From a7765dfb9e13a8b5a78cf58b76e2f27561448b58 Mon Sep 17 00:00:00 2001
From: "SND\\kernelnet_cp"
Date: Tue, 6 Jul 2010 14:53:05 +0000
Subject: [PATCH] git-svn-id: https://pykd.svn.codeplex.com/svn@50346 9b283d60-5439-405e-af05-b73fd8c4d996

---
 kdar/cmd.py | 5 ----
 kdar/drvobj.py | 11 ---------
 kdar/idt.py | 62 --------------------------------------------------
 3 files changed, 78 deletions(-)
 delete mode 100644 kdar/cmd.py
 delete mode 100644 kdar/drvobj.py
 delete mode 100644 kdar/idt.py

diff --git a/kdar/cmd.py b/kdar/cmd.py
deleted file mode 100644
index b43f101..0000000
--- a/kdar/cmd.py
+++ /dev/null
@@ -1,5 +0,0 @@
-from pykd import *
-
-s = dbgCommand( "dt nt!_DRIVER_OBJECT" )
-
-dprintln( s )
\ No newline at end of file
diff --git a/kdar/drvobj.py b/kdar/drvobj.py
deleted file mode 100644
index 9b60816..0000000
--- a/kdar/drvobj.py
+++ /dev/null
@@ -1,11 +0,0 @@
-from pykd import *
-
-
-drvObj = typedVar( "nt", "_DRIVER_OBJECT", addr64( 0x82000c08 ) )
-
-dprintln( "DriverName.Length = %(1)d" % { "1" : drvObj.DriverName.Length } )
-
-for i,f in drvObj.MajorFunction.iteritems():
-
- dprintln( "MajorFunction[%(1)d] = " % { "1" : i } + findSymbol( addr64( f ) ) )
-
diff --git a/kdar/idt.py b/kdar/idt.py
deleted file mode 100644
index 5f8e2b3..0000000
--- a/kdar/idt.py
+++ /dev/null
@@ -1,62 +0,0 @@
-from pykd import *
-
-
-if not is64bitSystem():
-
- dprintln( "check interrupt handlers...\n" )
-
- idtr = reg( "idtr" )
-
- nt = loadModule( "nt" )
- nt.KiInterruptDispatch = getOffset( "nt", "KiInterruptDispatch" )
- nt.KiChainedDispatch = getOffset( "nt", "KiChainedDispatch" )
- nt.KiInterruptTemplate = getOffset( "nt", "KiInterruptTemplate" )
-
- hal = loadModule( "hal" )
-
-
- ErrorCount = 0
-
- for i in range(0,255):
-
- idtEntry = typedVar( "nt", "_KIDTENTRY", idtr + i*8 )
-
- if idtEntry.Selector == 8:
-
- InterruptHandler = ( idtEntry.ExtendedOffset * 0x10000 ) + idtEntry.Offset
-
- if InterruptHandler != 0 and not nt.contain( InterruptHandler ) and not hal.contain( InterruptHandler ):
-
- kinterrupt = containingRecord( InterruptHandler, "nt", "_KINTERRUPT", "DispatchCode" )
-
- dprintln ( "KINTERRUPT: %(1)x" % { "1" : kinterrupt.getAddress() } )
-
- if addr64( kinterrupt.DispatchAddress ) != nt.KiInterruptDispatch and addr64( kinterrupt.DispatchAddress ) != nt.KiChainedDispatch:
- dprintln ( "Threat!!! KINTERRUPT::DispatchAddress PATCHED" )
- ErrorCount += 1
-
- if findModule( kinterrupt.ServiceRoutine ) == None:
- dprintln ( "Threat!!! KINTERRUPT::ServiceRoutine (%(1)x) out of any module" % { "1" : kinterrupt.ServiceRoutine } )
- ErrorCount += 1
-
- if not compareMemory( nt.KiInterruptTemplate, InterruptHandler, 98 ):
- dprintln ( "Threat!!! KINTERRUPT::DispatchCode area PATCHED" )
- ErrorCount += 1
-
-
- dprintln ( "" )
-
-
- dprintln( "check end: %(1)d threats" % { "1" : ErrorCount } )
-
-
-else:
-
- dprintln( "x64 is not supported" )
-
-
-
-
-
-
-