From bb9b0ea5f680ef04896188acecb062d505c2df3c Mon Sep 17 00:00:00 2001
From: "SND\\kernelnet_cp"
Date: Mon, 9 Sep 2013 16:08:10 +0000
Subject: [PATCH] [0.3.x] added : ldr.py sample

git-svn-id: https://pykd.svn.codeplex.com/svn@85130 9b283d60-5439-405e-af05-b73fd8c4d996
---
 samples/samples.py | 74 ++++++++++++++++++++++++++++++++++++++++++
 samples/um/__init__.py | 0
 samples/um/ldr.py | 59 +++++++++++++++++++++++++++++++++
 3 files changed, 133 insertions(+)
 create mode 100644 samples/samples.py
 create mode 100644 samples/um/__init__.py
 create mode 100644 samples/um/ldr.py

diff --git a/samples/samples.py b/samples/samples.py
new file mode 100644
index 0000000..f9a6d24
--- /dev/null
+++ b/samples/samples.py
@@ -0,0 +1,74 @@
+
+import sys
+import os.path
+
+from pykd import dprintln
+from pykd import dprint
+
+def printAllSamples():
+ dprintln( "User mode", True)
+ dprintln( "Get critical sections list Run Source", True)
+ dprintln( "Get module list from PEB Run Source", True)
+ dprintln( "Kernel mode", True )
+ dprintln( "Get process list Run Source", True)
+ dprintln( "Get kernel service list Run Source", True)
+ dprintln( "Get driver object Run Source", True)
+ dprintln( "" )
+
+def runSample( sampleName ):
+
+ try:
+ packageName, moduleName = sampleName.split(".")
+
+ module = __import__( name = sampleName, fromlist = moduleName )
+
+ module.__dict__[ "run" ]()
+
+ except ImportError:
+ dprintln("import error")
+ pass
+
+ dprintln( "" )
+ dprintln( "Sample list", True )
+ dprintln( "" )
+
+def printSample( sampleName ):
+
+ try:
+ packageName, moduleName = sampleName.split(".")
+
+ module = __import__( name = sampleName, fromlist = moduleName )
+
+ fileName = os.path.dirname( module.__dict__["__file__"] )
+ fileName = os.path.join( fileName, moduleName + ".py" )
+
+ with open( fileName ) as f:
+ for line in f:
+ dprint( line )
+
+ except ImportError:
+ dprintln("import error")
+ pass
+
+ dprintln( "" )
+ dprintln( "Sample list", True )
+ dprintln( "" )
+
+
+def main():
+ if len(sys.argv) <= 2:
+ return printAllSamples()
+
+ if sys.argv[1] == "run":
+ runSample( sys.argv[2] )
+
+ if sys.argv[1] == "source":
+ printSample( sys.argv[2] )
+
+
+if __name__ == "__main__":
+ main()
+
+
+
+
diff --git a/samples/um/__init__.py b/samples/um/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/samples/um/ldr.py b/samples/um/ldr.py
new file mode 100644
index 0000000..184cfee
--- /dev/null
+++ b/samples/um/ldr.py
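Review bot: `fromlist = moduleName` in `runSample` and `printSample` passes a bare string where `__import__` expects a sequence; it only works because iterating a string yields its characters, so it should read `fromlist = [ moduleName ]`. Two further failures escape the `except ImportError` handlers as raw tracebacks: a sample name without exactly one dot makes the unpack of `sampleName.split(".")` raise ValueError, and a sample module with no `run` attribute raises KeyError from `module.__dict__[ "run" ]()`; a `getattr( module, "run", None )` check followed by a message would be friendlier. The `pass` after `dprintln("import error")` in both handlers is dead and can go, as can the unused `packageName`. In `printSample`, the path is rebuilt from `os.path.dirname` plus `moduleName + ".py"` instead of taken from `module.__file__` directly, presumably to force the `.py` extension; a one-line comment saying so would save the next reader the guess.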
@@ -0,0 +1,59 @@
+from pykd import *
+
+def main():
+ pass
+
+def listModuleFromLdr64():
+
+ dprintln( "64 bit modules:", True )
+
+ peb = typedVar( "ntdll!PEB", getProcessOffset(getCurrentProcess()) )
+
+ moduleLst = typedVarList( peb.Ldr.deref().InMemoryOrderModuleList, "ntdll!_LDR_DATA_TABLE_ENTRY", "InMemoryOrderLinks" )
+
+ for mod in moduleLst:
+ name = typedVar( "ntdll!_UNICODE_STRING", mod.BaseDllName )
+ dprintln(loadWChars(name.Buffer, name.Length/2))
+
+ try:
+
+ peb32 = typedVar( "ntdll32!_PEB", getProcessOffset(getCurrentProcess()) - pageSize() )
+
+ dprintln( "\n32 bit modules:", True)
+
+ moduleLst = typedVarList( peb32.Ldr.deref().InMemoryOrderModuleList, "ntdll32!_LDR_DATA_TABLE_ENTRY", "InMemoryOrderLinks" )
+
+ for mod in moduleLst:
+ name = typedVar( "ntdll32!_UNICODE_STRING", mod.BaseDllName )
+ dprintln(loadWChars(name.Buffer, name.Length/2))
+
+ except BaseException:
+ pass
+
+def listModuleFromLdr():
+
+ peb = typedVar( "ntdll!PEB", getProcessOffset(getCurrentProcess()) )
+
+ moduleLst = typedVarList( peb.Ldr.deref().InMemoryOrderModuleList, "ntdll!_LDR_DATA_TABLE_ENTRY", "InMemoryOrderLinks" )
+
+ for mod in moduleLst:
+ dprintln(loadUnicodeString(mod.BaseDllName))
+
+
+def run():
+
+ while True:
+
+ if isKernelDebugging():
+ dprintln( "not a user debugging" )
+ break
+
+ if is64bitSystem():
+ listModuleFromLdr64()
+ else:
+ listModuleFromLdr()
+
+ break
+
+if __name__ == "__main__":
+ run()
\ No newline at end of file
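Review bot: `except BaseException: pass` around the WoW64 walk in `listModuleFromLdr64` swallows everything, including KeyboardInterrupt and SystemExit, and leaves the user unable to tell a native 64-bit target apart from a failure to resolve `ntdll32` symbols; narrow it to `except Exception as e:` and report it, e.g. `dprintln( "32 bit modules: not available (%s)" % e )`. The `- pageSize()` offset used to locate `peb32` encodes an undocumented assumption about where the 32-bit PEB sits relative to the 64-bit one; it deserves a comment naming that assumption, because when it does not hold the result is either garbage output or the silently swallowed exception. The first loop resolves `BaseDllName` through `typedVar( "ntdll!_UNICODE_STRING", ... )` plus `loadWChars`, while `listModuleFromLdr` uses `loadUnicodeString(mod.BaseDllName)` for the same field; using one helper in both places keeps the two paths consistent. `run` is written as `while True:` with a `break` on every path, which is just an `if`/`else`, and the `main()` stub with `pass` is never called.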