From 32f3428469d481bef3989c5c340d62064fac2fba Mon Sep 17 00:00:00 2001 From: "SND\\kernelnet_cp" Date: Thu, 9 Jun 2011 14:09:03 +0000 Subject: [PATCH] [snippets] updated: nbl.py ( added ARP parsing ) git-svn-id: https://pykd.svn.codeplex.com/svn@66516 9b283d60-5439-405e-af05-b73fd8c4d996 --- snippets/nbl.py | 171 +++++++++++++++++++++++++++++++++++++---------- snippets/vmcs.py | 8 +-- 2 files changed, 141 insertions(+), 38 deletions(-) diff --git a/snippets/nbl.py b/snippets/nbl.py index c1a40a6..e2cb988 100644 --- a/snippets/nbl.py +++ b/snippets/nbl.py @@ -249,16 +249,49 @@ class Ip6Packet(): else: s += "MALFORMED\n" - return "" + return s class ARPPacket(): def __init__( self, dataPos ): - pass + + self.parsed = False + + try: + + self.HWType = getNetWord( dataPos ) + self.PType = getNetWord( dataPos ) + self.HLen = dataPos.next() + self.PLen = dataPos.next() + self.oper = getNetWord( dataPos ) + self.senderHWAddr = EthernetAddress( dataPos ) + self.senderPAddr = IpAddress( dataPos ) + self.targetHWAddr = EthernetAddress( dataPos ) + self.targetPAddr = IpAddress( dataPos ) + + self.parsed = True + + except StopIteration: + pass def __str__( self ): - return "" + s = "ARP Packet: " + + if self.parsed: + s += "OK\n" + s += { 0x100: "REQUEST", 0x200: "REPLAY" }.get(self.oper, hex(self.oper) ) + "\n" + s += "HTYPE: " + { 0x100: "Ethernet", }.get( self.HWType, hex( self.HWType) ) + " " + s += "PTYPE: " + { IPv4: "IPv4", }.get( self.PType, hex( self.PType) ) + " " + s += "HLEN: %x " % self.HLen + s += "PLEN: %x " % self.PLen + s += "\nSender: " + str(self.senderHWAddr) + " " + str( self.senderPAddr ) + s += "\nTarget: " + str(self.targetHWAddr) + " " + str( self.targetPAddr ) + "\n" + + else: + s += "MALFORMED\n" + + return s class EthernetType: 
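Review bot: ARPPacket.__init__ hands the sender/target addresses to EthernetAddress and IpAddress without checking that `HLen`/`PLen` are the fixed sizes those helpers presumably consume (6 and 4 bytes), so an ARP frame with any other hardware/protocol address sizes is decoded from the wrong offsets and still reported as OK. A guard right after `self.PLen = dataPos.next()`, such as `if self.HLen != 6 or self.PLen != 4: return  # only Ethernet/IPv4 address sizes are decoded`, leaves `parsed` False so that `__str__` flags the frame instead of printing misaligned addresses. In `__str__` the opcode label `"REPLAY"` should read `"REPLY"`. The keys `0x100`/`0x200` for the opcode (and `0x100` for HTYPE) only match if `getNetWord` returns the 16-bit field without byte swapping; a one-line comment stating that assumption would save the next reader from re-deriving it.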
@@ -281,8 +314,8 @@ class EthernetType: def getNextLayerPacket( self, dataPos ): return { IPv4 : lambda x : IpPacket(x), - ARP : lambda x : Ip6Packet(x), - IPv6 : lambda x : ARPPacket(x), + ARP : lambda x : ARPPacket(x), + IPv6 : lambda x : Ip6Packet(x), }.get( self.typeVal, lambda x : "" )( dataPos ) 
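Review bot: The lambda wrappers in getNextLayerPacket's dispatch table are redundant, since each one only forwards its single argument to a constructor; `IPv4 : IpPacket, ARP : ARPPacket, IPv6 : Ip6Packet,` reads the same and removes one level of indirection, with the default `lambda x : ""` left as it is. The swapped entries this hunk corrects are exactly the kind of slip that a table of bare class names makes easier to spot in review.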
@@ -345,42 +378,110 @@ class NetPacket: return s +def getPacketFromNb( nb ): + + pcktBytes = list() + + mdl = typedVar( "ndis", "_MDL", nb.CurrentMdl ) + dataLength = nb.DataLength + dataOffset = nb.CurrentMdlOffset + + while dataLength > 0: + + copyData = mdl.ByteCount - dataOffset + if copyData > dataLength: copyData = dataLength + + pcktBytes.extend( loadBytes( mdl.MappedSystemVa + dataOffset, copyData ) ) + + dataLength -= copyData + + mdl = typedVar( "ndis", "_MDL", mdl.Next ) + + return pcktBytes + + + def getPacketsFromNbl( nblAddr ): pcktList = list() nbl = typedVar( "ndis", "_NET_BUFFER_LIST", nblAddr ) - while nbl: + while True: nb = typedVar( "ndis", "_NET_BUFFER", nbl.FirstNetBuffer ) - while nb: + while True: - pcktBytes = list() + pcktList.append( getPacketFromNb( nb ) ) - mdl = typedVar( "ndis", "_MDL", nb.CurrentMdl ) - dataLength = nb.DataLength - dataOffset = nb.CurrentMdlOffset - - while dataLength > 0: - - copyData = mdl.ByteCount - dataOffset - if copyData > dataLength: copyData = dataLength - - pcktBytes.extend( loadBytes( mdl.MappedSystemVa + dataOffset, copyData ) ) - - dataLength -= copyData - - mdl = typedVar( "ndis", "_MDL", mdl.Next ) - - pcktList.append( pcktBytes ) + if nb.Next == 0: + break nb = typedVar( "ndis", "_NET_BUFFER", nb.Next ) + if nbl.Next == 0: + break + nbl = typedVar( "ndis", "_NET_BUFFER_LIST", nbl.Next ) - return pcktList + return pcktList + + +def printNblStruct( nblAddr ): + + + try: + + while nblAddr: + + dprintln( "NET_BUFFER_LIST %#x" % nblAddr ) + + nbl = typedVar( "ndis", "_NET_BUFFER_LIST", nblAddr ) + + nbAddr = nbl.FirstNetBuffer + + while nbAddr: + + dprint( "\tNET_BUFFER %#x" % nbAddr ) + + nb = typedVar( "ndis", "_NET_BUFFER", nbAddr ) + + dprintln( " data length = %d, data offset = %#x " % ( nb.DataLength, nb.DataOffset ) ) + + mdlAddr = nb.CurrentMdl + + while mdlAddr: + + dprint( "\t\tMDL %#x" % mdlAddr ) + + mdl = typedVar( "ndis", "_MDL", mdlAddr ) + + dprintln( " byte count = %d, byte offset = %#x, 
mapped addr = %#x" % ( mdl.ByteCount, mdl.ByteOffset, mdl.MappedSystemVa ) ) + + mdlAddr = mdl.Next + + dprintln( str( NetPacket( getPacketFromNb( nb ) ) ) ) + + nbAddr = nb.Next + + nblAddr = nbl.Next + + + except MemoryException: + + dprintln( "\nMemory corruption, stop analyzing" ) + + except TypeException: + + dprintln( "the symbols ar wrong" ) + + + + +def usage(): + dprintln( "!py nbl addr" ) + dprintln( "!py nbl /s addr" ) def main(): @@ -392,17 +493,19 @@ def main(): dprintln( "This script is for kernel debugging only" ) return + if len(sys.argv)==2: + pcktList = getPacketsFromNbl( expr(sys.argv[1]) ) + parsedPcktList = [ NetPacket(p) for p in pcktList ] + dprintln( "Packet's count: %s " % len(parsedPcktList) ) + for p in parsedPcktList: print "\n", p + return - pcktList = getPacketsFromNbl( expr(sys.argv[1]) ) - - parsedPcktList = [ NetPacket(p) for p in pcktList ] - + if sys.argv[1]=="/s": + printNblStruct( expr(sys.argv[2]) ) + return - print "Packet's count: ", len(parsedPcktList) - - for p in parsedPcktList: print "\n", p - - + usage() + if __name__ == "__main__": main() \ No newline at end of file diff --git a/snippets/vmcs.py b/snippets/vmcs.py index a9ea54e..c6f7575 100644 --- a/snippets/vmcs.py +++ b/snippets/vmcs.py @@ -99,7 +99,7 @@ def vmcsPrint( addr ): dprintln( "RevId: %x" % revid ) dprintln("======================") - dprintln( "GUEST STATE" ) + dprintln( "GUEST STATE", True ) dprintln( "VMCS link pointer: %x" % vmcsGetQword( vmcs, 0x20 ) ) @@ -126,7 +126,7 @@ def vmcsPrint( addr ): dprintln( "IDTR base: %x limit: %x" % ( vmcsGetQword( vmcs, 0x320 ), vmcsGetWord( vmcs, 0x248 ) ) ) dprintln("======================") - dprintln( "READ ONLY" ) + dprintln( "READ ONLY", True ) dprintln( "VM-instruction error: %x" % vmcsGetQword( vmcs, 0x200 ) ) dprintln( "VM-exit reason: %d ( " % vmcsGetQword( vmcs, 0x208 ) + vmcsGetExitReason( vmcsGetQword( vmcs, 0x208 ) ) + " )" ) 
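Review bot: In getPacketFromNb the loop keeps applying `dataOffset` to every MDL in the chain, but CurrentMdlOffset is an offset into the first MDL only, so the second and later fragments of a multi-MDL NET_BUFFER are copied from the wrong offset and the walk can run past the end of the chain. The loop also has no exit when `copyData` comes out zero or negative, or when `mdl.Next` is 0 while data remains, so a corrupted or truncated MDL chain either spins forever or builds an _MDL at address 0 (whatever typedVar does with a null address); a script run against a suspect kernel should stop cleanly there, and only printNblStruct wraps this in a MemoryException handler. Resetting the offset after the first fragment and bailing out when the chain cannot make progress fixes both, as in the rewrite below. Unrelated but in the same hunk, printNblStruct's message `"the symbols ar wrong"` should read `"the symbols are wrong"`.
```python
    while dataLength > 0:

        # … unchanged: copyData computed from mdl.ByteCount, dataOffset, dataLength …

        # a chunk of zero or negative size means the chain cannot reach
        # DataLength: stop instead of spinning on a corrupted MDL
        if copyData <= 0:
            break

        # … unchanged: loadBytes copy and dataLength decrement …

        # CurrentMdlOffset applies to the first MDL only
        dataOffset = 0

        # data remains but the chain ends: truncated NET_BUFFER, stop here
        if dataLength > 0 and mdl.Next == 0:
            break

        mdl = typedVar( "ndis", "_MDL", mdl.Next )
```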
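Review bot: main dereferences `sys.argv[1]` in the `/s` check before anything has confirmed that an argument exists, so running the script with no address raises IndexError instead of printing the usage text; `if len(sys.argv)==3 and sys.argv[1]=="/s":` lets every other argument shape fall through to `usage()`. The default branch still emits the packets with a bare Python 2 `print "\n", p` while the count and the `/s` path go through `dprintln`, which is worth unifying so both paths land in the same debugger output stream. main begins outside this hunk.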
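Review bot: The bare positional `True` added to the `dprintln` section-header calls in this hunk and in the `@@ -126`, `@@ -139` and `@@ -161` hunks does not tell a reader what it switches on. A keyword argument, or a short trailing comment naming the mode it selects (DML markup, if that is what the second parameter controls), would make the intent visible at each call site; the parameter's name is not visible in this diff, so I have not quoted one.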
@@ -139,7 +139,7 @@ def vmcsPrint( addr ): dprintln("======================") - dprintln( "HOST STATE" ) + dprintln( "HOST STATE", True ) dprintln( "RIP: %x" % vmcsGetQword( vmcs, 0x3D8 ) ) dprintln( "RIP: %x" % vmcsGetQword( vmcs, 0x3D0 ) ) @@ -161,7 +161,7 @@ def vmcsPrint( addr ): dprintln("======================") - dprintln( "CONTROL STATE" ) + dprintln( "CONTROL STATE", True ) dprintln( "Pin-based VM-execution controls: %x" % vmcsGetDword( vmcs, 0x40 ) ) dprintln( "Primary processor-based VM-execution controls: %#x" % vmcsGetDword( vmcs, 0x48 ) ) dprintln( "Exception bitmap: %x" % vmcsGetDword( vmcs, 0x50 ) )