def print_nline_ptrs(self, start_addr, line_num): for i in range(line_num): pykd.dprint("{:02d}:{:04x}| ".format(i, i * PTRSIZE)) addr = start_addr + i * PTRSIZE if not pykd.isValid(addr): print_err("Invalid memory address: {:#x}".format(addr)) break else: self.print_ptrs(addr)
def print_general_regs(self): for reg_name in self.context.regs_name: reg_data = self.context.regs[reg_name] reg_str = '{:3}: '.format(reg_name.upper()) reg_color = self.set_reg_color(reg_name, color_changed=color.red, color_unchanged=color.lime) pykd.dprint(reg_color(reg_str), dml=True) if pykd.isValid(reg_data): # reg_data is a pointer self.print_ptrs(reg_data) else: pykd.dprintln("{:#x}".format(reg_data))
def print_seg_regs(self): first_print = True for reg_name in self.context.seg_regs_name: reg_data = self.context.regs[reg_name] reg_str = '{:2}={:#x}'.format(reg_name.upper(), reg_data) reg_color = self.set_reg_color(reg_name, color_changed=color.red, color_unchanged=color.green) if first_print: pykd.dprint(reg_color(reg_str), dml=True) first_print = False else: pykd.dprint(" | " + reg_color(reg_str), dml=True) pykd.dprintln("")
def printSample(sampleName): try: packageName, moduleName = sampleName.split(".") module = __import__(name=sampleName, fromlist=moduleName) fileName = os.path.dirname(module.__dict__["__file__"]) fileName = os.path.join(fileName, moduleName + ".py") with open(fileName) as f: for line in f: dprint(line) except ImportError: dprintln("import error") pass dprintln("") dprintln("<link cmd=\"!py samples\">Sample list</link>", True) dprintln("")
def dumpMemory(self, dumpPath, addr, size): lineNumber = 0x40 mapSize = 0x1000 cmdDd = "dd %x L%x" regDd = "[0-9a-fA-F]+ +[0-9a-fA-F]+ +[0-9a-fA-F]+ +[0-9a-fA-F]+ +[0-9a-fA-F]+" if size <= 0: self.winBr.dbiprintf("[E] Invalid dump size : 0x%08x" % size) return pykd.dprint("[+] Dump 0x%08x ( 0x%08x )" % (addr, size)) dSize = size / mapSize if size % mapSize != 0: dSize = dSize + 1 dSize = dSize * mapSize fileName = "dump_0x%x (0x%x).bin" % (addr, dSize) self.lDumpNames.append(fileName) fullPath = dumpPath + fileName f = open(fullPath, "wb") fullLoop = dSize / (lineNumber * 4) ta = addr for l in range(fullLoop): #self.winBr.dbiprintf(" -> 0x%08x" % ta) pykd.dprint(".") cmd = cmdDd % (ta, lineNumber) cmdr = pykd.dbgCommand(cmd) #self.winBr.dbiprintf(cmdr) ta = ta + (lineNumber * 4) bl = re.findall(regDd, cmdr) for i in bl: #self.winBr.dbiprintf(i) rel = i.split() f.write(struct.pack("<L", int(rel[1], 16))) f.write(struct.pack("<L", int(rel[2], 16))) f.write(struct.pack("<L", int(rel[3], 16))) f.write(struct.pack("<L", int(rel[4], 16))) self.winBr.dbiprintf("") f.close() self.winBr.dbiprintf(" -> %s" % fullPath)
import pykd # Parsing the ProcessList with pykd if __name__ == "__main__": if not pykd.isWindbgExt(): print("Script cannot be launched outside Windbg") quit(0) pActiveProcessList = pykd.module("nt").PsActiveProcessHead # pActiveProcessList = pykd.getOffset("nt!PsActiveProcessHead") -> slower than using module("nt")... processList = pykd.typedVarList(pActiveProcessList, "nt!_EPROCESS", "ActiveProcessLinks") for i, process in enumerate(processList): pykd.dprint("Process " + str(i) + ":") name = pykd.loadCStr(process.ImageFileName) print(name)
def searchIatCandidate(self, addr, size): lineNumber = 0x40 mapSize = 0x1000 cmdDd = "dd %x L%x" regDd = "[0-9a-fA-F]+ +[0-9a-fA-F]+ +[0-9a-fA-F]+ +[0-9a-fA-F]+ +[0-9a-fA-F]+" dictCandIat = {} baseAddr = 0 nullCnt = 0 if size <= 0: self.dbiprintf("[E] Invalid dump size : 0x%08x" % size, False) return types.NoneType self.dbiprintf("[+] Searching IAT candidates in 0x%08x ( 0x%08x )" % (addr, size)) dSize = size / mapSize if size % mapSize != 0: dSize = dSize + 1 dSize = dSize * mapSize fullLoop = dSize / (lineNumber * 4) ta = addr for l in range(fullLoop): pykd.dprint(".") cmd = cmdDd % (ta, lineNumber) cmdr = pykd.dbgCommand(cmd) ta = ta + (lineNumber * 4) bl = re.findall(regDd, cmdr) for i in bl: rel = i.split() for j in range(1, len(rel)): valIn = int(rel[j], 16) if valIn == 0: if baseAddr != 0: if nullCnt > 0: nullCnt = 0 baseAddr = 0 else: nullCnt = nullCnt + 1 dictCandIat[ baseAddr] = dictCandIat[baseAddr] + 1 continue nullCnt = 0 sym = self.getSymbolFromAddr(valIn, True) if sym != "": if baseAddr == 0: baseAddr = int(rel[0], 16) + ((j - 1) * 4) dictCandIat[baseAddr] = 1 else: dictCandIat[baseAddr] = dictCandIat[baseAddr] + 1 self.dbiprintf("") maxCnt = -1 maxAddr = 0 if len(dictCandIat) == 0: return types.NoneType self.dbiprintf("[+] Candidates of IAT") for i in dictCandIat.keys(): self.dbiprintf(" - 0x%08x : %d" % (i, dictCandIat[i])) if maxCnt < dictCandIat[i]: maxCnt = dictCandIat[i] maxAddr = i self.dbiprintf(" -> Longest hit : 0x%08x" % maxAddr) self.dbiprintf("") return [maxAddr, maxCnt]