def enter_call_back(self):
self.condition = False
time = datetime.datetime.now()
current_free_size = (hex(pykd.ptrMWord(pykd.reg("esp") +
0xC))).replace('L', '')
# logging everything except Free[0]
if (current_free_size != "0x0"):
self.condition = True
self.out = str(time)
self.out += ", RtlFreeHeap("
if arch_bits == 32:
esp = pykd.reg(stack_pointer)
self.out += hex(pykd.ptrPtr(esp + 4)) + " , "
self.out += hex(pykd.ptrMWord(esp + 0x8)) + " , "
self.out += hex(pykd.ptrPtr(esp + 0xC)) + ") = "
else:
self.out += hex(pykd.reg("rcx")) + " , "
self.out += hex(pykd.reg("rdx")) + " , "
self.out += hex(pykd.reg("r8")) + ") = "
if self.bp_end == None:
disas = pykd.dbgCommand("uf ntdll!RtlFreeHeap").split('\n')
for i in disas:
if 'ret' in i:
self.ret_addr = format64(i.split()[0])
break
self.bp_end = pykd.setBp(int(self.ret_addr, 16),
self.return_call_back)
return False
def enter_call_back(self):
self.condition = False
time = datetime.datetime.now()
current_alloc_size = (hex(pykd.ptrMWord(pykd.reg("esp") +
0xC))).replace('L', '')
if (current_alloc_size == alloc_size) or "null" in alloc_size:
self.condition = True
self.out = str(time)
self.out += ", RtlAllocateHeap("
if arch_bits == 32:
esp = pykd.reg("esp")
self.out += hex(pykd.ptrPtr(esp + 4)) + " , "
self.out += hex(pykd.ptrMWord(esp + 0x8)) + " , "
self.out += hex(pykd.ptrMWord(esp + 0xC)) + ") = "
else:
self.out += hex(pykd.reg("rcx")) + " , "
self.out += hex(pykd.reg("rdx")) + " , "
self.out += hex(pykd.reg("r8")) + ") = "
if self.condition:
disas = pykd.dbgCommand("uf ntdll!RtlAllocateHeap").split('\n')
for i in disas:
if 'ret' in i:
self.ret_addr = format64(i.split()[0])
break
self.bp_end = pykd.setBp(int(self.ret_addr, 16),
self.return_call_back)
return False
def enter_call_back(self, bp):
self.out = "RtlAllocateHeap("
esp = pykd.reg("esp")
self.out += hex(pykd.ptrPtr(esp + 4)) + " , "
self.out += hex(pykd.ptrMWord(esp + 0x8)) + " , "
self.out += hex(pykd.ptrMWord(esp + 0xC)) + ") = "
if self.bp_end == None:
self.ret_addr = pykd.dbgCommand("dd esp L1").split()[1]
self.bp_end = pykd.setBp(int(self.ret_addr, 16), self.return_call_back)
return False
def enter_call_back(self, bp):
self.out = "RtlAllocateHeap("
esp = pykd.reg("esp")
self.out += hex(pykd.ptrPtr(esp + 4)) + " , "
self.out += hex(pykd.ptrMWord(esp + 0x8)) + " , "
self.out += hex(pykd.ptrMWord(esp + 0xC)) + ") = "
if self.bp_end == None:
self.ret_addr = pykd.dbgCommand("dd esp L1").split()[1]
self.bp_end = pykd.setBp(int(self.ret_addr, 16),
self.return_call_back)
return False
def enter_call_back(self,bp):
self.out = "RtlAllocateHeap("
esp = pykd.reg("esp")
self.out += hex(pykd.ptrPtr(esp + 4)) + " , "
self.out += hex(pykd.ptrMWord(esp + 0x8)) + " , "
self.out += hex(pykd.ptrMWord(esp + 0xC)) + ") = "
if self.bp_end == None:
disas = pykd.dbgCommand("uf ntdll!RtlAllocateHeap").split('\n')
for i in disas:
if 'ret' in i:
self.ret_addr = i.split()[0]
break
self.bp_end = pykd.setBp(int(self.ret_addr, 16), self.return_call_back)
return False
def inspectSSDT():
kernelbase=g_kernelbase
KeServiceDescriptorTable=pykd.getOffset('nt!KeServiceDescriptorTable')
KiServiceTable=pykd.ptrPtr(KeServiceDescriptorTable)
serviceCount=pykd.ptrMWord(KeServiceDescriptorTable+2*g_mwordsize)
print 'nt!KeServiceDescriptorTable:0x%x' % KeServiceDescriptorTable
print 'nt!KiServiceTable:0x%x' % KiServiceTable
print 'serviceCount:0x%x(%d)' % (serviceCount, serviceCount)
ssdttable=pykd.loadPtrs(KiServiceTable, serviceCount)
table_rva=(KiServiceTable-kernelbase)
print 'KiServiceTable rva:0x%x' % table_rva
filedata=open(g_kernelpath, 'rb').read()
pe = pefile.PE(data=filedata, fast_load=True)
if pe.DOS_HEADER.e_magic!=0X5A4D or pe.NT_HEADERS.Signature!=0x4550:
raise Exception("%s is not a pe file" % filepath)
table_fileoffset=pe.get_offset_from_rva(table_rva)
print 'KiServiceTable file offset:0x%x' % table_fileoffset
d=filedata[table_fileoffset:table_fileoffset+g_mwordsize*serviceCount]
number=0
for i in xrange(serviceCount):
source=binascii.b2a_hex(d[i*g_mwordsize:(i+1)*g_mwordsize][::-1])
source=pykd.addr64(int(source, 16))-pykd.addr64(pe.OPTIONAL_HEADER.ImageBase)+kernelbase
symbolname=pykd.findSymbol(source)
current=ssdttable[i]
if source==current:
print 'source:0x%x current:0x%x %s' % (source, current, symbolname)
else:
hooksymbolname=pykd.findSymbol(current)
print 'source:0x%x %s <-> current:0x%x %s hooked!!!!!!!' % (source, symbolname, current, hooksymbolname)
number+=1
print 'hooked function number:', number
def __init__(self, base, config, *args, **kwargs):
self.as_assert(base == None)
self.as_assert(config.LOCATION=='windbg')
self.as_assert(pykd.isKernelDebugging())
self.dtb = pykd.reg('cr3')
self.nt = pykd.module('nt')
config.KDBG = self.nt.KdCopyDataBlock
self.pageSize = pykd.pageSize()
self.lowPage = pykd.ptrMWord(self.nt.MmLowestPhysicalPage)
self.highPage = pykd.ptrMWord(self.nt.MmHighestPhysicalPage)
self.spaces = [ ( self.lowPage*self.pageSize, (self.highPage -self.lowPage )*self.pageSize) ]
super(PykdAddressSpace,self).__init__(base,config)
self.name = "WinDBG Address Space"
def enter_call_back(self,bp):
self.out = "RtlReAllocateHeap("
if arch_bits == 32:
esp = pykd.reg(stack_pointer)
self.out += hex(pykd.ptrPtr(esp + 4)) + " , "
self.out += hex(pykd.ptrMWord(esp + 0x8)) + " , "
self.out += hex(pykd.ptrPtr(esp + 0xC)) + " , "
self.out += hex(pykd.ptrMWord(esp + 0x10)) + ") = "
else:
self.out += hex(pykd.reg("rcx")) + " , "
self.out += hex(pykd.reg("rdx")) + " , "
self.out += hex(pykd.reg("r8")) + " , "
self.out += hex(pykd.reg("r9")) + ") = "
if self.bp_end == None:
self.ret_addr = pykd.dbgCommand("dd esp L1").split()[1]
self.bp_end = pykd.setBp(int(self.ret_addr, 16), self.return_call_back)
return False
def __init__(self, base, config, *args, **kwargs):
self.as_assert(base == None)
self.as_assert(config.LOCATION == 'windbg')
self.as_assert(pykd.isKernelDebugging())
self.dtb = pykd.reg('cr3')
self.nt = pykd.module('nt')
config.KDBG = self.nt.KdCopyDataBlock
self.pageSize = pykd.pageSize()
self.lowPage = pykd.ptrMWord(self.nt.MmLowestPhysicalPage)
self.highPage = pykd.ptrMWord(self.nt.MmHighestPhysicalPage)
self.spaces = [(self.lowPage * self.pageSize,
(self.highPage - self.lowPage) * self.pageSize)]
super(PykdAddressSpace, self).__init__(base, config)
self.name = "WinDBG Address Space"
def enter_call_back(self, bp):
self.out = "RtlReAllocateHeap("
if arch_bits == 32:
esp = pykd.reg(stack_pointer)
self.out += hex(pykd.ptrPtr(esp + 4)) + " , "
self.out += hex(pykd.ptrMWord(esp + 0x8)) + " , "
self.out += hex(pykd.ptrPtr(esp + 0xC)) + " , "
self.out += hex(pykd.ptrMWord(esp + 0x10)) + ") = "
else:
self.out += hex(pykd.reg("rcx")) + " , "
self.out += hex(pykd.reg("rdx")) + " , "
self.out += hex(pykd.reg("r8")) + " , "
self.out += hex(pykd.reg("r9")) + ") = "
if self.bp_end == None:
self.ret_addr = pykd.dbgCommand("dd esp L1").split()[1]
self.bp_end = pykd.setBp(int(self.ret_addr, 16),
self.return_call_back)
return False
def enter_call_back(self, bp):
self.out = "RtlAllocateHeap("
if arch_bits == 32:
esp = pykd.reg(stack_pointer)
self.out += hex(pykd.ptrPtr(esp + 4)) + " , "
self.out += hex(pykd.ptrMWord(esp + 0x8)) + " , "
self.out += hex(pykd.ptrMWord(esp + 0xC)) + ") = "
else:
self.out += hex(pykd.reg("rcx")) + " , "
self.out += hex(pykd.reg("rdx")) + " , "
self.out += hex(pykd.reg("r8")) + ") = "
if self.bp_end == None:
disas = pykd.dbgCommand("uf ntdll!RtlAllocateHeap").split("\n")
for i in disas:
if "ret" in i:
self.ret_addr = i.split()[0]
break
self.bp_end = pykd.setBp(int(self.ret_addr, 16), self.return_call_back)
return False
def enter_call_back(self):
self.out = "RtlAllocateHeap("
if arch_bits == 32:
esp = pykd.reg(stack_pointer)
self.out += hex(pykd.ptrPtr(esp + 4)) + " , "
self.out += hex(pykd.ptrMWord(esp + 0x8)) + " , "
self.out += hex(pykd.ptrMWord(esp + 0xC)) + ") = "
else:
self.out += hex(pykd.reg("rcx")) + " , "
self.out += hex(pykd.reg("rdx")) + " , "
self.out += hex(pykd.reg("r8")) + ") = "
if self.bp_end is None:
disas = pykd.dbgCommand("uf ntdll!RtlAllocateHeap").split('\n')
for i in disas:
if 'ret' in i:
self.ret_addr = i.split()[0]
break
self.bp_end = pykd.setBp(pykd.expr(self.ret_addr),
self.return_call_back)
return False
def enter_call_back(self):
time = datetime.datetime.now()
self.out = str(time)
self.out += ", VirtualAlloc("
if arch_bits == 32:
esp = pykd.reg(stack_pointer)
self.out += hex(pykd.ptrPtr(esp + 4)) + " , "
self.out += hex(pykd.ptrMWord(esp + 0x8)) + " , "
self.out += hex(pykd.ptrMWord(esp + 0xC)) + " , "
self.out += hex(pykd.ptrMWord(esp + 0x10)) + ") = "
else:
self.out += hex(pykd.reg("rcx")) + " , "
self.out += hex(pykd.reg("rdx")) + " , "
self.out += hex(pykd.reg("r8")) + " , "
self.out += hex(pykd.reg("r9")) + ") = "
if self.bp_end == None:
disas = pykd.dbgCommand("uf kernelbase!VirtualAlloc").split('\n')
for i in disas:
if 'ret' in i:
self.ret_addr = format64(i.split()[0])
break
self.bp_end = pykd.setBp(int(self.ret_addr, 16),
self.return_call_back)
return False
def inspectShadowSSDT():
r = pykd.dbgCommand('dd win32k L1').split(' ')
win32kbase = pykd.addr64(int(r[0], 16))
print 'wink32.sys baseaddr:0x%x' % win32kbase
W32pServiceTable = pykd.getOffset('win32k!W32pServiceTable')
print 'win32k!W32pServiceTable:0x%x' % W32pServiceTable
W32pServiceLimit = pykd.getOffset('win32k!W32pServiceLimit')
W32pServiceLimit = pykd.ptrMWord(W32pServiceLimit)
print 'win32k!W32pServiceLimit:0x%x(%d)' % (W32pServiceLimit,
W32pServiceLimit)
shadowssdttable = pykd.loadPtrs(W32pServiceTable, W32pServiceLimit)
table_rva = (W32pServiceTable - win32kbase)
print 'W32pServiceTable rva:0x%x' % table_rva
win32kname = 'win32k.sys'
windowsdir = win32api.GetWindowsDirectory()
filepath = os.path.join(windowsdir, 'system32', win32kname)
if not os.path.exists(filepath):
raise Exception('%s not exists!' % win32kname)
print 'win32k.sys path:', filepath
filedata = open(filepath, 'rb').read()
pe = pefile.PE(data=filedata, fast_load=True)
if pe.DOS_HEADER.e_magic != 0X5A4D or pe.NT_HEADERS.Signature != 0x4550:
raise Exception("%s is not a pe file" % filepath)
table_fileoffset = pe.get_offset_from_rva(table_rva)
print 'W32pServiceTable file offset:0x%x' % table_fileoffset
d = filedata[table_fileoffset:table_fileoffset +
g_mwordsize * W32pServiceLimit]
number = 0
for i in xrange(W32pServiceLimit):
source = binascii.b2a_hex(d[i * g_mwordsize:(i + 1) *
g_mwordsize][::-1])
source = int(source, 16) - pe.OPTIONAL_HEADER.ImageBase + win32kbase
symbolname = pykd.findSymbol(source)
current = shadowssdttable[i]
if source == current:
print 'source:0x%x current:0x%x %s' % (source, current, symbolname)
else:
hooksymbolname = pykd.findSymbol(current)
print 'source:0x%x %s <-> current:0x%x %s hooked!!!!!!!' % (
source, symbolname, current, hooksymbolname)
number += 1
print 'hooked function number:', number
def inspectShadowSSDT():
r=pykd.dbgCommand('dd win32k L1').split(' ')
win32kbase=pykd.addr64(int(r[0],16))
print 'wink32.sys baseaddr:0x%x' % win32kbase
W32pServiceTable=pykd.getOffset('win32k!W32pServiceTable')
print 'win32k!W32pServiceTable:0x%x' % W32pServiceTable
W32pServiceLimit=pykd.getOffset('win32k!W32pServiceLimit')
W32pServiceLimit=pykd.ptrMWord(W32pServiceLimit)
print 'win32k!W32pServiceLimit:0x%x(%d)' % (W32pServiceLimit, W32pServiceLimit)
shadowssdttable=pykd.loadPtrs(W32pServiceTable, W32pServiceLimit)
table_rva=(W32pServiceTable-win32kbase)
print 'W32pServiceTable rva:0x%x' % table_rva
win32kname='win32k.sys'
windowsdir=win32api.GetWindowsDirectory()
filepath=os.path.join(windowsdir, 'system32', win32kname)
if not os.path.exists(filepath):
raise Exception('%s not exists!' % win32kname)
print 'win32k.sys path:', filepath
filedata=open(filepath, 'rb').read()
pe = pefile.PE(data=filedata, fast_load=True)
if pe.DOS_HEADER.e_magic!=0X5A4D or pe.NT_HEADERS.Signature!=0x4550:
raise Exception("%s is not a pe file" % filepath)
table_fileoffset=pe.get_offset_from_rva(table_rva)
print 'W32pServiceTable file offset:0x%x' % table_fileoffset
d=filedata[table_fileoffset:table_fileoffset+g_mwordsize*W32pServiceLimit]
number=0
for i in xrange(W32pServiceLimit):
source=binascii.b2a_hex(d[i*g_mwordsize:(i+1)*g_mwordsize][::-1])
source=int(source, 16)-pe.OPTIONAL_HEADER.ImageBase+win32kbase
symbolname=pykd.findSymbol(source)
current=shadowssdttable[i]
if source==current:
print 'source:0x%x current:0x%x %s' % (source, current, symbolname)
else:
hooksymbolname=pykd.findSymbol(current)
print 'source:0x%x %s <-> current:0x%x %s hooked!!!!!!!' % (source, symbolname, current, hooksymbolname)
number+=1
print 'hooked function number:', number
def inspectSSDT():
kernelbase = g_kernelbase
KeServiceDescriptorTable = pykd.getOffset('nt!KeServiceDescriptorTable')
KiServiceTable = pykd.ptrPtr(KeServiceDescriptorTable)
serviceCount = pykd.ptrMWord(KeServiceDescriptorTable + 2 * g_mwordsize)
print 'nt!KeServiceDescriptorTable:0x%x' % KeServiceDescriptorTable
print 'nt!KiServiceTable:0x%x' % KiServiceTable
print 'serviceCount:0x%x(%d)' % (serviceCount, serviceCount)
ssdttable = pykd.loadPtrs(KiServiceTable, serviceCount)
table_rva = (KiServiceTable - kernelbase)
print 'KiServiceTable rva:0x%x' % table_rva
filedata = open(g_kernelpath, 'rb').read()
pe = pefile.PE(data=filedata, fast_load=True)
if pe.DOS_HEADER.e_magic != 0X5A4D or pe.NT_HEADERS.Signature != 0x4550:
raise Exception("%s is not a pe file" % filepath)
table_fileoffset = pe.get_offset_from_rva(table_rva)
print 'KiServiceTable file offset:0x%x' % table_fileoffset
d = filedata[table_fileoffset:table_fileoffset +
g_mwordsize * serviceCount]
number = 0
for i in xrange(serviceCount):
source = binascii.b2a_hex(d[i * g_mwordsize:(i + 1) *
g_mwordsize][::-1])
source = pykd.addr64(int(source, 16)) - pykd.addr64(
pe.OPTIONAL_HEADER.ImageBase) + kernelbase
symbolname = pykd.findSymbol(source)
current = ssdttable[i]
if source == current:
print 'source:0x%x current:0x%x %s' % (source, current, symbolname)
else:
hooksymbolname = pykd.findSymbol(current)
print 'source:0x%x %s <-> current:0x%x %s hooked!!!!!!!' % (
source, symbolname, current, hooksymbolname)
number += 1
print 'hooked function number:', number
if not fl:
raise Exception('%s not exists, have you installed the latest windbg?' % extdirpath)
dirpath=fl[0]
l=os.listdir(dirpath)
for i in l:
filepath=os.path.join(dirpath, i)
if i in default_exts:
print 'load', filepath
pykd.dbgCommand('.load %s' % filepath)
print 'load extensions ok'
nt = pykd.module( "nt" )
g_kernelsize=int(nt.size())
g_kernelbase=int(nt.begin())
module_entry=pykd.ptrMWord(pykd.getOffset('nt!PsLoadedModuleList'))
module_entry=pykd.typedVar('nt!_LDR_DATA_TABLE_ENTRY', module_entry)
kernelpath=pykd.loadUnicodeString(module_entry.FullDllName)
name=os.path.basename(kernelpath)
g_kernelpath=os.path.join(g_system32dir, name)
if not os.path.exists(g_kernelpath):
raise Exception("can't find %s" % g_kernelpath)
imagename=nt.image()
kernelbasepath=os.path.join(g_system32dir, imagename)
import shutil
if not os.path.exists(kernelbasepath):
shutil.copy(g_kernelpath, kernelbasepath)
g_currentprocess=pykd.typedVar('nt!_EPROCESS', pykd.getCurrentProcess())
print 'current process:%x' % g_currentprocess.getAddress()
def listSocket():
try:
r=pykd.dbgCommand('.reload tcpip.sys')
if is_2000():
print 'no support'
elif is_xp() or is_2003():
AddrObjTable=pykd.getOffset('tcpip!AddrObjTable')
AddrObjTable=pykd.ptrPtr(AddrObjTable)
AddrObjTableSize=pykd.getOffset('tcpip!AddrObjTableSize')
AddrObjTableSize=pykd.ptrPtr(AddrObjTableSize)
print '='*20
print 'AddrObjTable:%x AddrObjTableSize:%d' % (AddrObjTable, AddrObjTableSize)
if pykd.is64bitSystem():
Next_offset=0
localIP_offset=0x58 #4bytes
LocalPort_offset=0x5c#2bytes
Protocol_offset=0x5e #2bytes
pid_offset=0x238 #4bytes
else:
if is_xp():
Next_offset=0
localIP_offset=0x2c #4bytes
LocalPort_offset=0x30#2bytes
Protocol_offset=0x32 #2bytes
pid_offset=0x148 #4bytes
elif is_2003():
Next_offset=0
localIP_offset=0x30 #4bytes
LocalPort_offset=0x34#2bytes
Protocol_offset=0x36 #2bytes
pid_offset=0x14c #4bytes
print 'local remote protocol pid'
for i in xrange(AddrObjTableSize):
obj=pykd.ptrPtr(AddrObjTable+i*g_mwordsize)
while obj!=0:
LocalIP=pykd.ptrMWord(obj+localIP_offset)
LocalPort=pykd.ptrWord(obj+LocalPort_offset)
LocalPort=socket.htons(LocalPort)
Protocol=pykd.ptrWord(obj+Protocol_offset)
pid=pykd.ptrMWord(obj+pid_offset)
Protocol=g_protocols.get(Protocol)
print '%16s:%5d *.* %10s %d' % (socket.inet_ntoa(struct.pack('I', LocalIP)), LocalPort, Protocol, pid)
obj=pykd.ptrPtr(obj+Next_offset)
print '='*20
TCBTable=pykd.getOffset('tcpip!TCBTable')
TCBTable=pykd.ptrPtr(TCBTable)
MaxHashTableSize=pykd.getOffset('tcpip!MaxHashTableSize')
MaxHashTableSize=pykd.ptrPtr(MaxHashTableSize)
print 'TCBTable:%x MaxHashTableSize:%d' % (TCBTable, MaxHashTableSize)
Next_offset=0
RemoteIP_offset=0x0c#4bytes
LocalIP_offset=0x10#4bytes
RemotePort_offset=0x14#2bytes
LocalPort_offset=0x16 #2bytes
pid_offset=0x18 #4bytes
print 'local remote protocol pid'
for i in xrange(MaxHashTableSize):
obj=pykd.ptrPtr(TCBTable+i*g_mwordsize)
while obj!=0:
RemoteIP=pykd.ptrMWord(obj+RemoteIP_offset)
LocalIP=pykd.ptrMWord(obj+LocalIP_offset)
RemotePort=pykd.ptrWord(obj+RemotePort_offset)
RemotePort=socket.htons(RemotePort)
LocalPort=pykd.ptrWord(obj+LocalPort_offset)
LocalPort=socket.htons(LocalPort)
pid=pykd.ptrMWord(obj+pid_offset)
print '%16s:%5d %16s:%5d TCP %d' % (socket.inet_ntoa(struct.pack('I', LocalIP)), LocalPort, socket.inet_ntoa(struct.pack('I', RemoteIP)), RemotePort, pid)
obj=pykd.ptrPtr(obj+Next_offset)
else:
print 'no support'
except Exception, err:
print err
if not fl:
raise Exception("%s not exists, have you installed the latest windbg?" % extdirpath)
dirpath = fl[0]
l = os.listdir(dirpath)
for i in l:
filepath = os.path.join(dirpath, i)
if i in default_exts:
print "load", filepath
pykd.dbgCommand(".load %s" % filepath)
print "load extensions ok"
nt = pykd.module("nt")
g_kernelsize = int(nt.size())
g_kernelbase = int(nt.begin())
module_entry = pykd.ptrMWord(pykd.getOffset("nt!PsLoadedModuleList"))
module_entry = pykd.typedVar("nt!_LDR_DATA_TABLE_ENTRY", module_entry)
kernelpath = pykd.loadUnicodeString(module_entry.FullDllName)
name = os.path.basename(kernelpath)
g_kernelpath = os.path.join(g_system32dir, name)
if not os.path.exists(g_kernelpath):
raise Exception("can't find %s" % g_kernelpath)
imagename = nt.image()
kernelbasepath = os.path.join(g_system32dir, imagename)
import shutil
if not os.path.exists(kernelbasepath):
shutil.copy(g_kernelpath, kernelbasepath)
g_currentprocess = pykd.typedVar("nt!_EPROCESS", pykd.getCurrentProcess())
print "current process:%x" % g_currentprocess.getAddress()
def listSocket():
try:
r = pykd.dbgCommand('.reload tcpip.sys')
if is_2000():
print 'no support'
elif is_xp() or is_2003():
AddrObjTable = pykd.getOffset('tcpip!AddrObjTable')
AddrObjTable = pykd.ptrPtr(AddrObjTable)
AddrObjTableSize = pykd.getOffset('tcpip!AddrObjTableSize')
AddrObjTableSize = pykd.ptrPtr(AddrObjTableSize)
print '=' * 20
print 'AddrObjTable:%x AddrObjTableSize:%d' % (AddrObjTable,
AddrObjTableSize)
if pykd.is64bitSystem():
Next_offset = 0
localIP_offset = 0x58 #4bytes
LocalPort_offset = 0x5c #2bytes
Protocol_offset = 0x5e #2bytes
pid_offset = 0x238 #4bytes
else:
if is_xp():
Next_offset = 0
localIP_offset = 0x2c #4bytes
LocalPort_offset = 0x30 #2bytes
Protocol_offset = 0x32 #2bytes
pid_offset = 0x148 #4bytes
elif is_2003():
Next_offset = 0
localIP_offset = 0x30 #4bytes
LocalPort_offset = 0x34 #2bytes
Protocol_offset = 0x36 #2bytes
pid_offset = 0x14c #4bytes
print 'local remote protocol pid'
for i in xrange(AddrObjTableSize):
obj = pykd.ptrPtr(AddrObjTable + i * g_mwordsize)
while obj != 0:
LocalIP = pykd.ptrMWord(obj + localIP_offset)
LocalPort = pykd.ptrWord(obj + LocalPort_offset)
LocalPort = socket.htons(LocalPort)
Protocol = pykd.ptrWord(obj + Protocol_offset)
pid = pykd.ptrMWord(obj + pid_offset)
Protocol = g_protocols.get(Protocol)
print '%16s:%5d *.* %10s %d' % (socket.inet_ntoa(
struct.pack('I', LocalIP)), LocalPort, Protocol, pid)
obj = pykd.ptrPtr(obj + Next_offset)
print '=' * 20
TCBTable = pykd.getOffset('tcpip!TCBTable')
TCBTable = pykd.ptrPtr(TCBTable)
MaxHashTableSize = pykd.getOffset('tcpip!MaxHashTableSize')
MaxHashTableSize = pykd.ptrPtr(MaxHashTableSize)
print 'TCBTable:%x MaxHashTableSize:%d' % (TCBTable,
MaxHashTableSize)
Next_offset = 0
RemoteIP_offset = 0x0c #4bytes
LocalIP_offset = 0x10 #4bytes
RemotePort_offset = 0x14 #2bytes
LocalPort_offset = 0x16 #2bytes
pid_offset = 0x18 #4bytes
print 'local remote protocol pid'
for i in xrange(MaxHashTableSize):
obj = pykd.ptrPtr(TCBTable + i * g_mwordsize)
while obj != 0:
RemoteIP = pykd.ptrMWord(obj + RemoteIP_offset)
LocalIP = pykd.ptrMWord(obj + LocalIP_offset)
RemotePort = pykd.ptrWord(obj + RemotePort_offset)
RemotePort = socket.htons(RemotePort)
LocalPort = pykd.ptrWord(obj + LocalPort_offset)
LocalPort = socket.htons(LocalPort)
pid = pykd.ptrMWord(obj + pid_offset)
print '%16s:%5d %16s:%5d TCP %d' % (
socket.inet_ntoa(struct.pack('I', LocalIP)), LocalPort,
socket.inet_ntoa(struct.pack(
'I', RemoteIP)), RemotePort, pid)
obj = pykd.ptrPtr(obj + Next_offset)
else:
print 'no support'
except Exception, err:
print err