コード例 #1
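def listCmpCallback():
    """Print the registry (Cm) callback routines registered in the kernel.

    Reads ``nt!CmpCallBackCount`` pointer-sized slots starting at
    ``nt!CmpCallBackVector`` and prints each routine address together with
    the symbol pykd resolves for it.  Any failure is printed with its
    traceback instead of being raised, so a caller listing several tables
    keeps going.
    """
    try:
        vector = pykd.getOffset('nt!CmpCallBackVector')
        count = pykd.ptrPtr(pykd.getOffset('nt!CmpCallBackCount'))

        print('-' * 10 + 'CmpCallback' + '-' * 10)

        # Each slot holds a pointer whose low 3 bits are masked off before
        # use (presumably EX_FAST_REF-style reference bits -- confirm).
        # ~0x7 keeps every higher bit; the original literal
        # 0xffffffffffffff8 was only 60 bits wide and silently cleared
        # bits 60-63 of 64-bit kernel pointers.
        direct = is_2000() or pykd.is64bitSystem()
        for i in xrange(count):
            entry = pykd.ptrPtr(vector + i * g_mwordsize) & ~0x7
            if direct:
                funcaddr = entry
            else:
                # 32-bit post-2000: the slot points at a routine block whose
                # second pointer-sized field holds the routine address.
                funcaddr = pykd.ptrPtr(entry + g_mwordsize)
            # The 2000 branch used to resolve an undefined name ('source'),
            # which raised NameError; resolve the routine address instead.
            symbolname = pykd.findSymbol(funcaddr)
            print('routine:%x %s' % (funcaddr, symbolname))
    except Exception:
        print(traceback.format_exc())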
コード例 #2
 def testCtor(self):
     """A register can be constructed by name and by index."""
     accumulator = "rax" if pykd.is64bitSystem() else "eax"
     pykd.reg(accumulator)
     pykd.reg(0)
コード例 #3
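def listCreateProcess():
    """Print the registered process-creation notify routines.

    Walks ``nt!PspCreateProcessNotifyRoutine``; the number of used slots
    is ``nt!PspCreateProcessNotifyRoutineCount`` plus, when that symbol
    resolves, ``nt!PspCreateProcessNotifyRoutineExCount``.  Any error is
    printed with its traceback rather than raised.
    """
    try:
        print('-' * 10 + 'CreateProcess' + '-' * 10)
        notifyaddr = pykd.getOffset('nt!PspCreateProcessNotifyRoutine')
        count = pykd.ptrPtr(
            pykd.getOffset('nt!PspCreateProcessNotifyRoutineCount'))
        try:
            # Read the counter's *value*.  The original added the symbol's
            # address to count, which would walk far beyond the array.
            excount = pykd.ptrPtr(
                pykd.getOffset('nt!PspCreateProcessNotifyRoutineExCount'))
        except Exception:
            excount = 0  # symbol absent on older kernels: no Ex routines
        count += excount

        # Each slot holds a pointer whose low 3 bits are masked off before
        # use (presumably EX_FAST_REF-style reference bits -- confirm).
        # ~0x7 keeps every higher bit; the original literal
        # 0xffffffffffffff8 was only 60 bits wide and silently cleared
        # bits 60-63 of 64-bit kernel pointers.
        direct = is_2000() or pykd.is64bitSystem()
        for i in xrange(count):
            entry = pykd.ptrPtr(notifyaddr + i * g_mwordsize) & ~0x7
            if direct:
                funcaddr = entry
            else:
                # 32-bit post-2000: the slot points at a routine block whose
                # second pointer-sized field holds the routine address.
                funcaddr = pykd.ptrPtr(entry + g_mwordsize)
            # The 2000 branch used to resolve an undefined name ('source'),
            # which raised NameError; resolve the routine address instead.
            symbolname = pykd.findSymbol(funcaddr)
            print('routine:%x %s' % (funcaddr, symbolname))
    except Exception:
        print(traceback.format_exc())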
コード例 #4
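def listCreateProcess():
    """Print the registered process-creation notify routines.

    Walks ``nt!PspCreateProcessNotifyRoutine``; the number of used slots
    is ``nt!PspCreateProcessNotifyRoutineCount`` plus, when that symbol
    resolves, ``nt!PspCreateProcessNotifyRoutineExCount``.  Any error is
    printed with its traceback rather than raised.
    """
    try:
        print('-' * 10 + 'CreateProcess' + '-' * 10)
        notifyaddr = pykd.getOffset('nt!PspCreateProcessNotifyRoutine')
        count = pykd.ptrPtr(
            pykd.getOffset('nt!PspCreateProcessNotifyRoutineCount'))
        try:
            # Read the counter's *value*.  The original added the symbol's
            # address to count, which would walk far beyond the array.
            excount = pykd.ptrPtr(
                pykd.getOffset('nt!PspCreateProcessNotifyRoutineExCount'))
        except Exception:
            excount = 0  # symbol absent on older kernels: no Ex routines
        count += excount

        # Each slot holds a pointer whose low 3 bits are masked off before
        # use (presumably EX_FAST_REF-style reference bits -- confirm).
        # ~0x7 keeps every higher bit; the original literal
        # 0xffffffffffffff8 was only 60 bits wide and silently cleared
        # bits 60-63 of 64-bit kernel pointers.
        direct = is_2000() or pykd.is64bitSystem()
        for i in xrange(count):
            entry = pykd.ptrPtr(notifyaddr + i * g_mwordsize) & ~0x7
            if direct:
                funcaddr = entry
            else:
                # 32-bit post-2000: the slot points at a routine block whose
                # second pointer-sized field holds the routine address.
                funcaddr = pykd.ptrPtr(entry + g_mwordsize)
            # The 2000 branch used to resolve an undefined name ('source'),
            # which raised NameError; resolve the routine address instead.
            symbolname = pykd.findSymbol(funcaddr)
            print('routine:%x %s' % (funcaddr, symbolname))
    except Exception:
        print(traceback.format_exc())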
コード例 #5
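def listCmpCallback():
    """Print the registry (Cm) callback routines registered in the kernel.

    Reads ``nt!CmpCallBackCount`` pointer-sized slots starting at
    ``nt!CmpCallBackVector`` and prints each routine address together with
    the symbol pykd resolves for it.  Any failure is printed with its
    traceback instead of being raised, so a caller listing several tables
    keeps going.
    """
    try:
        vector = pykd.getOffset('nt!CmpCallBackVector')
        count = pykd.ptrPtr(pykd.getOffset('nt!CmpCallBackCount'))

        print('-' * 10 + 'CmpCallback' + '-' * 10)

        # Each slot holds a pointer whose low 3 bits are masked off before
        # use (presumably EX_FAST_REF-style reference bits -- confirm).
        # ~0x7 keeps every higher bit; the original literal
        # 0xffffffffffffff8 was only 60 bits wide and silently cleared
        # bits 60-63 of 64-bit kernel pointers.
        direct = is_2000() or pykd.is64bitSystem()
        for i in xrange(count):
            entry = pykd.ptrPtr(vector + i * g_mwordsize) & ~0x7
            if direct:
                funcaddr = entry
            else:
                # 32-bit post-2000: the slot points at a routine block whose
                # second pointer-sized field holds the routine address.
                funcaddr = pykd.ptrPtr(entry + g_mwordsize)
            # The 2000 branch used to resolve an undefined name ('source'),
            # which raised NameError; resolve the routine address instead.
            symbolname = pykd.findSymbol(funcaddr)
            print('routine:%x %s' % (funcaddr, symbolname))
    except Exception:
        print(traceback.format_exc())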
コード例 #6
ファイル: windbg.py プロジェクト: Alpha-10000/Volatility
    def is_valid_profile(self, profile):
        """Return True if *profile* matches the OS, bitness and version of the attached target."""
        ver = pykd.getSystemVersion()
        # Windows 8.1 reports build 9600 but the profile's minor version is 3.
        expected_minor = 3 if ver.buildNumber == 9600 else ver.win32Minor
        meta = profile.metadata

        if meta.get('os', 'Unknown').lower() != 'windows':
            return False
        expected_model = '64bit' if pykd.is64bitSystem() else '32bit'
        if meta.get('memory_model', '32bit') != expected_model:
            return False
        if meta.get('major', 0) != ver.win32Major:
            return False
        return meta.get('minor', 0) == expected_minor
コード例 #7
    def is_valid_profile(self, profile):
        """Return True if *profile* matches the OS, bitness and version of the attached target."""
        ver = pykd.getSystemVersion()
        # Windows 8.1 reports build 9600 but the profile's minor version is 3.
        expected_minor = 3 if ver.buildNumber == 9600 else ver.win32Minor
        meta = profile.metadata

        # Lazily evaluated so the checks short-circuit in the original order.
        checks = (
            lambda: meta.get('os', 'Unknown').lower() == 'windows',
            lambda: meta.get('memory_model', '32bit')
                    == ('64bit' if pykd.is64bitSystem() else '32bit'),
            lambda: meta.get('major', 0) == ver.win32Major,
            lambda: meta.get('minor', 0) == expected_minor,
        )
        return all(check() for check in checks)
コード例 #8
ファイル: regtest.py プロジェクト: RHongwei/pykd
    def testGPR(self):
        """cpuReg and reg must agree on the accumulator and the instruction pointer."""
        if pykd.is64bitSystem():
            names = ("rax", "rip")
        else:
            names = ("eax", "eip")

        for name in names:
            value = pykd.cpuReg(name)
            self.assertEqual(value, pykd.reg(name))
コード例 #9
 def testGpr(self):
     """Read every general-purpose register and the instruction pointer by name."""
     if pykd.is64bitSystem():
         prefix, ip_name = "r", "rip"
     else:
         prefix, ip_name = "e", "eip"

     for suffix in ("ax", "bx", "cx", "dx", "di", "si", "bp", "sp"):
         pykd.reg(prefix + suffix)
     pykd.reg(ip_name)
コード例 #10
ファイル: pykd_engine.py プロジェクト: HackerTool/shadow
def get_arch():
    """Return 'x86-64' when the target is 64-bit, otherwise 'x86'."""
    return 'x86-64' if pykd.is64bitSystem() else 'x86'
コード例 #11
def get_arch():
    """Return 'x86-64' when the target is 64-bit, otherwise 'x86'."""
    is_64bit = pykd.is64bitSystem()
    if not is_64bit:
        return 'x86'
    return 'x86-64'
コード例 #12
ファイル: network_op.py プロジェクト: x9090/pyInspector
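def _ip_str(word):
    """Render a 32-bit IPv4 address read from target memory as a dotted quad.

    Native byte order ('I') re-emits the bytes exactly as they sit in
    memory, which is the network order inet_ntoa expects.
    """
    return socket.inet_ntoa(struct.pack('I', word))


def _print_addr_objects(table, size, offsets):
    """Print one line per entry in every hash chain of tcpip!AddrObjTable.

    offsets: (next, local_ip, local_port, protocol, pid) byte offsets into
    an address object.  'next' links the entries of a chain and a null
    pointer ends it.  Header lines are printed by the caller.
    """
    next_off, ip_off, port_off, proto_off, pid_off = offsets
    for i in xrange(size):
        obj = pykd.ptrPtr(table + i * g_mwordsize)
        while obj != 0:
            # The IP and pid fields are 4 bytes wide (see the offset tables);
            # ptrDWord reads exactly that on both bitnesses, whereas the
            # pointer-sized ptrMWord read 8 bytes on x64 and could overflow
            # struct.pack('I').
            local_ip = pykd.ptrDWord(obj + ip_off)
            # Port is stored in network order; htons is its own inverse.
            local_port = socket.htons(pykd.ptrWord(obj + port_off))
            proto = pykd.ptrWord(obj + proto_off)
            pid = pykd.ptrDWord(obj + pid_off)
            print('%16s:%5d *.* %10s %d' % (
                _ip_str(local_ip), local_port, g_protocols.get(proto), pid))
            obj = pykd.ptrPtr(obj + next_off)


def _print_tcbs(table, size, offsets):
    """Print one line per TCB in every hash chain of tcpip!TCBTable.

    offsets: (next, remote_ip, local_ip, remote_port, local_port, pid)
    byte offsets into a TCB.  Header lines are printed by the caller.
    """
    next_off, rip_off, lip_off, rport_off, lport_off, pid_off = offsets
    for i in xrange(size):
        obj = pykd.ptrPtr(table + i * g_mwordsize)
        while obj != 0:
            remote_ip = pykd.ptrDWord(obj + rip_off)
            local_ip = pykd.ptrDWord(obj + lip_off)
            remote_port = socket.htons(pykd.ptrWord(obj + rport_off))
            local_port = socket.htons(pykd.ptrWord(obj + lport_off))
            pid = pykd.ptrDWord(obj + pid_off)
            print('%16s:%5d %16s:%5d  TCP %d' % (
                _ip_str(local_ip), local_port,
                _ip_str(remote_ip), remote_port, pid))
            obj = pykd.ptrPtr(obj + next_off)


def listSocket():
    """Print the open endpoints and TCP connections tracked by tcpip.sys.

    Supported on XP and 2003 only: other versions print 'no support'.
    The address-object table (tcpip!AddrObjTable) and the TCB hash table
    (tcpip!TCBTable) are walked with hard-coded, version-specific field
    offsets.  Errors are printed rather than raised.
    """
    try:
        pykd.dbgCommand('.reload tcpip.sys')
        if is_2000():
            print('no support')
        elif is_xp() or is_2003():
            addr_table = pykd.ptrPtr(pykd.getOffset('tcpip!AddrObjTable'))
            addr_table_size = pykd.ptrPtr(
                pykd.getOffset('tcpip!AddrObjTableSize'))
            print('=' * 20)
            print('AddrObjTable:%x AddrObjTableSize:%d' % (addr_table,
                                                           addr_table_size))
            # (next, local_ip, local_port, protocol, pid) field offsets.
            if pykd.is64bitSystem():
                addr_offsets = (0, 0x58, 0x5c, 0x5e, 0x238)
            elif is_xp():
                addr_offsets = (0, 0x2c, 0x30, 0x32, 0x148)
            else:  # 32-bit 2003
                addr_offsets = (0, 0x30, 0x34, 0x36, 0x14c)

            print('local remote protocol pid')
            _print_addr_objects(addr_table, addr_table_size, addr_offsets)

            print('=' * 20)

            tcb_table = pykd.ptrPtr(pykd.getOffset('tcpip!TCBTable'))
            max_hash_size = pykd.ptrPtr(
                pykd.getOffset('tcpip!MaxHashTableSize'))
            print('TCBTable:%x MaxHashTableSize:%d' % (tcb_table,
                                                       max_hash_size))

            # (next, remote_ip, local_ip, remote_port, local_port, pid).
            # NOTE(review): unlike the address-object offsets these are not
            # adjusted for 64-bit targets -- confirm they are correct there.
            tcb_offsets = (0, 0x0c, 0x10, 0x14, 0x16, 0x18)

            print('local remote protocol pid')
            _print_tcbs(tcb_table, max_hash_size, tcb_offsets)
        else:
            print('no support')

    except Exception as err:
        print(err)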
コード例 #13
ファイル: common.py プロジェクト: AlQalamX/pyInspector
import shutil

# Make sure a copy of the kernel image exists at kernelbasepath (defined
# earlier in this module).
# NOTE(review): this writes a file on the debugging host; confirm the
# destination is intended and g_kernelpath is trusted.
if not os.path.exists(kernelbasepath):
    shutil.copy(g_kernelpath, kernelbasepath)

# The current process as a typed nt!_EPROCESS.
g_currentprocess = pykd.typedVar("nt!_EPROCESS", pykd.getCurrentProcess())
print "current process:%x" % g_currentprocess.getAddress()
print "kernel:%s base:%x size:%x(%d)" % (g_kernelpath, g_kernelbase,
                                         g_kernelsize, g_kernelsize)
print pykd.getProcessorMode()

g_cpunumber = pykd.ptrMWord(pykd.getOffset("nt!KeNumberProcessors"))
print "cpunumber:", g_cpunumber
print platform.platform()

# Windows release name ("XP", "VISTA", ...) used by the is_*() helpers.
g_version = platform.win32_ver()[0]
# Pointer size of the target, in bytes.
g_mwordsize = 8 if pykd.is64bitSystem() else 4

print "\n\n" + "=" * 20


def is_xp():
    """Return True when the target's release name is "XP"."""
    return "XP" == g_version


def is_vista():
    """Return True when the target's release name is "VISTA"."""
    return "VISTA" == g_version
コード例 #14
 def testGetAddress(self):
     """On a 32-bit target, address 0x80000000 must compare equal to its 64-bit sign-extension."""
     if pykd.is64bitSystem():
         return
     tv = target.module.typedVar("structTest", 0x80000000)
     expected = 0xFFFFFFFF80000000
     self.assertEqual(expected, tv.getAddress())
     self.assertEqual(expected, tv)
コード例 #15
ファイル: network_op.py プロジェクト: AlQalamX/pyInspector
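def _ip_str(word):
    """Render a 32-bit IPv4 address read from target memory as a dotted quad.

    Native byte order ('I') re-emits the bytes exactly as they sit in
    memory, which is the network order inet_ntoa expects.
    """
    return socket.inet_ntoa(struct.pack('I', word))


def _print_addr_objects(table, size, offsets):
    """Print one line per entry in every hash chain of tcpip!AddrObjTable.

    offsets: (next, local_ip, local_port, protocol, pid) byte offsets into
    an address object.  'next' links the entries of a chain and a null
    pointer ends it.  Header lines are printed by the caller.
    """
    next_off, ip_off, port_off, proto_off, pid_off = offsets
    for i in xrange(size):
        obj = pykd.ptrPtr(table + i * g_mwordsize)
        while obj != 0:
            # The IP and pid fields are 4 bytes wide (see the offset tables);
            # ptrDWord reads exactly that on both bitnesses, whereas the
            # pointer-sized ptrMWord read 8 bytes on x64 and could overflow
            # struct.pack('I').
            local_ip = pykd.ptrDWord(obj + ip_off)
            # Port is stored in network order; htons is its own inverse.
            local_port = socket.htons(pykd.ptrWord(obj + port_off))
            proto = pykd.ptrWord(obj + proto_off)
            pid = pykd.ptrDWord(obj + pid_off)
            print('%16s:%5d *.* %10s %d' % (
                _ip_str(local_ip), local_port, g_protocols.get(proto), pid))
            obj = pykd.ptrPtr(obj + next_off)


def _print_tcbs(table, size, offsets):
    """Print one line per TCB in every hash chain of tcpip!TCBTable.

    offsets: (next, remote_ip, local_ip, remote_port, local_port, pid)
    byte offsets into a TCB.  Header lines are printed by the caller.
    """
    next_off, rip_off, lip_off, rport_off, lport_off, pid_off = offsets
    for i in xrange(size):
        obj = pykd.ptrPtr(table + i * g_mwordsize)
        while obj != 0:
            remote_ip = pykd.ptrDWord(obj + rip_off)
            local_ip = pykd.ptrDWord(obj + lip_off)
            remote_port = socket.htons(pykd.ptrWord(obj + rport_off))
            local_port = socket.htons(pykd.ptrWord(obj + lport_off))
            pid = pykd.ptrDWord(obj + pid_off)
            print('%16s:%5d %16s:%5d  TCP %d' % (
                _ip_str(local_ip), local_port,
                _ip_str(remote_ip), remote_port, pid))
            obj = pykd.ptrPtr(obj + next_off)


def listSocket():
    """Print the open endpoints and TCP connections tracked by tcpip.sys.

    Supported on XP and 2003 only: other versions print 'no support'.
    The address-object table (tcpip!AddrObjTable) and the TCB hash table
    (tcpip!TCBTable) are walked with hard-coded, version-specific field
    offsets.  Errors are printed rather than raised.
    """
    try:
        pykd.dbgCommand('.reload tcpip.sys')
        if is_2000():
            print('no support')
        elif is_xp() or is_2003():
            addr_table = pykd.ptrPtr(pykd.getOffset('tcpip!AddrObjTable'))
            addr_table_size = pykd.ptrPtr(
                pykd.getOffset('tcpip!AddrObjTableSize'))
            print('=' * 20)
            print('AddrObjTable:%x AddrObjTableSize:%d' % (addr_table,
                                                           addr_table_size))
            # (next, local_ip, local_port, protocol, pid) field offsets.
            if pykd.is64bitSystem():
                addr_offsets = (0, 0x58, 0x5c, 0x5e, 0x238)
            elif is_xp():
                addr_offsets = (0, 0x2c, 0x30, 0x32, 0x148)
            else:  # 32-bit 2003
                addr_offsets = (0, 0x30, 0x34, 0x36, 0x14c)

            print('local remote protocol pid')
            _print_addr_objects(addr_table, addr_table_size, addr_offsets)

            print('=' * 20)

            tcb_table = pykd.ptrPtr(pykd.getOffset('tcpip!TCBTable'))
            max_hash_size = pykd.ptrPtr(
                pykd.getOffset('tcpip!MaxHashTableSize'))
            print('TCBTable:%x MaxHashTableSize:%d' % (tcb_table,
                                                       max_hash_size))

            # (next, remote_ip, local_ip, remote_port, local_port, pid).
            # NOTE(review): unlike the address-object offsets these are not
            # adjusted for 64-bit targets -- confirm they are correct there.
            tcb_offsets = (0, 0x0c, 0x10, 0x14, 0x16, 0x18)

            print('local remote protocol pid')
            _print_tcbs(tcb_table, max_hash_size, tcb_offsets)
        else:
            print('no support')

    except Exception as err:
        print(err)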
コード例 #16
ファイル: common.py プロジェクト: x9090/pyInspector
# Where the kernel image is expected to live (the directory name suggests
# system32 -- confirm); it is copied there from g_kernelpath if missing.
# NOTE(review): this writes into a system directory of the debugging host;
# confirm the copy is intended and that g_kernelpath is trusted.
kernelbasepath = os.path.join(g_system32dir, imagename)
import shutil
if not os.path.exists(kernelbasepath):
    shutil.copy(g_kernelpath, kernelbasepath)

# The current process as a typed nt!_EPROCESS.
g_currentprocess = pykd.typedVar('nt!_EPROCESS', pykd.getCurrentProcess())
print 'current process:%x' % g_currentprocess.getAddress()
print 'kernel:%s base:%x size:%x(%d)' % (g_kernelpath, g_kernelbase,
                                         g_kernelsize, g_kernelsize)
print pykd.getProcessorMode()

g_cpunumber = pykd.ptrMWord(pykd.getOffset('nt!KeNumberProcessors'))
print 'cpunumber:', g_cpunumber
print platform.platform()

# Windows release name ('XP', 'VISTA', '2008', ...) used by the is_*() helpers.
g_version = platform.win32_ver()[0]
# Pointer size of the target, in bytes.
g_mwordsize = 8 if pykd.is64bitSystem() else 4

print '\n\n' + '=' * 20

def is_xp():
    """Return True when the target's release name is 'XP'."""
    return 'XP' == g_version

def is_vista():
    """Return True when the target's release name is 'VISTA'."""
    return 'VISTA' == g_version
    
def is_2008():
    """Return True when the target's release name is '2008'."""
    return '2008' == g_version