def inspectSSDT(): kernelbase=g_kernelbase KeServiceDescriptorTable=pykd.getOffset('nt!KeServiceDescriptorTable') KiServiceTable=pykd.ptrPtr(KeServiceDescriptorTable) serviceCount=pykd.ptrMWord(KeServiceDescriptorTable+2*g_mwordsize) print 'nt!KeServiceDescriptorTable:0x%x' % KeServiceDescriptorTable print 'nt!KiServiceTable:0x%x' % KiServiceTable print 'serviceCount:0x%x(%d)' % (serviceCount, serviceCount) ssdttable=pykd.loadPtrs(KiServiceTable, serviceCount) table_rva=(KiServiceTable-kernelbase) print 'KiServiceTable rva:0x%x' % table_rva filedata=open(g_kernelpath, 'rb').read() pe = pefile.PE(data=filedata, fast_load=True) if pe.DOS_HEADER.e_magic!=0X5A4D or pe.NT_HEADERS.Signature!=0x4550: raise Exception("%s is not a pe file" % filepath) table_fileoffset=pe.get_offset_from_rva(table_rva) print 'KiServiceTable file offset:0x%x' % table_fileoffset d=filedata[table_fileoffset:table_fileoffset+g_mwordsize*serviceCount] number=0 for i in xrange(serviceCount): source=binascii.b2a_hex(d[i*g_mwordsize:(i+1)*g_mwordsize][::-1]) source=pykd.addr64(int(source, 16))-pykd.addr64(pe.OPTIONAL_HEADER.ImageBase)+kernelbase symbolname=pykd.findSymbol(source) current=ssdttable[i] if source==current: print 'source:0x%x current:0x%x %s' % (source, current, symbolname) else: hooksymbolname=pykd.findSymbol(current) print 'source:0x%x %s <-> current:0x%x %s hooked!!!!!!!' % (source, symbolname, current, hooksymbolname) number+=1 print 'hooked function number:', number
def dereference(self, pointer, target_id=0): """ Recursively dereference a pointer for display """ fmt = ('<' if self.get_byte_order() == 'little' else '>') + {2: 'H', 4: 'L', 8: 'Q'}[self.get_addr_size()] addr = pointer chain = [] # recursively dereference for i in range(0, self.max_deref): try: [ptr] = pykd.loadPtrs(addr, 1) if ptr in chain: break chain.append(('pointer', addr)) addr = ptr except: log.exception("Dereferencing pointer 0x{:X}".format(addr)) break # get some info for the last pointer # first try to resolve a symbol context for the address if len(chain): p, addr = chain[-1] output = pykd.findSymbol(addr) sym = True try: # if there's no symbol found, pykd returns a hex string of the address if int(output, 16) == addr: sym = False log.debug("no symbol context") except: pass if sym: chain.append(('symbol', output.strip())) else: log.debug("no symbol context") mem = pykd.loadBytes(addr, 2) if mem[0] < 127: if mem[1] == 0: a = [] for i in range(0, self.max_string, 2): mem = pykd.loadBytes(addr + i, 2) if mem == [0, 0]: break a.extend(mem) output = array.array('B', a).tostring().decode('UTF-16').encode('latin1') chain.append(('unicode', output)) else: output = pykd.loadCStr(addr) chain.append(('string', output)) log.debug("chain: {}".format(chain)) return chain
def smart_dereference(self, addr): ptr_values, is_cyclic = [addr], False for _ in xrange(MAX_DEREF): try: val = pykd.loadPtrs(addr, 1)[0] & PTRMASK ptr_values.append(val) if val in ptr_values[:-1:]: # cyclic dereference is_cyclic = True break else: addr = val except pykd.MemoryException: # no more dereference break return ptr_values, is_cyclic
def inspectShadowSSDT(): r = pykd.dbgCommand('dd win32k L1').split(' ') win32kbase = pykd.addr64(int(r[0], 16)) print 'wink32.sys baseaddr:0x%x' % win32kbase W32pServiceTable = pykd.getOffset('win32k!W32pServiceTable') print 'win32k!W32pServiceTable:0x%x' % W32pServiceTable W32pServiceLimit = pykd.getOffset('win32k!W32pServiceLimit') W32pServiceLimit = pykd.ptrMWord(W32pServiceLimit) print 'win32k!W32pServiceLimit:0x%x(%d)' % (W32pServiceLimit, W32pServiceLimit) shadowssdttable = pykd.loadPtrs(W32pServiceTable, W32pServiceLimit) table_rva = (W32pServiceTable - win32kbase) print 'W32pServiceTable rva:0x%x' % table_rva win32kname = 'win32k.sys' windowsdir = win32api.GetWindowsDirectory() filepath = os.path.join(windowsdir, 'system32', win32kname) if not os.path.exists(filepath): raise Exception('%s not exists!' % win32kname) print 'win32k.sys path:', filepath filedata = open(filepath, 'rb').read() pe = pefile.PE(data=filedata, fast_load=True) if pe.DOS_HEADER.e_magic != 0X5A4D or pe.NT_HEADERS.Signature != 0x4550: raise Exception("%s is not a pe file" % filepath) table_fileoffset = pe.get_offset_from_rva(table_rva) print 'W32pServiceTable file offset:0x%x' % table_fileoffset d = filedata[table_fileoffset:table_fileoffset + g_mwordsize * W32pServiceLimit] number = 0 for i in xrange(W32pServiceLimit): source = binascii.b2a_hex(d[i * g_mwordsize:(i + 1) * g_mwordsize][::-1]) source = int(source, 16) - pe.OPTIONAL_HEADER.ImageBase + win32kbase symbolname = pykd.findSymbol(source) current = shadowssdttable[i] if source == current: print 'source:0x%x current:0x%x %s' % (source, current, symbolname) else: hooksymbolname = pykd.findSymbol(current) print 'source:0x%x %s <-> current:0x%x %s hooked!!!!!!!' % ( source, symbolname, current, hooksymbolname) number += 1 print 'hooked function number:', number
def inspectShadowSSDT(): r=pykd.dbgCommand('dd win32k L1').split(' ') win32kbase=pykd.addr64(int(r[0],16)) print 'wink32.sys baseaddr:0x%x' % win32kbase W32pServiceTable=pykd.getOffset('win32k!W32pServiceTable') print 'win32k!W32pServiceTable:0x%x' % W32pServiceTable W32pServiceLimit=pykd.getOffset('win32k!W32pServiceLimit') W32pServiceLimit=pykd.ptrMWord(W32pServiceLimit) print 'win32k!W32pServiceLimit:0x%x(%d)' % (W32pServiceLimit, W32pServiceLimit) shadowssdttable=pykd.loadPtrs(W32pServiceTable, W32pServiceLimit) table_rva=(W32pServiceTable-win32kbase) print 'W32pServiceTable rva:0x%x' % table_rva win32kname='win32k.sys' windowsdir=win32api.GetWindowsDirectory() filepath=os.path.join(windowsdir, 'system32', win32kname) if not os.path.exists(filepath): raise Exception('%s not exists!' % win32kname) print 'win32k.sys path:', filepath filedata=open(filepath, 'rb').read() pe = pefile.PE(data=filedata, fast_load=True) if pe.DOS_HEADER.e_magic!=0X5A4D or pe.NT_HEADERS.Signature!=0x4550: raise Exception("%s is not a pe file" % filepath) table_fileoffset=pe.get_offset_from_rva(table_rva) print 'W32pServiceTable file offset:0x%x' % table_fileoffset d=filedata[table_fileoffset:table_fileoffset+g_mwordsize*W32pServiceLimit] number=0 for i in xrange(W32pServiceLimit): source=binascii.b2a_hex(d[i*g_mwordsize:(i+1)*g_mwordsize][::-1]) source=int(source, 16)-pe.OPTIONAL_HEADER.ImageBase+win32kbase symbolname=pykd.findSymbol(source) current=shadowssdttable[i] if source==current: print 'source:0x%x current:0x%x %s' % (source, current, symbolname) else: hooksymbolname=pykd.findSymbol(current) print 'source:0x%x %s <-> current:0x%x %s hooked!!!!!!!' % (source, symbolname, current, hooksymbolname) number+=1 print 'hooked function number:', number
def inspectSSDT(): kernelbase = g_kernelbase KeServiceDescriptorTable = pykd.getOffset('nt!KeServiceDescriptorTable') KiServiceTable = pykd.ptrPtr(KeServiceDescriptorTable) serviceCount = pykd.ptrMWord(KeServiceDescriptorTable + 2 * g_mwordsize) print 'nt!KeServiceDescriptorTable:0x%x' % KeServiceDescriptorTable print 'nt!KiServiceTable:0x%x' % KiServiceTable print 'serviceCount:0x%x(%d)' % (serviceCount, serviceCount) ssdttable = pykd.loadPtrs(KiServiceTable, serviceCount) table_rva = (KiServiceTable - kernelbase) print 'KiServiceTable rva:0x%x' % table_rva filedata = open(g_kernelpath, 'rb').read() pe = pefile.PE(data=filedata, fast_load=True) if pe.DOS_HEADER.e_magic != 0X5A4D or pe.NT_HEADERS.Signature != 0x4550: raise Exception("%s is not a pe file" % filepath) table_fileoffset = pe.get_offset_from_rva(table_rva) print 'KiServiceTable file offset:0x%x' % table_fileoffset d = filedata[table_fileoffset:table_fileoffset + g_mwordsize * serviceCount] number = 0 for i in xrange(serviceCount): source = binascii.b2a_hex(d[i * g_mwordsize:(i + 1) * g_mwordsize][::-1]) source = pykd.addr64(int(source, 16)) - pykd.addr64( pe.OPTIONAL_HEADER.ImageBase) + kernelbase symbolname = pykd.findSymbol(source) current = ssdttable[i] if source == current: print 'source:0x%x current:0x%x %s' % (source, current, symbolname) else: hooksymbolname = pykd.findSymbol(current) print 'source:0x%x %s <-> current:0x%x %s hooked!!!!!!!' % ( source, symbolname, current, hooksymbolname) number += 1 print 'hooked function number:', number
def testPtrArray(self): lst = pykd.loadPtrs(target.module.arrIntMatrixPtrs, 3) self.assertEqual(3, len(lst))
def deref_ptr(ptr): try: return pykd.loadPtrs(ptr, 1)[0] & context.PTRMASK except pykd.MemoryException: return None