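def execute(self):
    """Print the kernel's table of unloaded drivers from the memory image.

    The XP SP2 vtypes are patched in place so that ``_KDDEBUGGER_DATA64``
    gains the ``MmUnloadedDrivers`` and ``MmLastUnloadedDriver`` members,
    the debugger data block is located in the image, and then
    ``drv_count`` fixed-size ``_UNLOADED_MODULE`` entries are walked and
    printed as name, start address, end address and unload timestamp.

    Returns:
        0 when the debugger data block cannot be found in the image;
        otherwise None after the listing has been printed.
    """
    from vtypes import xpsp2types

    # NOTE: this mutates the shared module-level type table, so every later
    # user of xpsp2types in this process also sees the two extra members.
    xpsp2types['_KDDEBUGGER_DATA64'][1]['MmUnloadedDrivers'] = [0x220, ['unsigned long long']]
    xpsp2types['_KDDEBUGGER_DATA64'][1]['MmLastUnloadedDriver'] = [0x228, ['unsigned long long']]

    profile = Profile()
    profile.add_types(unloaded_mod_types)

    addr_space, _symtab, types = load_and_identify_image(self.op, self.opts)
    KdDebuggerDataBlock = find_kddebuggerdatablock(addr_space, types)
    if not KdDebuggerDataBlock:
        return 0

    # The data block itself is read with a fresh default profile; the types
    # added to `profile` above are only needed for the _UNLOADED_MODULE
    # entries further down.
    dbg_block = Object("_KDDEBUGGER_DATA64", KdDebuggerDataBlock, addr_space, profile=Profile())

    # The two data-block members hold the *addresses* of the kernel
    # variables, so each is dereferenced once more to get the actual value.
    drv_list_addr = Object('unsigned long', dbg_block.MmUnloadedDrivers, addr_space, profile=profile).v()
    drv_count = Object('unsigned long', dbg_block.MmLastUnloadedDriver, addr_space, profile=profile).v()

    print("%-20s %-10s %-10s %s" % ("Name", "Start", "End", "Timestamp"))

    # Both the array base and the entry count come straight from the image,
    # so a corrupted image can drive an arbitrarily long walk here.
    # TODO(review): consider a sanity cap on drv_count.
    i = 0
    while i < drv_count:
        # 0x18 is the hard-coded size of one _UNLOADED_MODULE entry.
        drv = Object('_UNLOADED_MODULE', drv_list_addr + (i * 0x18), addr_space, profile=profile)
        ts_win = drv.Timestamp.HighPart << 32 | drv.Timestamp.LowPart
        ts_unix = windows_to_unix_time(ts_win)
        # A garbage timestamp in one entry used to abort the whole listing;
        # show the raw value for that entry instead of crashing.
        try:
            ts_text = ctime(ts_unix)
        except (ValueError, OverflowError, OSError):
            ts_text = "<invalid timestamp %r>" % (ts_unix,)
        print("%-20s %#08x %#08x %s" % (drv.Name.Buffer, drv.Start.v(), drv.End.v(), ts_text))
        i += 1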
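def execute(self):
    """Print the kernel's table of unloaded drivers from the memory image.

    Extends the XP SP2 ``_KDDEBUGGER_DATA64`` vtype with the
    ``MmUnloadedDrivers`` / ``MmLastUnloadedDriver`` members, finds the
    debugger data block in the image and walks ``drv_count`` fixed-size
    ``_UNLOADED_MODULE`` entries, printing name, start/end address and the
    unload timestamp of each.

    Returns:
        0 when no debugger data block is found; otherwise None once the
        listing has been printed.
    """
    from vtypes import xpsp2types

    # NOTE: in-place edit of the shared module-level type table -- visible
    # to every later user of xpsp2types in this process.
    kd_members = xpsp2types['_KDDEBUGGER_DATA64'][1]
    kd_members['MmUnloadedDrivers'] = [0x220, ['unsigned long long']]
    kd_members['MmLastUnloadedDriver'] = [0x228, ['unsigned long long']]

    profile = Profile()
    profile.add_types(unloaded_mod_types)

    addr_space, _symtab, types = load_and_identify_image(self.op, self.opts)
    KdDebuggerDataBlock = find_kddebuggerdatablock(addr_space, types)
    if not KdDebuggerDataBlock:
        return 0

    # A plain default profile is enough for the data block; `profile` (with
    # the unloaded-module types) is only needed for the entries below.
    dbg_block = Object("_KDDEBUGGER_DATA64", KdDebuggerDataBlock, addr_space, profile=Profile())

    def read_ulong(address):
        # The data-block members are addresses of kernel variables, so the
        # value has to be read from that address.
        return Object('unsigned long', address, addr_space, profile=profile).v()

    drv_list_addr = read_ulong(dbg_block.MmUnloadedDrivers)
    drv_count = read_ulong(dbg_block.MmLastUnloadedDriver)

    def format_timestamp(ts_unix):
        # One corrupt timestamp should not abort the whole listing; fall
        # back to the raw value for that entry.
        try:
            return ctime(ts_unix)
        except (ValueError, OverflowError, OSError):
            return "<invalid timestamp %r>" % (ts_unix,)

    print("%-20s %-10s %-10s %s" % ("Name", "Start", "End", "Timestamp"))

    # drv_count is image-derived and unbounded here; a corrupted image can
    # make this walk very long.  TODO(review): consider a sanity cap.
    idx = 0
    while idx < drv_count:
        # 0x18 is the hard-coded size of one _UNLOADED_MODULE entry.
        entry_addr = drv_list_addr + (idx * 0x18)
        drv = Object('_UNLOADED_MODULE', entry_addr, addr_space, profile=profile)
        ts_win = drv.Timestamp.HighPart << 32 | drv.Timestamp.LowPart
        ts_text = format_timestamp(windows_to_unix_time(ts_win))
        print("%-20s %#08x %#08x %s" % (drv.Name.Buffer, drv.Start.v(), drv.End.v(), ts_text))
        idx += 1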
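def dd_to_crash(addr_space, types, symbol_table, opts):
    """Convert a raw (dd-style) memory image into a Windows crash dump file.

    The module-level ``dump_hdr`` template is filled with the kernel globals
    located in the image (directory table base, PsActiveProcessHead, ...),
    the whole image is described as a single physical-memory run, the header
    is written to ``opts.outfile`` and the image is then appended to it one
    0x1000-byte chunk at a time.

    Args:
        addr_space: address space over the raw image; ``pgd_vaddr`` and
            ``pae`` are read from it.
        types: vtype table handed to the ``find_*`` / ``write_*_phys`` helpers.
        symbol_table: unused; kept so the signature stays compatible.
        opts: carries ``outfile`` (dump to write) and ``filename`` (raw image).

    Returns:
        None.
    """
    outfile = opts.outfile
    filename = opts.filename

    DirectoryTableBaseValue = addr_space.pgd_vaddr
    PsActiveProcessHead = find_psactiveprocesshead(addr_space, types)
    PsLoadedModuleList = find_psloadedmodulelist(addr_space, types)
    MmPfnDatabase = find_mmpfndatabase(addr_space, types)
    KdDebuggerDataBlock = find_kddebuggerdatablock(addr_space, types)
    NumberOfProcessors = find_numberprocessors(addr_space, types)
    SuiteMask = find_suitemask(addr_space, types)
    SystemTime = find_systemtime(addr_space, types)

    # Floor division keeps this an int on Python 3 too; a trailing partial
    # page of the image is not counted.
    end = os.path.getsize(filename)
    num_pages = end // 4096

    new_hdr = write_long_phys(DirectoryTableBaseValue, ['_DMP_HEADER', 'DirectoryTableBase'], dump_hdr, types)
    new_hdr = write_long_phys(PsLoadedModuleList, ['_DMP_HEADER', 'PsLoadedModuleList'], new_hdr, types)
    new_hdr = write_long_phys(PsActiveProcessHead, ['_DMP_HEADER', 'PsActiveProcessHead'], new_hdr, types)
    new_hdr = write_long_phys(KdDebuggerDataBlock, ['_DMP_HEADER', 'KdDebuggerDataBlock'], new_hdr, types)
    new_hdr = write_long_phys(NumberOfProcessors, ['_DMP_HEADER', 'NumberProcessors'], new_hdr, types)
    new_hdr = write_long_phys(MmPfnDatabase, ['_DMP_HEADER', 'PfnDataBase'], new_hdr, types)
    new_hdr = write_long_phys(SuiteMask, ['_DMP_HEADER', 'SuiteMask'], new_hdr, types)
    new_hdr = write_long_long_phys(SystemTime, ['_DMP_HEADER', 'SystemTime'], new_hdr, types)
    if addr_space.pae:
        new_hdr = write_char_phys(pae_enabled, ['_DMP_HEADER', 'PaeEnabled'], new_hdr, types)

    # Header bytes 100..115 become four native-endian longs: number of runs,
    # total page count, then one run starting at base page 0 that spans
    # num_pages pages.  This presumes the raw image is a contiguous,
    # hole-free copy of physical memory starting at address 0; acquisitions
    # with gaps will produce a dump whose physical addresses are shifted.
    # (Looks like the physical-memory descriptor at header offset 0x64 --
    # confirm against the _DMP_HEADER vtype.)
    run_desc = struct.pack('=LLLL', num_of_runs, num_pages, 0x00000000, num_pages)
    new_hdr = new_hdr[:100] + run_desc + new_hdr[116:]

    # try/finally rather than `with` so both files are closed on any error
    # without assuming a particular Python 2 minor version.
    dump = open(outfile, 'wb')
    try:
        dump.write(new_hdr)
        image = open(filename, 'rb')
        try:
            widgets = ['Convert: ', Percentage(), ' ', Bar(marker=RotatingMarker()), ' ', ETA()]
            pbar = ProgressBar(widgets=widgets, maxval=end).start()
            offset = 0
            while offset <= end:
                fdata = image.read(0x1000)
                # read() yields an empty string at EOF, never None, so the
                # old `fdata == None` test could never fire.
                if not fdata:
                    break
                dump.write(fdata)
                pbar.update(offset)
                offset += 0x1000
            pbar.finish()
        finally:
            image.close()
    finally:
        dump.close()
    print("")
    return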
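def dd_to_crash(addr_space, types, symbol_table, opts):
    """Write a Windows crash-dump version of a raw memory image.

    Kernel globals are located in the image and patched into the
    module-level ``dump_hdr`` template, the image is declared as one
    physical-memory run, and the finished header followed by the image
    contents (read in 0x1000-byte chunks) is written to ``opts.outfile``.

    Args:
        addr_space: address space over the raw image; supplies ``pgd_vaddr``
            and the ``pae`` flag.
        types: vtype table for the ``find_*`` / ``write_*_phys`` helpers.
        symbol_table: unused; present only for signature compatibility.
        opts: provides ``outfile`` (dump path) and ``filename`` (raw image path).

    Returns:
        None.
    """
    outfile = opts.outfile
    filename = opts.filename

    # (value, header field) pairs written as 32-bit longs, in the order the
    # original code applied them.
    long_fields = [
        (addr_space.pgd_vaddr, 'DirectoryTableBase'),
        (find_psloadedmodulelist(addr_space, types), 'PsLoadedModuleList'),
        (find_psactiveprocesshead(addr_space, types), 'PsActiveProcessHead'),
        (find_kddebuggerdatablock(addr_space, types), 'KdDebuggerDataBlock'),
        (find_numberprocessors(addr_space, types), 'NumberProcessors'),
        (find_mmpfndatabase(addr_space, types), 'PfnDataBase'),
        (find_suitemask(addr_space, types), 'SuiteMask'),
    ]
    SystemTime = find_systemtime(addr_space, types)

    # Floor division so num_pages stays an int on Python 3 as well.
    end = os.path.getsize(filename)
    num_pages = end // 4096

    new_hdr = dump_hdr
    for value, field in long_fields:
        new_hdr = write_long_phys(value, ['_DMP_HEADER', field], new_hdr, types)
    new_hdr = write_long_long_phys(SystemTime, ['_DMP_HEADER', 'SystemTime'], new_hdr, types)
    if addr_space.pae:
        new_hdr = write_char_phys(pae_enabled, ['_DMP_HEADER', 'PaeEnabled'], new_hdr, types)

    # Bytes 100..115 of the header: number of runs, total pages, and a single
    # run from base page 0 covering num_pages pages.  The whole file is thus
    # treated as contiguous physical memory from address 0; an image with
    # holes yields a dump with shifted physical addresses.  (Presumably the
    # physical-memory descriptor at header offset 0x64 -- confirm against
    # the _DMP_HEADER vtype.)
    run_desc = struct.pack('=LLLL', num_of_runs, num_pages, 0x00000000, num_pages)
    new_hdr = new_hdr[:100] + run_desc + new_hdr[116:]

    # Explicit close in finally blocks: works on every Python 2 release and
    # releases both handles if the copy loop raises.
    dump = open(outfile, 'wb')
    try:
        dump.write(new_hdr)
        image = open(filename, 'rb')
        try:
            widgets = ['Convert: ', Percentage(), ' ', Bar(marker=RotatingMarker()), ' ', ETA()]
            pbar = ProgressBar(widgets=widgets, maxval=end).start()
            offset = 0
            while offset <= end:
                chunk = image.read(0x1000)
                # EOF is an empty string, not None -- the original
                # `fdata == None` check was unreachable.
                if not chunk:
                    break
                dump.write(chunk)
                pbar.update(offset)
                offset += 0x1000
            pbar.finish()
        finally:
            image.close()
    finally:
        dump.close()
    print("")
    return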