From 1d0963832e95a89b9a3aecd67580f662e727362b Mon Sep 17 00:00:00 2001
From: "SND\\kernelnet_cp"
 <SND\kernelnet_cp@9b283d60-5439-405e-af05-b73fd8c4d996>
Date: Tue, 10 Apr 2012 05:47:38 +0000
Subject: [PATCH] [0.1.x] added : samples

git-svn-id: https://pykd.svn.codeplex.com/svn@75401 9b283d60-5439-405e-af05-b73fd8c4d996
---
 samples/km/drvobj.py   | 79 ++++++++++++++++++++++++++++++++++++++++++
 samples/km/proclist.py | 32 +++++++++++++++++
 samples/km/ssdt.py     | 65 ++++++++++++++++++++++++++++++++++
 samples/samples.py     | 11 ++++++
 4 files changed, 187 insertions(+)
 create mode 100644 samples/km/drvobj.py
 create mode 100644 samples/km/proclist.py
 create mode 100644 samples/km/ssdt.py
 create mode 100644 samples/samples.py

diff --git a/samples/km/drvobj.py b/samples/km/drvobj.py
new file mode 100644
index 0000000..6defd16
--- /dev/null
+++ b/samples/km/drvobj.py
@@ -0,0 +1,79 @@
+from pykd import *
+import sys
+
+
+def loadSymbols():
+   global nt
+   nt = loadModule( "nt" )
+
+
+def getObjectInDir( dirObj, objName ):
+
+    if objName.find( "\\" ) != -1:
+        ( dirSubName, objSubName ) =  objName.split("\\", 1)
+    else:
+        dirSubName = objName
+ 
+    for i in range( 0, 37 ):
+
+       if dirObj.HashBuckets[i] != 0:
+          dirEntry = typedVar( "nt!_OBJECT_DIRECTORY_ENTRY", dirObj.HashBuckets[i] )
+
+          while dirEntry != 0:
+
+              objHeader = containingRecord( dirEntry.Object, "nt!_OBJECT_HEADER", "Body" )
+
+              objName = typedVar( "nt!_OBJECT_HEADER_NAME_INFO",  objHeader.getAddress() - objHeader.NameInfoOffset )
+              name = loadUnicodeString( objName.Name.getAddress() )
+
+              if name.lower() == dirSubName.lower():
+
+                if objHeader.Type == ptrPtr( nt.ObpDirectoryObjectType ):
+                    return getObjectInDir( typedVar( "nt!_OBJECT_DIRECTORY", dirEntry.Object), objSubName )
+                else:
+                    return  dirEntry.Object
+
+              if dirEntry.ChainLink != 0:
+                  dirEntry = typedVar( "nt!_OBJECT_DIRECTORY_ENTRY", dirEntry.ChainLink )
+              else:
+                  dirEntry = 0    
+
+
+def getObjectByName( objName ):
+
+    if len(objName)==0: 
+        return
+
+    if objName[0] != '\\':
+        return
+
+    rootDir = typedVar( "nt!_OBJECT_DIRECTORY", ptrPtr( nt.ObpRootDirectoryObject ) )
+   
+    return getObjectInDir( rootDir, objName[1:] )
+
+
+
+def printDrvMajorTable( drvName ):
+
+    objName = "\\Driver\\" + drvName
+    drvObjPtr = getObjectByName( objName )
+    
+    if drvObjPtr == None:
+        dprintln( "object not found" )
+        return
+ 
+    drvObj = typedVar( "nt!_DRIVER_OBJECT", drvObjPtr )
+     
+    for i in range( len(drvObj.MajorFunction) ):
+        dprintln( "MajorFunction[%d] = %s" % ( i, findSymbol( drvObj.MajorFunction[i] ) ) )
+
+
+
+if __name__ == "__main__":
+
+   if not isWindbgExt():
+      loadDump( sys.argv[1] )
+
+   loadSymbols();
+
+   printDrvMajorTable( "afd" )
\ No newline at end of file
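Review bot: `getObjectInDir` raises NameError on the directory branch when the requested name has no backslash left, because `objSubName` is only bound in the `if` branch at the top; `getObjectByName("\\Driver")` matches the `Driver` directory and then recurses with an unbound name. Initialize it in the else branch, `dirSubName, objSubName = objName, ""`, and recurse only when there is a remainder, `if objSubName and objHeader.Type == ptrPtr( nt.ObpDirectoryObjectType ):`, so a path that ends on a directory returns that directory object instead of failing. The bucket count `37` is hard-coded while `printDrvMajorTable` already uses `len( drvObj.MajorFunction )`; `len( dirObj.HashBuckets )` would keep the loop tied to the structure definition. The name read also trusts `objHeader.NameInfoOffset` unconditionally; a zero offset (an unnamed object, or a tampered header in a dump you are examining for rootkit activity) makes `loadUnicodeString` read inside the header itself, so guarding the read with `if objHeader.NameInfoOffset != 0:` before computing `objName` is worth adding.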
diff --git a/samples/km/proclist.py b/samples/km/proclist.py
new file mode 100644
index 0000000..70f2f0c
--- /dev/null
+++ b/samples/km/proclist.py
@@ -0,0 +1,32 @@
+
+import sys
+from pykd import *
+
+
+def processInfo():
+
+    nt = module( "nt" )
+
+    processList = typedVarList( nt.PsActiveProcessHead, "nt!_EPROCESS", "ActiveProcessLinks"  )
+
+    for process in processList:
+        print "".join( [chr(i) for i in process.ImageFileName if i != 0] )
+
+
+def main():
+
+    if not isWindbgExt():
+        if not loadDump( sys.argv[1] ):
+             dprintln( sys.argv[1] + " - load failed" )
+             return
+
+    if not isKernelDebugging():
+        dprintln( "not a kernel debugging" )
+        return   
+                 
+    processInfo()
+
+if __name__ == "__main__":
+    main()
+
+
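Review bot: `processInfo` enumerates only what is reachable from `nt!PsActiveProcessHead` through `ActiveProcessLinks`, so a process unlinked from that list (the classic DKOM hiding technique) is never printed; since this is a kernel sample people will reach for during triage, say so in a comment, e.g. `# walks ActiveProcessLinks only; a DKOM-unlinked process is not shown`. The name is emitted with a bare `print` while the rest of the file and the other samples use `dprintln`; `dprintln( "".join( [chr(i) for i in process.ImageFileName if i != 0] ) )` keeps the output in the debugger's output stream consistently. `main` also indexes `sys.argv[1]` without checking `len( sys.argv )`, so running the script outside WinDbg with no dump path fails with IndexError rather than a usage message.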
diff --git a/samples/km/ssdt.py b/samples/km/ssdt.py
new file mode 100644
index 0000000..45adbbb
--- /dev/null
+++ b/samples/km/ssdt.py
@@ -0,0 +1,65 @@
+from pykd import *
+import sys
+
+def checkSSDT():
+
+   nt = loadModule( "nt" )
+
+   if is64bitSystem():   
+
+        def getServiceAddrWlh(Start, Offset):
+            return Start + (Offset / 16)
+
+        def getServiceAddr2k3(Start, Offset):
+            return Start + (Offset & ~0xf)
+
+        if (ptrWord(nt.NtBuildNumber) == 3790):
+            getServiceAddr = getServiceAddr2k3
+        else:
+            getServiceAddr = getServiceAddrWlh
+
+        serviceTableHeader = loadQWords( nt.KeServiceDescriptorTable, 4 )       
+        serviceTableStart = serviceTableHeader[0]
+        serviceCount = serviceTableHeader[2]
+
+        dprintln( "ServiceTable  start: %(1)x  count: %(2)x" % { "1" : serviceTableStart, "2" : serviceCount } )
+
+        serviceTable = loadSignDWords( serviceTableStart, serviceCount ) 
+
+        for i in range( 0, serviceCount ):
+            routineAddress = getServiceAddr(serviceTableStart, serviceTable[i]);
+            dprintln( "[%u] " % i + findSymbol( routineAddress ) )
+
+   else:
+
+       serviceTableHeader = loadDWords( nt.KeServiceDescriptorTable, 4 )
+       serviceTableStart = serviceTableHeader[0]
+       serviceCount = serviceTableHeader[2]
+
+       dprintln( "ServiceTable  start: %(1)x  count: %(2)x" % { "1" : serviceTableStart, "2" : serviceCount } )
+
+       serviceTable = loadPtrs( serviceTableStart, serviceCount ) 
+
+       for i in range( 0, serviceCount ):
+          dprintln( "[%u] " % i + findSymbol( serviceTable[i] ) )       
+
+        
+
+if __name__ == "__main__":
+
+
+    while True:
+
+        if not isWindbgExt():
+            if not loadDump( sys.argv[1] ):
+                dprintln( sys.argv[1] + " - load failed" )
+                break
+
+        if not isKernelDebugging():
+            dprintln( "not a kernel debugging" )
+            break 
+                 
+        checkSSDT()
+        break      
+
+	
\ No newline at end of file
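Review bot: `getServiceAddrWlh` computes `Start + (Offset / 16)`, which only performs the intended arithmetic shift on a signed offset under Python 2 integer division; `Start + (Offset >> 4)` is the shift the kernel itself applies and gives the same result on either Python version. The sample prints every resolved entry but never flags a hooked one; since dumping the SSDT is done to find hooks, consider marking entries whose resolved symbol is not inside `nt` (e.g. a `findSymbol` result that does not start with `nt!`, assuming it returns the `module!symbol` form) so a hook stands out instead of relying on the reader to scan the list. `serviceCount` is read straight from `KeServiceDescriptorTable` and passed as the length to `loadSignDWords`/`loadPtrs`; on a corrupted table that is an unbounded read, so a sanity cap on the count is a cheap guard. The two branches duplicate the header decode and the print loop, differing only in word size and entry decoding; factoring the loop into one helper would shorten the file.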
diff --git a/samples/samples.py b/samples/samples.py
new file mode 100644
index 0000000..0714417
--- /dev/null
+++ b/samples/samples.py
@@ -0,0 +1,11 @@
+from pykd import dprintln
+
+dprintln( "<b>Kernel mode</b>", True )
+dprintln( "<link cmd=\"!py proclist\">Get process list</link>", True )
+dprintln( "<link cmd=\"!py ssdt\">Get kernel service list (SDT)</link>", True )
+dprintln( "<link cmd=\"!py drvobj\">Get driver object</link>", True )
+dprintln("")
+
+dprintln( "<b>User mode</b>", True )
+dprintln("")
+
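Review bot: The DML links run `!py proclist`, `!py ssdt` and `!py drvobj` by bare script name, so they only work when the `samples/km` scripts are wherever `!py` resolves unqualified names (presumably the current directory or the pykd script search path); a one-line comment at the top saying where the menu expects to be run from, e.g. `# expects samples/km on the pykd script search path`, would save users a failed click. The "User mode" heading is printed with no entries beneath it; either drop it or leave a comment noting it is a placeholder.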