Пример #1
0
def listCmpCallback():
    try:
        notifyaddr=pykd.getOffset('nt!CmpCallBackVector')
        count=pykd.getOffset('nt!CmpCallBackCount')
        count=pykd.ptrPtr(count)
      
        print '-'*10+'CmpCallback'+'-'*10
        if is_2000():
            for i in xrange(count):
                funcaddr=pykd.ptrPtr(notifyaddr+i*g_mwordsize)&0xffffffffffffff8
                symbolname=pykd.findSymbol(source)
                print 'routine:%x %s' % (funcaddr, symbolname)
        else:
            if pykd.is64bitSystem():
                for i in xrange(count):
                    funcaddr=pykd.ptrPtr(notifyaddr+i*g_mwordsize)&0xffffffffffffff8
                    symbolname=pykd.findSymbol(funcaddr)
                    print 'routine:%x %s' % (funcaddr, symbolname)
            else:
                for i in xrange(count):
                    routine_block=pykd.ptrPtr(notifyaddr+i*g_mwordsize)&0xffffffffffffff8
                    funcaddr=pykd.ptrPtr(routine_block+g_mwordsize)
                    symbolname=pykd.findSymbol(funcaddr)
                    print 'routine:%x %s' % (funcaddr, symbolname)
      
    except Exception, err:
        print traceback.format_exc()
Пример #2
0
def listCreateProcess():
    try:
        print '-' * 10 + 'CreateProcess' + '-' * 10
        notifyaddr = pykd.getOffset('nt!PspCreateProcessNotifyRoutine')
        count = pykd.getOffset('nt!PspCreateProcessNotifyRoutineCount')
        count = pykd.ptrPtr(count)
        try:
            excount = pykd.getOffset('nt!PspCreateProcessNotifyRoutineExCount')
        except:
            excount = 0
        count += excount
        if is_2000():
            for i in xrange(count):
                funcaddr = pykd.ptrPtr(notifyaddr +
                                       i * g_mwordsize) & 0xffffffffffffff8
                symbolname = pykd.findSymbol(source)
                print 'routine:%x %s' % (funcaddr, symbolname)
        else:
            if pykd.is64bitSystem():
                for i in xrange(count):
                    funcaddr = pykd.ptrPtr(notifyaddr +
                                           i * g_mwordsize) & 0xffffffffffffff8
                    symbolname = pykd.findSymbol(funcaddr)
                    print 'routine:%x %s' % (funcaddr, symbolname)
            else:
                for i in xrange(count):
                    routine_block = pykd.ptrPtr(
                        notifyaddr + i * g_mwordsize) & 0xffffffffffffff8
                    funcaddr = pykd.ptrPtr(routine_block + g_mwordsize)
                    symbolname = pykd.findSymbol(funcaddr)
                    print 'routine:%x %s' % (funcaddr, symbolname)

    except Exception, err:
        print traceback.format_exc()
Пример #3
0
def listCreateProcess():
    try:
        print '-'*10+'CreateProcess'+'-'*10
        notifyaddr=pykd.getOffset('nt!PspCreateProcessNotifyRoutine')
        count=pykd.getOffset('nt!PspCreateProcessNotifyRoutineCount')
        count=pykd.ptrPtr(count)
        try:
            excount=pykd.getOffset('nt!PspCreateProcessNotifyRoutineExCount') 
        except:
            excount=0
        count+=excount
        if is_2000():
            for i in xrange(count):
                funcaddr=pykd.ptrPtr(notifyaddr+i*g_mwordsize)&0xffffffffffffff8
                symbolname=pykd.findSymbol(source)
                print 'routine:%x %s' % (funcaddr, symbolname)
        else:
            if pykd.is64bitSystem():
                for i in xrange(count):
                    funcaddr=pykd.ptrPtr(notifyaddr+i*g_mwordsize)&0xffffffffffffff8
                    symbolname=pykd.findSymbol(funcaddr)
                    print 'routine:%x %s' % (funcaddr, symbolname)
            else:
                for i in xrange(count):
                    routine_block=pykd.ptrPtr(notifyaddr+i*g_mwordsize)&0xffffffffffffff8
                    funcaddr=pykd.ptrPtr(routine_block+g_mwordsize)
                    symbolname=pykd.findSymbol(funcaddr)
                    print 'routine:%x %s' % (funcaddr, symbolname)
      
    except Exception, err:
        print traceback.format_exc()
Пример #4
0
def listCmpCallback():
    try:
        notifyaddr = pykd.getOffset('nt!CmpCallBackVector')
        count = pykd.getOffset('nt!CmpCallBackCount')
        count = pykd.ptrPtr(count)

        print '-' * 10 + 'CmpCallback' + '-' * 10
        if is_2000():
            for i in xrange(count):
                funcaddr = pykd.ptrPtr(notifyaddr +
                                       i * g_mwordsize) & 0xffffffffffffff8
                symbolname = pykd.findSymbol(source)
                print 'routine:%x %s' % (funcaddr, symbolname)
        else:
            if pykd.is64bitSystem():
                for i in xrange(count):
                    funcaddr = pykd.ptrPtr(notifyaddr +
                                           i * g_mwordsize) & 0xffffffffffffff8
                    symbolname = pykd.findSymbol(funcaddr)
                    print 'routine:%x %s' % (funcaddr, symbolname)
            else:
                for i in xrange(count):
                    routine_block = pykd.ptrPtr(
                        notifyaddr + i * g_mwordsize) & 0xffffffffffffff8
                    funcaddr = pykd.ptrPtr(routine_block + g_mwordsize)
                    symbolname = pykd.findSymbol(funcaddr)
                    print 'routine:%x %s' % (funcaddr, symbolname)

    except Exception, err:
        print traceback.format_exc()
Пример #5
0
 def testNamespace(self):
     ti1 = pykd.typeInfo(target.moduleName, "Namespace1::Class1")
     ti2 = pykd.typeInfo(target.moduleName,
                         "Namespace1::Namespace2::Class2")
     var3 = pykd.typedVar(
         ti1, pykd.getOffset(target.moduleName, "Namespace1::var3"))
     var4 = pykd.typedVar(
         ti1,
         pykd.getOffset(target.moduleName, "Namespace1::Namespace2::var4"))
     self.assertEqual(var3.m_field1, 50)
Пример #6
0
def inspectShadowSSDT():
    r = pykd.dbgCommand('dd win32k L1').split(' ')
    win32kbase = pykd.addr64(int(r[0], 16))
    print 'wink32.sys baseaddr:0x%x' % win32kbase

    W32pServiceTable = pykd.getOffset('win32k!W32pServiceTable')
    print 'win32k!W32pServiceTable:0x%x' % W32pServiceTable

    W32pServiceLimit = pykd.getOffset('win32k!W32pServiceLimit')
    W32pServiceLimit = pykd.ptrMWord(W32pServiceLimit)
    print 'win32k!W32pServiceLimit:0x%x(%d)' % (W32pServiceLimit,
                                                W32pServiceLimit)
    shadowssdttable = pykd.loadPtrs(W32pServiceTable, W32pServiceLimit)

    table_rva = (W32pServiceTable - win32kbase)
    print 'W32pServiceTable rva:0x%x' % table_rva

    win32kname = 'win32k.sys'
    windowsdir = win32api.GetWindowsDirectory()
    filepath = os.path.join(windowsdir, 'system32', win32kname)
    if not os.path.exists(filepath):
        raise Exception('%s not exists!' % win32kname)

    print 'win32k.sys path:', filepath
    filedata = open(filepath, 'rb').read()
    pe = pefile.PE(data=filedata, fast_load=True)
    if pe.DOS_HEADER.e_magic != 0X5A4D or pe.NT_HEADERS.Signature != 0x4550:
        raise Exception("%s is not a pe file" % filepath)

    table_fileoffset = pe.get_offset_from_rva(table_rva)
    print 'W32pServiceTable file offset:0x%x' % table_fileoffset
    d = filedata[table_fileoffset:table_fileoffset +
                 g_mwordsize * W32pServiceLimit]
    number = 0
    for i in xrange(W32pServiceLimit):
        source = binascii.b2a_hex(d[i * g_mwordsize:(i + 1) *
                                    g_mwordsize][::-1])
        source = int(source, 16) - pe.OPTIONAL_HEADER.ImageBase + win32kbase
        symbolname = pykd.findSymbol(source)
        current = shadowssdttable[i]
        if source == current:
            print 'source:0x%x current:0x%x %s' % (source, current, symbolname)
        else:
            hooksymbolname = pykd.findSymbol(current)
            print 'source:0x%x %s <-> current:0x%x %s hooked!!!!!!!' % (
                source, symbolname, current, hooksymbolname)
            number += 1
    print 'hooked function number:', number
Пример #7
0
def listModuleByLdrHash(eprocessaddr):
    modulelist = {}
    try:
        cmdline = '.process /P %x;.reload;' % eprocessaddr
        r = pykd.dbgCommand(cmdline)
        try:
            LdrpHashTable = pykd.getOffset('ntdll!LdrpHashTable')
        except:
            print 'get LdrpHashTable symbol fail, maybe ldr is null'
            return []
        if int(LdrpHashTable) != 0:
            for i in xrange(26):
                listhead = LdrpHashTable + i * 2 * g_mwordsize
                hashlink = listhead
                while 1:
                    hashlink = pykd.ptrPtr(hashlink)
                    if hashlink == listhead:
                        break
                    ldr = pykd.containingRecord(hashlink,
                                                'nt!_LDR_DATA_TABLE_ENTRY',
                                                'HashLinks')
                    if int(ldr) not in modulelist:
                        info = ModuleInfo()
                        if info.init1(ldr):
                            modulelist[int(ldr)] = info

    except Exception, err:
        print traceback.format_exc()
Пример #8
0
 def testArrayField(self):
     v7 = pykd.typedVar(target.moduleName, "Type7",
                        pykd.getOffset(target.moduleName, "var7"))
     self.assertEqual(v7.field1[1].field1, 10)
     self.assertEqual(v7.field1[5].field2, 20)
     self.assertEqual(v7.field2[1][0].field1, 10)
     self.assertEqual(v7.field2[0][1].field2, 20)
Пример #9
0
    def resolve_symbol(self, symbol):
        offset = 0
        if symbol.find('+') >= 0:
            addr_toks = addr_str.split("+")
            if len(addr_toks) > 1:
                symbol = addr_toks[0]
                offset = windbgtool.util.convert_to_int(addr_toks[1], 16)

        if symbol in self.symbol_to_address:
            return self.symbol_to_address[symbol] + offset

        if symbol.find("!") >= 0:
            (module_name, function_name) = symbol.split('!', 1)
            if module_name.find(".") >= 0:
                module_name = module_name.split('.')[0]
            self.load_symbols([
                module_name,
            ])

        if symbol in self.symbol_to_address:
            return self.symbol_to_address[symbol] + offset

        try:
            return pykd.getOffset(symbol) + offset
        except:
            return 0
Пример #10
0
def listModuleByLdrHash(eprocessaddr):
    modulelist = {}
    try:
        cmdline = ".process /P %x;.reload;" % eprocessaddr
        r = pykd.dbgCommand(cmdline)
        try:
            LdrpHashTable = pykd.getOffset("ntdll!LdrpHashTable")
        except:
            print "get LdrpHashTable symbol fail, maybe ldr is null"
            return []
        if int(LdrpHashTable) != 0:
            for i in xrange(26):
                listhead = LdrpHashTable + i * 2 * g_mwordsize
                hashlink = listhead
                while 1:
                    hashlink = pykd.ptrPtr(hashlink)
                    if hashlink == listhead:
                        break
                    ldr = pykd.containingRecord(hashlink, "nt!_LDR_DATA_TABLE_ENTRY", "HashLinks")
                    if int(ldr) not in modulelist:
                        info = ModuleInfo()
                        if info.init1(ldr):
                            modulelist[int(ldr)] = info

    except Exception, err:
        print traceback.format_exc()
Пример #11
0
def inspectSSDT():
    kernelbase=g_kernelbase
    KeServiceDescriptorTable=pykd.getOffset('nt!KeServiceDescriptorTable')    
    KiServiceTable=pykd.ptrPtr(KeServiceDescriptorTable)
    serviceCount=pykd.ptrMWord(KeServiceDescriptorTable+2*g_mwordsize)
    print 'nt!KeServiceDescriptorTable:0x%x' % KeServiceDescriptorTable
    print 'nt!KiServiceTable:0x%x' % KiServiceTable
    print 'serviceCount:0x%x(%d)' % (serviceCount, serviceCount)
    ssdttable=pykd.loadPtrs(KiServiceTable, serviceCount)
    
    table_rva=(KiServiceTable-kernelbase)
    print 'KiServiceTable rva:0x%x' % table_rva
    
    filedata=open(g_kernelpath, 'rb').read()
    pe = pefile.PE(data=filedata, fast_load=True)
    if pe.DOS_HEADER.e_magic!=0X5A4D or pe.NT_HEADERS.Signature!=0x4550:
        raise Exception("%s is not a pe file" % filepath)

    table_fileoffset=pe.get_offset_from_rva(table_rva)
    print 'KiServiceTable file offset:0x%x' % table_fileoffset
    d=filedata[table_fileoffset:table_fileoffset+g_mwordsize*serviceCount]
    number=0
    for i in xrange(serviceCount):
        source=binascii.b2a_hex(d[i*g_mwordsize:(i+1)*g_mwordsize][::-1])
        source=pykd.addr64(int(source, 16))-pykd.addr64(pe.OPTIONAL_HEADER.ImageBase)+kernelbase
        symbolname=pykd.findSymbol(source)
        current=ssdttable[i]
        if source==current:
            print 'source:0x%x current:0x%x %s' % (source, current, symbolname)
        else:
            hooksymbolname=pykd.findSymbol(current)
            print 'source:0x%x %s <-> current:0x%x %s hooked!!!!!!!' % (source, symbolname, current, hooksymbolname)
            number+=1
    print 'hooked function number:', number
Пример #12
0
def listShutdown():
    try:
        print '-' * 10 + 'Shutdown' + '-' * 10

        IRP_MJ_SHUTDOWN = 0x10
        #define IRP_MJ_SHUTDOWN                 0x10
        head = pykd.getOffset('nt!IopNotifyShutdownQueueHead')
        next = head
        while 1:
            next = pykd.ptrPtr(next)
            if next == head:
                break
            try:
                deviceobjectaddr = pykd.ptrPtr(next + g_mwordsize * 2)
                deviceobject = pykd.typedVar('nt!_DEVICE_OBJECT',
                                             deviceobjectaddr)
                driverobject = pykd.typedVar('nt!_DRIVER_OBJECT',
                                             int(deviceobject.DriverObject))
                funcaddr = pykd.ptrPtr(driverobject.MajorFunction +
                                       g_mwordsize * IRP_MJ_SHUTDOWN)
                symbolname = pykd.findSymbol(funcaddr)
                print 'routine:%x %s' % (funcaddr, symbolname)
            except Exception, err:
                pass
    except Exception, err:
        print traceback.format_exc()
Пример #13
0
 def testPtrField(self):
     v6 = pykd.typedVar(target.moduleName, "Type6",
                        pykd.getOffset(target.moduleName, "var6"))
     self.assertEqual(v6.field1, 10)
     self.assertEqual(v6.field2.field1, 10)
     self.assertEqual(v6.field2.field2, 20)
     self.assertNotEqual(v6.field2, 0)
     self.assertEqual(v6.field3[0].field1, 10)
     self.assertEqual(v6.field3[1].field2, 20)
Пример #14
0
def inspectShadowSSDT():
    r=pykd.dbgCommand('dd win32k L1').split(' ')
    win32kbase=pykd.addr64(int(r[0],16))
    print 'wink32.sys baseaddr:0x%x' % win32kbase
    
    W32pServiceTable=pykd.getOffset('win32k!W32pServiceTable')
    print 'win32k!W32pServiceTable:0x%x' % W32pServiceTable
        
    W32pServiceLimit=pykd.getOffset('win32k!W32pServiceLimit')
    W32pServiceLimit=pykd.ptrMWord(W32pServiceLimit)
    print 'win32k!W32pServiceLimit:0x%x(%d)' % (W32pServiceLimit, W32pServiceLimit)
    shadowssdttable=pykd.loadPtrs(W32pServiceTable, W32pServiceLimit)
    
    table_rva=(W32pServiceTable-win32kbase)
    print 'W32pServiceTable rva:0x%x' % table_rva
    
    win32kname='win32k.sys'
    windowsdir=win32api.GetWindowsDirectory()
    filepath=os.path.join(windowsdir, 'system32', win32kname)
    if not os.path.exists(filepath):
        raise Exception('%s not exists!' % win32kname)

    print 'win32k.sys path:', filepath
    filedata=open(filepath, 'rb').read()
    pe = pefile.PE(data=filedata, fast_load=True)
    if pe.DOS_HEADER.e_magic!=0X5A4D or pe.NT_HEADERS.Signature!=0x4550:
        raise Exception("%s is not a pe file" % filepath)

    table_fileoffset=pe.get_offset_from_rva(table_rva)
    print 'W32pServiceTable file offset:0x%x' % table_fileoffset
    d=filedata[table_fileoffset:table_fileoffset+g_mwordsize*W32pServiceLimit]
    number=0
    for i in xrange(W32pServiceLimit):
        source=binascii.b2a_hex(d[i*g_mwordsize:(i+1)*g_mwordsize][::-1])
        source=int(source, 16)-pe.OPTIONAL_HEADER.ImageBase+win32kbase
        symbolname=pykd.findSymbol(source)
        current=shadowssdttable[i]
        if source==current:
            print 'source:0x%x current:0x%x %s' % (source, current, symbolname)
        else:
            hooksymbolname=pykd.findSymbol(current)
            print 'source:0x%x %s <-> current:0x%x %s hooked!!!!!!!' % (source, symbolname, current, hooksymbolname)
            number+=1
    print 'hooked function number:', number
 def testSymbol(self):
     self.assertEqual(
         target.module.rva("FastcallFunc"),
         target.module.offset("FastcallFunc") - target.module.begin())
     self.assertEqual(target.module.rva("FastcallFunc"),
                      target.module.FastcallFunc - target.module.begin())
     self.assertEqual(
         target.module.rva("FastcallFunc"),
         pykd.getOffset(target.module.name() + "!FastcallFunc") -
         target.module.begin())
Пример #16
0
 def testSymbol(self):
     self.assertEqual(
         target.module.rva("FuncWithName0"),
         target.module.offset("FuncWithName0") - target.module.begin())
     self.assertEqual(target.module.rva("FuncWithName0"),
                      target.module.FuncWithName0 - target.module.begin())
     self.assertEqual(
         target.module.rva("FuncWithName0"),
         pykd.getOffset(target.module.name() + "!FuncWithName0") -
         target.module.begin())
Пример #17
0
def inspectMsgHook():
    msglist = []
    try:
        gSharedInfo = pykd.getOffset('win32k!gSharedInfo')
        serverinfo = pykd.ptrPtr(gSharedInfo)
        aheList = pykd.ptrPtr(gSharedInfo + g_mwordsize)
        if is_2000() or is_xp():
            count = pykd.ptrPtr(serverinfo + g_mwordsize * 2)
        else:
            count = pykd.ptrPtr(serverinfo + g_mwordsize * 1)

        for i in xrange(count):
            entry = aheList + i * 3 * g_mwordsize
            phook = pykd.ptrPtr(entry)  #head
            type = pykd.ptrByte(entry + 2 * g_mwordsize)
            if type != 5:
                continue

            try:
                handle = pykd.ptrPtr(phook)
                msgtype = pykd.ptrPtr(phook + 6 * g_mwordsize)
                funcoffset = pykd.ptrPtr(phook + 7 * g_mwordsize)
                flags = pykd.ptrPtr(phook + 8 * g_mwordsize)
                if flags & 1:
                    bGlobal = 1
                else:
                    bGlobal = 0

                pti = pykd.ptrPtr(phook + 2 * g_mwordsize)
                threadobjectaddr = pykd.ptrPtr(pti)
                threadobject = pykd.typedVar('nt!_ETHREAD', threadobjectaddr)
                pid = int(threadobject.Cid.UniqueProcess)
                tid = (threadobject.Cid.UniqueThread)
                try:
                    processobject = pykd.typedVar('nt!_EPROCESS',
                                                  threadobject.ThreadsProcess)
                except Exception, err:
                    processobject = pykd.typedVar('nt!_EPROCESS',
                                                  threadobject.Tcb.Process)
                processpath = pykd.loadUnicodeString(
                    processobject.SeAuditProcessCreationInfo.ImageFileName.Name
                )

                msginfo = MsgInfo(handle=handle,
                                  pid=pid,
                                  tid=tid,
                                  msgtype=msgtype,
                                  funcoffset=funcoffset,
                                  bGlobal=bGlobal,
                                  processpath=processpath)
                msglist.append(msginfo)

            except Exception, err:
                print err
Пример #18
0
def listProcessByPsActiveProcessHead():
    processlist=[]
    try:
        PsActiveProcessHead=pykd.getOffset('nt!PsActiveProcessHead')
        l=pykd.typedVarList(PsActiveProcessHead, 'nt!_EPROCESS', 'ActiveProcessLinks')
        for i in l:
            info=ProcessInfo()
            if info.init(i):
                processlist.append(info)
            
    except Exception, err:
        print traceback.format_exc()
Пример #19
0
def listProcessByPsActiveProcessHead():
    processlist = []
    try:
        PsActiveProcessHead = pykd.getOffset('nt!PsActiveProcessHead')
        l = pykd.typedVarList(PsActiveProcessHead, 'nt!_EPROCESS',
                              'ActiveProcessLinks')
        for i in l:
            info = ProcessInfo()
            if info.init(i):
                processlist.append(info)

    except Exception, err:
        print traceback.format_exc()
Пример #20
0
def listSeFileSystem():
    try:
        print '-' * 10 + 'SeFileSystem' + '-' * 10
        head = pykd.getOffset('nt!SeFileSystemNotifyRoutinesHead')
        next = head
        while 1:
            next = pykd.ptrPtr(next)
            if not next:
                break
            funcaddr = pykd.ptrPtr(next + g_mwordsize)
            symbolname = pykd.findSymbol(funcaddr)
            print 'routine:%x %s' % (funcaddr, symbolname)
    except Exception, err:
        print traceback.format_exc()
Пример #21
0
def listIopTimer():
    try:
        print '-' * 10 + 'IopTimer' + '-' * 10
        head = pykd.getOffset('nt!IopTimerQueueHead')
        next = head
        while 1:
            next = pykd.ptrPtr(next)
            if next == head:
                break
            funcaddr = pykd.ptrPtr(next + g_mwordsize * 2)
            symbolname = pykd.findSymbol(funcaddr)
            print 'routine:%x %s' % (funcaddr, symbolname)
    except Exception, err:
        print traceback.format_exc()
Пример #22
0
def listBugCheckReasonCallback():
    try:
        print '-' * 10 + 'BugCheckReasonCallback' + '-' * 10
        head = pykd.getOffset('nt!KeBugCheckReasonCallbackListHead')
        next = head
        while 1:
            next = pykd.ptrPtr(next)
            if next == head:
                break
            funcaddr = pykd.ptrPtr(next + g_mwordsize * 2)
            symbolname = pykd.findSymbol(funcaddr)
            print 'routine:%x %s' % (funcaddr, symbolname)
    except Exception, err:
        print traceback.format_exc()
Пример #23
0
def listDriverByPsLoadedModuleList():
    driverlist=[]
    try:
        PsLoadedModuleList=pykd.getOffset('nt!PsLoadedModuleList')
        l=pykd.typedVarList(PsLoadedModuleList, 'nt!_LDR_DATA_TABLE_ENTRY', 'InLoadOrderLinks')
        for i in l:
            if int(i.InLoadOrderLinks)==PsLoadedModuleList:
                continue
            info=DriverInfo()
            if info.init2(i):
                driverlist.append(info)

    except Exception, err:
        print traceback.format_exc()
Пример #24
0
def listBugCheckReasonCallback():
    try:
        print '-'*10+'BugCheckReasonCallback'+'-'*10
        head=pykd.getOffset('nt!KeBugCheckReasonCallbackListHead')
        next=head
        while 1:
            next=pykd.ptrPtr(next)
            if next==head:
                break
            funcaddr=pykd.ptrPtr(next+g_mwordsize*2)
            symbolname=pykd.findSymbol(funcaddr)
            print 'routine:%x %s' % (funcaddr, symbolname)
    except Exception, err:
        print traceback.format_exc()
Пример #25
0
def listSeFileSystem():
    try:
        print '-'*10+'SeFileSystem'+'-'*10
        head=pykd.getOffset('nt!SeFileSystemNotifyRoutinesHead')
        next=head
        while 1:
            next=pykd.ptrPtr(next)
            if not next:
                break
            funcaddr=pykd.ptrPtr(next+g_mwordsize)
            symbolname=pykd.findSymbol(funcaddr)
            print 'routine:%x %s' % (funcaddr, symbolname)
    except Exception, err:
        print traceback.format_exc()
Пример #26
0
def listIopTimer():
    try:
        print '-'*10+'IopTimer'+'-'*10
        head=pykd.getOffset('nt!IopTimerQueueHead')
        next=head
        while 1:
            next=pykd.ptrPtr(next)
            if next==head:
                break
            funcaddr=pykd.ptrPtr(next+g_mwordsize*2)
            symbolname=pykd.findSymbol(funcaddr)
            print 'routine:%x %s' % (funcaddr, symbolname)
    except Exception, err:
        print traceback.format_exc()
Пример #27
0
def listDriverByPsLoadedModuleList():
    driverlist = []
    try:
        PsLoadedModuleList = pykd.getOffset('nt!PsLoadedModuleList')
        l = pykd.typedVarList(PsLoadedModuleList, 'nt!_LDR_DATA_TABLE_ENTRY',
                              'InLoadOrderLinks')
        for i in l:
            if int(i.InLoadOrderLinks) == PsLoadedModuleList:
                continue
            info = DriverInfo()
            if info.init2(i):
                driverlist.append(info)

    except Exception, err:
        print traceback.format_exc()
Пример #28
0
def listPlugPlay():
    try:
        print '-' * 10 + 'PlugPlay' + '-' * 10
        table = pykd.getOffset('nt!IopDeviceClassNotifyList')
        for i in xrange(13):
            head = table + g_mwordsize * i * 2
            next = head
            while 1:
                next = pykd.ptrPtr(next)
                if next == head:
                    break
                funcaddr = pykd.ptrPtr(next + g_mwordsize * 5)
                symbolname = pykd.findSymbol(funcaddr)
                print 'routine:%x %s' % (funcaddr, symbolname)
    except Exception, err:
        print traceback.format_exc()
Пример #29
0
def listPlugPlay():
    try:
        print '-'*10+'PlugPlay'+'-'*10
        table=pykd.getOffset('nt!IopDeviceClassNotifyList')
        for i in xrange(13):
            head=table+g_mwordsize*i*2
            next=head
            while 1:
                next=pykd.ptrPtr(next)
                if next==head:
                    break
                funcaddr=pykd.ptrPtr(next+g_mwordsize*5)
                symbolname=pykd.findSymbol(funcaddr)
                print 'routine:%x %s' % (funcaddr, symbolname)
    except Exception, err:
        print traceback.format_exc()
Пример #30
0
def inspectMsgHook():
    msglist=[]
    try:
        gSharedInfo=pykd.getOffset('win32k!gSharedInfo')
        serverinfo=pykd.ptrPtr(gSharedInfo)
        aheList=pykd.ptrPtr(gSharedInfo+g_mwordsize)
        if is_2000() or is_xp():
            count=pykd.ptrPtr(serverinfo+g_mwordsize*2)
        else:
            count=pykd.ptrPtr(serverinfo+g_mwordsize*1)
        
        for i in xrange(count):
            entry=aheList+i*3*g_mwordsize
            phook=pykd.ptrPtr(entry) #head
            type=pykd.ptrByte(entry+2*g_mwordsize)
            if type!=5:
                continue
            
            try:
                handle=pykd.ptrPtr(phook)
                msgtype=pykd.ptrPtr(phook+6*g_mwordsize)
                funcoffset=pykd.ptrPtr(phook+7*g_mwordsize)
                flags=pykd.ptrPtr(phook+8*g_mwordsize)
                if flags&1:
                    bGlobal=1
                else:
                    bGlobal=0
                    
                pti=pykd.ptrPtr(phook+2*g_mwordsize)
                threadobjectaddr=pykd.ptrPtr(pti)
                threadobject=pykd.typedVar('nt!_ETHREAD', threadobjectaddr)
                pid=int(threadobject.Cid.UniqueProcess)
                tid=(threadobject.Cid.UniqueThread)
                try:
                    processobject=pykd.typedVar('nt!_EPROCESS', threadobject.ThreadsProcess)
                except Exception, err:
                    processobject=pykd.typedVar('nt!_EPROCESS', threadobject.Tcb.Process)
                processpath=pykd.loadUnicodeString(processobject.SeAuditProcessCreationInfo.ImageFileName.Name)
                
                msginfo=MsgInfo(handle=handle, pid=pid, tid=tid, msgtype=msgtype, funcoffset=funcoffset, bGlobal=bGlobal, processpath=processpath)
                msglist.append(msginfo)

            except Exception, err:
                print err
Пример #31
0
def listFsNotifyChange():
    try:
        print '-'*10+'FsNotifyChange'+'-'*10
        head=pykd.getOffset('nt!IopFsNotifyChangeQueueHead')
        next=head
        while 1:
            next=pykd.ptrPtr(next)
            if next==head:
                break
            dirverobjectaddr=pykd.ptrPtr(next+g_mwordsize*2)
            funcaddr=pykd.ptrPtr(next+g_mwordsize*3)
            try:
                driverobject=pykd.typedVar('nt!_DRIVER_OBJECT', dirverobjectaddr) 
                drivername=pykd.loadUnicodeString(driverobject.DriverName)
            except Exception, err:
                drivername=''
            symbolname=pykd.findSymbol(funcaddr)
            print 'routine:%x %s driver:%s' % (funcaddr, symbolname, drivername)
    except Exception, err:
        print traceback.format_exc()
Пример #32
0
def listFsNotifyChange():
    try:
        print '-' * 10 + 'FsNotifyChange' + '-' * 10
        head = pykd.getOffset('nt!IopFsNotifyChangeQueueHead')
        next = head
        while 1:
            next = pykd.ptrPtr(next)
            if next == head:
                break
            dirverobjectaddr = pykd.ptrPtr(next + g_mwordsize * 2)
            funcaddr = pykd.ptrPtr(next + g_mwordsize * 3)
            try:
                driverobject = pykd.typedVar('nt!_DRIVER_OBJECT',
                                             dirverobjectaddr)
                drivername = pykd.loadUnicodeString(driverobject.DriverName)
            except Exception, err:
                drivername = ''
            symbolname = pykd.findSymbol(funcaddr)
            print 'routine:%x %s driver:%s' % (funcaddr, symbolname,
                                               drivername)
    except Exception, err:
        print traceback.format_exc()
Пример #33
0
def inspectSSDT():
    kernelbase = g_kernelbase
    KeServiceDescriptorTable = pykd.getOffset('nt!KeServiceDescriptorTable')
    KiServiceTable = pykd.ptrPtr(KeServiceDescriptorTable)
    serviceCount = pykd.ptrMWord(KeServiceDescriptorTable + 2 * g_mwordsize)
    print 'nt!KeServiceDescriptorTable:0x%x' % KeServiceDescriptorTable
    print 'nt!KiServiceTable:0x%x' % KiServiceTable
    print 'serviceCount:0x%x(%d)' % (serviceCount, serviceCount)
    ssdttable = pykd.loadPtrs(KiServiceTable, serviceCount)

    table_rva = (KiServiceTable - kernelbase)
    print 'KiServiceTable rva:0x%x' % table_rva

    filedata = open(g_kernelpath, 'rb').read()
    pe = pefile.PE(data=filedata, fast_load=True)
    if pe.DOS_HEADER.e_magic != 0X5A4D or pe.NT_HEADERS.Signature != 0x4550:
        raise Exception("%s is not a pe file" % filepath)

    table_fileoffset = pe.get_offset_from_rva(table_rva)
    print 'KiServiceTable file offset:0x%x' % table_fileoffset
    d = filedata[table_fileoffset:table_fileoffset +
                 g_mwordsize * serviceCount]
    number = 0
    for i in xrange(serviceCount):
        source = binascii.b2a_hex(d[i * g_mwordsize:(i + 1) *
                                    g_mwordsize][::-1])
        source = pykd.addr64(int(source, 16)) - pykd.addr64(
            pe.OPTIONAL_HEADER.ImageBase) + kernelbase
        symbolname = pykd.findSymbol(source)
        current = ssdttable[i]
        if source == current:
            print 'source:0x%x current:0x%x %s' % (source, current, symbolname)
        else:
            hooksymbolname = pykd.findSymbol(current)
            print 'source:0x%x %s <-> current:0x%x %s hooked!!!!!!!' % (
                source, symbolname, current, hooksymbolname)
            number += 1
    print 'hooked function number:', number
Пример #34
0
def listShutdown():
    try:
        print '-'*10+'Shutdown'+'-'*10
        
        IRP_MJ_SHUTDOWN=0x10
        #define IRP_MJ_SHUTDOWN                 0x10
        head=pykd.getOffset('nt!IopNotifyShutdownQueueHead')
        next=head
        while 1:
            next=pykd.ptrPtr(next)
            if next==head:
                break
            try:
                deviceobjectaddr=pykd.ptrPtr(next+g_mwordsize*2)
                deviceobject=pykd.typedVar('nt!_DEVICE_OBJECT', deviceobjectaddr) 
                driverobject=pykd.typedVar('nt!_DRIVER_OBJECT', int(deviceobject.DriverObject))  
                funcaddr=pykd.ptrPtr(driverobject.MajorFunction+g_mwordsize*IRP_MJ_SHUTDOWN)
                symbolname=pykd.findSymbol(funcaddr)
                print 'routine:%x %s' % (funcaddr, symbolname)
            except Exception, err:
                pass
    except Exception, err:
        print traceback.format_exc()
Пример #35
0
 def testTypedVarByAddress(self):
     var5 = pykd.typedVar(
         pykd.getOffset(target.moduleName, "Namespace3::var5"))
     self.assertEqual(var5.m_field1, 5)
Пример #36
0
def getOffset(arg1):
    return pykd.getOffset(arg1)
Пример #37
0
def sym_off_to_addr(sym_off):
    sym_off = sym_off.split("+")
    if len(sym_off) > 1:
        return pykd.getOffset(sym_off[0]) + int(sym_off[1], 16)
    else:
        return pykd.getOffset(sym_off[0])
Пример #38
0
def listSocket():
    try:
        r=pykd.dbgCommand('.reload tcpip.sys')
        if is_2000():
            print 'no support'
        elif is_xp() or is_2003():
            AddrObjTable=pykd.getOffset('tcpip!AddrObjTable')
            AddrObjTable=pykd.ptrPtr(AddrObjTable)
            AddrObjTableSize=pykd.getOffset('tcpip!AddrObjTableSize')
            AddrObjTableSize=pykd.ptrPtr(AddrObjTableSize)
            print '='*20
            print 'AddrObjTable:%x AddrObjTableSize:%d' % (AddrObjTable, AddrObjTableSize)
            if pykd.is64bitSystem():
                Next_offset=0
                localIP_offset=0x58 #4bytes
                LocalPort_offset=0x5c#2bytes
                Protocol_offset=0x5e #2bytes
                pid_offset=0x238 #4bytes
            else:
                if is_xp():
                    Next_offset=0
                    localIP_offset=0x2c #4bytes
                    LocalPort_offset=0x30#2bytes
                    Protocol_offset=0x32 #2bytes
                    pid_offset=0x148 #4bytes
                    
                elif is_2003():
                    Next_offset=0
                    localIP_offset=0x30 #4bytes
                    LocalPort_offset=0x34#2bytes
                    Protocol_offset=0x36 #2bytes
                    pid_offset=0x14c #4bytes
            
            print 'local remote protocol pid'
            for i in xrange(AddrObjTableSize):
                obj=pykd.ptrPtr(AddrObjTable+i*g_mwordsize)
                while obj!=0:
                    LocalIP=pykd.ptrMWord(obj+localIP_offset)
                    LocalPort=pykd.ptrWord(obj+LocalPort_offset)
                    LocalPort=socket.htons(LocalPort)
                    Protocol=pykd.ptrWord(obj+Protocol_offset)
                    pid=pykd.ptrMWord(obj+pid_offset)
                    Protocol=g_protocols.get(Protocol)
                    print '%16s:%5d *.* %10s %d' % (socket.inet_ntoa(struct.pack('I', LocalIP)), LocalPort, Protocol, pid)
                    obj=pykd.ptrPtr(obj+Next_offset)

            print '='*20
            
            TCBTable=pykd.getOffset('tcpip!TCBTable')
            TCBTable=pykd.ptrPtr(TCBTable)
            MaxHashTableSize=pykd.getOffset('tcpip!MaxHashTableSize')
            MaxHashTableSize=pykd.ptrPtr(MaxHashTableSize)
            print 'TCBTable:%x MaxHashTableSize:%d' % (TCBTable, MaxHashTableSize)
            
            Next_offset=0
            RemoteIP_offset=0x0c#4bytes
            LocalIP_offset=0x10#4bytes
            RemotePort_offset=0x14#2bytes
            LocalPort_offset=0x16 #2bytes
            pid_offset=0x18 #4bytes
                
            print 'local remote protocol pid'
            for i in xrange(MaxHashTableSize):
                obj=pykd.ptrPtr(TCBTable+i*g_mwordsize)
                while obj!=0:
                    RemoteIP=pykd.ptrMWord(obj+RemoteIP_offset)
                    LocalIP=pykd.ptrMWord(obj+LocalIP_offset)
                    RemotePort=pykd.ptrWord(obj+RemotePort_offset)
                    RemotePort=socket.htons(RemotePort)
                    LocalPort=pykd.ptrWord(obj+LocalPort_offset)
                    LocalPort=socket.htons(LocalPort)
                    pid=pykd.ptrMWord(obj+pid_offset)
                    print '%16s:%5d %16s:%5d  TCP %d' % (socket.inet_ntoa(struct.pack('I', LocalIP)), LocalPort, socket.inet_ntoa(struct.pack('I', RemoteIP)), RemotePort, pid)
                    obj=pykd.ptrPtr(obj+Next_offset)
        else:
            print 'no support'
        
        
    except Exception, err:
        print err
Пример #39
0
 def testTemplates(self):
     ti3 = pykd.typeInfo(target.moduleName, "Namespace3::Class3<int>")
     var5 = pykd.typedVar(
         ti3, pykd.getOffset(target.moduleName, "Namespace3::var5"))
     self.assertEqual(var5.m_field1, 5)
Пример #40
0
#!/usr/bin/env python
# -*- coding: utf-8 -*
# author: SAI
import os,sys,time
import traceback
import pykd
from common import *
mmhighestuseraddress=pykd.ptrPtr(pykd.getOffset('nt!MmHighestUserAddress'))
class ProcessInfo(object):
    def init(self, eprocessobj):
        try:
            if eprocessobj.ObjectTable<mmhighestuseraddress or eprocessobj.VadRoot<mmhighestuseraddress or eprocessobj.QuotaBlock<mmhighestuseraddress:
                return False
        
            self.eprocessaddr=int(eprocessobj)
            self.pid=int(eprocessobj.UniqueProcessId)
            self.parentpid=int(eprocessobj.InheritedFromUniqueProcessId)
            self.peb=int(eprocessobj.Peb)
            filepath=pykd.loadUnicodeString(eprocessobj.SeAuditProcessCreationInfo.ImageFileName.Name)
            filepath=revise_filepath(filepath)
            name=pykd.loadChars(eprocessobj.ImageFileName, 16)
            if name.startswith('\x00'):
                name=''
            name=name.strip('\x00')
            self.filepath, self.name=guess_filepath(filepath, name)
            return True
            
        except Exception, err:
            print traceback.format_exc()
            return False
        
Пример #41
0
 def get_address(self, name):
     return pykd.getOffset(name)
Пример #42
0
def listSocket():
    try:
        r = pykd.dbgCommand('.reload tcpip.sys')
        if is_2000():
            print 'no support'
        elif is_xp() or is_2003():
            AddrObjTable = pykd.getOffset('tcpip!AddrObjTable')
            AddrObjTable = pykd.ptrPtr(AddrObjTable)
            AddrObjTableSize = pykd.getOffset('tcpip!AddrObjTableSize')
            AddrObjTableSize = pykd.ptrPtr(AddrObjTableSize)
            print '=' * 20
            print 'AddrObjTable:%x AddrObjTableSize:%d' % (AddrObjTable,
                                                           AddrObjTableSize)
            if pykd.is64bitSystem():
                Next_offset = 0
                localIP_offset = 0x58  #4bytes
                LocalPort_offset = 0x5c  #2bytes
                Protocol_offset = 0x5e  #2bytes
                pid_offset = 0x238  #4bytes
            else:
                if is_xp():
                    Next_offset = 0
                    localIP_offset = 0x2c  #4bytes
                    LocalPort_offset = 0x30  #2bytes
                    Protocol_offset = 0x32  #2bytes
                    pid_offset = 0x148  #4bytes

                elif is_2003():
                    Next_offset = 0
                    localIP_offset = 0x30  #4bytes
                    LocalPort_offset = 0x34  #2bytes
                    Protocol_offset = 0x36  #2bytes
                    pid_offset = 0x14c  #4bytes

            print 'local remote protocol pid'
            for i in xrange(AddrObjTableSize):
                obj = pykd.ptrPtr(AddrObjTable + i * g_mwordsize)
                while obj != 0:
                    LocalIP = pykd.ptrMWord(obj + localIP_offset)
                    LocalPort = pykd.ptrWord(obj + LocalPort_offset)
                    LocalPort = socket.htons(LocalPort)
                    Protocol = pykd.ptrWord(obj + Protocol_offset)
                    pid = pykd.ptrMWord(obj + pid_offset)
                    Protocol = g_protocols.get(Protocol)
                    print '%16s:%5d *.* %10s %d' % (socket.inet_ntoa(
                        struct.pack('I', LocalIP)), LocalPort, Protocol, pid)
                    obj = pykd.ptrPtr(obj + Next_offset)

            print '=' * 20

            TCBTable = pykd.getOffset('tcpip!TCBTable')
            TCBTable = pykd.ptrPtr(TCBTable)
            MaxHashTableSize = pykd.getOffset('tcpip!MaxHashTableSize')
            MaxHashTableSize = pykd.ptrPtr(MaxHashTableSize)
            print 'TCBTable:%x MaxHashTableSize:%d' % (TCBTable,
                                                       MaxHashTableSize)

            Next_offset = 0
            RemoteIP_offset = 0x0c  #4bytes
            LocalIP_offset = 0x10  #4bytes
            RemotePort_offset = 0x14  #2bytes
            LocalPort_offset = 0x16  #2bytes
            pid_offset = 0x18  #4bytes

            print 'local remote protocol pid'
            for i in xrange(MaxHashTableSize):
                obj = pykd.ptrPtr(TCBTable + i * g_mwordsize)
                while obj != 0:
                    RemoteIP = pykd.ptrMWord(obj + RemoteIP_offset)
                    LocalIP = pykd.ptrMWord(obj + LocalIP_offset)
                    RemotePort = pykd.ptrWord(obj + RemotePort_offset)
                    RemotePort = socket.htons(RemotePort)
                    LocalPort = pykd.ptrWord(obj + LocalPort_offset)
                    LocalPort = socket.htons(LocalPort)
                    pid = pykd.ptrMWord(obj + pid_offset)
                    print '%16s:%5d %16s:%5d  TCP %d' % (
                        socket.inet_ntoa(struct.pack('I', LocalIP)), LocalPort,
                        socket.inet_ntoa(struct.pack(
                            'I', RemoteIP)), RemotePort, pid)
                    obj = pykd.ptrPtr(obj + Next_offset)
        else:
            print 'no support'

    except Exception, err:
        print err
Пример #43
0
def sym_off_to_addr(sym_off):
    sym_off = sym_off.split("+")
    if len(sym_off) > 1:
        return pykd.getOffset(sym_off[0]) + int(sym_off[1], 16)
    else:
        return pykd.getOffset(sym_off[0])
Пример #44
0
    if not fl:
        raise Exception("%s not exists, have you installed the latest windbg?" % extdirpath)

    dirpath = fl[0]
    l = os.listdir(dirpath)
    for i in l:
        filepath = os.path.join(dirpath, i)
        if i in default_exts:
            print "load", filepath
            pykd.dbgCommand(".load %s" % filepath)

print "load extensions ok"
nt = pykd.module("nt")
g_kernelsize = int(nt.size())
g_kernelbase = int(nt.begin())
module_entry = pykd.ptrMWord(pykd.getOffset("nt!PsLoadedModuleList"))
module_entry = pykd.typedVar("nt!_LDR_DATA_TABLE_ENTRY", module_entry)
kernelpath = pykd.loadUnicodeString(module_entry.FullDllName)
name = os.path.basename(kernelpath)
g_kernelpath = os.path.join(g_system32dir, name)
if not os.path.exists(g_kernelpath):
    raise Exception("can't find %s" % g_kernelpath)
imagename = nt.image()
kernelbasepath = os.path.join(g_system32dir, imagename)
import shutil

if not os.path.exists(kernelbasepath):
    shutil.copy(g_kernelpath, kernelbasepath)

g_currentprocess = pykd.typedVar("nt!_EPROCESS", pykd.getCurrentProcess())
print "current process:%x" % g_currentprocess.getAddress()
Пример #45
0
def getOffset(funName):
    return pykd.getOffset(funName)
Пример #46
0
 def __init__(self):
     addr = pykd.getOffset("ntdll!RtlReAllocateHeap")
     if addr is None:
         return
     self.bp_init = pykd.setBp(addr, self.enter_call_back)
     self.bp_end = None
Пример #47
0
#!/usr/bin/env python
# -*- coding: utf-8 -*
# author: SAI
import os, sys, time
import traceback
import pykd
from common import *
mmhighestuseraddress = pykd.ptrPtr(pykd.getOffset('nt!MmHighestUserAddress'))


def inspectKernelTimer():
    try:
        cmdline = '.reload;'
        r = pykd.dbgCommand(cmdline)
        cmdline = r'!timer'
        r = pykd.dbgCommand(cmdline)
        r = r.splitlines()
        start = 0
        idx = 0
        for i in r:
            i = i.strip()
            if i.startswith('List Timer'):
                start = 1
                continue

            if start != 1:
                continue

            data = i.strip()
            pos = data.find('(DPC @ ')
            if pos != -1:
Пример #48
0
 def resolve_name(self, name):  # return None on fail
     try:
         return pykd.getOffset(name)
     except BaseException:
         return None