Exemple #1
0
def lsmod(addr_space, profile):
    """ A Generator for modules (uses _KPCR symbols) """
    ## Locate the kpcr struct - this is hard coded right now
    kpcr = NewObject("_KPCR", kpcr_addr, addr_space, profile=profile)

    ## Try to dereference the KdVersionBlock as a 64 bit struct
    DebuggerDataList = kpcr.KdVersionBlock.dereference_as(
        "_DBGKD_GET_VERSION64").DebuggerDataList

    if DebuggerDataList.is_valid():
        offset = DebuggerDataList.dereference().v()
        ## This is a pointer to a _KDDEBUGGER_DATA64 struct. We only
        ## care about the PsActiveProcessHead entry:
        tmp = NewObject("_KDDEBUGGER_DATA64",
                        offset,
                        addr_space,
                        profile=profile).PsLoadedModuleList

        if not tmp.is_valid():
            ## Ok maybe its a 32 bit struct
            tmp = NewObject("_KDDEBUGGER_DATA32",
                            offset,
                            addr_space,
                            profile=profile).PsLoadedModuleList

        ## Try to iterate over the process list in PsActiveProcessHead
        ## (its really a pointer to a _LIST_ENTRY)
        for l in tmp.dereference_as("_LIST_ENTRY").list_of_type(
                "_LDR_MODULE", "InLoadOrderModuleList"):
            yield l
Exemple #2
0
def subkeys(key):
    if not key.is_valid(): return
    if key.SubKeyCounts[0] > 0:
        sk_off = key.SubKeyLists[0]
        sk = NewObject("_CM_KEY_INDEX", sk_off, key.vm, profile=key.profile)
        if not sk or not sk.is_valid():
            pass
        else:
            for i in read_sklist(sk):
                if i.Signature.v() == NK_SIG:
                        yield i
            
    if key.SubKeyCounts[1] > 0:
        sk_off = key.SubKeyLists[1]
        sk = NewObject("_CM_KEY_INDEX", sk_off, key.vm, profile=key.profile)
        if not sk or not sk.is_valid():
            pass
        else:
            for i in read_sklist(sk):
                if i and i.Signature.v() == NK_SIG:
                    yield i
Exemple #3
0
def subkeys(key):
    if not key.is_valid(): return
    if key.SubKeyCounts[0] > 0:
        sk_off = key.SubKeyLists[0]
        sk = NewObject("_CM_KEY_INDEX", sk_off, key.vm, profile=key.profile)
        if not sk or not sk.is_valid():
            pass
        else:
            for i in read_sklist(sk):
                if i.Signature.v() == NK_SIG:
                    yield i

    if key.SubKeyCounts[1] > 0:
        sk_off = key.SubKeyLists[1]
        sk = NewObject("_CM_KEY_INDEX", sk_off, key.vm, profile=key.profile)
        if not sk or not sk.is_valid():
            pass
        else:
            for i in read_sklist(sk):
                if i and i.Signature.v() == NK_SIG:
                    yield i
Exemple #4
0
    def _Peb(self,attr):
        """ Returns a _PEB object which is using the process address space.

        The PEB structure is referencing back into the process address
        space so we need to switch address spaces when we look at
        it. This method ensure this happens automatically.
        """
        process_ad = self.get_process_address_space()
        if process_ad:
            offset =  self.m("Peb").v()
            peb = NewObject("_PEB",offset, vm=process_ad, profile=self.profile,
                            name = "Peb", parent=self)

            if peb.is_valid():
                return peb
Exemple #5
0
    def _Peb(self, attr):
        """ Returns a _PEB object which is using the process address space.

        The PEB structure is referencing back into the process address
        space so we need to switch address spaces when we look at
        it. This method ensure this happens automatically.
        """
        process_ad = self.get_process_address_space()
        if process_ad:
            offset = self.m("Peb").v()
            peb = NewObject("_PEB",
                            offset,
                            vm=process_ad,
                            profile=self.profile,
                            name="Peb",
                            parent=self)

            if peb.is_valid():
                return peb
Exemple #6
0
def lsmod(addr_space, profile):
    """ A Generator for modules (uses _KPCR symbols) """
    ## Locate the kpcr struct - this is hard coded right now
    kpcr = NewObject("_KPCR", kpcr_addr, addr_space, profile=profile)

    ## Try to dereference the KdVersionBlock as a 64 bit struct
    DebuggerDataList = kpcr.KdVersionBlock.dereference_as("_DBGKD_GET_VERSION64").DebuggerDataList

    if DebuggerDataList.is_valid():
        offset = DebuggerDataList.dereference().v()
        ## This is a pointer to a _KDDEBUGGER_DATA64 struct. We only
        ## care about the PsActiveProcessHead entry:
        tmp = NewObject("_KDDEBUGGER_DATA64", offset, addr_space, profile=profile).PsLoadedModuleList

        if not tmp.is_valid():
            ## Ok maybe its a 32 bit struct
            tmp = NewObject("_KDDEBUGGER_DATA32", offset, addr_space, profile=profile).PsLoadedModuleList

        ## Try to iterate over the process list in PsActiveProcessHead
        ## (its really a pointer to a _LIST_ENTRY)
        for l in tmp.dereference_as("_LIST_ENTRY").list_of_type("_LDR_MODULE", "InLoadOrderModuleList"):
            yield l