"""inspect_vtable.py <dump> <vtable_va_hex> [num_slots]

Read N dwords starting at vtable_va. For each, mark whether it is in
code memory (image, executable). A valid vtable is a row of >= 4
contiguous code pointers.

Arguments, as read by main(): argv[1] is the minidump path, argv[2] is
the vtable virtual address in hexadecimal, and the optional argv[3] is
the number of slots to read (default 32).
"""
import struct, sys
from minidump.minidumpfile import MinidumpFile


def _ei(v):
    """Coerce a minidump field to a plain int.

    None becomes 0, an object exposing a ``.value`` attribute (for example
    an enum member) is unwrapped through it, and anything else is passed
    to int().
    """
    if v is None:
        return 0
    if hasattr(v, 'value'):
        return int(v.value)
    return int(v)


def main():
    """Dump the slots of a suspected vtable and report where they point.

    Parses the minidump named in argv[1], builds a module map and a list
    of executable image regions, reads ``n`` 4-byte slots at the address
    given in argv[2] and prints a header line naming the module that
    contains that address. The per-slot loop is cut off in this listing.
    """
    md = MinidumpFile.parse(sys.argv[1])
    # The vtable address is always parsed as hexadecimal (a 0x prefix is optional).
    vt = int(sys.argv[2], 16)
    n = int(sys.argv[3]) if len(sys.argv) > 3 else 32

    # Module map
    # Each entry is (base address, size, file name); the name keeps only the
    # last backslash-separated component of the module path.
    mods = []
    for m in md.modules.modules:
        mods.append((m.baseaddress, m.size, m.name.split("\\")[-1]))

    def mod_of(a):
        # Return the name of the module whose [base, base + size) range
        # contains address a, or None when no module matches.
        for b, s, nm in mods:
            if b <= a < b + s:
                return nm
        return None

    # Executable image-region cache
    # NOTE(review): md.memory_info is presumably None when the dump carries no
    # memory-info stream, in which case this loop would raise - confirm.
    exec_ranges = []
    for r in md.memory_info.infos:
        # "& 0xff" keeps the base protection and drops modifier bits such as
        # PAGE_GUARD (0x100), PAGE_NOCACHE (0x200) and PAGE_WRITECOMBINE (0x400).
        st, ty, pr = _ei(r.State), _ei(r.Type), _ei(r.Protect) & 0xff
        # 0x1000 = MEM_COMMIT, 0x1000000 = MEM_IMAGE,
        # 0x20 = PAGE_EXECUTE_READ, 0x80 = PAGE_EXECUTE_WRITECOPY.
        # PAGE_EXECUTE (0x10) and PAGE_EXECUTE_READWRITE (0x40) are not accepted,
        # and private or mapped executable memory is excluded, so a slot pointing
        # into such a region is reported as non-code rather than flagged as
        # executable memory outside an image.
        if st == 0x1000 and ty == 0x1000000 and pr in (0x20, 0x80):
            exec_ranges.append((r.BaseAddress, r.BaseAddress + r.RegionSize))

    def is_exec(a):
        # True when a falls inside any half-open [lo, hi) range collected above.
        for lo, hi in exec_ranges:
            if lo <= a < hi:
                return True
        return False

    rdr = md.get_reader().get_buffered_reader()
    rdr.move(vt)
    # Four bytes per slot: this assumes a 32-bit target, matching the 8-digit
    # address format below. NOTE(review): a 64-bit dump would need 8-byte slots.
    # NOTE(review): what move()/read() do when the range is not captured in the
    # dump is not visible here - confirm that a short or failed read is handled.
    buf = rdr.read(n * 4)

    print(f"vtable @ 0x{vt:08x} ({mod_of(vt) or '?'}):")
    for i in range(n):
        # NOTE(review): the listing is cut off inside the next statement; the
        # rest of the loop body is not visible.
        v = struct.unpack_from("