[0.3.x] added : searchMemory routine

git-svn-id: https://pykd.svn.codeplex.com/svn@85266 9b283d60-5439-405e-af05-b73fd8c4d996

pykd-0.3-2010.sln

@@ -52,8 +52,11 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "snippets", "snippets", "{AA
 		snippets\cr4.py = snippets\cr4.py
 		snippets\ctlcode.py = snippets\ctlcode.py
 		snippets\export.py = snippets\export.py
+		snippets\findtag.py = snippets\findtag.py
 		snippets\gdt.py = snippets\gdt.py
+		snippets\help.py = snippets\help.py
 		snippets\iat.py = snippets\iat.py
+		snippets\pytowiki.py = snippets\pytowiki.py
 	EndProjectSection
 EndProject
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "um", "um", "{EEFC9510-DFA7-439E-801E-48FCE72766AD}"

pykd/memaccess.h

@@ -83,5 +83,17 @@ std::wstring loadUnicodeStr(kdlib::MEMOFFSET_64 offset);
 
 std::string loadAnsiStr(kdlib::MEMOFFSET_64 offset);
 
+inline kdlib::MEMOFFSET_64 searchMemoryLst( kdlib::MEMOFFSET_64 beginOffset, unsigned long length, const python::list &pattern )
+{
+    return kdlib::searchMemory( beginOffset, length, listToVector<char>(pattern) );
+}
+
+inline kdlib::MEMOFFSET_64 searchMemoryStr( kdlib::MEMOFFSET_64 beginOffset, unsigned long length, const std::string &pattern  )
+{
+    const char* p = pattern.c_str();
+    return kdlib::searchMemory( beginOffset, length, std::vector<char>( p, p + pattern.length() ) );
+}
+
+
 } // end namespace pykd
 

pykd/pymod.cpp

@@ -156,6 +156,10 @@ BOOST_PYTHON_MODULE( pykd )
         "Check if the virtual address is valid" );
     python::def( "compareMemory", &kdlib::compareMemory, compareMemory_( python::args( "offset1", "offset2", "length", "phyAddr" ),
         "Compare two memory buffers by virtual or physical addresses" ) );
+    python::def( "searchMemory", &pykd::searchMemoryLst, 
+        "Search in virtual memory" );
+    python::def( "searchMemory", &pykd::searchMemoryStr, 
+        "Search in virtual memory" );
     //python::def( "findMemoryRegion", &kdlib::findMemoryRegion,
     //    "Return address of begining valid memory region nearest to offset" );
     //python::def( "getVaProtect", &kdlib::getVaProtect,

pykd/stladaptor.h

@@ -25,4 +25,20 @@ python::list vectorToList<char>( const std::vector<char>  &v ) {
     return lst;
 }
 
+
+template<typename T>
+inline
+std::vector<T> listToVector( const python::list &lst )
+{
+    std::vector<T> vec( python::len(lst) );
+
+    for (  long i = 0; i < python::len(lst); ++i )
+    {
+        T  v = python::extract<T>(lst[i]);
+        vec[i] =v;
+    }
+
+    return vec;
+}
+
 } // end namespace pykd

snippets/findtag.py

@@ -0,0 +1,56 @@
+from pykd import *
+from sys import argv
+
+nt = module("nt")
+LDR_DATA_TABLE_ENTRY = nt.type("_LDR_DATA_TABLE_ENTRY")
+    
+
+def getModuleList():
+    ldrLst = typedVarList( nt.PsLoadedModuleList, LDR_DATA_TABLE_ENTRY, "InLoadOrderLinks.Flink")
+    return [ module(m.DllBase) for m in ldrLst ]  
+    
+def findTagInModule(mod, tag):
+    
+    matchLst = []
+    begin = mod.begin()
+    end = mod.end()
+    offset = begin
+    size = mod.size()
+    while True:
+        match = searchMemory( offset, size, tag )
+        if not match:
+            break;
+        matchLst.append(match)
+        offset = match + 1
+        size = end - offset
+    return matchLst
+    
+    
+def main():
+
+    if len(argv) < 2:
+        print "You should note tag's value"
+        return
+
+    if len(argv[1])!=4:
+        print "Tag must have 4 symbols length"
+        return
+
+    tag = argv[1]
+
+    modLst = getModuleList()
+    for m in modLst:
+        matchLst = findTagInModule( m, tag )
+        if len(matchLst) == 0:
+            #print m.name(), "tag not found"
+            pass
+        else:
+            print m.name(), "found", len(matchLst), "entries"
+            for offset in matchLst:
+                print "\t", hex(offset)
+   
+   
+if __name__=="__main__":
+    main()
+
+