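def lsmod(addr_space, profile, kpcr_address=None):
    """Yield the loaded kernel modules found via the _KPCR symbols.

    Args:
        addr_space: address space (the memory image) the objects are read from.
        profile: profile used to instantiate the kernel structures.
        kpcr_address: address of the _KPCR struct; defaults to the
            module-level ``kpcr_addr`` so existing callers are unaffected.

    Yields:
        ``_LDR_MODULE`` objects in InLoadOrderModuleList order, or nothing
        when no valid debugger data / module list head can be located.
    """
    if kpcr_address is None:
        ## The previously hard-coded location is kept as the default.
        kpcr_address = kpcr_addr
    kpcr = NewObject("_KPCR", kpcr_address, addr_space, profile=profile)

    ## Try to dereference the KdVersionBlock as a 64 bit struct
    debugger_data_list = kpcr.KdVersionBlock.dereference_as(
        "_DBGKD_GET_VERSION64").DebuggerDataList
    if not debugger_data_list.is_valid():
        return

    offset = debugger_data_list.dereference().v()
    ## offset points at a _KDDEBUGGER_DATA64 struct; the only field we
    ## need is PsLoadedModuleList (the loaded-module list head).
    module_list = NewObject("_KDDEBUGGER_DATA64", offset, addr_space,
                            profile=profile).PsLoadedModuleList
    if not module_list.is_valid():
        ## Maybe the image carries the 32 bit layout instead
        module_list = NewObject("_KDDEBUGGER_DATA32", offset, addr_space,
                                profile=profile).PsLoadedModuleList
    if not module_list.is_valid():
        ## Neither layout gave a usable list head; walking an invalid
        ## pointer through the image would only produce garbage entries.
        return

    ## PsLoadedModuleList is really a pointer to a _LIST_ENTRY; walk it as
    ## a list of _LDR_MODULE linked through InLoadOrderModuleList.
    for module in module_list.dereference_as("_LIST_ENTRY").list_of_type(
            "_LDR_MODULE", "InLoadOrderModuleList"):
        yield module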
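def lsmod(addr_space, profile, kpcr_address=None):
    """Yield the loaded kernel modules found via the _KPCR symbols.

    Args:
        addr_space: address space (the memory image) the objects are read from.
        profile: profile used to instantiate the kernel structures.
        kpcr_address: address of the _KPCR struct; defaults to the
            module-level ``kpcr_addr`` so existing callers are unaffected.

    Yields:
        ``_LDR_MODULE`` objects in InLoadOrderModuleList order, or nothing
        when no valid debugger data / module list head can be located.
    """
    if kpcr_address is None:
        ## The previously hard-coded location is kept as the default.
        kpcr_address = kpcr_addr
    kpcr = NewObject("_KPCR", kpcr_address, addr_space, profile=profile)

    ## Try to dereference the KdVersionBlock as a 64 bit struct
    debugger_data_list = kpcr.KdVersionBlock.dereference_as("_DBGKD_GET_VERSION64").DebuggerDataList
    if not debugger_data_list.is_valid():
        return

    offset = debugger_data_list.dereference().v()
    ## offset points at a _KDDEBUGGER_DATA64 struct; the only field we
    ## need is PsLoadedModuleList (the loaded-module list head).
    module_list = NewObject("_KDDEBUGGER_DATA64", offset, addr_space, profile=profile).PsLoadedModuleList
    if not module_list.is_valid():
        ## Maybe the image carries the 32 bit layout instead
        module_list = NewObject("_KDDEBUGGER_DATA32", offset, addr_space, profile=profile).PsLoadedModuleList
    if not module_list.is_valid():
        ## Neither layout gave a usable list head; walking an invalid
        ## pointer through the image would only produce garbage entries.
        return

    ## PsLoadedModuleList is really a pointer to a _LIST_ENTRY; walk it as
    ## a list of _LDR_MODULE linked through InLoadOrderModuleList.
    for module in module_list.dereference_as("_LIST_ENTRY").list_of_type("_LDR_MODULE", "InLoadOrderModuleList"):
        yield module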