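    def calculate(self):
        """Map each driver object to the loaded kernel module that owns its code.

        Yields ``(module_name, driver_name, service_key, driver_name3)``
        tuples: the owning module's ``BaseDllName`` (or ``FullDllName``),
        the driver object's object-header name, its
        ``DriverExtension.ServiceKeyName`` and its ``DriverName``.  Anything
        that cannot be resolved is reported as the string ``"UNKNOWN"``.

        When ``self._config.ADDR`` is set only that one address is resolved
        and a single tuple is yielded; otherwise one tuple is yielded per
        driver returned by ``dtree.DriverIrp``.

        A driver whose ``DriverStart`` is not covered by any listed module
        comes back with ``module_name == "UNKNOWN"``; from a forensic
        standpoint that is the row worth examining first, since its code is
        not attributable to a module in the loaded-module list.
        """
        addr_space = utils.load_as(self._config)

        # Index the loaded modules by masked base address; find_module
        # searches the sorted key list.
        modlist = list(modules.lsmod(addr_space))
        mods = dict(
            (addr_space.address_mask(mod.DllBase), mod) for mod in modlist)
        mod_addrs = sorted(mods.keys())

        # The original did list(mods.values())[0] on every lookup: an O(n)
        # copy per driver and an IndexError when no module was listed.
        # Resolve the reference address space once; with no modules fall
        # back to the kernel space we already loaded.
        ref_vm = mods[mod_addrs[0]].obj_vm if mod_addrs else addr_space

        def owning_module_name(address):
            # Name of the module containing *address*, or "UNKNOWN".  The
            # ADDR branch previously yielded None here when nothing matched,
            # unlike the per-driver branch; both now agree.
            owner = tasks.find_module(
                mods, mod_addrs, ref_vm.address_mask(address))
            if not owner:
                return "UNKNOWN"
            return owner.BaseDllName or owner.FullDllName

        def driver_names(driver):
            # (object-header name, service key, DriverName), each as a str
            # with None/empty fields rendered as ''.
            header = driver.get_object_header()
            return (
                str(header.NameInfo.Name or ''),
                str(driver.DriverExtension.ServiceKeyName or ''),
                str(driver.DriverName or ''),
            )

        drivers = dtree.DriverIrp(self._config).calculate()
        driver_name = "UNKNOWN"
        service_key = "UNKNOWN"
        driver_name3 = "UNKNOWN"

        if self._config.ADDR:
            find_address = self._config.ADDR

            module_name = owning_module_name(find_address)

            # First driver whose [DriverStart, DriverStart + DriverSize)
            # range contains the address wins; the defaults above stand if
            # none does.
            for driver in drivers:
                if (driver.DriverStart <= find_address <
                        driver.DriverStart + driver.DriverSize):
                    driver_name, service_key, driver_name3 = driver_names(
                        driver)
                    break

            yield (module_name, driver_name, service_key, driver_name3)

        else:
            for driver in drivers:
                driver_name, service_key, driver_name3 = driver_names(driver)
                module_name = owning_module_name(driver.DriverStart)

                yield (module_name, driver_name, service_key, driver_name3)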
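    def calculate(self):
        """Map each driver object to the loaded kernel module that owns its code.

        Yields ``(module_name, driver_name)`` tuples: the owning module's
        ``BaseDllName`` (or ``FullDllName``) and the driver object's
        object-header name.  An unresolved module is reported as the string
        ``"UNKNOWN"``; an unresolved driver (ADDR mode only) likewise.

        When ``self._config.ADDR`` is set only that one address is resolved
        and a single tuple is yielded; otherwise one tuple is yielded per
        driver returned by ``dtree.DriverIrp``.

        A driver whose ``DriverStart`` is not covered by any listed module
        comes back as ``"UNKNOWN"``; that is the row a reviewer should look
        at first, since its code is not attributable to a module in the
        loaded-module list.
        """
        addr_space = utils.load_as(self._config)

        # Index the loaded modules by masked base address; find_module
        # searches the sorted key list.
        modlist = list(modules.lsmod(addr_space))
        mods = dict(
            (addr_space.address_mask(mod.DllBase), mod) for mod in modlist)
        mod_addrs = sorted(mods.keys())

        # The original did mods.values()[0] on every lookup: a fresh list per
        # driver and an IndexError when no module was listed.  Resolve the
        # reference address space once; with no modules fall back to the
        # kernel space we already loaded.  (Indexing by key also keeps this
        # valid on Python 3, where dict.values() is not subscriptable.)
        ref_vm = mods[mod_addrs[0]].obj_vm if mod_addrs else addr_space

        def owning_module_name(address):
            # Name of the module containing *address*, or "UNKNOWN".
            owner = tasks.find_module(
                mods, mod_addrs, ref_vm.address_mask(address))
            if not owner:
                return "UNKNOWN"
            return owner.BaseDllName or owner.FullDllName

        drivers = dtree.DriverIrp(self._config).calculate()
        found_driver = "UNKNOWN"

        if self._config.ADDR:
            find_address = self._config.ADDR

            found_module = owning_module_name(find_address)

            # First driver whose [DriverStart, DriverStart + DriverSize)
            # range contains the address wins; "UNKNOWN" stands if none does.
            for driver in drivers:
                if driver.DriverStart <= find_address < driver.DriverStart + driver.DriverSize:
                    found_driver = driver.get_object_header().NameInfo.Name
                    break

            yield (found_module, found_driver)

        else:
            for driver in drivers:
                driver_name = driver.get_object_header().NameInfo.Name
                module_name = owning_module_name(driver.DriverStart)

                yield (module_name, driver_name)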