def typedVarList(va, typename, flink):
    """Walk the module list anchored at *va* and return up to 10 entries.

    NOTE(review): this definition is shadowed by the second ``typedVarList``
    defined later in this file, so it is dead code.  Its x64 offsets are the
    ``0x0000`` placeholders the TODO below refers to; the later definition
    carries the real ones.

    Args:
        va: address of a ``_LDR_DATA_TABLE_ENTRY`` (coerced with ``int``).
        typename: only ``"ntdll!_LDR_DATA_TABLE_ENTRY"`` is handled.
        flink: only ``"InMemoryOrderLinks.Flink"`` is handled.

    Returns:
        A list of ``typeStruct("_LDR_DATA_TABLE_ENTRY", ...)`` objects, each
        with a ``BaseDllName`` ``UNICODE_STRING`` attached.  Any other
        (typename, flink) pair goes to ``notImplemented()``; the function
        then returns ``None`` unless that helper raises.
    """
    if typename == "ntdll!_LDR_DATA_TABLE_ENTRY" and flink == "InMemoryOrderLinks.Flink":
        # TODO: fill in x64 offsets
        # archValue(x86, x64): the second argument is still a placeholder here.
        va = script.ReadPtr(int(va) + archValue(0x0008, 0x0000))
        result = []
        # Stop on a NULL link or after 10 entries, bounding the walk on a bad list.
        while va != 0 and len(result) < 10:
            entry = typeStruct("_LDR_DATA_TABLE_ENTRY", va)
            entry.BaseDllName = typeStruct("UNICODE_STRING", va + archValue(0x001c, 0x0000))
            result.append(entry)
            # Next link: the pointer-sized value at va (presumably LIST_ENTRY.Flink).
            va = script.ReadPtr(va)
            pass
        return result
    else:
        notImplemented()
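def typedVarList(va, typename, flink):
    """Walk the InMemoryOrder module list anchored at *va* and return its entries.

    Only ``typename == "ntdll!_LDR_DATA_TABLE_ENTRY"`` together with
    ``flink == "InMemoryOrderLinks.Flink"`` is supported; any other pair is
    routed to ``notImplemented()`` (the function then returns ``None`` unless
    that helper raises).

    Args:
        va: address of the ``_LDR_DATA_TABLE_ENTRY`` that anchors the list
            (coerced with ``int``, as ``loadUnicodeString`` does).
        typename: symbol name of the list element type.
        flink: name of the ``LIST_ENTRY.Flink`` member used to traverse.

    Returns:
        A list of at most 50 ``typeStruct("_LDR_DATA_TABLE_ENTRY", ...)``
        objects, each with a ``BaseDllName`` attribute holding a
        ``UNICODE_STRING`` view.  The attribute actually points at
        ``FullDllName`` (offset 0x1c/0x38 from the list link); the name is
        kept because existing callers read ``BaseDllName``.

    Raises:
        DbgException: if a NULL Flink is met before the list wraps around.
    """
    if typename == "ntdll!_LDR_DATA_TABLE_ENTRY" and flink == "InMemoryOrderLinks.Flink":
        # Address of the anchor's InMemoryOrderLinks (x86 +0x08, x64 +0x10).
        # The list is circular, so reaching this address again ends the walk.
        start = int(va) + archValue(0x0008, 0x0010)
        va = script.ReadPtr(start)
        result = []
        # The 50-entry cap bounds the walk on a corrupted list that never
        # returns to *start*.
        while va != start and len(result) < 50:
            if va == 0:
                # A NULL link inside a circular list means the debuggee's
                # memory is corrupt; report it instead of dereferencing 0.
                raise DbgException("Corrupted InMemoryOrderLinks list")
            # Flink points at the next entry's InMemoryOrderLinks, not at the
            # entry start, so the offsets below are relative to that link.
            entry = typeStruct("_LDR_DATA_TABLE_ENTRY", va)
            # This is actually _LDR_DATA_TABLE_ENTRY.FullDllName
            entry.BaseDllName = typeStruct("UNICODE_STRING", va + archValue(0x001c, 0x0038))
            result.append(entry)
            # Advance via the pointer-sized Flink stored at va.
            va = script.ReadPtr(va)
        return result
    else:
        notImplemented()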
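def loadUnicodeString(va):
    """Read a ``UNICODE_STRING`` at *va* and return its text as unicode.

    Layout (see the MSDN link below): USHORT Length, USHORT MaximumLength,
    then the WCHAR* Buffer - on x64 the pointer is 8-byte aligned, hence the
    extra 4 bytes skipped before it.

    Args:
        va: address of the structure (anything ``int()`` accepts).

    Returns:
        The buffer decoded as UTF-16LE with trailing NULs stripped.  Invalid
        code units are replaced rather than raised on, since the source is
        debuggee memory that may be partially overwritten.

    Raises:
        DbgException: if the header is inconsistent (Length > MaximumLength
        or an odd byte Length) or Buffer is not a valid pointer.
    """
    va = int(va)
    # https://msdn.microsoft.com/en-us/library/windows/desktop/aa380518(v=vs.85).aspx
    Length = script.ReadWord(va)
    va += 2
    MaximumLength = script.ReadWord(va)
    va += 2
    if is64bitSystem():
        va += 4  # padding before the 8-byte-aligned Buffer pointer on x64
    Buffer = script.ReadPtr(va)
    # Length counts bytes of WCHARs, so it must be even; an odd value used to
    # surface as a ValueError from array.fromstring instead of DbgException.
    # NOTE(review): a zero-length string with a NULL Buffer is rejected here
    # as well - confirm IsValidPtr(0) is the intended outcome for callers.
    if Length > MaximumLength or Length % 2 or not script.IsValidPtr(Buffer):
        raise DbgException("Corrupted UNICODE_STRING structure")
    raw = script.Read(Buffer, Length)
    # Decode explicitly instead of array('u'): that typecode is wchar_t-sized
    # (4 bytes off Windows) and array.fromstring was removed in Python 3.9.
    # Assumes script.Read returns a byte string (it was fed to fromstring).
    return bytes(raw).decode("utf-16-le", "replace").rstrip(u'\0')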
def ptrPtr(va):
    """Dereference *va* as a pointer-sized value through the debugger.

    Args:
        va: address to read.

    Returns:
        Whatever ``script.ReadPtr`` yields for that address.
    """
    target = script.ReadPtr(va)
    return target