zjgcjy/pykd
1
0
Fork 0
mirror of https://github.com/ivellioscolin/pykd.git synced 2025-04-20 03:23:23 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

[0.2.x] added : searchMemory routine ( Search in virtual memory )

Browse Source 
git-svn-id: https://pykd.svn.codeplex.com/svn@83704 9b283d60-5439-405e-af05-b73fd8c4d996
This commit is contained in:
SND\kernelnet_cp 2013-05-17 11:18:11 +00:00 committed by Mikhail I. Izmestev
parent a26edc8208
commit 60c71e8ff1
6 changed files with 80 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
pykd/dbgmem.h
View File

@ -12,7 +12,7 @@ bool readMemoryUnsafeNoSafe( ULONG64 offset, PVOID buffer, ULONG length, bool ph
bool isVaValid( ULONG64 addr ); bool isVaValid( ULONG64 addr );
bool compareMemory( ULONG64 addr1, ULONG64 addr2, ULONG length, bool phyAddr = FALSE ); bool compareMemory( ULONG64 addr1, ULONG64 addr2, ULONG length, bool phyAddr = FALSE );
ULONG getVaProtect( ULONG64 offset ); ULONG getVaProtect( ULONG64 offset );
ULONG64 searchMemory( ULONG64 offset, ULONG length, const std::string& pattern );
void findMemoryRegion( ULONG64 beginOffset, ULONG64 *startOffset, ULONG64* length ); void findMemoryRegion( ULONG64 beginOffset, ULONG64 *startOffset, ULONG64* length );
python::tuple findMemoryRegionPy( ULONG64 beginOffset ); python::tuple findMemoryRegionPy( ULONG64 beginOffset );

2
pykd/pykdver.h
View File

@ -2,7 +2,7 @@
#define PYKD_VERSION_MAJOR 0 #define PYKD_VERSION_MAJOR 0
#define PYKD_VERSION_MINOR 2 #define PYKD_VERSION_MINOR 2
#define PYKD_VERSION_SUBVERSION 0 #define PYKD_VERSION_SUBVERSION 0
#define PYKD_VERSION_BUILDNO 20 #define PYKD_VERSION_BUILDNO 21
#define __VER_STR2__(x) #x #define __VER_STR2__(x) #x

3
pykd/python/pymod.cpp
View File

@ -155,7 +155,8 @@ BOOST_PYTHON_MODULE( pykd )
"Check if the virtual address is valid" ); "Check if the virtual address is valid" );
python::def( "compareMemory", &compareMemory, compareMemory_( python::args( "offset1", "offset2", "length", "phyAddr" ), python::def( "compareMemory", &compareMemory, compareMemory_( python::args( "offset1", "offset2", "length", "phyAddr" ),
"Compare two memory buffers by virtual or physical addresses" ) ); "Compare two memory buffers by virtual or physical addresses" ) );
python::def( "searchMemory", &searchMemory,
"Search in virtual memory" );
python::def( "findMemoryRegion", &findMemoryRegionPy, python::def( "findMemoryRegion", &findMemoryRegionPy,
"Return address of begining valid memory region nearest to offset" ); "Return address of begining valid memory region nearest to offset" );
python::def( "getVaProtect", &getVaProtect, python::def( "getVaProtect", &getVaProtect,

17
pykd/win/memory.cpp
View File

@ -228,6 +228,23 @@ void findMemoryRegion( ULONG64 beginOffset, ULONG64 *startOffset, ULONG64* lengt
/////////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////////
ULONG64 searchMemory( ULONG64 offset, ULONG length, const std::string& pattern )
{
PyThread_StateRestore pyThreadRestore( g_dbgEng->pystate );
offset = addr64NoSafe(offset);
ULONG64 foundOffset;
HRESULT hres = g_dbgEng->dataspace->SearchVirtual( offset, length, (PVOID)pattern.c_str(), (ULONG)pattern.size(), 1, &foundOffset );
if ( FAILED( hres ) )
return 0LL;
return foundOffset;
}
///////////////////////////////////////////////////////////////////////////////////
ULONG getVaProtect( ULONG64 offset ) ULONG getVaProtect( ULONG64 offset )
{ {
PyThread_StateRestore pyThreadRestore( g_dbgEng->pystate ); PyThread_StateRestore pyThreadRestore( g_dbgEng->pystate );

56
snippets/findtag.py Normal file
View File

@ -0,0 +1,56 @@
from pykd import *
from sys import argv
nt = module("nt")
LDR_DATA_TABLE_ENTRY = nt.type("_LDR_DATA_TABLE_ENTRY")
def getModuleList():
ldrLst = typedVarList( nt.PsLoadedModuleList, LDR_DATA_TABLE_ENTRY, "InLoadOrderLinks.Flink")
return [ module(m.DllBase) for m in ldrLst ]
def findTagInModule(mod, tag):
matchLst = []
begin = mod.begin()
end = mod.end()
offset = begin
size = mod.size()
while True:
match = searchMemory( offset, size, tag )
if not match:
break;
matchLst.append(match)
offset = match + 1
size = end - offset
return matchLst
def main():
if len(argv) < 2:
print "You should note tag's value"
return
if len(argv[1])!=4:
print "Tag must have 4 symbols length"
return
tag = argv[1]
modLst = getModuleList()
for m in modLst:
matchLst = findTagInModule( m, tag )
if len(matchLst) == 0:
#print m.name(), "tag not found"
pass
else:
print m.name(), "found", len(matchLst), "entries"
for offset in matchLst:
print "\t", hex(offset)
if __name__=="__main__":
main()

7
snippets/nbl.py
View File

@ -349,7 +349,7 @@ class EthernetType:
return self.typeVal == IPv6 return self.typeVal == IPv6
def __str__( self ): def __str__( self ):
return { IPv4 : "IPv4", ARP : "ARP", IPv6 : "IPv6" }.get( self.typeVal, self.typeVal ) return { IPv4 : "IPv4", ARP : "ARP", IPv6 : "IPv6" }.get( self.typeVal, str(self.typeVal) )
def getNextLayerPacket( self, dataPos ): def getNextLayerPacket( self, dataPos ):
return { return {
@ -388,7 +388,7 @@ class EthernetPacket:
def __str__( self): def __str__( self):
s = "Ethernet header: " s = "Ethernet header: "
if self.parsed: if self.parsed:
@ -409,8 +409,7 @@ class NetPacket:
def __init__( self, rawData, startProtocol="eth", beginOffset=0 ): def __init__( self, rawData, startProtocol="eth", beginOffset=0 ):
self.rawData = rawData self.rawData = rawData
dataPos = iter( self.rawData[ beginOffset : ] ) dataPos = iter( self.rawData[ beginOffset : ] )
self.mediaParsed = { self.mediaParsed = {
"eth" : lambda : EthernetPacket( dataPos ), "eth" : lambda : EthernetPacket( dataPos ),