diff --git a/pykd-0.3-2010.sln b/pykd-0.3-2010.sln
index 3455214..20343a9 100644
--- a/pykd-0.3-2010.sln
+++ b/pykd-0.3-2010.sln
@@ -52,8 +52,11 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "snippets", "snippets", "{AA
 snippets\cr4.py = snippets\cr4.py
 snippets\ctlcode.py = snippets\ctlcode.py
 snippets\export.py = snippets\export.py
+ snippets\findtag.py = snippets\findtag.py
 snippets\gdt.py = snippets\gdt.py
+ snippets\help.py = snippets\help.py
 snippets\iat.py = snippets\iat.py
+ snippets\pytowiki.py = snippets\pytowiki.py
 EndProjectSection
 EndProject
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "um", "um", "{EEFC9510-DFA7-439E-801E-48FCE72766AD}"
diff --git a/pykd/memaccess.h b/pykd/memaccess.h
index 026615d..e6a4ea0 100644
--- a/pykd/memaccess.h
+++ b/pykd/memaccess.h
@@ -83,5 +83,17 @@ std::wstring loadUnicodeStr(kdlib::MEMOFFSET_64 offset);
 std::string loadAnsiStr(kdlib::MEMOFFSET_64 offset);
+inline kdlib::MEMOFFSET_64 searchMemoryLst( kdlib::MEMOFFSET_64 beginOffset, unsigned long length, const python::list &pattern )
+{
+ return kdlib::searchMemory( beginOffset, length, listToVector(pattern) );
+}
+
+inline kdlib::MEMOFFSET_64 searchMemoryStr( kdlib::MEMOFFSET_64 beginOffset, unsigned long length, const std::string &pattern )
+{
+ const char* p = pattern.c_str();
+ return kdlib::searchMemory( beginOffset, length, std::vector( p, p + pattern.length() ) );
+}
+
+
 } // end namespace pykd
diff --git a/pykd/pymod.cpp b/pykd/pymod.cpp
index 9949bab..81213f6 100644
--- a/pykd/pymod.cpp
+++ b/pykd/pymod.cpp
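Review bot: Neither wrapper added to pykd/memaccess.h checks for an empty pattern, so an empty string or empty list reaches kdlib::searchMemory as a zero-length vector, and what kdlib does with that is not visible in this diff. A guard such as `if ( pattern.empty() ) return 0;` in searchMemoryStr (with the `python::len(pattern) == 0` equivalent in searchMemoryLst) would pin the behaviour, assuming 0 is the not-found value, which is how snippets/findtag.py in this commit treats the result. Neither function has a comment; one line above each, e.g. `// returns the offset of the first match; 0 if none (confirm against kdlib)`, would record that contract. In searchMemoryStr the vector can also be built directly from `pattern.begin(), pattern.end()`, which drops the intermediate `const char* p`.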
@@ -156,6 +156,10 @@ BOOST_PYTHON_MODULE( pykd ) "Check if the virtual address is valid" ); python::def( "compareMemory", &kdlib::compareMemory, compareMemory_( python::args( "offset1", "offset2", "length", "phyAddr" ), "Compare two memory buffers by virtual or physical addresses" ) ); + python::def( "searchMemory", &pykd::searchMemoryLst, + "Search in virtual memory" ); + python::def( "searchMemory", &pykd::searchMemoryStr, + "Search in virtual memory" ); //python::def( "findMemoryRegion", &kdlib::findMemoryRegion, // "Return address of begining valid memory region nearest to offset" ); //python::def( "getVaProtect", &kdlib::getVaProtect, diff --git a/pykd/stladaptor.h b/pykd/stladaptor.h index 887bc8b..1b07ce3 100644 --- a/pykd/stladaptor.h +++ b/pykd/stladaptor.h @@ -25,4 +25,20 @@ python::list vectorToList( const std::vector &v ) { return lst; } + +template +inline +std::vector listToVector( const python::list &lst ) +{ + std::vector vec( python::len(lst) ); + + for ( long i = 0; i < python::len(lst); ++i ) + { + T v = python::extract(lst[i]); + vec[i] =v; + } + + return vec; +} + } // end namespace pykd diff --git a/snippets/findtag.py b/snippets/findtag.py new file mode 100644 index 0000000..d3fa9de --- /dev/null +++ b/snippets/findtag.py 
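Review bot: Both `searchMemory` overloads in pykd/pymod.cpp are registered with the identical docstring "Search in virtual memory" and without argument names, whereas the `compareMemory` registration just above passes `python::args(...)`. From the Python side a caller cannot tell that the pattern may be either a list or a string, nor what comes back when nothing matches. I would give each overload its own text and names, for example `python::def( "searchMemory", &pykd::searchMemoryStr, python::args( "beginOffset", "length", "pattern" ), "Search virtual memory for a byte string; ..." );`, with the no-match return value stated in the docstring. BOOST_PYTHON_MODULE starts and ends outside this hunk.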
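Review bot: In pykd/stladaptor.h, listToVector calls `python::len(lst)` once to size the vector and then again on every loop iteration, and it compares that length against a `long` index, which is narrower than the length type on 64-bit Windows builds. Reading the length once, `const std::size_t count = static_cast<std::size_t>( python::len(lst) );`, and looping with a `std::size_t` index removes both the repeated call and the narrow comparison. The function has no comment; it should say that the list is copied element by element and that an element which cannot be converted to T makes `python::extract` raise a Python TypeError to the caller. The template argument lists on `template`, `std::vector` and `python::extract` are missing as shown here, presumably lost when the page was rendered.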
@@ -0,0 +1,56 @@
+from pykd import *
+from sys import argv
+
+nt = module("nt")
+LDR_DATA_TABLE_ENTRY = nt.type("_LDR_DATA_TABLE_ENTRY")
+
+
+def getModuleList():
+ ldrLst = typedVarList( nt.PsLoadedModuleList, LDR_DATA_TABLE_ENTRY, "InLoadOrderLinks.Flink")
+ return [ module(m.DllBase) for m in ldrLst ]
+
+def findTagInModule(mod, tag):
+
+ matchLst = []
+ begin = mod.begin()
+ end = mod.end()
+ offset = begin
+ size = mod.size()
+ while True:
+ match = searchMemory( offset, size, tag )
+ if not match:
+ break;
+ matchLst.append(match)
+ offset = match + 1
+ size = end - offset
+ return matchLst
+
+
+def main():
+
+ if len(argv) < 2:
+ print "You should note tag's value"
+ return
+
+ if len(argv[1])!=4:
+ print "Tag must have 4 symbols length"
+ return
+
+ tag = argv[1]
+
+ modLst = getModuleList()
+ for m in modLst:
+ matchLst = findTagInModule( m, tag )
+ if len(matchLst) == 0:
+ #print m.name(), "tag not found"
+ pass
+ else:
+ print m.name(), "found", len(matchLst), "entries"
+ for offset in matchLst:
+ print "\t", hex(offset)
+
+
+if __name__=="__main__":
+ main()
+
+
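Review bot: main() calls findTagInModule for every loaded module with no exception handling, and findTagInModule passes the whole mod.begin()..mod.end() range to searchMemory; if searchMemory raises on part of an image that cannot be read (its error behaviour is not visible in this diff), the first such module ends the run and the remaining modules are never reported. Wrapping the per-module call in main() in a try/except that prints the module name and continues would keep the output complete. The loop also depends on searchMemory returning a false value when nothing is found (`if not match:`), which deserves a comment next to the check. Smaller points: the stray semicolon in `break;`, and the message "You should note tag's value" would read better as a usage line such as `Usage: findtag.py <4-character tag>`.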