From dbd8df05d6cc53865ec74761b78c598e196eb164 Mon Sep 17 00:00:00 2001
From: "SND\\kernelnet_cp"
 <SND\kernelnet_cp@9b283d60-5439-405e-af05-b73fd8c4d996>
Date: Tue, 27 Mar 2012 15:50:56 +0000
Subject: [PATCH] [0.1.x] added: snippet wfp.py

git-svn-id: https://pykd.svn.codeplex.com/svn@75089 9b283d60-5439-405e-af05-b73fd8c4d996
---
 snippets/wfp.py | 87 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 87 insertions(+)
 create mode 100644 snippets/wfp.py

diff --git a/snippets/wfp.py b/snippets/wfp.py
new file mode 100644
index 0000000..155fe36
--- /dev/null
+++ b/snippets/wfp.py
@@ -0,0 +1,87 @@
+
+import sys
+import re
+
+from pykd import *
+
+fwpsLayer = typeInfo( "FWPS_BUILTIN_LAYERS_" ).asMap()
+fwpsDataType = typeInfo( "FWP_DATA_TYPE_" ).asMap()
+
+layerRe = re.compile( 'LAYER' )
+discardRe = re.compile( 'DISCARD' )
+
+fwpsFields = {}
+
+for layerId, v in fwpsLayer.items():
+    if discardRe.search( v ):
+        continue
+    try:  
+        fwpsFields[ layerId ] = typeInfo( layerRe.sub( 'FIELDS', v, 1 ) + '_' ).asMap()
+    except:
+        pass
+
+def printBlob( blob ):
+    bb = loadBytes( blob.data, blob.size )
+    str = "\n"
+
+    i = 0
+    for b in bb:
+        str += " %02x" % b  
+        i = ( i + 1 ) % 16
+        if i == 0: str += "\n"
+    str += "\n"
+
+    return str
+
+def printFwpsValue( value ):
+    return { 
+        "FWP_UINT8"  : lambda : "%#x" % value.uint8,
+        "FWP_UINT16" : lambda : "%#x" % value.uint16,
+        "FWP_UINT32" : lambda : "%#x" % value.uint32,
+        "FWP_UINT64" : lambda : "%#x" % value.uint64.deref(),
+        "FWP_INT8"   : lambda : "%#x" % value.int8,
+        "FWP_INT16"  : lambda : "%#x" % value.int16,
+        "FWP_INT32"  : lambda : "%#x" % value.int32,
+        "FWP_INT64"  : lambda : "%#x" % value.int64.deref(),
+        "FWP_BYTE_BLOB_TYPE" : lambda : printBlob( value.byteBlob.deref() ),
+
+    }.get( fwpsDataType[ value.type ], lambda : "---" )()
+
+def wfpFixedValues( addr ):
+    inFixedValue = typedVar( "FWPS_INCOMING_VALUES0_", addr )
+
+    dprintln( " Layer: " + fwpsLayer[ inFixedValue.layerId ] )
+    dprintln( " Value: %d" % inFixedValue.valueCount )
+
+    values = [ x.value for x in typedVarArray( int(inFixedValue.incomingValue), "FWPS_INCOMING_VALUE0_", inFixedValue.valueCount ) ]
+
+    for i in range( 0, len(values) ): 
+        dprintln( "    " + fwpsFields[ inFixedValue.layerId ][ i ] )
+        dprintln( "      Type: " + fwpsDataType[ values[i].type ] )
+        dprintln( "      Value: " +  printFwpsValue( values[i] )  )
+
+def usage():
+    dprintln( "Usage:" )
+
+
+def main():
+
+    if not isKernelDebugging():
+        dprintln( "This script is for kernel debugging only" )
+
+    if len(sys.argv) < 2:
+        usage()
+        return 
+
+    if sys.argv[1]=="/fixed":
+        wfpFixedValues( expr(sys.argv[2]) )
+        return
+
+    if sys.argv[1]=="/meta":
+        wfpMetaValues( expr(sys.argv[2]) )
+        return
+
+    usage()    
+              
+if __name__ == "__main__":
+    main()
\ No newline at end of file