    def init1(self, ldr):
        """Fill this record from a typed nt _LDR_DATA_TABLE_ENTRY ``ldr``.

        A NULL entry (``int(ldr) == 0``) is rejected without touching
        ``self``. On success ``filepath``/``name`` (via guess_filepath),
        ``baseaddr``, ``entrypoint`` and ``size`` are set and True is
        returned; any exception is printed as a traceback and yields
        False instead of propagating.
        """
        try:
            if int(ldr) == 0:
                return False

            full_path = revise_filepath(
                pykd.loadUnicodeString(ldr.FullDllName))
            base_name = pykd.loadUnicodeString(ldr.BaseDllName)
            # guess_filepath reconciles the loader's full path with the
            # base name; see its definition for the exact rules.
            self.filepath, self.name = guess_filepath(full_path, base_name)

            self.baseaddr = int(ldr.DllBase)
            self.entrypoint = int(ldr.EntryPoint)
            self.size = int(ldr.SizeOfImage)
            return True
        except Exception:
            # Best effort: report the entry and let the caller skip it.
            print(traceback.format_exc())
            return False
    def init1(self, ldr):
        """Populate this module record from loader entry ``ldr``.

        ``ldr`` is a pykd typed variable for an nt _LDR_DATA_TABLE_ENTRY.
        Returns False for a NULL entry, True once ``filepath``, ``name``,
        ``baseaddr``, ``entrypoint`` and ``size`` have been filled in, and
        False (after printing the traceback) when reading the entry fails.
        """
        try:
            # Nothing to read behind a NULL loader entry.
            if not int(ldr):
                return False

            raw_full = pykd.loadUnicodeString(ldr.FullDllName)
            revised = revise_filepath(raw_full)
            short = pykd.loadUnicodeString(ldr.BaseDllName)
            self.filepath, self.name = guess_filepath(revised, short)

            self.baseaddr = int(ldr.DllBase)
            self.entrypoint = int(ldr.EntryPoint)
            self.size = int(ldr.SizeOfImage)
            return True
        except Exception:
            # Unreadable entries are reported, not fatal.
            print(traceback.format_exc())
            return False
 def init2(self, ldr):
     """Fill this record from the nt _LDR_DATA_TABLE_ENTRY at address ``ldr``.

     ``ldr`` is a raw address; a NULL value is rejected without touching
     ``self``. ``driverobjectaddr`` is reset to 0 here (callers that know
     the owning driver object, such as ``init1``, overwrite it after this
     returns). Returns True on success, False on NULL or on any error,
     in which case the traceback is printed.
     """
     try:
         if int(ldr) == 0:
             return False

         entry = pykd.typedVar('nt!_LDR_DATA_TABLE_ENTRY', ldr)
         self.driverobjectaddr = 0
         full_path = revise_filepath(
             pykd.loadUnicodeString(entry.FullDllName))
         base_name = pykd.loadUnicodeString(entry.BaseDllName)
         self.filepath, self.name = guess_filepath(full_path, base_name)

         self.baseaddr = int(entry.DllBase)
         self.modulesize = int(entry.SizeOfImage)
         self.entrypoint = int(entry.EntryPoint)
         return True
     except Exception:
         # Report and let the caller fall back to another source.
         print(traceback.format_exc())
         return False
    def init2(self, ldr):
        """Populate this driver record from the loader entry at address ``ldr``.

        The address is typed as nt!_LDR_DATA_TABLE_ENTRY and its name,
        base, size and entry point are copied into ``self``;
        ``driverobjectaddr`` is zeroed because a loader entry alone does
        not carry the driver object (``init1`` fills it in afterwards).
        Returns False for a NULL address, True on success, and False with
        a printed traceback on any error.
        """
        try:
            if not int(ldr):
                return False

            section = pykd.typedVar('nt!_LDR_DATA_TABLE_ENTRY', ldr)
            self.driverobjectaddr = 0
            revised = revise_filepath(
                pykd.loadUnicodeString(section.FullDllName))
            short = pykd.loadUnicodeString(section.BaseDllName)
            self.filepath, self.name = guess_filepath(revised, short)

            self.baseaddr = int(section.DllBase)
            self.modulesize = int(section.SizeOfImage)
            self.entrypoint = int(section.EntryPoint)
            return True
        except Exception:
            print(traceback.format_exc())
            return False
def inspectMsgHook():
    msglist = []
    try:
        gSharedInfo = pykd.getOffset('win32k!gSharedInfo')
        serverinfo = pykd.ptrPtr(gSharedInfo)
        aheList = pykd.ptrPtr(gSharedInfo + g_mwordsize)
        if is_2000() or is_xp():
            count = pykd.ptrPtr(serverinfo + g_mwordsize * 2)
        else:
            count = pykd.ptrPtr(serverinfo + g_mwordsize * 1)

        for i in xrange(count):
            entry = aheList + i * 3 * g_mwordsize
            phook = pykd.ptrPtr(entry)  #head
            type = pykd.ptrByte(entry + 2 * g_mwordsize)
            if type != 5:
                continue

            try:
                handle = pykd.ptrPtr(phook)
                msgtype = pykd.ptrPtr(phook + 6 * g_mwordsize)
                funcoffset = pykd.ptrPtr(phook + 7 * g_mwordsize)
                flags = pykd.ptrPtr(phook + 8 * g_mwordsize)
                if flags & 1:
                    bGlobal = 1
                else:
                    bGlobal = 0

                pti = pykd.ptrPtr(phook + 2 * g_mwordsize)
                threadobjectaddr = pykd.ptrPtr(pti)
                threadobject = pykd.typedVar('nt!_ETHREAD', threadobjectaddr)
                pid = int(threadobject.Cid.UniqueProcess)
                tid = (threadobject.Cid.UniqueThread)
                try:
                    processobject = pykd.typedVar('nt!_EPROCESS',
                                                  threadobject.ThreadsProcess)
                except Exception, err:
                    processobject = pykd.typedVar('nt!_EPROCESS',
                                                  threadobject.Tcb.Process)
                processpath = pykd.loadUnicodeString(
                    processobject.SeAuditProcessCreationInfo.ImageFileName.Name
                )

                msginfo = MsgInfo(handle=handle,
                                  pid=pid,
                                  tid=tid,
                                  msgtype=msgtype,
                                  funcoffset=funcoffset,
                                  bGlobal=bGlobal,
                                  processpath=processpath)
                msglist.append(msginfo)

            except Exception, err:
                print err
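def reloadModules():
    """Rebuild the global module table and the per-module global names.

    Every module in the previous ``moduleList`` has its global name
    (``module.name().lower()``) reset to None. The debuggee's loaded-module
    list is then walked -- ``nt!PsLoadedModuleList`` under kernel
    debugging, the current process PEB's InLoadOrderModuleList otherwise
    -- and each module is bound as a global and appended to ``moduleList``.
    Under kernel debugging the ``nt`` module is loaded first and kept in
    ``moduleList`` as well; its ntoskrnl.exe loader entry is skipped so it
    is not added twice.

    Fix: ``moduleList`` is now reset *before* the branch. The original
    reset it after ``moduleList.append(nt)``, which silently dropped
    ``nt`` from the table on every kernel-mode reload.
    """
    global moduleList, nt

    # Unbind the names of the previous table before rebuilding it.
    for m in moduleList:
        globals()[m.name().lower()] = None

    moduleList = []

    if pykd.isKernelDebugging():
        nt = pykd.loadModule("nt")
        modules = pykd.typedVarList(nt.PsLoadedModuleList, "nt",
                                    "_LDR_DATA_TABLE_ENTRY",
                                    "InLoadOrderLinks")
        moduleList.append(nt)
    else:
        # loadModule is kept for its side effects even though the handle
        # itself is not used afterwards.
        ntdll = pykd.loadModule("ntdll")
        peb = pykd.typedVar("ntdll", "_PEB", pykd.getCurrentProcess())
        ldr = pykd.typedVar("ntdll", "_PEB_LDR_DATA", peb.Ldr)
        modules = pykd.typedVarList(ldr.InLoadOrderModuleList.getAddress(),
                                    "ntdll", "_LDR_DATA_TABLE_ENTRY",
                                    "InLoadOrderLinks")

    for m in modules:
        baseName = str(pykd.loadUnicodeString(m.BaseDllName.getAddress()))
        # The kernel is already represented by the ``nt`` entry above.
        if baseName == "ntoskrnl.exe":
            continue
        module = pykd.findModule(m.DllBase)
        globals()[module.name().lower()] = module
        moduleList.append(module)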
def inspectMsgHook():
    msglist=[]
    try:
        gSharedInfo=pykd.getOffset('win32k!gSharedInfo')
        serverinfo=pykd.ptrPtr(gSharedInfo)
        aheList=pykd.ptrPtr(gSharedInfo+g_mwordsize)
        if is_2000() or is_xp():
            count=pykd.ptrPtr(serverinfo+g_mwordsize*2)
        else:
            count=pykd.ptrPtr(serverinfo+g_mwordsize*1)
        
        for i in xrange(count):
            entry=aheList+i*3*g_mwordsize
            phook=pykd.ptrPtr(entry) #head
            type=pykd.ptrByte(entry+2*g_mwordsize)
            if type!=5:
                continue
            
            try:
                handle=pykd.ptrPtr(phook)
                msgtype=pykd.ptrPtr(phook+6*g_mwordsize)
                funcoffset=pykd.ptrPtr(phook+7*g_mwordsize)
                flags=pykd.ptrPtr(phook+8*g_mwordsize)
                if flags&1:
                    bGlobal=1
                else:
                    bGlobal=0
                    
                pti=pykd.ptrPtr(phook+2*g_mwordsize)
                threadobjectaddr=pykd.ptrPtr(pti)
                threadobject=pykd.typedVar('nt!_ETHREAD', threadobjectaddr)
                pid=int(threadobject.Cid.UniqueProcess)
                tid=(threadobject.Cid.UniqueThread)
                try:
                    processobject=pykd.typedVar('nt!_EPROCESS', threadobject.ThreadsProcess)
                except Exception, err:
                    processobject=pykd.typedVar('nt!_EPROCESS', threadobject.Tcb.Process)
                processpath=pykd.loadUnicodeString(processobject.SeAuditProcessCreationInfo.ImageFileName.Name)
                
                msginfo=MsgInfo(handle=handle, pid=pid, tid=tid, msgtype=msgtype, funcoffset=funcoffset, bGlobal=bGlobal, processpath=processpath)
                msglist.append(msginfo)

            except Exception, err:
                print err
    def init1(self, driverobjectaddr):
        """Fill this record from the nt!_DRIVER_OBJECT at ``driverobjectaddr``.

        The loader entry hanging off ``DriverSection`` is tried first via
        ``init2``; when that fails the name, base and size are taken from
        the driver object itself and ``entrypoint`` is set to 0 (no entry
        point is read from the driver object). Returns True on success and
        False, after printing the traceback, on any error.
        """
        try:
            drvobj = pykd.typedVar('nt!_DRIVER_OBJECT', driverobjectaddr)
            if self.init2(int(drvobj.DriverSection)):
                # init2 zeroes driverobjectaddr, so it is recorded afterwards.
                self.driverobjectaddr = int(drvobj)
                return True

            # Fallback: the driver object alone, without a loader entry.
            self.driverobjectaddr = int(drvobj)
            drv_name = pykd.loadUnicodeString(drvobj.DriverName)
            self.filepath, self.name = guess_filepath(revise_filepath(drv_name))

            self.baseaddr = int(drvobj.DriverStart)
            self.modulesize = int(drvobj.DriverSize)
            self.entrypoint = 0
            return True
        except Exception:
            print(traceback.format_exc())
            return False
def listFsNotifyChange():
    """Print every callback queued on nt!IopFsNotifyChangeQueueHead.

    The queue is walked as a circular list: each entry's first machine
    word is the next link, word 2 is read as the registering driver
    object and word 3 as the callback routine. For each entry the routine
    address, its symbol and the driver's name (empty when the driver
    object cannot be read) are printed. Any other failure prints a
    traceback and ends the listing.
    """
    try:
        print('-' * 10 + 'FsNotifyChange' + '-' * 10)
        list_head = pykd.getOffset('nt!IopFsNotifyChangeQueueHead')
        cursor = pykd.ptrPtr(list_head)
        # Termination relies solely on returning to the head; a corrupted
        # list would not terminate.
        while cursor != list_head:
            drv_addr = pykd.ptrPtr(cursor + g_mwordsize * 2)
            routine = pykd.ptrPtr(cursor + g_mwordsize * 3)
            try:
                drv = pykd.typedVar('nt!_DRIVER_OBJECT', drv_addr)
                drv_name = pykd.loadUnicodeString(drv.DriverName)
            except Exception:
                drv_name = ''
            symbol = pykd.findSymbol(routine)
            print('routine:%x %s driver:%s' % (routine, symbol, drv_name))
            cursor = pykd.ptrPtr(cursor)
    except Exception:
        print(traceback.format_exc())
    def init1(self, driverobjectaddr):
        """Populate this driver record from a nt!_DRIVER_OBJECT address.

        ``init2`` is attempted first on the object's ``DriverSection``
        loader entry. If it fails, ``DriverName``, ``DriverStart`` and
        ``DriverSize`` are read from the driver object directly and
        ``entrypoint`` is 0. Either way ``driverobjectaddr`` is recorded
        after ``init2`` has run, since ``init2`` resets it to 0.
        Returns True on success, False (traceback printed) on error.
        """
        try:
            driver = pykd.typedVar('nt!_DRIVER_OBJECT', driverobjectaddr)
            section_addr = int(driver.DriverSection)
            from_section = self.init2(section_addr)
            self.driverobjectaddr = int(driver)
            if from_section:
                return True

            raw_name = pykd.loadUnicodeString(driver.DriverName)
            self.filepath, self.name = guess_filepath(revise_filepath(raw_name))

            self.baseaddr = int(driver.DriverStart)
            self.modulesize = int(driver.DriverSize)
            self.entrypoint = 0
            return True
        except Exception:
            print(traceback.format_exc())
            return False
def main():
    """Dump TypeName, PoolTag and PoolType for the kernel's object types.

    Reads ``nt!ObpTypeDirectoryObject``, then 37 qword slots of the
    directory it points to; for each non-zero slot the object pointed to
    at +8 of that entry is treated as a type object and its name
    (+0x10), pool tag (+0xc0) and pool type (+0x64) are read at fixed
    offsets. Only the first entry of each slot is examined.

    NOTE(review): the offsets and the slot count are hard-coded for one
    64-bit kernel layout and are not validated against the target's
    symbols; confirm them against nt!_OBJECT_TYPE on the debuggee before
    trusting the output on another build. Pool types other than 1 and
    0x200 are printed as their raw number.
    """
    nt_module = pykd.module("nt")
    dir_ptr_addr = int(nt_module.ObpTypeDirectoryObject)
    type_dir = pykd.loadQWords(dir_ptr_addr, 1)[0]
    pool_names = {1: 'PagedPool', 0x200: 'NonPagedPoolNx'}

    print('TypeName    PoolTag    PoolType')

    for slot in pykd.loadQWords(type_dir, 37):
        if slot == 0:
            continue
        type_obj = pykd.loadQWords(slot + 8, 1)[0]
        type_name = pykd.loadUnicodeString(type_obj + 0x10)
        pool_tag = pykd.loadCStr(type_obj + 0xc0)
        raw_pool_type = pykd.loadDWords(type_obj + 0x40 + 0x24, 1)[0]
        pool_type = pool_names.get(raw_pool_type, raw_pool_type)
        print('%s\n%s\n%s\n' % (type_name, pool_tag, pool_type))
 def init(self, eprocessobj):
     """Fill this record from an nt!_EPROCESS typed variable.

     Returns False without touching ``self`` when ``ObjectTable``,
     ``VadRoot`` or ``QuotaBlock`` lies below ``mmhighestuseraddress``
     (kernel object pointers are expected above the user/kernel boundary,
     so such a value marks a stale or bogus process object). Otherwise
     sets ``eprocessaddr``, ``pid``, ``parentpid``, ``peb``, ``filepath``
     and ``name`` and returns True; any error prints a traceback and
     returns False.
     """
     try:
         # Checked lazily in this order so a bad ObjectTable short-circuits
         # before the remaining fields are read.
         suspect = any(getattr(eprocessobj, field) < mmhighestuseraddress
                       for field in ('ObjectTable', 'VadRoot', 'QuotaBlock'))
         if suspect:
             return False

         self.eprocessaddr = int(eprocessobj)
         self.pid = int(eprocessobj.UniqueProcessId)
         self.parentpid = int(eprocessobj.InheritedFromUniqueProcessId)
         self.peb = int(eprocessobj.Peb)
         audit_name = eprocessobj.SeAuditProcessCreationInfo.ImageFileName.Name
         full_path = revise_filepath(pykd.loadUnicodeString(audit_name))
         # ImageFileName is read as a fixed 16-char buffer: a leading NUL
         # means no name, otherwise NUL padding is trimmed.
         short_name = pykd.loadChars(eprocessobj.ImageFileName, 16)
         if short_name.startswith('\x00'):
             short_name = ''
         short_name = short_name.strip('\x00')
         self.filepath, self.name = guess_filepath(full_path, short_name)
         return True

     except Exception:
         print(traceback.format_exc())
         return False
def listFsNotifyChange():
    """List the callbacks registered on nt!IopFsNotifyChangeQueueHead.

    Walks the circular list from the head: per entry, machine word 2 is
    read as the driver object and word 3 as the callback routine, and a
    ``routine:<addr> <symbol> driver:<name>`` line is printed. The driver
    name is left empty when its object cannot be typed. A failure outside
    that lookup prints a traceback and stops the walk.
    """
    try:
        banner = 'FsNotifyChange'
        print('-' * 10 + banner + '-' * 10)
        head_addr = pykd.getOffset('nt!IopFsNotifyChangeQueueHead')
        link = head_addr
        while True:
            link = pykd.ptrPtr(link)
            # Back at the anchor: every entry has been visited.
            if link == head_addr:
                break
            driver_addr = pykd.ptrPtr(link + g_mwordsize * 2)
            routine_addr = pykd.ptrPtr(link + g_mwordsize * 3)
            try:
                driver_obj = pykd.typedVar('nt!_DRIVER_OBJECT', driver_addr)
                driver_name = pykd.loadUnicodeString(driver_obj.DriverName)
            except Exception:
                driver_name = ''
            routine_sym = pykd.findSymbol(routine_addr)
            print('routine:%x %s driver:%s' % (routine_addr, routine_sym,
                                                driver_name))
    except Exception:
        print(traceback.format_exc())
    def init(self, eprocessobj):
        """Populate this process record from an nt!_EPROCESS ``eprocessobj``.

        The object is rejected (False, ``self`` untouched) when any of
        ``ObjectTable``, ``VadRoot`` or ``QuotaBlock`` is below
        ``mmhighestuseraddress``; kernel pointers are expected above it.
        On success ``eprocessaddr``, ``pid``, ``parentpid``, ``peb``,
        ``filepath`` and ``name`` are set and True is returned. Errors
        print a traceback and return False.
        """
        try:
            boundary = mmhighestuseraddress
            if eprocessobj.ObjectTable < boundary:
                return False
            if eprocessobj.VadRoot < boundary:
                return False
            if eprocessobj.QuotaBlock < boundary:
                return False

            self.eprocessaddr = int(eprocessobj)
            self.pid = int(eprocessobj.UniqueProcessId)
            self.parentpid = int(eprocessobj.InheritedFromUniqueProcessId)
            self.peb = int(eprocessobj.Peb)
            audit_info = eprocessobj.SeAuditProcessCreationInfo
            image_path = revise_filepath(
                pykd.loadUnicodeString(audit_info.ImageFileName.Name))
            # 16-char fixed buffer: a leading NUL means the name is absent.
            short = pykd.loadChars(eprocessobj.ImageFileName, 16)
            short = '' if short.startswith('\x00') else short.strip('\x00')
            self.filepath, self.name = guess_filepath(image_path, short)
            return True

        except Exception:
            print(traceback.format_exc())
            return False
    dirpath = fl[0]
    l = os.listdir(dirpath)
    for i in l:
        filepath = os.path.join(dirpath, i)
        if i in default_exts:
            print "load", filepath
            pykd.dbgCommand(".load %s" % filepath)

import shutil

print("load extensions ok")

# Kernel image geometry as seen by the debugger.
nt = pykd.module("nt")
g_kernelsize = int(nt.size())
g_kernelbase = int(nt.begin())

# The first entry of nt!PsLoadedModuleList is the kernel's own loader
# entry; its FullDllName gives the on-disk kernel file name.
module_entry = pykd.typedVar(
    "nt!_LDR_DATA_TABLE_ENTRY",
    pykd.ptrMWord(pykd.getOffset("nt!PsLoadedModuleList")))
kernelpath = pykd.loadUnicodeString(module_entry.FullDllName)
name = os.path.basename(kernelpath)
g_kernelpath = os.path.join(g_system32dir, name)
if not os.path.exists(g_kernelpath):
    raise Exception("can't find %s" % g_kernelpath)

# Make a copy of the kernel file under the image name the debugger
# reports (presumably so later lookups by that name succeed -- verify).
# This writes into g_system32dir, so the session needs write access there.
imagename = nt.image()
kernelbasepath = os.path.join(g_system32dir, imagename)
if not os.path.exists(kernelbasepath):
    shutil.copy(g_kernelpath, kernelbasepath)

g_currentprocess = pykd.typedVar("nt!_EPROCESS", pykd.getCurrentProcess())
print("current process:%x" % g_currentprocess.getAddress())
print("kernel:%s base:%x size:%x(%d)"
      % (g_kernelpath, g_kernelbase, g_kernelsize, g_kernelsize))
    
    dirpath=fl[0]
    l=os.listdir(dirpath)
    for i in l:
        filepath=os.path.join(dirpath, i)
        if i in default_exts:
            print 'load', filepath
            pykd.dbgCommand('.load %s' % filepath)

import shutil

print('load extensions ok')

nt = pykd.module('nt')
g_kernelsize = int(nt.size())
g_kernelbase = int(nt.begin())

# Head entry of nt!PsLoadedModuleList describes the kernel itself.
list_head = pykd.getOffset('nt!PsLoadedModuleList')
module_entry = pykd.typedVar('nt!_LDR_DATA_TABLE_ENTRY', pykd.ptrMWord(list_head))
kernelpath = pykd.loadUnicodeString(module_entry.FullDllName)
name = os.path.basename(kernelpath)
g_kernelpath = os.path.join(g_system32dir, name)
if not os.path.exists(g_kernelpath):
    raise Exception("can't find %s" % g_kernelpath)

# Copy the kernel file under the debugger's image name when that name is
# missing; this writes into g_system32dir. NOTE(review): the reason for the
# copy is not visible here -- presumably so lookups by image name succeed.
imagename = nt.image()
kernelbasepath = os.path.join(g_system32dir, imagename)
if not os.path.exists(kernelbasepath):
    shutil.copy(g_kernelpath, kernelbasepath)

g_currentprocess = pykd.typedVar('nt!_EPROCESS', pykd.getCurrentProcess())
print('current process:%x' % g_currentprocess.getAddress())
print('kernel:%s base:%x size:%x(%d)' % (g_kernelpath, g_kernelbase,
                                         g_kernelsize, g_kernelsize))