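def svclist(vdb, line):
    '''
    List the running service names and pids.

    Usage: svclist

    Args:
        vdb:  the debugger CLI object; ``vdb.trace._getSvcList()`` is expected
              to yield ``(pid, name, descr)`` triples and ``vdb.vprint`` emits
              the output lines.
        line: the rest of the command line (unused; the command takes no args).

    Returns:
        None.  One line per service is written through ``vdb.vprint``.
    '''
    pids = []
    names = []
    descrs = []
    for pid, name, descr in vdb.trace._getSvcList():
        pids.append('%d' % pid)
        names.append(name)
        descrs.append(descr)

    # columnstr pads the names to a common width so the descriptions line up.
    names = e_cli.columnstr(names)

    # zip() replaces the index loop; the unused ``cols`` list is gone.
    for pid, name, descr in zip(pids, names, descrs):
        vdb.vprint('%8s %s %s' % (pid, name, descr))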
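def svclist(vdb, line):
    '''
    List the running service names and pids.

    Usage: svclist

    Args:
        vdb:  the debugger CLI object; ``vdb.trace._getSvcList()`` is expected
              to yield ``(pid, name, descr)`` triples and ``vdb.vprint`` emits
              the output lines.
        line: the rest of the command line (unused; the command takes no args).

    Returns:
        None.  One line per service is written through ``vdb.vprint``.
    '''
    # Materialise once: _getSvcList() may be a generator and we walk it three times.
    services = list(vdb.trace._getSvcList())

    pidstrs = ['%d' % pid for pid, _, _ in services]
    # columnstr pads the names to a common width so the descriptions line up.
    names = e_cli.columnstr([name for _, name, _ in services])
    descrs = [descr for _, _, descr in services]

    for pidstr, name, descr in zip(pidstrs, names, descrs):
        vdb.vprint('%8s %s %s' % (pidstr, name, descr))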
inmem = False elif opt == '-S': showsecs = True elif opt == '-E': showexps = True t = vdb.trace bases = t.getMeta("LibraryBases") paths = t.getMeta("LibraryPaths") names = args if len(names) == 0: names = t.getNormalizedLibNames() names.sort() names = e_cli.columnstr(names) for libname in names: base = bases.get(libname.strip(), None) if base == None: base = vdb.trace.parseExpression(libname) path = paths.get(base, "unknown") try: pobj = PE.peFromMemoryObject(t, base) except Exception, e: vdb.vprint('Error: %s (0x%.8x) %s' % (libname, base, e)) continue if showimps: ldeps = {} try:
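def pe(vdb, line):
    """
    Show extended info about loaded PE binaries.

    Usage: pe [opts] [<libname>...]
        -I      Show PE import files.
        -m      Toggle inmem/ondisk behavior (directly mapped DLLs)
        -N      Show full NT header
        -t      Show PE timestamp information
        -E      Show PE exports
        -S      Show PE sections
        -v      Show FileVersion from VS_VERSIONINFO
        -V      Show all keys from VS_VERSIONINFO

    NOTE: "libname" may be a vtrace expression:

    Examples:
        # Show the imports from a PE loaded at 0x777c0000
        pe -I 0x777c0000
        # Show the exports from advapi32.dll
        pe -E advapi32
        # Show the build timestamp of the PE pointed to by a register
        pe -t esi

    Args:
        vdb:  the debugger CLI object; uses ``vdb.trace``, ``vdb.vprint`` and
              ``vdb.do_help``.
        line: the raw command line after the command name.

    Returns:
        None normally; whatever ``vdb.do_help('pe')`` returns when the options
        do not parse.  All other output goes through ``vdb.vprint``.
    """
    argv = e_cli.splitargs(line)
    try:
        opts, args = getopt.getopt(argv, "EImNStvV")
    except Exception:
        return vdb.do_help('pe')

    # One view per library: the if/elif chain below prints the first of
    # -I, -v, -V, -t, -N, -S, -E that was requested, else the library path.
    inmem = True      # set by -m; nothing in this function reads it yet
    showsecs = False
    showvers = False
    showtime = False
    showimps = False
    shownthd = False
    showexps = False
    showvsin = False

    for opt, optarg in opts:
        if opt == '-I':
            showimps = True
        elif opt == '-t':
            showtime = True
        elif opt == '-v':
            showvers = True
        elif opt == '-V':
            showvsin = True
        elif opt == '-N':
            shownthd = True
        elif opt == '-m':
            inmem = False
        elif opt == '-S':
            showsecs = True
        elif opt == '-E':
            showexps = True

    t = vdb.trace
    bases = t.getMeta("LibraryBases")
    paths = t.getMeta("LibraryPaths")

    names = args
    if len(names) == 0:
        names = t.getNormalizedLibNames()
        names.sort()

    # columnstr pads the names to a common width for display; strip() below
    # recovers the bare name used as the LibraryBases key.
    names = e_cli.columnstr(names)

    for libname in names:
        base = bases.get(libname.strip(), None)
        if base is None:
            # Not a loaded library name: the trace evaluates it as a vtrace
            # expression (address literal, register name, ...).
            base = vdb.trace.parseExpression(libname)

        path = paths.get(base, "unknown")

        try:
            pobj = PE.peFromMemoryObject(t, base)
        except Exception as e:
            vdb.vprint('Error: %s (0x%.8x) %s' % (libname, base, e))
            continue

        if showimps:
            ldeps = set()
            try:
                for rva, lname, fname in pobj.getImports():
                    ldeps.add(lname.lower())
                # sorted() works on both Python 2 and 3; dict.keys().sort()
                # raises AttributeError on Python 3, and the broad except
                # below would report that as an "Import Parser Error".
                vdb.vprint('0x%.8x - %.30s' % (base, libname))
                for lname in sorted(ldeps):
                    vdb.vprint(' %s' % lname)
            except Exception as e:
                vdb.vprint('Import Parser Error On %s: %s' % (libname, e))

        elif showvers:
            version = 'Unknown!'
            vs = pobj.getVS_VERSIONINFO()
            if vs is not None:
                version = vs.getVersionValue('FileVersion')
            vdb.vprint('%s: %s' % (libname.rjust(30), version))

        elif showvsin:
            vs = pobj.getVS_VERSIONINFO()
            vdb.vprint('==== %s' % libname)
            if vs is None:
                vdb.vprint('no VS_VERSIONINFO...')
            else:
                for vskey in sorted(vs.getVersionKeys()):
                    vsval = vs.getVersionValue(vskey)
                    # Values are cut at 50 chars to keep the table readable.
                    vdb.vprint('%s: %s' % (vskey.rjust(20), vsval[:50]))

        elif showtime:
            tstamp = pobj.IMAGE_NT_HEADERS.FileHeader.TimeDateStamp
            vdb.vprint('0x%.8x - %.30s 0x%.8x' % (base, libname, tstamp))

        elif shownthd:
            # Use a distinct name: ``t`` is the trace handed to
            # peFromMemoryObject on the next iteration, so rebinding it to the
            # header text would make every library after the first fail.
            hdrtree = pobj.IMAGE_NT_HEADERS.tree(reprmax=32)
            vdb.vprint(hdrtree)

        elif showsecs:
            for sec in pobj.getSections():
                vdb.vprint(sec.tree(reprmax=32))

        elif showexps:
            vdb.vprint('[Ord] [Address] [Name]')
            for fva, ford, name in pobj.getExports():
                vdb.vprint('%.4d 0x%.8x %s' % (ford, fva, name))

        else:
            vdb.vprint('0x%.8x - %.30s %s' % (base, libname, path))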
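def pe(vdb, line):
    """
    Show extended info about loaded PE binaries.

    Usage: pe [opts] [<libname>...]
        -I      Show PE import files.
        -m      Toggle inmem/ondisk behavior (directly mapped DLLs)
        -N      Show full NT header
        -t      Show PE timestamp information
        -E      Show PE exports
        -S      Show PE sections
        -v      Show FileVersion from VS_VERSIONINFO
        -V      Show all keys from VS_VERSIONINFO

    NOTE: "libname" may be a vtrace expression:

    Examples:
        # Show the imports from a PE loaded at 0x777c0000
        pe -I 0x777c0000
        # Show the exports from advapi32.dll
        pe -E advapi32
        # Show the build timestamp of the PE pointed to by a register
        pe -t esi

    Args:
        vdb:  the debugger CLI object; uses ``vdb.trace``, ``vdb.vprint`` and
              ``vdb.do_help``.
        line: the raw command line after the command name.

    Returns:
        None normally; whatever ``vdb.do_help('pe')`` returns when the options
        do not parse.  All other output goes through ``vdb.vprint``.
    """
    argv = e_cli.splitargs(line)
    try:
        opts, args = getopt.getopt(argv, "EImNStvV")
    except Exception:
        # Bad option string: fall back to the command help text.
        return vdb.do_help('pe')

    # Only one of the views is printed per library; the chain below checks
    # them in the order -I, -v, -V, -t, -N, -S, -E and defaults to the path.
    inmem = True      # toggled by -m but not consumed in this function
    showsecs = False
    showvers = False
    showtime = False
    showimps = False
    shownthd = False
    showexps = False
    showvsin = False

    for opt, optarg in opts:
        if opt == '-I':
            showimps = True
        elif opt == '-t':
            showtime = True
        elif opt == '-v':
            showvers = True
        elif opt == '-V':
            showvsin = True
        elif opt == '-N':
            shownthd = True
        elif opt == '-m':
            inmem = False
        elif opt == '-S':
            showsecs = True
        elif opt == '-E':
            showexps = True

    t = vdb.trace
    bases = t.getMeta("LibraryBases")
    paths = t.getMeta("LibraryPaths")

    names = args
    if len(names) == 0:
        names = t.getNormalizedLibNames()
        names.sort()

    # Names are padded for display; the padded form is the LibraryBases key
    # only after strip().
    names = e_cli.columnstr(names)

    for libname in names:
        base = bases.get(libname.strip(), None)
        if base is None:
            # Unknown library name, so evaluate the argument as a vtrace
            # expression (see the NOTE in the docstring).
            base = vdb.trace.parseExpression(libname)

        path = paths.get(base, "unknown")

        try:
            pobj = PE.peFromMemoryObject(t, base)
        except Exception as e:
            vdb.vprint('Error: %s (0x%.8x) %s' % (libname, base, e))
            continue

        if showimps:
            ldeps = set()
            try:
                for rva, lname, fname in pobj.getImports():
                    ldeps.add(lname.lower())
                vdb.vprint('0x%.8x - %.30s' % (base, libname))
                # A set plus sorted() gives the unique, ordered module list
                # without the list(dict.keys()) / sort() detour.
                for lname in sorted(ldeps):
                    vdb.vprint(' %s' % lname)
            except Exception as e:
                vdb.vprint('Import Parser Error On %s: %s' % (libname, e))

        elif showvers:
            version = 'Unknown!'
            vs = pobj.getVS_VERSIONINFO()
            if vs is not None:
                version = vs.getVersionValue('FileVersion')
            vdb.vprint('%s: %s' % (libname.rjust(30), version))

        elif showvsin:
            vs = pobj.getVS_VERSIONINFO()
            vdb.vprint('==== %s' % libname)
            if vs is None:
                vdb.vprint('no VS_VERSIONINFO...')
            else:
                for vskey in sorted(vs.getVersionKeys()):
                    vsval = vs.getVersionValue(vskey)
                    # Truncate long values so the key/value table stays readable.
                    vdb.vprint('%s: %s' % (vskey.rjust(20), vsval[:50]))

        elif showtime:
            tstamp = pobj.IMAGE_NT_HEADERS.FileHeader.TimeDateStamp
            vdb.vprint('0x%.8x - %.30s 0x%.8x' % (base, libname, tstamp))

        elif shownthd:
            # Do not reuse ``t`` here: it is the trace object that
            # peFromMemoryObject needs on the next loop iteration, and
            # rebinding it to the header dump breaks all following libraries.
            nthdr = pobj.IMAGE_NT_HEADERS.tree(reprmax=32)
            vdb.vprint(nthdr)

        elif showsecs:
            for sec in pobj.getSections():
                vdb.vprint(sec.tree(reprmax=32))

        elif showexps:
            vdb.vprint('[Ord] [Address] [Name]')
            for fva, ford, name in pobj.getExports():
                vdb.vprint('%.4d 0x%.8x %s' % (ford, fva, name))

        else:
            vdb.vprint('0x%.8x - %.30s %s' % (base, libname, path))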