[0.3.x] branch : km/samples

git-svn-id: https://pykd.svn.codeplex.com/svn@85158 9b283d60-5439-405e-af05-b73fd8c4d996
SND\kernelnet_cp 2013-09-11 08:09:27 +00:00 committed by Mikhail I. Izmestev
parent e8375fb680
commit 967dee7c12
10 changed files with 267 additions and 5 deletions

45
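--- a/pykd/memaccess.cpp
+++ b/pykd/memaccess.cpp
@@ -0,0 +1,45 @@
+#include "stdafx.h"
+#include "kdlib\exceptions.h"
+#include "memaccess.h"
+namespace pykd {
+///////////////////////////////////////////////////////////////////////////////
+std::wstring loadUnicodeStr(kdlib::MEMOFFSET_64 offset)
+{
+unsigned short length = kdlib::ptrWord( offset );
+unsigned short maximumLength = kdlib::ptrWord( offset + 2 );
+kdlib::MEMOFFSET_64 buffer = kdlib::ptrPtr( offset + kdlib::ptrSize() );
+if ( maximumLength < length )
+throw kdlib::DbgException("Corrupted UNICODE_STRING structure");
+if ( length == 0 )
+return std::wstring();
+return kdlib::loadWChars( buffer, length/2 );
+}
+///////////////////////////////////////////////////////////////////////////////
+std::string loadAnsiStr(kdlib::MEMOFFSET_64 offset)
+{
+unsigned short length = kdlib::ptrWord( offset );
+unsigned short maximumLength = kdlib::ptrWord( offset + 2 );
+kdlib::MEMOFFSET_64 buffer = kdlib::ptrPtr( offset + kdlib::ptrSize() );
+if ( maximumLength < length )
+throw kdlib::DbgException("Corrupted UNICODE_STRING structure");
+if ( length == 0 )
+return std::string();
+return kdlib::loadChars( buffer, length );
+}
+///////////////////////////////////////////////////////////////////////////////
+}; // end pykd namespace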
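Review bot: The exception message at the `maximumLength < length` check in loadAnsiStr names the wrong structure — it reports `Corrupted UNICODE_STRING structure` for an ANSI_STRING, which will mislead anyone diagnosing a bad pointer from Python; it should read `throw kdlib::DbgException("Corrupted ANSI_STRING structure");`. Both functions take `length` from target memory, and the 16-bit type bounds the read to 64 KiB, but an odd `length` in loadUnicodeStr is silently halved by `length/2`; either rejecting `length % 2 != 0` alongside the existing check or a one-line comment stating that truncation is intended would make the contract explicit. Neither function has a header comment; a `/// Reads a UNICODE_STRING (Length, MaximumLength, Buffer) at offset and returns its contents; throws DbgException if Length > MaximumLength` style line on each would help the Python-facing wrappers. The `};` after the namespace closing brace is a stray empty declaration.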


@ -79,5 +79,9 @@ inline python::list loadPtrArray( kdlib::MEMOFFSET_64 offset, unsigned long cou
return vectorToList( kdlib::loadPtrs(offset, count) ); return vectorToList( kdlib::loadPtrs(offset, count) );
} }
std::wstring loadUnicodeStr(kdlib::MEMOFFSET_64 offset);
std::string loadAnsiStr(kdlib::MEMOFFSET_64 offset);
} // end namespace pykd } // end namespace pykd


@ -272,6 +272,7 @@
</PrecompiledHeader> </PrecompiledHeader>
</ClCompile> </ClCompile>
<ClCompile Include="eventhandler.cpp" /> <ClCompile Include="eventhandler.cpp" />
<ClCompile Include="memaccess.cpp" />
<ClCompile Include="pymod.cpp" /> <ClCompile Include="pymod.cpp" />
<ClCompile Include="stdafx.cpp"> <ClCompile Include="stdafx.cpp">
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader> <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>


@ -80,6 +80,9 @@
<ClCompile Include="cpucontext.cpp"> <ClCompile Include="cpucontext.cpp">
<Filter>Source Files</Filter> <Filter>Source Files</Filter>
</ClCompile> </ClCompile>
<ClCompile Include="memaccess.cpp">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup> </ItemGroup>
<ItemGroup> <ItemGroup>
<None Include="pykd.def"> <None Include="pykd.def">


@ -210,10 +210,10 @@ BOOST_PYTHON_MODULE( pykd )
"Load string from the target buffer containing 0-terminated ansi-string" ); "Load string from the target buffer containing 0-terminated ansi-string" );
python::def( "loadWStr", &kdlib::loadWStr, python::def( "loadWStr", &kdlib::loadWStr,
"Load string from the target buffer containing 0-terminated unicode-string" ); "Load string from the target buffer containing 0-terminated unicode-string" );
//python::def( "loadUnicodeString", &loadUnicodeStr, python::def( "loadUnicodeString", &loadUnicodeStr,
// "Return string represention of windows UNICODE_STRING type" ); "Return string represention of windows UNICODE_STRING type" );
//python::def( "loadAnsiString", &loadAnsiStr, python::def( "loadAnsiString", &loadAnsiStr,
// "Return string represention of windows ANSI_STRING type" ); "Return string represention of windows ANSI_STRING type" );
python::def( "loadFloats", &loadFloats, loadFloats_( python::args( "offset", "count", "phyAddr" ), python::def( "loadFloats", &loadFloats, loadFloats_( python::args( "offset", "count", "phyAddr" ),
"Read the block of the target's memory and return it as list of floats" ) ); "Read the block of the target's memory and return it as list of floats" ) );
python::def( "loadDoubles", &loadDoubles, loadDoubles_( python::args( "offset", "count", "phyAddr" ), python::def( "loadDoubles", &loadDoubles, loadDoubles_( python::args( "offset", "count", "phyAddr" ),
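Review bot: Both docstrings enabled here misspell `represention`; since these strings become the Python help text for `loadUnicodeString` and `loadAnsiString`, they should read `"Return string representation of windows UNICODE_STRING type"` and `"Return string representation of windows ANSI_STRING type"`. The help text could also mention that a corrupted structure raises an exception, as the memaccess.cpp implementation on this page does when Length exceeds MaximumLength. The BOOST_PYTHON_MODULE body extends beyond the hunk.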


@ -8,6 +8,7 @@ namespace python = boost::python;
namespace pykd { namespace pykd {
template<typename T> template<typename T>
inline
python::list vectorToList( const std::vector<T> &v ) { python::list vectorToList( const std::vector<T> &v ) {
python::list lst; python::list lst;
for ( std::vector<T>::const_iterator it = v.begin(); it != v.end(); ++it ) for ( std::vector<T>::const_iterator it = v.begin(); it != v.end(); ++it )
@ -16,6 +17,7 @@ python::list vectorToList( const std::vector<T> &v ) {
} }
template<> template<>
inline
python::list vectorToList<char>( const std::vector<char> &v ) { python::list vectorToList<char>( const std::vector<char> &v ) {
python::list lst; python::list lst;
for ( std::vector<char>::const_iterator it = v.begin(); it != v.end(); ++it ) for ( std::vector<char>::const_iterator it = v.begin(); it != v.end(); ++it )
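Review bot: The `inline` added to the primary template `vectorToList` is redundant — a function template may be defined in every translation unit that includes the header — whereas the one on the explicit specialization `vectorToList<char>` is the change that matters: a full specialization is an ordinary function and, presumably now that memaccess.cpp brings this header into a second translation unit, would otherwise be defined twice at link time. Keeping both is harmless, but a one-line comment above the specialization, `// explicit specializations are not implicitly inline; needed once several .cpp files include this header`, would record why it is there. The context line `std::vector<T>::const_iterator it` lacks `typename` for a dependent type, which MSVC tolerates but conforming compilers reject; that is pre-existing rather than part of this change. Both function bodies continue past the hunk.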

0
samples/km/__init__.py Normal file

110
samples/km/drvobj.py Normal file

@ -0,0 +1,110 @@
from pykd import *
import sys
def loadSymbols():
global nt
nt = module( "nt" )
def getObjNameFromObjHeader( objHeader ):
if hasattr( objHeader, "NameInfoOffset"):
objName = typedVar( "nt!_OBJECT_HEADER_NAME_INFO", objHeader.getAddress() - objHeader.NameInfoOffset )
else:
if (0 == (objHeader.InfoMask & 2)):
return ""
offsetNameInfo = ptrByte( nt.ObpInfoMaskToOffset + (objHeader.InfoMask & 3) )
if (0 == offsetNameInfo):
return ""
objName = nt.typedVar("_OBJECT_HEADER_NAME_INFO", objHeader.getAddress() - offsetNameInfo)
return loadUnicodeString( objName.Name.getAddress() )
def getObjTypeFromObjHeader( objHeader ):
if hasattr( objHeader, "Type"):
return objHeader.Type
return ptrPtr( nt.ObTypeIndexTable + ptrSize() * objHeader.TypeIndex )
def getObjectInDir( dirObj, objName ):
if objName.find( "\\" ) != -1:
( dirSubName, objSubName ) = objName.split("\\", 1)
else:
dirSubName = objName
for i in range( 0, 37 ):
if dirObj.HashBuckets[i] != 0:
dirEntry = typedVar( "nt!_OBJECT_DIRECTORY_ENTRY", dirObj.HashBuckets[i] )
while dirEntry != 0:
objHeader = containingRecord( dirEntry.Object, "nt!_OBJECT_HEADER", "Body" )
objName = getObjNameFromObjHeader( objHeader )
if objName.lower() == dirSubName.lower():
if getObjTypeFromObjHeader( objHeader ) == ptrPtr( nt.ObpDirectoryObjectType ):
return getObjectInDir( typedVar( "nt!_OBJECT_DIRECTORY", dirEntry.Object), objSubName )
else:
return dirEntry.Object
if dirEntry.ChainLink != 0:
dirEntry = typedVar( "nt!_OBJECT_DIRECTORY_ENTRY", dirEntry.ChainLink )
else:
dirEntry = 0
def getObjectByName( objName ):
if len(objName)==0:
return
if objName[0] != '\\':
return
rootDir = typedVar( "nt!_OBJECT_DIRECTORY", ptrPtr( nt.ObpRootDirectoryObject ) )
return getObjectInDir( rootDir, objName[1:] )
def printDrvMajorTable( drvName ):
objName = "\\Driver\\" + drvName
drvObjPtr = getObjectByName( objName )
if drvObjPtr == None:
dprintln( "object not found" )
return
drvObj = typedVar( "nt!_DRIVER_OBJECT", drvObjPtr )
for i in range( len(drvObj.MajorFunction) ):
dprintln( "MajorFunction[%d] = %s" % ( i, findSymbol( drvObj.MajorFunction[i] ) ) )
def run():
if not isWindbgExt():
if not loadDump( sys.argv[1] ):
dprintln( sys.argv[1] + " - load failed" )
return
if not isKernelDebugging():
dprintln( "not a kernel debugging" )
return
loadSymbols();
printDrvMajorTable( "afd" )
if __name__ == "__main__":
run()
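Review bot: `getObjectInDir` leaves `objSubName` unassigned when `objName` contains no backslash (the `else` branch sets only `dirSubName`), so a lookup whose final component is itself a directory object reaches the recursive call and fails with a NameError instead of returning that directory. Setting `objSubName = None` in the `else` branch and guarding the recursion with `if objSubName is not None and getObjTypeFromObjHeader( objHeader ) == ptrPtr( nt.ObpDirectoryObjectType ):` makes the terminal case fall through to `return dirEntry.Object`. The loop also rebinds the parameter at `objName = getObjNameFromObjHeader( objHeader )`, which is harmless after the split but reads as if the path were being modified; a local such as `entryName` would be clearer. `range( 0, 37 )` hard-codes the bucket count where `len( dirObj.HashBuckets )` would document it, assuming the typed array supports `len` the way `drvObj.MajorFunction` does in printDrvMajorTable; the trailing `;` on `loadSymbols();` is a leftover.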

30
samples/km/proclist.py Normal file

@ -0,0 +1,30 @@
import sys
from pykd import *
def processInfo():
nt = module( "nt" )
processList = typedVarList( nt.PsActiveProcessHead, "nt!_EPROCESS", "ActiveProcessLinks" )
for process in processList:
print "".join( [chr(i) for i in process.ImageFileName if i != 0] )
def run():
if not isWindbgExt():
if not loadDump( sys.argv[1] ):
dprintln( sys.argv[1] + " - load failed" )
return
if not isKernelDebugging():
dprintln( "not a kernel debugging" )
return
processInfo()
if __name__ == "__main__":
run()
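Review bot: `processInfo` writes with the Python 2 `print` statement while every other sample on this page reports through `dprintln`; inside the debugger the two may not land in the same output window, and the statement form does not parse under Python 3. `dprintln( "".join( [chr(i) for i in process.ImageFileName if i != 0] ) )` keeps the samples consistent. A one-line docstring such as `"""Print the image name of every process on PsActiveProcessHead."""` would make the sample self-describing.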

67
samples/km/ssdt.py Normal file

@ -0,0 +1,67 @@
from pykd import *
import sys
def checkSSDT():
nt = module( "nt" )
if is64bitSystem():
def getServiceAddrWlh(Start, Offset):
return Start + (Offset / 16)
def getServiceAddr2k3(Start, Offset):
return Start + (Offset & ~0xf)
if (ptrWord(nt.NtBuildNumber) == 3790):
getServiceAddr = getServiceAddr2k3
else:
getServiceAddr = getServiceAddrWlh
serviceTableHeader = loadQWords( nt.KeServiceDescriptorTable, 4 )
serviceTableStart = serviceTableHeader[0]
serviceCount = serviceTableHeader[2]
dprintln( "ServiceTable start: %(1)x count: %(2)x" % { "1" : serviceTableStart, "2" : serviceCount } )
serviceTable = loadSignDWords( serviceTableStart, serviceCount )
for i in range( 0, serviceCount ):
routineAddress = getServiceAddr(serviceTableStart, serviceTable[i]);
dprintln( "[%u] " % i + findSymbol( routineAddress ) )
else:
serviceTableHeader = loadDWords( nt.KeServiceDescriptorTable, 4 )
serviceTableStart = serviceTableHeader[0]
serviceCount = serviceTableHeader[2]
dprintln( "ServiceTable start: %(1)x count: %(2)x" % { "1" : serviceTableStart, "2" : serviceCount } )
serviceTable = loadPtrs( serviceTableStart, serviceCount )
for i in range( 0, serviceCount ):
dprintln( "[%u] " % i + findSymbol( serviceTable[i] ) )
def run():
while True:
if not isWindbgExt():
if not loadDump( sys.argv[1] ):
dprintln( sys.argv[1] + " - load failed" )
break
if not isKernelDebugging():
dprintln( "not a kernel debugging" )
break
checkSSDT()
break
if __name__ == "__main__":
run()
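Review bot: `getServiceAddrWlh` decodes a table entry with `Offset / 16`; `/` is floor division on Python 2 ints here, but under Python 3 or `from __future__ import division` it yields a float and the sum is no longer a usable address. `return Start + (Offset >> 4)` gives the same floor result for the negative entries that `loadSignDWords` can return and is independent of the division mode. `run` wraps a single pass in `while True: ... break`, which the other samples on this page express with plain early returns, and the trailing `;` on the `routineAddress = ...` line is a leftover. A short comment above the two inner helpers noting that the x64 table stores offsets with the argument count in the low 4 bits (hence the shift and the `& ~0xf`) would explain the two decodings to a reader.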