|
|
|
|
#1
11-20-2016, 04:57
|
|||
|
|||
|
OW Imports
by: qwerty9384 / bloodwrath released: 11.13.2016 summary: this plugin adds the 'oiu' command to x64dbg. executing the command with the IAT's base address will label all obfuscated winapi imports and log the address / label names in the x64dbg log tab. generated labels are automatically deleted once you stop debugging. behavior is undefined if used on any other address or if you run the command more than once per debug session. note: the IAT is dynamically built some time between the second TLS callback and the creation of the second thread. how to use: 1. click on the "Memory Map" tab in x64dbg. 2. find the first region (lowest address) of virtual memory of size 0x3000. it's always near the top of the mem map table. 3. go to this region's base address in the disassembly view. 4. you should see something like this: 00000000000B0000 | 48 | MOVABS RAX, iphlpapi.7FEF9F73F33 | 00000000000B000A | 48 | ADD RAX, 39F9 | 00000000000B0010 | 71 | JNO B0014 | 5. click the base address, press 'ALT+INSERT' to copy the address. 6. press 'CTRL+ENTER' to focus the cmd line. 7. type 'oiu ', paste the address, press enter. 8. check the log for the import name / address dump. 9. all labels will be automatically removed when you stop debugging. http://www.mediafire.com/file/5zorao...ats.me%5D_.zip 
|
| The Following User Says Thank You to mak For This Useful Post: | ||
Indigo (07-19-2019) | ||
 |
| Thread Tools | |
| Display Modes | |
|
|
Similar Threads
|
||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| using x64_dbg | rcer | General Discussion | 8 | 09-06-2015 08:28 |
Hybrid Mode
