LyScript

Appearance

Module interface

In a program, a module refers to an independent code unit used to implement specific functions or tasks. Modules can contain program components such as variables, functions, and classes, and can be referenced and reused by other programs or modules. The plugin provides various function support for module operations.

Get Module functions

get_module_base

To obtain the base address of a specified module, the get_module_base function can be used, which takes one parameter and defaults to kernelbase.dll, indicating the name of the module to obtain the base address.

python
>>> base = dbg.get_module_base("kernelbase.dll")
>>> hex(base)
'0x753e0000'
>>>
>>> base = dbg.get_module_base("kernel32.dll")
>>> hex(base)
'0x76f40000'

get_module_proc_addr

Obtaining the memory address of a specified function in a module can be achieved by calling the get_module_proc_addr function, which passes in a module name and a string of function names within the module, and successfully returns the memory address of the function.

python
>>> messagebox = dbg.get_module_proc_addr("user32.dll","MessageBoxA")
>>> hex(messagebox)
'0x75d11f70'
>>>
>>> messagebox = dbg.get_module_proc_addr("user32.dll","MessageBoxW")
>>> hex(messagebox)
'0x75d123a0'

get_base_from_address

Based on the incoming address, the first address of the module can be obtained by calling get_base_from_address. This function passes in the current address and returns the base address of that address upon successful execution.

python
>>> eip = dbg.get_eip()
>>> hex(eip)
'0x776ef127'
>>>
>>> base = dbg.get_base_from_address(eip)
>>> hex(base)
'0x77640000'
>>>
>>> eip = 0x00F015BB
>>> base = dbg.get_base_from_address(eip)
>>> hex(base)
'0xf00000'

get_base_from_name

Obtain the first address of the module based on the passed in module name, call the get_base_from_name function, and pass in the corresponding module name. Successfully execute and return the first address of the module.

python
>>> base = dbg.get_base_from_name("user32.dll")
>>> hex(base)
'0x75c90000'
>>>
>>> base = dbg.get_base_from_name("Win32Project.exe")
>>> hex(base)
'0xf00000'

get_size_from_address

Based on the incoming memory address, the module size is obtained. By calling the get_size_from_address function and passing in the module address, the successful execution returns the module size.

python
>>> eip = dbg.get_eip()
>>>
>>> size = dbg.get_size_from_address(eip)
>>> size
28672
>>>
>>> eip = 0x6DC8100A
>>> size = dbg.get_size_from_address(eip)
>>> size
974848

get_size_from_name

Obtain the module size based on the passed in module name, call the get_size_from_name function, pass in the module name, and successfully execute to return the module size.

python
>>> size = dbg.get_size_from_name("user32.dll")
>>> size
1675264
>>>
>>> size = dbg.get_size_from_name("kernelbase.dll")
>>> size
2072576

get_oep_from_address

Obtain the entry address of the module based on the incoming address, and call the get_oep_from_address function, which takes a memory address and returns the entry OEP address of the module after successful execution.

python
>>> eip = dbg.get_eip()
>>> hex(eip)
'0xf01415'
>>>
>>> address = dbg.get_oep_from_address(eip)
>>> hex(address)
'0xf015bb'

get_oep_from_name

Obtain the entry address of the module based on the passed in module name, and call the get_oep_from_name function, which takes a module name string and returns the entry OEP address of the module after successful execution.

python
>>> address = dbg.get_oep_from_name("user32.dll")
>>> hex(address)
'0x75cce990'
>>>
>>> address = dbg.get_oep_from_name("kernelbase.dll")
>>> hex(address)
'0x754eb9a0'
>>>
>>> address = dbg.get_oep_from_name("kernel32.dll")
>>> hex(address)
'0x76f5fd70'

get_path_from_name

Obtain the absolute path where the module is located based on the passed in module name, and call the get_path_from_name function, which takes a module name string and returns the detailed module path after successful execution.

python
>>> path = dbg.get_path_from_name("kernel32.dll")
>>> path
b'C:\\Windows\\SysWOW64\\kernel32.dll'
>>>
>>> path = dbg.get_path_from_name("kernelbase.dll")
>>> path
b'C:\\Windows\\SysWOW64\\KernelBase.dll'
>>>
>>> path = dbg.get_path_from_name("Win32Project.exe")
>>> path
b'C:\\Win32Project.exe'

get_path_from_addr

Obtain the complete path of the module based on the incoming module address, and call the get_path_from_addr function, which takes an address and returns the detailed path of the module upon successful execution.

python
>>> eip = dbg.get_eip()
>>> hex(eip)
'0xf01415'
>>>
>>> path = dbg.get_path_from_addr(eip)
>>> path
b'C:\\Win32Project.exe'

get_name_from_addr

Obtain the module name based on the incoming module address, and call either the get_name_from_addr function or the get_module_at function, both of which accept an address and return the module name upon successful execution.

python
>>> eip = dbg.get_eip()
>>> hex(eip)
'0xf01415'
>>>
>>> name = dbg.get_name_from_addr(eip)
>>> name
b'win32project.exe'
>>>
>>> name = dbg.get_name_from_addr(0x753E1014)
>>> name
b'kernelbase.dll'
>>>
>>> name = dbg.get_module_at(0x753E1014)
>>> name
'kernelbase'

get_main_module_

By calling this series of functions, users can obtain relevant information about the current module they are loading, such as the module path, module name, module base address, module entry address, module size, and other parameters. This function does not require any parameters to be passed in, and the call will return the corresponding information.

python
>>> path = dbg.get_main_module_path()
>>> name = dbg.get_main_module_name()
>>> base = dbg.get_main_module_base()
>>> entry = dbg.get_main_module_entry()
>>> size = dbg.get_main_module_size()
>>>
>>> path
'C:\\Win32Project.exe'
>>> name
'win32project.exe'
>>> hex(base)
'0xf00000'
>>> hex(entry)
'0xf015bb'
>>> size
28672

Get Memory Section

get_section

Input the memory address and output the complete section table information under the current module. By calling the get_section function, this function takes a memory address and outputs the section table information of the module at the corresponding memory address. The function returns a nested list dictionary, allowing users to parse the section table according to their needs.

python
>>> base = dbg.get_main_module_base()
>>> hex(base)
'0xf00000'
>>>
>>> section_list = dbg.get_section(base)
>>>
>>> section_list
[
	{'Address': 15732736, 'Name': '.text', 'Size': 2932}, 
	{'Address': 15736832, 'Name': '.rdata', 'Size': 1962}, 
	{'Address': 15740928, 'Name': '.data', 'Size': 1304}, 
	{'Address': 15745024, 'Name': '.rsrc', 'Size': 7584}, 
	{'Address': 15753216, 'Name': '.reloc', 'Size': 392}
]
>>>
>>> section_list[0].get("Name")
'.text'
>>> section_list[0].get("Address")
15732736

get_main_module_section_count

Get the number of section tables in the module itself, this function does not require parameter passing and will return a section table count upon call.

python
>>> count = dbg.get_main_module_section_count()
>>> count
5

get_section_count_from_name

By passing in the module name, the number of sections in the module can be obtained. By calling the get_section_count_from_name function, the user only needs to pass in the name of the module in the process to read how many sections there are in the module.

python
>>> count = dbg.get_section_count_from_name("kernelbase.dll")
>>> count
6
>>>
>>> count = dbg.get_section_count_from_name("Win32Project.exe")
>>> count
5

get_section_count_from_address

By passing in the module address, the number of sections in the module can be obtained. By calling the get_section_count_from_address function, the user only needs to pass in the address of the module in the process to read how many sections there are in the module.

python
>>> eip = dbg.get_eip()
>>> hex(eip)
'0x776ef127'
>>>
>>> count = dbg.get_section_count_from_address(eip)
>>> count
7
>>> eip = dbg.get_eip()
>>> hex(eip)
'0xf015bb'
>>>
>>> count = dbg.get_section_count_from_address(eip)
>>> count
5

get_section_from_addr

Passing in the memory address returns the section information. By calling the get_section_from_addr function, which takes two parameters, parameter 1 passes in a memory address, and parameter 2 passes in the section number to be obtained. The default number starts from 0, and different numbers represent different sections.

python
>>> eip = dbg.get_eip()
>>> hex(eip)
'0xf015bb'
>>>
>>> section = dbg.get_section_from_addr(eip,0)
>>> section
{'Address': 15732736, 'Size': 2932, 'Name': '.text'}
>>>
>>> section = dbg.get_section_from_addr(eip,1)
>>> section
{'Address': 15736832, 'Size': 1962, 'Name': '.rdata'}
>>>
>>> section = dbg.get_section_from_addr(eip,2)
>>> section
{'Address': 15740928, 'Size': 1304, 'Name': '.data'}

get_section_from_name

Passing in the module name will return section information. By calling the get_section_from_name function (which takes two parameters), parameter 1 passes in the module name, and parameter 2 passes in the section number to be obtained. The default number starts from 0, and different numbers represent different parts.

python
>>> dbg.get_section_from_name("user32.dll",0)
{'Address': 1976111104, 'Size': 666666, 'Name': '.text'}
>>>
>>> dbg.get_section_from_name("user32.dll",1)
{'Address': 1976778752, 'Size': 5066, 'Name': '.data'}

get_section_list_from_addr

Read all section tables at the specified memory address, call the get_section_list_from_addr function, pass in a memory address, and the function returns the entire section table information at the module where the address is located.

python
>>> eip = dbg.get_eip()
>>> hex(eip)
'0xf015bb'
>>>
>>> section = dbg.get_section_list_from_addr(eip)
>>>
>>> for index in section:
...     print(index)
...
{'Address': 15732736, 'Name': '.text', 'Size': 2932}
{'Address': 15736832, 'Name': '.rdata', 'Size': 1962}
{'Address': 15740928, 'Name': '.data', 'Size': 1304}
{'Address': 15745024, 'Name': '.rsrc', 'Size': 7584}
{'Address': 15753216, 'Name': '.reloc', 'Size': 392}

get_section_list_from_name

Based on the input module name, read all section tables and call the get_section_list_from_name function. Pass in the module name, and the function returns the entire section table information of the module where the address is located.

python
>>> section = dbg.get_section_list_from_name("user32.dll")
>>>
>>> for index in section:
...     print("Address = {:08} | Name = {}".format(hex(index.get("Address")),index.get("Name")))
...
Address = 0x75c91000 | Name = .text
Address = 0x75d34000 | Name = .data
Address = 0x75d36000 | Name = .idata
Address = 0x75d3f000 | Name = .didat
Address = 0x75d40000 | Name = .rsrc
Address = 0x75e22000 | Name = .reloc

Get Memory Module

get_module

Retrieve all module information of the current loading process, and load all module information by calling the get_module function. This function has no parameter passing and returns a list nested dictionary upon successful execution. Users can extract the corresponding fields for use.

python
>>> module_list = dbg.get_module()
>>>
>>> module_list[0]
{
	'Base': 15728640, 
	'Entry': 15734203, 
	'Name': 'win32project.exe', 
	'Path': 'C:\\Win32Project.exe', 
	'Size': 28672
}
>>>
>>> module_list[0].get("Name")
'win32project.exe'
>>>
>>> module_list[0].get("Path")
'C:\\Win32Project.exe'

get_info_from_addr

Pass in the memory address to obtain the memory information, and call the get_info_from_addr function, which takes in an address information and returns dictionary type information after successful execution.

python
>>> eip = dbg.get_eip()
>>> hex(eip)
'0xf015bb'
>>>
>>> info = dbg.get_info_from_addr(eip)
>>> info
{
	'Address': 15728640, 
	'Size': 28672, 
	'SectionCount': 5, 
	'Name': 'win32project.exe', 
	'Path': 'D:\\Win32Project.exe'
}

get_info_from_name

Pass in the module name to obtain memory information, and call the get_info_from_name function, which receives the module name information and returns the dictionary type information after successful execution.

python
>>> dbg.get_info_from_name("user32.dll")
{
	'Address': 1976107008, 
	'Size': 1675264,
	'SectionCount': 6,
	'Name': 'user32.dll',
	'Path': 'C:\\Windows\\SysWOW64\\user32.dll'
}

get_main_module_info

Retrieve the current process's main module information and call the get_main_module_info function, which does not require parameter passing and successfully returns its own module information.

python
>>> dbg.get_main_module_info()
{
	'Address': 15728640,
	'Size': 28672,
	'Name': 'win32project.exe'
}

get_module_import

Obtain the import table information of the specified module. By calling the get_module_import function, the import table information of the specified module can be read. This function accepts and passes in a string type module name, and returns a list nested dictionary. Users can extract data as needed.

python
>>> imports = dbg.get_module_import("win32project.exe")
>>>
>>> imports[1]
{
	'Name': 'EndDialog', 
	'UndecoratedName': '', 
	'IatVA': 15736984, 
	'IatRVA': 8344, 
	'Ordinal': -1
}
>>>
>>> imports[1].get("Name")
'EndDialog'

get_module_export

Obtain the export table information of the specified module. By calling the get_module_export function, the export table information of the specified module can be read. This function accepts and passes in a string type module name, and returns a list nested dictionary. Users can extract data as needed.

python
>>> exports = dbg.get_module_export("user32.dll")
>>>
>>> exports[0]
{
	'Name': 'Ordinal#1502', 
	'ForwardName': '', 
	'UndecorateName': '', 
	'Forwarded': 0, 
	'Va': 1976522304, 
	'Rva': 415296, 
	'Ordinal': 1502
}