From 60c71e8ff1b89a2e3f407f3e8604b177ff183fab Mon Sep 17 00:00:00 2001
From: "SND\\kernelnet_cp" <SND\kernelnet_cp@9b283d60-5439-405e-af05-b73fd8c4d996>
Date: Fri, 17 May 2013 11:18:11 +0000
Subject: [PATCH] [0.2.x] added : searchMemory routine ( Search in virtual memory )
git-svn-id: https://pykd.svn.codeplex.com/svn@83704 9b283d60-5439-405e-af05-b73fd8c4d996
---
 pykd/dbgmem.h | 2 +-
 pykd/pykdver.h | 2 +-
 pykd/python/pymod.cpp | 3 ++-
 pykd/win/memory.cpp | 17 +++++++++++++
 snippets/findtag.py | 56 +++++++++++++++++++++++++++++++++++++++++++
 snippets/nbl.py | 7 +++---
 6 files changed, 80 insertions(+), 7 deletions(-)
 create mode 100644 snippets/findtag.py
diff --git a/pykd/dbgmem.h b/pykd/dbgmem.h
index 0c5d50a..0b346f8 100644
--- a/pykd/dbgmem.h
+++ b/pykd/dbgmem.h
@@ -12,7 +12,7 @@ bool readMemoryUnsafeNoSafe( ULONG64 offset, PVOID buffer, ULONG length, bool ph
 bool isVaValid( ULONG64 addr );
 bool compareMemory( ULONG64 addr1, ULONG64 addr2, ULONG length, bool phyAddr = FALSE );
 ULONG getVaProtect( ULONG64 offset );
-
+ULONG64 searchMemory( ULONG64 offset, ULONG length, const std::string& pattern );
 void findMemoryRegion( ULONG64 beginOffset, ULONG64 *startOffset, ULONG64* length );
 python::tuple findMemoryRegionPy( ULONG64 beginOffset );
diff --git a/pykd/pykdver.h b/pykd/pykdver.h
index f09e6a5..3f3f688 100644
--- a/pykd/pykdver.h
+++ b/pykd/pykdver.h
@@ -2,7 +2,7 @@
 #define PYKD_VERSION_MAJOR 0
 #define PYKD_VERSION_MINOR 2
 #define PYKD_VERSION_SUBVERSION 0
-#define PYKD_VERSION_BUILDNO 20
+#define PYKD_VERSION_BUILDNO 21
 #define __VER_STR2__(x) #x
diff --git a/pykd/python/pymod.cpp b/pykd/python/pymod.cpp
index 6011fe4..55ab7c3 100644
--- a/pykd/python/pymod.cpp
+++ b/pykd/python/pymod.cpp
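Review bot: The new `searchMemory` declaration in dbgmem.h says nothing about its result contract, and the implementation in the memory.cpp hunk of this same commit returns 0 both when the pattern is absent and when the engine call fails, which a header reader cannot see. A one-line comment above the declaration would spare callers the trip to the .cpp: `// Return the address of the first occurrence of pattern within [offset, offset+length); 0 when nothing is found or the search fails.` Since `length` is a ULONG, one call cannot cover a region larger than 4 GiB; that limit belongs in the same comment.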
@@ -155,7 +155,8 @@ BOOST_PYTHON_MODULE( pykd )
 "Check if the virtual address is valid" );
 python::def( "compareMemory", &compareMemory, compareMemory_( python::args( "offset1", "offset2", "length", "phyAddr" ),
 "Compare two memory buffers by virtual or physical addresses" ) );
-
+ python::def( "searchMemory", &searchMemory,
+ "Search in virtual memory" );
 python::def( "findMemoryRegion", &findMemoryRegionPy,
 "Return address of begining valid memory region nearest to offset" );
 python::def( "getVaProtect", &getVaProtect,
diff --git a/pykd/win/memory.cpp b/pykd/win/memory.cpp
index 0e8a17d..78e3499 100644
--- a/pykd/win/memory.cpp
+++ b/pykd/win/memory.cpp
@@ -228,6 +228,23 @@ void findMemoryRegion( ULONG64 beginOffset, ULONG64 *startOffset, ULONG64* lengt
 ///////////////////////////////////////////////////////////////////////////////////
+ULONG64 searchMemory( ULONG64 offset, ULONG length, const std::string& pattern )
+{
+ PyThread_StateRestore pyThreadRestore( g_dbgEng->pystate );
+
+ offset = addr64NoSafe(offset);
+
+ ULONG64 foundOffset;
+ HRESULT hres = g_dbgEng->dataspace->SearchVirtual( offset, length, (PVOID)pattern.c_str(), (ULONG)pattern.size(), 1, &foundOffset );
+
+ if ( FAILED( hres ) )
+ return 0LL;
+
+ return foundOffset;
+}
+
+///////////////////////////////////////////////////////////////////////////////////
+
 ULONG getVaProtect( ULONG64 offset )
 {
 PyThread_StateRestore pyThreadRestore( g_dbgEng->pystate );
diff --git a/snippets/findtag.py b/snippets/findtag.py
new file mode 100644
index 0000000..a713d4c
--- /dev/null
+++ b/snippets/findtag.py
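Review bot: The `searchMemory` binding is registered without `python::args(...)`, unlike the `compareMemory` binding just above it, so Python callers cannot pass `offset`, `length` or `pattern` by keyword and the generated help will not show parameter names. Registering it as `python::def( "searchMemory", &searchMemory, python::args( "offset", "length", "pattern" ), "Search in virtual memory" );` fixes both. The docstring should also state the result, since the implementation in this commit returns 0 when nothing is found: `"Search in virtual memory; return the address of the first match, 0 if the pattern is not found"`. The enclosing BOOST_PYTHON_MODULE body starts and ends outside this hunk.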
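Review bot: `searchMemory` folds every failed `SearchVirtual` call into the not-found result: the `if ( FAILED( hres ) ) return 0LL;` branch returns 0 whether the pattern is absent, the range is invalid, or the engine rejected the call, so the caller in snippets/findtag.py (`if not match: break`) silently reports a tag as absent on an engine error. If the other memory routines in this file raise on engine failure (they are outside the hunk, so I cannot confirm), this one should do the same and reserve 0 for the genuine not-found case. `foundOffset` is also left uninitialized; `ULONG64 foundOffset = 0;` costs nothing and keeps the function from returning garbage should the `FAILED` test ever be loosened. An empty `pattern` reaches the engine with a pattern size of 0, and rejecting it up front with a clear error is preferable to whatever the engine decides to do. getVaProtect's body continues outside the hunk.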
@@ -0,0 +1,56 @@
+from pykd import *
+from sys import argv
+
+nt = module("nt")
+LDR_DATA_TABLE_ENTRY = nt.type("_LDR_DATA_TABLE_ENTRY")
+
+
+def getModuleList():
+ ldrLst = typedVarList( nt.PsLoadedModuleList, LDR_DATA_TABLE_ENTRY, "InLoadOrderLinks.Flink")
+ return [ module(m.DllBase) for m in ldrLst ]
+
+def findTagInModule(mod, tag):
+
+ matchLst = []
+ begin = mod.begin()
+ end = mod.end()
+ offset = begin
+ size = mod.size()
+ while True:
+ match = searchMemory( offset, size, tag )
+ if not match:
+ break;
+ matchLst.append(match)
+ offset = match + 1
+ size = end - offset
+ return matchLst
+
+
+def main():
+
+ if len(argv) < 2:
+ print "You should note tag's value"
+ return
+
+ if len(argv[1])!=4:
+ print "Tag must have 4 symbols length"
+ return
+
+ tag = argv[1]
+
+ modLst = getModuleList()
+ for m in modLst:
+ matchLst = findTagInModule( m, tag )
+ if len(matchLst) == 0:
+ #print m.name(), "tag not found"
+ pass
+ else:
+ print m.name(), "found", len(matchLst), "entries"
+ for offset in matchLst:
+ print "\t", hex(offset)
+
+
+if __name__=="__main__":
+ main()
+
+
diff --git a/snippets/nbl.py b/snippets/nbl.py
index 15b0a60..6882bc5 100644
--- a/snippets/nbl.py
+++ b/snippets/nbl.py
@@ -349,7 +349,7 @@ class EthernetType:
 return self.typeVal == IPv6
 def __str__( self ):
- return { IPv4 : "IPv4", ARP : "ARP", IPv6 : "IPv6" }.get( self.typeVal, self.typeVal )
+ return { IPv4 : "IPv4", ARP : "ARP", IPv6 : "IPv6" }.get( self.typeVal, str(self.typeVal) )
 def getNextLayerPacket( self, dataPos ):
 return {
@@ -388,7 +388,7 @@ class EthernetPacket:
 def __str__( self):
-
+
 s = "Ethernet header: "
 if self.parsed:
@@ -409,8 +409,7 @@ class NetPacket:
 def __init__( self, rawData, startProtocol="eth", beginOffset=0 ):
 self.rawData = rawData
- dataPos = iter( self.rawData[ beginOffset : ] )
-
+ dataPos = iter( self.rawData[ beginOffset : ] )
 self.mediaParsed = {
 "eth" : lambda : EthernetPacket( dataPos ),
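Review bot: The result-reporting branch in `main` is built around a dead body — `if len(matchLst) == 0:` holds only a commented-out print and `pass`, with the real work in `else:` — and `break;` in `findTagInModule` carries a stray semicolon; inverting the test to `if matchLst:` and dropping the comment and the `pass` removes the empty branch. The usage message `"You should note tag's value"` does not say what the argument is; `"usage: findtag.py <4-character tag>"` would. Neither function has a docstring: `findTagInModule` should say that it returns every address in `[mod.begin(), mod.end())` at which `tag` occurs, found by restarting the search at `match + 1`, and that it stops at the first search that returns 0.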