From 56110ea78fa5b89f9b9f9f44d43ef5c99b5580fa Mon Sep 17 00:00:00 2001
From: "SND\\kernelnet_cp"
<SND\kernelnet_cp@9b283d60-5439-405e-af05-b73fd8c4d996>
Date: Mon, 22 Nov 2010 16:02:26 +0000
Subject: [PATCH] [!] snippets fixed
git-svn-id: https://pykd.svn.codeplex.com/svn@57939 9b283d60-5439-405e-af05-b73fd8c4d996
---
snippets/export.py | 17 ++++++++---------
snippets/iat.py | 22 ++++++++++++++++++----
2 files changed, 26 insertions(+), 13 deletions(-)
diff --git a/snippets/export.py b/snippets/export.py
index 5aaa0fe..7f09c29 100644
--- a/snippets/export.py
+++ b/snippets/export.py
@@ -12,18 +12,17 @@ def export( moduleName, mask = "*" ):
module = loadModule( moduleName )
dprintln( "Module: " + moduleName + " base: %x" % module.begin() + " end: %x" % module.end() )
-
- systemModule = loadModule( "nt" )
-
- if systemModule==None:
- systemModule = loadModule( "ntdll" )
-
-
-# dosHeader = typedVar( systemModule.name(), "_IMAGE_DOS_HEADER", module.begin() )
-
+ if isKernelDebugging():
+ systemModule = loadModule( "nt" )
+ else:
+ systemModule = loadModule( "ntdll" )
+
if is64bitSystem():
ntHeader = typedVar( systemModule.name(), "_IMAGE_NT_HEADERS64", module.begin() + ptrDWord( module.begin() + 0x3c ) )
+ if ntHeader.OptionalHeader.Magic == 0x10b:
+ systemModule = loadModule( "ntdll32" )
+ ntHeader = typedVar( systemModule.name(), "_IMAGE_NT_HEADERS", module.begin() + ptrDWord( module.begin() + 0x3c ) )
else:
ntHeader = typedVar( systemModule.name(), "_IMAGE_NT_HEADERS", module.begin() + ptrDWord( module.begin() + 0x3c ) )
diff --git a/snippets/iat.py b/snippets/iat.py
index f81b66e..f765333 100644
--- a/snippets/iat.py
+++ b/snippets/iat.py
@@ -15,13 +15,20 @@ def iat( moduleName, mask = "*" ):
if isKernelDebugging():
systemModule = loadModule( "nt" )
else:
- systemModule = loadModule( "ntdll" )
-
+ systemModule = loadModule( "ntdll" )
+
if is64bitSystem():
ntHeader = typedVar( systemModule.name(), "_IMAGE_NT_HEADERS64", module.begin() + ptrDWord( module.begin() + 0x3c ) )
+ if ntHeader.OptionalHeader.Magic == 0x10b:
+ systemModule = loadModule( "ntdll32" )
+ ntHeader = typedVar( systemModule.name(), "_IMAGE_NT_HEADERS", module.begin() + ptrDWord( module.begin() + 0x3c ) )
+ pSize = 4
+ else:
+ pSize = 8
else:
ntHeader = typedVar( systemModule.name(), "_IMAGE_NT_HEADERS", module.begin() + ptrDWord( module.begin() + 0x3c ) )
+ pSize = 4
dprintln( "IAT RVA: %x Size: %x" % ( ntHeader.OptionalHeader.DataDirectory[12].VirtualAddress, ntHeader.OptionalHeader.DataDirectory[12].Size ) )
@@ -32,13 +39,20 @@ def iat( moduleName, mask = "*" ):
iatAddr = module.begin() + ntHeader.OptionalHeader.DataDirectory[12].VirtualAddress;
- for i in range( 0, ntHeader.OptionalHeader.DataDirectory[12].Size / ptrSize() ):
- iatEntry = ptrPtr( iatAddr + i*ptrSize() )
+ for i in range( 0, ntHeader.OptionalHeader.DataDirectory[12].Size / pSize ):
+
+ if ( pSize == 4 ):
+ iatEntry = ptrDWord( iatAddr + i*pSize )
+ else:
+ iatEntry = ptrQWord( iatAddr + i*pSize )
+
if iatEntry != 0:
symbolName = findSymbol( iatEntry )
if fnmatch.fnmatch( symbolName, mask ):
dprintln( symbolName )
+
+
if __name__ == "__main__":