def init1(self, ldr):
    """Fill this module record from a loader-table entry.

    Args:
        ldr: pykd typed variable exposing FullDllName, BaseDllName, DllBase,
            EntryPoint and SizeOfImage; a null value (``int(ldr) == 0``) is
            treated as "no entry".

    Returns:
        True when every field was read, False for a null entry or when any
        read raised (the traceback is printed; nothing propagates).
    """
    try:
        # Nothing to describe behind a null loader pointer.
        if not int(ldr):
            return False
        full_path = revise_filepath(pykd.loadUnicodeString(ldr.FullDllName))
        base_name = pykd.loadUnicodeString(ldr.BaseDllName)
        self.filepath, self.name = guess_filepath(full_path, base_name)
        self.baseaddr = int(ldr.DllBase)
        self.entrypoint = int(ldr.EntryPoint)
        self.size = int(ldr.SizeOfImage)
        return True
    except Exception:
        # Best effort: an unreadable module is reported, not fatal.
        print(traceback.format_exc())
        return False
def init2(self, ldr):
    """Fill this driver record from an nt!_LDR_DATA_TABLE_ENTRY address.

    Args:
        ldr: address of the loader entry; 0 means "no entry".

    Returns:
        True on success, False when ``ldr`` is 0 or a read fails (traceback
        printed). ``driverobjectaddr`` is reset to 0 here; a caller that knows
        the owning driver object sets it afterwards.
    """
    try:
        if not int(ldr):
            return False
        entry = pykd.typedVar('nt!_LDR_DATA_TABLE_ENTRY', ldr)
        self.driverobjectaddr = 0
        full_path = revise_filepath(pykd.loadUnicodeString(entry.FullDllName))
        base_name = pykd.loadUnicodeString(entry.BaseDllName)
        self.filepath, self.name = guess_filepath(full_path, base_name)
        self.baseaddr = int(entry.DllBase)
        self.modulesize = int(entry.SizeOfImage)
        self.entrypoint = int(entry.EntryPoint)
        return True
    except Exception:
        print(traceback.format_exc())
        return False
def init2(self, ldr):
    """Populate the driver record from a loaded-module list entry.

    ``ldr`` is the address of an nt!_LDR_DATA_TABLE_ENTRY (0 = none).
    Returns True when the entry was read; False for a null address or after
    printing the traceback of a failed read. ``driverobjectaddr`` is cleared
    to 0 on the way in so a stale value never survives a re-init.
    """
    try:
        if int(ldr) == 0:
            return False
        ldr_entry = pykd.typedVar('nt!_LDR_DATA_TABLE_ENTRY', ldr)
        self.driverobjectaddr = 0
        raw_path = pykd.loadUnicodeString(ldr_entry.FullDllName)
        raw_name = pykd.loadUnicodeString(ldr_entry.BaseDllName)
        self.filepath, self.name = guess_filepath(revise_filepath(raw_path), raw_name)
        self.baseaddr = int(ldr_entry.DllBase)
        self.modulesize = int(ldr_entry.SizeOfImage)
        self.entrypoint = int(ldr_entry.EntryPoint)
        return True
    except Exception:
        print(traceback.format_exc())
        return False
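def inspectMsgHook():
    """Enumerate installed window-message hooks from win32k's shared handle table.

    Walks the ``aheList`` handle entries referenced by ``win32k!gSharedInfo``,
    keeps entries whose type byte is 5 (TYPE_HOOK in win32k's handle-type
    enum) and resolves each hook's owning thread and process through its
    THREADINFO pointer.

    Returns:
        list of ``MsgInfo`` records, one per hook entry that could be read;
        entries that raise while being read are printed and skipped.

    NOTE(review): the listing this block was recovered from ends inside the
    outer ``try`` (no handler, no return), and ``msglist`` was never handed
    back. The outer handler and ``return msglist`` are reconstructed to match
    the file's other functions (print the traceback, stay non-fatal). The
    layout constants (3 words per handle entry; hook fields at word offsets
    2/6/7/8; handle count at word 1 or 2 of SERVERINFO) are hard-coded for the
    builds this script targets — confirm against the symbols in use.
    """
    msglist = []
    try:
        gSharedInfo = pykd.getOffset('win32k!gSharedInfo')
        serverinfo = pykd.ptrPtr(gSharedInfo)
        aheList = pykd.ptrPtr(gSharedInfo + g_mwordsize)
        # The handle-count field sits one word further into SERVERINFO on
        # Windows 2000/XP than on later builds.
        if is_2000() or is_xp():
            count = pykd.ptrPtr(serverinfo + g_mwordsize * 2)
        else:
            count = pykd.ptrPtr(serverinfo + g_mwordsize * 1)
        for i in range(count):
            entry = aheList + i * 3 * g_mwordsize
            phook = pykd.ptrPtr(entry)  # head
            # Renamed from ``type``, which shadowed the builtin.
            entry_type = pykd.ptrByte(entry + 2 * g_mwordsize)
            if entry_type != 5:
                continue
            try:
                handle = pykd.ptrPtr(phook)
                msgtype = pykd.ptrPtr(phook + 6 * g_mwordsize)
                funcoffset = pykd.ptrPtr(phook + 7 * g_mwordsize)
                flags = pykd.ptrPtr(phook + 8 * g_mwordsize)
                bGlobal = 1 if flags & 1 else 0
                pti = pykd.ptrPtr(phook + 2 * g_mwordsize)
                threadobjectaddr = pykd.ptrPtr(pti)
                threadobject = pykd.typedVar('nt!_ETHREAD', threadobjectaddr)
                pid = int(threadobject.Cid.UniqueProcess)
                # tid is passed through as the typed value, as the original did;
                # only pid is converted.
                tid = threadobject.Cid.UniqueThread
                # ThreadsProcess is tried first; presumably it is missing on
                # some builds, so KTHREAD.Process is the fallback.
                try:
                    processobject = pykd.typedVar('nt!_EPROCESS', threadobject.ThreadsProcess)
                except Exception:
                    processobject = pykd.typedVar('nt!_EPROCESS', threadobject.Tcb.Process)
                processpath = pykd.loadUnicodeString(
                    processobject.SeAuditProcessCreationInfo.ImageFileName.Name)
                msglist.append(MsgInfo(handle=handle, pid=pid, tid=tid,
                                       msgtype=msgtype, funcoffset=funcoffset,
                                       bGlobal=bGlobal, processpath=processpath))
            except Exception as err:
                # One unreadable hook must not abort the whole walk.
                print(err)
    except Exception:
        print(traceback.format_exc())
    return msglist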
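def reloadModules():
    """Rebuild the global ``moduleList`` and the per-module globals for the target.

    Each module in the target's load-order list is published as a module-level
    global named after its lower-cased module name and collected in
    ``moduleList`` so the next call can clear those globals first. In kernel
    debugging the list comes from ``nt!PsLoadedModuleList`` and ``nt`` is added
    explicitly (``ntoskrnl.exe`` is skipped during the walk so it is not added
    twice); in user mode the current process's PEB loader list is used.

    Fix: the original executed ``moduleList = []`` *after* appending ``nt`` in
    the kernel branch, so the kernel module was dropped from the list and its
    global was never cleared on the next reload. The new list is now built in
    a local and assigned once at the end.
    """
    global moduleList
    # Clear the globals published by the previous reload.
    for m in moduleList:
        globals()[m.name().lower()] = None
    reloaded = []
    if pykd.isKernelDebugging():
        global nt
        nt = pykd.loadModule("nt")
        modules = pykd.typedVarList(nt.PsLoadedModuleList, "nt",
                                    "_LDR_DATA_TABLE_ENTRY", "InLoadOrderLinks")
        reloaded.append(nt)
    else:
        # The original bound this to an unused local; the call is kept since
        # loading ntdll presumably makes the _PEB/_PEB_LDR_DATA types resolvable.
        pykd.loadModule("ntdll")
        peb = pykd.typedVar("ntdll", "_PEB", pykd.getCurrentProcess())
        ldr = pykd.typedVar("ntdll", "_PEB_LDR_DATA", peb.Ldr)
        modules = pykd.typedVarList(ldr.InLoadOrderModuleList.getAddress(), "ntdll",
                                    "_LDR_DATA_TABLE_ENTRY", "InLoadOrderLinks")
    for m in modules:
        baseName = str(pykd.loadUnicodeString(m.BaseDllName.getAddress()))
        if baseName == "ntoskrnl.exe":
            continue  # already covered by the explicit ``nt`` entry
        module = pykd.findModule(m.DllBase)
        globals()[module.name().lower()] = module
        reloaded.append(module)
    moduleList = reloaded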
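def inspectMsgHook():
    """Collect the window-message hooks recorded in win32k's shared handle table.

    Reads ``win32k!gSharedInfo`` for the SERVERINFO pointer and the ``aheList``
    handle array, keeps handle entries whose type byte is 5 (TYPE_HOOK in
    win32k's handle-type enum) and, for each, resolves the owning thread and
    process via the THREADINFO pointer stored in the hook object.

    Returns:
        list of ``MsgInfo`` records for every hook entry that could be read;
        a hook that raises while being read is printed and skipped.

    NOTE(review): the recovered listing stops inside the outer ``try`` and
    never returns ``msglist``; the outer handler (print traceback, non-fatal,
    like the file's other functions) and the return are reconstructed here.
    Word offsets (entry stride 3, hook fields at 2/6/7/8, count at word 1 or 2
    of SERVERINFO) are hard-coded for the targeted builds — verify against
    the loaded symbols.
    """
    msglist = []
    try:
        gSharedInfo = pykd.getOffset('win32k!gSharedInfo')
        serverinfo = pykd.ptrPtr(gSharedInfo)
        aheList = pykd.ptrPtr(gSharedInfo + g_mwordsize)
        # Windows 2000/XP keep the handle count one word later in SERVERINFO.
        count_word = 2 if (is_2000() or is_xp()) else 1
        count = pykd.ptrPtr(serverinfo + g_mwordsize * count_word)
        for index in range(count):
            entry = aheList + index * 3 * g_mwordsize
            phook = pykd.ptrPtr(entry)  # head
            entry_type = pykd.ptrByte(entry + 2 * g_mwordsize)  # was ``type`` (shadowed builtin)
            if entry_type != 5:
                continue
            try:
                handle = pykd.ptrPtr(phook)
                msgtype = pykd.ptrPtr(phook + 6 * g_mwordsize)
                funcoffset = pykd.ptrPtr(phook + 7 * g_mwordsize)
                flags = pykd.ptrPtr(phook + 8 * g_mwordsize)
                bGlobal = int(bool(flags & 1))
                pti = pykd.ptrPtr(phook + 2 * g_mwordsize)
                threadobject = pykd.typedVar('nt!_ETHREAD', pykd.ptrPtr(pti))
                pid = int(threadobject.Cid.UniqueProcess)
                tid = threadobject.Cid.UniqueThread  # left as the typed value, as before
                # ThreadsProcess first, KTHREAD.Process as fallback (presumably
                # the former is absent on some builds).
                try:
                    processobject = pykd.typedVar('nt!_EPROCESS', threadobject.ThreadsProcess)
                except Exception:
                    processobject = pykd.typedVar('nt!_EPROCESS', threadobject.Tcb.Process)
                processpath = pykd.loadUnicodeString(
                    processobject.SeAuditProcessCreationInfo.ImageFileName.Name)
                msglist.append(MsgInfo(handle=handle, pid=pid, tid=tid, msgtype=msgtype,
                                       funcoffset=funcoffset, bGlobal=bGlobal,
                                       processpath=processpath))
            except Exception as err:
                # Keep walking; one bad entry is not a reason to lose the rest.
                print(err)
    except Exception:
        print(traceback.format_exc())
    return msglist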
def init1(self, driverobjectaddr):
    """Fill this driver record from an nt!_DRIVER_OBJECT address.

    The loader entry behind ``DriverSection`` is preferred (via ``init2``).
    When that is unavailable the fields come from the driver object itself,
    in which case ``entrypoint`` is unknown and left at 0. ``driverobjectaddr``
    is set after ``init2`` on both paths because ``init2`` resets it to 0.

    Returns:
        True on success, False after printing the traceback of any exception.
    """
    try:
        driverobject = pykd.typedVar('nt!_DRIVER_OBJECT', driverobjectaddr)
        from_loader_entry = self.init2(int(driverobject.DriverSection))
        self.driverobjectaddr = int(driverobject)
        if from_loader_entry:
            return True
        raw_path = pykd.loadUnicodeString(driverobject.DriverName)
        self.filepath, self.name = guess_filepath(revise_filepath(raw_path))
        self.baseaddr = int(driverobject.DriverStart)
        self.modulesize = int(driverobject.DriverSize)
        self.entrypoint = 0
        return True
    except Exception:
        print(traceback.format_exc())
        return False
def listFsNotifyChange():
    """Print every routine registered for file-system change notification.

    Walks the circular list anchored at ``nt!IopFsNotifyChangeQueueHead`` and
    prints, per node, the callback address, its symbol and the registering
    driver's name (empty when the driver object cannot be read). The node
    layout (driver object at word 2, routine at word 3) is assumed by the
    script rather than taken from symbols.
    """
    try:
        print('-' * 10 + 'FsNotifyChange' + '-' * 10)
        head = pykd.getOffset('nt!IopFsNotifyChangeQueueHead')
        node = pykd.ptrPtr(head)
        while node != head:
            driverobjectaddr = pykd.ptrPtr(node + g_mwordsize * 2)
            funcaddr = pykd.ptrPtr(node + g_mwordsize * 3)
            try:
                driverobject = pykd.typedVar('nt!_DRIVER_OBJECT', driverobjectaddr)
                drivername = pykd.loadUnicodeString(driverobject.DriverName)
            except Exception:
                drivername = ''
            symbolname = pykd.findSymbol(funcaddr)
            print('routine:%x %s driver:%s' % (funcaddr, symbolname, drivername))
            node = pykd.ptrPtr(node)
    except Exception:
        print(traceback.format_exc())
def init1(self, driverobjectaddr):
    """Populate the driver record from the nt!_DRIVER_OBJECT at ``driverobjectaddr``.

    Tries the loader entry referenced by ``DriverSection`` first; if ``init2``
    cannot use it, falls back to DriverName/DriverStart/DriverSize from the
    driver object with ``entrypoint`` = 0. Returns True on success, False
    (traceback printed) on any exception.
    """
    try:
        drvobj = pykd.typedVar('nt!_DRIVER_OBJECT', driverobjectaddr)
        if self.init2(int(drvobj.DriverSection)):
            # init2 zeroed driverobjectaddr; restore the real value.
            self.driverobjectaddr = int(drvobj)
            return True
        self.driverobjectaddr = int(drvobj)
        full_path = revise_filepath(pykd.loadUnicodeString(drvobj.DriverName))
        self.filepath, self.name = guess_filepath(full_path)
        self.baseaddr = int(drvobj.DriverStart)
        self.modulesize = int(drvobj.DriverSize)
        self.entrypoint = 0  # not recoverable from the driver object alone
        return True
    except Exception:
        print(traceback.format_exc())
        return False
def main():
    """Print name, pool tag and pool type of every registered object type.

    Reads the 37-bucket hash table behind ``nt!ObpTypeDirectoryObject``
    (64-bit layout: ``loadQWords``) and, for each non-empty bucket, decodes
    the first directory entry's object as an _OBJECT_TYPE. The field offsets
    below are hard-coded for one 64-bit build family — they are not derived
    from symbols, so verify them against the target before trusting the
    output. Only buckets' head entries are visited; chained entries are not
    followed. Pool type values other than 1 / 0x200 are printed numerically.
    """
    BUCKET_COUNT = 37
    ENTRY_OBJECT_OFFSET = 8          # _OBJECT_DIRECTORY_ENTRY.Object
    TYPE_NAME_OFFSET = 0x10          # _OBJECT_TYPE.Name
    TYPE_KEY_OFFSET = 0xc0           # _OBJECT_TYPE.Key (pool tag)
    TYPE_POOLTYPE_OFFSET = 0x40 + 0x24  # _OBJECT_TYPE.TypeInfo.PoolType
    POOL_TYPE_NAMES = {1: 'PagedPool', 0x200: 'NonPagedPoolNx'}

    nt_module = pykd.module("nt")
    ObpTypeDirectoryObject_addr = int(nt_module.ObpTypeDirectoryObject)
    ObpTypeDirectoryObject_value = pykd.loadQWords(ObpTypeDirectoryObject_addr, 1)[0]
    dict_entry_list = pykd.loadQWords(ObpTypeDirectoryObject_value, BUCKET_COUNT)
    print('TypeName PoolTag PoolType')
    for dict_entry in dict_entry_list:
        if dict_entry == 0:
            continue  # empty bucket
        type_obj_addr = pykd.loadQWords(dict_entry + ENTRY_OBJECT_OFFSET, 1)[0]
        name_str = pykd.loadUnicodeString(type_obj_addr + TYPE_NAME_OFFSET)
        key_str = pykd.loadCStr(type_obj_addr + TYPE_KEY_OFFSET)
        pool_type = pykd.loadDWords(type_obj_addr + TYPE_POOLTYPE_OFFSET, 1)[0]
        pool_type = POOL_TYPE_NAMES.get(pool_type, pool_type)
        print('%s\n%s\n%s\n' % (name_str, key_str, pool_type))
def init(self, eprocessobj):
    """Fill this process record from an nt!_EPROCESS typed variable.

    An object whose ObjectTable, VadRoot or QuotaBlock pointer lies below
    ``mmhighestuseraddress`` is rejected (returns False) as not being a real
    kernel process object — a cheap sanity check against garbage or freed
    entries during a pool walk.

    Returns:
        True when the record was filled, False when rejected or when a read
        raised (traceback printed).
    """
    try:
        if (eprocessobj.ObjectTable < mmhighestuseraddress
                or eprocessobj.VadRoot < mmhighestuseraddress
                or eprocessobj.QuotaBlock < mmhighestuseraddress):
            return False
        self.eprocessaddr = int(eprocessobj)
        self.pid = int(eprocessobj.UniqueProcessId)
        self.parentpid = int(eprocessobj.InheritedFromUniqueProcessId)
        self.peb = int(eprocessobj.Peb)
        full_path = revise_filepath(pykd.loadUnicodeString(
            eprocessobj.SeAuditProcessCreationInfo.ImageFileName.Name))
        # ImageFileName is a fixed 16-byte buffer: a leading NUL means empty,
        # otherwise the NUL padding is stripped.
        short_name = pykd.loadChars(eprocessobj.ImageFileName, 16)
        short_name = '' if short_name.startswith('\x00') else short_name.strip('\x00')
        self.filepath, self.name = guess_filepath(full_path, short_name)
        return True
    except Exception:
        print(traceback.format_exc())
        return False
def listFsNotifyChange():
    """List the callbacks queued at nt!IopFsNotifyChangeQueueHead.

    Each list node is read as: driver object pointer at word offset 2,
    callback routine at word offset 3 (layout assumed by the script). For each
    node the routine address, its resolved symbol and the driver's name are
    printed; the name is blank when the driver object cannot be read. Any
    other failure prints a traceback and ends the listing.
    """
    try:
        print('-' * 10 + 'FsNotifyChange' + '-' * 10)
        head = pykd.getOffset('nt!IopFsNotifyChangeQueueHead')
        current = head
        while True:
            current = pykd.ptrPtr(current)
            if current == head:
                break  # back at the list head: done
            drvobj_addr = pykd.ptrPtr(current + g_mwordsize * 2)
            routine = pykd.ptrPtr(current + g_mwordsize * 3)
            try:
                drvobj = pykd.typedVar('nt!_DRIVER_OBJECT', drvobj_addr)
                drivername = pykd.loadUnicodeString(drvobj.DriverName)
            except Exception:
                drivername = ''
            print('routine:%x %s driver:%s' % (routine, pykd.findSymbol(routine), drivername))
    except Exception:
        print(traceback.format_exc())
def init(self, eprocessobj):
    """Populate the process record from an nt!_EPROCESS typed variable.

    Rejects (returns False) any object whose ObjectTable, VadRoot or QuotaBlock
    pointer is below ``mmhighestuseraddress``; those cannot be live kernel
    process objects. Otherwise records the EPROCESS address, pid, parent pid,
    PEB, audit image path and the 16-char ImageFileName. Returns True on
    success, False (traceback printed) on any exception.
    """
    try:
        below_kernel = mmhighestuseraddress
        if eprocessobj.ObjectTable < below_kernel:
            return False
        if eprocessobj.VadRoot < below_kernel:
            return False
        if eprocessobj.QuotaBlock < below_kernel:
            return False
        self.eprocessaddr = int(eprocessobj)
        self.pid = int(eprocessobj.UniqueProcessId)
        self.parentpid = int(eprocessobj.InheritedFromUniqueProcessId)
        self.peb = int(eprocessobj.Peb)
        audit_name = eprocessobj.SeAuditProcessCreationInfo.ImageFileName.Name
        full_path = revise_filepath(pykd.loadUnicodeString(audit_name))
        image_name = pykd.loadChars(eprocessobj.ImageFileName, 16)
        if image_name.startswith('\x00'):
            image_name = ''  # unset buffer
        image_name = image_name.strip('\x00')  # drop NUL padding
        self.filepath, self.name = guess_filepath(full_path, image_name)
        return True
    except Exception:
        print(traceback.format_exc())
        return False
# Load the debugger extensions found in the first search directory, then
# locate the running kernel on disk and stage it under the image name the
# debugger reports so symbol/image lookups find it.
# Only names listed in ``default_exts`` are passed to ``.load``; other files
# in the directory are ignored.
import shutil

dirpath = fl[0]
l = os.listdir(dirpath)
for i in l:
    filepath = os.path.join(dirpath, i)
    if i not in default_exts:
        continue
    print("load %s" % filepath)
    pykd.dbgCommand(".load %s" % filepath)
print("load extensions ok")

nt = pykd.module("nt")
g_kernelsize = int(nt.size())
g_kernelbase = int(nt.begin())

# First entry of PsLoadedModuleList is the kernel itself; its FullDllName
# tells us which kernel image file is running.
module_entry = pykd.typedVar("nt!_LDR_DATA_TABLE_ENTRY",
                             pykd.ptrMWord(pykd.getOffset("nt!PsLoadedModuleList")))
kernelpath = pykd.loadUnicodeString(module_entry.FullDllName)
name = os.path.basename(kernelpath)
g_kernelpath = os.path.join(g_system32dir, name)
if not os.path.exists(g_kernelpath):
    raise Exception("can't find %s" % g_kernelpath)

# Make a copy named after the module image name when it does not exist yet.
imagename = nt.image()
kernelbasepath = os.path.join(g_system32dir, imagename)
if not os.path.exists(kernelbasepath):
    shutil.copy(g_kernelpath, kernelbasepath)

g_currentprocess = pykd.typedVar("nt!_EPROCESS", pykd.getCurrentProcess())
print("current process:%x" % g_currentprocess.getAddress())
print("kernel:%s base:%x size:%x(%d)" % (g_kernelpath, g_kernelbase, g_kernelsize, g_kernelsize))
# Extension loading and kernel image staging.
#   1. ``.load`` every file in fl[0] whose name is in ``default_exts``.
#   2. Read the kernel's on-disk name from the first PsLoadedModuleList entry,
#      require it under g_system32dir, and copy it to the name nt.image()
#      reports if that file is missing.
#   3. Record kernel base/size and the current EPROCESS in globals.
dirpath = fl[0]
l = os.listdir(dirpath)
for i in l:
    filepath = os.path.join(dirpath, i)
    if i in default_exts:
        print('load %s' % filepath)
        pykd.dbgCommand('.load %s' % filepath)
print('load extensions ok')

nt = pykd.module("nt")
g_kernelsize = int(nt.size())
g_kernelbase = int(nt.begin())

loaded_list_head = pykd.ptrMWord(pykd.getOffset('nt!PsLoadedModuleList'))
module_entry = pykd.typedVar('nt!_LDR_DATA_TABLE_ENTRY', loaded_list_head)
kernelpath = pykd.loadUnicodeString(module_entry.FullDllName)
name = os.path.basename(kernelpath)
g_kernelpath = os.path.join(g_system32dir, name)
if not os.path.exists(g_kernelpath):
    raise Exception("can't find %s" % g_kernelpath)

imagename = nt.image()
kernelbasepath = os.path.join(g_system32dir, imagename)
import shutil
if not os.path.exists(kernelbasepath):
    # Stage a copy under the image name so lookups by that name succeed.
    shutil.copy(g_kernelpath, kernelbasepath)

g_currentprocess = pykd.typedVar('nt!_EPROCESS', pykd.getCurrentProcess())
print('current process:%x' % g_currentprocess.getAddress())
print('kernel:%s base:%x size:%x(%d)' % (g_kernelpath, g_kernelbase, g_kernelsize, g_kernelsize))