from pykd import * from sys import argv nt = module("nt") LDR_DATA_TABLE_ENTRY = nt.type("_LDR_DATA_TABLE_ENTRY") def getModuleList(): ldrLst = typedVarList( nt.PsLoadedModuleList, LDR_DATA_TABLE_ENTRY, "InLoadOrderLinks.Flink") return [ module(m.DllBase) for m in ldrLst ] def findTagInModule(mod, tag): matchLst = [] begin = mod.begin() end = mod.end() offset = begin size = mod.size() while True: match = searchMemory( offset, size, tag ) if not match: break; matchLst.append(match) offset = match + 1 size = end - offset return matchLst def main(): if len(argv) < 2: print "You should note tag's value" return if len(argv[1])!=4: print "Tag must have 4 symbols length" return tag = str(argv[1]) modLst = getModuleList() for m in modLst: matchLst = findTagInModule( m, tag ) if len(matchLst) == 0: #print m.name(), "tag not found" pass else: print m.name(), "found", len(matchLst), "entries" for offset in matchLst: print "\t", hex(offset) if __name__=="__main__": main()