From bd52d71c3239facb1d7935506653d1a846f02d03 Mon Sep 17 00:00:00 2001
From: "SND\\kernelnet_cp"
Date: Wed, 23 May 2012 13:51:12 +0000
Subject: [PATCH] [0.1.x] updated : snippets
git-svn-id: https://pykd.svn.codeplex.com/svn@76567 9b283d60-5439-405e-af05-b73fd8c4d996
---
 snippets/nbl.py | 1 +
 snippets/reload.py | 29 ------------
 snippets/stlp.py | 87 ----------------------------------
 snippets/wfp.py | 110 ++++++++++++++++++++++++++++++++++++++-------
 4 files changed, 96 insertions(+), 131 deletions(-)
 delete mode 100644 snippets/reload.py
 delete mode 100644 snippets/stlp.py
diff --git a/snippets/nbl.py b/snippets/nbl.py
index e2cb988..8e91d04 100644
--- a/snippets/nbl.py
+++ b/snippets/nbl.py
@@ -487,6 +487,7 @@ def usage():
 def main():
 if len(sys.argv) < 2:
+ usage()
 return
 if not isKernelDebugging():
diff --git a/snippets/reload.py b/snippets/reload.py
deleted file mode 100644
index 89d98c4..0000000
--- a/snippets/reload.py
+++ /dev/null
@@ -1,29 +0,0 @@
-#
-#
-#
-
-import sys
-from pykd import *
-
-def symreload():
-
- reloadModule( "/f" )
-
- PsLoadedModuleList = getOffset( "nt", "PsLoadedModuleList" )
-
- loadedModulesInfo = typedVarList( PsLoadedModuleList, "nt", "_LDR_DATA_TABLE_ENTRY", "InLoadOrderLinks" )
-
- for module in loadedModulesInfo:
-
- if "" == getPdbFile( module.DllBase ):
- baseName = loadUnicodeString( module.BaseDllName.getAddress() )
- if baseName=="ntoskrnl.exe": baseName = "nt"
- reloadModule( " /u " + str(baseName) )
-
-if __name__ == "__main__":
-
- if not isSessionStart():
- dprintln( "script is launch out of windbg" )
- quit( 0 )
-
- symreload()
\ No newline at end of file
diff --git a/snippets/stlp.py b/snippets/stlp.py
deleted file mode 100644
index e5c4d5a..0000000
--- a/snippets/stlp.py
+++ /dev/null
@@ -1,87 +0,0 @@
-"""Dump STLPort containers"""
-
-import sys
-from pykd import *
-
-def ptr_t():
- return is64bitSystem() and ulonglong_t or ulong_t
-
-StlpNodeBase = typeInfo()
-StlpNodeBase.append(ptr_t(), "color")
-StlpNodeBase.append(ptr_t(), "parent")
-StlpNodeBase.append(ptr_t(), "left")
-StlpNodeBase.append(ptr_t(), "right")
-
-StlpMap = typeInfo()
-StlpMap.append(StlpNodeBase, "header")
-StlpMap.append(ptr_t(), "node_count")
-
-def stlpMapIncrement(addr):
- node = StlpNodeBase.load(addr)
-
- if (node.right != 0):
- node = StlpNodeBase.load(node.right)
- while (node.left != 0):
- node = StlpNodeBase.load(node.left)
- else:
- ynode = StlpNodeBase.load(node.parent)
- while (node.getAddress() == ynode.right):
- node = ynode
- ynode = StlpNodeBase.load(ynode.parent)
- # check special case: This is necessary if _M_node is the
- # _M_head and the tree contains only a single node __y. In
- # that case parent, left and right all point to __y!
- if (node.right != ynode.getAddress()):
- node = ynode
-
- return node.getAddress()
-
-
-
-def dumpStlportMap(addr):
- """Returns the list of addresses of pair"""
- addrList = list()
- #dprintln("Map address: 0x%x" % addr)
- map = StlpMap.load(addr)
- #dprintln("Map node count: %u" % map.node_count)
-
- count = 0
- begin = map.header.left
- end = addr
- it = begin
- while (it and it != end):
- addrList.append(it + map.header.sizeof())
- it = stlpMapIncrement(it)
- count += 1
-
- if (count != map.node_count):
- dprintln("Error: map was dumped incorrectly.")
-
- return addrList
-
-
-
-def printUsage():
- dprintln("Usage:")
- dprintln("!py stlp map [\"accurate map pair type\"]")
- dprintln("Use dt command to retrive accurate map pair type:")
- dprintln("dt -r ModuleName!stlp_std::pair*")
- dprintln("Find required type in the list and copy paste it as script parameter. 
Don't forget about quotes.")
-
-if __name__ == "__main__":
- mapAddr = 0
-
- argc = len(sys.argv)
- if (argc < 3 or sys.argv[1] != "map"):
- printUsage()
- quit(0)
- else:
- mapAddr = int(expr(sys.argv[2]))
-
- addrList = dumpStlportMap(mapAddr)
- for addr in addrList:
- if (argc == 3):
- dprintln("0x%x" % addr)
- else:
- s = "dt -r " + sys.argv[3] + " 0x%x" % addr
- #println(s)
- dprintln("------------------------------------------------")
- dprintln(dbgCommand(s))
diff --git a/snippets/wfp.py b/snippets/wfp.py
index 155fe36..10fc463 100644
--- a/snippets/wfp.py
+++ b/snippets/wfp.py
@@ -6,19 +6,7 @@ from pykd import *
 fwpsLayer = typeInfo( "FWPS_BUILTIN_LAYERS_" ).asMap()
 fwpsDataType = typeInfo( "FWP_DATA_TYPE_" ).asMap()
-
-layerRe = re.compile( 'LAYER' )
-discardRe = re.compile( 'DISCARD' )
-
-fwpsFields = {}
-
-for layerId, v in fwpsLayer.items():
- if discardRe.search( v ):
- continue
- try:
- fwpsFields[ layerId ] = typeInfo( layerRe.sub( 'FIELDS', v, 1 ) + '_' ).asMap()
- except:
- pass
+fwpDirection = typeInfo( "FWP_DIRECTION_" ).asMap()
 def printBlob( blob ):
 bb = loadBytes( blob.data, blob.size )
@@ -48,6 +36,9 @@ def printFwpsValue( value ):
 }.get( fwpsDataType[ value.type ], lambda : "---" )()
 def wfpFixedValues( addr ):
+
+ dprintln( "FWPS_INCOMING_VALUES0:" )
+
 inFixedValue = typedVar( "FWPS_INCOMING_VALUES0_", addr )
 dprintln( " Layer: " + fwpsLayer[ inFixedValue.layerId ] )
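Review bot: Removing the guarded `fwpsFields` precompute (the `try`/`except: pass` loop deleted in this hunk) changes how a layer without a resolvable fields enumeration is handled: the replacement lookup later in this file, `fwpsFields = typeInfo( layerRe.sub( 'FIELDS', layerName, 1 ) + '_' ).asMap()` inside `wfpFixedValues`, has no guard, so what the old code silently skipped now presumably raises in the middle of the dump. The silent `except: pass` was the wrong tool, but the per-call lookup should fail readably: catch the failure around that one line, print the layer name with a short "fields enumeration not available" message, and fall through to printing the values by index. The new `fwpDirection` map at the end of this hunk is resolved unconditionally at import, consistent with `fwpsLayer` and `fwpsDataType` above it; a one-line comment above the three, `# enum-name maps resolved from the loaded symbols at import time`, would make that dependency explicit.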
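Review bot: `wfpFixedValues` gains a header line here but still has no docstring, and its body continues past the end of this hunk (the per-value loop is in the next hunk of this file). Suggest adding, directly under the `def`, `"""Dump the FWPS_INCOMING_VALUES0 at addr: layer name, then each incoming value's field name, type and value."""`. Note that the `FWPS_INCOMING_VALUES0:` header is printed before `typedVar(...)` has read anything, so on a bad address the header appears followed by the traceback; that is acceptable, but worth a brief comment if intentional.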
@@ -55,14 +46,103 @@ def wfpFixedValues( addr ): values = [ x.value for x in typedVarArray( int(inFixedValue.incomingValue), "FWPS_INCOMING_VALUE0_", inFixedValue.valueCount ) ] + layerName = fwpsLayer[ inFixedValue.layerId ] + + discardRe = re.compile( '_DISCARD' ) + layerName = discardRe.sub( '', layerName, 1 ) + + layerRe = re.compile( 'LAYER' ) + fwpsFields = typeInfo( layerRe.sub( 'FIELDS', layerName, 1 ) + '_' ).asMap() + for i in range( 0, len(values) ): - dprintln( " " + fwpsFields[ inFixedValue.layerId ][ i ] ) + dprintln( " " + fwpsFields[ i ] ) dprintln( " Type: " + fwpsDataType[ values[i].type ] ) dprintln( " Value: " + printFwpsValue( values[i] ) ) +def printDiscardReason( discardReason ): + return "" + +def printBlobAsStr( blob ): + return loadWChars( blob.data, blob.size ) + +def printFwpsMetaValue( valueIndex, inMetaValues ): + + return { + 0x00000001 : lambda x: printDiscardReason( x.discardMetadata ), + 0x00000002 : lambda x: "%#x" % inMetaValues.flowHandle, + 0x00000004 : lambda x: "%#x" % inMetaValues.ipHeaderSize, + 0x00000008 : lambda x: printBlobAsStr( x.processPath.deref() ), + 0x00000010 : lambda x: "%#lx" % inMetaValues.token, + 0x00000020 : lambda x: "%#lx" % inMetaValues.processId, + 0x00000040 : lambda x: "%#x" % inMetaValues.flags, + 0x00000080 : lambda x: "%#lx" % inMetaValues.reserved, + 0x00000100 : lambda x: "%#x" % inMetaValues.sourceInterfaceIndex, + 0x00000200 : lambda x: "%#x" % inMetaValues.destinationInterfaceIndex, + 0x00000400 : lambda x: "%#x" % inMetaValues.transportHeaderSize, + 0x00000800 : lambda x: "%#x" % inMetaValues.compartmentId, + 0x00001000 : lambda x: "id: %x offset: %x length: %x" % ( x.fragmentMetadata.fragmentIdentification, x.fragmentMetadata.fragmentOffset, x.fragmentMetadata.fragmentLength ), + 0x00002000 : lambda x: "%#x" % x.pathMtu, + 0x00004000 : lambda x: "%#lx" % x.completionHandle, + 0x00008000 : lambda x: "%#lx" % x.transportEndpointHandle, + 0x00010000 : lambda x: "Data: %#lx, Length: %#x" % ( 
x.controlData, x.controlDataLength ), + 0x00020000 : lambda x: "Zone: %d Level: %d" % ( x.remoteScopeId.Zone, x.remoteScopeId.Level ), + 0x00040000 : lambda x: fwpDirection[ x.packetDirection ], + }.get( valueIndex, lambda x: "" )( inMetaValues ) + + +def wfpMetaValues( addr ): + + dprintln( "FWPS_INCOMING_METADATA_VALUES0:" ) + + fwpsMetadataFields = { + 0x00000001 : "FWPS_METADATA_FIELD_DISCARD_REASON", + 0x00000002 : "FWPS_METADATA_FIELD_FLOW_HANDLE", + 0x00000004 : "FWPS_METADATA_FIELD_IP_HEADER_SIZE", + 0x00000008 : "FWPS_METADATA_FIELD_PROCESS_PATH", + 0x00000010 : "FWPS_METADATA_FIELD_TOKEN", + 0x00000020 : "FWPS_METADATA_FIELD_PROCESS_ID", + 0x00000040 : "FWPS_METADATA_FIELD_SYSTEM_FLAGS", + 0x00000080 : "FWPS_METADATA_FIELD_RESERVED", + 0x00000100 : "FWPS_METADATA_FIELD_SOURCE_INTERFACE_INDEX", + 0x00000200 : "FWPS_METADATA_FIELD_DESTINATION_INTERFACE_INDEX", + 0x00000400 : "FWPS_METADATA_FIELD_TRANSPORT_HEADER_SIZE", + 0x00000800 : "FWPS_METADATA_FIELD_COMPARTMENT_ID", + 0x00001000 : "FWPS_METADATA_FIELD_FRAGMENT_DATA", + 0x00002000 : "FWPS_METADATA_FIELD_PATH_MTU", + 0x00004000 : "FWPS_METADATA_FIELD_COMPLETION_HANDLE", + 0x00008000 : "FWPS_METADATA_FIELD_TRANSPORT_ENDPOINT_HANDLE", + 0x00010000 : "FWPS_METADATA_FIELD_TRANSPORT_CONTROL_DATA", + 0x00020000 : "FWPS_METADATA_FIELD_REMOTE_SCOPE_ID", + 0x00040000 : "FWPS_METADATA_FIELD_PACKET_DIRECTION", + 0x00080000 : "FWPS_METADATA_FIELD_PACKET_SYSTEM_CRITICAL", + 0x00100000 : "FWPS_METADATA_FIELD_FORWARD_LAYER_OUTBOUND_PASS_THRU", + 0x00200000 : "FWPS_METADATA_FIELD_FORWARD_LAYER_INBOUND_PASS_THRU", + 0x00400000 : "FWPS_METADATA_FIELD_ALE_CLASSIFY_REQUIRED", + 0x00800000 : "FWPS_METADATA_FIELD_TRANSPORT_HEADER_INCLUDE_HEADER", + 0x01000000 : "FWPS_METADATA_FIELD_DESTINATION_PREFIX", + 0x02000000 : "FWPS_METADATA_FIELD_ETHER_FRAME_LENGTH", + 0x04000000 : "FWPS_METADATA_FIELD_PARENT_ENDPOINT_HANDLE", + 0x08000000 : "FWPS_METADATA_FIELD_ICMP_ID_AND_SEQUENCE", + 0x10000000 : 
"FWPS_METADATA_FIELD_LOCAL_REDIRECT_TARGET_PID", + 0x20000000 : "FWPS_METADATA_FIELD_ORIGINAL_DESTINATION", + 0x40000000 : "FWPS_METADATA_FIELD_REDIRECT_RECORD_HANDLE", + 0x80000000 : "FWPS_METADATA_FIELD_SUB_PROCESS_TAG" + } + + inMetaValues = typedVar( "FWPS_INCOMING_METADATA_VALUES0_", addr ) + + for i in ( 1 << i for i in range( 0, 32) ): + if inMetaValues.currentMetadataValues & i: + dprint( " " ) + dprint( fwpsMetadataFields.get( i, "Unknown filed %#010x" % i ) + ": " ) + dprint( printFwpsMetaValue( i, inMetaValues ) ) + dprintln("") + + def usage(): dprintln( "Usage:" ) - + dprintln( "!py wfp /fixed addr") + dprintln( "!py wfp /meta addr" ) def main():