[0.1.x] ~refactoring (use one module object)

git-svn-id: https://pykd.svn.codeplex.com/svn@76559 9b283d60-5439-405e-af05-b73fd8c4d996
SND\EreTIk_cp 2012-05-23 09:28:50 +00:00 committed by Mikhail I. Izmestev
parent c36cf59e41
commit 7e5d195ec9


@ -26,14 +26,14 @@ Work with NT Object tree manager
from pykd import *
nt = loadModule("nt")
def getTypeWin7(p):
"""
Get object header by object pointer
Implementation for Win7+
"""
objHeader = containingRecord(p, "nt", "_OBJECT_HEADER", "Body")
objHeader = nt.containingRecord(p, "_OBJECT_HEADER", "Body")
tableTypeIndex = getOffset("nt", "ObTypeIndexTable")
return ptrPtr(tableTypeIndex + (ptrSize() * objHeader.TypeIndex))
@ -42,7 +42,7 @@ def getTypeLegacy(p):
Get object header by object pointer
Implementation for before Win7
"""
objHeader = containingRecord(p, "nt", "_OBJECT_HEADER", "Body")
objHeader = nt.containingRecord(p, "_OBJECT_HEADER", "Body")
return objHeader.Type
# Select platform-specific function for getting object header
@ -59,28 +59,28 @@ def getObjectNameInfoFromHeader(p):
"""
Get object name information from field NameInfoOffset of object header
"""
objHeader = containingRecord(p, "nt", "_OBJECT_HEADER", "Body")
objHeader = nt.containingRecord(p, "_OBJECT_HEADER", "Body")
if (0 == objHeader.NameInfoOffset):
return None
return typedVar("nt!_OBJECT_HEADER_NAME_INFO", objHeader.getAddress() - objHeader.NameInfoOffset)
return nt.typedVar("_OBJECT_HEADER_NAME_INFO", objHeader.getAddress() - objHeader.NameInfoOffset)
def getObjectNameInfoFromInfoMask(p):
"""
Get object name information from field NameInfoOffset of object header
"""
objHeader = containingRecord(p, "nt", "_OBJECT_HEADER", "Body")
objHeader = nt.containingRecord(p, "_OBJECT_HEADER", "Body")
if (0 == (objHeader.InfoMask & 2)):
return None
offsetNameInfo = ptrByte( getOffset("nt", "ObpInfoMaskToOffset") + (objHeader.InfoMask & 3) )
if (0 == offsetNameInfo):
return None
return typedVar("nt!_OBJECT_HEADER_NAME_INFO", objHeader.getAddress() - offsetNameInfo)
return nt.typedVar("_OBJECT_HEADER_NAME_INFO", objHeader.getAddress() - offsetNameInfo)
# Select platform-specific function for getting name of object
getObjectNameInfo = None
try:
typeInfo("nt!_OBJECT_HEADER").NameInfoOffset
nt.type("_OBJECT_HEADER").NameInfoOffset
getObjectNameInfo = getObjectNameInfoFromHeader
except TypeException:
getObjectNameInfo = getObjectNameInfoFromInfoMask
@ -150,7 +150,7 @@ def getListByHandleTable(tableHandles=None, objTypeAddr=0, containHeaders=True):
if (0 == entryHandle):
return 0
HandleEntry = typedVar("nt!_HANDLE_TABLE_ENTRY", entryHandle)
HandleEntry = nt.typedVar("_HANDLE_TABLE_ENTRY", entryHandle)
if (0xFFFFFFFE == HandleEntry.NextFreeTableEntry):
return 0
@ -159,7 +159,7 @@ def getListByHandleTable(tableHandles=None, objTypeAddr=0, containHeaders=True):
return 0
if (containHeader):
objHeader = typedVar("nt!_OBJECT_HEADER", p)
objHeader = nt.typedVar("_OBJECT_HEADER", p)
p = objHeader.Body.getAddress()
return p
@ -210,13 +210,13 @@ def getListByHandleTable(tableHandles=None, objTypeAddr=0, containHeaders=True):
return lstObjects
if (None == tableHandles):
currProcess = typedVar("nt!_EPROCESS", getCurrentProcess())
currProcess = nt.typedVar("_EPROCESS", getCurrentProcess())
if (None == currProcess):
dprintln("Get current process failed")
return
tableHandles = currProcess.ObjectTable
tableHandles = typedVar("nt!_HANDLE_TABLE", tableHandles)
tableHandles = nt.typedVar("_HANDLE_TABLE", tableHandles)
nMaxHandleIndex = tableHandles.NextHandleNeedingPool & 0xFFFFFFFF
nTableLevel = (tableHandles.TableCode & 3)
pTableContent = tableHandles.TableCode - nTableLevel
@ -249,7 +249,7 @@ def getListByDirectoryObject(p, objTypeAddr=0):
for i in range(0, NUMBER_HASH_BUCKETS):
bucket = ptrPtr( p + (i * ptrSize()) )
while bucket:
bucketVar = typedVar("nt!_OBJECT_DIRECTORY_ENTRY", bucket)
bucketVar = nt.typedVar("_OBJECT_DIRECTORY_ENTRY", bucket)
if objTypeAddr and (getType(bucketVar.Object) == objTypeAddr):
result.append(bucketVar.Object)
elif (not objTypeAddr):
@ -410,7 +410,7 @@ def main():
objectName = buildObjectName(object)
if len(objectName):
dprintln( ", name=`" + objectName + "'" )
elif typedVar("nt!_OBJECT_TYPE", getType(object)).TypeInfo.QueryNameProcedure:
elif nt.typedVar("_OBJECT_TYPE", getType(object)).TypeInfo.QueryNameProcedure:
dprintln(", <i>custom</i> name", True)
else:
dprintln(" , <_unnamed_>")
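Review bot: The two `getOffset("nt", ...)` lookups (for `ObTypeIndexTable` in getTypeWin7 and for `ObpInfoMaskToOffset` in getObjectNameInfoFromInfoMask) still resolve the module by name, while every type lookup around them now goes through the `nt` object, so the script keeps two resolution paths for the same module. If the module object offers a symbol lookup in this pykd version (I believe `nt.offset("ObTypeIndexTable")`), using it would complete the refactoring and ensure types and symbol addresses come from the same loaded image. Separately, the platform probe now calls `nt.type("_OBJECT_HEADER").NameInfoOffset` under the existing `except TypeException:`. It is worth confirming that the module-object path raises that same exception for a missing field, otherwise the InfoMask fallback is never selected and the script fails while loading. Several of the touched functions start or end outside the visible hunks.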