[0.2.x] added : searchMemory routine ( Search in virtual memory )

git-svn-id: https://pykd.svn.codeplex.com/svn@83704 9b283d60-5439-405e-af05-b73fd8c4d996
2025-04-20 03:23:23 +08:00 · 2013-05-17 11:18:11 +00:00 · 2013-05-17 11:18:11 +00:00 · 60c71e8ff1
commit 60c71e8ff1
parent a26edc8208
6 changed files with 80 additions and 7 deletions
--- a/pykd/dbgmem.h
+++ b/pykd/dbgmem.h
@ -12,7 +12,7 @@ bool readMemoryUnsafeNoSafe( ULONG64 offset, PVOID buffer, ULONG length, bool ph
 bool isVaValid( ULONG64 addr );
 bool compareMemory( ULONG64 addr1, ULONG64 addr2, ULONG length, bool phyAddr = FALSE );
 ULONG getVaProtect( ULONG64 offset );
-
+ULONG64 searchMemory( ULONG64 offset, ULONG length, const std::string& pattern );
 void findMemoryRegion( ULONG64 beginOffset, ULONG64 *startOffset, ULONG64* length );
 python::tuple findMemoryRegionPy( ULONG64 beginOffset );

--- a/pykd/pykdver.h
+++ b/pykd/pykdver.h
@ -2,7 +2,7 @@
 #define PYKD_VERSION_MAJOR      0
 #define PYKD_VERSION_MINOR      2
 #define PYKD_VERSION_SUBVERSION 0
-#define PYKD_VERSION_BUILDNO    20
+#define PYKD_VERSION_BUILDNO    21


 #define __VER_STR2__(x) #x
--- a/pykd/python/pymod.cpp
+++ b/pykd/python/pymod.cpp
@ -155,7 +155,8 @@ BOOST_PYTHON_MODULE( pykd )
        "Check if the virtual address is valid" );
    python::def( "compareMemory", &compareMemory, compareMemory_( python::args( "offset1", "offset2", "length", "phyAddr" ),
        "Compare two memory buffers by virtual or physical addresses" ) );
-
+    python::def( "searchMemory", &searchMemory, 
+        "Search in virtual memory" );
    python::def( "findMemoryRegion", &findMemoryRegionPy,
        "Return address of begining valid memory region nearest to offset" );
    python::def( "getVaProtect", &getVaProtect,
--- a/pykd/win/memory.cpp
+++ b/pykd/win/memory.cpp
@ -228,6 +228,23 @@ void findMemoryRegion( ULONG64 beginOffset, ULONG64 *startOffset, ULONG64* lengt

 ///////////////////////////////////////////////////////////////////////////////////

+ULONG64 searchMemory( ULONG64 offset, ULONG length, const std::string& pattern )
+{
+    PyThread_StateRestore pyThreadRestore( g_dbgEng->pystate );
+
+    offset = addr64NoSafe(offset);
+
+    ULONG64 foundOffset;
+    HRESULT hres = g_dbgEng->dataspace->SearchVirtual( offset, length, (PVOID)pattern.c_str(), (ULONG)pattern.size(), 1, &foundOffset );
+
+    if ( FAILED( hres ) )
+        return 0LL;
+
+    return foundOffset;
+}
+
+///////////////////////////////////////////////////////////////////////////////////
+
 ULONG getVaProtect( ULONG64 offset )
 {
    PyThread_StateRestore pyThreadRestore( g_dbgEng->pystate );
--- a/snippets/findtag.py
+++ b/snippets/findtag.py
@ -0,0 +1,56 @@
+from pykd import *
+from sys import argv
+
+nt = module("nt")
+LDR_DATA_TABLE_ENTRY = nt.type("_LDR_DATA_TABLE_ENTRY")
+    
+
+def getModuleList():
+    ldrLst = typedVarList( nt.PsLoadedModuleList, LDR_DATA_TABLE_ENTRY, "InLoadOrderLinks.Flink")
+    return [ module(m.DllBase) for m in ldrLst ]  
+    
+def findTagInModule(mod, tag):
+    
+    matchLst = []
+    begin = mod.begin()
+    end = mod.end()
+    offset = begin
+    size = mod.size()
+    while True:
+        match = searchMemory( offset, size, tag )
+        if not match:
+            break;
+        matchLst.append(match)
+        offset = match + 1
+        size = end - offset
+    return matchLst
+    
+    
+def main():
+
+    if len(argv) < 2:
+        print "You should note tag's value"
+        return
+
+    if len(argv[1])!=4:
+        print "Tag must have 4 symbols length"
+        return
+        
+    tag = argv[1]      
+
+    modLst = getModuleList()
+    for m in modLst:
+        matchLst = findTagInModule( m, tag )
+        if len(matchLst) == 0:
+            #print m.name(), "tag not found"
+            pass
+        else:
+            print m.name(), "found", len(matchLst), "entries"
+            for offset in matchLst:
+                print "\t", hex(offset)
+   
+   
+if __name__=="__main__":
+    main()
+
+
--- a/snippets/nbl.py
+++ b/snippets/nbl.py
@ -349,7 +349,7 @@ class EthernetType:
        return self.typeVal == IPv6

    def __str__( self ):
-        return { IPv4 : "IPv4", ARP : "ARP", IPv6 : "IPv6" }.get( self.typeVal, self.typeVal )    
+        return { IPv4 : "IPv4", ARP : "ARP", IPv6 : "IPv6" }.get( self.typeVal, str(self.typeVal) )    

    def getNextLayerPacket( self, dataPos ):
        return {  
@ -411,7 +411,6 @@ class NetPacket:
        self.rawData = rawData
        dataPos = iter( self.rawData[ beginOffset : ] )        
        
-        
        self.mediaParsed = {
            "eth" : lambda : EthernetPacket( dataPos ),
            "ip4" : lambda : IpPacket( dataPos ),