import sys
import re
from pykd import *
fwpsLayer = typeInfo( "FWPS_BUILTIN_LAYERS_" ).asMap()
fwpsDataType = typeInfo( "FWP_DATA_TYPE_" ).asMap()
layerRe = re.compile( 'LAYER' )
discardRe = re.compile( 'DISCARD' )
fwpsFields = {}
for layerId, v in fwpsLayer.items():
if discardRe.search( v ):
continue
try:
fwpsFields[ layerId ] = typeInfo( layerRe.sub( 'FIELDS', v, 1 ) + '_' ).asMap()
except:
pass
def printBlob( blob ):
bb = loadBytes( blob.data, blob.size )
str = "\n"
i = 0
for b in bb:
str += " %02x" % b
i = ( i + 1 ) % 16
if i == 0: str += "\n"
str += "\n"
return str
def printFwpsValue( value ):
return {
"FWP_UINT8" : lambda : "%#x" % value.uint8,
"FWP_UINT16" : lambda : "%#x" % value.uint16,
"FWP_UINT32" : lambda : "%#x" % value.uint32,
"FWP_UINT64" : lambda : "%#x" % value.uint64.deref(),
"FWP_INT8" : lambda : "%#x" % value.int8,
"FWP_INT16" : lambda : "%#x" % value.int16,
"FWP_INT32" : lambda : "%#x" % value.int32,
"FWP_INT64" : lambda : "%#x" % value.int64.deref(),
"FWP_BYTE_BLOB_TYPE" : lambda : printBlob( value.byteBlob.deref() ),
}.get( fwpsDataType[ value.type ], lambda : "---" )()
def wfpFixedValues( addr ):
inFixedValue = typedVar( "FWPS_INCOMING_VALUES0_", addr )
dprintln( " Layer: " + fwpsLayer[ inFixedValue.layerId ] )
dprintln( " Value: %d" % inFixedValue.valueCount )
values = [ x.value for x in typedVarArray( int(inFixedValue.incomingValue), "FWPS_INCOMING_VALUE0_", inFixedValue.valueCount ) ]
for i in range( 0, len(values) ):
dprintln( " " + fwpsFields[ inFixedValue.layerId ][ i ] )
dprintln( " Type: " + fwpsDataType[ values[i].type ] )
dprintln( " Value: " + printFwpsValue( values[i] ) )
def usage():
dprintln( "Usage:" )
def main():
if not isKernelDebugging():
dprintln( "This script is for kernel debugging only" )
if len(sys.argv) < 2:
usage()
return
if sys.argv[1]=="/fixed":
wfpFixedValues( expr(sys.argv[2]) )
return
if sys.argv[1]=="/meta":
wfpMetaValues( expr(sys.argv[2]) )
return
usage()
if __name__ == "__main__":
main()