zjgcjy/pykd
1
0
Fork 0
mirror of https://github.com/ivellioscolin/pykd.git synced 2025-04-20 03:23:23 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

[!] snippets fixed

Browse Source 
git-svn-id: https://pykd.svn.codeplex.com/svn@57939 9b283d60-5439-405e-af05-b73fd8c4d996
This commit is contained in:
SND\kernelnet_cp 2010-11-22 16:02:26 +00:00
parent ed85fb9787
commit 56110ea78f
2 changed files with 26 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
snippets/export.py
View File

@ -12,18 +12,17 @@ def export( moduleName, mask = "*" ):
module = loadModule( moduleName ) module = loadModule( moduleName )
dprintln( "Module: " + moduleName + " base: %x" % module.begin() + " end: %x" % module.end() ) dprintln( "Module: " + moduleName + " base: %x" % module.begin() + " end: %x" % module.end() )
if isKernelDebugging():
systemModule = loadModule( "nt" ) systemModule = loadModule( "nt" )
else:
if systemModule==None: systemModule = loadModule( "ntdll" )
systemModule = loadModule( "ntdll" )
# dosHeader = typedVar( systemModule.name(), "_IMAGE_DOS_HEADER", module.begin() )
if is64bitSystem(): if is64bitSystem():
ntHeader = typedVar( systemModule.name(), "_IMAGE_NT_HEADERS64", module.begin() + ptrDWord( module.begin() + 0x3c ) ) ntHeader = typedVar( systemModule.name(), "_IMAGE_NT_HEADERS64", module.begin() + ptrDWord( module.begin() + 0x3c ) )
if ntHeader.OptionalHeader.Magic == 0x10b:
systemModule = loadModule( "ntdll32" )
ntHeader = typedVar( systemModule.name(), "_IMAGE_NT_HEADERS", module.begin() + ptrDWord( module.begin() + 0x3c ) )
else: else:
ntHeader = typedVar( systemModule.name(), "_IMAGE_NT_HEADERS", module.begin() + ptrDWord( module.begin() + 0x3c ) ) ntHeader = typedVar( systemModule.name(), "_IMAGE_NT_HEADERS", module.begin() + ptrDWord( module.begin() + 0x3c ) )

22
snippets/iat.py
View File

@ -15,13 +15,20 @@ def iat( moduleName, mask = "*" ):
if isKernelDebugging(): if isKernelDebugging():
systemModule = loadModule( "nt" ) systemModule = loadModule( "nt" )
else: else:
systemModule = loadModule( "ntdll" ) systemModule = loadModule( "ntdll" )
if is64bitSystem(): if is64bitSystem():
ntHeader = typedVar( systemModule.name(), "_IMAGE_NT_HEADERS64", module.begin() + ptrDWord( module.begin() + 0x3c ) ) ntHeader = typedVar( systemModule.name(), "_IMAGE_NT_HEADERS64", module.begin() + ptrDWord( module.begin() + 0x3c ) )
if ntHeader.OptionalHeader.Magic == 0x10b:
systemModule = loadModule( "ntdll32" )
ntHeader = typedVar( systemModule.name(), "_IMAGE_NT_HEADERS", module.begin() + ptrDWord( module.begin() + 0x3c ) )
pSize = 4
else:
pSize = 8
else: else:
ntHeader = typedVar( systemModule.name(), "_IMAGE_NT_HEADERS", module.begin() + ptrDWord( module.begin() + 0x3c ) ) ntHeader = typedVar( systemModule.name(), "_IMAGE_NT_HEADERS", module.begin() + ptrDWord( module.begin() + 0x3c ) )
pSize = 4
dprintln( "IAT RVA: %x Size: %x" % ( ntHeader.OptionalHeader.DataDirectory[12].VirtualAddress, ntHeader.OptionalHeader.DataDirectory[12].Size ) ) dprintln( "IAT RVA: %x Size: %x" % ( ntHeader.OptionalHeader.DataDirectory[12].VirtualAddress, ntHeader.OptionalHeader.DataDirectory[12].Size ) )
@ -32,13 +39,20 @@ def iat( moduleName, mask = "*" ):
iatAddr = module.begin() + ntHeader.OptionalHeader.DataDirectory[12].VirtualAddress; iatAddr = module.begin() + ntHeader.OptionalHeader.DataDirectory[12].VirtualAddress;
for i in range( 0, ntHeader.OptionalHeader.DataDirectory[12].Size / ptrSize() ): for i in range( 0, ntHeader.OptionalHeader.DataDirectory[12].Size / pSize ):
iatEntry = ptrPtr( iatAddr + i*ptrSize() )
if ( pSize == 4 ):
iatEntry = ptrDWord( iatAddr + i*pSize )
else:
iatEntry = ptrQWord( iatAddr + i*pSize )
if iatEntry != 0: if iatEntry != 0:
symbolName = findSymbol( iatEntry ) symbolName = findSymbol( iatEntry )
if fnmatch.fnmatch( symbolName, mask ): if fnmatch.fnmatch( symbolName, mask ):
dprintln( symbolName ) dprintln( symbolName )
if __name__ == "__main__": if __name__ == "__main__":