10
def getObjNameFromObjHeader( objHeader ):
# Return the name attached to a kernel object header (objHeader is a pykd
# typedVar of nt!_OBJECT_HEADER) by locating its _OBJECT_HEADER_NAME_INFO.
#
# NOTE(review): the bare integers in this listing are the source's gutter
# numbers. They jump (13->15, 15->18, 20->23, ...), so lines were dropped in
# extraction (presumably an `else:` and two early returns) and indentation
# was lost; the block is not runnable as shown. Comments describe only the
# visible lines.
12
# Older header layouts carry an explicit NameInfoOffset field; the name info
# sits that many bytes *before* the header.
if hasattr( objHeader, "NameInfoOffset"):
13
objName = typedVar( "nt!_OBJECT_HEADER_NAME_INFO", objHeader.getAddress() - objHeader.NameInfoOffset )
15
# Otherwise InfoMask is a bitfield of optional sub-headers; this code treats
# the bit with value 2 as "name info present". What happens when it is clear
# (listing 16-17) is not visible here -- presumably an early return.
if (0 == (objHeader.InfoMask & 2)):
18
# nt!ObpInfoMaskToOffset is a byte table indexed by the low two InfoMask
# bits; the entry is the distance from the name info back to the header.
offsetNameInfo = ptrByte( nt.ObpInfoMaskToOffset + (objHeader.InfoMask & 3) )
20
# A zero offset means no name info; the handling lines (listing 21-22) are
# missing from this view.
if (0 == offsetNameInfo):
23
objName = nt.typedVar("_OBJECT_HEADER_NAME_INFO", objHeader.getAddress() - offsetNameInfo)
25
# Name is a UNICODE_STRING in target memory; loadUnicodeString presumably
# reads its Length/Buffer from the (possibly corrupted or crafted) target,
# so callers should expect a pykd memory exception rather than a clean
# string on bad input -- nothing here validates it.
return loadUnicodeString( objName.Name.getAddress() )
28
def getTypeObjectByObjectHeader (objHeader):
# Return the address of the _OBJECT_TYPE for an object header by indexing
# nt!ObTypeIndexTable with the header's TypeIndex.
#
# NOTE(review): gutter numbers jump 28->31, 32->35 and 35->37, so lines
# (presumably the `else:` separating the two index computations) are
# missing and indentation is lost; not runnable as shown.
31
# Builds below 10074 store the plain table index in the header.
if (ptrWord(nt.NtBuildNumber) < 10074):
32
index = objHeader.TypeIndex
35
# Later builds obscure TypeIndex: it is XORed with bits 8..15 of the header
# address and with the byte at nt!ObHeaderCookie. This relies on pykd
# coercing the typedVar itself to its address for `>> 8`;
# `objHeader.getAddress() >> 8` (the form used elsewhere in this file) would
# make that explicit -- TODO confirm the coercion.
index = objHeader.TypeIndex ^ ((objHeader >> 8) & 0xFF) ^ ptrByte(nt.ObHeaderCookie)
37
# No range check on `index`: a corrupted header yields a pointer read from
# outside the table instead of an error.
return ptrPtr( nt.ObTypeIndexTable + ptrSize() * index )
40
def getObjTypeFromObjHeader (objHeader):
# Return the _OBJECT_TYPE address for an object header, covering both the
# old (direct Type pointer) and new (TypeIndex) header layouts.
#
# NOTE(review): gutter numbers jump 40->42 and 42->45, so the body of the
# `if` (presumably `return objHeader.Type`) and its `else:` are missing and
# indentation is lost; not runnable as shown.
42
# Old header layouts have a direct Type field; what this branch returns
# (listing 43-44) is not visible in this view.
if hasattr (objHeader, "Type"):
45
# Newer layouts only carry TypeIndex, so go through the index table.
return getTypeObjectByObjectHeader (objHeader)
50
# NOTE(review): the def line for this run is missing (gutter 45->50) and
# `obj` is not defined in view. Given the call isDirectory(curObj) further
# down, this is presumably the body of isDirectory(obj).
# Walk back from the object body to its _OBJECT_HEADER.
objHeader = containingRecord (obj, "nt!_OBJECT_HEADER", "Body")
51
# True when the object's type object is nt!ObpDirectoryObjectType.
return getObjTypeFromObjHeader (objHeader) == ptrPtr (nt.ObpDirectoryObjectType)
54
def getObjectInDir( dirObj, objName: str ):
# Look up `objName` (a backslash-separated path relative to dirObj, an
# nt!_OBJECT_DIRECTORY typedVar) by walking the directory's hash buckets,
# recursing into sub-directories.
#
# NOTE(review): many gutter numbers are skipped (58->64, 64->66, 67->71,
# 75->78, 81->85, 86->91), so the `else:` for the no-backslash case, the
# bucket-chain loop, the leaf-match return and the final fall-through
# return are all missing from this view and indentation is lost; not
# runnable as shown.
57
# Split off the first path component; the remainder is searched
# recursively. As shown, dirSubName/objSubName are unbound when there is no
# backslash -- the missing listing lines 59-63 presumably assign them.
if objName.find( "\\" ) != -1:
58
( dirSubName, objSubName ) = objName.split("\\", 1)
64
# The directory has 37 hash buckets, hard-coded here; `len(dirObj.HashBuckets)`
# would be safer if pykd exposes it -- TODO confirm.
for i in range( 0, 37 ):
66
if dirObj.HashBuckets[i] != 0:
67
dirEntry = typedVar( "nt!_OBJECT_DIRECTORY_ENTRY", dirObj.HashBuckets[i] )
71
curObj = dirEntry.Object
73
# Recover the header from the object body to read its name.
curObjHeader = containingRecord( curObj, "nt!_OBJECT_HEADER", "Body" )
75
curObjName = getObjNameFromObjHeader( curObjHeader )
78
# Names are compared case-insensitively.
if curObjName.lower() == dirSubName.lower():
80
# Descend into sub-directories. objSubName may be None/unbound for a leaf
# match depending on the missing lines above -- TODO confirm.
if isDirectory(curObj):
81
return getObjectInDir( typedVar( "nt!_OBJECT_DIRECTORY", curObj), objSubName )
85
# Follow the bucket's collision chain. The enclosing loop is not visible;
# NOTE(review): nothing visible bounds the walk, so a corrupted or hostile
# dump with a cyclic ChainLink would spin forever -- a visited set or an
# iteration cap would be prudent. Recursion on nested directories (above) is
# likewise unbounded beyond Python's recursion limit.
if dirEntry.ChainLink != 0:
86
dirEntry = typedVar( "nt!_OBJECT_DIRECTORY_ENTRY", dirEntry.ChainLink )
91
def getObjectByName( objName: str ):
# Resolve an absolute object-manager path (e.g. "\Driver\afd") starting at
# nt!ObpRootDirectoryObject; returns whatever getObjectInDir returns.
#
# NOTE(review): gutter numbers jump 91->96, 96->99 and 99->101, so the
# handling of a non-absolute name (presumably `return None`) is missing
# here and indentation is lost; not runnable as shown.
96
# Only absolute names are accepted. `objName[0]` raises IndexError on an
# empty string; `not objName.startswith("\\")` would cover both cases.
if objName[0] != '\\':
99
rootDir = typedVar( "nt!_OBJECT_DIRECTORY", ptrPtr( nt.ObpRootDirectoryObject ) )
101
# Drop the leading backslash before the directory walk.
return getObjectInDir( rootDir, objName[1:] )
104
def printDrvMajorTable( drvName: str ) -> None:
# Print the resolved symbol for each IRP major-function dispatch entry of
# the driver object \Driver\<drvName>.
#
# NOTE(review): gutter numbers jump 110->113, 113->115, 115->117 and
# 118->123, so the body of the not-found branch (presumably a return) is
# missing and indentation is lost; not runnable as shown.
106
# drvName is spliced into the object path unescaped; since getObjectInDir
# splits on backslashes, a name containing "\" is interpreted as further
# path components. Harmless for the hard-coded callers in this file, worth
# validating if the name ever comes from user input.
objName = "\\Driver\\" + drvName
107
drvObjPtr = getObjectByName( objName )
109
# `is None` is the idiomatic test; `==` would also match any pykd object
# whose __eq__ compares equal to None -- TODO confirm that cannot happen.
if drvObjPtr == None:
110
dprintln( "object not found" )
113
# NOTE(review): the rest of this file writes through dprintln(); a bare
# print() goes to Python's stdout, which under the WinDbg extension may not
# be the debugger console.
print ("%s %x" % (objName, drvObjPtr))
115
drvObj = typedVar( "nt!_DRIVER_OBJECT", drvObjPtr )
117
# Each MajorFunction entry is a dispatch-routine pointer; findSymbol maps it
# to module!symbol. NOTE(review): an entry resolving into a module other
# than the driver itself, or to no symbol at all, is the classic sign of a
# hooked dispatch table, which is what this output helps spot.
for i in range( len(drvObj.MajorFunction) ):
118
dprintln( "MajorFunction[%d] = %s" % ( i, findSymbol( drvObj.MajorFunction[i] ) ) )
123
# NOTE(review): the def line for this run is missing (gutter 118->123) and
# the bodies of the two guard `if`s (listing 126-127 and 130-133, presumably
# returns) are absent; indentation is lost. Given the trailing
# `if __name__ == "__main__":`, this is presumably the body of main().
#
# When not running inside WinDbg, open the crash dump named on the command
# line. sys.argv[1] is read unchecked, so a missing argument raises
# IndexError instead of a usage message.
if not isWindbgExt():
124
# NOTE(review): the dump is untrusted input handed to the debugger engine;
# every target read that follows (object headers, names, dispatch tables)
# trusts its contents, so treat dumps from untrusted hosts accordingly.
if not loadDump( sys.argv[1] ):
125
dprintln( sys.argv[1] + " - load failed" )
128
# The object-manager walk needs a kernel target (nt symbols and memory).
if not isKernelDebugging():
129
dprintln( "not a kernel debugging" )
134
# Dump the dispatch tables of the two drivers of interest.
printDrvMajorTable( "afd" )
135
printDrvMajorTable( "ntfs" )
137
if __name__ == "__main__":