[+] drvobj.py sample added
git-svn-id: https://pykd.svn.codeplex.com/svn@53158 9b283d60-5439-405e-af05-b73fd8c4d996
parent
2575bd6bfa
commit
06b508031a
95
samples/drvobj.py
Normal file
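--- /dev/null
+++ b/samples/drvobj.py
@@ -0,0 +1,95 @@
+#
+#
+
+from pykd import *
+import sys
+
+
+def loadSymbols():
+
+    global nt
+    nt = loadModule( "nt" )
+    nt.ObpRootDirectoryObject = getOffset( "nt", "ObpRootDirectoryObject" )
+    nt.ObpDirectoryObjectType = getOffset( "nt", "ObpDirectoryObjectType" )
+
+
+def getObjectInDir( dirObj, objName ):
+
+
+    if objName.find( "\\" ) != -1:
+        ( dirSubName, objSubName ) = objName.split("\\", 1)
+    else:
+        dirSubName = objName
+
+    for i in range( 0, 37 ):
+
+        if dirObj.HashBuckets[i] != 0:
+            dirEntry = typedVar( "nt", "_OBJECT_DIRECTORY_ENTRY", dirObj.HashBuckets[i] )
+
+            while dirEntry != 0:
+
+                objHeader = containingRecord( dirEntry.Object, "nt", "_OBJECT_HEADER", "Body" )
+
+                objName = typedVar( "nt", "_OBJECT_HEADER_NAME_INFO", objHeader.getAddress() - objHeader.NameInfoOffset )
+
+                name = loadUnicodeString( objName.Name.getAddress() )
+
+                if name.lower() == dirSubName.lower():
+
+                    if objHeader.Type == PtrPtr( nt.ObpDirectoryObjectType ):
+                        return getObjectInDir( typedVar( "nt", "_OBJECT_DIRECTORY", dirEntry.Object), objSubName )
+                    else:
+                        return dirEntry.Object
+
+                if dirEntry.ChainLink != 0:
+                    dirEntry = typedVar( "nt", "_OBJECT_DIRECTORY_ENTRY", dirEntry.ChainLink )
+                else:
+                    dirEntry = 0
+
+
+
+
+def getObjectByName( objName ):
+
+    if len(objName)==0:
+        return
+
+    if objName[0] != '\\':
+        return
+
+    rootDir = typedVar( "nt", "_OBJECT_DIRECTORY", PtrPtr( nt.ObpRootDirectoryObject ) )
+
+    return getObjectInDir( rootDir, objName[1:] )
+
+
+
+def printDrvMajorTable( drvName ):
+
+    objName = "\\Driver\\" + drvName
+    drvObjPtr = getObjectByName( objName )
+
+    if drvObjPtr == None:
+        print "object not found"
+        return
+
+    drvObj = typedVar( "nt", "_DRIVER_OBJECT", drvObjPtr )
+
+
+    for i,k in drvObj.MajorFunction.items():
+        print "MajorFunction[%d] = %s" % ( i, findSymbol( k ) )
+
+
+
+if __name__ == "__main__":
+
+    if not isSessionStart():
+        createSession()
+        loadDump( sys.argv[1] )
+
+    loadSymbols();
+
+
+    printDrvMajorTable( "afd" )
+
+
+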
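Review bot: In getObjectInDir the else branch binds only dirSubName, so a name with no further path component that resolves to a directory object reaches the recursive call with objSubName unbound and raises NameError. Bind it in the else branch, `dirSubName, objSubName = objName, None`, and return the entry itself when there is nothing left to resolve: `if objSubName is None or objHeader.Type != PtrPtr( nt.ObpDirectoryObjectType ): return dirEntry.Object`, leaving the recursive call for the remaining case. The loop also rebinds the objName parameter to the _OBJECT_HEADER_NAME_INFO typedVar, which is harmless here only because dirSubName was already computed; naming it nameInfo would make that clear, and `drvObjPtr == None` in printDrvMajorTable should be `is None`. The bucket count 37 is hard-coded; if pykd exposes the array length, iterating `range(len(dirObj.HashBuckets))` would avoid relying on that structure detail.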