def listCmpCallback():
try:
notifyaddr=pykd.getOffset('nt!CmpCallBackVector')
count=pykd.getOffset('nt!CmpCallBackCount')
count=pykd.ptrPtr(count)
print '-'*10+'CmpCallback'+'-'*10
if is_2000():
for i in xrange(count):
funcaddr=pykd.ptrPtr(notifyaddr+i*g_mwordsize)&0xffffffffffffff8
symbolname=pykd.findSymbol(source)
print 'routine:%x %s' % (funcaddr, symbolname)
else:
if pykd.is64bitSystem():
for i in xrange(count):
funcaddr=pykd.ptrPtr(notifyaddr+i*g_mwordsize)&0xffffffffffffff8
symbolname=pykd.findSymbol(funcaddr)
print 'routine:%x %s' % (funcaddr, symbolname)
else:
for i in xrange(count):
routine_block=pykd.ptrPtr(notifyaddr+i*g_mwordsize)&0xffffffffffffff8
funcaddr=pykd.ptrPtr(routine_block+g_mwordsize)
symbolname=pykd.findSymbol(funcaddr)
print 'routine:%x %s' % (funcaddr, symbolname)
except Exception, err:
print traceback.format_exc()
def listCreateProcess():
try:
print '-'*10+'CreateProcess'+'-'*10
notifyaddr=pykd.getOffset('nt!PspCreateProcessNotifyRoutine')
count=pykd.getOffset('nt!PspCreateProcessNotifyRoutineCount')
count=pykd.ptrPtr(count)
try:
excount=pykd.getOffset('nt!PspCreateProcessNotifyRoutineExCount')
except:
excount=0
count+=excount
if is_2000():
for i in xrange(count):
funcaddr=pykd.ptrPtr(notifyaddr+i*g_mwordsize)&0xffffffffffffff8
symbolname=pykd.findSymbol(source)
print 'routine:%x %s' % (funcaddr, symbolname)
else:
if pykd.is64bitSystem():
for i in xrange(count):
funcaddr=pykd.ptrPtr(notifyaddr+i*g_mwordsize)&0xffffffffffffff8
symbolname=pykd.findSymbol(funcaddr)
print 'routine:%x %s' % (funcaddr, symbolname)
else:
for i in xrange(count):
routine_block=pykd.ptrPtr(notifyaddr+i*g_mwordsize)&0xffffffffffffff8
funcaddr=pykd.ptrPtr(routine_block+g_mwordsize)
symbolname=pykd.findSymbol(funcaddr)
print 'routine:%x %s' % (funcaddr, symbolname)
except Exception, err:
print traceback.format_exc()
def listCreateProcess():
try:
print '-' * 10 + 'CreateProcess' + '-' * 10
notifyaddr = pykd.getOffset('nt!PspCreateProcessNotifyRoutine')
count = pykd.getOffset('nt!PspCreateProcessNotifyRoutineCount')
count = pykd.ptrPtr(count)
try:
excount = pykd.getOffset('nt!PspCreateProcessNotifyRoutineExCount')
except:
excount = 0
count += excount
if is_2000():
for i in xrange(count):
funcaddr = pykd.ptrPtr(notifyaddr +
i * g_mwordsize) & 0xffffffffffffff8
symbolname = pykd.findSymbol(source)
print 'routine:%x %s' % (funcaddr, symbolname)
else:
if pykd.is64bitSystem():
for i in xrange(count):
funcaddr = pykd.ptrPtr(notifyaddr +
i * g_mwordsize) & 0xffffffffffffff8
symbolname = pykd.findSymbol(funcaddr)
print 'routine:%x %s' % (funcaddr, symbolname)
else:
for i in xrange(count):
routine_block = pykd.ptrPtr(
notifyaddr + i * g_mwordsize) & 0xffffffffffffff8
funcaddr = pykd.ptrPtr(routine_block + g_mwordsize)
symbolname = pykd.findSymbol(funcaddr)
print 'routine:%x %s' % (funcaddr, symbolname)
except Exception, err:
print traceback.format_exc()
def inspectSSDT():
kernelbase=g_kernelbase
KeServiceDescriptorTable=pykd.getOffset('nt!KeServiceDescriptorTable')
KiServiceTable=pykd.ptrPtr(KeServiceDescriptorTable)
serviceCount=pykd.ptrMWord(KeServiceDescriptorTable+2*g_mwordsize)
print 'nt!KeServiceDescriptorTable:0x%x' % KeServiceDescriptorTable
print 'nt!KiServiceTable:0x%x' % KiServiceTable
print 'serviceCount:0x%x(%d)' % (serviceCount, serviceCount)
ssdttable=pykd.loadPtrs(KiServiceTable, serviceCount)
table_rva=(KiServiceTable-kernelbase)
print 'KiServiceTable rva:0x%x' % table_rva
filedata=open(g_kernelpath, 'rb').read()
pe = pefile.PE(data=filedata, fast_load=True)
if pe.DOS_HEADER.e_magic!=0X5A4D or pe.NT_HEADERS.Signature!=0x4550:
raise Exception("%s is not a pe file" % filepath)
table_fileoffset=pe.get_offset_from_rva(table_rva)
print 'KiServiceTable file offset:0x%x' % table_fileoffset
d=filedata[table_fileoffset:table_fileoffset+g_mwordsize*serviceCount]
number=0
for i in xrange(serviceCount):
source=binascii.b2a_hex(d[i*g_mwordsize:(i+1)*g_mwordsize][::-1])
source=pykd.addr64(int(source, 16))-pykd.addr64(pe.OPTIONAL_HEADER.ImageBase)+kernelbase
symbolname=pykd.findSymbol(source)
current=ssdttable[i]
if source==current:
print 'source:0x%x current:0x%x %s' % (source, current, symbolname)
else:
hooksymbolname=pykd.findSymbol(current)
print 'source:0x%x %s <-> current:0x%x %s hooked!!!!!!!' % (source, symbolname, current, hooksymbolname)
number+=1
print 'hooked function number:', number
def listCmpCallback():
try:
notifyaddr = pykd.getOffset('nt!CmpCallBackVector')
count = pykd.getOffset('nt!CmpCallBackCount')
count = pykd.ptrPtr(count)
print '-' * 10 + 'CmpCallback' + '-' * 10
if is_2000():
for i in xrange(count):
funcaddr = pykd.ptrPtr(notifyaddr +
i * g_mwordsize) & 0xffffffffffffff8
symbolname = pykd.findSymbol(source)
print 'routine:%x %s' % (funcaddr, symbolname)
else:
if pykd.is64bitSystem():
for i in xrange(count):
funcaddr = pykd.ptrPtr(notifyaddr +
i * g_mwordsize) & 0xffffffffffffff8
symbolname = pykd.findSymbol(funcaddr)
print 'routine:%x %s' % (funcaddr, symbolname)
else:
for i in xrange(count):
routine_block = pykd.ptrPtr(
notifyaddr + i * g_mwordsize) & 0xffffffffffffff8
funcaddr = pykd.ptrPtr(routine_block + g_mwordsize)
symbolname = pykd.findSymbol(funcaddr)
print 'routine:%x %s' % (funcaddr, symbolname)
except Exception, err:
print traceback.format_exc()
def testFindSymbol(self):
self.assertEqual(
"FuncWithName0",
target.module.findSymbol(target.module.offset("FuncWithName0")))
self.assertEqual(
"_FuncWithName2",
target.module.findSymbol(target.module.offset("_FuncWithName2")))
self.assertEqual(
"targetapp!FuncWithName0",
pykd.findSymbol(target.module.offset("FuncWithName0")))
self.assertEqual(
"targetapp!_FuncWithName2",
pykd.findSymbol(target.module.offset("_FuncWithName2")))
self.assertEqual(
"_FuncWithName2+10",
target.module.findSymbol(
target.module.offset("_FuncWithName2") + 0x10))
self.assertEqual(
"_FuncWithName2",
target.module.findSymbol(target.module.offset("_FuncWithName2") +
0x10,
showDisplacement=False))
self.assertEqual(
"targetapp!_FuncWithName2+10",
pykd.findSymbol(target.module.offset("_FuncWithName2") + 0x10))
self.assertEqual(
"targetapp!_FuncWithName2",
pykd.findSymbol(target.module.offset("_FuncWithName2") + 0x10,
showDisplacement=False))
def inspectShadowSSDT():
r = pykd.dbgCommand('dd win32k L1').split(' ')
win32kbase = pykd.addr64(int(r[0], 16))
print 'wink32.sys baseaddr:0x%x' % win32kbase
W32pServiceTable = pykd.getOffset('win32k!W32pServiceTable')
print 'win32k!W32pServiceTable:0x%x' % W32pServiceTable
W32pServiceLimit = pykd.getOffset('win32k!W32pServiceLimit')
W32pServiceLimit = pykd.ptrMWord(W32pServiceLimit)
print 'win32k!W32pServiceLimit:0x%x(%d)' % (W32pServiceLimit,
W32pServiceLimit)
shadowssdttable = pykd.loadPtrs(W32pServiceTable, W32pServiceLimit)
table_rva = (W32pServiceTable - win32kbase)
print 'W32pServiceTable rva:0x%x' % table_rva
win32kname = 'win32k.sys'
windowsdir = win32api.GetWindowsDirectory()
filepath = os.path.join(windowsdir, 'system32', win32kname)
if not os.path.exists(filepath):
raise Exception('%s not exists!' % win32kname)
print 'win32k.sys path:', filepath
filedata = open(filepath, 'rb').read()
pe = pefile.PE(data=filedata, fast_load=True)
if pe.DOS_HEADER.e_magic != 0X5A4D or pe.NT_HEADERS.Signature != 0x4550:
raise Exception("%s is not a pe file" % filepath)
table_fileoffset = pe.get_offset_from_rva(table_rva)
print 'W32pServiceTable file offset:0x%x' % table_fileoffset
d = filedata[table_fileoffset:table_fileoffset +
g_mwordsize * W32pServiceLimit]
number = 0
for i in xrange(W32pServiceLimit):
source = binascii.b2a_hex(d[i * g_mwordsize:(i + 1) *
g_mwordsize][::-1])
source = int(source, 16) - pe.OPTIONAL_HEADER.ImageBase + win32kbase
symbolname = pykd.findSymbol(source)
current = shadowssdttable[i]
if source == current:
print 'source:0x%x current:0x%x %s' % (source, current, symbolname)
else:
hooksymbolname = pykd.findSymbol(current)
print 'source:0x%x %s <-> current:0x%x %s hooked!!!!!!!' % (
source, symbolname, current, hooksymbolname)
number += 1
print 'hooked function number:', number
def listShutdown():
try:
print '-' * 10 + 'Shutdown' + '-' * 10
IRP_MJ_SHUTDOWN = 0x10
#define IRP_MJ_SHUTDOWN 0x10
head = pykd.getOffset('nt!IopNotifyShutdownQueueHead')
next = head
while 1:
next = pykd.ptrPtr(next)
if next == head:
break
try:
deviceobjectaddr = pykd.ptrPtr(next + g_mwordsize * 2)
deviceobject = pykd.typedVar('nt!_DEVICE_OBJECT',
deviceobjectaddr)
driverobject = pykd.typedVar('nt!_DRIVER_OBJECT',
int(deviceobject.DriverObject))
funcaddr = pykd.ptrPtr(driverobject.MajorFunction +
g_mwordsize * IRP_MJ_SHUTDOWN)
symbolname = pykd.findSymbol(funcaddr)
print 'routine:%x %s' % (funcaddr, symbolname)
except Exception, err:
pass
except Exception, err:
print traceback.format_exc()
def _xpp_raw_frames():
stack = _get_stack_with_frame_numbers()
eval_func_caller_frames = []
for idx, frame in enumerate(stack):
if 'evalFunc' in findSymbol(frame.instructionOffset):
eval_func_caller_frames.append(stack[idx + 1])
return eval_func_caller_frames
def inspectKernelTimer():
try:
cmdline='.reload;'
r=pykd.dbgCommand(cmdline)
cmdline=r'!timer'
r=pykd.dbgCommand(cmdline)
r=r.splitlines()
start=0
idx=0
for i in r:
i=i.strip()
if i.startswith('List Timer'):
start=1
continue
if start!=1:
continue
data=i.strip()
pos=data.find('(DPC @ ')
if pos!=-1:
endpos=data.find(')', pos)
data=data[pos+len('(DPC @ '):endpos]
dpc=pykd.addr64(int(data, 16))
if dpc<=int(mmhighestuseraddress):
print i, '!!!!!!!!'
else:
dpcobj=pykd.typedVar('nt!_KDPC', dpc)
symbolname=pykd.findSymbol(dpcobj.DeferredRoutine)
print '%d dpc:%x timerfunc:%x %s' % (idx, int(dpc), int(dpcobj.DeferredRoutine), symbolname)
idx+=1
except Exception, err:
print traceback.format_exc()
def _xpp_raw_frames():
stack = getStack()
eval_func_caller_frames = []
for idx, frame in enumerate(stack):
if 'evalFunc' in findSymbol(frame.instructionOffset):
eval_func_caller_frames.append(stack[idx+1])
return eval_func_caller_frames
def inspectKernelTimer():
try:
cmdline = '.reload;'
r = pykd.dbgCommand(cmdline)
cmdline = r'!timer'
r = pykd.dbgCommand(cmdline)
r = r.splitlines()
start = 0
idx = 0
for i in r:
i = i.strip()
if i.startswith('List Timer'):
start = 1
continue
if start != 1:
continue
data = i.strip()
pos = data.find('(DPC @ ')
if pos != -1:
endpos = data.find(')', pos)
data = data[pos + len('(DPC @ '):endpos]
dpc = pykd.addr64(int(data, 16))
if dpc <= int(mmhighestuseraddress):
print i, '!!!!!!!!'
else:
dpcobj = pykd.typedVar('nt!_KDPC', dpc)
symbolname = pykd.findSymbol(dpcobj.DeferredRoutine)
print '%d dpc:%x timerfunc:%x %s' % (
idx, int(dpc), int(dpcobj.DeferredRoutine), symbolname)
idx += 1
except Exception, err:
print traceback.format_exc()
def listObjectCallback():
try:
cmdline='!object \objecttypes'
r=pykd.dbgCommand(cmdline)
featurestr='----\n'
pos=r.find(featurestr)
if pos==-1:
return
r=r[pos+len(featurestr):].splitlines()
for i in r:
if i.find('Type'):
typeobjectaddr, name=i.split(' Type ')
pos=typeobjectaddr.rfind(' ')
if pos==-1:
return
name=name.strip()
typeobjectaddr=typeobjectaddr[pos+1:]
typeobjectaddr=int(typeobjectaddr, 16)
print '-'*20
print 'typeobject "%s":%x' % (name, typeobjectaddr)
typeobject=pykd.typedVar('nt!_OBJECT_TYPE', typeobjectaddr)
TypeInfo=pykd.typedVar('nt!_OBJECT_TYPE_INITIALIZER', typeobject.TypeInfo)
for membername, membervalue in TypeInfo:
if membername.endswith('Procedure'):
funcaddr=int(membervalue)
if funcaddr:
symbolname=pykd.findSymbol(funcaddr)
else:
symbolname=''
print '%s %x %s' % (membername, funcaddr, symbolname)
except Exception, err:
print traceback.format_exc()
def inspectDispatchRoutine(driverobjectaddr=None):
try:
if driverobjectaddr:
driverinfo=DriverInfo()
if not driverinfo.init1(driverobjectaddr):
print 'fail to get driver info'
return
driverlist=[driverinfo]
else:
driverlist=listDriverByDirectoryObject()
for driverinfo in driverlist:
try:
startaddr=driverinfo.baseaddr
endaddr=driverinfo.baseaddr+driverinfo.modulesize
driverobjectaddr=driverinfo.driverobjectaddr
driverobject=pykd.typedVar('nt!_DRIVER_OBJECT', driverobjectaddr)
print '='*10, 'drvobj:%x %s' % (driverobjectaddr,driverinfo.filepath),'='*10
for i in xrange(28):
funcaddr=pykd.ptrPtr(driverobject.MajorFunction+i*g_mwordsize)
symbolname=pykd.findSymbol(funcaddr)
if funcaddr<startaddr or funcaddr>=endaddr:
if symbolname.find('+')!=-1:
print '%d %s %x %s maybe hooked!!!!!' % (i, MajorFunction[i], funcaddr, symbolname)
else:
print '%d %s %x %s' % (i, MajorFunction[i], funcaddr, symbolname)
else:
print '%d %s %x %s' % (i, MajorFunction[i], funcaddr, symbolname)
except Exception, err:
print traceback.format_exc()
except Exception, err:
print traceback.format_exc()
def onUpdate( self ):
s = ""
stackFrames = pykd.getCurrentStack()
for frame in stackFrames:
s += pykd.findSymbol( frame.instructionOffset ) + " (%x)" % frame.instructionOffset + "\n"
self.textArea.setPlainText( s )
def inspectShadowSSDT():
r=pykd.dbgCommand('dd win32k L1').split(' ')
win32kbase=pykd.addr64(int(r[0],16))
print 'wink32.sys baseaddr:0x%x' % win32kbase
W32pServiceTable=pykd.getOffset('win32k!W32pServiceTable')
print 'win32k!W32pServiceTable:0x%x' % W32pServiceTable
W32pServiceLimit=pykd.getOffset('win32k!W32pServiceLimit')
W32pServiceLimit=pykd.ptrMWord(W32pServiceLimit)
print 'win32k!W32pServiceLimit:0x%x(%d)' % (W32pServiceLimit, W32pServiceLimit)
shadowssdttable=pykd.loadPtrs(W32pServiceTable, W32pServiceLimit)
table_rva=(W32pServiceTable-win32kbase)
print 'W32pServiceTable rva:0x%x' % table_rva
win32kname='win32k.sys'
windowsdir=win32api.GetWindowsDirectory()
filepath=os.path.join(windowsdir, 'system32', win32kname)
if not os.path.exists(filepath):
raise Exception('%s not exists!' % win32kname)
print 'win32k.sys path:', filepath
filedata=open(filepath, 'rb').read()
pe = pefile.PE(data=filedata, fast_load=True)
if pe.DOS_HEADER.e_magic!=0X5A4D or pe.NT_HEADERS.Signature!=0x4550:
raise Exception("%s is not a pe file" % filepath)
table_fileoffset=pe.get_offset_from_rva(table_rva)
print 'W32pServiceTable file offset:0x%x' % table_fileoffset
d=filedata[table_fileoffset:table_fileoffset+g_mwordsize*W32pServiceLimit]
number=0
for i in xrange(W32pServiceLimit):
source=binascii.b2a_hex(d[i*g_mwordsize:(i+1)*g_mwordsize][::-1])
source=int(source, 16)-pe.OPTIONAL_HEADER.ImageBase+win32kbase
symbolname=pykd.findSymbol(source)
current=shadowssdttable[i]
if source==current:
print 'source:0x%x current:0x%x %s' % (source, current, symbolname)
else:
hooksymbolname=pykd.findSymbol(current)
print 'source:0x%x %s <-> current:0x%x %s hooked!!!!!!!' % (source, symbolname, current, hooksymbolname)
number+=1
print 'hooked function number:', number
def dereference(self, pointer, target_id=0):
"""
Recursively dereference a pointer for display
"""
fmt = ('<' if self.get_byte_order() == 'little' else '>') + {2: 'H', 4: 'L', 8: 'Q'}[self.get_addr_size()]
addr = pointer
chain = []
# recursively dereference
for i in range(0, self.max_deref):
try:
[ptr] = pykd.loadPtrs(addr, 1)
if ptr in chain:
break
chain.append(('pointer', addr))
addr = ptr
except:
log.exception("Dereferencing pointer 0x{:X}".format(addr))
break
# get some info for the last pointer
# first try to resolve a symbol context for the address
if len(chain):
p, addr = chain[-1]
output = pykd.findSymbol(addr)
sym = True
try:
# if there's no symbol found, pykd returns a hex string of the address
if int(output, 16) == addr:
sym = False
log.debug("no symbol context")
except:
pass
if sym:
chain.append(('symbol', output.strip()))
else:
log.debug("no symbol context")
mem = pykd.loadBytes(addr, 2)
if mem[0] < 127:
if mem[1] == 0:
a = []
for i in range(0, self.max_string, 2):
mem = pykd.loadBytes(addr + i, 2)
if mem == [0, 0]:
break
a.extend(mem)
output = array.array('B', a).tostring().decode('UTF-16').encode('latin1')
chain.append(('unicode', output))
else:
output = pykd.loadCStr(addr)
chain.append(('string', output))
log.debug("chain: {}".format(chain))
return chain
def dereference(self, pointer, target_id=0):
"""
Recursively dereference a pointer for display
"""
fmt = ('<' if self.get_byte_order() == 'little' else '>') + {2: 'H', 4: 'L', 8: 'Q'}[self.get_addr_size()]
addr = pointer
chain = []
# recursively dereference
for i in range(0, self.max_deref):
try:
[ptr] = pykd.loadPtrs(addr, 1)
if ptr in chain:
break
chain.append(('pointer', addr))
addr = ptr
except:
log.exception("Dereferencing pointer 0x{:X}".format(addr))
break
# get some info for the last pointer
# first try to resolve a symbol context for the address
if len(chain):
p, addr = chain[-1]
output = pykd.findSymbol(addr)
sym = True
try:
# if there's no symbol found, pykd returns a hex string of the address
if int(output, 16) == addr:
sym = False
log.debug("no symbol context")
except:
pass
if sym:
chain.append(('symbol', output.strip()))
else:
log.debug("no symbol context")
mem = pykd.loadBytes(addr, 2)
if mem[0] < 127:
if mem[1] == 0:
a = []
for i in range(0, self.max_string, 2):
mem = pykd.loadBytes(addr + i, 2)
if mem == [0, 0]:
break
a.extend(mem)
output = array.array('B', a).tostring().decode('UTF-16').encode('latin1')
chain.append(('unicode', output))
else:
output = pykd.loadCStr(addr)
chain.append(('string', output))
log.debug("chain: {}".format(chain))
return chain
def enhance_type(self, ptr, val):
ret_str = ""
if is_executable(ptr): # code page
symbol = pykd.findSymbol(ptr) + ":"
asm_str = disasm(ptr)[1]
ret_str = "{:#x}".format(ptr)
ret_str += color.gray(" ({:45s}{})".format(symbol, asm_str))
else:
ret_str = "{:#x} --> {:#x}".format(ptr, val)
val_str = get_string(ptr)
if val_str: # val is probably a string
ret_str += color.white(" (\"{}\")".format(val_str))
return ret_str
def inspectSSDT():
kernelbase = g_kernelbase
KeServiceDescriptorTable = pykd.getOffset('nt!KeServiceDescriptorTable')
KiServiceTable = pykd.ptrPtr(KeServiceDescriptorTable)
serviceCount = pykd.ptrMWord(KeServiceDescriptorTable + 2 * g_mwordsize)
print 'nt!KeServiceDescriptorTable:0x%x' % KeServiceDescriptorTable
print 'nt!KiServiceTable:0x%x' % KiServiceTable
print 'serviceCount:0x%x(%d)' % (serviceCount, serviceCount)
ssdttable = pykd.loadPtrs(KiServiceTable, serviceCount)
table_rva = (KiServiceTable - kernelbase)
print 'KiServiceTable rva:0x%x' % table_rva
filedata = open(g_kernelpath, 'rb').read()
pe = pefile.PE(data=filedata, fast_load=True)
if pe.DOS_HEADER.e_magic != 0X5A4D or pe.NT_HEADERS.Signature != 0x4550:
raise Exception("%s is not a pe file" % filepath)
table_fileoffset = pe.get_offset_from_rva(table_rva)
print 'KiServiceTable file offset:0x%x' % table_fileoffset
d = filedata[table_fileoffset:table_fileoffset +
g_mwordsize * serviceCount]
number = 0
for i in xrange(serviceCount):
source = binascii.b2a_hex(d[i * g_mwordsize:(i + 1) *
g_mwordsize][::-1])
source = pykd.addr64(int(source, 16)) - pykd.addr64(
pe.OPTIONAL_HEADER.ImageBase) + kernelbase
symbolname = pykd.findSymbol(source)
current = ssdttable[i]
if source == current:
print 'source:0x%x current:0x%x %s' % (source, current, symbolname)
else:
hooksymbolname = pykd.findSymbol(current)
print 'source:0x%x %s <-> current:0x%x %s hooked!!!!!!!' % (
source, symbolname, current, hooksymbolname)
number += 1
print 'hooked function number:', number
def listSeFileSystem():
try:
print '-'*10+'SeFileSystem'+'-'*10
head=pykd.getOffset('nt!SeFileSystemNotifyRoutinesHead')
next=head
while 1:
next=pykd.ptrPtr(next)
if not next:
break
funcaddr=pykd.ptrPtr(next+g_mwordsize)
symbolname=pykd.findSymbol(funcaddr)
print 'routine:%x %s' % (funcaddr, symbolname)
except Exception, err:
print traceback.format_exc()
def listBugCheckReasonCallback():
try:
print '-'*10+'BugCheckReasonCallback'+'-'*10
head=pykd.getOffset('nt!KeBugCheckReasonCallbackListHead')
next=head
while 1:
next=pykd.ptrPtr(next)
if next==head:
break
funcaddr=pykd.ptrPtr(next+g_mwordsize*2)
symbolname=pykd.findSymbol(funcaddr)
print 'routine:%x %s' % (funcaddr, symbolname)
except Exception, err:
print traceback.format_exc()
def breakpoints(self, target_id=0):
"""
Return a list of breakpoints.
Returns data in the following structure:
[
{
"id": 1,
"enabled": True,
"one_shot": False,
"hit_count": 5,
"locations": [
{
"address": 0x100000cf0,
"name": 'main'
}
]
}
]
"""
breakpoints = []
for i in range(0, pykd.getNumberBreakpoints()):
b = pykd.getBp(i)
addr = b.getOffset()
name = hex(addr)
try:
name = pykd.findSymbol(addr)
except:
log.exception(
"No symbol found for address {}".format(addr))
pass
breakpoints.append({
'id':
i,
'enabled':
True,
'one_shot':
False,
'hit_count':
'-',
'locations': [{
"address": addr,
"name": name
}]
})
return breakpoints
def listBugCheckReasonCallback():
try:
print '-' * 10 + 'BugCheckReasonCallback' + '-' * 10
head = pykd.getOffset('nt!KeBugCheckReasonCallbackListHead')
next = head
while 1:
next = pykd.ptrPtr(next)
if next == head:
break
funcaddr = pykd.ptrPtr(next + g_mwordsize * 2)
symbolname = pykd.findSymbol(funcaddr)
print 'routine:%x %s' % (funcaddr, symbolname)
except Exception, err:
print traceback.format_exc()
def listIopTimer():
try:
print '-'*10+'IopTimer'+'-'*10
head=pykd.getOffset('nt!IopTimerQueueHead')
next=head
while 1:
next=pykd.ptrPtr(next)
if next==head:
break
funcaddr=pykd.ptrPtr(next+g_mwordsize*2)
symbolname=pykd.findSymbol(funcaddr)
print 'routine:%x %s' % (funcaddr, symbolname)
except Exception, err:
print traceback.format_exc()
def listSeFileSystem():
try:
print '-' * 10 + 'SeFileSystem' + '-' * 10
head = pykd.getOffset('nt!SeFileSystemNotifyRoutinesHead')
next = head
while 1:
next = pykd.ptrPtr(next)
if not next:
break
funcaddr = pykd.ptrPtr(next + g_mwordsize)
symbolname = pykd.findSymbol(funcaddr)
print 'routine:%x %s' % (funcaddr, symbolname)
except Exception, err:
print traceback.format_exc()
def listIopTimer():
try:
print '-' * 10 + 'IopTimer' + '-' * 10
head = pykd.getOffset('nt!IopTimerQueueHead')
next = head
while 1:
next = pykd.ptrPtr(next)
if next == head:
break
funcaddr = pykd.ptrPtr(next + g_mwordsize * 2)
symbolname = pykd.findSymbol(funcaddr)
print 'routine:%x %s' % (funcaddr, symbolname)
except Exception, err:
print traceback.format_exc()
def inspectProcessHiddenThread(eprocessaddr=None):
try:
if eprocessaddr:
eprocessobj = pykd.typedVar('nt!_EPROCESS', eprocessaddr)
eprocessinfo = ProcessInfo()
if not eprocessinfo.init(eprocessobj):
print 'it is not a eprocess'
return
processlist = [eprocessinfo]
else:
processlist = listProcessByPsActiveProcessHead()
if not processlist:
print 'can not get process list'
return
funclist = [
listThreadByTcbThreadListEntry, listThreadByThreadListEntry
]
for eprocessinfo in processlist:
try:
eprocessaddr = eprocessinfo.eprocessaddr
print '=' * 10, 'process:%x pid:%d %s' % (
eprocessaddr, eprocessinfo.pid,
eprocessinfo.filepath), '=' * 10
threadlist = {}
for func in funclist:
try:
l = func(eprocessaddr)
except Exception, err:
l = []
print err
for info in l:
if info.ethreadaddr not in threadlist:
threadlist[info.ethreadaddr] = info
hooknumber = 0
for info in threadlist.values():
symbolname = pykd.findSymbol(info.entrypoint)
if symbolname.find('!') == -1:
print 'ethread:%x tid:%d entry:%x' % (
info.ethreadaddr, info.tid, info.entrypoint)
hooknumber += 1
if hooknumber == 0:
print 'no hidden thread'
except Exception, err:
print traceback.format_exc()
def listPlugPlay():
try:
print '-' * 10 + 'PlugPlay' + '-' * 10
table = pykd.getOffset('nt!IopDeviceClassNotifyList')
for i in xrange(13):
head = table + g_mwordsize * i * 2
next = head
while 1:
next = pykd.ptrPtr(next)
if next == head:
break
funcaddr = pykd.ptrPtr(next + g_mwordsize * 5)
symbolname = pykd.findSymbol(funcaddr)
print 'routine:%x %s' % (funcaddr, symbolname)
except Exception, err:
print traceback.format_exc()
def listPlugPlay():
try:
print '-'*10+'PlugPlay'+'-'*10
table=pykd.getOffset('nt!IopDeviceClassNotifyList')
for i in xrange(13):
head=table+g_mwordsize*i*2
next=head
while 1:
next=pykd.ptrPtr(next)
if next==head:
break
funcaddr=pykd.ptrPtr(next+g_mwordsize*5)
symbolname=pykd.findSymbol(funcaddr)
print 'routine:%x %s' % (funcaddr, symbolname)
except Exception, err:
print traceback.format_exc()
def breakpoints(self, target_id=0):
"""
Return a list of breakpoints.
Returns data in the following structure:
[
{
"id": 1,
"enabled": True,
"one_shot": False,
"hit_count": 5,
"locations": [
{
"address": 0x100000cf0,
"name": 'main'
}
]
}
]
"""
breakpoints = []
for i in range(0, pykd.getNumberBreakpoints()):
b = pykd.getBp(i)
addr = b.getOffset()
name = hex(addr)
try:
name = pykd.findSymbol(addr)
except:
log.exception("No symbol found for address {}".format(addr))
pass
breakpoints.append({
'id': i,
'enabled': True,
'one_shot': False,
'hit_count': '-',
'locations': [{
"address": addr,
"name": name
}]
})
return breakpoints
def get_disasm(self, address):
"""
Get the ASM code of instruction at address
Args:
- address: address to read instruction (Int)
Returns:
- asm code (String)
"""
if not address:
return (None, None)
if self.is_executable(address):
func = pykd.findSymbol(address)
disasm = pykd.disasm(address).instruction().split(" ",2)[-1].strip()
return (func, disasm)
else:
return (None, None)
def inspectProcessHiddenThread(eprocessaddr=None):
try:
if eprocessaddr:
eprocessobj=pykd.typedVar('nt!_EPROCESS', eprocessaddr)
eprocessinfo=ProcessInfo()
if not eprocessinfo.init(eprocessobj):
print 'it is not a eprocess'
return
processlist=[eprocessinfo]
else:
processlist=listProcessByPsActiveProcessHead()
if not processlist:
print 'can not get process list'
return
funclist=[listThreadByTcbThreadListEntry, listThreadByThreadListEntry]
for eprocessinfo in processlist:
try:
eprocessaddr=eprocessinfo.eprocessaddr
print '='*10, 'process:%x pid:%d %s' % (eprocessaddr, eprocessinfo.pid, eprocessinfo.filepath), '='*10
threadlist={}
for func in funclist:
try:
l=func(eprocessaddr)
except Exception, err:
l=[]
print err
for info in l:
if info.ethreadaddr not in threadlist:
threadlist[info.ethreadaddr]=info
hooknumber=0
for info in threadlist.values():
symbolname=pykd.findSymbol(info.entrypoint)
if symbolname.find('!')==-1:
print 'ethread:%x tid:%d entry:%x' % (info.ethreadaddr, info.tid, info.entrypoint)
hooknumber+=1
if hooknumber==0:
print 'no hidden thread'
except Exception, err:
print traceback.format_exc()
def listFsNotifyChange():
try:
print '-'*10+'FsNotifyChange'+'-'*10
head=pykd.getOffset('nt!IopFsNotifyChangeQueueHead')
next=head
while 1:
next=pykd.ptrPtr(next)
if next==head:
break
dirverobjectaddr=pykd.ptrPtr(next+g_mwordsize*2)
funcaddr=pykd.ptrPtr(next+g_mwordsize*3)
try:
driverobject=pykd.typedVar('nt!_DRIVER_OBJECT', dirverobjectaddr)
drivername=pykd.loadUnicodeString(driverobject.DriverName)
except Exception, err:
drivername=''
symbolname=pykd.findSymbol(funcaddr)
print 'routine:%x %s driver:%s' % (funcaddr, symbolname, drivername)
except Exception, err:
print traceback.format_exc()
def inspectDispatchRoutine(driverobjectaddr=None):
try:
if driverobjectaddr:
driverinfo = DriverInfo()
if not driverinfo.init1(driverobjectaddr):
print 'fail to get driver info'
return
driverlist = [driverinfo]
else:
driverlist = listDriverByDirectoryObject()
for driverinfo in driverlist:
try:
startaddr = driverinfo.baseaddr
endaddr = driverinfo.baseaddr + driverinfo.modulesize
driverobjectaddr = driverinfo.driverobjectaddr
driverobject = pykd.typedVar('nt!_DRIVER_OBJECT',
driverobjectaddr)
print '=' * 10, 'drvobj:%x %s' % (
driverobjectaddr, driverinfo.filepath), '=' * 10
for i in xrange(28):
funcaddr = pykd.ptrPtr(driverobject.MajorFunction +
i * g_mwordsize)
symbolname = pykd.findSymbol(funcaddr)
if funcaddr < startaddr or funcaddr >= endaddr:
if symbolname.find('+') != -1:
print '%d %s %x %s maybe hooked!!!!!' % (
i, MajorFunction[i], funcaddr, symbolname)
else:
print '%d %s %x %s' % (i, MajorFunction[i],
funcaddr, symbolname)
else:
print '%d %s %x %s' % (i, MajorFunction[i], funcaddr,
symbolname)
except Exception, err:
print traceback.format_exc()
except Exception, err:
print traceback.format_exc()
def listFsNotifyChange():
try:
print '-' * 10 + 'FsNotifyChange' + '-' * 10
head = pykd.getOffset('nt!IopFsNotifyChangeQueueHead')
next = head
while 1:
next = pykd.ptrPtr(next)
if next == head:
break
dirverobjectaddr = pykd.ptrPtr(next + g_mwordsize * 2)
funcaddr = pykd.ptrPtr(next + g_mwordsize * 3)
try:
driverobject = pykd.typedVar('nt!_DRIVER_OBJECT',
dirverobjectaddr)
drivername = pykd.loadUnicodeString(driverobject.DriverName)
except Exception, err:
drivername = ''
symbolname = pykd.findSymbol(funcaddr)
print 'routine:%x %s driver:%s' % (funcaddr, symbolname,
drivername)
except Exception, err:
print traceback.format_exc()
def find_symbol(self, address):
name = ''
if not address in self.address_to_symbols:
self.load_address_symbol(address)
if address in self.address_to_symbols:
name = self.address_to_symbols[address]
else:
if self.use_command_mode:
try:
output = pykd.dbgCommand("u %x L1" % address)
except:
output = ''
if output:
output_lines = output.splitlines()
if len(output_lines) >= 0 and output_lines[0].endswith(
':'):
name = output_lines[0]
else:
name = pykd.findSymbol(address)
return name
def listShutdown():
try:
print '-'*10+'Shutdown'+'-'*10
IRP_MJ_SHUTDOWN=0x10
#define IRP_MJ_SHUTDOWN 0x10
head=pykd.getOffset('nt!IopNotifyShutdownQueueHead')
next=head
while 1:
next=pykd.ptrPtr(next)
if next==head:
break
try:
deviceobjectaddr=pykd.ptrPtr(next+g_mwordsize*2)
deviceobject=pykd.typedVar('nt!_DEVICE_OBJECT', deviceobjectaddr)
driverobject=pykd.typedVar('nt!_DRIVER_OBJECT', int(deviceobject.DriverObject))
funcaddr=pykd.ptrPtr(driverobject.MajorFunction+g_mwordsize*IRP_MJ_SHUTDOWN)
symbolname=pykd.findSymbol(funcaddr)
print 'routine:%x %s' % (funcaddr, symbolname)
except Exception, err:
pass
except Exception, err:
print traceback.format_exc()
def __init__(self, ip):
self.ip = ip
self.symbol = findSymbol(ip)
def main(argv):
if len(argv) == 0:
print "Usage: !py filter.py from_level to_level filtered"
print "Filtered syscalls for 5th level: !py filter.py 5 5 1"
exit(-1)
ntMod = pykd.module("nt")
KeServiceDescriptorTableFilter = int(ntMod.KeServiceDescriptorTableFilter)
win32Mod = pykd.module("win32k")
W32pServiceTableFilter = int(win32Mod.W32pServiceTableFilter)
W32pServiceLimitFilter = pykd.loadDWords(win32Mod.W32pServiceLimitFilter, 1)[0] + 0x1000
print '[*]W32pServiceTableFilter Address:'
print '[*]'+str(hex(W32pServiceTableFilter))
win32BaseMod = pykd.module("win32kbase")
gaWin32KFilterBitmap = int(win32BaseMod.gaWin32KFilterBitmap)
print '[*]gaWin32KFilterBitmap Address:'
print '[*]'+str(hex(gaWin32KFilterBitmap))
start_level = int(argv[0])
end_level = int(argv[1])
filter = int(argv[2])
sum = 0
syscallsLimit = W32pServiceLimitFilter - 0x1000
for i in range(start_level, end_level + 1):
bitmap = pykd.loadQWords(gaWin32KFilterBitmap + i * 8, 1)[0]
print '[*]=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-='
print '[*]Bitmap filter level ' + str(hex(i))
if filter:
print '[*]Show Filtered'
else:
print '[*]Show Unfiltered'
if not bitmap:
print '[*] None'
continue
# Check SSSDT ID for 0x1000
for j in range(0x1000, W32pServiceLimitFilter):
# bit index in byte
syscallNum = j & 0xfff
# function offset in W32pServiceTableFilter
offset = pykd.loadDWords(W32pServiceTableFilter + syscallNum * 4, 1)[0]
offset = (0xfffffffff0000000 | (offset >> 4))
# function address
syscall = W32pServiceTableFilter + offset
syscall = syscall % 2**64
# check
check_byte = pykd.loadBytes(bitmap + (syscallNum >> 3), 1)[0]
filtered = check_byte & (1 << (syscallNum & 7))
filtered = filtered != 0
# 1 is filtered,0 is unfiltered
if filtered == filter:
sum = sum + 1
print '[*]'+pykd.findSymbol(syscall) + ' ' + hex(j)
if filter:
print "[*]number of filtered system calls"
else:
print "[*]number of allowed system calls"
print '[*]'+str(syscallsLimit) + "/" + str(sum)
exit(0)
def findSymbol(addr):
return pykd.findSymbol(addr)
def __init__(self, ip):
self.ip = ip
self.symbol = findSymbol(ip)
def inspectIatEatHook(modulelist, eprocessaddr=None, targetmodulebase=None):
try:
if eprocessaddr:
cmdline='.process /P /r %x' % eprocessaddr
r=pykd.dbgCommand(cmdline)
importfunctable=[]
exportfunctable={}
for mo in modulelist:
modulepath=mo.filepath
modulename=mo.name.lower()
s=os.path.splitext(modulename)
if len(s)>=2:
modulebasename=s[0]
else:
modulebasename=modulename
baseaddr=mo.baseaddr
if not os.path.exists(modulepath):
continue
elif not baseaddr:
continue
filedata=open(modulepath, 'rb').read()
pe = pefile.PE(data=filedata, fast_load=True)
if pe.DOS_HEADER.e_magic!=0X5A4D or pe.NT_HEADERS.Signature!=0x4550:
raise Exception("%s is not a pe file" % modulepath)
pe.parse_data_directories(pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_EXPORT'])
if hasattr(pe,'DIRECTORY_ENTRY_EXPORT'):
exporttable=pe.DIRECTORY_ENTRY_EXPORT
for i in exporttable.symbols:
funcoffset=pe.get_rva_from_offset(i.address_offset)
funcaddr=baseaddr+i.address
#print hex(baseaddr+funcoffset) ,hex(funcaddr)
info=ExportFuncInfo(i.name, modulename, baseaddr, funcaddr, funcoffset, i.ordinal, i.forwarder)
exportfunctable[funcaddr]=info
pe.parse_data_directories(pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_IMPORT'])
if hasattr(pe,'DIRECTORY_ENTRY_IMPORT'):
importtable=pe.DIRECTORY_ENTRY_IMPORT
for importitem in importtable:
importname=importitem.dll
for i in importitem.imports:
#thunkvalue=i.bound
iatoffset=i.address-pe.OPTIONAL_HEADER.ImageBase+baseaddr
funcname=i.name
#print '%s %s %x %x %s' % (importname, funcname, baseaddr, iatoffset, i.ordinal)
info=ImportFuncInfo(funcname, modulename, importname, baseaddr, iatoffset, i.ordinal)
importfunctable.append(info)
#for info in exportfunctable.values():
# print info.funcname, hex(info.funcaddr)
#return
#inspect export table
for info in exportfunctable.values():
if not targetmodulebase or (targetmodulebase==info.baseaddr):
sourceoffsetvalue=info.funcaddr-info.baseaddr
try:
currentoffsetvalue=pykd.ptrDWord(info.funcoffset+info.baseaddr)
except Exception, err:
print 'EATHOOK:(%s!%s) baseaddr:%x offset:%x value:%x<->????????' % (info.modulename, info.funcname, info.baseaddr, info.funcoffset, sourceoffsetvalue)
continue
if sourceoffsetvalue!=currentoffsetvalue:
print 'EATHOOK:(%s!%s) baseaddr:%x offset:%x value:%x<->%x' % (info.modulename, info.funcname, info.baseaddr, info.funcoffset, sourceoffsetvalue, currentoffsetvalue)
print 'inspect EATHOOK completely'
#inspect import table
for i in importfunctable:
if not targetmodulebase or (targetmodulebase==i.baseaddr):
try:
currentfuncaddr=pykd.ptrPtr(i.iatoffset)
except Exception, err:
if i.ordinal:
#by ordinal
print 'IATHOOK:(source:%s import:idx:%s!%d)<->????????' % (i.sourcemodulename, i.importmodulename,i.ordinal)
else:
#by name
print 'IATHOOK:(source:%s import:%s!%s)<->????????' % (i.sourcemodulename, i.importmodulename,i.funcname)
continue
if not exportfunctable.get(currentfuncaddr):
hookfuncname=pykd.findSymbol(currentfuncaddr)
if i.ordinal:
#by ordinal
print 'IATHOOK:(source:%s import:%s!idx:%d)<->%x(%s)' % (i.sourcemodulename, i.importmodulename,i.ordinal, currentfuncaddr, hookfuncname)
else:
#by name
print 'IATHOOK:(source:%s import:%s!%s)<->%x(%s)' % (i.sourcemodulename, i.importmodulename,i.funcname, currentfuncaddr, hookfuncname)