def is_executable(addr):
    """Return True when the page that contains ``addr`` carries an Execute protection.

    The decision is a plain substring test on the textual form of
    ``pykd.getVaProtect(addr)``, so every PAGE_EXECUTE* variant matches.

    Caveat for callers: under a kernel debugger this function answers False
    without consulting any protection information at all.  That result means
    "unknown", not "verified non-executable"; do not build a DEP/W^X check on
    it while kernel debugging.
    """
    if pykd.isKernelDebugging():
        # TODO: no kernel-mode page-protection lookup is available here yet,
        # so the unknown case collapses to False.
        return False
    protection = str(pykd.getVaProtect(addr))
    return "Execute" in protection
def is_writable(self, address):
    """Return True when the page that contains ``address`` carries a Write protection.

    ``self`` is not used; the answer is a substring test on the textual form
    of ``pykd.getVaProtect(address)`` (PAGE_READWRITE, PAGE_WRITECOPY,
    PAGE_EXECUTE_READWRITE, ... all match).

    Caveat for callers: under a kernel debugger the function returns False
    unconditionally -- that is "unknown", not a verified read-only page.
    """
    if pykd.isKernelDebugging():
        # No kernel-mode protection lookup available; unknown maps to False.
        return False
    protection = str(pykd.getVaProtect(address))
    return "Write" in protection
def __init__(self, base, config, *args, **kwargs):
    """Build a Volatility-style address space on top of a live pykd kernel session.

    Preconditions (enforced through ``self.as_assert``): no underlying address
    space (``base`` is None), ``config.LOCATION`` is ``'windbg'`` and pykd is
    attached as a kernel debugger.

    Side effects: reads CR3 into ``self.dtb``, loads the ``nt`` module, writes
    ``config.KDBG`` from ``nt!KdCopyDataBlock``, and records the physical page
    range ``[MmLowestPhysicalPage, MmHighestPhysicalPage]`` (in pages) together
    with a single (start, length) entry in ``self.spaces``.
    """
    self.as_assert(base == None)
    self.as_assert(config.LOCATION == 'windbg')
    self.as_assert(pykd.isKernelDebugging())
    self.dtb = pykd.reg('cr3')
    kernel = pykd.module('nt')
    self.nt = kernel
    config.KDBG = kernel.KdCopyDataBlock
    page_size = pykd.pageSize()
    low_pfn = pykd.ptrMWord(kernel.MmLowestPhysicalPage)
    high_pfn = pykd.ptrMWord(kernel.MmHighestPhysicalPage)
    self.pageSize = page_size
    self.lowPage = low_pfn
    self.highPage = high_pfn
    span_start = low_pfn * page_size
    # NOTE(review): the length covers (high - low) pages.  If
    # MmHighestPhysicalPage is an inclusive PFN, the last physical page falls
    # just outside this span -- confirm against the kernel's definition.
    span_length = (high_pfn - low_pfn) * page_size
    self.spaces = [(span_start, span_length)]
    super(PykdAddressSpace, self).__init__(base, config)
    self.name = "WinDBG Address Space"
def __init__(self, base, config, *args, **kwargs):
    """Build a Volatility-style address space on top of a live pykd kernel session.

    Preconditions (enforced through ``self.as_assert``): no underlying address
    space (``base`` is None), ``config.LOCATION`` is ``'windbg'`` and pykd is
    attached as a kernel debugger.

    Side effects: reads CR3 into ``self.dtb``, loads the ``nt`` module, writes
    ``config.KDBG`` from ``nt!KdCopyDataBlock``, and records the physical page
    range ``[MmLowestPhysicalPage, MmHighestPhysicalPage]`` (in pages) together
    with a single (start, length) entry in ``self.spaces``.
    """
    self.as_assert(base == None)
    self.as_assert(config.LOCATION == 'windbg')
    self.as_assert(pykd.isKernelDebugging())
    self.dtb = pykd.reg('cr3')
    kernel = pykd.module('nt')
    self.nt = kernel
    config.KDBG = kernel.KdCopyDataBlock
    page_size = pykd.pageSize()
    low_pfn = pykd.ptrMWord(kernel.MmLowestPhysicalPage)
    high_pfn = pykd.ptrMWord(kernel.MmHighestPhysicalPage)
    self.pageSize = page_size
    self.lowPage = low_pfn
    self.highPage = high_pfn
    span_start = low_pfn * page_size
    # NOTE(review): the length covers (high - low) pages.  If
    # MmHighestPhysicalPage is an inclusive PFN, the last physical page falls
    # just outside this span -- confirm against the kernel's definition.
    span_length = (high_pfn - low_pfn) * page_size
    self.spaces = [(span_start, span_length)]
    super(PykdAddressSpace, self).__init__(base, config)
    self.name = "WinDBG Address Space"
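def reloadModules():
    """Rebuild the module-level ``moduleList`` and publish one global per loaded module.

    Walks the debuggee's loader list -- ``nt!PsLoadedModuleList`` under a kernel
    debugger, otherwise the current process's ``PEB.Ldr.InLoadOrderModuleList``
    -- and for every entry except ``ntoskrnl.exe`` stores the pykd module object
    both in ``moduleList`` and in ``globals()`` under its lower-cased name.
    Under a kernel debugger the ``nt`` module is loaded explicitly and is the
    first entry of ``moduleList``.

    Fix: the original appended ``nt`` to ``moduleList`` and then replaced the
    list with ``[]``, silently dropping it; the reset now happens before any
    append.  As a consequence ``nt`` is also cleared on the next reload like
    every other published module.

    Side effects: mutates ``moduleList``, ``nt`` and arbitrary other globals.
    """
    global moduleList
    global nt
    # Retract the globals published by the previous call so a module that has
    # since been unloaded in the target does not linger as a stale object.
    for stale in moduleList:
        globals()[stale.name().lower()] = None
    # Reset before anything is appended (see docstring).
    moduleList = []
    if pykd.isKernelDebugging():
        nt = pykd.loadModule("nt")
        entries = pykd.typedVarList(nt.PsLoadedModuleList, "nt", "_LDR_DATA_TABLE_ENTRY", "InLoadOrderLinks")
        moduleList.append(nt)
    else:
        ntdll = pykd.loadModule("ntdll")
        peb = pykd.typedVar("ntdll", "_PEB", pykd.getCurrentProcess())
        ldr = pykd.typedVar("ntdll", "_PEB_LDR_DATA", peb.Ldr)
        entries = pykd.typedVarList(ldr.InLoadOrderModuleList.getAddress(), "ntdll", "_LDR_DATA_TABLE_ENTRY", "InLoadOrderLinks")
    for entry in entries:
        baseName = str(pykd.loadUnicodeString(entry.BaseDllName.getAddress()))
        if baseName == "ntoskrnl.exe":
            # The kernel image is represented by the explicit ``nt`` entry.
            continue
        module = pykd.findModule(entry.DllBase)
        # SECURITY NOTE: the global's name is taken verbatim from the debuggee's
        # loader list.  A module whose base name lower-cases to an existing
        # global (e.g. "pykd", "nt", or this function's own name) shadows it for
        # every caller in this file.  The loader list of an untrusted or
        # compromised target must therefore be treated as hostile input.
        globals()[module.name().lower()] = module
        moduleList.append(module)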
def isKernelDebugging():
    """Report whether pykd is attached as a kernel debugger.

    Thin wrapper that forwards the literal argument ``"r"`` to
    ``pykd.isKernelDebugging`` and hands its result back unchanged.
    """
    result = pykd.isKernelDebugging("r")
    return result
return sympath + newdir else: return sympath + ";" + newdir g_windowsdir = win32api.GetWindowsDirectory() g_system32dir = os.path.join(g_windowsdir, "system32") config = open("config.txt", "rb").read() config = json.loads(config) windbgpath = config.get("windbgpath") if not os.path.exists(windbgpath): raise Exception("%s not exists, modify your config.txt" % windbgpath) pykd.attachKernel() if not pykd.isKernelDebugging(): raise Exception("not a kernel debugging") print "load symbol, wait...." g_sympath = config.get("sympath") if not g_sympath: raise Exception("%s can not be null") print "your sympath:%s" % g_sympath g_sympath = add_symbolpath(g_sympath, g_windowsdir) g_sympath = add_symbolpath(g_sympath, g_system32dir) pykd.dbgCommand(".sympath %s" % g_sympath) pykd.dbgCommand(".reload *") print "load symbol ok!" windbgextdirs = ["winxp", "winext"] default_exts = ["kdexts.dll", "ext.dll", "exts.dll", "kext.dll", "kdexts.dll", "ntsdexts.dll"]
def testIsKernelDebugging(self):
    """The attached session must not be a kernel-debugging session.

    Pins ``pykd.isKernelDebugging()`` to a falsy value, i.e. the suite is
    expected to run against a user-mode target.
    """
    kernel_mode = pykd.isKernelDebugging()
    self.assertFalse(kernel_mode)
print '[+] Finding target pid %d...' % opts.pid process = Process(opts.pid) print '[+] Current privileges:' print '\n%s\n' % tabulate( { "Privilege": process.current_privileges.keys(), "State": process.current_privileges.values() }, headers="keys") if opts.enable: for priv in opts.enable: if process.enable_privilege(priv): print '[+] %s enabled' % priv else: print '[-] Could not enable %s' % priv if opts.disable: for priv in opts.disable: if process.disable_privilege(priv): print '[+] %s disabled' % priv else: print '[-] Could not disable %s' % priv if __name__ == "__main__": if not pykd.isKernelDebugging(): print 'Currently not kd!' run(parse_args())