from pykd import *
import sys


def loadSymbols():
    """Bind the module-global ``nt`` to the loaded kernel image.

    Every other helper in this file reads kernel symbols (ObpRootDirectoryObject,
    ObTypeIndexTable, ObHeaderCookie, ...) through ``nt``, so this must run once
    after the target is attached and before any object lookup.
    """
    global nt
    kernelImage = module("nt")
    nt = kernelImage


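def getObjNameFromObjHeader( objHeader ):
    """Return the name of the object owned by *objHeader*, or "" when it has none.

    The optional ``_OBJECT_HEADER_NAME_INFO`` block sits *before* the header; how
    far before depends on the header layout:

    - old layout: ``_OBJECT_HEADER.NameInfoOffset`` holds the distance directly;
    - new layout: ``InfoMask`` bit 1 says whether a name block exists and the
      distance is read from the ``nt!ObpInfoMaskToOffset`` table, indexed by the
      bits at or below the name-info bit (``InfoMask & 3``).

    In both layouts a distance of 0 means "no name block", so it is treated as
    unnamed rather than dereferencing the header itself as a name block.

    Args:
        objHeader: typedVar of ``nt!_OBJECT_HEADER``.

    Returns:
        The object name as a str, "" for unnamed objects.
    """
    if hasattr(objHeader, "NameInfoOffset"):
        nameInfoOffset = objHeader.NameInfoOffset
    else:
        # bit 1 of InfoMask: name-info block present at all?
        if 0 == (objHeader.InfoMask & 2):
            return ""
        # table index = InfoMask masked to the name-info bit and the bits below it
        nameInfoOffset = ptrByte(nt.ObpInfoMaskToOffset + (objHeader.InfoMask & 3))

    # zero distance == no name block; the old code only checked this for the new layout
    if 0 == nameInfoOffset:
        return ""

    nameInfo = typedVar("nt!_OBJECT_HEADER_NAME_INFO", objHeader.getAddress() - nameInfoOffset)
    return loadUnicodeString(nameInfo.Name.getAddress())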
    
    
def getTypeObjectByObjectHeader (objHeader):
    """Return the ``_OBJECT_TYPE`` address for *objHeader* via ``nt!ObTypeIndexTable``.

    Mirrors what ``nt!ObGetObjectType`` does: before build 10074 the header's
    ``TypeIndex`` indexes the table directly; from "Windows 10 Technical Preview
    Build 10074" on, the stored index is obfuscated and is unmasked by XOR-ing it
    with ``nt!ObHeaderCookie`` and the second byte of the header address.
    If a newer build misbehaves, re-check this against a disassembly of
    ``nt!ObGetObjectType``.

    Args:
        objHeader: typedVar of ``nt!_OBJECT_HEADER`` (its int value is the header address).

    Returns:
        Address of the type object (the pointer stored in ObTypeIndexTable[index]).
    """
    buildNumber = ptrWord(nt.NtBuildNumber)
    typeIndex = objHeader.TypeIndex
    if buildNumber >= 10074:
        headerAddrByte = (objHeader >> 8) & 0xFF
        typeIndex = typeIndex ^ headerAddrByte ^ ptrByte(nt.ObHeaderCookie)
    return ptrPtr(nt.ObTypeIndexTable + ptrSize() * typeIndex)


def getObjTypeFromObjHeader (objHeader):
    """Return the type object of *objHeader* regardless of header layout.

    Old headers carry a ``Type`` pointer field and it is returned as-is; newer
    headers only carry ``TypeIndex`` and are resolved through
    ``getTypeObjectByObjectHeader``.

    Args:
        objHeader: typedVar of ``nt!_OBJECT_HEADER``.
    """
    hasTypePointer = hasattr(objHeader, "Type")
    if not hasTypePointer:
        return getTypeObjectByObjectHeader(objHeader)
    return objHeader.Type


def isDirectory (obj):
    """Return True when *obj* (an object body address) is an ``nt!_OBJECT_DIRECTORY``.

    The check compares the object's type object with the one stored in
    ``nt!ObpDirectoryObjectType``.
    """
    header = containingRecord(obj, "nt!_OBJECT_HEADER", "Body")
    directoryType = ptrPtr(nt.ObpDirectoryObjectType)
    return getObjTypeFromObjHeader(header) == directoryType


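def getObjectInDir( dirObj, objName ):
    """Look up *objName* relative to *dirObj* and return the object body address.

    Args:
        dirObj: typedVar of ``nt!_OBJECT_DIRECTORY`` to search.
        objName: backslash-separated path relative to *dirObj*, e.g. ``Driver\\afd``.
            The first component is matched case-insensitively against the
            directory's hash chains; the remainder is resolved recursively when
            the matched entry is itself a directory.

    Returns:
        The object body address, or ``None`` when no entry matches, a path
        component is empty, or the path continues below a non-directory object.

    Fixes versus the previous version: a final component that names a directory
    now returns that directory (previously ``objSubName`` was unbound and the
    call raised), a path that continues below a non-directory returns ``None``
    instead of the intermediate object, an empty component no longer matches
    every unnamed object (their name is ""), and a ``ChainLink`` cycle in a
    corrupt or tampered dump terminates instead of spinning forever.
    """
    dirSubName, sep, objSubName = objName.partition("\\")
    if not dirSubName:
        # "" would compare equal to the name of every unnamed object
        return None
    wanted = dirSubName.lower()

    for i in range(len(dirObj.HashBuckets)):
        entryAddr = int(dirObj.HashBuckets[i])
        seen = set()
        while entryAddr != 0:
            # cycle guard: directory memory in a dump is untrusted input
            if entryAddr in seen:
                break
            seen.add(entryAddr)

            dirEntry = typedVar("nt!_OBJECT_DIRECTORY_ENTRY", entryAddr)
            curObj = dirEntry.Object
            curObjHeader = containingRecord(curObj, "nt!_OBJECT_HEADER", "Body")

            if getObjNameFromObjHeader(curObjHeader).lower() == wanted:
                if not sep:
                    # last path component: return whatever matched, directory or not
                    return curObj
                if isDirectory(curObj):
                    return getObjectInDir(typedVar("nt!_OBJECT_DIRECTORY", curObj), objSubName)
                # path continues below something that cannot contain entries
                return None

            entryAddr = int(dirEntry.ChainLink)

    return None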


def getObjectByName( objName ):
    """Resolve an absolute object-manager path (``\\Driver\\afd``) to an object body address.

    Returns ``None`` when the path is empty, does not start with a backslash, or
    is not found under ``nt!ObpRootDirectoryObject``.
    """
    isAbsolutePath = bool(objName) and objName.startswith("\\")
    if not isAbsolutePath:
        return None

    rootDirAddr = ptrPtr(nt.ObpRootDirectoryObject)
    rootDir = typedVar("nt!_OBJECT_DIRECTORY", rootDirAddr)
    relativeName = objName[1:]
    return getObjectInDir(rootDir, relativeName)


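def printDrvMajorTable( drvName ):
    """Print the IRP dispatch table (``MajorFunction[]``) of ``\\Driver\\<drvName>``.

    Every slot is resolved with ``findSymbol``; an entry that does not resolve
    into the driver's own image is the usual sign of a hooked dispatch routine
    and deserves a closer look. Prints "object not found" and returns when the
    driver object is not present in the target.

    Args:
        drvName: driver name as it appears under ``\\Driver`` (e.g. "afd").
    """
    objName = "\\Driver\\" + drvName
    drvObjPtr = getObjectByName(objName)
    if drvObjPtr is None:
        dprintln("object not found")
        return

    # dprintln like the rest of the file, so the header line lands in the debugger output too
    dprintln("%s %x" % (objName, drvObjPtr))

    drvObj = typedVar("nt!_DRIVER_OBJECT", drvObjPtr)
    for i in range(len(drvObj.MajorFunction)):
        dprintln("MajorFunction[%d] = %s" % (i, findSymbol(drvObj.MajorFunction[i])))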


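def run():
    """Attach to a kernel target and dump the dispatch tables of afd and ntfs.

    Inside WinDbg (``isWindbgExt()``) the current session is used; as a
    standalone script the first command-line argument is the kernel dump to
    load. Prints a message and returns when no dump path was given, the dump
    fails to load, or the session is not kernel-mode debugging.
    """
    if not isWindbgExt():
        # standalone mode needs a dump path; indexing sys.argv blindly raised IndexError
        if len(sys.argv) < 2:
            dprintln("usage: drvobj.py <kernel dump path>")
            return
        dumpPath = sys.argv[1]
        if not loadDump(dumpPath):
            dprintln(dumpPath + " - load failed")
            return

    if not isKernelDebugging():
        dprintln("not a kernel debugging")
        return

    # all helpers read kernel symbols through the global 'nt' set here
    loadSymbols()

    for drvName in ("afd", "ntfs"):
        printDrvMajorTable(drvName)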

# Only execute when run as a script (inside WinDbg or standalone with a dump
# path); run() selects the mode via isWindbgExt() and loadDump(sys.argv[1]).
if __name__ == "__main__":
    run()