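def listProcessByWorkingSetExpansionLinks(sourceprocesslist=None):
    """Enumerate processes by walking the Vm.WorkingSetExpansionLinks lists.

    For every process in ``sourceprocesslist`` (objects exposing
    ``eprocessaddr``; when empty or None the result of
    ``listProcessByPsActiveProcessHead`` is used) the ``Vm.WorkingSetExpansionLinks``
    entry of its ``nt!_EPROCESS`` is taken as the head of a ``pykd.typedVarList``
    walk.  Each distinct head is walked once and every EPROCESS reached is
    wrapped in a ``ProcessInfo`` keyed by its address.  Presumably the point is
    a cross-view check: an EPROCESS absent from ActiveProcessLinks may still
    be reachable through this list.

    Any exception ends the enumeration early: the traceback is printed and
    whatever was collected so far is returned (best effort).

    Args:
        sourceprocesslist: iterable of ProcessInfo-like objects, or None.

    Returns:
        dict mapping EPROCESS address (int) to ProcessInfo.
    """
    processlist = {}
    try:
        if not sourceprocesslist:
            sourceprocesslist = listProcessByPsActiveProcessHead()
        # Heads already walked; a set keeps the membership test O(1) when many
        # processes share one expansion list.
        walked_heads = set()
        for eproc in sourceprocesslist:
            eprocessaddr = eproc.eprocessaddr
            # Already reached through an earlier walk: nothing new to learn.
            if eprocessaddr in processlist:
                continue
            eprocessobj = pykd.typedVar('nt!_EPROCESS', eprocessaddr)
            head = int(eprocessobj.Vm.WorkingSetExpansionLinks)
            # The collapsed original leaves the nesting ambiguous; the walk is
            # kept under this guard so a zero head is never handed to typedVarList.
            if not head or head in walked_heads:
                continue
            walked_heads.add(head)
            entries = pykd.typedVarList(head, 'nt!_EPROCESS',
                                        'Vm.WorkingSetExpansionLinks')
            for entry in entries:
                addr = int(entry)
                if addr in processlist:
                    continue
                info = ProcessInfo()
                if info.init(entry):
                    processlist[addr] = info
    except Exception:
        # Best effort: report and hand back the partial result.
        print(traceback.format_exc())
    # NOTE(review): the collapsed source shows no return statement; returning
    # the collected map is the evident intent -- confirm against the full file.
    return processlist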
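def listModuleByLdrList(eprocessaddr):
    """Collect the loaded modules of a process from its three PEB Ldr lists.

    The debugger context is switched to the process (``.process /P <addr>``
    followed by ``.reload``), then ``InLoadOrderModuleList``,
    ``InMemoryOrderModuleList`` and ``InInitializationOrderModuleList`` of
    ``PEB.Ldr`` are each walked with ``pykd.typedVarList``.  Entries are keyed
    by their ``_LDR_DATA_TABLE_ENTRY`` address, so a module reachable from
    several lists is recorded once while an entry present in only one of them
    is still collected (presumably why all three lists are walked).

    Unlike the original, entries of a list that was walked successfully are
    kept even if a later list raises.

    Args:
        eprocessaddr: address of the target ``nt!_EPROCESS`` (int).

    Returns:
        dict mapping ``_LDR_DATA_TABLE_ENTRY`` address (int) to ModuleInfo;
        empty when ``Peb`` is 0, partial when an exception interrupted the
        walk (the traceback is printed in that case).
    """
    modulelist = {}
    # (head field in _PEB_LDR_DATA, link field in _LDR_DATA_TABLE_ENTRY).
    ldr_lists = (
        ('InLoadOrderModuleList', 'InLoadOrderLinks'),
        ('InMemoryOrderModuleList', 'InMemoryOrderLinks'),
        ('InInitializationOrderModuleList', 'InInitializationOrderLinks'),
    )
    try:
        # %x only accepts an integer, so the argument cannot alter the command.
        pykd.dbgCommand('.process /P %x;.reload;' % eprocessaddr)
        eprocessobj = pykd.typedVar('nt!_EPROCESS', eprocessaddr)
        if int(eprocessobj.Peb) == 0:
            print('peb is 0')
            return modulelist
        ldr = eprocessobj.Peb.Ldr
        for head_field, link_field in ldr_lists:
            head = int(getattr(ldr, head_field))
            for ldr_entry in pykd.typedVarList(head, 'nt!_LDR_DATA_TABLE_ENTRY', link_field):
                addr = int(ldr_entry)
                if addr in modulelist:
                    continue
                info = ModuleInfo()
                if info.init1(ldr_entry):
                    modulelist[addr] = info
    except Exception:
        print(traceback.format_exc())
    # NOTE(review): the collapsed source shows no return statement; returning
    # the collected map is the evident intent -- confirm against the full file.
    return modulelist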
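def testTypedVarList(self):
    """typedVarList walks g_listHead identically whether the element type is
    given by name on the module or as a type object through pykd.

    The original repeated the pykd.typedVarList call a third time verbatim;
    that duplicate added no coverage and is folded into the loop below.
    """
    expected = list(range(5))
    walks = (
        target.module.typedVarList(target.module.g_listHead, "listStruct", "next.flink"),
        pykd.typedVarList(target.module.g_listHead, target.module.type("listStruct"), "next.flink"),
    )
    for tvl in walks:
        self.assertEqual(5, len(tvl))
        self.assertEqual(expected, [tv.num for tv in tvl])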
def testTypedVarList(self):
    """typedVarList follows a named link field from a list head.

    Exercised here: the element type given by name or as a type object,
    two different heads/link fields (g_listHead/listEntry and
    g_listHead1/next), a ChildEntryTest list whose entries expose both
    m_someBaseFiled2 and m_childFiled1, and the module-qualified type name
    accepted by pykd.typedVarList, which must yield the same list as the
    module-level API.
    """
    module = target.module

    def check(tvl, expected, field="num"):
        # Length first, then the per-entry values in list order.
        self.assertEqual(len(expected), len(tvl))
        self.assertEqual(expected, [getattr(tv, field) for tv in tvl])

    check(module.typedVarList(module.g_listHead, "listStruct", "listEntry"), [1, 2, 3])
    check(module.typedVarList(module.g_listHead, module.type("listStruct"), "listEntry"), [1, 2, 3])
    check(module.typedVarList(module.g_listHead1, "listStruct1", "next"), [100, 200, 300])
    check(module.typedVarList(module.g_listHead1, module.type("listStruct1"), "next"), [100, 200, 300])

    children = module.typedVarList(module.g_childListHead, module.type("ChildEntryTest"), "m_next")
    check(children, [1000, 2000, 3000], "m_someBaseFiled2")
    self.assertEqual([1001, 2001, 3001], [tv.m_childFiled1 for tv in children])

    tvl1 = module.typedVarList(module.g_listHead, "listStruct", "listEntry")
    tvl2 = pykd.typedVarList(module.g_listHead, target.moduleName + "!listStruct", "listEntry")
    self.assertEqual(tvl1, tvl2)
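def listProcessByWorkingSetExpansionLinks(sourceprocesslist=None):
    """Enumerate processes by walking the Vm.WorkingSetExpansionLinks lists.

    For every process in ``sourceprocesslist`` (objects exposing
    ``eprocessaddr``; when empty or None the result of
    ``listProcessByPsActiveProcessHead`` is used) the ``Vm.WorkingSetExpansionLinks``
    entry of its ``nt!_EPROCESS`` is taken as the head of a ``pykd.typedVarList``
    walk.  Each distinct head is walked once and every EPROCESS reached is
    wrapped in a ``ProcessInfo`` keyed by its address.  Presumably the point is
    a cross-view check: an EPROCESS absent from ActiveProcessLinks may still
    be reachable through this list.

    Any exception ends the enumeration early: the traceback is printed and
    whatever was collected so far is returned (best effort).

    Args:
        sourceprocesslist: iterable of ProcessInfo-like objects, or None.

    Returns:
        dict mapping EPROCESS address (int) to ProcessInfo.
    """
    processlist = {}
    try:
        if not sourceprocesslist:
            sourceprocesslist = listProcessByPsActiveProcessHead()
        # Heads already walked; a set keeps the membership test O(1) when many
        # processes share one expansion list.
        walked_heads = set()
        for eproc in sourceprocesslist:
            eprocessaddr = eproc.eprocessaddr
            # Already reached through an earlier walk: nothing new to learn.
            if eprocessaddr in processlist:
                continue
            eprocessobj = pykd.typedVar('nt!_EPROCESS', eprocessaddr)
            head = int(eprocessobj.Vm.WorkingSetExpansionLinks)
            # The collapsed original leaves the nesting ambiguous; the walk is
            # kept under this guard so a zero head is never handed to typedVarList.
            if not head or head in walked_heads:
                continue
            walked_heads.add(head)
            entries = pykd.typedVarList(head, 'nt!_EPROCESS',
                                        'Vm.WorkingSetExpansionLinks')
            for entry in entries:
                addr = int(entry)
                if addr in processlist:
                    continue
                info = ProcessInfo()
                if info.init(entry):
                    processlist[addr] = info
    except Exception:
        # Best effort: report and hand back the partial result.
        print(traceback.format_exc())
    # NOTE(review): the collapsed source shows no return statement; returning
    # the collected map is the evident intent -- confirm against the full file.
    return processlist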
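def listProcessBySessionProcessLinks(sourceprocesslist=None):
    """Enumerate processes by walking the per-session SessionProcessLinks lists.

    For every process in ``sourceprocesslist`` (objects exposing
    ``eprocessaddr``; when empty or None the result of
    ``listProcessByPsActiveProcessHead`` is used) the ``SessionProcessLinks``
    entry of its ``nt!_EPROCESS`` is taken as the head of a ``pykd.typedVarList``
    walk.  Each distinct head is walked once and every EPROCESS reached is
    wrapped in a ``ProcessInfo`` keyed by its address.  Presumably this serves
    as a cross-view check against the ActiveProcessLinks walk: an entry
    missing from one list may still be reachable through the other.

    Any exception ends the enumeration early: the traceback is printed and
    whatever was collected so far is returned (best effort).

    Args:
        sourceprocesslist: iterable of ProcessInfo-like objects, or None.

    Returns:
        dict mapping EPROCESS address (int) to ProcessInfo.
    """
    processlist = {}
    try:
        if not sourceprocesslist:
            sourceprocesslist = listProcessByPsActiveProcessHead()
        # Session list heads already walked (set: O(1) membership).
        walked_heads = set()
        for eproc in sourceprocesslist:
            eprocessaddr = eproc.eprocessaddr
            if eprocessaddr in processlist:
                continue
            eprocessobj = pykd.typedVar('nt!_EPROCESS', eprocessaddr)
            head = int(eprocessobj.SessionProcessLinks)
            # The collapsed original leaves the nesting ambiguous; the walk is
            # kept under this guard so a zero head is never handed to typedVarList.
            if not head or head in walked_heads:
                continue
            walked_heads.add(head)
            entries = pykd.typedVarList(head, 'nt!_EPROCESS', 'SessionProcessLinks')
            for entry in entries:
                addr = int(entry)
                if addr in processlist:
                    continue
                info = ProcessInfo()
                if info.init(entry):
                    processlist[addr] = info
    except Exception:
        # Best effort: report and hand back the partial result.
        print(traceback.format_exc())
    # NOTE(review): the collapsed source shows no return statement; returning
    # the collected map is the evident intent -- confirm against the full file.
    return processlist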
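def listProcessBySessionProcessLinks(sourceprocesslist=None):
    """Enumerate processes by walking the per-session SessionProcessLinks lists.

    For every process in ``sourceprocesslist`` (objects exposing
    ``eprocessaddr``; when empty or None the result of
    ``listProcessByPsActiveProcessHead`` is used) the ``SessionProcessLinks``
    entry of its ``nt!_EPROCESS`` is taken as the head of a ``pykd.typedVarList``
    walk.  Each distinct head is walked once and every EPROCESS reached is
    wrapped in a ``ProcessInfo`` keyed by its address.  Presumably this serves
    as a cross-view check against the ActiveProcessLinks walk: an entry
    missing from one list may still be reachable through the other.

    Any exception ends the enumeration early: the traceback is printed and
    whatever was collected so far is returned (best effort).

    Args:
        sourceprocesslist: iterable of ProcessInfo-like objects, or None.

    Returns:
        dict mapping EPROCESS address (int) to ProcessInfo.
    """
    processlist = {}
    try:
        if not sourceprocesslist:
            sourceprocesslist = listProcessByPsActiveProcessHead()
        # Session list heads already walked (set: O(1) membership).
        walked_heads = set()
        for eproc in sourceprocesslist:
            eprocessaddr = eproc.eprocessaddr
            if eprocessaddr in processlist:
                continue
            eprocessobj = pykd.typedVar('nt!_EPROCESS', eprocessaddr)
            head = int(eprocessobj.SessionProcessLinks)
            # The collapsed original leaves the nesting ambiguous; the walk is
            # kept under this guard so a zero head is never handed to typedVarList.
            if not head or head in walked_heads:
                continue
            walked_heads.add(head)
            entries = pykd.typedVarList(head, 'nt!_EPROCESS', 'SessionProcessLinks')
            for entry in entries:
                addr = int(entry)
                if addr in processlist:
                    continue
                info = ProcessInfo()
                if info.init(entry):
                    processlist[addr] = info
    except Exception:
        # Best effort: report and hand back the partial result.
        print(traceback.format_exc())
    # NOTE(review): the collapsed source shows no return statement; returning
    # the collected map is the evident intent -- confirm against the full file.
    return processlist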
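def reloadModules():
    """Rebuild the module-level ``moduleList`` and the per-module global aliases.

    Every module recorded by the previous call first has its global alias
    (lower-cased module name) reset to None.  The loaded-module list is then
    walked with ``pykd.typedVarList``: under a kernel debugger from
    ``nt!PsLoadedModuleList`` (and ``nt`` itself is loaded into the ``nt``
    global), otherwise from the current process's
    ``PEB.Ldr.InLoadOrderModuleList`` resolved through ntdll.  Each entry's
    ``pykd.findModule(DllBase)`` result is stored in ``moduleList`` and as a
    global named after the module.  ``ntoskrnl.exe`` is skipped during the
    walk, presumably because the kernel is already covered by the ``nt`` handle.

    Side effects: rebinds ``moduleList`` and ``nt`` and writes into ``globals()``.
    """
    global moduleList, nt
    for m in moduleList:
        globals()[m.name().lower()] = None
    # Reset the list here rather than after the branch: the original reset it
    # after moduleList.append(nt), so nt was silently dropped from the list.
    moduleList = []
    if pykd.isKernelDebugging():
        nt = pykd.loadModule("nt")
        modules = pykd.typedVarList(nt.PsLoadedModuleList, "nt",
                                    "_LDR_DATA_TABLE_ENTRY", "InLoadOrderLinks")
        moduleList.append(nt)
    else:
        # Handle unused below; the call is kept because the typedVar lookups
        # on "ntdll" that follow presumably depend on it -- TODO confirm.
        ntdll = pykd.loadModule("ntdll")
        peb = pykd.typedVar("ntdll", "_PEB", pykd.getCurrentProcess())
        ldr = pykd.typedVar("ntdll", "_PEB_LDR_DATA", peb.Ldr)
        modules = pykd.typedVarList(ldr.InLoadOrderModuleList.getAddress(), "ntdll",
                                    "_LDR_DATA_TABLE_ENTRY", "InLoadOrderLinks")
    for m in modules:
        baseName = str(pykd.loadUnicodeString(m.BaseDllName.getAddress()))
        if baseName == "ntoskrnl.exe":
            continue
        module = pykd.findModule(m.DllBase)
        globals()[module.name().lower()] = module
        moduleList.append(module)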
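def listProcessByPsActiveProcessHead():
    """Enumerate processes by walking nt!PsActiveProcessHead.

    ``pykd.typedVarList`` follows ``ActiveProcessLinks`` from the list head
    and yields one ``nt!_EPROCESS`` per entry; each one accepted by
    ``ProcessInfo.init`` is appended in list order.  The other list* helpers
    use this result as their default input, so it must always return a list.

    Returns:
        list of ProcessInfo; partial (possibly empty) if an exception was
        raised, in which case the traceback is printed.
    """
    processlist = []
    try:
        head = pykd.getOffset('nt!PsActiveProcessHead')
        for eprocess in pykd.typedVarList(head, 'nt!_EPROCESS', 'ActiveProcessLinks'):
            info = ProcessInfo()
            if info.init(eprocess):
                processlist.append(info)
    except Exception:
        # Best effort: report and hand back whatever was collected.
        print(traceback.format_exc())
    # NOTE(review): no return is visible in the collapsed source; callers
    # iterate the result, so the list has to be returned -- confirm.
    return processlist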
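def listThreadByThreadListEntry(eprocessaddr):
    """List the threads of a process by walking EPROCESS.ThreadListHead.

    The debugger context is switched to the process first (``.process /P``
    plus ``.reload``); ``ThreadListEntry`` is then followed from
    ``ThreadListHead`` and every ``nt!_ETHREAD`` is wrapped in a ThreadInfo.

    Args:
        eprocessaddr: address of the target ``nt!_EPROCESS`` (int).

    Returns:
        list of ThreadInfo in list order; partial if an exception
        interrupted the walk (the traceback is printed).
    """
    threadlist = []
    try:
        # %x only accepts an integer, so the argument cannot alter the command.
        pykd.dbgCommand('.process /P %x;.reload;' % eprocessaddr)
        eprocessobj = pykd.typedVar('nt!_EPROCESS', eprocessaddr)
        ethreads = pykd.typedVarList(eprocessobj.ThreadListHead, 'nt!_ETHREAD', 'ThreadListEntry')
        threadlist.extend(ThreadInfo(ethread) for ethread in ethreads)
    except Exception:
        print(traceback.format_exc())
    # NOTE(review): no return is visible in the collapsed source; returning
    # the list is the evident intent -- confirm against the full file.
    return threadlist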
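def listThreadByThreadListEntry(eprocessaddr):
    """List the threads of a process by walking EPROCESS.ThreadListHead.

    The debugger context is switched to the process first (``.process /P``
    plus ``.reload``); ``ThreadListEntry`` is then followed from
    ``ThreadListHead`` and every ``nt!_ETHREAD`` is wrapped in a ThreadInfo.

    Args:
        eprocessaddr: address of the target ``nt!_EPROCESS`` (int).

    Returns:
        list of ThreadInfo in list order; partial if an exception
        interrupted the walk (the traceback is printed).
    """
    threadlist = []
    try:
        # %x only accepts an integer, so the argument cannot alter the command.
        pykd.dbgCommand('.process /P %x;.reload;' % eprocessaddr)
        eprocessobj = pykd.typedVar('nt!_EPROCESS', eprocessaddr)
        ethreads = pykd.typedVarList(eprocessobj.ThreadListHead, 'nt!_ETHREAD', 'ThreadListEntry')
        threadlist.extend(ThreadInfo(ethread) for ethread in ethreads)
    except Exception:
        print(traceback.format_exc())
    # NOTE(review): no return is visible in the collapsed source; returning
    # the list is the evident intent -- confirm against the full file.
    return threadlist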
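def listProcessByPsActiveProcessHead():
    """Enumerate processes by walking nt!PsActiveProcessHead.

    ``pykd.typedVarList`` follows ``ActiveProcessLinks`` from the list head
    and yields one ``nt!_EPROCESS`` per entry; each one accepted by
    ``ProcessInfo.init`` is appended in list order.  The other list* helpers
    use this result as their default input, so it must always return a list.

    Returns:
        list of ProcessInfo; partial (possibly empty) if an exception was
        raised, in which case the traceback is printed.
    """
    processlist = []
    try:
        head = pykd.getOffset('nt!PsActiveProcessHead')
        for eprocess in pykd.typedVarList(head, 'nt!_EPROCESS', 'ActiveProcessLinks'):
            info = ProcessInfo()
            if info.init(eprocess):
                processlist.append(info)
    except Exception:
        # Best effort: report and hand back whatever was collected.
        print(traceback.format_exc())
    # NOTE(review): no return is visible in the collapsed source; callers
    # iterate the result, so the list has to be returned -- confirm.
    return processlist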
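def listDriverByPsLoadedModuleList():
    """Enumerate loaded kernel modules by walking nt!PsLoadedModuleList.

    ``InLoadOrderLinks`` is followed from the list head and every
    ``nt!_LDR_DATA_TABLE_ENTRY`` accepted by ``DriverInfo.init2`` is appended
    in list order.  An entry whose ``InLoadOrderLinks`` lies at the head
    address itself is the list head rather than a module and is skipped
    (presumably typedVarList can yield it when the link is at offset 0).

    Returns:
        list of DriverInfo; partial (possibly empty) if an exception was
        raised, in which case the traceback is printed.
    """
    driverlist = []
    try:
        head = pykd.getOffset('nt!PsLoadedModuleList')
        for entry in pykd.typedVarList(head, 'nt!_LDR_DATA_TABLE_ENTRY', 'InLoadOrderLinks'):
            if int(entry.InLoadOrderLinks) == head:
                continue
            info = DriverInfo()
            if info.init2(entry):
                driverlist.append(info)
    except Exception:
        print(traceback.format_exc())
    # NOTE(review): no return is visible in the collapsed source; returning
    # the list is the evident intent -- confirm against the full file.
    return driverlist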
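def listDriverByPsLoadedModuleList():
    """Enumerate loaded kernel modules by walking nt!PsLoadedModuleList.

    ``InLoadOrderLinks`` is followed from the list head and every
    ``nt!_LDR_DATA_TABLE_ENTRY`` accepted by ``DriverInfo.init2`` is appended
    in list order.  An entry whose ``InLoadOrderLinks`` lies at the head
    address itself is the list head rather than a module and is skipped
    (presumably typedVarList can yield it when the link is at offset 0).

    Returns:
        list of DriverInfo; partial (possibly empty) if an exception was
        raised, in which case the traceback is printed.
    """
    driverlist = []
    try:
        head = pykd.getOffset('nt!PsLoadedModuleList')
        for entry in pykd.typedVarList(head, 'nt!_LDR_DATA_TABLE_ENTRY', 'InLoadOrderLinks'):
            if int(entry.InLoadOrderLinks) == head:
                continue
            info = DriverInfo()
            if info.init2(entry):
                driverlist.append(info)
    except Exception:
        print(traceback.format_exc())
    # NOTE(review): no return is visible in the collapsed source; returning
    # the list is the evident intent -- confirm against the full file.
    return driverlist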
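def listModuleByLdrList(eprocessaddr):
    """Collect the loaded modules of a process from its three PEB Ldr lists.

    The debugger context is switched to the process (``.process /P <addr>``
    followed by ``.reload``), then ``InLoadOrderModuleList``,
    ``InMemoryOrderModuleList`` and ``InInitializationOrderModuleList`` of
    ``PEB.Ldr`` are each walked with ``pykd.typedVarList``.  Entries are keyed
    by their ``_LDR_DATA_TABLE_ENTRY`` address, so a module reachable from
    several lists is recorded once while an entry present in only one of them
    is still collected (presumably why all three lists are walked).

    Unlike the original, entries of a list that was walked successfully are
    kept even if a later list raises.

    Args:
        eprocessaddr: address of the target ``nt!_EPROCESS`` (int).

    Returns:
        dict mapping ``_LDR_DATA_TABLE_ENTRY`` address (int) to ModuleInfo;
        empty when ``Peb`` is 0, partial when an exception interrupted the
        walk (the traceback is printed in that case).
    """
    modulelist = {}
    # (head field in _PEB_LDR_DATA, link field in _LDR_DATA_TABLE_ENTRY).
    ldr_lists = (
        ("InLoadOrderModuleList", "InLoadOrderLinks"),
        ("InMemoryOrderModuleList", "InMemoryOrderLinks"),
        ("InInitializationOrderModuleList", "InInitializationOrderLinks"),
    )
    try:
        # %x only accepts an integer, so the argument cannot alter the command.
        pykd.dbgCommand(".process /P %x;.reload;" % eprocessaddr)
        eprocessobj = pykd.typedVar("nt!_EPROCESS", eprocessaddr)
        if int(eprocessobj.Peb) == 0:
            print("peb is 0")
            return modulelist
        ldr = eprocessobj.Peb.Ldr
        for head_field, link_field in ldr_lists:
            head = int(getattr(ldr, head_field))
            for ldr_entry in pykd.typedVarList(head, "nt!_LDR_DATA_TABLE_ENTRY", link_field):
                addr = int(ldr_entry)
                if addr in modulelist:
                    continue
                info = ModuleInfo()
                if info.init1(ldr_entry):
                    modulelist[addr] = info
    except Exception:
        print(traceback.format_exc())
    # NOTE(review): the collapsed source shows no return statement; returning
    # the collected map is the evident intent -- confirm against the full file.
    return modulelist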
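import pykd

# Parsing the ProcessList with pykd: walk nt!PsActiveProcessHead through
# ActiveProcessLinks and print each EPROCESS's ImageFileName.
if __name__ == "__main__":
    if not pykd.isWindbgExt():
        print("Script cannot be launched outside Windbg")
        # quit() is a site-module convenience that may be absent when the
        # interpreter is embedded; SystemExit needs no import.
        raise SystemExit(0)
    # pActiveProcessList = pykd.getOffset("nt!PsActiveProcessHead") -> slower than using module("nt")...
    pActiveProcessList = pykd.module("nt").PsActiveProcessHead
    processList = pykd.typedVarList(pActiveProcessList, "nt!_EPROCESS", "ActiveProcessLinks")
    for i, process in enumerate(processList):
        pykd.dprint("Process %d:" % i)
        name = pykd.loadCStr(process.ImageFileName)
        print(name)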
if __name__ == "__main__": if not pykd.isWindbgExt(): print("Script cannot be launched outside Windbg") quit(0) if len(sys.argv) < 2: print("Expecting process name as argument") quit(0) targetProcessName = sys.argv[1] pykd.dprintln("Target: " + targetProcessName) processList = pykd.typedVarList( pykd.module("nt").PsActiveProcessHead, "nt!_EPROCESS", "ActiveProcessLinks") for i, process in enumerate(processList): if pykd.loadCStr(process.ImageFileName) == targetProcessName: targetProcessList = pykd.module("nt").typedVar( "_LIST_ENTRY", process.ActiveProcessLinks) print("ActiveProcessLinks: 0x%08x" % process.ActiveProcessLinks) print(targetProcessList) #prevFlink = module("nt").typedVar("_LIST_ENTRY",targetProcessList.Blink) #nextBlink = module("nt").typedVar("_LIST_ENTRY",targetProcessList.Flink) print("prevFlink: 0x%08x" % pykd.ptrQWord(targetProcessList.Blink)) print("nextBlink: 0x%08x" % pykd.ptrQWord(targetProcessList.Flink + 8)) targetProcessBlink = targetProcessList.Blink