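def inspectSSDT():
    """Compare the live SSDT against the on-disk kernel image and report hooked entries.

    Reads nt!KeServiceDescriptorTable from the debuggee, finds the same table inside the
    kernel file at g_kernelpath through its RVA, rebases every on-disk entry to
    g_kernelbase and prints each entry whose in-memory value differs from the rebased
    on-disk value. Uses the module globals g_kernelbase, g_kernelpath and g_mwordsize.

    Raises:
        Exception: if the kernel file is not a PE image or is too short to hold the table.
    """
    kernelbase = g_kernelbase
    KeServiceDescriptorTable = pykd.getOffset('nt!KeServiceDescriptorTable')
    KiServiceTable = pykd.ptrPtr(KeServiceDescriptorTable)
    # The service count lives two machine words past the descriptor start.
    serviceCount = pykd.ptrMWord(KeServiceDescriptorTable + 2 * g_mwordsize)
    print('nt!KeServiceDescriptorTable:0x%x' % KeServiceDescriptorTable)
    print('nt!KiServiceTable:0x%x' % KiServiceTable)
    print('serviceCount:0x%x(%d)' % (serviceCount, serviceCount))
    # NOTE(review): every entry is read as an absolute pointer of g_mwordsize bytes;
    # confirm that matches the target's table layout before trusting a "hooked" verdict.
    ssdttable = pykd.loadPtrs(KiServiceTable, serviceCount)
    table_rva = KiServiceTable - kernelbase
    print('KiServiceTable rva:0x%x' % table_rva)

    with open(g_kernelpath, 'rb') as f:
        filedata = f.read()
    pe = pefile.PE(data=filedata, fast_load=True)
    if pe.DOS_HEADER.e_magic != 0x5A4D or pe.NT_HEADERS.Signature != 0x4550:
        raise Exception("%s is not a pe file" % g_kernelpath)
    table_fileoffset = pe.get_offset_from_rva(table_rva)
    print('KiServiceTable file offset:0x%x' % table_fileoffset)

    table_size = g_mwordsize * serviceCount
    d = filedata[table_fileoffset:table_fileoffset + table_size]
    if len(d) < table_size:
        raise Exception("%s is too short to hold the service table" % g_kernelpath)

    # Delta from the file's preferred ImageBase to where the kernel is actually loaded.
    rebase_delta = kernelbase - pykd.addr64(pe.OPTIONAL_HEADER.ImageBase)
    number = 0
    for i in range(serviceCount):
        raw = d[i * g_mwordsize:(i + 1) * g_mwordsize]
        # Entries are little-endian: reverse the bytes before hex-decoding them.
        source = pykd.addr64(int(binascii.b2a_hex(raw[::-1]), 16)) + rebase_delta
        symbolname = pykd.findSymbol(source)
        current = ssdttable[i]
        if source == current:
            print('source:0x%x current:0x%x %s' % (source, current, symbolname))
        else:
            hooksymbolname = pykd.findSymbol(current)
            print('source:0x%x %s <-> current:0x%x %s hooked!!!!!!!'
                  % (source, symbolname, current, hooksymbolname))
            number += 1
    print('hooked function number: %s' % number)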
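def inspectKernelTimer():
    """List kernel timer DPC routines and flag DPC objects that lie in user space.

    Runs '.reload' and then '!timer', parses the 'List Timer' section of the output and,
    for each '(DPC @ <addr>)' entry, resolves the DPC's DeferredRoutine to a symbol. A DPC
    at or below mmhighestuseraddress (module global) is printed with '!!!!!!!!' instead.
    Failures are printed as a traceback and otherwise ignored: this is a best-effort scan.
    """
    try:
        pykd.dbgCommand('.reload;')
        output = pykd.dbgCommand(r'!timer')
        marker = '(DPC @ '
        in_list = False
        idx = 0
        for line in output.splitlines():
            line = line.strip()
            if line.startswith('List Timer'):
                in_list = True
                continue
            if not in_list:
                continue
            pos = line.find(marker)
            if pos == -1:
                continue
            endpos = line.find(')', pos)
            if endpos == -1:
                # Unterminated entry: report it instead of slicing off the last character.
                print('%s (unparsable DPC entry)' % line)
                continue
            dpc = pykd.addr64(int(line[pos + len(marker):endpos], 16))
            if dpc <= int(mmhighestuseraddress):
                print('%s !!!!!!!!' % line)
            else:
                dpcobj = pykd.typedVar('nt!_KDPC', dpc)
                symbolname = pykd.findSymbol(dpcobj.DeferredRoutine)
                print('%d dpc:%x timerfunc:%x %s'
                      % (idx, int(dpc), int(dpcobj.DeferredRoutine), symbolname))
            idx += 1
    except Exception:
        print(traceback.format_exc())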
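def _timer_line_dpc(line):
    """Return the DPC address embedded in a '!timer' line as '(DPC @ <hex>)', else None.

    Returns None both when the marker is absent and when the closing ')' is missing,
    so a truncated line is skipped rather than mis-parsed.
    """
    marker = '(DPC @ '
    pos = line.find(marker)
    if pos == -1:
        return None
    endpos = line.find(')', pos)
    if endpos == -1:
        return None
    return pykd.addr64(int(line[pos + len(marker):endpos], 16))


def inspectKernelTimer():
    """Walk the kernel timer list and print each timer's DPC routine with its symbol.

    Reloads symbols, runs '!timer' and only looks at lines after the 'List Timer' header.
    A DPC object at or below mmhighestuseraddress (module global) is flagged with
    '!!!!!!!!' since a DPC should not live in user-mode memory. Any exception is printed
    as a traceback and swallowed (best-effort scan).
    """
    try:
        pykd.dbgCommand('.reload;')
        lines = pykd.dbgCommand(r'!timer').splitlines()
        in_list = False
        idx = 0
        for line in lines:
            line = line.strip()
            if line.startswith('List Timer'):
                in_list = True
                continue
            if not in_list:
                continue
            dpc = _timer_line_dpc(line)
            if dpc is None:
                continue
            if dpc <= int(mmhighestuseraddress):
                print('%s !!!!!!!!' % line)
            else:
                dpcobj = pykd.typedVar('nt!_KDPC', dpc)
                routine = dpcobj.DeferredRoutine
                print('%d dpc:%x timerfunc:%x %s'
                      % (idx, int(dpc), int(routine), pykd.findSymbol(routine)))
            idx += 1
    except Exception:
        print(traceback.format_exc())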
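def inspectSSDT():
    """Detect SSDT hooks by diffing nt!KiServiceTable in memory against the kernel file.

    The live table is read from the debuggee; the pristine table is read from the kernel
    image at g_kernelpath at the file offset matching the table's RVA. Each on-disk
    entry is rebased from the file's ImageBase to g_kernelbase and compared with the
    live entry. Uses module globals g_kernelbase, g_kernelpath and g_mwordsize.

    Raises:
        Exception: if the kernel file is not a PE image or is too short for the table.
    """
    kernelbase = g_kernelbase
    KeServiceDescriptorTable = pykd.getOffset('nt!KeServiceDescriptorTable')
    KiServiceTable = pykd.ptrPtr(KeServiceDescriptorTable)
    # Service count is the third machine word of the descriptor.
    serviceCount = pykd.ptrMWord(KeServiceDescriptorTable + 2 * g_mwordsize)
    print('nt!KeServiceDescriptorTable:0x%x' % KeServiceDescriptorTable)
    print('nt!KiServiceTable:0x%x' % KiServiceTable)
    print('serviceCount:0x%x(%d)' % (serviceCount, serviceCount))
    # NOTE(review): entries are treated as absolute pointers of g_mwordsize bytes;
    # verify this against the target's table layout before relying on the result.
    ssdttable = pykd.loadPtrs(KiServiceTable, serviceCount)
    table_rva = KiServiceTable - kernelbase
    print('KiServiceTable rva:0x%x' % table_rva)

    with open(g_kernelpath, 'rb') as image:
        filedata = image.read()
    pe = pefile.PE(data=filedata, fast_load=True)
    if pe.DOS_HEADER.e_magic != 0x5A4D or pe.NT_HEADERS.Signature != 0x4550:
        raise Exception("%s is not a pe file" % g_kernelpath)
    table_fileoffset = pe.get_offset_from_rva(table_rva)
    print('KiServiceTable file offset:0x%x' % table_fileoffset)

    table_bytes = g_mwordsize * serviceCount
    d = filedata[table_fileoffset:table_fileoffset + table_bytes]
    if len(d) < table_bytes:
        raise Exception("%s is too short to hold the service table" % g_kernelpath)

    file_imagebase = pykd.addr64(pe.OPTIONAL_HEADER.ImageBase)
    number = 0
    for i in range(serviceCount):
        entry = d[i * g_mwordsize:(i + 1) * g_mwordsize]
        # Little-endian entry: reverse bytes, hex-decode, then rebase to the live kernel.
        file_value = pykd.addr64(int(binascii.b2a_hex(entry[::-1]), 16))
        source = file_value - file_imagebase + kernelbase
        symbolname = pykd.findSymbol(source)
        current = ssdttable[i]
        if source == current:
            print('source:0x%x current:0x%x %s' % (source, current, symbolname))
        else:
            hooksymbolname = pykd.findSymbol(current)
            print('source:0x%x %s <-> current:0x%x %s hooked!!!!!!!'
                  % (source, symbolname, current, hooksymbolname))
            number += 1
    print('hooked function number: %s' % number)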
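def inspectShadowSSDT():
    """Compare the live shadow SSDT (win32k!W32pServiceTable) with the on-disk win32k.sys.

    Takes the win32k base from 'dd win32k L1', reads W32pServiceTable and
    W32pServiceLimit from the debuggee, locates the table in
    <windir>\\system32\\win32k.sys through its RVA, rebases each on-disk entry to the
    live base and prints every entry that differs. Uses the module global g_mwordsize.

    Raises:
        Exception: if win32k.sys is missing, is not a PE image, or is too short for the table.
    """
    # 'dd' prints the address first; on x64 WinDbg writes it with a '`' separator.
    r = pykd.dbgCommand('dd win32k L1').split(' ')
    win32kbase = pykd.addr64(int(r[0].replace('`', ''), 16))
    print('win32k.sys baseaddr:0x%x' % win32kbase)
    W32pServiceTable = pykd.getOffset('win32k!W32pServiceTable')
    print('win32k!W32pServiceTable:0x%x' % W32pServiceTable)
    W32pServiceLimit = pykd.ptrMWord(pykd.getOffset('win32k!W32pServiceLimit'))
    print('win32k!W32pServiceLimit:0x%x(%d)' % (W32pServiceLimit, W32pServiceLimit))
    shadowssdttable = pykd.loadPtrs(W32pServiceTable, W32pServiceLimit)
    table_rva = W32pServiceTable - win32kbase
    print('W32pServiceTable rva:0x%x' % table_rva)

    win32kname = 'win32k.sys'
    windowsdir = win32api.GetWindowsDirectory()
    filepath = os.path.join(windowsdir, 'system32', win32kname)
    if not os.path.exists(filepath):
        raise Exception('%s not exists!' % win32kname)
    print('win32k.sys path: %s' % filepath)
    with open(filepath, 'rb') as f:
        filedata = f.read()
    pe = pefile.PE(data=filedata, fast_load=True)
    if pe.DOS_HEADER.e_magic != 0x5A4D or pe.NT_HEADERS.Signature != 0x4550:
        raise Exception("%s is not a pe file" % filepath)
    table_fileoffset = pe.get_offset_from_rva(table_rva)
    print('W32pServiceTable file offset:0x%x' % table_fileoffset)

    table_size = g_mwordsize * W32pServiceLimit
    d = filedata[table_fileoffset:table_fileoffset + table_size]
    if len(d) < table_size:
        raise Exception("%s is too short to hold the service table" % filepath)

    # Delta from the file's preferred ImageBase to where win32k is actually loaded.
    rebase_delta = win32kbase - pykd.addr64(pe.OPTIONAL_HEADER.ImageBase)
    number = 0
    for i in range(W32pServiceLimit):
        raw = d[i * g_mwordsize:(i + 1) * g_mwordsize]
        # Little-endian entry: reverse the bytes before hex-decoding.
        source = pykd.addr64(int(binascii.b2a_hex(raw[::-1]), 16)) + rebase_delta
        symbolname = pykd.findSymbol(source)
        current = shadowssdttable[i]
        if source == current:
            print('source:0x%x current:0x%x %s' % (source, current, symbolname))
        else:
            hooksymbolname = pykd.findSymbol(current)
            print('source:0x%x %s <-> current:0x%x %s hooked!!!!!!!'
                  % (source, symbolname, current, hooksymbolname))
            number += 1
    print('hooked function number: %s' % number)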
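def inspectShadowSSDT():
    """Detect shadow SSDT hooks by diffing win32k!W32pServiceTable against win32k.sys on disk.

    The live table and its limit are read from the debuggee; the pristine table is read
    from <windir>\\system32\\win32k.sys at the file offset matching the table's RVA. Each
    on-disk entry is rebased from the file's ImageBase to the live win32k base and
    compared with the live entry. Uses the module global g_mwordsize.

    Raises:
        Exception: if win32k.sys is missing, is not a PE image, or is too short for the table.
    """
    # First token of 'dd win32k L1' is the module address; strip the x64 '`' separator.
    tokens = pykd.dbgCommand('dd win32k L1').split(' ')
    win32kbase = pykd.addr64(int(tokens[0].replace('`', ''), 16))
    print('win32k.sys baseaddr:0x%x' % win32kbase)
    W32pServiceTable = pykd.getOffset('win32k!W32pServiceTable')
    print('win32k!W32pServiceTable:0x%x' % W32pServiceTable)
    W32pServiceLimit = pykd.ptrMWord(pykd.getOffset('win32k!W32pServiceLimit'))
    print('win32k!W32pServiceLimit:0x%x(%d)' % (W32pServiceLimit, W32pServiceLimit))
    shadowssdttable = pykd.loadPtrs(W32pServiceTable, W32pServiceLimit)
    table_rva = W32pServiceTable - win32kbase
    print('W32pServiceTable rva:0x%x' % table_rva)

    win32kname = 'win32k.sys'
    filepath = os.path.join(win32api.GetWindowsDirectory(), 'system32', win32kname)
    if not os.path.exists(filepath):
        raise Exception('%s not exists!' % win32kname)
    print('win32k.sys path: %s' % filepath)
    with open(filepath, 'rb') as image:
        filedata = image.read()
    pe = pefile.PE(data=filedata, fast_load=True)
    if pe.DOS_HEADER.e_magic != 0x5A4D or pe.NT_HEADERS.Signature != 0x4550:
        raise Exception("%s is not a pe file" % filepath)
    table_fileoffset = pe.get_offset_from_rva(table_rva)
    print('W32pServiceTable file offset:0x%x' % table_fileoffset)

    table_bytes = g_mwordsize * W32pServiceLimit
    d = filedata[table_fileoffset:table_fileoffset + table_bytes]
    if len(d) < table_bytes:
        raise Exception("%s is too short to hold the service table" % filepath)

    file_imagebase = pykd.addr64(pe.OPTIONAL_HEADER.ImageBase)
    number = 0
    for i in range(W32pServiceLimit):
        entry = d[i * g_mwordsize:(i + 1) * g_mwordsize]
        # Little-endian entry: reverse bytes, hex-decode, then rebase to the live module.
        file_value = pykd.addr64(int(binascii.b2a_hex(entry[::-1]), 16))
        source = file_value - file_imagebase + win32kbase
        symbolname = pykd.findSymbol(source)
        current = shadowssdttable[i]
        if source == current:
            print('source:0x%x current:0x%x %s' % (source, current, symbolname))
        else:
            hooksymbolname = pykd.findSymbol(current)
            print('source:0x%x %s <-> current:0x%x %s hooked!!!!!!!'
                  % (source, symbolname, current, hooksymbolname))
            number += 1
    print('hooked function number: %s' % number)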
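dprintln( "!py avl [addr] (type)")
if __name__ == "__main__":
    # Usage: !py avl [-a] <addr> [type]
    # -a additionally dumps every entry as <type>; it may appear anywhere in argv.
    # Work on a copy so sys.argv is left untouched for anything else that reads it.
    args = list(sys.argv)
    showAll = '-a' in args
    if showAll:
        args.remove('-a')
    # Check the count after dropping '-a', so '!py avl -a' alone still shows usage.
    if len(args) < 2:
        printUsage()
        sys.exit(0)
    items = getAVLTable(addr64(expr(args[1])))
    if len(args) == 2:
        # No type given: a raw 'db' link per entry, with or without -a.
        dprintln("\n".join(['<link cmd="db 0x%x">db 0x%x</link>' % (entry, entry)
                            for entry in items]), True)
    else:
        typename = args[2]
        if showAll:
            ti = typeInfo(typename)
            dprintln("\n".join(['<link cmd="dt %s 0x%x">dt %s</link>\n%s'
                                % (typename, entry, typename, typedVar(ti, entry))
                                for entry in items]), True)
        else:
            dprintln("\n".join(['<link cmd="dt %s 0x%x">dt %s</link>'
                                % (typename, entry, typename)
                                for entry in items]), True)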
def addr64(addr):
    """Return *addr* normalized through pykd.addr64 (module-level shorthand)."""
    normalized = pykd.addr64(addr)
    return normalized