[0.2.x] fixed : speed optimization for ntobj.py

git-svn-id: https://pykd.svn.codeplex.com/svn@82635 9b283d60-5439-405e-af05-b73fd8c4d996
SND\kernelnet_cp 2013-02-13 16:28:33 +00:00 committed by Mikhail I. Izmestev
parent 5c7857a718
commit a69089a004
2 changed files with 21 additions and 10 deletions


@ -13,6 +13,9 @@ def findHanle(objaddr):
dprintln( "search in process %x " % process.UniqueProcessId + "".join( [chr(i) for i in process.ImageFileName if i != 0] ) ) dprintln( "search in process %x " % process.UniqueProcessId + "".join( [chr(i) for i in process.ImageFileName if i != 0] ) )
if process.ObjectTable == 0:
continue
objects = ntobj.getListByHandleTable( process.ObjectTable ) objects = ntobj.getListByHandleTable( process.ObjectTable )
for obj in objects: for obj in objects:
if obj[0] == objaddr: if obj[0] == objaddr:
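Review bot: The added `if process.ObjectTable == 0:` / `continue` guard sits after the `dprintln( "search in process ..." )` call, so a process with no handle table is still announced as searched and then dropped without a trace. When this script is used to find who holds a handle to an object, the output should show which processes were not examined. I would add a line before the `continue`, for example `dprintln( "  no handle table, skipped" )`. The body of `findHanle` starts and ends outside this hunk, so the rest of the loop is not reviewed here.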


@ -28,12 +28,20 @@ from pykd import *
nt = module("nt") nt = module("nt")
# optimization
OBJECT_HEADER = nt.type("_OBJECT_HEADER")
HANDLE_TABLE_ENTRY = nt.type("_HANDLE_TABLE_ENTRY")
OBJECT_DIRECTORY_ENTRY = nt.type("_OBJECT_DIRECTORY_ENTRY")
OBJECT_HEADER_NAME_INFO = nt.type("_OBJECT_HEADER_NAME_INFO")
def getTypeWin7(p): def getTypeWin7(p):
""" """
Get object header by object pointer Get object header by object pointer
Implementation for Win7+ Implementation for Win7+
""" """
objHeader = nt.containingRecord(p, "_OBJECT_HEADER", "Body") objHeader = containingRecord(p, OBJECT_HEADER, "Body")
tableTypeIndex = nt.ObTypeIndexTable tableTypeIndex = nt.ObTypeIndexTable
return ptrPtr(tableTypeIndex + (ptrSize() * objHeader.TypeIndex)) return ptrPtr(tableTypeIndex + (ptrSize() * objHeader.TypeIndex))
@ -42,7 +50,7 @@ def getTypeLegacy(p):
Get object header by object pointer Get object header by object pointer
Implementation for before Win7 Implementation for before Win7
""" """
objHeader = nt.containingRecord(p, "_OBJECT_HEADER", "Body") objHeader = containingRecord(p, OBJECT_HEADER, "Body")
return objHeader.Type return objHeader.Type
# Select platform-specific function for getting object header # Select platform-specific function for getting object header
@ -59,28 +67,28 @@ def getObjectNameInfoFromHeader(p):
""" """
Get object name information from field NameInfoOffset of object header Get object name information from field NameInfoOffset of object header
""" """
objHeader = nt.containingRecord(p, "_OBJECT_HEADER", "Body") objHeader = containingRecord(p, OBJECT_HEADER, "Body")
if (0 == objHeader.NameInfoOffset): if (0 == objHeader.NameInfoOffset):
return None return None
return nt.typedVar("_OBJECT_HEADER_NAME_INFO", objHeader.getAddress() - objHeader.NameInfoOffset) return typedVar(OBJECT_HEADER_NAME_INFO, objHeader.getAddress() - objHeader.NameInfoOffset)
def getObjectNameInfoFromInfoMask(p): def getObjectNameInfoFromInfoMask(p):
""" """
Get object name information from field NameInfoOffset of object header Get object name information from field NameInfoOffset of object header
""" """
objHeader = nt.containingRecord(p, "_OBJECT_HEADER", "Body") objHeader = containingRecord(p, OBJECT_HEADER, "Body")
if (0 == (objHeader.InfoMask & 2)): if (0 == (objHeader.InfoMask & 2)):
return None return None
offsetNameInfo = ptrByte( nt.ObpInfoMaskToOffset + (objHeader.InfoMask & 3) ) offsetNameInfo = ptrByte( nt.ObpInfoMaskToOffset + (objHeader.InfoMask & 3) )
if (0 == offsetNameInfo): if (0 == offsetNameInfo):
return None return None
return nt.typedVar("_OBJECT_HEADER_NAME_INFO", objHeader.getAddress() - offsetNameInfo) return typedVar(OBJECT_HEADER_NAME_INFO, objHeader.getAddress() - offsetNameInfo)
# Select platform-specific function for getting name of object # Select platform-specific function for getting name of object
getObjectNameInfo = None getObjectNameInfo = None
try: try:
nt.type("_OBJECT_HEADER").NameInfoOffset OBJECT_HEADER.NameInfoOffset
getObjectNameInfo = getObjectNameInfoFromHeader getObjectNameInfo = getObjectNameInfoFromHeader
except TypeException: except TypeException:
getObjectNameInfo = getObjectNameInfoFromInfoMask getObjectNameInfo = getObjectNameInfoFromInfoMask
@ -149,7 +157,7 @@ def getListByHandleTable(tableHandles=None, objTypeAddr=0, containHeaders=True):
if (0 == entryHandle): if (0 == entryHandle):
return 0 return 0
HandleEntry = nt.typedVar("_HANDLE_TABLE_ENTRY", entryHandle) HandleEntry = typedVar( HANDLE_TABLE_ENTRY, entryHandle)
if (0xFFFFFFFE == HandleEntry.NextFreeTableEntry): if (0xFFFFFFFE == HandleEntry.NextFreeTableEntry):
return 0 return 0
@ -158,7 +166,7 @@ def getListByHandleTable(tableHandles=None, objTypeAddr=0, containHeaders=True):
return 0 return 0
if (containHeader): if (containHeader):
objHeader = nt.typedVar("_OBJECT_HEADER", p) objHeader = typedVar( OBJECT_HEADER, p)
p = objHeader.Body.getAddress() p = objHeader.Body.getAddress()
return p return p
@ -250,7 +258,7 @@ def getListByDirectoryObject(p, objTypeAddr=0):
for i in range(0, NUMBER_HASH_BUCKETS): for i in range(0, NUMBER_HASH_BUCKETS):
bucket = ptrPtr( p + (i * ptrSize()) ) bucket = ptrPtr( p + (i * ptrSize()) )
while bucket: while bucket:
bucketVar = nt.typedVar("_OBJECT_DIRECTORY_ENTRY", bucket) bucketVar = typedVar( OBJECT_DIRECTORY_ENTRY, bucket)
if objTypeAddr and (getType(bucketVar.Object) == objTypeAddr): if objTypeAddr and (getType(bucketVar.Object) == objTypeAddr):
result.append(bucketVar.Object) result.append(bucketVar.Object)
elif (not objTypeAddr): elif (not objTypeAddr):
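Review bot: The four module-level type objects added in the first hunk of this file (`OBJECT_HEADER`, `HANDLE_TABLE_ENTRY`, `OBJECT_DIRECTORY_ENTRY`, `OBJECT_HEADER_NAME_INFO`) are documented only as `# optimization`. That comment does not say the structure layouts are now resolved once, at import, from whatever `nt` symbols are loaded at that moment. Every later `typedVar(...)` and `containingRecord(...)` call in the file reuses those objects. If the module stays imported while the debugger moves to another target or reloads symbols, the field offsets could presumably describe the wrong kernel build and be read without any error; this should be confirmed against pykd's typeInfo behaviour. I would replace the comment with something like `# nt structure layouts are resolved once at import; re-import this module after switching target or reloading symbols`. The functions touched by the later hunks all start or end outside the lines shown.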