zjgcjy/pykd
1
0
Fork 0
mirror of https://github.com/ivellioscolin/pykd.git synced 2025-04-21 04:13:22 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

[0.2.x] added : snippet findhandle.py ( search all handle for specified object )

Browse Source 
git-svn-id: https://pykd.svn.codeplex.com/svn@80001 9b283d60-5439-405e-af05-b73fd8c4d996
This commit is contained in:
SND\kernelnet_cp 2012-10-04 07:00:17 +00:00 committed by Mikhail I. Izmestev
parent 8e13e35311
commit 0cfe451562
2 changed files with 52 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
snippets/findhandle.py Normal file
View File

@ -0,0 +1,46 @@
from pykd import *
import ntobj
import sys
nt = module("nt")
def findHanle(objaddr):
processList = typedVarList( nt.PsActiveProcessHead, "nt!_EPROCESS", "ActiveProcessLinks" )
for process in processList:
dprintln( "search in process %x " % process.UniqueProcessId + "".join( [chr(i) for i in process.ImageFileName if i != 0] ) )
objects = ntobj.getListByHandleTable( process.ObjectTable )
for obj in objects:
if obj[0] == objaddr:
dprintln("\tHandle: %x" % ( obj[1],) )
def usage():
dprintln("!py findhandle object_address")
def main():
if not isKernelDebugging():
dprintln("This script for kernel debugging only")
return
if len(sys.argv) < 2:
usage();
return;
objaddr = expr(sys.argv[1])
objectType = ntobj.getType(objaddr)
dprintln("Object Type: " + ntobj.getObjectName(objectType) )
dprintln("Object Name: "+ ntobj.getObjectName(objaddr) )
dprintln("")
findHanle( objaddr )
if __name__ == "__main__":
main()

10
snippets/ntobj.py
View File

@ -124,7 +124,6 @@ def buildObjectName(p):
return objectFullName return objectFullName
HANDLE_VALUE_INC = 4 HANDLE_VALUE_INC = 4
HT_PAGE_SIZE = 4096 HT_PAGE_SIZE = 4096
HT_ENTRY_SIZE = (2 * ptrSize()) HT_ENTRY_SIZE = (2 * ptrSize())
@ -177,11 +176,11 @@ def getListByHandleTable(tableHandles=None, objTypeAddr=0, containHeaders=True):
continue continue
if (0 == objTypeAddr): if (0 == objTypeAddr):
lstObjects.append(p) lstObjects.append( ( p, HandleEntryIndex*HANDLE_VALUE_INC) )
else: else:
pCurrentType = getType(p) pCurrentType = getType(p)
if (addr64(objTypeAddr) == addr64(pCurrentType)): if (addr64(objTypeAddr) == addr64(pCurrentType)):
lstObjects.append(p) lstObjects.append( ( p, HandleEntryIndex*HANDLE_VALUE_INC) )
return lstObjects return lstObjects
@ -230,6 +229,8 @@ def getListByHandleTable(tableHandles=None, objTypeAddr=0, containHeaders=True):
dprintln("ERROR: Unknown handle table level: %u" % nTableLevel) dprintln("ERROR: Unknown handle table level: %u" % nTableLevel)
return list() return list()
NUMBER_HASH_BUCKETS = 37 NUMBER_HASH_BUCKETS = 37
@ -398,7 +399,8 @@ def main():
dprintln(main.__doc__, True) dprintln(main.__doc__, True)
return return
lstObjects = getListByHandleTable(tableHandles, objTypeAddr, containHeaders) lstObjects = [ p[0] for p in getListByHandleTable(tableHandles, objTypeAddr, containHeaders) ]
dprintln("%u objects:" % len(lstObjects)) dprintln("%u objects:" % len(lstObjects))
for object in lstObjects: for object in lstObjects:
objectType = getType(object) objectType = getType(object)