[0.1.x] ~fix scripts

git-svn-id: https://pykd.svn.codeplex.com/svn@76558 9b283d60-5439-405e-af05-b73fd8c4d996
SND\EreTIk_cp 2012-05-23 09:00:42 +00:00 committed by Mikhail I. Izmestev
parent 580e4837d5
commit c36cf59e41
2 changed files with 13 additions and 13 deletions


@ -10,9 +10,9 @@ def printConnPort(portAddr):
""" """
Print connection port by port address Print connection port by port address
""" """
port = typedVar("nt", "_ALPC_PORT", portAddr) port = typedVar("nt!_ALPC_PORT", portAddr)
if (port != None): if (port != None):
portCommInfo = typedVar("nt", "_ALPC_COMMUNICATION_INFO", port.CommunicationInfo) portCommInfo = typedVar("nt!_ALPC_COMMUNICATION_INFO", port.CommunicationInfo)
dprintln( dbgCommand("!object %x" % portCommInfo.ConnectionPort) ) dprintln( dbgCommand("!object %x" % portCommInfo.ConnectionPort) )
else: else:
dprintln("Error: query port object by address failed") dprintln("Error: query port object by address failed")
@ -28,7 +28,7 @@ def main():
if (1 == argc_): if (1 == argc_):
portTypeAddr = getOffset("nt", "AlpcPortObjectType") portTypeAddr = getOffset("nt", "AlpcPortObjectType")
if (0 != portTypeAddr): if (0 != portTypeAddr):
objTable = typedVar("nt", "_EPROCESS", getCurrentProcess()).ObjectTable objTable = typedVar("nt!_EPROCESS", getCurrentProcess()).ObjectTable
lstAlpcPorts = ntobj.getListByHandleTable(objTable, ptrPtr(portTypeAddr)) lstAlpcPorts = ntobj.getListByHandleTable(objTable, ptrPtr(portTypeAddr))
for port in lstAlpcPorts: for port in lstAlpcPorts:
dprintln("Port object %x" % port + ", conection port:") dprintln("Port object %x" % port + ", conection port:")
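Review bot: The `getOffset("nt", "AlpcPortObjectType")` call in `main()` is printed unchanged in the split module/symbol form, while every `typedVar` call touched here moves to a single `"nt!Name"` string and the second file's `NtBuildNumber` lookup becomes `getOffset("nt!NtBuildNumber")`. If the 0.1.x API dropped the two-argument form for `getOffset` as it apparently did for `typedVar`, this line would fail before any port is listed; `portTypeAddr = getOffset("nt!AlpcPortObjectType")` would match the rest of the change. The same leftover shows in the second file at `getOffset("nt", "ObpInfoMaskToOffset")` and `containingRecord(p, "nt", "_OBJECT_HEADER", "Body")`, which should be checked against the 0.1.x signatures. Both `printConnPort` and `main` continue outside the hunks shown.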


@ -47,7 +47,7 @@ def getTypeLegacy(p):
# Select platform-specific function for getting object header # Select platform-specific function for getting object header
# Select key body type: nt!CmpKeyObjectType or nt!CmKeyObjectType # Select key body type: nt!CmpKeyObjectType or nt!CmKeyObjectType
if (ptrWord(getOffset("nt", "NtBuildNumber")) >= 7600): if (ptrWord(getOffset("nt!NtBuildNumber")) >= 7600):
getType = getTypeWin7 getType = getTypeWin7
# _kcbObjectType = expr("poi(nt!CmKeyObjectType)") # _kcbObjectType = expr("poi(nt!CmKeyObjectType)")
else: else:
@ -62,7 +62,7 @@ def getObjectNameInfoFromHeader(p):
objHeader = containingRecord(p, "nt", "_OBJECT_HEADER", "Body") objHeader = containingRecord(p, "nt", "_OBJECT_HEADER", "Body")
if (0 == objHeader.NameInfoOffset): if (0 == objHeader.NameInfoOffset):
return None return None
return typedVar("nt", "_OBJECT_HEADER_NAME_INFO", objHeader.getAddress() - objHeader.NameInfoOffset) return typedVar("nt!_OBJECT_HEADER_NAME_INFO", objHeader.getAddress() - objHeader.NameInfoOffset)
def getObjectNameInfoFromInfoMask(p): def getObjectNameInfoFromInfoMask(p):
""" """
@ -74,13 +74,13 @@ def getObjectNameInfoFromInfoMask(p):
offsetNameInfo = ptrByte( getOffset("nt", "ObpInfoMaskToOffset") + (objHeader.InfoMask & 3) ) offsetNameInfo = ptrByte( getOffset("nt", "ObpInfoMaskToOffset") + (objHeader.InfoMask & 3) )
if (0 == offsetNameInfo): if (0 == offsetNameInfo):
return None return None
return typedVar("nt", "_OBJECT_HEADER_NAME_INFO", objHeader.getAddress() - offsetNameInfo) return typedVar("nt!_OBJECT_HEADER_NAME_INFO", objHeader.getAddress() - offsetNameInfo)
# Select platform-specific function for getting name of object # Select platform-specific function for getting name of object
getObjectNameInfo = None getObjectNameInfo = None
try: try:
typeInfo("nt", "_OBJECT_HEADER").NameInfoOffset typeInfo("nt!_OBJECT_HEADER").NameInfoOffset
getObjectNameInfo = getObjectNameInfoFromHeader getObjectNameInfo = getObjectNameInfoFromHeader
except TypeException: except TypeException:
getObjectNameInfo = getObjectNameInfoFromInfoMask getObjectNameInfo = getObjectNameInfoFromInfoMask
@ -150,7 +150,7 @@ def getListByHandleTable(tableHandles=None, objTypeAddr=0, containHeaders=True):
if (0 == entryHandle): if (0 == entryHandle):
return 0 return 0
HandleEntry = typedVar("nt", "_HANDLE_TABLE_ENTRY", entryHandle) HandleEntry = typedVar("nt!_HANDLE_TABLE_ENTRY", entryHandle)
if (0xFFFFFFFE == HandleEntry.NextFreeTableEntry): if (0xFFFFFFFE == HandleEntry.NextFreeTableEntry):
return 0 return 0
@ -159,7 +159,7 @@ def getListByHandleTable(tableHandles=None, objTypeAddr=0, containHeaders=True):
return 0 return 0
if (containHeader): if (containHeader):
objHeader = typedVar("nt", "_OBJECT_HEADER", p) objHeader = typedVar("nt!_OBJECT_HEADER", p)
p = objHeader.Body.getAddress() p = objHeader.Body.getAddress()
return p return p
@ -210,13 +210,13 @@ def getListByHandleTable(tableHandles=None, objTypeAddr=0, containHeaders=True):
return lstObjects return lstObjects
if (None == tableHandles): if (None == tableHandles):
currProcess = typedVar("nt", "_EPROCESS", getCurrentProcess()) currProcess = typedVar("nt!_EPROCESS", getCurrentProcess())
if (None == currProcess): if (None == currProcess):
dprintln("Get current process failed") dprintln("Get current process failed")
return return
tableHandles = currProcess.ObjectTable tableHandles = currProcess.ObjectTable
tableHandles = typedVar("nt", "_HANDLE_TABLE", tableHandles) tableHandles = typedVar("nt!_HANDLE_TABLE", tableHandles)
nMaxHandleIndex = tableHandles.NextHandleNeedingPool & 0xFFFFFFFF nMaxHandleIndex = tableHandles.NextHandleNeedingPool & 0xFFFFFFFF
nTableLevel = (tableHandles.TableCode & 3) nTableLevel = (tableHandles.TableCode & 3)
pTableContent = tableHandles.TableCode - nTableLevel pTableContent = tableHandles.TableCode - nTableLevel
@ -249,7 +249,7 @@ def getListByDirectoryObject(p, objTypeAddr=0):
for i in range(0, NUMBER_HASH_BUCKETS): for i in range(0, NUMBER_HASH_BUCKETS):
bucket = ptrPtr( p + (i * ptrSize()) ) bucket = ptrPtr( p + (i * ptrSize()) )
while bucket: while bucket:
bucketVar = typedVar("nt", "_OBJECT_DIRECTORY_ENTRY", bucket) bucketVar = typedVar("nt!_OBJECT_DIRECTORY_ENTRY", bucket)
if objTypeAddr and (getType(bucketVar.Object) == objTypeAddr): if objTypeAddr and (getType(bucketVar.Object) == objTypeAddr):
result.append(bucketVar.Object) result.append(bucketVar.Object)
elif (not objTypeAddr): elif (not objTypeAddr):
@ -410,7 +410,7 @@ def main():
objectName = buildObjectName(object) objectName = buildObjectName(object)
if len(objectName): if len(objectName):
dprintln( ", name=`" + objectName + "'" ) dprintln( ", name=`" + objectName + "'" )
elif typedVar("nt", "_OBJECT_TYPE", getType(object)).TypeInfo.QueryNameProcedure: elif typedVar("nt!_OBJECT_TYPE", getType(object)).TypeInfo.QueryNameProcedure:
dprintln(", <i>custom</i> name", True) dprintln(", <i>custom</i> name", True)
else: else:
dprintln(" , <_unnamed_>") dprintln(" , <_unnamed_>")
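Review bot: The bare `return` after `dprintln("Get current process failed")` in `getListByHandleTable` appears to hand the caller `None`, although the function otherwise seems to produce a list. A caller that relies on the default table and loops over the result, the way the ALPC script loops with `for port in lstAlpcPorts:`, would then hit a `TypeError` instead of an empty listing; `return []` keeps the message and lets the loop run zero times. The adjacent checks `if (None == tableHandles):` and `if (None == currProcess):` would be safer as `is None`, because `==` on a typed-variable wrapper may go through an overloaded comparison that is not visible here. The function's body starts and ends outside this hunk.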