def is_executable(addr):
    """Return True when the page holding ``addr`` reports an Execute protection.

    The answer comes from ``pykd.getVaProtect``, which is only consulted in
    user-mode debugging.  Under kernel debugging the function returns False
    unconditionally, so a False result there means "unknown", not "proven
    non-executable" — callers relying on this for memory-safety decisions
    should keep that in mind.
    """
    # No kernel-mode way to query page protection is wired up here.
    if pykd.isKernelDebugging():
        return False
    protection = str(pykd.getVaProtect(addr))
    return "Execute" in protection
	def is_writable(self, address):
		"""Return True when the page holding ``address`` reports a Write protection.

		Uses ``pykd.getVaProtect`` and therefore only answers in user-mode
		debugging; in kernel debugging it returns False without looking, so
		False there means "could not determine", not "read-only".
		"""
		if pykd.isKernelDebugging():
			return False
		flags = str(pykd.getVaProtect(address))
		return "Write" in flags
    def __init__(self, base, config, *args, **kwargs):
        """Build an address space backed by a live WinDbg kernel session via pykd.

        Preconditions are enforced through ``as_assert``: no underlying
        ``base`` space, ``config.LOCATION == 'windbg'``, and an active kernel
        debugging session.  The constructor then reads CR3 as the DTB, resolves
        the ``nt`` module, publishes ``nt!KdCopyDataBlock`` as ``config.KDBG``,
        and derives the single physical range covered by this space from the
        kernel's lowest/highest physical page numbers.
        """
        self.as_assert(base == None)
        self.as_assert(config.LOCATION=='windbg')
        self.as_assert(pykd.isKernelDebugging())

        self.dtb = pykd.reg('cr3')
        self.nt = pykd.module('nt')
        # Hand the KDBG location to the config for consumers that look it up there.
        config.KDBG = self.nt.KdCopyDataBlock

        page_size = pykd.pageSize()
        low_page = pykd.ptrMWord(self.nt.MmLowestPhysicalPage)
        high_page = pykd.ptrMWord(self.nt.MmHighestPhysicalPage)
        self.pageSize = page_size
        self.lowPage = low_page
        self.highPage = high_page
        # One (start, length) tuple spanning the whole physical page range.
        range_start = low_page * page_size
        range_length = (high_page - low_page) * page_size
        self.spaces = [(range_start, range_length)]

        super(PykdAddressSpace,self).__init__(base,config)

        self.name = "WinDBG Address Space"
    def __init__(self, base, config, *args, **kwargs):
        """Build an address space backed by a live WinDbg kernel session via pykd.

        ``as_assert`` guards the preconditions (no ``base`` space, a
        ``'windbg'`` LOCATION, and an active kernel debugging session).  The
        DTB is read from CR3, the ``nt`` module is resolved, its
        ``KdCopyDataBlock`` is exported as ``config.KDBG``, and the physical
        range of the space is computed from the kernel's lowest and highest
        physical page numbers.
        """
        self.as_assert(base == None)
        self.as_assert(config.LOCATION == 'windbg')
        self.as_assert(pykd.isKernelDebugging())

        self.dtb = pykd.reg('cr3')
        self.nt = pykd.module('nt')
        # Expose the KDBG location through the config for downstream lookups.
        config.KDBG = self.nt.KdCopyDataBlock

        self.pageSize = pykd.pageSize()
        self.lowPage = pykd.ptrMWord(self.nt.MmLowestPhysicalPage)
        self.highPage = pykd.ptrMWord(self.nt.MmHighestPhysicalPage)
        # Single (start, length) range covering all physical pages.
        start = self.lowPage * self.pageSize
        length = (self.highPage - self.lowPage) * self.pageSize
        self.spaces = [(start, length)]

        super(PykdAddressSpace, self).__init__(base, config)

        self.name = "WinDBG Address Space"
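def reloadModules():
    """Re-enumerate the debuggee's modules and expose each one as a global.

    Globals created by a previous call (tracked in ``moduleList``) are first
    reset to ``None`` so unloaded modules do not linger as stale objects.  In
    kernel debugging the loaded-module list is walked from
    ``nt!PsLoadedModuleList``; in user mode it is walked from the current
    process's PEB loader data.  ``ntoskrnl.exe`` is skipped during the walk
    because the kernel is already represented by the explicitly loaded ``nt``
    module.

    Side effects: rebinds the module-level ``moduleList`` (and ``nt`` in
    kernel mode) and writes one global per module, keyed by the lower-cased
    module name.  Those names originate in the debuggee's loader structures,
    so they can shadow existing names in this namespace.

    Fix over the previous version: ``moduleList`` is emptied *before* ``nt``
    is appended to it; previously ``nt`` was appended to the old list, which
    was then discarded, so ``nt`` was never tracked for reset on the next call.
    """
    global moduleList

    for m in moduleList:
        globals()[m.name().lower()] = None

    # Start the new tracking list here so every module found below,
    # including nt in kernel mode, is retained.
    moduleList = []

    if pykd.isKernelDebugging():

        global nt

        nt = pykd.loadModule("nt")

        modules = pykd.typedVarList(nt.PsLoadedModuleList, "nt",
                                    "_LDR_DATA_TABLE_ENTRY",
                                    "InLoadOrderLinks")

        moduleList.append(nt)

    else:

        # The return value was never used; the call is kept for its side
        # effect (presumably making ntdll's symbols available — verify).
        pykd.loadModule("ntdll")

        peb = pykd.typedVar("ntdll", "_PEB", pykd.getCurrentProcess())

        ldr = pykd.typedVar("ntdll", "_PEB_LDR_DATA", peb.Ldr)

        modules = pykd.typedVarList(ldr.InLoadOrderModuleList.getAddress(),
                                    "ntdll", "_LDR_DATA_TABLE_ENTRY",
                                    "InLoadOrderLinks")

    for m in modules:

        baseName = str(pykd.loadUnicodeString(m.BaseDllName.getAddress()))

        # The kernel image is covered by the nt module loaded above.
        if baseName == "ntoskrnl.exe":
            continue

        module = pykd.findModule(m.DllBase)

        globals()[module.name().lower()] = module

        moduleList.append(module)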
def isKernelDebugging():
    """Return whether the attached pykd session is a kernel debugging session.

    Delegates to ``pykd.isKernelDebugging`` with the literal argument ``"r"``;
    the meaning of that argument is not visible here — confirm against the
    pykd API before changing it.
    """
    in_kernel_mode = pykd.isKernelDebugging("r")
    return in_kernel_mode
        return sympath + newdir
    else:
        return sympath + ";" + newdir


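# Script body: read config.txt, attach to the kernel target and set up symbols.
g_windowsdir = win32api.GetWindowsDirectory()
g_system32dir = os.path.join(g_windowsdir, "system32")

# Close the config file promptly instead of leaking the handle from a bare
# open().read().
with open("config.txt", "rb") as config_file:
    config = json.loads(config_file.read())

# A missing "windbgpath" key used to reach os.path.exists(None) and fail with
# a TypeError; report it with the same message as a wrong path.
windbgpath = config.get("windbgpath")
if not windbgpath or not os.path.exists(windbgpath):
    raise Exception("%s not exists, modify your config.txt" % windbgpath)

pykd.attachKernel()
if not pykd.isKernelDebugging():
    raise Exception("not a kernel debugging")
print("load symbol, wait....")

g_sympath = config.get("sympath")
if not g_sympath:
    # The old message was "%s can not be null" with no argument supplied.
    raise Exception("sympath can not be null")

print("your sympath:%s" % g_sympath)
g_sympath = add_symbolpath(g_sympath, g_windowsdir)
g_sympath = add_symbolpath(g_sympath, g_system32dir)
# The symbol path is spliced verbatim into a debugger command. config.txt is
# local, trusted input here; if it ever comes from elsewhere, validate it
# before passing it through.
pykd.dbgCommand(".sympath %s" % g_sympath)
pykd.dbgCommand(".reload *")
print("load symbol ok!")
windbgextdirs = ["winxp", "winext"]
# NOTE: "kdexts.dll" appears twice; kept as-is because downstream code may
# depend on the list's exact contents.
default_exts = ["kdexts.dll", "ext.dll", "exts.dll", "kext.dll", "kdexts.dll", "ntsdexts.dll"]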
 def testIsKernelDebugging(self):
     """The test host must be attached in user mode: kernel debugging is off."""
     kernel_mode = pykd.isKernelDebugging()
     self.assertFalse(kernel_mode)
    print '[+] Finding target pid %d...' % opts.pid
    process = Process(opts.pid)

    print '[+] Current privileges:'
    print '\n%s\n' % tabulate(
        {
            "Privilege": process.current_privileges.keys(),
            "State": process.current_privileges.values()
        },
        headers="keys")

    if opts.enable:
        for priv in opts.enable:
            if process.enable_privilege(priv):
                print '[+] %s enabled' % priv
            else:
                print '[-] Could not enable %s' % priv

    if opts.disable:
        for priv in opts.disable:
            if process.disable_privilege(priv):
                print '[+] %s disabled' % priv
            else:
                print '[-] Could not disable %s' % priv


if __name__ == "__main__":
    # The kernel-debugging check only warns; the tool still runs afterwards.
    kernel_mode = pykd.isKernelDebugging()
    if not kernel_mode:
        print('Currently not kd!')

    run(parse_args())