pykd
from pykd import *
from sys import argv

# Handle to the "nt" module of the debug target. Its symbols provide the
# PsLoadedModuleList head and the list-entry type that getModuleList() walks.
nt = module("nt")

# Type information for the loader entries chained from PsLoadedModuleList.
LDR_DATA_TABLE_ENTRY = nt.type("_LDR_DATA_TABLE_ENTRY")
def getModuleList():
    """Return a pykd ``module`` for every entry linked on PsLoadedModuleList.

    The list is followed through each entry's InLoadOrderLinks.Flink pointer
    and one module object is built from the entry's DllBase.

    Only images that are linked on this list are returned, so callers that
    scan the result never look at an image that is absent from it.
    """
    loaded = []
    entries = typedVarList(
        nt.PsLoadedModuleList, LDR_DATA_TABLE_ENTRY, "InLoadOrderLinks.Flink"
    )
    for entry in entries:
        loaded.append(module(entry.DllBase))
    return loaded
def findTagInModule(mod, tag):
    """Collect every address inside *mod* where the bytes of *tag* occur.

    mod -- object exposing begin(), end() and size() for one loaded image
    tag -- pattern handed unchanged to searchMemory()

    Returns a list of match addresses in ascending search order; the list is
    empty when nothing matches.

    A hit is a raw byte match only: the same four bytes can occur in code or
    data by coincidence, so treat results as candidates to be confirmed.
    """
    # NOTE(review): how searchMemory() behaves on pages that cannot be read
    # is not visible here -- confirm before relying on a complete scan.
    hits = []
    cursor = mod.begin()
    limit = mod.end()
    remaining = mod.size()

    hit = searchMemory(cursor, remaining, tag)
    while hit:
        hits.append(hit)
        # Resume one byte past the hit so overlapping occurrences are kept,
        # and shrink the window so the search never runs past the image end.
        cursor = hit + 1
        remaining = limit - cursor
        hit = searchMemory(cursor, remaining, tag)
    return hits
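def main():
    """Report which loaded modules contain the four-character tag in argv[1].

    The tag is presumably a kernel pool tag (confirm against intended use);
    the code itself only requires that the argument be four characters long.
    For every module with at least one match, the module name and match count
    are printed, followed by one tab-indented address per match. Modules
    without a match produce no output.

    Returns None. Prints a usage hint and returns early when the argument is
    missing or is not four characters long.
    """
    # Every print below is a single-argument call: that form is valid on both
    # Python 2 and Python 3 and emits the same text as the original print
    # statements did on Python 2, which are a SyntaxError on Python 3.
    if len(argv) < 2:
        print("You should note tag's value")
        return

    if len(argv[1]) != 4:
        print("Tag must have 4 symbols length")
        return

    tag = str(argv[1])

    for m in getModuleList():
        matchLst = findTagInModule(m, tag)
        if not matchLst:
            # Nothing to report for this module.
            continue
        print("%s found %d entries" % (m.name(), len(matchLst)))
        for offset in matchLst:
            print("\t" + hex(offset))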
# Run the scan only when this file is executed as a script, not on import.
if __name__ == "__main__":
    main()