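def listCmpCallback():
    """Print the registry callback routines registered with the kernel.

    Reads nt!CmpCallBackVector / nt!CmpCallBackCount from the target and
    resolves every routine address to a symbol. Any failure is printed as a
    traceback instead of raised, so the listing is best-effort.
    """
    try:
        vector = pykd.getOffset('nt!CmpCallBackVector')
        count = pykd.ptrPtr(pykd.getOffset('nt!CmpCallBackCount'))
        print('-' * 10 + 'CmpCallback' + '-' * 10)
        for i in xrange(count):
            # Entries are EX_FAST_REF-style pointers whose low bits carry a
            # reference count, so clear them. ~0x7 keeps every high bit of a
            # 64-bit address; the old 0xffffffffffffff8 literal was one hex
            # digit short and silently dropped the top nibble on x64.
            # NOTE(review): x64 EX_FAST_REF reserves four low bits; the
            # original cleared three, which is kept here - confirm.
            entry = pykd.ptrPtr(vector + i * g_mwordsize) & ~0x7
            if is_2000() or pykd.is64bitSystem():
                funcaddr = entry
            else:
                # 32-bit XP and later: the entry points at a callback block
                # whose second word holds the routine address.
                funcaddr = pykd.ptrPtr(entry + g_mwordsize)
            # The Windows 2000 branch used to look up an undefined name
            # ('source'); the routine address is what should be resolved.
            print('routine:%x %s' % (funcaddr, pykd.findSymbol(funcaddr)))
    except Exception:
        print(traceback.format_exc())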
def testCtor(self):
    """Construct register objects by name (arch dependent) and by index 0."""
    accumulator = "rax" if pykd.is64bitSystem() else "eax"
    pykd.reg(accumulator)
    pykd.reg(0)
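def listCreateProcess():
    """Print the process-creation notify routines registered in the kernel.

    Walks nt!PspCreateProcessNotifyRoutine; the live entry count is
    nt!PspCreateProcessNotifyRoutineCount plus, where that symbol resolves,
    nt!PspCreateProcessNotifyRoutineExCount. Each routine address is resolved
    to a symbol. Failures are printed as a traceback rather than raised, so
    the listing is best-effort.
    """
    try:
        print('-' * 10 + 'CreateProcess' + '-' * 10)
        notifyaddr = pykd.getOffset('nt!PspCreateProcessNotifyRoutine')
        count = pykd.ptrPtr(pykd.getOffset('nt!PspCreateProcessNotifyRoutineCount'))
        try:
            # Read the counter's *value*; the original added the symbol's
            # address to count, turning the loop bound into a kernel address.
            excount = pykd.ptrPtr(pykd.getOffset('nt!PspCreateProcessNotifyRoutineExCount'))
        except Exception:
            # The Ex counter symbol does not resolve on every build; treat as 0.
            excount = 0
        count += excount
        for i in xrange(count):
            # Entries are EX_FAST_REF-style pointers whose low bits carry a
            # reference count, so clear them. ~0x7 keeps every high bit of a
            # 64-bit address; the old 0xffffffffffffff8 literal was one hex
            # digit short and silently dropped the top nibble on x64.
            # NOTE(review): x64 EX_FAST_REF reserves four low bits; the
            # original cleared three, which is kept here - confirm.
            entry = pykd.ptrPtr(notifyaddr + i * g_mwordsize) & ~0x7
            if is_2000() or pykd.is64bitSystem():
                funcaddr = entry
            else:
                # 32-bit XP and later: the entry points at a callback block
                # whose second word holds the routine address.
                funcaddr = pykd.ptrPtr(entry + g_mwordsize)
            # The Windows 2000 branch used to look up an undefined name
            # ('source'); the routine address is what should be resolved.
            print('routine:%x %s' % (funcaddr, pykd.findSymbol(funcaddr)))
    except Exception:
        print(traceback.format_exc())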
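def listCreateProcess():
    """Print the process-creation notify routines registered in the kernel.

    Walks nt!PspCreateProcessNotifyRoutine; the live entry count is
    nt!PspCreateProcessNotifyRoutineCount plus, where that symbol resolves,
    nt!PspCreateProcessNotifyRoutineExCount. Each routine address is resolved
    to a symbol. Failures are printed as a traceback rather than raised, so
    the listing is best-effort.
    """
    try:
        print('-' * 10 + 'CreateProcess' + '-' * 10)
        notifyaddr = pykd.getOffset('nt!PspCreateProcessNotifyRoutine')
        count = pykd.ptrPtr(pykd.getOffset('nt!PspCreateProcessNotifyRoutineCount'))
        try:
            # Read the counter's *value*; the original added the symbol's
            # address to count, turning the loop bound into a kernel address.
            excount = pykd.ptrPtr(pykd.getOffset('nt!PspCreateProcessNotifyRoutineExCount'))
        except Exception:
            # The Ex counter symbol does not resolve on every build; treat as 0.
            excount = 0
        count += excount
        for i in xrange(count):
            # Entries are EX_FAST_REF-style pointers whose low bits carry a
            # reference count, so clear them. ~0x7 keeps every high bit of a
            # 64-bit address; the old 0xffffffffffffff8 literal was one hex
            # digit short and silently dropped the top nibble on x64.
            # NOTE(review): x64 EX_FAST_REF reserves four low bits; the
            # original cleared three, which is kept here - confirm.
            entry = pykd.ptrPtr(notifyaddr + i * g_mwordsize) & ~0x7
            if is_2000() or pykd.is64bitSystem():
                funcaddr = entry
            else:
                # 32-bit XP and later: the entry points at a callback block
                # whose second word holds the routine address.
                funcaddr = pykd.ptrPtr(entry + g_mwordsize)
            # The Windows 2000 branch used to look up an undefined name
            # ('source'); the routine address is what should be resolved.
            print('routine:%x %s' % (funcaddr, pykd.findSymbol(funcaddr)))
    except Exception:
        print(traceback.format_exc())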
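def listCmpCallback():
    """Print the registry callback routines registered with the kernel.

    Reads nt!CmpCallBackVector / nt!CmpCallBackCount from the target and
    resolves every routine address to a symbol. Any failure is printed as a
    traceback instead of raised, so the listing is best-effort.
    """
    try:
        vector = pykd.getOffset('nt!CmpCallBackVector')
        count = pykd.ptrPtr(pykd.getOffset('nt!CmpCallBackCount'))
        print('-' * 10 + 'CmpCallback' + '-' * 10)
        for i in xrange(count):
            # Entries are EX_FAST_REF-style pointers whose low bits carry a
            # reference count, so clear them. ~0x7 keeps every high bit of a
            # 64-bit address; the old 0xffffffffffffff8 literal was one hex
            # digit short and silently dropped the top nibble on x64.
            # NOTE(review): x64 EX_FAST_REF reserves four low bits; the
            # original cleared three, which is kept here - confirm.
            entry = pykd.ptrPtr(vector + i * g_mwordsize) & ~0x7
            if is_2000() or pykd.is64bitSystem():
                funcaddr = entry
            else:
                # 32-bit XP and later: the entry points at a callback block
                # whose second word holds the routine address.
                funcaddr = pykd.ptrPtr(entry + g_mwordsize)
            # The Windows 2000 branch used to look up an undefined name
            # ('source'); the routine address is what should be resolved.
            print('routine:%x %s' % (funcaddr, pykd.findSymbol(funcaddr)))
    except Exception:
        print(traceback.format_exc())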
def is_valid_profile(self, profile):
    """Return True when *profile* matches the live target's OS, bitness and version.

    The comparison is against pykd.getSystemVersion() for the debuggee and
    pykd.is64bitSystem() for the memory model; metadata keys missing from the
    profile fall back to values that cannot match a Windows target.
    """
    ver = pykd.getSystemVersion()
    # Build 9600 is Windows 8.1, which the reported minor version does not
    # reflect on its own, so force minor = 3 for that build.
    target_minor = 3 if ver.buildNumber == 9600 else ver.win32Minor
    meta = profile.metadata
    if meta.get('os', 'Unknown').lower() != 'windows':
        return False
    expected_model = '64bit' if pykd.is64bitSystem() else '32bit'
    if meta.get('memory_model', '32bit') != expected_model:
        return False
    if meta.get('major', 0) != ver.win32Major:
        return False
    return meta.get('minor', 0) == target_minor
def testGPR(self):
    """cpuReg() and reg() must agree for the accumulator and instruction pointer."""
    if pykd.is64bitSystem():
        names = ("rax", "rip")
    else:
        names = ("eax", "eip")
    for name in names:
        via_cpu = pykd.cpuReg(name)
        self.assertEqual(via_cpu, pykd.reg(name))
def testGpr(self):
    """Read every general-purpose register of the target by name."""
    if pykd.is64bitSystem():
        names = ("rax", "rbx", "rcx", "rdx", "rdi", "rsi", "rbp", "rsp", "rip")
    else:
        names = ("eax", "ebx", "ecx", "edx", "edi", "esi", "ebp", "esp", "eip")
    for name in names:
        pykd.reg(name)
def get_arch():
    """Return the target architecture name: 'x86-64' for a 64-bit system, else 'x86'."""
    return 'x86-64' if pykd.is64bitSystem() else 'x86'
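def _ip_to_str(raw):
    """Format an IPv4 address read from target memory as a dotted quad.

    The address sits in memory in network byte order and was read as a
    little-endian integer, so packing it back little-endian restores the
    original bytes. Masking to 32 bits guards against ptrMWord having read a
    full 8-byte word on a 64-bit target.
    """
    return socket.inet_ntoa(struct.pack('<I', raw & 0xffffffff))


def _list_addr_objects():
    """Print every bound local endpoint found in tcpip!AddrObjTable."""
    table = pykd.ptrPtr(pykd.getOffset('tcpip!AddrObjTable'))
    size = pykd.ptrPtr(pykd.getOffset('tcpip!AddrObjTableSize'))
    print('=' * 20)
    print('AddrObjTable:%x AddrObjTableSize:%d' % (table, size))
    # Field offsets inside an AddrObj (local IP: 4 bytes, port: 2, protocol: 2,
    # pid: 4). They are hard-coded, not derived from symbols, so they are only
    # trustworthy for the XP/2003 builds the author laid them out for.
    if pykd.is64bitSystem():
        ip_off, port_off, proto_off, pid_off = 0x58, 0x5c, 0x5e, 0x238
    elif is_xp():
        ip_off, port_off, proto_off, pid_off = 0x2c, 0x30, 0x32, 0x148
    else:
        # Only reached for 2003 (the caller checks is_xp() or is_2003()).
        ip_off, port_off, proto_off, pid_off = 0x30, 0x34, 0x36, 0x14c
    next_off = 0  # the Next link is the first field in every layout above
    print('local remote protocol pid')
    for i in xrange(size):
        obj = pykd.ptrPtr(table + i * g_mwordsize)
        seen = set()
        # A looped or damaged chain would otherwise hang the debugger.
        while obj != 0 and obj not in seen:
            seen.add(obj)
            local_ip = pykd.ptrMWord(obj + ip_off)
            # Ports are stored in network order; htons swaps the bytes back.
            local_port = socket.htons(pykd.ptrWord(obj + port_off))
            proto = pykd.ptrWord(obj + proto_off)
            # The pid field is 4 bytes; mask off anything an 8-byte read added.
            pid = pykd.ptrMWord(obj + pid_off) & 0xffffffff
            # Unknown protocol numbers are shown raw instead of as None.
            proto = g_protocols.get(proto, proto)
            print('%16s:%5d *.* %10s %d' % (_ip_to_str(local_ip), local_port, proto, pid))
            obj = pykd.ptrPtr(obj + next_off)


def _list_tcbs():
    """Print every TCP control block found in tcpip!TCBTable."""
    table = pykd.ptrPtr(pykd.getOffset('tcpip!TCBTable'))
    size = pykd.ptrPtr(pykd.getOffset('tcpip!MaxHashTableSize'))
    print('=' * 20)
    print('TCBTable:%x MaxHashTableSize:%d' % (table, size))
    # TCB field offsets (same build-specific caveat as the AddrObj offsets).
    next_off = 0
    remote_ip_off, local_ip_off = 0x0c, 0x10
    remote_port_off, local_port_off = 0x14, 0x16
    pid_off = 0x18
    print('local remote protocol pid')
    for i in xrange(size):
        obj = pykd.ptrPtr(table + i * g_mwordsize)
        seen = set()
        # A looped or damaged chain would otherwise hang the debugger.
        while obj != 0 and obj not in seen:
            seen.add(obj)
            remote_ip = pykd.ptrMWord(obj + remote_ip_off)
            local_ip = pykd.ptrMWord(obj + local_ip_off)
            remote_port = socket.htons(pykd.ptrWord(obj + remote_port_off))
            local_port = socket.htons(pykd.ptrWord(obj + local_port_off))
            pid = pykd.ptrMWord(obj + pid_off) & 0xffffffff
            print('%16s:%5d %16s:%5d TCP %d' % (
                _ip_to_str(local_ip), local_port,
                _ip_to_str(remote_ip), remote_port, pid))
            obj = pykd.ptrPtr(obj + next_off)


def listSocket():
    """Print the local endpoints and TCP connections of the debug target.

    Reloads tcpip.sys symbols, then walks the AddrObj and TCB tables. Only
    Windows XP and 2003 layouts are known; other releases print 'no support'.
    Failures are printed as a traceback rather than raised (best-effort).
    """
    try:
        pykd.dbgCommand('.reload tcpip.sys')
        if is_xp() or is_2003():
            _list_addr_objects()
            _list_tcbs()
        else:
            print('no support')
    except Exception:
        print(traceback.format_exc())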
import shutil

# Copy the kernel image to kernelbasepath (built just above this point) unless
# a copy is already there.
if not os.path.exists(kernelbasepath):
    shutil.copy(g_kernelpath, kernelbasepath)

# Session banner: current process, kernel image, processor mode.
g_currentprocess = pykd.typedVar("nt!_EPROCESS", pykd.getCurrentProcess())
print("current process:%x" % g_currentprocess.getAddress())
print("kernel:%s base:%x size:%x(%d)"
      % (g_kernelpath, g_kernelbase, g_kernelsize, g_kernelsize))
print(pykd.getProcessorMode())

# NOTE(review): nt!KeNumberProcessors is, as far as I know, a single-byte
# variable; a machine-word read also picks up neighbouring bytes - confirm and
# narrow the read if the printed count looks wrong.
g_cpunumber = pykd.ptrMWord(pykd.getOffset("nt!KeNumberProcessors"))
print("cpunumber: %s" % g_cpunumber)
print(platform.platform())

# NOTE(review): platform.win32_ver() describes the debugger *host*, which only
# equals the target under local kernel debugging, yet the is_*() predicates
# below compare against it. Also check the release strings it returns (e.g.
# 'Vista') against the literals compared here - a case mismatch makes a
# predicate always False.
g_version = platform.win32_ver()[0]

# Machine-word size of the target, used for all pointer arithmetic.
g_mwordsize = 8 if pykd.is64bitSystem() else 4

print("")
print("")
print("=" * 20)


def is_xp():
    """True when the detected Windows release string is "XP"."""
    return g_version == "XP"


def is_vista():
    """True when the detected Windows release string is "VISTA"."""
    return g_version == "VISTA"
def testGetAddress(self):
    """On a 32-bit target a typed var at 0x80000000 reports a sign-extended address."""
    if pykd.is64bitSystem():
        return
    tv = target.module.typedVar("structTest", 0x80000000)
    expected = 0xFFFFFFFF80000000
    self.assertEqual(expected, tv.getAddress())
    self.assertEqual(expected, tv)
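def _ip_to_str(raw):
    """Format an IPv4 address read from target memory as a dotted quad.

    The address sits in memory in network byte order and was read as a
    little-endian integer, so packing it back little-endian restores the
    original bytes. Masking to 32 bits guards against ptrMWord having read a
    full 8-byte word on a 64-bit target.
    """
    return socket.inet_ntoa(struct.pack('<I', raw & 0xffffffff))


def _list_addr_objects():
    """Print every bound local endpoint found in tcpip!AddrObjTable."""
    table = pykd.ptrPtr(pykd.getOffset('tcpip!AddrObjTable'))
    size = pykd.ptrPtr(pykd.getOffset('tcpip!AddrObjTableSize'))
    print('=' * 20)
    print('AddrObjTable:%x AddrObjTableSize:%d' % (table, size))
    # Field offsets inside an AddrObj (local IP: 4 bytes, port: 2, protocol: 2,
    # pid: 4). They are hard-coded, not derived from symbols, so they are only
    # trustworthy for the XP/2003 builds the author laid them out for.
    if pykd.is64bitSystem():
        ip_off, port_off, proto_off, pid_off = 0x58, 0x5c, 0x5e, 0x238
    elif is_xp():
        ip_off, port_off, proto_off, pid_off = 0x2c, 0x30, 0x32, 0x148
    else:
        # Only reached for 2003 (the caller checks is_xp() or is_2003()).
        ip_off, port_off, proto_off, pid_off = 0x30, 0x34, 0x36, 0x14c
    next_off = 0  # the Next link is the first field in every layout above
    print('local remote protocol pid')
    for i in xrange(size):
        obj = pykd.ptrPtr(table + i * g_mwordsize)
        seen = set()
        # A looped or damaged chain would otherwise hang the debugger.
        while obj != 0 and obj not in seen:
            seen.add(obj)
            local_ip = pykd.ptrMWord(obj + ip_off)
            # Ports are stored in network order; htons swaps the bytes back.
            local_port = socket.htons(pykd.ptrWord(obj + port_off))
            proto = pykd.ptrWord(obj + proto_off)
            # The pid field is 4 bytes; mask off anything an 8-byte read added.
            pid = pykd.ptrMWord(obj + pid_off) & 0xffffffff
            # Unknown protocol numbers are shown raw instead of as None.
            proto = g_protocols.get(proto, proto)
            print('%16s:%5d *.* %10s %d' % (_ip_to_str(local_ip), local_port, proto, pid))
            obj = pykd.ptrPtr(obj + next_off)


def _list_tcbs():
    """Print every TCP control block found in tcpip!TCBTable."""
    table = pykd.ptrPtr(pykd.getOffset('tcpip!TCBTable'))
    size = pykd.ptrPtr(pykd.getOffset('tcpip!MaxHashTableSize'))
    print('=' * 20)
    print('TCBTable:%x MaxHashTableSize:%d' % (table, size))
    # TCB field offsets (same build-specific caveat as the AddrObj offsets).
    next_off = 0
    remote_ip_off, local_ip_off = 0x0c, 0x10
    remote_port_off, local_port_off = 0x14, 0x16
    pid_off = 0x18
    print('local remote protocol pid')
    for i in xrange(size):
        obj = pykd.ptrPtr(table + i * g_mwordsize)
        seen = set()
        # A looped or damaged chain would otherwise hang the debugger.
        while obj != 0 and obj not in seen:
            seen.add(obj)
            remote_ip = pykd.ptrMWord(obj + remote_ip_off)
            local_ip = pykd.ptrMWord(obj + local_ip_off)
            remote_port = socket.htons(pykd.ptrWord(obj + remote_port_off))
            local_port = socket.htons(pykd.ptrWord(obj + local_port_off))
            pid = pykd.ptrMWord(obj + pid_off) & 0xffffffff
            print('%16s:%5d %16s:%5d TCP %d' % (
                _ip_to_str(local_ip), local_port,
                _ip_to_str(remote_ip), remote_port, pid))
            obj = pykd.ptrPtr(obj + next_off)


def listSocket():
    """Print the local endpoints and TCP connections of the debug target.

    Reloads tcpip.sys symbols, then walks the AddrObj and TCB tables. Only
    Windows XP and 2003 layouts are known; other releases print 'no support'.
    Failures are printed as a traceback rather than raised (best-effort).
    """
    try:
        pykd.dbgCommand('.reload tcpip.sys')
        if is_xp() or is_2003():
            _list_addr_objects()
            _list_tcbs()
        else:
            print('no support')
    except Exception:
        print(traceback.format_exc())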
# Where the kernel image copy lives: <system32 dir>/<kernel image name>.
kernelbasepath = os.path.join(g_system32dir, imagename)
import shutil

# Copy the kernel image there unless a copy already exists.
if not os.path.exists(kernelbasepath):
    shutil.copy(g_kernelpath, kernelbasepath)

# Session banner: current process, kernel image, processor mode.
g_currentprocess = pykd.typedVar('nt!_EPROCESS', pykd.getCurrentProcess())
print('current process:%x' % g_currentprocess.getAddress())
print('kernel:%s base:%x size:%x(%d)'
      % (g_kernelpath, g_kernelbase, g_kernelsize, g_kernelsize))
print(pykd.getProcessorMode())

# NOTE(review): nt!KeNumberProcessors is, as far as I know, a single-byte
# variable; a machine-word read also picks up neighbouring bytes - confirm and
# narrow the read if the printed count looks wrong.
g_cpunumber = pykd.ptrMWord(pykd.getOffset('nt!KeNumberProcessors'))
print('cpunumber: %s' % g_cpunumber)
print(platform.platform())

# NOTE(review): platform.win32_ver() describes the debugger *host*, which only
# equals the target under local kernel debugging, yet the is_*() predicates
# below compare against it. Also check the release strings it returns (e.g.
# 'Vista') against the literals compared here - a case mismatch makes a
# predicate always False.
g_version = platform.win32_ver()[0]

# Machine-word size of the target, used for all pointer arithmetic.
g_mwordsize = 8 if pykd.is64bitSystem() else 4

print('')
print('')
print('=' * 20)


def is_xp():
    """True when the detected Windows release string is 'XP'."""
    return g_version == 'XP'


def is_vista():
    """True when the detected Windows release string is 'VISTA'."""
    return g_version == 'VISTA'


def is_2008():
    """True when the detected Windows release string is '2008'."""
    return g_version == '2008'