diff --git a/snippets/alpc_conn.py b/snippets/alpc_conn.py
new file mode 100644
index 0000000..6701f10
--- /dev/null
+++ b/snippets/alpc_conn.py
@@ -0,0 +1,53 @@
+"""
+Print connection port for ALPC-port
+"""
+
+import sys
+from pykd import *
+import ntobj
+
+def printConnPort(portAddr):
+ """
+ Print connection port by port address
+ """
+ port = typedVar("nt", "_ALPC_PORT", portAddr)
+ if (port != None):
+ portCommInfo = typedVar("nt", "_ALPC_COMMUNICATION_INFO", port.CommunicationInfo)
+ dprintln( dbgCommand("!object %x" % portCommInfo.ConnectionPort) )
+ else:
+ dprintln("Error: query port object by address failed")
+
+def main():
+ """
+ Print connection port for ALPC-port
+ Usage: alpc_server
+ PORT_OBJ_ADDR - address of ALPC-port. If not specified:
+ print all ALPC-ports for current process
+ """
+ argc_ = len(sys.argv)
+ if (1 == argc_):
+ portTypeAddr = getOffset("nt", "AlpcPortObjectType")
+ if (0 != portTypeAddr):
+ objTable = typedVar("nt", "_EPROCESS", getCurrentProcess()).ObjectTable
+ lstAlpcPorts = ntobj.getListByHandleTable(objTable, ptrPtr(portTypeAddr))
+ for port in lstAlpcPorts:
+ dprintln("Port object %x" % port + ", conection port:")
+ printConnPort(port)
+ else:
+ dprintln("Error: symbol nt!AlpcPortObjectType not found")
+ elif (2 == argc_):
+ printConnPort(expr(sys.argv[1]))
+ else:
+ dprintln(main.__doc__)
+
+if __name__ == "__main__":
+ if not isSessionStart():
+ dprintln("Script is launch out of windbg")
+ quit(0)
+
+ if (False == isKernelDebugging()):
+ dprintln("This script only for kernel debugging")
+ quit(0)
+
+ main()
+
diff --git a/snippets/ntobj.py b/snippets/ntobj.py
index 84f12d9..b1b9c76 100644
--- a/snippets/ntobj.py
+++ b/snippets/ntobj.py
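Review bot: The `if (port != None)` guard in printConnPort does not protect the read that can actually fail: `port.CommunicationInfo` is dereferenced unconditionally, so a port whose CommunicationInfo pointer is NULL becomes `typedVar("nt", "_ALPC_COMMUNICATION_INFO", 0)` and the following `.ConnectionPort` access errors out in the debugger instead of reaching the `else` branch; as far as I can tell pykd's typedVar raises on an unreadable address rather than returning None, which would make that `else` unreachable anyway. I would replace the None test with a pointer check, `if port.CommunicationInfo == 0: dprintln("Error: port %x has no CommunicationInfo" % portAddr); return`, and test `portCommInfo.ConnectionPort` for zero the same way before handing it to `!object`, since `!object 0` only produces noise in the walk-all-ports loop of main. If the None check is kept it should read `port is not None`, and the literal "conection port:" printed in main's loop is misspelled.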
@@ -158,13 +158,13 @@ if __name__ == "__main__": # Print all thread and process # - def printObjectTable(pObejctTable, bHeaders): + def printObjectTable(pObjectTable, bHeaders): """ Print content of object table """ - lstObejcts = getListByHandleTable(pObejctTable, bContainHeaders=bHeaders) - dprintln("%u objects:" % len(lstObejcts)) - for obj in lstObejcts: + lstObjects = getListByHandleTable(pObjectTable, bContainHeaders=bHeaders) + dprintln("%u objects:" % len(lstObjects)) + for obj in lstObjects: dprintln("obj: 0x%X" % obj + " type: 0x%X" % getType(obj))