Appearance
Module interface
In a program, a module refers to an independent code unit used to implement specific functions or tasks. Modules can contain program components such as variables, functions, and classes, and can be referenced and reused by other programs or modules. The plugin provides various function support for module operations.
Get Module functions
get_module_base
To obtain the base address of a specified module, the get_module_base
function can be used, which takes one parameter and defaults to kernelbase.dll, indicating the name of the module to obtain the base address.
python
>>> base = dbg.get_module_base("kernelbase.dll")
>>> hex(base)
'0x753e0000'
>>>
>>> base = dbg.get_module_base("kernel32.dll")
>>> hex(base)
'0x76f40000'
get_module_proc_addr
Obtaining the memory address of a specified function in a module can be achieved by calling the get_module_proc_addr
function, which passes in a module name and a string of function names within the module, and successfully returns the memory address of the function.
python
>>> messagebox = dbg.get_module_proc_addr("user32.dll","MessageBoxA")
>>> hex(messagebox)
'0x75d11f70'
>>>
>>> messagebox = dbg.get_module_proc_addr("user32.dll","MessageBoxW")
>>> hex(messagebox)
'0x75d123a0'
get_base_from_address
Based on the incoming address, the first address of the module can be obtained by calling get_base_from_address
. This function passes in the current address and returns the base address of that address upon successful execution.
python
>>> eip = dbg.get_eip()
>>> hex(eip)
'0x776ef127'
>>>
>>> base = dbg.get_base_from_address(eip)
>>> hex(base)
'0x77640000'
>>>
>>> eip = 0x00F015BB
>>> base = dbg.get_base_from_address(eip)
>>> hex(base)
'0xf00000'
get_base_from_name
Obtain the first address of the module based on the passed in module name, call the get_base_from_name
function, and pass in the corresponding module name. Successfully execute and return the first address of the module.
python
>>> base = dbg.get_base_from_name("user32.dll")
>>> hex(base)
'0x75c90000'
>>>
>>> base = dbg.get_base_from_name("Win32Project.exe")
>>> hex(base)
'0xf00000'
get_size_from_address
Based on the incoming memory address, the module size is obtained. By calling the get_size_from_address
function and passing in the module address, the successful execution returns the module size.
python
>>> eip = dbg.get_eip()
>>>
>>> size = dbg.get_size_from_address(eip)
>>> size
28672
>>>
>>> eip = 0x6DC8100A
>>> size = dbg.get_size_from_address(eip)
>>> size
974848
get_size_from_name
Obtain the module size based on the passed in module name, call the get_size_from_name
function, pass in the module name, and successfully execute to return the module size.
python
>>> size = dbg.get_size_from_name("user32.dll")
>>> size
1675264
>>>
>>> size = dbg.get_size_from_name("kernelbase.dll")
>>> size
2072576
get_oep_from_address
Obtain the entry address of the module based on the incoming address, and call the get_oep_from_address
function, which takes a memory address and returns the entry OEP address of the module after successful execution.
python
>>> eip = dbg.get_eip()
>>> hex(eip)
'0xf01415'
>>>
>>> address = dbg.get_oep_from_address(eip)
>>> hex(address)
'0xf015bb'
get_oep_from_name
Obtain the entry address of the module based on the passed in module name, and call the get_oep_from_name
function, which takes a module name string and returns the entry OEP address of the module after successful execution.
python
>>> address = dbg.get_oep_from_name("user32.dll")
>>> hex(address)
'0x75cce990'
>>>
>>> address = dbg.get_oep_from_name("kernelbase.dll")
>>> hex(address)
'0x754eb9a0'
>>>
>>> address = dbg.get_oep_from_name("kernel32.dll")
>>> hex(address)
'0x76f5fd70'
get_path_from_name
Obtain the absolute path where the module is located based on the passed in module name, and call the get_path_from_name
function, which takes a module name string and returns the detailed module path after successful execution.
python
>>> path = dbg.get_path_from_name("kernel32.dll")
>>> path
b'C:\\Windows\\SysWOW64\\kernel32.dll'
>>>
>>> path = dbg.get_path_from_name("kernelbase.dll")
>>> path
b'C:\\Windows\\SysWOW64\\KernelBase.dll'
>>>
>>> path = dbg.get_path_from_name("Win32Project.exe")
>>> path
b'C:\\Win32Project.exe'
get_path_from_addr
Obtain the complete path of the module based on the incoming module address, and call the get_path_from_addr
function, which takes an address and returns the detailed path of the module upon successful execution.
python
>>> eip = dbg.get_eip()
>>> hex(eip)
'0xf01415'
>>>
>>> path = dbg.get_path_from_addr(eip)
>>> path
b'C:\\Win32Project.exe'
get_name_from_addr
Obtain the module name based on the incoming module address, and call either the get_name_from_addr
function or the get_module_at
function, both of which accept an address and return the module name upon successful execution.
python
>>> eip = dbg.get_eip()
>>> hex(eip)
'0xf01415'
>>>
>>> name = dbg.get_name_from_addr(eip)
>>> name
b'win32project.exe'
>>>
>>> name = dbg.get_name_from_addr(0x753E1014)
>>> name
b'kernelbase.dll'
>>>
>>> name = dbg.get_module_at(0x753E1014)
>>> name
'kernelbase'
get_main_module_
By calling this series of functions, users can obtain relevant information about the current module they are loading, such as the module path
, module name
, module base
address, module entry
address, module size
, and other parameters. This function does not require any parameters to be passed in, and the call will return the corresponding information.
python
>>> path = dbg.get_main_module_path()
>>> name = dbg.get_main_module_name()
>>> base = dbg.get_main_module_base()
>>> entry = dbg.get_main_module_entry()
>>> size = dbg.get_main_module_size()
>>>
>>> path
'C:\\Win32Project.exe'
>>> name
'win32project.exe'
>>> hex(base)
'0xf00000'
>>> hex(entry)
'0xf015bb'
>>> size
28672
Get Memory Section
get_section
Input the memory address and output the complete section table information under the current module. By calling the get_section
function, this function takes a memory address and outputs the section table information of the module at the corresponding memory address. The function returns a nested list dictionary, allowing users to parse the section table according to their needs.
python
>>> base = dbg.get_main_module_base()
>>> hex(base)
'0xf00000'
>>>
>>> section_list = dbg.get_section(base)
>>>
>>> section_list
[
{'Address': 15732736, 'Name': '.text', 'Size': 2932},
{'Address': 15736832, 'Name': '.rdata', 'Size': 1962},
{'Address': 15740928, 'Name': '.data', 'Size': 1304},
{'Address': 15745024, 'Name': '.rsrc', 'Size': 7584},
{'Address': 15753216, 'Name': '.reloc', 'Size': 392}
]
>>>
>>> section_list[0].get("Name")
'.text'
>>> section_list[0].get("Address")
15732736
get_main_module_section_count
Get the number of section tables in the module itself, this function does not require parameter passing and will return a section table count upon call.
python
>>> count = dbg.get_main_module_section_count()
>>> count
5
get_section_count_from_name
By passing in the module name, the number of sections in the module can be obtained. By calling the get_section_count_from_name
function, the user only needs to pass in the name of the module in the process to read how many sections there are in the module.
python
>>> count = dbg.get_section_count_from_name("kernelbase.dll")
>>> count
6
>>>
>>> count = dbg.get_section_count_from_name("Win32Project.exe")
>>> count
5
get_section_count_from_address
By passing in the module address, the number of sections in the module can be obtained. By calling the get_section_count_from_address
function, the user only needs to pass in the address of the module in the process to read how many sections there are in the module.
python
>>> eip = dbg.get_eip()
>>> hex(eip)
'0x776ef127'
>>>
>>> count = dbg.get_section_count_from_address(eip)
>>> count
7
>>> eip = dbg.get_eip()
>>> hex(eip)
'0xf015bb'
>>>
>>> count = dbg.get_section_count_from_address(eip)
>>> count
5
get_section_from_addr
Passing in the memory address returns the section information. By calling the get_section_from_addr
function, which takes two parameters, parameter 1 passes in a memory address, and parameter 2 passes in the section number to be obtained. The default number starts from 0, and different numbers represent different sections.
python
>>> eip = dbg.get_eip()
>>> hex(eip)
'0xf015bb'
>>>
>>> section = dbg.get_section_from_addr(eip,0)
>>> section
{'Address': 15732736, 'Size': 2932, 'Name': '.text'}
>>>
>>> section = dbg.get_section_from_addr(eip,1)
>>> section
{'Address': 15736832, 'Size': 1962, 'Name': '.rdata'}
>>>
>>> section = dbg.get_section_from_addr(eip,2)
>>> section
{'Address': 15740928, 'Size': 1304, 'Name': '.data'}
get_section_from_name
Passing in the module name will return section information. By calling the get_section_from_name
function (which takes two parameters), parameter 1 passes in the module name, and parameter 2 passes in the section number to be obtained. The default number starts from 0, and different numbers represent different parts.
python
>>> dbg.get_section_from_name("user32.dll",0)
{'Address': 1976111104, 'Size': 666666, 'Name': '.text'}
>>>
>>> dbg.get_section_from_name("user32.dll",1)
{'Address': 1976778752, 'Size': 5066, 'Name': '.data'}
get_section_list_from_addr
Read all section tables at the specified memory address, call the get_section_list_from_addr
function, pass in a memory address, and the function returns the entire section table information at the module where the address is located.
python
>>> eip = dbg.get_eip()
>>> hex(eip)
'0xf015bb'
>>>
>>> section = dbg.get_section_list_from_addr(eip)
>>>
>>> for index in section:
... print(index)
...
{'Address': 15732736, 'Name': '.text', 'Size': 2932}
{'Address': 15736832, 'Name': '.rdata', 'Size': 1962}
{'Address': 15740928, 'Name': '.data', 'Size': 1304}
{'Address': 15745024, 'Name': '.rsrc', 'Size': 7584}
{'Address': 15753216, 'Name': '.reloc', 'Size': 392}
get_section_list_from_name
Based on the input module name, read all section tables and call the get_section_list_from_name
function. Pass in the module name, and the function returns the entire section table information of the module where the address is located.
python
>>> section = dbg.get_section_list_from_name("user32.dll")
>>>
>>> for index in section:
... print("Address = {:08} | Name = {}".format(hex(index.get("Address")),index.get("Name")))
...
Address = 0x75c91000 | Name = .text
Address = 0x75d34000 | Name = .data
Address = 0x75d36000 | Name = .idata
Address = 0x75d3f000 | Name = .didat
Address = 0x75d40000 | Name = .rsrc
Address = 0x75e22000 | Name = .reloc
Get Memory Module
get_module
Retrieve all module information of the current loading process, and load all module information by calling the get_module
function. This function has no parameter passing and returns a list nested dictionary upon successful execution. Users can extract the corresponding fields for use.
python
>>> module_list = dbg.get_module()
>>>
>>> module_list[0]
{
'Base': 15728640,
'Entry': 15734203,
'Name': 'win32project.exe',
'Path': 'C:\\Win32Project.exe',
'Size': 28672
}
>>>
>>> module_list[0].get("Name")
'win32project.exe'
>>>
>>> module_list[0].get("Path")
'C:\\Win32Project.exe'
get_info_from_addr
Pass in the memory address to obtain the memory information, and call the get_info_from_addr
function, which takes in an address information and returns dictionary type information after successful execution.
python
>>> eip = dbg.get_eip()
>>> hex(eip)
'0xf015bb'
>>>
>>> info = dbg.get_info_from_addr(eip)
>>> info
{
'Address': 15728640,
'Size': 28672,
'SectionCount': 5,
'Name': 'win32project.exe',
'Path': 'D:\\Win32Project.exe'
}
get_info_from_name
Pass in the module name to obtain memory information, and call the get_info_from_name
function, which receives the module name information and returns the dictionary type information after successful execution.
python
>>> dbg.get_info_from_name("user32.dll")
{
'Address': 1976107008,
'Size': 1675264,
'SectionCount': 6,
'Name': 'user32.dll',
'Path': 'C:\\Windows\\SysWOW64\\user32.dll'
}
get_main_module_info
Retrieve the current process's main module information and call the get_main_module_info
function, which does not require parameter passing and successfully returns its own module information.
python
>>> dbg.get_main_module_info()
{
'Address': 15728640,
'Size': 28672,
'Name': 'win32project.exe'
}
get_module_import
Obtain the import table information of the specified module. By calling the get_module_import
function, the import table information of the specified module can be read. This function accepts and passes in a string type module name, and returns a list nested dictionary. Users can extract data as needed.
python
>>> imports = dbg.get_module_import("win32project.exe")
>>>
>>> imports[1]
{
'Name': 'EndDialog',
'UndecoratedName': '',
'IatVA': 15736984,
'IatRVA': 8344,
'Ordinal': -1
}
>>>
>>> imports[1].get("Name")
'EndDialog'
get_module_export
Obtain the export table information of the specified module. By calling the get_module_export
function, the export table information of the specified module can be read. This function accepts and passes in a string type module name, and returns a list nested dictionary. Users can extract data as needed.
python
>>> exports = dbg.get_module_export("user32.dll")
>>>
>>> exports[0]
{
'Name': 'Ordinal#1502',
'ForwardName': '',
'UndecorateName': '',
'Forwarded': 0,
'Va': 1976522304,
'Rva': 415296,
'Ordinal': 1502
}