Now we will need to select all the API names, copy them to the clipboard, and save them to a text file. This will give us an output as seen below.

0087E000 7C865B1F kernel32.GetSystemTimeAsFileTime
0087E014 7C80BC06 kernel32.GetModuleFileNameA
0087E040 7C90FE01 ntdll.

Now we will need to open up the memory dump in IDA. The memory image base will need to be changed to the start of the allocated memory. In the example above the base address was 0x00870000. To do this in IDA click on Edit, Segments, Rebase program..., then add the address to the value field. Odds are when IDA loaded the file up it identified code. If not you will need to find the entry point or an address that we know is code and press 'c'. Cool. If we are lucky IDA will have found some jmps to some dwords. Now we just need to rename the dwords to the API name that we exported from Ollydbg. This is pretty easy using Python and IDA.
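The renaming step above, as an added IDAPython example (not the author's script): it parses the saved OllyDbg listing in the "address resolved module.api" format shown, skips truncated lines with no API name, and names each dword in the rebased dump. It assumes the IDA 7+ idc API (idc.create_dword, idc.set_name, idc.SN_NOWARN) and a hypothetical path to the saved text file; the sample listing is constructed from the lines on the page.

```python
import re
from typing import Callable, Dict, List, Tuple

# One entry of the OllyDbg export: dword address, resolved API address, module, API name.
ApiEntry = Tuple[int, int, str, str]

# Constructed sample in the page's format. The third line deliberately has no
# API name, mirroring the truncated ntdll line in the listing above.
SAMPLE_EXPORT = """\
0087E000 7C865B1F kernel32.GetSystemTimeAsFileTime
0087E014 7C80BC06 kernel32.GetModuleFileNameA
0087E040 7C90FE01 ntdll.
"""

LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{8})\s+(\w+)\.(\w*)\s*$")

def parse_olly_export(text: str) -> List[ApiEntry]:
    """Parse the saved listing; unrecognised or name-less lines are skipped."""
    entries: List[ApiEntry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group(4):
            continue  # nothing to name on this line
        entries.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3), m.group(4)))
    return entries

def rename_dwords(entries: List[ApiEntry], set_name: Callable[[int, str], bool]) -> Dict[int, str]:
    """Name each dword. If the bare API name is rejected (already used in the
    database, e.g. the same export from two modules), fall back to module_api."""
    applied: Dict[int, str] = {}
    for ea, _resolved, module, api in entries:
        for candidate in (api, f"{module}_{api}"):
            if set_name(ea, candidate):
                applied[ea] = candidate
                break
    return applied

def run_in_ida(path: str) -> Dict[int, str]:
    """Run from IDA's script window. Because the dump was rebased to its original
    allocation address, the OllyDbg addresses map directly onto the database."""
    import idc  # only available inside IDA
    with open(path) as f:
        entries = parse_olly_export(f.read())
    def set_name(ea: int, name: str) -> bool:
        idc.create_dword(ea)  # make sure the slot is a dword, not stray code
        return bool(idc.set_name(ea, name, idc.SN_NOWARN))
    return rename_dwords(entries, set_name)
```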