from pykd import *
import sys
def loadSymbols():
    """Bind the module-level ``nt`` global to the kernel (nt) module.

    Every other helper in this script reads nt!... symbols through that
    global, so this must run before any object lookup is attempted.
    """
    global nt
    nt = module("nt")
def getObjNameFromObjHeader( objHeader ):
    """Return the name of the object owning *objHeader*, or "" if it has none.

    Two header layouts are handled: a header that exposes ``NameInfoOffset``
    directly, and the ``InfoMask`` layout where the offset of the name-info
    block is read from nt!ObpInfoMaskToOffset. Requires loadSymbols() to have
    set ``nt`` (only needed on the InfoMask path).
    """
    if hasattr(objHeader, "NameInfoOffset"):
        # Direct layout: the name-info block sits NameInfoOffset bytes before
        # the header itself.
        nameInfoAddr = objHeader.getAddress() - objHeader.NameInfoOffset
        nameInfo = typedVar("nt!_OBJECT_HEADER_NAME_INFO", nameInfoAddr)
        return loadUnicodeString(nameInfo.Name.getAddress())

    # InfoMask layout: bit 0x2 says a name-info block is present; the offset
    # table is indexed by the low two bits of the mask.
    if not (objHeader.InfoMask & 2):
        return ""
    nameInfoOffset = ptrByte(nt.ObpInfoMaskToOffset + (objHeader.InfoMask & 3))
    if not nameInfoOffset:
        return ""
    nameInfoAddr = objHeader.getAddress() - nameInfoOffset
    nameInfo = nt.typedVar("_OBJECT_HEADER_NAME_INFO", nameInfoAddr)
    return loadUnicodeString(nameInfo.Name.getAddress())
def getObjTypeFromObjHeader( objHeader ):
    """Return the object-type value for the object owning *objHeader*.

    Headers that carry a ``Type`` field return it as-is; otherwise
    ``TypeIndex`` is used as an index into nt!ObTypeIndexTable. Requires
    loadSymbols() to have set ``nt`` on the TypeIndex path.
    """
    if hasattr(objHeader, "Type"):
        return objHeader.Type
    # NOTE(review): newer kernels encode TypeIndex (it is XORed with
    # nt!ObHeaderCookie and a byte of the header address); this treats it as a
    # raw table index — confirm against the target build before trusting
    # type comparisons made with this value.
    tableSlot = nt.ObTypeIndexTable + ptrSize() * objHeader.TypeIndex
    return ptrPtr(tableSlot)
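def getObjectInDir( dirObj, objName ):
    """Look up a relative, backslash-separated path inside an object directory.

    Args:
        dirObj: nt!_OBJECT_DIRECTORY typed variable to search.
        objName: Path relative to *dirObj*, e.g. "Driver\\afd". The first
            component is matched (case-insensitively) against this directory;
            any remainder is resolved recursively when the match is itself a
            directory object.

    Returns:
        The matched object's body pointer (the ``Object`` field of the
        directory entry), or None when no component matches.
    """
    # objSubName is "" when there is no remainder. The previous version left
    # it unbound in that case and raised UnboundLocalError as soon as the
    # matched entry was a directory (e.g. a lookup of "Driver" alone).
    dirSubName, _, objSubName = objName.partition("\\")
    wanted = dirSubName.lower()
    dirObjType = None  # resolved lazily; only needed once a name matches
    numHashBuckets = 37  # size of _OBJECT_DIRECTORY.HashBuckets (NUMBER_HASH_BUCKETS)

    for i in range(numHashBuckets):
        entryAddr = dirObj.HashBuckets[i]
        # Each bucket is a singly linked chain of _OBJECT_DIRECTORY_ENTRY.
        while entryAddr != 0:
            dirEntry = typedVar("nt!_OBJECT_DIRECTORY_ENTRY", entryAddr)
            objHeader = containingRecord(dirEntry.Object, "nt!_OBJECT_HEADER", "Body")
            # Unnamed objects yield "" and so never match a real component.
            if getObjNameFromObjHeader(objHeader).lower() == wanted:
                if dirObjType is None:
                    dirObjType = ptrPtr(nt.ObpDirectoryObjectType)
                isDirectory = getObjTypeFromObjHeader(objHeader) == dirObjType
                if isDirectory and objSubName:
                    subDir = typedVar("nt!_OBJECT_DIRECTORY", dirEntry.Object)
                    return getObjectInDir(subDir, objSubName)
                # Leaf object, or a directory named by the final component.
                return dirEntry.Object
            entryAddr = dirEntry.ChainLink
    return None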
def getObjectByName( objName ):
    """Resolve an absolute object-manager path such as "\\Driver\\afd".

    Returns the object body pointer, or None when the path is empty, is not
    absolute (does not start with a backslash), or does not resolve. Requires
    loadSymbols() to have set ``nt``.
    """
    if not objName or not objName.startswith("\\"):
        return None
    rootDirAddr = ptrPtr(nt.ObpRootDirectoryObject)
    rootDir = typedVar("nt!_OBJECT_DIRECTORY", rootDirAddr)
    # Drop the leading backslash: getObjectInDir works on relative paths.
    return getObjectInDir(rootDir, objName[1:])
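def printDrvMajorTable( drvName ):
    """Print the IRP dispatch table (MajorFunction[]) of the driver *drvName*.

    Args:
        drvName: Driver object name under \\Driver, e.g. "afd".

    Prints "object not found" and returns when the driver object does not
    resolve. Each entry is printed as the symbol findSymbol() resolves it to;
    when triaging, an entry that does not resolve inside the driver's own
    image is worth a closer look, since this table is a common place to find
    dispatch hooking.
    """
    drvObjPtr = getObjectByName("\\Driver\\" + drvName)
    # `is None` rather than `== None`: the not-found result is the None
    # sentinel, and `==` on a found (typed pointer) value would go through
    # that object's own equality instead of an identity test.
    if drvObjPtr is None:
        dprintln("object not found")
        return

    drvObj = typedVar("nt!_DRIVER_OBJECT", drvObjPtr)
    # Index-based loop: len() and [] are the operations the typed array is
    # known to support here.
    for i in range(len(drvObj.MajorFunction)):
        dprintln("MajorFunction[%d] = %s" % (i, findSymbol(drvObj.MajorFunction[i])))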
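def run( drvName="afd" ):
    """Attach to a target and print the dispatch table of one driver.

    Args:
        drvName: Driver object name under \\Driver. Defaults to "afd",
            matching the previous hard-coded behaviour.

    When not running inside WinDbg, ``sys.argv[1]`` must name a dump file to
    load; a missing argument or a failed load prints a message and returns.
    The target must be a kernel-mode session.
    """
    if not isWindbgExt():
        # Guard the argv access: the previous version raised IndexError when
        # the script was started without a dump path.
        if len(sys.argv) < 2:
            dprintln("usage: <dump file>")
            return
        dumpPath = sys.argv[1]
        if not loadDump(dumpPath):
            dprintln(dumpPath + " - load failed")
            return

    if not isKernelDebugging():
        dprintln("not a kernel debugging")
        return

    loadSymbols()
    printDrvMajorTable(drvName)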
if __name__ == "__main__":
    # Script entry point; see run() for the expected command-line arguments.
    run()