import functools
import os
import unittest

import windows
import windows.pe_parse
import windows.utils
from windows import winproxy
from windows.dbg import LocalKernelDebugger


def RequireSymbol(symbol_name):
    """Skip the decorated test when `symbol_name` cannot be resolved.

    The real decorator lives elsewhere in the test suite; this is an assumed
    minimal reconstruction so that this file runs on its own.
    """
    def decorator(test_method):
        @functools.wraps(test_method)
        def wrapper(self, *args, **kwargs):
            try:
                offset = self.kdbg.get_symbol_offset(symbol_name)
            except Exception:
                offset = None
            if not offset:
                self.skipTest("symbol {0} is not available".format(symbol_name))
            return test_method(self, *args, **kwargs)
        return wrapper
    return decorator


class IDebugSymbolsTestCase(unittest.TestCase):

    @classmethod
    def setUpClass(cls):
        # Pin the process to CPU 0 so the local kernel debugger session is
        # always driven from the same processor.
        windows.winproxy.SetThreadAffinityMask(dwThreadAffinityMask=(1 << 0))
        cls.kdbg = LocalKernelDebugger()
        modules = windows.utils.get_kernel_modules()
        cls.modules = modules
        # The first kernel module returned is the kernel image itself (ntoskrnl).
        cls.ntkernelbase = modules[0].Base
        cls.kernelpath = modules[0].ImageName[:]
        cls.kernelpath = os.path.expandvars(
            cls.kernelpath.replace("\\SystemRoot", "%SystemRoot%"))
        # Map the kernel image in user mode to read its export table, then
        # rebase the NtCreateFile export onto the real kernel load address.
        cls.kernelmod = winproxy.LoadLibraryA(cls.kernelpath)
        pe = windows.pe_parse.PEFile(cls.kernelmod)
        cls.NtCreateFileVA = pe.exports['NtCreateFile'] - cls.kernelmod + cls.ntkernelbase

    def setUp(self):
        pass

    def tearDown(self):
        #self.kdbg.detach()
        self.kdbg = None

    def test_get_symbol_offset(self):
        # IDebugSymbols::GetOffsetByName
        x = self.kdbg.get_symbol_offset("nt")
        self.assertEqual(x, self.ntkernelbase)

    @RequireSymbol("ntdll!NtCreateFile")
    def test_get_symbol_offset_user(self):
        # IDebugSymbols::GetOffsetByName
        x = windows.utils.get_func_addr("ntdll", "NtCreateFile")
        y = self.kdbg.get_symbol_offset("ntdll!NtCreateFile")
        self.assertEqual(x, y)

    @RequireSymbol("nt!NtCreateFile")
    def test_get_symbol(self):
        # IDebugSymbols::GetNameByOffset
        x = self.kdbg.get_symbol(self.NtCreateFileVA)
        self.assertEqual(x[0], 'nt!NtCreateFile')
        self.assertEqual(x[1], 0x00)

    @RequireSymbol("ntdll!NtCreateFile")
    def test_get_symbol_user(self):
        # IDebugSymbols::GetNameByOffset
        # NtCreateFile and ZwCreateFile share the same address in ntdll, so
        # either name is an acceptable answer.
        x = windows.utils.get_func_addr("ntdll", "NtCreateFile")
        y = self.kdbg.get_symbol(x)
        self.assertIn(y[0], ["ntdll!NtCreateFile", "ntdll!ZwCreateFile"])

    def test_get_number_modules(self):
        # IDebugSymbols::GetNumberModules
        loaded, unloaded = self.kdbg.get_number_modules()
        # At least the kernel image itself must be reported as loaded.
        self.assertGreaterEqual(loaded, 1)

    def test_get_module_by_index(self):
        # IDebugSymbols::GetModuleByIndex
        for i in range(self.kdbg.get_number_modules()[0]):
            x = self.kdbg.get_module_by_index(i)
            if x == self.ntkernelbase:
                return
        raise AssertionError("ntoskrnl not found")

    def test_get_module_name_by_index(self):
        # IDebugSymbols::GetModuleNames
        for i in range(self.kdbg.get_number_modules()[0]):
            x = self.kdbg.get_module_name_by_index(i)
            if x[1] == "nt":
                return
        raise AssertionError("ntoskrnl not found")

    def test_symbol_match(self):
        # IDebugSymbols::StartSymbolMatch | IDebugSymbols::GetNextSymbolMatch | IDebugSymbols::EndSymbolMatch
        x = list(self.kdbg.symbol_match("nt!NtCreateF*"))
        self.assertEqual(x[0][0], 'nt!NtCreateFile')
        self.assertEqual(x[0][1], self.NtCreateFileVA)