bit more time. First we need to locate the address of the Import Address Table in our executable, to do so the command !dh will be used:<\/p>\n

\"\"<\/a><\/p>\n

!dh command will D<\/span>isplay the Headers of the requested module, (more for the commands at : http:\/\/windbg.info\/doc\/1-common-cmds.html<\/a>) where we can identify the location, address of IAT. In my example IAT for notepad is located at memory address 1000 of the module notepad.exe.<\/p>\n

Dumping the content of the address we need to add the image base of our file plus the memory address of the IAT table, this can be done easily using two ways, either by using \u201cdps notepad+1000 l1000\/8 \u201c or by giving the image base address, \u201cdps 00c10000+1000 l1000\/8 \u201c. dps command stands for d<\/strong>isplay p<\/strong>ointer-s<\/strong>ized contents of memory in the given range.<\/p>\n

The output of the dps command will give us a lengthy result with the contents of the IAT table and the location of the functions.<\/p>\n

\"\"<\/a><\/p>\n

Another method again for windbg and a bit more elegant is described at http:\/\/www.osronline.com\/showthread.cfm?link=155938<\/a>, using the following windbg script,<\/p>\n

\n
1: r $t0 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xd8)\n2: r $t1 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xdc)\n3: dps ${$arg1}+$t0 l? (($t1+4)\/4)<\/pre>\n<\/div>\n
saving the script under a name, eg: test1.txt in windbg directory and calling the script from windbg with $$>a< test1.txt notepad, we will have the following output on the debugger:<\/p>\n
0:000> $$>a<<\/span> test1.txt notepad\n00121000  760e14d6 ADVAPI32!RegSetValueExWStub\n00121004  760e46ad ADVAPI32!RegQueryValueExWStub\n00121008  760e469d ADVAPI32!RegCloseKeyStub\n0012100c  760e1514 ADVAPI32!RegCreateKeyW\n00121010  760e468d ADVAPI32!RegOpenKeyExWStub\n00121014  760e448e ADVAPI32!IsTextUnicode\n00121018  760e369c ADVAPI32!CloseServiceHandleStub\n0012101c  760db537 ADVAPI32!QueryServiceConfigWStub\n00121020  760dca4c ADVAPI32!OpenServiceWStub\n00121024  760dca64 ADVAPI32!OpenSCManagerWStub\n00121028  00000000\n0012102c  763d55de kernel32!FindNLSStringStub\n00121030  763ba125 kernel32!GlobalAllocStub\n00121034  763ba183 kernel32!GlobalUnlock\n00121038  763ba235 kernel32!GlobalLock\n0012103c  763bafc0 kernel32!GetTimeFormatW\n00121040  763bb1a2 kernel32!GetDateFormatW\n00121044  763baaef kernel32!GetLocalTimeStub\n00121048  763b2b7b kernel32!GetUserDefaultUILanguageStub\n0012104c  763bc3c0 kernel32!HeapFree\n00121050  77a82dd6 ntdll!RtlAllocateHeap\n00121054  763bfcdd kernel32!GetProcessHeapStub\n00121058  763bbdad kernel32!GetFileInformationByHandleStub\n0012105c  763bc452 kernel32!InterlockedExchangeStub\n00121060  763b0368 kernel32!FreeLibraryAndExitThreadStub\n00121064  763c4c14 kernel32!GetFileAttributesWStub\n00121068  763ffd71 kernel32!Wow64RevertWow64FsRedirectionStub\n... <<\/span>snip<\/span>><\/span> ...\n001213e0  77a64168 ntdll!RtlInitUnicodeString\n001213e4  77a760f8 ntdll!NtQueryLicenseValue\n001213e8  77a504a5 ntdll!WinSqmAddToStream\n001213ec  00000000\n001213f0  74f91a15 VERSION!GetFileVersionInfoExW\n001213f4  74f918e9 VERSION!GetFileVersionInfoSizeExW\n001213f8  74f91b51 VERSION!VerQueryValueW\n001213fc  00000000\n00121400  90909090<\/pre>\n
 <\/p>\n
Common commands for windbg, http:\/\/blogs.msdn.com\/b\/willy-peter_schaub\/archive\/2009\/11\/27\/common-windbg-commands-reference.aspx<\/p>\n
 <\/p>\n
OllyDBG<\/h4>\n
Much simpler than windbg, ollydbg will easily display the IAT using the following steps :<\/p>\n
\"\"<\/a><\/p>\n
Load the executable of your choice, then from the View menu option we select \u201cexecutable modules\u201d. Next, from the window with the modules, right click on the module that you want to query, and select \u201cView Names\u201d<\/p>\n
\"\"<\/a><\/p>\n
This will produce the following output:<\/p>\n
Names in notepad\nAddress    Section    Type    (  Name                                    Comment\n00C113D4   .text      Import     OLEAUT32.#2\n00C113C8   .text      Import     COMCTL32.#345\n00C113D0   .text      Import     OLEAUT32.#6\n00C11178   .text      Import  (  GDI32.AbortDoc\n00C11310   .text      Import     msvcrt._acmdln\n00C11308   .text      Import     msvcrt._amsg_exit\n00C11324   .text      Import  (  msvcrt._cexit\n00C11238   .text      Import  (  USER32.CharNextW\n00C111CC   .text      Import  (  USER32.CharUpperW\n00C1123C   .text      Import  (  USER32.CheckMenuItem\n00C11274   .text      Import  (  USER32.ChildWindowFromPoint\n00C11348   .text      Import  (  COMDLG32.ChooseFontW\n00C11240   .text      Import  (  USER32.CloseClipboard\n00C1112C   .text      Import  (  KERNEL32.CloseHandle\n00C11388   .text      Import     WINSPOOL.ClosePrinter\n00C11018   .text      Import     ADVAPI32.CloseServiceHandle\n00C113A0   .text      Import     ole32.CoCreateInstance\n00C113A8   .text      Import     ole32.CoInitialize\n00C11394   .text      Import     ole32.CoInitializeEx\n00C11350   .text      Import  (  COMDLG32.CommDlgExtendedError\n... <<\/span>snip<\/span>><\/span> ...\n00C112F4   .text      Import  (  msvcrt.wcsrchr\n00C110A8   .text      Import  (  KERNEL32.WideCharToMultiByte\n00C1126C   .text      Import  (  USER32.WinHelpW\n00C113E8   .text      Import     ntdll.WinSqmAddToStream\n00C113DC   .text      Import     ntdll.WinSqmIncrementDWORD\n00C1106C   .text      Import     KERNEL32.Wow64DisableWow64FsRedirectio\n00C11068   .text      Import     KERNEL32.Wow64RevertWow64FsRedirection\n00C110B0   .text      Import  (  KERNEL32.WriteFile\n00C112E4   .text      Import  (  msvcrt._wtol\n00C1131C   .text      Import     msvcrt._XcptFilter<\/pre>\n
 <\/p>\n
Immunity Debugger<\/h4>\n
Immunity debugger is based on Ollydbg so the same process for displaying the IAT of a module under Ollydbg applies to it as well.<\/p>\n
Since Immunity debugger has support for python scripting, we can use the great mona.py python script from Corelan Team (download here: http:\/\/redmine.corelan.be\/projects\/mona<\/a> manual can be found here : https:\/\/www.corelan.be\/index.php\/2011\/07\/14\/mona-py-the-manual\/<\/a> ).<\/p>\n
Let\u2019s see what options we have.<\/p>\n
First of all mona.py includes in the latest version a new function called \u201cgetiat\u201d making the process of enumerating the IAT table of all loaded modules a very easy process.<\/p>\n
\"\"<\/a><\/p>\n
Running mona.py with getiat function will give us the following results:<\/p>\n
Log data\nAddress    Message\n75F91340   At 0x75f91340 in rpcrt4.dll (base + 0x00001340) : 0x763bd7b5 (ptr to api-ms-win-core-processthreads-l1-1-0.getcurrentprocessid)\n75F910E8   At 0x75f910e8 in rpcrt4.dll (base + 0x000010e8) : 0x77a752c8 (ptr to ntdll.ntallocateuuids)\n75F9117C   At 0x75f9117c in rpcrt4.dll (base + 0x0000117c) : 0x77a75348 (ptr to ntdll.ntalpccreatesectionview)\n75F910EC   At 0x75f910ec in rpcrt4.dll (base + 0x000010ec) : 0x77a76218 (ptr to ntdll.ntquerysystemtime)\n75F91144   At 0x75f91144 in rpcrt4.dll (base + 0x00001144) : 0x77a52fc6 (ptr to ntdll.tpallocalpccompletionex)\n75F910F0   At 0x75f910f0 in rpcrt4.dll (base + 0x000010f0) : 0x77a6206f (ptr to ntdll.etweventenabled)\n75F91228   At 0x75f91228 in rpcrt4.dll (base + 0x00001228) : 0x763a8d68 (ptr to api-ms-win-core-handle-l1-1-0.sethandleinformation)\n75F910F4   At 0x75f910f4 in rpcrt4.dll (base + 0x000010f4) : 0x77aa9d5b (ptr to ntdll.etweventwritetransfer)\n75F910F8   At 0x75f910f8 in rpcrt4.dll (base + 0x000010f8) : 0x77a427d7 (ptr to ntdll.etweventactivityidcontrol)\n75F912D4   At 0x75f912d4 in rpcrt4.dll (base + 0x000012d4) : 0x75dc7ac4 (ptr to api-ms-win-core-memory-l1-1-0.virtualfree)\n75F9118C   At 0x75f9118c in rpcrt4.dll (base + 0x0000118c) : 0x77a76708 (ptr to ntdll.ntsetiocompletionex)\n75F910FC   At 0x75f910fc in rpcrt4.dll (base + 0x000010fc) : 0x77a75338 (ptr to ntdll.ntalpccreateresourcereserve)\n75F91414   At 0x75f91414 in rpcrt4.dll (base + 0x00001414) : 0x75dc99af (ptr to api-ms-win-security-base-l1-1-0.equalsid)\n75F91300   At 0x75f91300 in rpcrt4.dll (base + 0x00001300) : 0x75de3c94 (ptr to api-ms-win-core-namedpipe-l1-1-0.getnamedpipeclientcomputernamew)\n... <<\/span>snip<\/span>><\/span> ...\n747111EC   At 0x747111ec in comctl32.dll (base + 0x000011ec) : 0x765a72c0 (ptr to gdi32.bitblt)\n747111F0   At 0x747111f0 in comctl32.dll (base + 0x000011f0) : 0x765a5ddf (ptr to gdi32.getstockobject)\n747111F4   At 0x747111f4 in comctl32.dll (base + 0x000011f4) : 0x765af4e3 (ptr to gdi32.createpen)\n747111F8   At 0x747111f8 in comctl32.dll (base + 0x000011f8) : 0x765afc35 (ptr to gdi32.getcharwi<\/pre>\n
Making things even easier, mona.py has the ability to search for a specific function using the \u201c-s\" parameter, so the command \u201c!mona getiat \u2013s *virtualalloc*\u201d will give us these result:<\/p>\n
 <\/p>\n
           ---------- Mona command started on 2011-10-19 11:54:18 ----------\n0BADF00D   [+] Processing arguments and criteria\n0BADF00D       - Pointer access level : X\n0BADF00D   [+] Generating module info table, hang on...\n0BADF00D       - Processing modules\n0BADF00D       - Done. Let's rock 'n roll.\n0BADF00D   [+] Querying 22 modules\n0BADF00D   [+] Preparing log file 'iatsearch.txt'\n0BADF00D       - (Re)setting logfile c:\\logs\\notepad\\iatsearch.txt\n76371818   At 0x76371818 in kernel32.dll (base + 0x00001818) : 0x75df3691 (ptr to kernelbase.virtualallocexnuma)\n76371914   At 0x76371914 in kernel32.dll (base + 0x00001914) : 0x75dc7a4f (ptr to api-ms-win-core-memory-l1-1-0.virtualalloc)\n76371918   At 0x76371918 in kernel32.dll (base + 0x00001918) : 0x75dc7a08 (ptr to api-ms-win-core-memory-l1-1-0.virtualallocex)\n77BA11BC   At 0x77ba11bc in msvcrt.dll (base + 0x000011bc) : 0x75dc7a4f (ptr to api-ms-win-core-memory-l1-1-0.virtualalloc)\n7695143C   At 0x7695143c in ole32.dll (base + 0x0000143c) : 0x75dc7a4f (ptr to api-ms-win-core-memory-l1-1-0.virtualalloc)\n76AB12F8   At 0x76ab12f8 in shell32.dll (base + 0x000012f8) : 0x75dc7a4f (ptr to api-ms-win-core-memory-l1-1-0.virtualalloc)\n75F912C4   At 0x75f912c4 in rpcrt4.dll (base + 0x000012c4) : 0x75dc7a4f (ptr to api-ms-win-core-memory-l1-1-0.virtualalloc)\n726512C8   At 0x726512c8 in winspool.drv (base + 0x000012c8) : 0x763bc43a (ptr to virtualalloc)\n760D16D0   At 0x760d16d0 in advapi32.dll (base + 0x000016d0) : 0x763ac783 (ptr to kernel32.virtualallocex)\n           [+] This mona.py action took 0:00:00.844000<\/pre>\n
 <\/p>\n
IDA Pro<\/h4>\n
Listing IAT under IDA pro, is much more straight forward than in other debuggers.<\/p>\n
After loading our executable in the debugger\/disassembler we can view the import table by either going at menu options,<\/p>\n
\"\"<\/a><\/p>\n
or directly from the imports tab<\/p>\n
\"\"<\/a><\/p>\n
 <\/p>\n
You can find more info on IAT at<\/p>\n