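def getServiceAddrWlh(Start, Offset):
    """Return the routine address for a packed service-table entry.

    The entry is divided by 16, which discards its low four bits, and the
    quotient is added to the table start.

    Args:
        Start: address of the service table.
        Offset: table entry; may be negative, since the caller loads the
            table as signed DWORDs.

    Returns:
        Start plus the floored quotient, always an integer.
    """
    # Floor division keeps the result an integer on Python 3 as well; true
    # division would yield a float there and therefore a wrong address.
    # For negative entries it rounds toward minus infinity, exactly like
    # Python 2's integer "/".
    return Start + (Offset // 16)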
def getServiceAddr2k3(Start, Offset):
    """Return the routine address for a service-table entry (build 3790 form).

    The low four bits of the entry are cleared and the remainder is added
    to the table start.

    Args:
        Start: address of the service table.
        Offset: table entry as loaded from the table.

    Returns:
        Start plus Offset with its low four bits cleared.
    """
    low_bits = 0xf
    masked_offset = Offset & ~low_bits
    return Start + masked_offset
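# Pick the entry decoder by kernel build number: build 3790 uses the masked
# form, every other build the divided form.
if ptrWord( nt.offset("NtBuildNumber")) == 3790:
    getServiceAddr = getServiceAddr2k3
else:
    # Without this branch the assignment below would always run and silently
    # override the build-3790 choice, so every entry on that build would be
    # decoded with the wrong formula.
    getServiceAddr = getServiceAddrWlh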
18
def getSymbolString(addr):
20
return findSymbol(addr)
23
return " !!! 0x%x" % addr
# QWORD variant: the descriptor at nt!KeServiceDescriptorTable is read as four
# QWORDs; element 0 is used as the table start and element 2 as the entry count.
serviceTableHeader = loadQWords(nt.offset("KeServiceDescriptorTable"), 4)
serviceTableStart, serviceCount = serviceTableHeader[0], serviceTableHeader[2]

dprintln("ServiceTable start: %(1)x count: %(2)x"
         % {"1": serviceTableStart, "2": serviceCount})

# NOTE(review): serviceCount comes straight from the target image and is used
# unvalidated as the read length; on a damaged or tampered dump it may be
# arbitrarily large.
serviceTable = loadSignDWords(serviceTableStart, serviceCount)

# Entries are signed DWORDs, not pointers; getServiceAddr converts each one
# to an address relative to the table start before the symbol lookup.
# getSymbolString's " !!! 0x..." form is how an address printed without a
# symbol name shows up in the output.
for i in range(serviceCount):
    routineAddress = getServiceAddr(serviceTableStart, serviceTable[i])
    dprintln("[%u] " % i + getSymbolString(routineAddress))
# DWORD variant: the descriptor at nt!KeServiceDescriptorTable is read as four
# DWORDs; element 0 is used as the table start and element 2 as the entry count.
# NOTE(review): the condition that selects between this and the QWORD variant
# is not visible in this listing.
serviceTableHeader = loadDWords(nt.offset("KeServiceDescriptorTable"), 4)
serviceTableStart, serviceCount = serviceTableHeader[0], serviceTableHeader[2]

dprintln("ServiceTable start: %(1)x count: %(2)x"
         % {"1": serviceTableStart, "2": serviceCount})

# NOTE(review): serviceCount comes straight from the target image and is used
# unvalidated as the read length.
serviceTable = loadPtrs(serviceTableStart, serviceCount)

# Here each entry is loaded as a pointer and passed to the symbol lookup
# as-is; getSymbolString's " !!! 0x..." form is how an address printed
# without a symbol name shows up in the output.
for i in range(serviceCount):
    dprintln("[%u] " % i + getSymbolString(serviceTable[i]))
56
if __name__ == "__main__":
62
if not loadDump( sys.argv[1] ):
63
dprintln( sys.argv[1] + " - load failed" )
66
if not isKernelDebugging():
67
dprintln( "not a kernel debugging" )