mirror of
https://github.com/ivellioscolin/pykd.git
synced 2025-04-20 19:53:22 +08:00
[snippets] updated: nbl.py ( added ARP parsing )
git-svn-id: https://pykd.svn.codeplex.com/svn@66516 9b283d60-5439-405e-af05-b73fd8c4d996
This commit is contained in:
SND\kernelnet_cp
parent
2c3d26da91
commit
32f3428469
171
snippets/nbl.py
171
snippets/nbl.py
@ -249,16 +249,49 @@ class Ip6Packet():
|
||||
else:
|
||||
s += "MALFORMED\n"
|
||||
|
||||
return ""
|
||||
return s
|
||||
|
||||
|
||||
class ARPPacket():
|
||||
|
||||
def __init__( self, dataPos ):
|
||||
pass
|
||||
|
||||
self.parsed = False
|
||||
|
||||
try:
|
||||
|
||||
self.HWType = getNetWord( dataPos )
|
||||
self.PType = getNetWord( dataPos )
|
||||
self.HLen = dataPos.next()
|
||||
self.PLen = dataPos.next()
|
||||
self.oper = getNetWord( dataPos )
|
||||
self.senderHWAddr = EthernetAddress( dataPos )
|
||||
self.senderPAddr = IpAddress( dataPos )
|
||||
self.targetHWAddr = EthernetAddress( dataPos )
|
||||
self.targetPAddr = IpAddress( dataPos )
|
||||
|
||||
self.parsed = True
|
||||
|
||||
except StopIteration:
|
||||
pass
|
||||
|
||||
def __str__( self ):
|
||||
return ""
|
||||
s = "ARP Packet: "
|
||||
|
||||
if self.parsed:
|
||||
s += "OK\n"
|
||||
s += { 0x100: "REQUEST", 0x200: "REPLAY" }.get(self.oper, hex(self.oper) ) + "\n"
|
||||
s += "HTYPE: " + { 0x100: "Ethernet", }.get( self.HWType, hex( self.HWType) ) + " "
|
||||
s += "PTYPE: " + { IPv4: "IPv4", }.get( self.PType, hex( self.PType) ) + " "
|
||||
s += "HLEN: %x " % self.HLen
|
||||
s += "PLEN: %x " % self.PLen
|
||||
s += "\nSender: " + str(self.senderHWAddr) + " " + str( self.senderPAddr )
|
||||
s += "\nTarget: " + str(self.targetHWAddr) + " " + str( self.targetPAddr ) + "\n"
|
||||
|
||||
else:
|
||||
s += "MALFORMED\n"
|
||||
|
||||
return s
|
||||
|
||||
|
||||
class EthernetType:
|
||||
@ -281,8 +314,8 @@ class EthernetType:
|
||||
def getNextLayerPacket( self, dataPos ):
|
||||
return {
|
||||
IPv4 : lambda x : IpPacket(x),
|
||||
ARP : lambda x : Ip6Packet(x),
|
||||
IPv6 : lambda x : ARPPacket(x),
|
||||
ARP : lambda x : ARPPacket(x),
|
||||
IPv6 : lambda x : Ip6Packet(x),
|
||||
}.get( self.typeVal, lambda x : "" )( dataPos )
|
||||
|
||||
|
||||
@ -345,42 +378,110 @@ class NetPacket:
|
||||
return s
|
||||
|
||||
|
||||
def getPacketFromNb( nb ):
|
||||
|
||||
pcktBytes = list()
|
||||
|
||||
mdl = typedVar( "ndis", "_MDL", nb.CurrentMdl )
|
||||
dataLength = nb.DataLength
|
||||
dataOffset = nb.CurrentMdlOffset
|
||||
|
||||
while dataLength > 0:
|
||||
|
||||
copyData = mdl.ByteCount - dataOffset
|
||||
if copyData > dataLength: copyData = dataLength
|
||||
|
||||
pcktBytes.extend( loadBytes( mdl.MappedSystemVa + dataOffset, copyData ) )
|
||||
|
||||
dataLength -= copyData
|
||||
|
||||
mdl = typedVar( "ndis", "_MDL", mdl.Next )
|
||||
|
||||
return pcktBytes
|
||||
|
||||
|
||||
|
||||
def getPacketsFromNbl( nblAddr ):
|
||||
|
||||
pcktList = list()
|
||||
|
||||
nbl = typedVar( "ndis", "_NET_BUFFER_LIST", nblAddr )
|
||||
|
||||
while nbl:
|
||||
while True:
|
||||
|
||||
nb = typedVar( "ndis", "_NET_BUFFER", nbl.FirstNetBuffer )
|
||||
|
||||
while nb:
|
||||
while True:
|
||||
|
||||
pcktBytes = list()
|
||||
pcktList.append( getPacketFromNb( nb ) )
|
||||
|
||||
mdl = typedVar( "ndis", "_MDL", nb.CurrentMdl )
|
||||
dataLength = nb.DataLength
|
||||
dataOffset = nb.CurrentMdlOffset
|
||||
|
||||
while dataLength > 0:
|
||||
|
||||
copyData = mdl.ByteCount - dataOffset
|
||||
if copyData > dataLength: copyData = dataLength
|
||||
|
||||
pcktBytes.extend( loadBytes( mdl.MappedSystemVa + dataOffset, copyData ) )
|
||||
|
||||
dataLength -= copyData
|
||||
|
||||
mdl = typedVar( "ndis", "_MDL", mdl.Next )
|
||||
|
||||
pcktList.append( pcktBytes )
|
||||
if nb.Next == 0:
|
||||
break
|
||||
|
||||
nb = typedVar( "ndis", "_NET_BUFFER", nb.Next )
|
||||
|
||||
if nbl.Next == 0:
|
||||
break
|
||||
|
||||
nbl = typedVar( "ndis", "_NET_BUFFER_LIST", nbl.Next )
|
||||
|
||||
return pcktList
|
||||
return pcktList
|
||||
|
||||
|
||||
def printNblStruct( nblAddr ):
|
||||
|
||||
|
||||
try:
|
||||
|
||||
while nblAddr:
|
||||
|
||||
dprintln( "NET_BUFFER_LIST %#x" % nblAddr )
|
||||
|
||||
nbl = typedVar( "ndis", "_NET_BUFFER_LIST", nblAddr )
|
||||
|
||||
nbAddr = nbl.FirstNetBuffer
|
||||
|
||||
while nbAddr:
|
||||
|
||||
dprint( "\tNET_BUFFER %#x" % nbAddr )
|
||||
|
||||
nb = typedVar( "ndis", "_NET_BUFFER", nbAddr )
|
||||
|
||||
dprintln( " data length = %d, data offset = %#x " % ( nb.DataLength, nb.DataOffset ) )
|
||||
|
||||
mdlAddr = nb.CurrentMdl
|
||||
|
||||
while mdlAddr:
|
||||
|
||||
dprint( "\t\tMDL %#x" % mdlAddr )
|
||||
|
||||
mdl = typedVar( "ndis", "_MDL", mdlAddr )
|
||||
|
||||
dprintln( " byte count = %d, byte offset = %#x, mapped addr = %#x" % ( mdl.ByteCount, mdl.ByteOffset, mdl.MappedSystemVa ) )
|
||||
|
||||
mdlAddr = mdl.Next
|
||||
|
||||
dprintln( str( NetPacket( getPacketFromNb( nb ) ) ) )
|
||||
|
||||
nbAddr = nb.Next
|
||||
|
||||
nblAddr = nbl.Next
|
||||
|
||||
|
||||
except MemoryException:
|
||||
|
||||
dprintln( "\nMemory corruption, stop analyzing" )
|
||||
|
||||
except TypeException:
|
||||
|
||||
dprintln( "the symbols ar wrong" )
|
||||
|
||||
|
||||
|
||||
|
||||
def usage():
|
||||
dprintln( "!py nbl addr" )
|
||||
dprintln( "!py nbl /s addr" )
|
||||
|
||||
|
||||
def main():
|
||||
@ -392,17 +493,19 @@ def main():
|
||||
dprintln( "This script is for kernel debugging only" )
|
||||
return
|
||||
|
||||
if len(sys.argv)==2:
|
||||
pcktList = getPacketsFromNbl( expr(sys.argv[1]) )
|
||||
parsedPcktList = [ NetPacket(p) for p in pcktList ]
|
||||
dprintln( "Packet's count: %s " % len(parsedPcktList) )
|
||||
for p in parsedPcktList: print "\n", p
|
||||
return
|
||||
|
||||
pcktList = getPacketsFromNbl( expr(sys.argv[1]) )
|
||||
|
||||
parsedPcktList = [ NetPacket(p) for p in pcktList ]
|
||||
|
||||
if sys.argv[1]=="/s":
|
||||
printNblStruct( expr(sys.argv[2]) )
|
||||
return
|
||||
|
||||
print "Packet's count: ", len(parsedPcktList)
|
||||
|
||||
for p in parsedPcktList: print "\n", p
|
||||
|
||||
|
||||
usage()
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
main()
|
||||
@ -99,7 +99,7 @@ def vmcsPrint( addr ):
|
||||
dprintln( "RevId: %x" % revid )
|
||||
|
||||
dprintln("======================")
|
||||
dprintln( "<u>GUEST STATE</u>" )
|
||||
dprintln( "<u>GUEST STATE</u>", True )
|
||||
|
||||
dprintln( "VMCS link pointer: %x" % vmcsGetQword( vmcs, 0x20 ) )
|
||||
|
||||
@ -126,7 +126,7 @@ def vmcsPrint( addr ):
|
||||
dprintln( "IDTR base: %x limit: %x" % ( vmcsGetQword( vmcs, 0x320 ), vmcsGetWord( vmcs, 0x248 ) ) )
|
||||
|
||||
dprintln("======================")
|
||||
dprintln( "<u>READ ONLY</u>" )
|
||||
dprintln( "<u>READ ONLY</u>", True )
|
||||
|
||||
dprintln( "VM-instruction error: %x" % vmcsGetQword( vmcs, 0x200 ) )
|
||||
dprintln( "VM-exit reason: %d ( " % vmcsGetQword( vmcs, 0x208 ) + vmcsGetExitReason( vmcsGetQword( vmcs, 0x208 ) ) + " )" )
|
||||
@ -139,7 +139,7 @@ def vmcsPrint( addr ):
|
||||
|
||||
|
||||
dprintln("======================")
|
||||
dprintln( "<u>HOST STATE</u>" )
|
||||
dprintln( "<u>HOST STATE</u>", True )
|
||||
dprintln( "RIP: %x" % vmcsGetQword( vmcs, 0x3D8 ) )
|
||||
dprintln( "RIP: %x" % vmcsGetQword( vmcs, 0x3D0 ) )
|
||||
|
||||
@ -161,7 +161,7 @@ def vmcsPrint( addr ):
|
||||
|
||||
|
||||
dprintln("======================")
|
||||
dprintln( "<u>CONTROL STATE</u>" )
|
||||
dprintln( "<u>CONTROL STATE</u>", True )
|
||||
dprintln( "Pin-based VM-execution controls: %x" % vmcsGetDword( vmcs, 0x40 ) )
|
||||
dprintln( "Primary processor-based VM-execution controls: %#x" % vmcsGetDword( vmcs, 0x48 ) )
|
||||
dprintln( "Exception bitmap: %x" % vmcsGetDword( vmcs, 0x50 ) )
|
||||
|
||||
Loading…
Reference in New Issue
Block a user