pykd
1from pykd import *2import ntobj3import sys4
# pykd module object for the kernel image ("nt"); findHanle reads
# PsActiveProcessHead through it.
nt = module("nt")
7
def findHanle(objaddr):
    """Print every handle value that refers to the object at *objaddr*.

    Walks the list anchored at nt!PsActiveProcessHead (linked through
    _EPROCESS.ActiveProcessLinks) and, for each process that has a
    non-zero ObjectTable, scans the entries returned by
    ntobj.getListByHandleTable for one whose first element equals
    *objaddr*. Output goes to the debugger via dprintln; nothing is
    returned.

    NOTE(review): only processes still linked into ActiveProcessLinks are
    visited. A process that has been unlinked from that list will not be
    searched, so an empty result is not proof that no handle exists.
    """
    eprocess_list = typedVarList(
        nt.PsActiveProcessHead, "nt!_EPROCESS", "ActiveProcessLinks"
    )

    for eprocess in eprocess_list:
        # ImageFileName is iterated as integers; zero padding is dropped.
        banner = "search in process %x " % eprocess.UniqueProcessId
        image_name = "".join(chr(code) for code in eprocess.ImageFileName if code != 0)
        dprintln(banner + image_name)

        handle_table = eprocess.ObjectTable
        if handle_table == 0:
            # No handle table to scan for this process.
            continue

        # Each entry is indexed as [0] (compared to the object address) and
        # [1] (printed as the handle) -- presumably (object, handle) pairs;
        # confirm against ntobj.getListByHandleTable.
        for entry in ntobj.getListByHandleTable(handle_table):
            if entry[0] == objaddr:
                dprintln("\tHandle: %x" % (entry[1],))
24
def usage():
    """Print the expected debugger command line for this script."""
    help_text = "!py findhandle object_address"
    dprintln(help_text)
def main():
    """Entry point: describe the object given on the command line, then list its handles.

    Refuses to run outside a kernel debugging session, prints usage when no
    argument is supplied, and otherwise evaluates the first argument as a
    debugger expression to obtain the object address.
    """
    if not isKernelDebugging():
        dprintln("This script for kernel debugging only")
        return

    args = sys.argv[1:]
    if not args:
        usage()
        return

    # The argument is passed through the debugger's expression evaluator, so
    # it may be a symbol or arithmetic expression rather than a literal.
    objaddr = expr(args[0])

    type_object = ntobj.getType(objaddr)
    type_name = ntobj.getObjectName(type_object)
    object_name = ntobj.getObjectName(objaddr)

    dprintln("Object Type: " + type_name)
    dprintln("Object Name: " + object_name)
    dprintln("")

    findHanle(objaddr)
# Run the search only when executed as a script (the usage text shows the
# "!py" invocation), not when the file is imported.
if __name__ == "__main__":
    main()