A pykd module to locate specific function addresses within the Windows Import Address Table (IAT) in WinDbg. Useful when you want to bypass Data Execution Prevention (DEP) and build Return-Oriented Programming (ROP) chains around Win32 API functions such as VirtualAlloc.
To start, ensure pykd.dll is located in %ProgramFiles(x86)%\Windows Kits\10\Debuggers\x86\winext\ (the path may vary depending on the OS and WinDbg version).
Next, load pykd inside WinDbg:
.load pykd
Then, you can use the script directly on your target module:
!py C:\Tools\iatloc.py CSFTPAV6 VirtualAlloc
If the desired function is not present in the IAT, the script prints nearby offsets you can work from instead. For example, searching for the WriteProcessMemory address:
!py C:\Tools\iatloc.py CSFTPAV6 WriteProcessMemory
If you want to search through all the eligible modules, just omit the module argument:
!py C:\Tools\iatloc.py VirtualAlloc
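As an added example (not the iatloc.py script itself): a dependency-free Python parser that does what the script does under pykd, walking a mapped PE32 module's import descriptors to the IAT slot that holds a named function. In WinDbg the image bytes would be read from the target through pykd; here a constructed minimal image stands in so it runs offline, and module base 0x10000000 is an assumed value.

```python
import struct

def walk_iat(image, base=0):
    """Yield (dll, function, iat_slot_va) for every named import of a PE32
    module mapped as `image` (RVAs are byte offsets) loaded at `base`."""
    u32 = lambda off: struct.unpack_from("<I", image, off)[0]
    cstr = lambda off: image[off:image.index(b"\0", off)].decode()
    nt = u32(0x3C)                                  # e_lfanew -> "PE\0\0"
    opt = nt + 24                                   # 4-byte signature + 20-byte file header
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("not a PE32 image")
    desc = u32(opt + 96 + 8)                        # DataDirectory[1] = import table RVA
    while desc and u32(desc + 12):                  # descriptor.Name == 0 ends the array
        dll = cstr(u32(desc + 12))
        lookup, iat = u32(desc) or u32(desc + 16), u32(desc + 16)  # INT (IAT if unbound)
        i = 0
        while (thunk := u32(lookup + 4 * i)):
            if not thunk & 0x80000000:              # IMAGE_ORDINAL_FLAG32 clear: by name
                yield dll, cstr(thunk + 2), base + iat + 4 * i   # skip the WORD hint
            i += 1
        desc += 20                                  # sizeof(IMAGE_IMPORT_DESCRIPTOR)

def find_import(image, base, function):
    """Return the IAT slot holding `function`'s address, or None if the
    module does not import it (the point where iatloc falls back to offsets)."""
    for _, name, slot in walk_iat(image, base):
        if name.lower() == function.lower():
            return slot
    return None

def build_sample_image():
    """Constructed minimal PE32 image (not a real binary) importing
    VirtualAlloc and WriteFile from KERNEL32.dll."""
    img = bytearray(0x600)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                 # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x44, 0x14C, 0)            # Machine=i386, 0 sections
    struct.pack_into("<H", img, 0x54, 0xE0)                 # SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x58, 0x10B)                # PE32 magic
    struct.pack_into("<II", img, 0x58 + 96 + 8, 0x200, 40)  # import dir RVA, size
    struct.pack_into("<5I", img, 0x200, 0x300, 0, 0, 0x400, 0x500)  # one descriptor
    struct.pack_into("<3I", img, 0x300, 0x410, 0x420, 0)    # INT: hint/name RVAs
    struct.pack_into("<3I", img, 0x500, 0x7700A000, 0x7700B000, 0)  # IAT: resolved
    img[0x400:0x40D] = b"KERNEL32.dll\0"
    img[0x412:0x41F] = b"VirtualAlloc\0"                    # hint WORD at 0x410
    img[0x422:0x42C] = b"WriteFile\0"                       # hint WORD at 0x420
    return bytes(img)
```

With the sample image loaded at 0x10000000, VirtualAlloc resolves to slot 0x10000500 and a function the module never imports (WriteProcessMemory) returns None.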
This script was created to automate the task of locating specific function addresses in the IAT during my EXP-301 journey. While it worked well for my OSED certification studies, I do not guarantee portability across up-to-date WinDbg.