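def lsmod(addr_space, profile):
    """Yield the kernel's loaded modules as _LDR_MODULE objects (uses _KPCR symbols).

    The walk starts at the module-level ``kpcr_addr`` (hard coded, not a
    parameter), reads ``KdVersionBlock`` with the ``_DBGKD_GET_VERSION64``
    layout to reach ``DebuggerDataList``, and takes ``PsLoadedModuleList``
    from the ``_KDDEBUGGER_DATA64`` it points to, falling back to the
    ``_KDDEBUGGER_DATA32`` layout when the 64-bit one does not validate.  The
    list head is then walked as the ``InLoadOrderModuleList`` of
    ``_LDR_MODULE`` entries.

    Args:
        addr_space: kernel address space the structures are read from.
        profile: symbol profile passed to every ``NewObject`` call.

    Yields:
        ``_LDR_MODULE`` objects, in load order.  Nothing is yielded when
        ``DebuggerDataList`` is not valid.  Only entries still linked into
        the list can be seen by this walk.
    """
    ## Locate the kpcr struct - its address is hard coded in kpcr_addr
    kpcr = NewObject("_KPCR", kpcr_addr, addr_space, profile=profile)

    ## Try to dereference the KdVersionBlock as a 64 bit struct
    version_block = kpcr.KdVersionBlock.dereference_as("_DBGKD_GET_VERSION64")
    debugger_data_list = version_block.DebuggerDataList
    if not debugger_data_list.is_valid():
        return

    debugger_data_off = debugger_data_list.dereference().v()
    ## This is a pointer to a _KDDEBUGGER_DATA64 struct. We only care about
    ## the PsLoadedModuleList entry (PsActiveProcessHead is the process walk).
    module_list = NewObject("_KDDEBUGGER_DATA64", debugger_data_off, addr_space,
                            profile=profile).PsLoadedModuleList
    if not module_list.is_valid():
        ## Ok maybe its a 32 bit struct
        module_list = NewObject("_KDDEBUGGER_DATA32", debugger_data_off, addr_space,
                                profile=profile).PsLoadedModuleList

    ## NOTE(review): if neither layout validates, the head is still
    ## dereferenced below; what happens then depends on how NewObject
    ## represents invalid objects - confirm.
    ## PsLoadedModuleList is really a pointer to a _LIST_ENTRY; walk it.
    list_head = module_list.dereference_as("_LIST_ENTRY")
    for module in list_head.list_of_type("_LDR_MODULE", "InLoadOrderModuleList"):
        yield module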
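def subkeys(key):
    """Yield the _CM_KEY_NODE children of *key* from both of its subkey lists.

    ``SubKeyLists[0]``/``SubKeyCounts[0]`` and ``SubKeyLists[1]``/
    ``SubKeyCounts[1]`` are walked in turn (in the hive format these are
    conventionally the stable and volatile lists; not verified here).  Each
    non-empty list head is instantiated as a ``_CM_KEY_INDEX`` on the key's
    own address space and expanded with ``read_sklist``; only entries whose
    ``Signature`` equals ``NK_SIG`` are yielded.

    Args:
        key: a key node object exposing ``is_valid``, ``SubKeyCounts``,
            ``SubKeyLists``, ``vm`` and ``profile``.

    Yields:
        entries returned by ``read_sklist`` that carry the ``NK_SIG`` signature.
        An invalid key, an empty list, or an index cell that fails to
        instantiate or validate contributes nothing.
    """
    if not key.is_valid():
        return

    for idx in (0, 1):
        if not (key.SubKeyCounts[idx] > 0):
            continue
        index = NewObject("_CM_KEY_INDEX", key.SubKeyLists[idx], key.vm,
                          profile=key.profile)
        ## A falsy or non-validating index cell is skipped rather than walked;
        ## hive data in a memory image may be paged out or corrupted.
        if not index or not index.is_valid():
            continue
        for node in read_sklist(index):
            ## Guard on node before touching Signature: read_sklist may hand
            ## back a falsy placeholder for an unreadable cell.  The original
            ## applied this guard to the second list only.
            if node and node.Signature.v() == NK_SIG:
                yield node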
def _Peb(self, attr):
    """Return this process's _PEB, read through the process address space.

    The PEB pointer in the kernel object refers back into the process's own
    virtual address space, so the object is built on the address space
    returned by ``get_process_address_space`` instead of the kernel one.
    Returns None when no process address space is available or the PEB does
    not validate.  ``attr`` is accepted for the caller's callback signature
    and is not used.
    """
    process_space = self.get_process_address_space()
    if not process_space:
        return None
    peb_offset = self.m("Peb").v()
    peb = NewObject("_PEB", peb_offset, vm=process_space,
                    profile=self.profile, name="Peb", parent=self)
    if not peb.is_valid():
        return None
    return peb
def _Peb(self, attr):
    """Return a _PEB object built on the process address space, or None.

    The PEB structure lives in the process's user-mode address space, so the
    address space is switched before it is read.  None is returned when the
    process address space cannot be obtained or the PEB fails validation.
    ``attr`` is part of the callback signature and is unused here.
    """
    vm = self.get_process_address_space()
    if vm:
        peb = NewObject("_PEB", self.m("Peb").v(), vm=vm,
                        profile=self.profile, name="Peb", parent=self)
        return peb if peb.is_valid() else None
    return None
def lsmod(addr_space, profile):
    """Generator over the kernel's loaded-module list, located through _KPCR.

    Reads ``KdVersionBlock`` from the KPCR at the module-level ``kpcr_addr``
    using the ``_DBGKD_GET_VERSION64`` layout, follows ``DebuggerDataList``
    to a ``_KDDEBUGGER_DATA64`` (or ``_KDDEBUGGER_DATA32`` if the 64-bit
    ``PsLoadedModuleList`` does not validate), and walks that list head as
    ``_LDR_MODULE`` entries linked through ``InLoadOrderModuleList``.
    Yields nothing when ``DebuggerDataList`` is not valid.

    Args:
        addr_space: kernel address space to read from.
        profile: symbol profile handed to ``NewObject``.

    Yields:
        ``_LDR_MODULE`` objects in load order.
    """
    ## The KPCR location comes from kpcr_addr, which is hard coded.
    pcr = NewObject("_KPCR", kpcr_addr, addr_space, profile=profile)

    ## Read KdVersionBlock with the 64 bit version-block layout.
    data_list_ptr = pcr.KdVersionBlock.dereference_as("_DBGKD_GET_VERSION64").DebuggerDataList
    if data_list_ptr.is_valid():
        data_off = data_list_ptr.dereference().v()
        ## Only PsLoadedModuleList is needed from the debugger data block;
        ## try the 64 bit layout first, then the 32 bit one.
        head = NewObject("_KDDEBUGGER_DATA64", data_off, addr_space, profile=profile).PsLoadedModuleList
        if not head.is_valid():
            head = NewObject("_KDDEBUGGER_DATA32", data_off, addr_space, profile=profile).PsLoadedModuleList

        ## The head is a pointer to a _LIST_ENTRY; walk it as _LDR_MODULEs.
        entries = head.dereference_as("_LIST_ENTRY").list_of_type("_LDR_MODULE", "InLoadOrderModuleList")
        for entry in entries:
            yield entry