Operator On The Wire
BLUE TEAM / MALWARE REVERSE / WINDOWS / WINDBG

Trace Calls

1. Locate imports of main module

!dh -i <BaseAddress>
  • Locate the IAT: in the output, the line "<address> [<size>] address [size] of Import Address Table Directory" gives the IAT start
  • Pinpoint the target entry (on x64 each entry is 8 bytes; on x86 it is 4)
  • <IAT> + (<entry order> x 8)

2. Dump IAT

dps <IATAddress> L12
  • L12 is a hex count (0x12 = 18 pointer-sized entries); dps resolves each pointer to its symbol

3. Disassemble the Module

u <BaseAddress> L200
  • L200 is also hex: 0x200 instructions from the given address