Exemplo n.º 1
0
def inspectSSDT():
    kernelbase=g_kernelbase
    KeServiceDescriptorTable=pykd.getOffset('nt!KeServiceDescriptorTable')    
    KiServiceTable=pykd.ptrPtr(KeServiceDescriptorTable)
    serviceCount=pykd.ptrMWord(KeServiceDescriptorTable+2*g_mwordsize)
    print 'nt!KeServiceDescriptorTable:0x%x' % KeServiceDescriptorTable
    print 'nt!KiServiceTable:0x%x' % KiServiceTable
    print 'serviceCount:0x%x(%d)' % (serviceCount, serviceCount)
    ssdttable=pykd.loadPtrs(KiServiceTable, serviceCount)
    
    table_rva=(KiServiceTable-kernelbase)
    print 'KiServiceTable rva:0x%x' % table_rva
    
    filedata=open(g_kernelpath, 'rb').read()
    pe = pefile.PE(data=filedata, fast_load=True)
    if pe.DOS_HEADER.e_magic!=0X5A4D or pe.NT_HEADERS.Signature!=0x4550:
        raise Exception("%s is not a pe file" % filepath)

    table_fileoffset=pe.get_offset_from_rva(table_rva)
    print 'KiServiceTable file offset:0x%x' % table_fileoffset
    d=filedata[table_fileoffset:table_fileoffset+g_mwordsize*serviceCount]
    number=0
    for i in xrange(serviceCount):
        source=binascii.b2a_hex(d[i*g_mwordsize:(i+1)*g_mwordsize][::-1])
        source=pykd.addr64(int(source, 16))-pykd.addr64(pe.OPTIONAL_HEADER.ImageBase)+kernelbase
        symbolname=pykd.findSymbol(source)
        current=ssdttable[i]
        if source==current:
            print 'source:0x%x current:0x%x %s' % (source, current, symbolname)
        else:
            hooksymbolname=pykd.findSymbol(current)
            print 'source:0x%x %s <-> current:0x%x %s hooked!!!!!!!' % (source, symbolname, current, hooksymbolname)
            number+=1
    print 'hooked function number:', number
Exemplo n.º 2
0
def inspectKernelTimer():
    try:
        cmdline = '.reload;'
        r = pykd.dbgCommand(cmdline)
        cmdline = r'!timer'
        r = pykd.dbgCommand(cmdline)
        r = r.splitlines()
        start = 0
        idx = 0
        for i in r:
            i = i.strip()
            if i.startswith('List Timer'):
                start = 1
                continue

            if start != 1:
                continue

            data = i.strip()
            pos = data.find('(DPC @ ')
            if pos != -1:
                endpos = data.find(')', pos)
                data = data[pos + len('(DPC @ '):endpos]
                dpc = pykd.addr64(int(data, 16))
                if dpc <= int(mmhighestuseraddress):
                    print i, '!!!!!!!!'
                else:
                    dpcobj = pykd.typedVar('nt!_KDPC', dpc)
                    symbolname = pykd.findSymbol(dpcobj.DeferredRoutine)
                    print '%d dpc:%x timerfunc:%x %s' % (
                        idx, int(dpc), int(dpcobj.DeferredRoutine), symbolname)
                idx += 1
    except Exception, err:
        print traceback.format_exc()
Exemplo n.º 3
0
def inspectKernelTimer():
    try:
        cmdline='.reload;'
        r=pykd.dbgCommand(cmdline)
        cmdline=r'!timer'
        r=pykd.dbgCommand(cmdline)
        r=r.splitlines()
        start=0
        idx=0
        for i in r:   
            i=i.strip() 
            if i.startswith('List Timer'):
                start=1
                continue
            
            if start!=1:
                continue
            
            data=i.strip()
            pos=data.find('(DPC @ ')
            if pos!=-1:
                endpos=data.find(')', pos)
                data=data[pos+len('(DPC @ '):endpos]
                dpc=pykd.addr64(int(data, 16))
                if dpc<=int(mmhighestuseraddress):
                    print i, '!!!!!!!!'
                else:
                    dpcobj=pykd.typedVar('nt!_KDPC', dpc)
                    symbolname=pykd.findSymbol(dpcobj.DeferredRoutine)
                    print '%d dpc:%x timerfunc:%x %s' % (idx, int(dpc), int(dpcobj.DeferredRoutine), symbolname)
                idx+=1
    except Exception, err:
        print traceback.format_exc()     
Exemplo n.º 4
0
def inspectSSDT():
    kernelbase = g_kernelbase
    KeServiceDescriptorTable = pykd.getOffset('nt!KeServiceDescriptorTable')
    KiServiceTable = pykd.ptrPtr(KeServiceDescriptorTable)
    serviceCount = pykd.ptrMWord(KeServiceDescriptorTable + 2 * g_mwordsize)
    print 'nt!KeServiceDescriptorTable:0x%x' % KeServiceDescriptorTable
    print 'nt!KiServiceTable:0x%x' % KiServiceTable
    print 'serviceCount:0x%x(%d)' % (serviceCount, serviceCount)
    ssdttable = pykd.loadPtrs(KiServiceTable, serviceCount)

    table_rva = (KiServiceTable - kernelbase)
    print 'KiServiceTable rva:0x%x' % table_rva

    filedata = open(g_kernelpath, 'rb').read()
    pe = pefile.PE(data=filedata, fast_load=True)
    if pe.DOS_HEADER.e_magic != 0X5A4D or pe.NT_HEADERS.Signature != 0x4550:
        raise Exception("%s is not a pe file" % filepath)

    table_fileoffset = pe.get_offset_from_rva(table_rva)
    print 'KiServiceTable file offset:0x%x' % table_fileoffset
    d = filedata[table_fileoffset:table_fileoffset +
                 g_mwordsize * serviceCount]
    number = 0
    for i in xrange(serviceCount):
        source = binascii.b2a_hex(d[i * g_mwordsize:(i + 1) *
                                    g_mwordsize][::-1])
        source = pykd.addr64(int(source, 16)) - pykd.addr64(
            pe.OPTIONAL_HEADER.ImageBase) + kernelbase
        symbolname = pykd.findSymbol(source)
        current = ssdttable[i]
        if source == current:
            print 'source:0x%x current:0x%x %s' % (source, current, symbolname)
        else:
            hooksymbolname = pykd.findSymbol(current)
            print 'source:0x%x %s <-> current:0x%x %s hooked!!!!!!!' % (
                source, symbolname, current, hooksymbolname)
            number += 1
    print 'hooked function number:', number
Exemplo n.º 5
0
def inspectShadowSSDT():
    r = pykd.dbgCommand('dd win32k L1').split(' ')
    win32kbase = pykd.addr64(int(r[0], 16))
    print 'wink32.sys baseaddr:0x%x' % win32kbase

    W32pServiceTable = pykd.getOffset('win32k!W32pServiceTable')
    print 'win32k!W32pServiceTable:0x%x' % W32pServiceTable

    W32pServiceLimit = pykd.getOffset('win32k!W32pServiceLimit')
    W32pServiceLimit = pykd.ptrMWord(W32pServiceLimit)
    print 'win32k!W32pServiceLimit:0x%x(%d)' % (W32pServiceLimit,
                                                W32pServiceLimit)
    shadowssdttable = pykd.loadPtrs(W32pServiceTable, W32pServiceLimit)

    table_rva = (W32pServiceTable - win32kbase)
    print 'W32pServiceTable rva:0x%x' % table_rva

    win32kname = 'win32k.sys'
    windowsdir = win32api.GetWindowsDirectory()
    filepath = os.path.join(windowsdir, 'system32', win32kname)
    if not os.path.exists(filepath):
        raise Exception('%s not exists!' % win32kname)

    print 'win32k.sys path:', filepath
    filedata = open(filepath, 'rb').read()
    pe = pefile.PE(data=filedata, fast_load=True)
    if pe.DOS_HEADER.e_magic != 0X5A4D or pe.NT_HEADERS.Signature != 0x4550:
        raise Exception("%s is not a pe file" % filepath)

    table_fileoffset = pe.get_offset_from_rva(table_rva)
    print 'W32pServiceTable file offset:0x%x' % table_fileoffset
    d = filedata[table_fileoffset:table_fileoffset +
                 g_mwordsize * W32pServiceLimit]
    number = 0
    for i in xrange(W32pServiceLimit):
        source = binascii.b2a_hex(d[i * g_mwordsize:(i + 1) *
                                    g_mwordsize][::-1])
        source = int(source, 16) - pe.OPTIONAL_HEADER.ImageBase + win32kbase
        symbolname = pykd.findSymbol(source)
        current = shadowssdttable[i]
        if source == current:
            print 'source:0x%x current:0x%x %s' % (source, current, symbolname)
        else:
            hooksymbolname = pykd.findSymbol(current)
            print 'source:0x%x %s <-> current:0x%x %s hooked!!!!!!!' % (
                source, symbolname, current, hooksymbolname)
            number += 1
    print 'hooked function number:', number
Exemplo n.º 6
0
def inspectShadowSSDT():
    r=pykd.dbgCommand('dd win32k L1').split(' ')
    win32kbase=pykd.addr64(int(r[0],16))
    print 'wink32.sys baseaddr:0x%x' % win32kbase
    
    W32pServiceTable=pykd.getOffset('win32k!W32pServiceTable')
    print 'win32k!W32pServiceTable:0x%x' % W32pServiceTable
        
    W32pServiceLimit=pykd.getOffset('win32k!W32pServiceLimit')
    W32pServiceLimit=pykd.ptrMWord(W32pServiceLimit)
    print 'win32k!W32pServiceLimit:0x%x(%d)' % (W32pServiceLimit, W32pServiceLimit)
    shadowssdttable=pykd.loadPtrs(W32pServiceTable, W32pServiceLimit)
    
    table_rva=(W32pServiceTable-win32kbase)
    print 'W32pServiceTable rva:0x%x' % table_rva
    
    win32kname='win32k.sys'
    windowsdir=win32api.GetWindowsDirectory()
    filepath=os.path.join(windowsdir, 'system32', win32kname)
    if not os.path.exists(filepath):
        raise Exception('%s not exists!' % win32kname)

    print 'win32k.sys path:', filepath
    filedata=open(filepath, 'rb').read()
    pe = pefile.PE(data=filedata, fast_load=True)
    if pe.DOS_HEADER.e_magic!=0X5A4D or pe.NT_HEADERS.Signature!=0x4550:
        raise Exception("%s is not a pe file" % filepath)

    table_fileoffset=pe.get_offset_from_rva(table_rva)
    print 'W32pServiceTable file offset:0x%x' % table_fileoffset
    d=filedata[table_fileoffset:table_fileoffset+g_mwordsize*W32pServiceLimit]
    number=0
    for i in xrange(W32pServiceLimit):
        source=binascii.b2a_hex(d[i*g_mwordsize:(i+1)*g_mwordsize][::-1])
        source=int(source, 16)-pe.OPTIONAL_HEADER.ImageBase+win32kbase
        symbolname=pykd.findSymbol(source)
        current=shadowssdttable[i]
        if source==current:
            print 'source:0x%x current:0x%x %s' % (source, current, symbolname)
        else:
            hooksymbolname=pykd.findSymbol(current)
            print 'source:0x%x %s <-> current:0x%x %s hooked!!!!!!!' % (source, symbolname, current, hooksymbolname)
            number+=1
    print 'hooked function number:', number
Exemplo n.º 7
0
    dprintln( "!py avl [addr] (type)")


if __name__ == "__main__":

    if len( sys.argv ) < 2:
        printUsage()
        quit(0)
   
    showAll = False
    args = sys.argv
    if '-a' in args:
        args.remove('-a')
        showAll = True
        
    items = getAVLTable( addr64( expr( sys.argv[1] ) ) )       
        
    if showAll:
        if len( sys.argv ) == 2:
            dprintln( "\n".join( [ "<link cmd=\"db 0x%x\">db 0x%x</link>" % (  entry, entry ) for entry in items ] ), True )
        else:
            ti = typeInfo(sys.argv[2])
            dprintln( "\n".join( [ "<link cmd=\"dt %s 0x%x\">dt %s</link>\n%s" % ( sys.argv[2], entry, sys.argv[2], typedVar(ti, entry) ) for entry in items ] ), True )  
    
    else:
        if len( sys.argv ) == 2:
            dprintln( "\n".join( [ "<link cmd=\"db 0x%x\">db 0x%x</link>" % (  entry, entry ) for entry in items ] ), True )
        else:
            dprintln( "\n".join( [ "<link cmd=\"dt %s 0x%x\">dt %s</link>" % ( sys.argv[2], entry, sys.argv[2] ) for entry in items ] ), True )
 
Exemplo n.º 8
0
def addr64(addr):
    return pykd.addr64(addr)