def inspectSSDT():
kernelbase=g_kernelbase
KeServiceDescriptorTable=pykd.getOffset('nt!KeServiceDescriptorTable')
KiServiceTable=pykd.ptrPtr(KeServiceDescriptorTable)
serviceCount=pykd.ptrMWord(KeServiceDescriptorTable+2*g_mwordsize)
print 'nt!KeServiceDescriptorTable:0x%x' % KeServiceDescriptorTable
print 'nt!KiServiceTable:0x%x' % KiServiceTable
print 'serviceCount:0x%x(%d)' % (serviceCount, serviceCount)
ssdttable=pykd.loadPtrs(KiServiceTable, serviceCount)
table_rva=(KiServiceTable-kernelbase)
print 'KiServiceTable rva:0x%x' % table_rva
filedata=open(g_kernelpath, 'rb').read()
pe = pefile.PE(data=filedata, fast_load=True)
if pe.DOS_HEADER.e_magic!=0X5A4D or pe.NT_HEADERS.Signature!=0x4550:
raise Exception("%s is not a pe file" % filepath)
table_fileoffset=pe.get_offset_from_rva(table_rva)
print 'KiServiceTable file offset:0x%x' % table_fileoffset
d=filedata[table_fileoffset:table_fileoffset+g_mwordsize*serviceCount]
number=0
for i in xrange(serviceCount):
source=binascii.b2a_hex(d[i*g_mwordsize:(i+1)*g_mwordsize][::-1])
source=pykd.addr64(int(source, 16))-pykd.addr64(pe.OPTIONAL_HEADER.ImageBase)+kernelbase
symbolname=pykd.findSymbol(source)
current=ssdttable[i]
if source==current:
print 'source:0x%x current:0x%x %s' % (source, current, symbolname)
else:
hooksymbolname=pykd.findSymbol(current)
print 'source:0x%x %s <-> current:0x%x %s hooked!!!!!!!' % (source, symbolname, current, hooksymbolname)
number+=1
print 'hooked function number:', number
def dereference(self, pointer, target_id=0):
"""
Recursively dereference a pointer for display
"""
fmt = ('<' if self.get_byte_order() == 'little' else '>') + {2: 'H', 4: 'L', 8: 'Q'}[self.get_addr_size()]
addr = pointer
chain = []
# recursively dereference
for i in range(0, self.max_deref):
try:
[ptr] = pykd.loadPtrs(addr, 1)
if ptr in chain:
break
chain.append(('pointer', addr))
addr = ptr
except:
log.exception("Dereferencing pointer 0x{:X}".format(addr))
break
# get some info for the last pointer
# first try to resolve a symbol context for the address
if len(chain):
p, addr = chain[-1]
output = pykd.findSymbol(addr)
sym = True
try:
# if there's no symbol found, pykd returns a hex string of the address
if int(output, 16) == addr:
sym = False
log.debug("no symbol context")
except:
pass
if sym:
chain.append(('symbol', output.strip()))
else:
log.debug("no symbol context")
mem = pykd.loadBytes(addr, 2)
if mem[0] < 127:
if mem[1] == 0:
a = []
for i in range(0, self.max_string, 2):
mem = pykd.loadBytes(addr + i, 2)
if mem == [0, 0]:
break
a.extend(mem)
output = array.array('B', a).tostring().decode('UTF-16').encode('latin1')
chain.append(('unicode', output))
else:
output = pykd.loadCStr(addr)
chain.append(('string', output))
log.debug("chain: {}".format(chain))
return chain
def dereference(self, pointer, target_id=0):
"""
Recursively dereference a pointer for display
"""
fmt = ('<' if self.get_byte_order() == 'little' else '>') + {2: 'H', 4: 'L', 8: 'Q'}[self.get_addr_size()]
addr = pointer
chain = []
# recursively dereference
for i in range(0, self.max_deref):
try:
[ptr] = pykd.loadPtrs(addr, 1)
if ptr in chain:
break
chain.append(('pointer', addr))
addr = ptr
except:
log.exception("Dereferencing pointer 0x{:X}".format(addr))
break
# get some info for the last pointer
# first try to resolve a symbol context for the address
if len(chain):
p, addr = chain[-1]
output = pykd.findSymbol(addr)
sym = True
try:
# if there's no symbol found, pykd returns a hex string of the address
if int(output, 16) == addr:
sym = False
log.debug("no symbol context")
except:
pass
if sym:
chain.append(('symbol', output.strip()))
else:
log.debug("no symbol context")
mem = pykd.loadBytes(addr, 2)
if mem[0] < 127:
if mem[1] == 0:
a = []
for i in range(0, self.max_string, 2):
mem = pykd.loadBytes(addr + i, 2)
if mem == [0, 0]:
break
a.extend(mem)
output = array.array('B', a).tostring().decode('UTF-16').encode('latin1')
chain.append(('unicode', output))
else:
output = pykd.loadCStr(addr)
chain.append(('string', output))
log.debug("chain: {}".format(chain))
return chain
def smart_dereference(self, addr):
ptr_values, is_cyclic = [addr], False
for _ in xrange(MAX_DEREF):
try:
val = pykd.loadPtrs(addr, 1)[0] & PTRMASK
ptr_values.append(val)
if val in ptr_values[:-1:]: # cyclic dereference
is_cyclic = True
break
else:
addr = val
except pykd.MemoryException: # no more dereference
break
return ptr_values, is_cyclic
def inspectShadowSSDT():
r = pykd.dbgCommand('dd win32k L1').split(' ')
win32kbase = pykd.addr64(int(r[0], 16))
print 'wink32.sys baseaddr:0x%x' % win32kbase
W32pServiceTable = pykd.getOffset('win32k!W32pServiceTable')
print 'win32k!W32pServiceTable:0x%x' % W32pServiceTable
W32pServiceLimit = pykd.getOffset('win32k!W32pServiceLimit')
W32pServiceLimit = pykd.ptrMWord(W32pServiceLimit)
print 'win32k!W32pServiceLimit:0x%x(%d)' % (W32pServiceLimit,
W32pServiceLimit)
shadowssdttable = pykd.loadPtrs(W32pServiceTable, W32pServiceLimit)
table_rva = (W32pServiceTable - win32kbase)
print 'W32pServiceTable rva:0x%x' % table_rva
win32kname = 'win32k.sys'
windowsdir = win32api.GetWindowsDirectory()
filepath = os.path.join(windowsdir, 'system32', win32kname)
if not os.path.exists(filepath):
raise Exception('%s not exists!' % win32kname)
print 'win32k.sys path:', filepath
filedata = open(filepath, 'rb').read()
pe = pefile.PE(data=filedata, fast_load=True)
if pe.DOS_HEADER.e_magic != 0X5A4D or pe.NT_HEADERS.Signature != 0x4550:
raise Exception("%s is not a pe file" % filepath)
table_fileoffset = pe.get_offset_from_rva(table_rva)
print 'W32pServiceTable file offset:0x%x' % table_fileoffset
d = filedata[table_fileoffset:table_fileoffset +
g_mwordsize * W32pServiceLimit]
number = 0
for i in xrange(W32pServiceLimit):
source = binascii.b2a_hex(d[i * g_mwordsize:(i + 1) *
g_mwordsize][::-1])
source = int(source, 16) - pe.OPTIONAL_HEADER.ImageBase + win32kbase
symbolname = pykd.findSymbol(source)
current = shadowssdttable[i]
if source == current:
print 'source:0x%x current:0x%x %s' % (source, current, symbolname)
else:
hooksymbolname = pykd.findSymbol(current)
print 'source:0x%x %s <-> current:0x%x %s hooked!!!!!!!' % (
source, symbolname, current, hooksymbolname)
number += 1
print 'hooked function number:', number
def inspectShadowSSDT():
r=pykd.dbgCommand('dd win32k L1').split(' ')
win32kbase=pykd.addr64(int(r[0],16))
print 'wink32.sys baseaddr:0x%x' % win32kbase
W32pServiceTable=pykd.getOffset('win32k!W32pServiceTable')
print 'win32k!W32pServiceTable:0x%x' % W32pServiceTable
W32pServiceLimit=pykd.getOffset('win32k!W32pServiceLimit')
W32pServiceLimit=pykd.ptrMWord(W32pServiceLimit)
print 'win32k!W32pServiceLimit:0x%x(%d)' % (W32pServiceLimit, W32pServiceLimit)
shadowssdttable=pykd.loadPtrs(W32pServiceTable, W32pServiceLimit)
table_rva=(W32pServiceTable-win32kbase)
print 'W32pServiceTable rva:0x%x' % table_rva
win32kname='win32k.sys'
windowsdir=win32api.GetWindowsDirectory()
filepath=os.path.join(windowsdir, 'system32', win32kname)
if not os.path.exists(filepath):
raise Exception('%s not exists!' % win32kname)
print 'win32k.sys path:', filepath
filedata=open(filepath, 'rb').read()
pe = pefile.PE(data=filedata, fast_load=True)
if pe.DOS_HEADER.e_magic!=0X5A4D or pe.NT_HEADERS.Signature!=0x4550:
raise Exception("%s is not a pe file" % filepath)
table_fileoffset=pe.get_offset_from_rva(table_rva)
print 'W32pServiceTable file offset:0x%x' % table_fileoffset
d=filedata[table_fileoffset:table_fileoffset+g_mwordsize*W32pServiceLimit]
number=0
for i in xrange(W32pServiceLimit):
source=binascii.b2a_hex(d[i*g_mwordsize:(i+1)*g_mwordsize][::-1])
source=int(source, 16)-pe.OPTIONAL_HEADER.ImageBase+win32kbase
symbolname=pykd.findSymbol(source)
current=shadowssdttable[i]
if source==current:
print 'source:0x%x current:0x%x %s' % (source, current, symbolname)
else:
hooksymbolname=pykd.findSymbol(current)
print 'source:0x%x %s <-> current:0x%x %s hooked!!!!!!!' % (source, symbolname, current, hooksymbolname)
number+=1
print 'hooked function number:', number
def inspectSSDT():
kernelbase = g_kernelbase
KeServiceDescriptorTable = pykd.getOffset('nt!KeServiceDescriptorTable')
KiServiceTable = pykd.ptrPtr(KeServiceDescriptorTable)
serviceCount = pykd.ptrMWord(KeServiceDescriptorTable + 2 * g_mwordsize)
print 'nt!KeServiceDescriptorTable:0x%x' % KeServiceDescriptorTable
print 'nt!KiServiceTable:0x%x' % KiServiceTable
print 'serviceCount:0x%x(%d)' % (serviceCount, serviceCount)
ssdttable = pykd.loadPtrs(KiServiceTable, serviceCount)
table_rva = (KiServiceTable - kernelbase)
print 'KiServiceTable rva:0x%x' % table_rva
filedata = open(g_kernelpath, 'rb').read()
pe = pefile.PE(data=filedata, fast_load=True)
if pe.DOS_HEADER.e_magic != 0X5A4D or pe.NT_HEADERS.Signature != 0x4550:
raise Exception("%s is not a pe file" % filepath)
table_fileoffset = pe.get_offset_from_rva(table_rva)
print 'KiServiceTable file offset:0x%x' % table_fileoffset
d = filedata[table_fileoffset:table_fileoffset +
g_mwordsize * serviceCount]
number = 0
for i in xrange(serviceCount):
source = binascii.b2a_hex(d[i * g_mwordsize:(i + 1) *
g_mwordsize][::-1])
source = pykd.addr64(int(source, 16)) - pykd.addr64(
pe.OPTIONAL_HEADER.ImageBase) + kernelbase
symbolname = pykd.findSymbol(source)
current = ssdttable[i]
if source == current:
print 'source:0x%x current:0x%x %s' % (source, current, symbolname)
else:
hooksymbolname = pykd.findSymbol(current)
print 'source:0x%x %s <-> current:0x%x %s hooked!!!!!!!' % (
source, symbolname, current, hooksymbolname)
number += 1
print 'hooked function number:', number
def testPtrArray(self):
lst = pykd.loadPtrs(target.module.arrIntMatrixPtrs, 3)
self.assertEqual(3, len(lst))
def deref_ptr(ptr):
try:
return pykd.loadPtrs(ptr, 1)[0] & context.PTRMASK
except pykd.MemoryException:
return None
