"""find_vtable_refs.py Scan ALL committed memory (not just RW writable) for any DWORD == addr. Used to verify whether an alleged vtable address is referenced anywhere in the dump's process memory. """ import os, struct, sys from collections import Counter from minidump.minidumpfile import MinidumpFile def _ei(v): if v is None: return 0 if hasattr(v, 'value'): return int(v.value) return int(v) md = MinidumpFile.parse(sys.argv[1]) target = int(sys.argv[2], 16) print(f"searching for 0x{target:08x} in dump {sys.argv[1]}") reader = md.get_reader().get_buffered_reader() # Scan everything committed hits = [] total = 0 for r in md.memory_info.infos: st = _ei(r.State); ty = _ei(r.Type); pr = _ei(r.Protect) & 0xff if st != 0x1000: continue # not committed if pr == 0x01: continue # no-access try: reader.move(r.BaseAddress) buf = reader.read(r.RegionSize) except Exception: continue if not buf: continue total += len(buf) end = (len(buf) // 4) * 4 for off in range(0, end, 4): v = struct.unpack_from("