zjgcjy/pykd
1
0
Fork 0
mirror of https://github.com/ivellioscolin/pykd.git synced 2025-04-20 19:53:22 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

[0.2.x] fixed : phidecheck.py script

Browse Source 
git-svn-id: https://pykd.svn.codeplex.com/svn@81602 9b283d60-5439-405e-af05-b73fd8c4d996
This commit is contained in:
SND\kernelnet_cp 2012-12-03 06:28:25 +00:00 committed by Mikhail I. Izmestev
parent 1e4f7166b8
commit e521125903
1 changed files with 7 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
snippets/phidecheck.py
View File

@ -13,19 +13,19 @@ if __name__ == "__main__":
quit(0)
# build list from PsActiveProcessHead
pActiveProcessList = getOffset("nt", "PsActiveProcessHead")
lstTypedActiveProcesses = typedVarList(pActiveProcessList, "nt", "_EPROCESS", "ActiveProcessLinks")
pActiveProcessList = getOffset("nt!PsActiveProcessHead")
lstTypedActiveProcesses = typedVarList(pActiveProcessList, "nt!_EPROCESS", "ActiveProcessLinks")
lstActiveProcesses = [process.getAddress() for process in lstTypedActiveProcesses]
# build list from PspCidTable
pCidTable = ptrPtr(getOffset("nt", "PspCidTable"))
pProcessType = ptrPtr(getOffset("nt", "PsProcessType"))
pCidTable = ptrPtr(getOffset("nt!PspCidTable"))
pProcessType = ptrPtr(getOffset("nt!PsProcessType"))
lstProcessTable = ntobj.getListByHandleTable(pCidTable, pProcessType, False)
# compare lists and print result
founded = 0
for processFromTable in lstProcessTable:
if (0 == lstActiveProcesses.count(processFromTable)):
dprintln("!process 0x%X removed from PsActiveProcessHead" % processFromTable)
if (0 == lstActiveProcesses.count( addr64(processFromTable[0]) )):
dprintln("!process 0x%X removed from PsActiveProcessHead" % processFromTable[0] )
founded += 1
dprintln("checked %u processes" % len(lstProcessTable) + (", %u hidden" % founded if (0 != founded) else ", hidden not found"))