From e396c27fa94fc717b10869e877b96c87ac011773 Mon Sep 17 00:00:00 2001
From: "SND\\kernelnet_cp"
Date: Mon, 26 Jul 2010 11:38:06 +0000
Subject: [PATCH] idt.py sample added

git-svn-id: https://pykd.svn.codeplex.com/svn@52950 9b283d60-5439-405e-af05-b73fd8c4d996
---
 samples/idt.py | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 69 insertions(+)
 create mode 100644 samples/idt.py

diff --git a/samples/idt.py b/samples/idt.py
new file mode 100644
index 0000000..17d0f3a
--- /dev/null
+++ b/samples/idt.py
@@ -0,0 +1,69 @@
+from pykd import *
+import sys
+
+def checkInterrupt():
+
+
+ if not is64bitSystem():
+
+ dprintln( "check interrupt handlers...\n" )
+
+ idtr = reg( "idtr" )
+
+ nt = loadModule( "nt" )
+ nt.KiInterruptDispatch = getOffset( "nt", "KiInterruptDispatch" )
+ nt.KiChainedDispatch = getOffset( "nt", "KiChainedDispatch" )
+ nt.KiInterruptTemplate = getOffset( "nt", "KiInterruptTemplate" )
+
+ hal = loadModule( "hal" )
+
+ ErrorCount = 0
+
+ for i in range(0,255):
+
+ idtEntry = typedVar( "nt", "_KIDTENTRY", idtr + i*8 )
+
+ if idtEntry.Selector == 8:
+
+ InterruptHandler = ( idtEntry.ExtendedOffset * 0x10000 ) + idtEntry.Offset
+
+ if InterruptHandler != 0 and not nt.contain( InterruptHandler ) and not hal.contain( InterruptHandler ):
+
+ kinterrupt = containingRecord( InterruptHandler, "nt", "_KINTERRUPT", "DispatchCode" )
+
+ dprintln ( "KINTERRUPT: %(1)x" % { "1" : kinterrupt.getAddress() } )
+
+ if addr64( kinterrupt.DispatchAddress ) != nt.KiInterruptDispatch and addr64( kinterrupt.DispatchAddress ) != nt.KiChainedDispatch:
+ dprintln ( "Threat!!! KINTERRUPT::DispatchAddress PATCHED" )
+ ErrorCount += 1
+
+ if findModule( kinterrupt.ServiceRoutine ) == None:
+ dprintln ( "Threat!!! KINTERRUPT::ServiceRoutine (%(1)x) out of any module" % { "1" : kinterrupt.ServiceRoutine } )
+ ErrorCount += 1
+
+ if not compareMemory( nt.KiInterruptTemplate, InterruptHandler, 98 ):
+ dprintln ( "Threat!!! KINTERRUPT::DispatchCode area PATCHED" )
+ ErrorCount += 1
+
+ dprintln ( "" )
+
+ dprintln( "check end: %(1)d threats" % { "1" : ErrorCount } )
+
+ else:
+
+ dprintln( "x64 is not supported" )
+
+
+if __name__ == "__main__":
+
+ if not isSessionStart():
+ createSession()
+ loadDump( sys.argv[1] )
+
+ checkInterrupt()
+
+
+
+
+
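Review bot: `for i in range(0,255):` walks vectors 0–254 only, so the last IDT entry (vector 255) is never inspected; an x86 IDT holds 256 entries, so the loop should be `for i in range(256):`. The comparison `findModule( kinterrupt.ServiceRoutine ) == None` should be `is None`. The literal `98` passed to `compareMemory` is undocumented — hoist it into a named module-level constant with a comment stating which span of KiInterruptTemplate it covers, so a reader can verify it against the target build. Handlers whose address lies inside nt or hal are skipped entirely, which is a coverage limit worth stating in a module docstring. In the `__main__` block, `loadDump( sys.argv[1] )` raises IndexError when no dump path is given; a short usage message before it would help.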