[0.3.x] added : ldr.py sample
git-svn-id: https://pykd.svn.codeplex.com/svn@85130 9b283d60-5439-405e-af05-b73fd8c4d996
This commit is contained in:
parent
128394ff85
commit
bb9b0ea5f6
74
samples/samples.py
Normal file
74
samples/samples.py
Normal file
@ -0,0 +1,74 @@
|
|||||||
|
|
||||||
|
import sys
|
||||||
|
import os.path
|
||||||
|
|
||||||
|
from pykd import dprintln
|
||||||
|
from pykd import dprint
|
||||||
|
|
||||||
|
def printAllSamples():
|
||||||
|
dprintln( "<b>User mode</b>", True)
|
||||||
|
dprintln( "Get critical sections list <link cmd=\"!py samples run um.critlist\">Run</link> <link cmd=\"!py samples source um.critlist\">Source</link>", True)
|
||||||
|
dprintln( "Get module list from PEB <link cmd=\"!py samples run um.ldr\">Run</link> <link cmd=\"!py samples source um.ldr\">Source</link>", True)
|
||||||
|
dprintln( "<b>Kernel mode</b>", True )
|
||||||
|
dprintln( "Get process list <link cmd=\"!py samples run km.proclist\">Run</link> <link cmd=\"!py samples source km.proclist\">Source</link>", True)
|
||||||
|
dprintln( "Get kernel service list <link cmd=\"!py samples run km.ssdt\">Run</link> <link cmd=\"!py samples source km.ssdt\">Source</link>", True)
|
||||||
|
dprintln( "Get driver object <link cmd=\"!py samples run km.drvobj\">Run</link> <link cmd=\"!py samples source km.drvobj\">Source</link>", True)
|
||||||
|
dprintln( "" )
|
||||||
|
|
||||||
|
def runSample( sampleName ):
|
||||||
|
|
||||||
|
try:
|
||||||
|
packageName, moduleName = sampleName.split(".")
|
||||||
|
|
||||||
|
module = __import__( name = sampleName, fromlist = moduleName )
|
||||||
|
|
||||||
|
module.__dict__[ "run" ]()
|
||||||
|
|
||||||
|
except ImportError:
|
||||||
|
dprintln("import error")
|
||||||
|
pass
|
||||||
|
|
||||||
|
dprintln( "" )
|
||||||
|
dprintln( "<link cmd=\"!py samples\">Sample list</link>", True )
|
||||||
|
dprintln( "" )
|
||||||
|
|
||||||
|
def printSample( sampleName ):
|
||||||
|
|
||||||
|
try:
|
||||||
|
packageName, moduleName = sampleName.split(".")
|
||||||
|
|
||||||
|
module = __import__( name = sampleName, fromlist = moduleName )
|
||||||
|
|
||||||
|
fileName = os.path.dirname( module.__dict__["__file__"] )
|
||||||
|
fileName = os.path.join( fileName, moduleName + ".py" )
|
||||||
|
|
||||||
|
with open( fileName ) as f:
|
||||||
|
for line in f:
|
||||||
|
dprint( line )
|
||||||
|
|
||||||
|
except ImportError:
|
||||||
|
dprintln("import error")
|
||||||
|
pass
|
||||||
|
|
||||||
|
dprintln( "" )
|
||||||
|
dprintln( "<link cmd=\"!py samples\">Sample list</link>", True )
|
||||||
|
dprintln( "" )
|
||||||
|
|
||||||
|
|
||||||
|
def main():
|
||||||
|
if len(sys.argv) <= 2:
|
||||||
|
return printAllSamples()
|
||||||
|
|
||||||
|
if sys.argv[1] == "run":
|
||||||
|
runSample( sys.argv[2] )
|
||||||
|
|
||||||
|
if sys.argv[1] == "source":
|
||||||
|
printSample( sys.argv[2] )
|
||||||
|
|
||||||
|
|
||||||
|
if __name__ == "__main__":
|
||||||
|
main()
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
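Review bot: `__import__( name = sampleName, fromlist = moduleName )` in both runSample and printSample passes a plain str as fromlist, which Python walks character by character (it tries to import `um.l`, `um.d`, `um.r` as submodules and only succeeds because those lookups fail quietly); the intended form is `__import__(sampleName, fromlist=[moduleName])`. The two-name unpack `packageName, moduleName = sampleName.split(".")` raises ValueError for any argument without exactly one dot (e.g. `!py samples run ldr`), and that is not caught by the `except ImportError:` below it, so the user gets a traceback instead of the "import error" line; `except (ImportError, ValueError):` covers both cases. sampleName comes straight from the debugger command line (sys.argv[2]) and is imported and executed without validation — inside a debugger session that is the operator's own privilege, but a check such as `if packageName not in ("um", "km"): dprintln("unknown sample"); return` would keep the command from loading an arbitrary module found on sys.path. packageName is otherwise unused, and the `pass` after each `dprintln("import error")` is dead.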
0
samples/um/__init__.py
Normal file
0
samples/um/__init__.py
Normal file
59
samples/um/ldr.py
Normal file
59
samples/um/ldr.py
Normal file
@ -0,0 +1,59 @@
|
|||||||
|
from pykd import *
|
||||||
|
|
||||||
|
def main():
|
||||||
|
pass
|
||||||
|
|
||||||
|
def listModuleFromLdr64():
|
||||||
|
|
||||||
|
dprintln( "<u>64 bit modules:</u>", True )
|
||||||
|
|
||||||
|
peb = typedVar( "ntdll!PEB", getProcessOffset(getCurrentProcess()) )
|
||||||
|
|
||||||
|
moduleLst = typedVarList( peb.Ldr.deref().InMemoryOrderModuleList, "ntdll!_LDR_DATA_TABLE_ENTRY", "InMemoryOrderLinks" )
|
||||||
|
|
||||||
|
for mod in moduleLst:
|
||||||
|
name = typedVar( "ntdll!_UNICODE_STRING", mod.BaseDllName )
|
||||||
|
dprintln(loadWChars(name.Buffer, name.Length/2))
|
||||||
|
|
||||||
|
try:
|
||||||
|
|
||||||
|
peb32 = typedVar( "ntdll32!_PEB", getProcessOffset(getCurrentProcess()) - pageSize() )
|
||||||
|
|
||||||
|
dprintln( "\n<u>32 bit modules:</u>", True)
|
||||||
|
|
||||||
|
moduleLst = typedVarList( peb32.Ldr.deref().InMemoryOrderModuleList, "ntdll32!_LDR_DATA_TABLE_ENTRY", "InMemoryOrderLinks" )
|
||||||
|
|
||||||
|
for mod in moduleLst:
|
||||||
|
name = typedVar( "ntdll32!_UNICODE_STRING", mod.BaseDllName )
|
||||||
|
dprintln(loadWChars(name.Buffer, name.Length/2))
|
||||||
|
|
||||||
|
except BaseException:
|
||||||
|
pass
|
||||||
|
|
||||||
|
def listModuleFromLdr():
|
||||||
|
|
||||||
|
peb = typedVar( "ntdll!PEB", getProcessOffset(getCurrentProcess()) )
|
||||||
|
|
||||||
|
moduleLst = typedVarList( peb.Ldr.deref().InMemoryOrderModuleList, "ntdll!_LDR_DATA_TABLE_ENTRY", "InMemoryOrderLinks" )
|
||||||
|
|
||||||
|
for mod in moduleLst:
|
||||||
|
dprintln(loadUnicodeString(mod.BaseDllName))
|
||||||
|
|
||||||
|
|
||||||
|
def run():
|
||||||
|
|
||||||
|
while True:
|
||||||
|
|
||||||
|
if isKernelDebugging():
|
||||||
|
dprintln( "not a user debugging" )
|
||||||
|
break
|
||||||
|
|
||||||
|
if is64bitSystem():
|
||||||
|
listModuleFromLdr64()
|
||||||
|
else:
|
||||||
|
listModuleFromLdr()
|
||||||
|
|
||||||
|
break
|
||||||
|
|
||||||
|
if __name__ == "__main__":
|
||||||
|
run()
|
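Review bot: The `except BaseException: pass` around the WoW64 branch of listModuleFromLdr64 swallows everything, including KeyboardInterrupt and SystemExit, and it hides a genuine failure in the 32-bit walk (a bad `name.Buffer` read, missing ntdll32 symbols) behind the same silence as the expected "not a WoW64 process" case; `except Exception:` with a one-line `dprintln("no 32 bit loader data")` keeps the best-effort behavior without masking interrupts. `peb32 = typedVar( "ntdll32!_PEB", getProcessOffset(getCurrentProcess()) - pageSize() )` appears to rely on the 32-bit PEB sitting exactly one page below the native one, an undocumented layout assumption that deserves a comment such as `# WoW64: the 32-bit PEB is assumed to be one page below the native PEB -- verify on the target OS`. Both `loadWChars(name.Buffer, name.Length/2)` calls pass a float length under Python 3's true division; `name.Length // 2` is correct on both interpreters. `def main(): pass` is dead code, and `run()` uses `while True: ... break` as a goto where an early `return` after the isKernelDebugging() check reads more plainly.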