diff --git a/snippets/findhandle.py b/snippets/findhandle.py new file mode 100644 index 0000000..f3d41e0 --- /dev/null +++ b/snippets/findhandle.py @@ -0,0 +1,46 @@ +from pykd import * +import ntobj +import sys + +nt = module("nt") + + +def findHanle(objaddr): + + processList = typedVarList( nt.PsActiveProcessHead, "nt!_EPROCESS", "ActiveProcessLinks" ) + + for process in processList: + + dprintln( "search in process %x " % process.UniqueProcessId + "".join( [chr(i) for i in process.ImageFileName if i != 0] ) ) + + objects = ntobj.getListByHandleTable( process.ObjectTable ) + for obj in objects: + if obj[0] == objaddr: + dprintln("\tHandle: %x" % ( obj[1],) ) + + +def usage(): + dprintln("!py findhandle object_address") + +def main(): + + if not isKernelDebugging(): + dprintln("This script for kernel debugging only") + return + + if len(sys.argv) < 2: + usage(); + return; + + objaddr = expr(sys.argv[1]) + + objectType = ntobj.getType(objaddr) + + dprintln("Object Type: " + ntobj.getObjectName(objectType) ) + dprintln("Object Name: "+ ntobj.getObjectName(objaddr) ) + dprintln("") + + findHanle( objaddr ) + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/snippets/ntobj.py b/snippets/ntobj.py index 8ef9486..c14a1be 100644 --- a/snippets/ntobj.py +++ b/snippets/ntobj.py @@ -124,7 +124,6 @@ def buildObjectName(p): return objectFullName - HANDLE_VALUE_INC = 4 HT_PAGE_SIZE = 4096 HT_ENTRY_SIZE = (2 * ptrSize()) @@ -177,11 +176,11 @@ def getListByHandleTable(tableHandles=None, objTypeAddr=0, containHeaders=True): continue if (0 == objTypeAddr): - lstObjects.append(p) + lstObjects.append( ( p, HandleEntryIndex*HANDLE_VALUE_INC) ) else: pCurrentType = getType(p) if (addr64(objTypeAddr) == addr64(pCurrentType)): - lstObjects.append(p) + lstObjects.append( ( p, HandleEntryIndex*HANDLE_VALUE_INC) ) return lstObjects 
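Review bot: The match `if obj[0] == objaddr:` in findHanle compares the raw pointer taken from the handle table against the value returned by `expr(sys.argv[1])`, whereas getListByHandleTable in the same commit normalizes both sides with `addr64()` before comparing; a sign-extended versus zero-extended 32-bit kernel address would silently never match, so use `if addr64(obj[0]) == addr64(objaddr):` here as well (addr64 should already be in scope through the pykd star import, as ntobj's own use suggests). The function name `findHanle` is misspelled and is referenced only once from main, so renaming it to `findHandle` is safe within this file. The script also depends on the tuple shape introduced in ntobj.py, which deserves a comment at the loop, e.g. `# each entry is (object_address, handle_value) -- see ntobj.getListByHandleTable`. The stray semicolons on `usage();` and `return;` are harmless but not idiomatic Python.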
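Review bot: The return contract of getListByHandleTable changes from a list of object addresses to a list of `(p, HandleEntryIndex*HANDLE_VALUE_INC)` tuples, but nothing in the hunk documents the new element shape, and any caller other than the updated main() in this file and the new findhandle.py would now receive tuples where it expects addresses. Add to the function's docstring that each element is a `(object_address, handle_value)` pair and that handle_value is the entry index multiplied by HANDLE_VALUE_INC (4). The handle computation is duplicated in both branches; computing `handle = HandleEntryIndex * HANDLE_VALUE_INC` once before the `if (0 == objTypeAddr):` test leaves a single place to adjust should the index-to-handle mapping ever need the table level folded in, which this hunk alone does not show. The enclosing function begins before this hunk and its handle-table level dispatch continues past it.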
@@ -230,6 +229,8 @@ def getListByHandleTable(tableHandles=None, objTypeAddr=0, containHeaders=True): dprintln("ERROR: Unknown handle table level: %u" % nTableLevel) return list() + + NUMBER_HASH_BUCKETS = 37 @@ -398,7 +399,8 @@ def main(): dprintln(main.__doc__, True) return - lstObjects = getListByHandleTable(tableHandles, objTypeAddr, containHeaders) + lstObjects = [ p[0] for p in getListByHandleTable(tableHandles, objTypeAddr, containHeaders) ] + dprintln("%u objects:" % len(lstObjects)) for object in lstObjects: objectType = getType(object)
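Review bot: The new comprehension `lstObjects = [ p[0] for p in getListByHandleTable(tableHandles, objTypeAddr, containHeaders) ]` immediately discards the handle value that this same commit added to the returned tuples, so main() still prints objects without the handle that is now available. Keeping the pairs, `lstObjects = getListByHandleTable(tableHandles, objTypeAddr, containHeaders)` followed by `for object, handle in lstObjects:`, and adding `handle` to the per-object output would expose the new information here the same way findhandle.py does, while `len(lstObjects)` for the `%u objects:` line is unchanged. The loop variable `object` shadows the builtin, but that line is pre-existing context rather than part of this change. main() starts before and continues after this hunk.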