[snippets] updated: nbl.py ( added ARP parsing )

git-svn-id: https://pykd.svn.codeplex.com/svn@66516 9b283d60-5439-405e-af05-b73fd8c4d996
SND\kernelnet_cp 2011-06-09 14:09:03 +00:00
parent 2c3d26da91
commit 32f3428469
2 changed files with 141 additions and 38 deletions


@ -249,16 +249,49 @@ class Ip6Packet():
else: else:
s += "MALFORMED\n" s += "MALFORMED\n"
return "" return s
class ARPPacket(): class ARPPacket():
def __init__( self, dataPos ): def __init__( self, dataPos ):
self.parsed = False
try:
self.HWType = getNetWord( dataPos )
self.PType = getNetWord( dataPos )
self.HLen = dataPos.next()
self.PLen = dataPos.next()
self.oper = getNetWord( dataPos )
self.senderHWAddr = EthernetAddress( dataPos )
self.senderPAddr = IpAddress( dataPos )
self.targetHWAddr = EthernetAddress( dataPos )
self.targetPAddr = IpAddress( dataPos )
self.parsed = True
except StopIteration:
pass pass
def __str__( self ): def __str__( self ):
return "" s = "ARP Packet: "
if self.parsed:
s += "OK\n"
s += { 0x100: "REQUEST", 0x200: "REPLAY" }.get(self.oper, hex(self.oper) ) + "\n"
s += "HTYPE: " + { 0x100: "Ethernet", }.get( self.HWType, hex( self.HWType) ) + " "
s += "PTYPE: " + { IPv4: "IPv4", }.get( self.PType, hex( self.PType) ) + " "
s += "HLEN: %x " % self.HLen
s += "PLEN: %x " % self.PLen
s += "\nSender: " + str(self.senderHWAddr) + " " + str( self.senderPAddr )
s += "\nTarget: " + str(self.targetHWAddr) + " " + str( self.targetPAddr ) + "\n"
else:
s += "MALFORMED\n"
return s
class EthernetType: class EthernetType:
@ -281,8 +314,8 @@ class EthernetType:
def getNextLayerPacket( self, dataPos ): def getNextLayerPacket( self, dataPos ):
return { return {
IPv4 : lambda x : IpPacket(x), IPv4 : lambda x : IpPacket(x),
ARP : lambda x : Ip6Packet(x), ARP : lambda x : ARPPacket(x),
IPv6 : lambda x : ARPPacket(x), IPv6 : lambda x : Ip6Packet(x),
}.get( self.typeVal, lambda x : "" )( dataPos ) }.get( self.typeVal, lambda x : "" )( dataPos )
@ -345,17 +378,7 @@ class NetPacket:
return s return s
def getPacketsFromNbl( nblAddr ): def getPacketFromNb( nb ):
pcktList = list()
nbl = typedVar( "ndis", "_NET_BUFFER_LIST", nblAddr )
while nbl:
nb = typedVar( "ndis", "_NET_BUFFER", nbl.FirstNetBuffer )
while nb:
pcktBytes = list() pcktBytes = list()
@ -374,15 +397,93 @@ def getPacketsFromNbl( nblAddr ):
mdl = typedVar( "ndis", "_MDL", mdl.Next ) mdl = typedVar( "ndis", "_MDL", mdl.Next )
pcktList.append( pcktBytes ) return pcktBytes
def getPacketsFromNbl( nblAddr ):
pcktList = list()
nbl = typedVar( "ndis", "_NET_BUFFER_LIST", nblAddr )
while True:
nb = typedVar( "ndis", "_NET_BUFFER", nbl.FirstNetBuffer )
while True:
pcktList.append( getPacketFromNb( nb ) )
if nb.Next == 0:
break
nb = typedVar( "ndis", "_NET_BUFFER", nb.Next ) nb = typedVar( "ndis", "_NET_BUFFER", nb.Next )
if nbl.Next == 0:
break
nbl = typedVar( "ndis", "_NET_BUFFER_LIST", nbl.Next ) nbl = typedVar( "ndis", "_NET_BUFFER_LIST", nbl.Next )
return pcktList return pcktList
def printNblStruct( nblAddr ):
try:
while nblAddr:
dprintln( "NET_BUFFER_LIST %#x" % nblAddr )
nbl = typedVar( "ndis", "_NET_BUFFER_LIST", nblAddr )
nbAddr = nbl.FirstNetBuffer
while nbAddr:
dprint( "\tNET_BUFFER %#x" % nbAddr )
nb = typedVar( "ndis", "_NET_BUFFER", nbAddr )
dprintln( " data length = %d, data offset = %#x " % ( nb.DataLength, nb.DataOffset ) )
mdlAddr = nb.CurrentMdl
while mdlAddr:
dprint( "\t\tMDL %#x" % mdlAddr )
mdl = typedVar( "ndis", "_MDL", mdlAddr )
dprintln( " byte count = %d, byte offset = %#x, mapped addr = %#x" % ( mdl.ByteCount, mdl.ByteOffset, mdl.MappedSystemVa ) )
mdlAddr = mdl.Next
dprintln( str( NetPacket( getPacketFromNb( nb ) ) ) )
nbAddr = nb.Next
nblAddr = nbl.Next
except MemoryException:
dprintln( "\nMemory corruption, stop analyzing" )
except TypeException:
dprintln( "the symbols ar wrong" )
def usage():
dprintln( "!py nbl addr" )
dprintln( "!py nbl /s addr" )
def main(): def main():
if len(sys.argv) < 2: if len(sys.argv) < 2:
@ -392,16 +493,18 @@ def main():
dprintln( "This script is for kernel debugging only" ) dprintln( "This script is for kernel debugging only" )
return return
if len(sys.argv)==2:
pcktList = getPacketsFromNbl( expr(sys.argv[1]) ) pcktList = getPacketsFromNbl( expr(sys.argv[1]) )
parsedPcktList = [ NetPacket(p) for p in pcktList ] parsedPcktList = [ NetPacket(p) for p in pcktList ]
dprintln( "Packet's count: %s " % len(parsedPcktList) )
print "Packet's count: ", len(parsedPcktList)
for p in parsedPcktList: print "\n", p for p in parsedPcktList: print "\n", p
return
if sys.argv[1]=="/s":
printNblStruct( expr(sys.argv[2]) )
return
usage()
if __name__ == "__main__": if __name__ == "__main__":
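Review bot: getPacketsFromNbl (hunk `-374,15 +397,93`) replaces the old `while nbl:` / `while nb:` guards with `while True:`, so a zero nblAddr, or a list whose FirstNetBuffer is 0, now builds a typedVar at address 0 and appends a packet for it before the `Next == 0` test is ever reached; walking the raw addresses the way printNblStruct does in the same hunk avoids that. The function also walks the list with no `except MemoryException`, unlike printNblStruct, so a corrupted list reached via `!py nbl addr` ends in a traceback instead of the "Memory corruption, stop analyzing" message. In main, the `len(sys.argv)==2` branch runs before the `/s` test, so `!py nbl /s` hands the literal `/s` to expr() as an address; testing `sys.argv[1]=="/s"` first, together with a `len(sys.argv) > 2` check, would route it to usage() instead. Separately, the opcode label `"REPLAY"` in ARPPacket.__str__ should read `"REPLY"`.
```python
def getPacketsFromNbl( nblAddr ):
    pcktList = list()
    while nblAddr != 0:
        nbl = typedVar( "ndis", "_NET_BUFFER_LIST", nblAddr )
        nbAddr = nbl.FirstNetBuffer
        while nbAddr != 0:
            nb = typedVar( "ndis", "_NET_BUFFER", nbAddr )
            pcktList.append( getPacketFromNb( nb ) )
            nbAddr = nb.Next
        nblAddr = nbl.Next
    return pcktList
```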


@ -99,7 +99,7 @@ def vmcsPrint( addr ):
dprintln( "RevId: %x" % revid ) dprintln( "RevId: %x" % revid )
dprintln("======================") dprintln("======================")
dprintln( "<u>GUEST STATE</u>" ) dprintln( "<u>GUEST STATE</u>", True )
dprintln( "VMCS link pointer: %x" % vmcsGetQword( vmcs, 0x20 ) ) dprintln( "VMCS link pointer: %x" % vmcsGetQword( vmcs, 0x20 ) )
@ -126,7 +126,7 @@ def vmcsPrint( addr ):
dprintln( "IDTR base: %x limit: %x" % ( vmcsGetQword( vmcs, 0x320 ), vmcsGetWord( vmcs, 0x248 ) ) ) dprintln( "IDTR base: %x limit: %x" % ( vmcsGetQword( vmcs, 0x320 ), vmcsGetWord( vmcs, 0x248 ) ) )
dprintln("======================") dprintln("======================")
dprintln( "<u>READ ONLY</u>" ) dprintln( "<u>READ ONLY</u>", True )
dprintln( "VM-instruction error: %x" % vmcsGetQword( vmcs, 0x200 ) ) dprintln( "VM-instruction error: %x" % vmcsGetQword( vmcs, 0x200 ) )
dprintln( "VM-exit reason: %d ( " % vmcsGetQword( vmcs, 0x208 ) + vmcsGetExitReason( vmcsGetQword( vmcs, 0x208 ) ) + " )" ) dprintln( "VM-exit reason: %d ( " % vmcsGetQword( vmcs, 0x208 ) + vmcsGetExitReason( vmcsGetQword( vmcs, 0x208 ) ) + " )" )
@ -139,7 +139,7 @@ def vmcsPrint( addr ):
dprintln("======================") dprintln("======================")
dprintln( "<u>HOST STATE</u>" ) dprintln( "<u>HOST STATE</u>", True )
dprintln( "RIP: %x" % vmcsGetQword( vmcs, 0x3D8 ) ) dprintln( "RIP: %x" % vmcsGetQword( vmcs, 0x3D8 ) )
dprintln( "RIP: %x" % vmcsGetQword( vmcs, 0x3D0 ) ) dprintln( "RIP: %x" % vmcsGetQword( vmcs, 0x3D0 ) )
@ -161,7 +161,7 @@ def vmcsPrint( addr ):
dprintln("======================") dprintln("======================")
dprintln( "<u>CONTROL STATE</u>" ) dprintln( "<u>CONTROL STATE</u>", True )
dprintln( "Pin-based VM-execution controls: %x" % vmcsGetDword( vmcs, 0x40 ) ) dprintln( "Pin-based VM-execution controls: %x" % vmcsGetDword( vmcs, 0x40 ) )
dprintln( "Primary processor-based VM-execution controls: %#x" % vmcsGetDword( vmcs, 0x48 ) ) dprintln( "Primary processor-based VM-execution controls: %#x" % vmcsGetDword( vmcs, 0x48 ) )
dprintln( "Exception bitmap: %x" % vmcsGetDword( vmcs, 0x50 ) ) dprintln( "Exception bitmap: %x" % vmcsGetDword( vmcs, 0x50 ) )