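def lsmod(addr_space, profile):
    """ A Generator for modules (uses _KPCR symbols)

    Walks the kernel's loaded-module list (PsLoadedModuleList), reached
    through _KPCR.KdVersionBlock and the debugger data block, and yields
    each _LDR_MODULE entry in load order.

    Args:
        addr_space: the address space the kernel structures are read from.
        profile:    the profile that supplies the struct definitions.

    Yields:
        _LDR_MODULE objects, one per entry of InLoadOrderModuleList.

    Every offset followed below is read out of the memory image itself,
    so each pointer is checked with is_valid() before it is dereferenced;
    when the debugger data cannot be located nothing is yielded.
    """
    ## Locate the kpcr struct - this is hard coded right now
    ## (kpcr_addr is taken from module scope, not from a parameter)
    kpcr = NewObject("_KPCR", kpcr_addr, addr_space, profile=profile)

    ## Try to dereference the KdVersionBlock as a 64 bit struct
    debugger_data_list = kpcr.KdVersionBlock.dereference_as(
        "_DBGKD_GET_VERSION64").DebuggerDataList

    if not debugger_data_list.is_valid():
        return

    offset = debugger_data_list.dereference().v()
    ## This is a pointer to a _KDDEBUGGER_DATA64 struct. We only
    ## care about the PsLoadedModuleList entry:
    module_list = NewObject("_KDDEBUGGER_DATA64",
                            offset,
                            addr_space,
                            profile=profile).PsLoadedModuleList

    if not module_list.is_valid():
        ## Ok maybe its a 32 bit struct
        module_list = NewObject("_KDDEBUGGER_DATA32",
                                offset,
                                addr_space,
                                profile=profile).PsLoadedModuleList

    ## Neither layout gave a usable list head: do not follow it.
    if not module_list.is_valid():
        return

    ## Iterate over the module list in PsLoadedModuleList
    ## (its really a pointer to a _LIST_ENTRY)
    for module in module_list.dereference_as("_LIST_ENTRY").list_of_type(
            "_LDR_MODULE", "InLoadOrderModuleList"):
        yield module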
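def subkeys(key):
    """Yield the valid subkey nodes of the registry key *key*.

    A key node carries two subkey lists (indices 0 and 1 of SubKeyCounts
    and SubKeyLists); both are walked in that order. The key itself and
    each _CM_KEY_INDEX list are checked with is_valid() before use, and
    only entries whose Signature equals NK_SIG are yielded, so corrupt or
    unmapped image data is skipped instead of being followed.

    Args:
        key: a key node object providing is_valid(), SubKeyCounts,
             SubKeyLists, vm and profile.

    Yields:
        the subkey node objects whose signature matches NK_SIG.
    """
    if not key.is_valid():
        return
    for list_index in (0, 1):
        for node in _subkeys_from_list(key, list_index):
            yield node


def _subkeys_from_list(key, list_index):
    """Yield the NK-signed entries of subkey list *list_index* of *key*.

    Yields nothing when that list's count is zero or the _CM_KEY_INDEX at
    the listed offset is missing or invalid.
    """
    if key.SubKeyCounts[list_index] <= 0:
        return
    sk_off = key.SubKeyLists[list_index]
    sk = NewObject("_CM_KEY_INDEX", sk_off, key.vm, profile=key.profile)
    if not sk or not sk.is_valid():
        return
    for node in read_sklist(sk):
        ## read_sklist may hand back a missing entry; the signature check
        ## is what separates a real key node from stray data in the image.
        if node and node.Signature.v() == NK_SIG:
            yield node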
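def subkeys(key):
    """Yield the valid subkey nodes of the registry key *key*.

    A key node carries two subkey lists (indices 0 and 1 of SubKeyCounts
    and SubKeyLists); both are walked in that order. The key itself and
    each _CM_KEY_INDEX list are checked with is_valid() before use, and
    only entries whose Signature equals NK_SIG are yielded, so corrupt or
    unmapped image data is skipped instead of being followed.

    Args:
        key: a key node object providing is_valid(), SubKeyCounts,
             SubKeyLists, vm and profile.

    Yields:
        the subkey node objects whose signature matches NK_SIG.
    """
    if not key.is_valid():
        return
    for list_index in (0, 1):
        for node in _subkeys_from_list(key, list_index):
            yield node


def _subkeys_from_list(key, list_index):
    """Yield the NK-signed entries of subkey list *list_index* of *key*.

    Yields nothing when that list's count is zero or the _CM_KEY_INDEX at
    the listed offset is missing or invalid.
    """
    if key.SubKeyCounts[list_index] <= 0:
        return
    sk_off = key.SubKeyLists[list_index]
    sk = NewObject("_CM_KEY_INDEX", sk_off, key.vm, profile=key.profile)
    if not sk or not sk.is_valid():
        return
    for node in read_sklist(sk):
        ## read_sklist may hand back a missing entry; the signature check
        ## is what separates a real key node from stray data in the image.
        if node and node.Signature.v() == NK_SIG:
            yield node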
    def _Peb(self, attr):
        """ Returns a _PEB object which is using the process address space.

        The PEB structure is referencing back into the process address
        space so we need to switch address spaces when we look at
        it. This method ensures this happens automatically.

        The *attr* argument is accepted but not used. None is returned
        when no process address space can be obtained, or when the _PEB
        read from it does not validate.
        """
        process_ad = self.get_process_address_space()
        if not process_ad:
            return None

        peb_offset = self.m("Peb").v()
        peb = NewObject("_PEB", peb_offset, vm=process_ad, profile=self.profile,
                        name="Peb", parent=self)

        ## The offset was read from the image; only hand back a PEB that validates.
        return peb if peb.is_valid() else None
    def _Peb(self, attr):
        """ Returns a _PEB object which is using the process address space.

        The PEB structure is referencing back into the process address
        space so we need to switch address spaces when we look at
        it. This method ensures this happens automatically.

        The *attr* argument is accepted but not used. None is returned
        when no process address space can be obtained, or when the _PEB
        read from it does not validate.
        """
        process_ad = self.get_process_address_space()
        if not process_ad:
            return None

        peb_offset = self.m("Peb").v()
        peb = NewObject("_PEB", peb_offset, vm=process_ad, profile=self.profile,
                        name="Peb", parent=self)

        ## The offset was read from the image; only hand back a PEB that validates.
        return peb if peb.is_valid() else None
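def lsmod(addr_space, profile):
    """ A Generator for modules (uses _KPCR symbols)

    Walks the kernel's loaded-module list (PsLoadedModuleList), reached
    through _KPCR.KdVersionBlock and the debugger data block, and yields
    each _LDR_MODULE entry in load order.

    Args:
        addr_space: the address space the kernel structures are read from.
        profile:    the profile that supplies the struct definitions.

    Yields:
        _LDR_MODULE objects, one per entry of InLoadOrderModuleList.

    Every offset followed below is read out of the memory image itself,
    so each pointer is checked with is_valid() before it is dereferenced;
    when the debugger data cannot be located nothing is yielded.
    """
    ## Locate the kpcr struct - this is hard coded right now
    ## (kpcr_addr is taken from module scope, not from a parameter)
    kpcr = NewObject("_KPCR", kpcr_addr, addr_space, profile=profile)

    ## Try to dereference the KdVersionBlock as a 64 bit struct
    debugger_data_list = kpcr.KdVersionBlock.dereference_as(
        "_DBGKD_GET_VERSION64").DebuggerDataList

    if not debugger_data_list.is_valid():
        return

    offset = debugger_data_list.dereference().v()
    ## This is a pointer to a _KDDEBUGGER_DATA64 struct. We only
    ## care about the PsLoadedModuleList entry:
    module_list = NewObject("_KDDEBUGGER_DATA64",
                            offset,
                            addr_space,
                            profile=profile).PsLoadedModuleList

    if not module_list.is_valid():
        ## Ok maybe its a 32 bit struct
        module_list = NewObject("_KDDEBUGGER_DATA32",
                                offset,
                                addr_space,
                                profile=profile).PsLoadedModuleList

    ## Neither layout gave a usable list head: do not follow it.
    if not module_list.is_valid():
        return

    ## Iterate over the module list in PsLoadedModuleList
    ## (its really a pointer to a _LIST_ENTRY)
    for module in module_list.dereference_as("_LIST_ENTRY").list_of_type(
            "_LDR_MODULE", "InLoadOrderModuleList"):
        yield module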