本文整理汇总了Python中pykd.dbgCommand函数的典型用法代码示例。如果您正苦于以下问题:Python dbgCommand函数的具体用法?Python dbgCommand怎么用?Python dbgCommand使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了dbgCommand函数的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: inspectKernelTimer
def inspectKernelTimer():
    """Walk the kernel timer list (``!timer``) and report every DPC routine.

    After a symbol reload, every entry after the ``List Timer`` header that
    carries a ``(DPC @ <addr>)`` field is examined: a DPC object at or below
    ``mmhighestuseraddress`` is printed with a ``!!!!!!!!`` marker (a kernel
    timer pointing into user space is suspicious), anything else is printed
    with the resolved symbol of its ``DeferredRoutine``. Output goes to
    stdout; any exception is printed as a traceback and swallowed. Uses the
    module globals ``pykd``, ``traceback`` and ``mmhighestuseraddress``.
    """
    try:
        pykd.dbgCommand('.reload;')
        timer_lines = pykd.dbgCommand(r'!timer').splitlines()
        in_list = False
        count = 0
        marker = '(DPC @ '
        for raw in timer_lines:
            line = raw.strip()
            # Everything before the 'List Timer' header is preamble.
            if line.startswith('List Timer'):
                in_list = True
                continue
            if not in_list:
                continue
            begin = line.find(marker)
            if begin == -1:
                continue
            end = line.find(')', begin)
            dpc = pykd.addr64(int(line[begin + len(marker):end], 16))
            if dpc <= int(mmhighestuseraddress):
                print('%s !!!!!!!!' % line)
            else:
                dpcobj = pykd.typedVar('nt!_KDPC', dpc)
                routine = dpcobj.DeferredRoutine
                symbolname = pykd.findSymbol(routine)
                print('%d dpc:%x timerfunc:%x %s' % (count, int(dpc), int(routine), symbolname))
            # NOTE(review): the page lost the original indentation; the counter
            # is taken to advance once per DPC entry — confirm against the source.
            count += 1
    except Exception:
        print(traceback.format_exc())
示例2: inspectInlineHook
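def inspectInlineHook(modulepath, modulebase):
    """Compare the executable sections of an on-disk image with its in-memory copy.

    Extends the symbol path with the drivers directory and the module's own
    directory, reloads symbols, then runs ``!chkimg -v -d`` (no ``-f``, so
    nothing is repaired) over every executable, non-discardable section of
    the PE file at ``modulepath`` mapped at ``modulebase``. Output lines
    containing ``[`` are printed as the hook list, otherwise ``no hooks``.

    :param modulepath: path of the image file on this machine.
    :param modulebase: load address of the image in the target.
    Output goes to stdout; exceptions are printed as tracebacks and swallowed
    (a file that is not a PE aborts the scan). Uses the module globals
    ``g_system32dir``, ``g_sympath``, ``g_kernelpath``, ``add_symbolpath``,
    ``pefile``, ``pykd`` and ``traceback``.
    """
    try:
        print('%s %s %s' % ('=' * 10, 'scan inlinehook in %s' % modulepath, '=' * 10))
        driversdir = os.path.join(g_system32dir, 'drivers')
        symbolpath = add_symbolpath(g_sympath, driversdir)
        symbolpath = add_symbolpath(symbolpath, os.path.dirname(modulepath))
        pykd.dbgCommand('.sympath %s' % symbolpath)
        pykd.dbgCommand('.reload;')
        # Release the file handle as soon as the bytes are read; the original
        # left an open file to the garbage collector.
        with open(modulepath, 'rb') as fh:
            filedata = fh.read()
        pe = pefile.PE(data=filedata, fast_load=True)
        if pe.DOS_HEADER.e_magic != 0x5A4D or pe.NT_HEADERS.Signature != 0x4550:
            raise Exception("%s is not a pe file" % modulepath)
        is_kernel = modulepath.lower() == g_kernelpath.lower()
        for section in pe.sections:
            try:
                flags = section.Characteristics
                if pefile.SECTION_CHARACTERISTICS['IMAGE_SCN_MEM_DISCARDABLE'] & flags:
                    # Discardable sections are not expected to match memory.
                    continue
                if not (pefile.SECTION_CHARACTERISTICS['IMAGE_SCN_MEM_EXECUTE'] & flags):
                    continue
                comparesize = section.Misc_VirtualSize
                fileoffsetstart = section.PointerToRawData
                fileoffsetend = fileoffsetstart + comparesize
                memoffsetstart = modulebase + section.VirtualAddress
                memoffsetend = memoffsetstart + comparesize
                print('-' * 10)
                print('%s :%x-%x <--> %x-%x size:%d' % (section.Name, fileoffsetstart, fileoffsetend, memoffsetstart, memoffsetend, comparesize))
                if is_kernel:
                    name = 'nt'
                else:
                    name = os.path.splitext(os.path.basename(modulepath))[0]
                cmdline = '!chkimg %s -r %x %x -v -d' % (name, memoffsetstart, memoffsetend)
                r = pykd.dbgCommand(cmdline)
                if r.find('[') != -1:
                    print('!!!!hooklist')
                    # Distinct loop variable: the original reused the section
                    # loop's name here.
                    for hookline in r.splitlines():
                        print(hookline)
                else:
                    print('no hooks')
            except Exception:
                print(traceback.format_exc())
    except Exception:
        print(traceback.format_exc())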
示例3: listModuleByVadRoot
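def listModuleByVadRoot(eprocessaddr):
    """Enumerate executable mapped images of a process by walking its VAD tree.

    Switches the debugger context to ``eprocessaddr`` (``.process /P``),
    reads ``nt!_EPROCESS.VadRoot`` and parses ``!vad`` output lines that
    contain ``Exe EXECUTE_``: the two hexadecimal fields after the closing
    parenthesis are the start/end page numbers (scaled by 0x1000 here) and
    the text after ``EXECUTE_<type>`` is the file path.

    :param eprocessaddr: address of the target ``_EPROCESS``.
    :return: list of ``ModuleInfo`` objects, possibly empty. The original
        built the list but fell off the end without returning it (callers
        saw ``None``); it is now returned. On an exception the traceback is
        printed and whatever was collected so far is returned.
    Uses the module globals ``pykd``, ``ModuleInfo`` and ``traceback``.
    """
    modulelist = []
    try:
        pykd.dbgCommand(".process /P %x;.reload;" % eprocessaddr)
        eprocess = pykd.typedVar("nt!_EPROCESS", eprocessaddr)
        vadroot = int(eprocess.VadRoot)
        if not vadroot:
            return []
        for raw in pykd.dbgCommand("!vad %x" % vadroot).splitlines():
            line = raw.strip()
            pos = line.find("Exe EXECUTE_")
            if pos == -1:
                continue
            rest = line[pos + len("Exe "):]
            pos = rest.find(" ")
            if pos == -1:
                continue
            filepath = rest[pos + 1:].strip()
            # The page range follows the closing parenthesis of the node.
            pos = line.find(")")
            if pos == -1:
                continue
            rest = line[pos + 1:].lstrip()
            pos = rest.find(" ")
            if pos == -1:
                continue
            baseaddr = int(rest[:pos].strip(), 16) * 0x1000
            rest = rest[pos + 1:].lstrip()
            pos = rest.find(" ")
            if pos == -1:
                continue
            endaddr = int(rest[:pos].strip(), 16) * 0x1000
            info = ModuleInfo()
            if info.init2(baseaddr=baseaddr, endaddr=endaddr, filepath=filepath):
                modulelist.append(info)
    except Exception:
        print(traceback.format_exc())
    return modulelist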
示例4: inspectProcessInlineHook
def inspectProcessInlineHook(eprocessaddr=None):
    """Scan the user-mode modules of one process (or every process) for inline hooks.

    With ``eprocessaddr`` only that ``_EPROCESS`` is inspected; otherwise the
    list comes from ``listProcessByPsActiveProcessHead``. For each process
    the VAD-mapped executables are enumerated, the debugger context is
    switched to the process and ``inspectInlineHook`` runs on every module
    whose image file exists on this machine. Progress is printed to stdout.
    Uses the module globals ``pykd``, ``ProcessInfo``,
    ``listProcessByPsActiveProcessHead``, ``listModuleByVadRoot`` and
    ``inspectInlineHook``.
    """
    if eprocessaddr:
        candidate = ProcessInfo()
        if not candidate.init(pykd.typedVar('nt!_EPROCESS', eprocessaddr)):
            print('it is not a eprocess')
            return
        processlist = [candidate]
    else:
        processlist = listProcessByPsActiveProcessHead()
        if not processlist:
            print('can not get process list')
            return
    banner = '=' * 10
    for proc in processlist:
        header = 'process:%x pid:%d %s' % (proc.eprocessaddr, proc.pid, proc.filepath)
        print('%s %s %s' % (banner, header, banner))
        modulelist = listModuleByVadRoot(proc.eprocessaddr)
        if not modulelist:
            print('the process has no modules(vadroot is null)')
            continue
        # Switch context so the module's memory is readable for !chkimg.
        pykd.dbgCommand('.process /P %x' % proc.eprocessaddr)
        for module in modulelist:
            if not os.path.exists(module.filepath):
                print("can't find file:%s" % module.filepath)
                continue
            inspectInlineHook(module.filepath, module.baseaddr)
        # NOTE(review): indentation was lost on this page; one blank line per
        # process and one before the final message is the assumed layout.
        print('')
    print('')
    print('inspect completely')
示例5: listObjectCallback
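def listObjectCallback():
    """List the procedure callbacks of every object type.

    Parses ``!object \\objecttypes`` after the ``----`` separator for lines of
    the form ``<addr> Type <name>``, then prints every member of the type's
    ``nt!_OBJECT_TYPE_INITIALIZER`` whose name ends in ``Procedure`` together
    with its resolved symbol, so a procedure outside a known module stands
    out. Output goes to stdout; exceptions are printed as a traceback.
    Uses the module globals ``pykd`` and ``traceback``.
    """
    try:
        output = pykd.dbgCommand('!object \objecttypes')
        featurestr = '----\n'
        pos = output.find(featurestr)
        if pos == -1:
            return
        for line in output[pos + len(featurestr):].splitlines():
            # The original tested ``line.find('Type')``, which is truthy for
            # -1 (not found) and falsy when 'Type' is at column 0; a line
            # without the separator then failed the unpack below and aborted
            # the whole listing.
            if ' Type ' not in line:
                continue
            addrfield, name = line.split(' Type ', 1)
            pos = addrfield.rfind(' ')
            if pos == -1:
                return
            name = name.strip()
            typeobjectaddr = int(addrfield[pos + 1:], 16)
            print('-' * 20)
            print('typeobject "%s":%x' % (name, typeobjectaddr))
            typeobject = pykd.typedVar('nt!_OBJECT_TYPE', typeobjectaddr)
            typeinfo = pykd.typedVar('nt!_OBJECT_TYPE_INITIALIZER', typeobject.TypeInfo)
            for membername, membervalue in typeinfo:
                if not membername.endswith('Procedure'):
                    continue
                funcaddr = int(membervalue)
                symbolname = pykd.findSymbol(funcaddr) if funcaddr else ''
                print('%s %x %s' % (membername, funcaddr, symbolname))
    except Exception:
        print(traceback.format_exc())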
示例6: onException
def onException(self, exceptionInfo):
    """Exception event handler: record the exceptions we are interested in.

    Logs every exception with its code and eip. Codes present in the
    module-level ``interesting_exception_codes`` mark the target as crashed,
    fill its report (error code, last event, ``k`` stack) and break in; the
    module-level ``break_in_exception_code`` only breaks in. Anything else
    is left to the debugger.

    :param exceptionInfo: pykd exception information (``exceptionCode`` is read).
    :return: ``pykd.eventResult.Break`` or ``pykd.eventResult.NoChange``.
    """
    eip = pykd.reg('eip')
    last_exception = str(pykd.getLastException())
    exc_code = exceptionInfo.exceptionCode
    target = self._target
    target.logger.info("Got Exception Code: %s at eip:%s" % (hex(exc_code), hex(eip)))
    if exc_code in interesting_exception_codes:
        description = "%s:%s" % (hex(exc_code), interesting_exception_codes[exc_code])
        target.is_crash.set()
        # Hold the dump-finished flag low until the report is complete.
        target.crash_dump_finished.clear()
        target.report.failed("Got Exception Code: %s at eip:%s" % (description, hex(eip)))
        target.report.add("Error Code", description)
        target.report.add("Last Event", "%s" % last_exception)
        target.report.add("Stacks", str(pykd.dbgCommand("k")))
        target.crash_dump_finished.set()
        return pykd.eventResult.Break
    if exc_code == break_in_exception_code:
        target.logger.info("Break in at eip:%s" % hex(eip))
        return pykd.eventResult.Break
    return pykd.eventResult.NoChange
示例7: crawl_object_by_directory
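def crawl_object_by_directory(callback, param, dirname='\\'):
    """Recursively walk the object-manager namespace starting at ``dirname``.

    Runs ``!object <dirname>``, skips everything up to the ``--`` separator
    and calls ``callback(objaddr, typename, param)`` for each entry; entries
    of type ``Directory`` are descended into. Lines with fewer than three
    fields (e.g. a trailing blank line) are now skipped instead of raising
    ``IndexError`` as the original did.

    :param callback: ``callback(obj, type, param) -> bool``; a falsy return
        stops the crawl.
    :param param: opaque value passed through to ``callback``.
    :param dirname: directory path ending with a backslash.
    :return: False if the callback stopped the crawl, True otherwise.
    """
    listing = pykd.dbgCommand('!object ' + dirname).splitlines()
    in_entries = False
    for raw in listing:
        line = raw.lstrip()
        if line.startswith('--'):
            in_entries = True
            continue
        if not in_entries:
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        # With more than three fields the first one is skipped; the three
        # used are (object address, type name, object name).
        if len(fields) > 3:
            objaddr, typename, name = fields[1:4]
        else:
            objaddr, typename, name = fields[:3]
        if not callback(objaddr, typename, param):
            return False
        if typename == 'Directory':
            if not crawl_object_by_directory(callback, param, dirname + name + '\\'):
                return False
    return True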
示例8: listModuleByLdrHash
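def listModuleByLdrHash(eprocessaddr):
    """Enumerate a process's loaded modules via ``ntdll!LdrpHashTable``.

    Switches the debugger context to ``eprocessaddr``, then walks the 26
    circular ``HashLinks`` lists (list heads are ``2 * g_mwordsize`` apart)
    by following the first pointer of each entry, and wraps every
    ``_LDR_DATA_TABLE_ENTRY`` in a ``ModuleInfo``.

    :param eprocessaddr: address of the target ``_EPROCESS``.
    :return: dict mapping LDR entry address -> ``ModuleInfo`` (empty when
        the table address is 0 or nothing was found); ``[]`` when the
        ``LdrpHashTable`` symbol cannot be resolved. The original built the
        dict but never returned it; it is now returned, and on any other
        error the traceback is printed and the partial result is returned.
    Uses the module globals ``pykd``, ``ModuleInfo``, ``g_mwordsize`` and
    ``traceback``.
    """
    modulelist = {}
    try:
        pykd.dbgCommand(".process /P %x;.reload;" % eprocessaddr)
        try:
            hashtable = pykd.getOffset("ntdll!LdrpHashTable")
        except Exception:
            # Narrowed from a bare except so KeyboardInterrupt still propagates.
            print("get LdrpHashTable symbol fail, maybe ldr is null")
            return []
        if int(hashtable) == 0:
            return modulelist
        for bucket in range(26):
            listhead = hashtable + bucket * 2 * g_mwordsize
            hashlink = pykd.ptrPtr(listhead)
            # The list is circular: stop when the link wraps back to its head.
            while hashlink != listhead:
                ldr = pykd.containingRecord(hashlink, "nt!_LDR_DATA_TABLE_ENTRY", "HashLinks")
                key = int(ldr)
                if key not in modulelist:
                    info = ModuleInfo()
                    if info.init1(ldr):
                        modulelist[key] = info
                hashlink = pykd.ptrPtr(hashlink)
    except Exception:
        print(traceback.format_exc())
    return modulelist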
示例9: listReg
def listReg(regpath=r'System\CurrentControlSet\Services\Tcpip!*'):
    """Print the registry keys and values under ``regpath`` using ``!dreg``.

    The default path lists the Tcpip service key (the raw-string form yields
    exactly the same characters as the original literal). Errors are printed
    rather than raised.
    """
    try:
        for line in pykd.dbgCommand('!dreg %s' % regpath).splitlines():
            print(line)
    except Exception as err:
        print(err)
示例10: get_address
def get_address(localAddr):
    """Resolve a symbol expression with ``x`` and return its address text.

    :param localAddr: symbol expression passed to ``x``.
    :return: the first whitespace-separated token of the ``x`` output, or
        None when the output contains no line break. A warning is printed
        when more than one line came back, but the first token is still
        returned.
    """
    output = pykd.dbgCommand("x " + localAddr)
    hits = output.count("\n")
    if not hits:
        print(localAddr + " not found.")
        return None
    if hits > 1:
        print("[-] Warning, more than one result for %s" % localAddr)
    return output.split()[0]
示例11: main
def main():
    """
    injectfind searches process memory for potentially injected code

    Every private executable region of the current process is dumped
    (``db`` and ``u``). A first page that is almost all zero bytes followed
    by a dense second page is reported as a possibly stripped PE header and
    the dump is taken from the second page instead; a region whose first
    page ``utils.is_legit_pe`` accepts is reported and shown without
    disassembly. Uses the module globals ``flaredbg``, ``utils`` and ``pykd``.
    """
    process = flaredbg.get_process_obj()
    found = False
    for mbi in process.get_memory_map():
        # Only private executable regions; image-backed code is expected.
        if not (mbi.is_executable() and mbi.is_private()):
            continue
        base_addr = mbi.BaseAddress
        size = mbi.RegionSize
        print('-' * 0x40)
        print("Path: %s Pid: %s Region: 0x%x - 0x%x Length: 0x%x" % (process.get_image_name(), process.get_pid(), base_addr, (base_addr + size - 1), size))
        dump = pykd.dbgCommand('db %x' % base_addr)
        disasm = pykd.dbgCommand('u %x' % base_addr)
        mem_bytes = process.read(base_addr, size)
        first_page = mem_bytes[:0x1000]
        if first_page.count('\0') > 0xfe0:
            if size > 0x2000 and mem_bytes[0x1000:0x2000].count('\0') < 0x200:
                show_addr = base_addr + 0x1000
                print(" !!! Possible stripped PE header at 0x%x\n Showing address: 0x%x\n" % (base_addr, show_addr))
                dump = pykd.dbgCommand('db %x' % show_addr)
                disasm = pykd.dbgCommand('u %x' % show_addr)
        elif utils.is_legit_pe(first_page):
            print(" Found legit PE at 0x%x\n" % base_addr)
            disasm = None
        if dump:
            print("Hex dump:")
            print(dump)
        if disasm:
            print("Disassembly:")
            print(disasm)
        print('')
        found = True
    if not found:
        print("Nothing found!")
示例12: search
def search(start_addr, end_addr, dword):
    """Search a memory range for a DWORD with ``s -[1]d`` and collect the hits.

    :param start_addr: first address of the range (formatted with ``%x``).
    :param end_addr: last address of the range (formatted with ``%x``).
    :param dword: value to search for, substituted verbatim into the command.
    :return: list of ``(hit_line, start_addr)`` tuples, one per output line
        that begins with ``0x``.
    """
    command = 's -[1]d %x %x %s' % (start_addr, end_addr, dword)
    output = pykd.dbgCommand(command)
    return [(hit, start_addr) for hit in output.split('\n') if hit.startswith('0x')]
示例13: enter_call_back
def enter_call_back(self, bp):
    """Breakpoint handler for entry to ``ntdll!RtlAllocateHeap``.

    On the first hit (``self.bp_end`` still None) the function is
    disassembled with ``uf`` and a breakpoint bound to
    ``self.return_call_back`` is set on the first line containing ``ret``;
    its address is kept in ``self.ret_addr``. Always returns False so
    execution continues. If no ``ret`` line is found, ``self.ret_addr`` is
    not updated and the ``int`` call below fails or uses a stale value —
    same as the original, TODO confirm whether that can happen.
    """
    print("RtlAllocateHeap called.")
    if self.bp_end is not None:
        return False
    listing = pykd.dbgCommand("uf ntdll!RtlAllocateHeap").split('\n')
    for line in listing:
        if 'ret' in line:
            # The first token of a uf line is the instruction address.
            self.ret_addr = line.split()[0]
            break
    self.bp_end = pykd.setBp(int(self.ret_addr, 16), self.return_call_back)
    return False
示例14: enter_call_back
def enter_call_back(self, bp):
    """Breakpoint handler for entry to ``RtlAllocateHeap`` (three stack arguments).

    Builds ``self.out`` from the arguments at ``[esp+4]``, ``[esp+8]`` and
    ``[esp+0xC]``; on the first hit (``self.bp_end`` still None) reads the
    return address from ``[esp]`` (``dd esp L1``) into ``self.ret_addr`` and
    sets ``self.bp_end`` there, bound to ``self.return_call_back``. Always
    returns False so execution continues.
    """
    esp = pykd.reg("esp")
    args = (
        hex(pykd.ptrPtr(esp + 4)),
        hex(pykd.ptrMWord(esp + 0x8)),
        hex(pykd.ptrMWord(esp + 0xC)),
    )
    self.out = "RtlAllocateHeap(%s , %s , %s) = " % args
    if self.bp_end is None:
        # Second token of the dd output is the dword at esp: the return address.
        self.ret_addr = pykd.dbgCommand("dd esp L1").split()[1]
        self.bp_end = pykd.setBp(int(self.ret_addr, 16), self.return_call_back)
    return False
示例15: get_current_stack
def get_current_stack():
    """Return the symbol column of the current ``k`` stack trace.

    The header line is skipped, as is every line that does not split into
    exactly three tokens with a hexadecimal return address in the middle.
    The third token of each remaining line is collected in frame order.
    """
    symbols = []
    frames = pykd.dbgCommand("k").splitlines()
    for frame in frames[1:]:
        parts = frame.split()
        if len(parts) != 3:
            continue
        try:
            int(parts[1], 16)
        except ValueError:
            continue
        symbols.append(parts[2])
    return symbols