Feature: Import Address Table

[forensicxlab]

Hello,

This new plugin can be used to extract the Import Address Table from a process to identify the API/functions used by the program. Useful to identify some of the capabilities of a PE and orient the later reverse code analysis phase.

Details here: https://www.forensicxlab.com/posts/voliat/

Example output:

~» vol -r pretty -f Triage-Memory.mem windows.iat --pid 3496
Volatility 3 Framework 2.5.1
Formatting...0.00               PDB scanning finished                        
  |  PID |           Name |      Library | Bound |                        Function |  Address
* | 3496 | UWkpjFjDzM.exe |   MSVCRT.dll | False |                            _iob | 0x80c0c8
* | 3496 | UWkpjFjDzM.exe |   MSVCRT.dll | False |                _except_handler3 | 0x80c0cc
* | 3496 | UWkpjFjDzM.exe |   MSVCRT.dll | False |                  __set_app_type | 0x80c0d0
* | 3496 | UWkpjFjDzM.exe |   MSVCRT.dll | False |                      __p__fmode | 0x80c0d4
* | 3496 | UWkpjFjDzM.exe |   MSVCRT.dll | False |                    __p__commode | 0x80c0d8
* | 3496 | UWkpjFjDzM.exe |   MSVCRT.dll | False |                    _adjust_fdiv | 0x80c0dc
* | 3496 | UWkpjFjDzM.exe |   MSVCRT.dll | False |                __setusermatherr | 0x80c0e0
* | 3496 | UWkpjFjDzM.exe |   MSVCRT.dll | False |                       _initterm | 0x80c0e4
* | 3496 | UWkpjFjDzM.exe |   MSVCRT.dll | False |                   __getmainargs | 0x80c0e8
* | 3496 | UWkpjFjDzM.exe |   MSVCRT.dll | False |                   __p___initenv | 0x80c0ec
* | 3496 | UWkpjFjDzM.exe |   MSVCRT.dll | False |                     _XcptFilter | 0x80c0f0
* | 3496 | UWkpjFjDzM.exe |   MSVCRT.dll | False |                           _exit | 0x80c0f4
* | 3496 | UWkpjFjDzM.exe |   MSVCRT.dll | False |                         _onexit | 0x80c0f8
* | 3496 | UWkpjFjDzM.exe |   MSVCRT.dll | False |                     __dllonexit | 0x80c0fc
* | 3496 | UWkpjFjDzM.exe |   MSVCRT.dll | False |                         strrchr | 0x80c100
* | 3496 | UWkpjFjDzM.exe |   MSVCRT.dll | False |                         wcsncmp | 0x80c104
* | 3496 | UWkpjFjDzM.exe |   MSVCRT.dll | False |                          _close | 0x80c108
* | 3496 | UWkpjFjDzM.exe |   MSVCRT.dll | False |                          wcslen | 0x80c10c
* | 3496 | UWkpjFjDzM.exe |   MSVCRT.dll | False |                          wcscpy | 0x80c110
* | 3496 | UWkpjFjDzM.exe |   MSVCRT.dll | False |                        strerror | 0x80c114
* | 3496 | UWkpjFjDzM.exe |   MSVCRT.dll | False |                            modf | 0x80c118
* | 3496 | UWkpjFjDzM.exe |   MSVCRT.dll | False |                          strspn | 0x80c11c
* | 3496 | UWkpjFjDzM.exe |   MSVCRT.dll | False |                         realloc | 0x80c120
* | 3496 | UWkpjFjDzM.exe |   MSVCRT.dll | False |                    __p__environ | 0x80c124
* | 3496 | UWkpjFjDzM.exe |   MSVCRT.dll | False |                   __p__wenviron | 0x80c128
* | 3496 | UWkpjFjDzM.exe |   MSVCRT.dll | False |                          _errno | 0x80c12c
* | 3496 | UWkpjFjDzM.exe |   MSVCRT.dll | False |                            free | 0x80c130
* | 3496 | UWkpjFjDzM.exe |   MSVCRT.dll | False |                         strncmp | 0x80c134
* | 3496 | UWkpjFjDzM.exe |   MSVCRT.dll | False |                          strstr | 0x80c138
* | 3496 | UWkpjFjDzM.exe |   MSVCRT.dll | False |                         strncpy | 0x80c13c
* | 3496 | UWkpjFjDzM.exe |   MSVCRT.dll | False |                           _ftol | 0x80c140
* | 3496 | UWkpjFjDzM.exe |   MSVCRT.dll | False |                           qsort | 0x80c144
* | 3496 | UWkpjFjDzM.exe |   MSVCRT.dll | False |                           fopen | 0x80c148
* | 3496 | UWkpjFjDzM.exe |   MSVCRT.dll | False |                          perror | 0x80c14c
[TRUNCATED]

Best regards and merry Christmas ☺️

[ikelos]

Looks good, I'm happy to merge it but since it's in windows land I'd prefer if @iMHLv2 gets a chance to look over it. If he takes too long though, it means he's busy so gimme a prod and I'll merge it in anyway. As I say, only a couple minor comments that you can look at or not as you wish... 5:)

[forensicxlab]

Hello @ikelos!
Hope you're well.

I have changed the comment for the exception handling ;)

About the PEB casting, I didn't found the time to dig into it, but I think it is good to stay consistent with the other plugins for now. I might dig into it and open a dedicated PR to modify this accross all plugins using similar method (like ldrmodules,...).

Any news from iMHLv2 ? Let me know if you are ok to merge this PR :D

Best regards.
Félix.

[ikelos]

Hiya, just found one other little thing, but otherwise looks good to merge. Yeah, pulling back the kernel is how most of the other plugins do it, so I'm happy pushing it like that. Do please look into it though because the more examples of efficient code that people can read to find out how to do stuff, the better. Once you get the copyright fixed, I'll get it merged... Thanks! 5:D

[forensicxlab]

Hi @ikelos,
Just made the modification :) Thanks for your time and dedication.