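def execute(self):
        """Print the kernel's unloaded-driver table (name, range, unload time).

        Resolves the MmUnloadedDrivers pointer and MmLastUnloadedDriver index
        through the KDDEBUGGERDATA block, then walks that many
        ``_UNLOADED_MODULE`` records (0x18 bytes apart) and prints one line
        per record.

        Side effects: mutates the shared ``xpsp2types`` dictionary in place
        (both KDBG fields become visible to every later user of that module)
        and writes to stdout.  Returns 0 when the debugger data block or the
        driver table cannot be read; otherwise returns None.
        """
        from vtypes import xpsp2types

        # Offsets of the two pointers inside _KDDEBUGGER_DATA64 for the XP SP2
        # layout; the stock profile does not carry them, so add them here.
        xpsp2types['_KDDEBUGGER_DATA64'][1]['MmUnloadedDrivers'] = [0x220, ['unsigned long long']]
        xpsp2types['_KDDEBUGGER_DATA64'][1]['MmLastUnloadedDriver'] = [0x228, ['unsigned long long']]

        profile = Profile()
        profile.add_types(unloaded_mod_types)

        (addr_space, symtab, types) = load_and_identify_image(self.op, self.opts)

        KdDebuggerDataBlock = find_kddebuggerdatablock(addr_space, types)
        if not KdDebuggerDataBlock:
            return 0
        dbg_block = Object("_KDDEBUGGER_DATA64", KdDebuggerDataBlock,
                           addr_space, profile=Profile())

        # Both values are read out of the memory image and are therefore
        # untrusted: a corrupted or deliberately tampered image can return an
        # unreadable pointer (None from .v()) or an arbitrary count.
        drv_list_addr = Object('unsigned long', dbg_block.MmUnloadedDrivers, addr_space, profile=profile).v()
        drv_count = Object('unsigned long', dbg_block.MmLastUnloadedDriver, addr_space, profile=profile).v()

        if not drv_list_addr or drv_count is None:
            print "Unloaded driver table could not be read from this image"
            return 0

        # The kernel stores these records in a fixed-size table
        # (MI_UNLOADED_DRIVERS, 50 entries on XP -- TODO(review): confirm for
        # the profile in use), so a larger count is not a legitimate table.
        # Without a cap a hostile image could drive this loop for up to 2**32
        # iterations of page reads.
        max_entries = 50
        if drv_count > max_entries:
            print "Warning: MmLastUnloadedDriver = %d exceeds %d entries; truncating" % (drv_count, max_entries)
            drv_count = max_entries

        # NOTE(review): only slots [0, count) are walked; if the table has
        # wrapped, slots past the index may still hold older records.
        entry_size = 0x18

        print "%-20s %-10s %-10s %s" % ("Name", "Start", "End", "Timestamp")
        for i in range(drv_count):
            drv = Object('_UNLOADED_MODULE', drv_list_addr + (i * entry_size), addr_space, profile=profile)
            ts_win = (drv.Timestamp.HighPart << 32) | drv.Timestamp.LowPart
            ts_unix = windows_to_unix_time(ts_win)
            # Name is taken verbatim from the image and printed raw; with an
            # untrusted image consider escaping it (terminal control bytes).
            print "%-20s %#08x %#08x %s" % (drv.Name.Buffer, drv.Start.v(), drv.End.v(), ctime(ts_unix))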
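    def execute(self):
        """List the drivers recorded in the kernel's unloaded-driver table.

        The table address (MmUnloadedDrivers) and the entry index
        (MmLastUnloadedDriver) are resolved via the KDDEBUGGERDATA block;
        one line per ``_UNLOADED_MODULE`` record is printed with its name,
        start/end address and unload timestamp.

        Side effects: extends the module-level ``xpsp2types`` dictionary in
        place and prints to stdout.  Returns 0 when the debugger data block
        or the table is unreadable, None otherwise.
        """
        from vtypes import xpsp2types

        # XP SP2 offsets of the two KDBG pointers; they are not part of the
        # stock profile.
        xpsp2types['_KDDEBUGGER_DATA64'][1]['MmUnloadedDrivers'] = [
            0x220, ['unsigned long long']
        ]
        xpsp2types['_KDDEBUGGER_DATA64'][1]['MmLastUnloadedDriver'] = [
            0x228, ['unsigned long long']
        ]

        profile = Profile()
        profile.add_types(unloaded_mod_types)

        (addr_space, symtab,
         types) = load_and_identify_image(self.op, self.opts)

        KdDebuggerDataBlock = find_kddebuggerdatablock(addr_space, types)
        if not KdDebuggerDataBlock:
            return 0
        dbg_block = Object("_KDDEBUGGER_DATA64",
                           KdDebuggerDataBlock,
                           addr_space,
                           profile=Profile())

        # Pointer and count come from the image itself; treat them as
        # untrusted.  .v() yields None when the backing page is unreadable.
        drv_list_addr = Object('unsigned long',
                               dbg_block.MmUnloadedDrivers,
                               addr_space,
                               profile=profile).v()
        drv_count = Object('unsigned long',
                           dbg_block.MmLastUnloadedDriver,
                           addr_space,
                           profile=profile).v()

        if not drv_list_addr or drv_count is None:
            print "Unloaded driver table could not be read from this image"
            return 0

        # Bound the walk: the kernel's table is fixed-size
        # (MI_UNLOADED_DRIVERS, 50 on XP -- TODO(review): confirm for this
        # profile).  A tampered image must not be able to turn this into a
        # 2**32-iteration loop.
        max_entries = 50
        if drv_count > max_entries:
            print "Warning: MmLastUnloadedDriver = %d exceeds %d entries; truncating" % (
                drv_count, max_entries)
            drv_count = max_entries

        # NOTE(review): slots at or beyond the index are not visited; if the
        # table wrapped they may still contain older records.
        entry_size = 0x18

        print "%-20s %-10s %-10s %s" % ("Name", "Start", "End", "Timestamp")
        for i in range(drv_count):
            drv = Object('_UNLOADED_MODULE',
                         drv_list_addr + (i * entry_size),
                         addr_space,
                         profile=profile)
            ts_win = (drv.Timestamp.HighPart << 32) | drv.Timestamp.LowPart
            ts_unix = windows_to_unix_time(ts_win)
            # The driver name is image-controlled and printed unescaped.
            print "%-20s %#08x %#08x %s" % (drv.Name.Buffer, drv.Start.v(),
                                            drv.End.v(), ctime(ts_unix))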
def dd_to_crash(addr_space, types, symbol_table, opts):

    outfile = opts.outfile
    filename = opts.filename

    DirectoryTableBaseValue = addr_space.pgd_vaddr

    PsActiveProcessHead = find_psactiveprocesshead(addr_space, types)

    PsLoadedModuleList = find_psloadedmodulelist(addr_space, types)

    MmPfnDatabase = find_mmpfndatabase(addr_space, types)

    KdDebuggerDataBlock = find_kddebuggerdatablock(addr_space, types)

    NumberOfProcessors = find_numberprocessors(addr_space, types)

    SuiteMask = find_suitemask(addr_space, types)

    SystemTime = find_systemtime(addr_space, types)

    num_pages = os.path.getsize(filename) / 4096
    page_count = num_pages

    new_hdr = write_long_phys(DirectoryTableBaseValue,
                              ['_DMP_HEADER', 'DirectoryTableBase'], dump_hdr,
                              types)
    new_hdr = write_long_phys(PsLoadedModuleList,
                              ['_DMP_HEADER', 'PsLoadedModuleList'], new_hdr,
                              types)
    new_hdr = write_long_phys(PsActiveProcessHead,
                              ['_DMP_HEADER', 'PsActiveProcessHead'], new_hdr,
                              types)
    new_hdr = write_long_phys(KdDebuggerDataBlock,
                              ['_DMP_HEADER', 'KdDebuggerDataBlock'], new_hdr,
                              types)
    new_hdr = write_long_phys(NumberOfProcessors,
                              ['_DMP_HEADER', 'NumberProcessors'], new_hdr,
                              types)
    new_hdr = write_long_phys(MmPfnDatabase, ['_DMP_HEADER', 'PfnDataBase'],
                              new_hdr, types)
    new_hdr = write_long_phys(SuiteMask, ['_DMP_HEADER', 'SuiteMask'], new_hdr,
                              types)
    new_hdr = write_long_long_phys(SystemTime, ['_DMP_HEADER', 'SystemTime'],
                                   new_hdr, types)

    if addr_space.pae == True:
        new_hdr = write_char_phys(pae_enabled, ['_DMP_HEADER', 'PaeEnabled'],
                                  new_hdr, types)

    new_hdr = new_hdr[:100] + struct.pack('=L',num_of_runs) +\
                             struct.pack('=L',num_pages) +\
        struct.pack('=L',0x00000000)  +\
        struct.pack('=L',num_pages) +\
                             new_hdr[116:]

    MI = open(outfile, 'wb')
    MI.write("%s" % new_hdr)

    FILEOPEN = open(filename, 'rb')

    offset = 0
    end = os.path.getsize(filename)

    widgets = [
        'Convert: ',
        Percentage(), ' ',
        Bar(marker=RotatingMarker()), ' ',
        ETA()
    ]
    pbar = ProgressBar(widgets=widgets, maxval=end).start()

    while offset <= end:
        fdata = FILEOPEN.read(0x1000)
        if fdata == None:
            break
        MI.write("%s" % fdata)
        pbar.update(offset)
        offset += 0x1000

    pbar.finish()
    print

    FILEOPEN.close()
    MI.close()

    return
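def dd_to_crash(addr_space, types, symbol_table, opts):
    """Convert a raw physical memory image into a 32-bit crash-dump file.

    Builds the dump header from the module-level ``dump_hdr`` template by
    filling in values scanned out of ``addr_space`` (page directory base,
    PsLoadedModuleList, PsActiveProcessHead, KdDebuggerDataBlock, processor
    count, PFN database, SuiteMask, SystemTime, PaeEnabled), writes it to
    ``opts.outfile`` and appends the bytes of ``opts.filename`` unchanged.

    ``symbol_table`` is not used here; it is retained for callers.
    ``opts.outfile`` is overwritten without confirmation.

    Caveat: the physical memory descriptor at header offset 100 advertises a
    single run at page 0 of ``filesize // 4096`` pages.  This is only valid
    when the image is a contiguous copy of physical memory starting at
    address 0; images with acquisition gaps will decode with shifted
    physical addresses.  A trailing partial page is copied but not counted.
    """
    outfile = opts.outfile
    filename = opts.filename

    DirectoryTableBaseValue = addr_space.pgd_vaddr

    # Values below are recovered by scanning the image and are therefore
    # untrusted; a failed scan presumably yields None.  Report what is
    # missing rather than silently emitting an incomplete header.
    PsActiveProcessHead = find_psactiveprocesshead(addr_space, types)
    PsLoadedModuleList = find_psloadedmodulelist(addr_space, types)
    MmPfnDatabase = find_mmpfndatabase(addr_space, types)
    KdDebuggerDataBlock = find_kddebuggerdatablock(addr_space, types)
    NumberOfProcessors = find_numberprocessors(addr_space, types)
    SuiteMask = find_suitemask(addr_space, types)
    SystemTime = find_systemtime(addr_space, types)

    scanned = [('PsActiveProcessHead', PsActiveProcessHead),
               ('PsLoadedModuleList', PsLoadedModuleList),
               ('MmPfnDatabase', MmPfnDatabase),
               ('KdDebuggerDataBlock', KdDebuggerDataBlock),
               ('NumberOfProcessors', NumberOfProcessors),
               ('SuiteMask', SuiteMask),
               ('SystemTime', SystemTime)]
    for label, value in scanned:
        if value is None:
            print "Warning: could not locate %s in the image" % label

    # Explicit floor division: the count excludes any partial trailing page.
    num_pages = os.path.getsize(filename) // 4096

    new_hdr = write_long_phys(DirectoryTableBaseValue, ['_DMP_HEADER', 'DirectoryTableBase'], dump_hdr, types)
    new_hdr = write_long_phys(PsLoadedModuleList, ['_DMP_HEADER', 'PsLoadedModuleList'], new_hdr, types)
    new_hdr = write_long_phys(PsActiveProcessHead, ['_DMP_HEADER', 'PsActiveProcessHead'], new_hdr, types)
    new_hdr = write_long_phys(KdDebuggerDataBlock, ['_DMP_HEADER', 'KdDebuggerDataBlock'], new_hdr, types)
    new_hdr = write_long_phys(NumberOfProcessors, ['_DMP_HEADER', 'NumberProcessors'], new_hdr, types)
    new_hdr = write_long_phys(MmPfnDatabase, ['_DMP_HEADER', 'PfnDataBase'], new_hdr, types)
    new_hdr = write_long_phys(SuiteMask, ['_DMP_HEADER', 'SuiteMask'], new_hdr, types)
    new_hdr = write_long_long_phys(SystemTime, ['_DMP_HEADER', 'SystemTime'], new_hdr, types)

    if addr_space.pae:
        new_hdr = write_char_phys(pae_enabled, ['_DMP_HEADER', 'PaeEnabled'], new_hdr, types)

    # Offset 100 (0x64) holds the physical memory descriptor: NumberOfRuns,
    # NumberOfPages, Run[0].BasePage, Run[0].PageCount -- 16 bytes, so the
    # template resumes at offset 116.
    descriptor = struct.pack('=LLLL', num_of_runs, num_pages, 0, num_pages)
    new_hdr = new_hdr[:100] + descriptor + new_hdr[116:]

    end = os.path.getsize(filename)

    widgets = ['Convert: ', Percentage(), ' ', Bar(marker=RotatingMarker()),
               ' ', ETA()]
    pbar = ProgressBar(widgets=widgets, maxval=end).start()

    # Close both handles on any failure path (no partially written dump
    # left with an open descriptor).
    dump = open(outfile, 'wb')
    try:
        dump.write(new_hdr)
        image = open(filename, 'rb')
        try:
            offset = 0
            while True:
                block = image.read(0x1000)
                # EOF is signalled by an empty string; read() never returns None.
                if not block:
                    break
                dump.write(block)
                pbar.update(offset)
                offset += len(block)
        finally:
            image.close()
    finally:
        dump.close()

    pbar.finish()
    print

    return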