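def process_list(addr_space, types, symbol_table=None):
    """Return the virtual addresses of the _EPROCESS blocks on the active process list.

    Walks ``ActiveProcessLinks.Flink`` starting at ``PsActiveProcessHead`` until the
    walk returns to the list head.  ``symbol_table`` is accepted for interface
    compatibility only; it is not read here.

    Args:
        addr_space: address space handed to ``find_psactiveprocesshead`` / ``read_obj``.
        types: type (profile) dictionary consumed by ``get_obj_offset`` / ``read_obj``.
        symbol_table: unused.

    Returns:
        list[int]: one _EPROCESS virtual address per walked entry.  Empty when the
        list head cannot be located or its first Flink cannot be read.
    """
    plist = []
    list_head = find_psactiveprocesshead(addr_space, types)
    if list_head is None:
        return plist

    # Offset of ActiveProcessLinks inside _EPROCESS: converts a LIST_ENTRY
    # address back into the address of the owning _EPROCESS.
    (offset, _) = get_obj_offset(types, ['_EPROCESS', 'ActiveProcessLinks'])
    first_process = list_head - offset
    current = read_obj(addr_space, types,
                       ['_EPROCESS', 'ActiveProcessLinks', 'Flink'], first_process)
    if current is None:
        print("Unable to read beginning of process list 0x%x. Try a different DTB?" % (first_process))
        return plist

    # The linked list lives in an untrusted memory image.  A smeared or
    # deliberately manipulated Flink chain (DKOM) may loop without ever
    # returning to the head, so remember visited entries and stop on a revisit
    # instead of hanging the tool.
    seen = set()
    this_process = current - offset
    while current != list_head:
        if this_process in seen:
            break
        seen.add(this_process)

        # 0x03 is the dispatcher-header Type this code expects for a process
        # object; anything else (including an unreadable None) means the walk
        # has left valid _EPROCESS data.
        header_type = read_obj(addr_space, types,
                               ['_EPROCESS', 'Pcb', 'Header', 'Type'], this_process)
        if header_type != 0x03:
            break
        plist.append(this_process)

        current = read_obj(addr_space, types,
                           ['_EPROCESS', 'ActiveProcessLinks', 'Flink'], this_process)
        if current is None:
            # Entry was valid but its Flink is unreadable: keep what was
            # collected so far.  (The entry was already appended above; the
            # old code appended it a second time here, producing a duplicate.)
            break
        this_process = current - offset
    return plist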
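def process_list(addr_space, types, symbol_table=None):
    """Collect the virtual addresses of every _EPROCESS on the active process list.

    NOTE(review): this listing shows a second, whitespace-only variant of
    ``process_list``; if both live in one module the later definition wins.

    The walk follows ``ActiveProcessLinks.Flink`` from ``PsActiveProcessHead``
    and stops when it gets back to the head, when an entry no longer looks like
    a process object, or when a link cannot be read.  ``symbol_table`` is kept
    for interface compatibility and is not used.

    Args:
        addr_space: address space passed to the ``find_*`` / ``read_obj`` helpers.
        types: type (profile) dictionary for ``get_obj_offset`` / ``read_obj``.
        symbol_table: unused.

    Returns:
        list[int]: _EPROCESS virtual addresses in walk order; empty if the list
        head is not found or its first link is unreadable.
    """
    head = find_psactiveprocesshead(addr_space, types)
    if head is None:
        return []

    # Distance from the start of _EPROCESS to ActiveProcessLinks, so a
    # LIST_ENTRY address can be mapped back to its _EPROCESS.
    links_offset, _ = get_obj_offset(types, ['_EPROCESS', 'ActiveProcessLinks'])
    flink_path = ['_EPROCESS', 'ActiveProcessLinks', 'Flink']
    type_path = ['_EPROCESS', 'Pcb', 'Header', 'Type']

    first_process = head - links_offset
    link = read_obj(addr_space, types, flink_path, first_process)
    if link is None:
        print("Unable to read beginning of process list 0x%x. Try a different DTB?" % (first_process))
        return []

    found = []
    # Guard against cycles: the Flink chain comes from an untrusted image and a
    # corrupted or rootkit-edited list need not ever return to the head.
    visited = set()
    while link != head:
        eprocess = link - links_offset
        if eprocess in visited:
            break
        visited.add(eprocess)

        # Only dispatcher-header Type 0x03 is treated as a process object here;
        # an unreadable (None) or different value ends the walk.
        if read_obj(addr_space, types, type_path, eprocess) != 0x03:
            break
        found.append(eprocess)

        link = read_obj(addr_space, types, flink_path, eprocess)
        if link is None:
            # Unreadable Flink: stop with what was collected.  The entry is
            # already in ``found``; the old code appended it again here.
            break
    return found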
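def dd_to_crash(addr_space, types, symbol_table, opts):
    """Convert a raw (dd-style) memory image into a Windows crash-dump file.

    A _DMP_HEADER is built from ``dump_hdr`` (a module-level template header
    not defined in this function) by patching in values recovered from the
    image -- DTB, PsLoadedModuleList, PsActiveProcessHead, KdDebuggerDataBlock,
    processor count, PFN database, SuiteMask, SystemTime and the PAE flag --
    plus a hand-packed physical-memory run descriptor.  The header is written
    to ``opts.outfile`` and the raw image ``opts.filename`` is appended page by
    page while a progress bar is shown.

    Args:
        addr_space: address space over the raw image; ``pgd_vaddr`` and ``pae`` are read.
        types: type (profile) dictionary passed to the ``find_*`` / ``write_*_phys`` helpers.
        symbol_table: accepted for interface compatibility; not used here.
        opts: options object providing ``outfile`` and ``filename``.

    Returns:
        None.  Output goes to ``opts.outfile``; progress goes to stdout.
    """
    outfile = opts.outfile
    filename = opts.filename

    # Values located by scanning the image.  NOTE(review): the helpers' failure
    # behaviour (None vs. exception) is not visible here -- a None would be
    # handed straight to write_long_phys; confirm how that is handled.
    directory_table_base = addr_space.pgd_vaddr
    ps_active_process_head = find_psactiveprocesshead(addr_space, types)
    ps_loaded_module_list = find_psloadedmodulelist(addr_space, types)
    mm_pfn_database = find_mmpfndatabase(addr_space, types)
    kd_debugger_data_block = find_kddebuggerdatablock(addr_space, types)
    number_of_processors = find_numberprocessors(addr_space, types)
    suite_mask = find_suitemask(addr_space, types)
    system_time = find_systemtime(addr_space, types)

    # Floor division keeps num_pages an int on Python 3 too (struct.pack('=L')
    # rejects a float).  A trailing partial page is still copied below, so the
    # page count in the header can understate the bytes written -- TODO confirm
    # whether consumers require a page-aligned image.
    image_size = os.path.getsize(filename)
    num_pages = image_size // 4096

    hdr = write_long_phys(directory_table_base, ['_DMP_HEADER', 'DirectoryTableBase'], dump_hdr, types)
    hdr = write_long_phys(ps_loaded_module_list, ['_DMP_HEADER', 'PsLoadedModuleList'], hdr, types)
    hdr = write_long_phys(ps_active_process_head, ['_DMP_HEADER', 'PsActiveProcessHead'], hdr, types)
    hdr = write_long_phys(kd_debugger_data_block, ['_DMP_HEADER', 'KdDebuggerDataBlock'], hdr, types)
    hdr = write_long_phys(number_of_processors, ['_DMP_HEADER', 'NumberProcessors'], hdr, types)
    hdr = write_long_phys(mm_pfn_database, ['_DMP_HEADER', 'PfnDataBase'], hdr, types)
    hdr = write_long_phys(suite_mask, ['_DMP_HEADER', 'SuiteMask'], hdr, types)
    hdr = write_long_long_phys(system_time, ['_DMP_HEADER', 'SystemTime'], hdr, types)
    if addr_space.pae:
        # pae_enabled is a module-level value, not defined in this function.
        hdr = write_char_phys(pae_enabled, ['_DMP_HEADER', 'PaeEnabled'], hdr, types)

    # Four little-endian longs patched over header bytes 100..115 -- presumably
    # the physical memory descriptor (NumberOfRuns, NumberOfPages,
    # Run[0].BasePage=0, Run[0].PageCount); verify against the profile's
    # _DMP_HEADER layout.  num_of_runs is a module-level value.
    run_descriptor = (struct.pack('=L', num_of_runs) +
                      struct.pack('=L', num_pages) +
                      struct.pack('=L', 0x00000000) +
                      struct.pack('=L', num_pages))
    hdr = hdr[:100] + run_descriptor + hdr[116:]

    widgets = ['Convert: ', Percentage(), ' ', Bar(marker=RotatingMarker()), ' ', ETA()]
    pbar = ProgressBar(widgets=widgets, maxval=image_size).start()

    # Context managers close both handles even when a read/write fails part-way;
    # the previous version leaked them on any exception.
    with open(outfile, 'wb') as out:
        # The header is already a byte string (it was sliced and concatenated
        # above), so it is written as-is rather than through "%s" % hdr, which
        # would produce a repr on Python 3.
        out.write(hdr)
        with open(filename, 'rb') as image:
            offset = 0
            while True:
                page = image.read(0x1000)
                if not page:  # read() yields an empty string at EOF, never None
                    break
                out.write(page)
                offset += len(page)
                pbar.update(offset)
    pbar.finish()
    print("")
    return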
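def dd_to_crash(addr_space, types, symbol_table, opts):
    """Write ``opts.filename`` (a raw memory image) out as a Windows crash dump.

    NOTE(review): this listing shows a second, whitespace-only variant of
    ``dd_to_crash``; if both live in one module the later definition wins.

    The function patches the template header ``dump_hdr`` (module-level, not
    defined here) with values found in the image and a hand-packed memory run
    descriptor, writes that header to ``opts.outfile`` and then streams the raw
    image after it one 0x1000-byte page at a time.

    Args:
        addr_space: address space over the image; ``pgd_vaddr`` and ``pae`` are read.
        types: type (profile) dictionary for the ``find_*`` / ``write_*_phys`` helpers.
        symbol_table: accepted for interface compatibility; unused.
        opts: must expose ``outfile`` (destination path) and ``filename`` (source image).

    Returns:
        None.
    """
    src_path = opts.filename
    dst_path = opts.outfile

    # (header field, value) pairs in the order the header is patched.
    # NOTE(review): what the find_* helpers return on failure is not visible
    # here; a None would reach write_long_phys unchecked.
    long_fields = [
        ('DirectoryTableBase', addr_space.pgd_vaddr),
        ('PsLoadedModuleList', find_psloadedmodulelist(addr_space, types)),
        ('PsActiveProcessHead', find_psactiveprocesshead(addr_space, types)),
        ('KdDebuggerDataBlock', find_kddebuggerdatablock(addr_space, types)),
        ('NumberProcessors', find_numberprocessors(addr_space, types)),
        ('PfnDataBase', find_mmpfndatabase(addr_space, types)),
        ('SuiteMask', find_suitemask(addr_space, types)),
    ]
    system_time = find_systemtime(addr_space, types)

    # Floor division so num_pages stays an int under Python 3 (struct.pack('=L')
    # refuses a float).  Any trailing partial page is still copied, so the
    # header's page count may be one short of the data written -- TODO confirm
    # whether downstream tools need a page-aligned image.
    total_bytes = os.path.getsize(src_path)
    num_pages = total_bytes // 4096

    header = dump_hdr
    for field, value in long_fields:
        header = write_long_phys(value, ['_DMP_HEADER', field], header, types)
    header = write_long_long_phys(system_time, ['_DMP_HEADER', 'SystemTime'], header, types)
    if addr_space.pae:
        # pae_enabled is a module-level value, not defined in this function.
        header = write_char_phys(pae_enabled, ['_DMP_HEADER', 'PaeEnabled'], header, types)

    # Header bytes 100..115 are overwritten with four little-endian longs --
    # presumably the physical memory descriptor (NumberOfRuns, NumberOfPages,
    # Run[0].BasePage=0, Run[0].PageCount); verify against the profile's
    # _DMP_HEADER layout.  num_of_runs is a module-level value.
    runs = struct.pack('=LLLL', num_of_runs, num_pages, 0x00000000, num_pages)
    header = header[:100] + runs + header[116:]

    widgets = ['Convert: ', Percentage(), ' ', Bar(marker=RotatingMarker()), ' ', ETA()]
    pbar = ProgressBar(widgets=widgets, maxval=total_bytes).start()

    # Both handles are closed by the context managers even if copying raises;
    # the earlier version left them open on an exception.
    with open(dst_path, 'wb') as dst:
        # header is already a byte string here (it was sliced/concatenated), so
        # it is written directly; "%s" % header would emit a repr on Python 3.
        dst.write(header)
        with open(src_path, 'rb') as src:
            copied = 0
            page = src.read(0x1000)
            while page:  # read() returns '' at EOF, never None
                dst.write(page)
                copied += len(page)
                pbar.update(copied)
                page = src.read(0x1000)
    pbar.finish()
    print("")
    return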