Python: Scripts and Tools
Analyze.py generally bootstraps the analysis state; the usual entry point is QuickSetup, which loads a memory dump:
vtero = QuickSetup("my-dump.vmem")
QuickSetup returns a vtero object. Passing IgnoreState causes any saved state from previous runs to be backed up rather than reused.
dt works like the WinDbg `dt` command for symbol lookup and display: it takes any dynamic object and renders it in a similar layout. If the object has no data bound, the output is empty; if you supplied an address when loading the dynamic native type reflection information (as in the _KPRCB example below), the fields are rendered with their values.
def dt(dynObj):
>>> pcrbDef = p.xStructInfo("_KPRCB")
>>> KPRCB = p.xStructInfo("_KPRCB", p.GetSymValueLong("KiProcessorBlock"), pcrbDef.Length)
>>> dt(KPRCB)
_KPRCB len: 0x6900
+0x0 MxCsr : len(0x4) = 0x1f80
+0x4 LegacyNumber : len(0x1) = 0x0
+0x5 ReservedMustBeZero : len(0x1) = 0x0
+0x6 InterruptRequest : len(0x1) = 0x0
+0x7 IdleHalt : len(0x1) = 0x0
+0x8 CurrentThread : * _KTHREAD len(0x8) = 0xffffc00459455080
+0x10 NextThread : * _KTHREAD len(0x8) = 0x0
+0x18 IdleThread : * _KTHREAD len(0x8) = 0xfffff800bd5c8940
+0x20 NestingLevel : len(0x1) = 0x0
+0x21 ClockOwner : len(0x1) = 0x1
+0x22 PendingTickFlags : len(0x1) = 0x1
+0x22 PendingTick : Pos 0, 1 Bits len(0x1) = 0x1
+0x22 PendingBackupTick : Pos 1, 1 Bits len(0x1) = 0x0
+0x23 IdleState : len(0x1) = 0x1
+0x24 Number : len(0x4) = 0x0
+0x28 RspBase : len(0x8) = 0xffff8f01a13f8c90
+0x30 PrcbLock : len(0x8) = 0x0
+0x38 PriorityState : * len(0x8) = 0xfffff800bd553890
`
#
# Windows POOL traversal
#
def PoolInfo(vtero):
# Parses the IDT / GDT.
# Note: there is more than one table (one per CPU); this does not read the per-CPU tables out yet.
def DescriptorTables(p):
#
# Dump the SSDT (System Service Descriptor Table). In the output, an entry that
# resolves to no symbol and is reported as "out of kernel bounds" points outside
# the kernel image; treat it as something to investigate rather than noise — it
# may be a legitimate entry served by another module, or a hooked service pointer.
#
def ssdt(p):
>>> import List
>>> from List import *
>>> ssdt(p)
ServiceDescriptor entry: fffff800cd2f04b4 []
ServiceDescriptor is out of kernel bounds! fffff800cd2f04b4
ServiceDescriptor entry: fffff800bd708998 [NtAcceptConnectPort]
ServiceDescriptor entry: fffff800bd609450 [NtWaitForSingleObject]
ServiceDescriptor entry: fffff800bd6099c0 [NtReadFile]
ServiceDescriptor entry: fffff800bd6677d0 [NtWriteFile]
ServiceDescriptor entry: fffff800bd6e3630 [NtReleaseSemaphore]
ServiceDescriptor entry: fffff800bd6baff4 [NtReplyPort]
ServiceDescriptor entry: fffff800bd609380 [NtSetEvent]
ServiceDescriptor entry: fffff800bd6c45f0 [NtQueryObject]
ServiceDescriptor entry: fffff800bd5f5a14 [NtOpenKey]
ServiceDescriptor entry: fffff800bd5efc80 [NtFindAtom]
ServiceDescriptor entry: fffff800bd610010 [NtQueryKey]
ServiceDescriptor entry: fffff800bd62a760 [NtAllocateVirtualMemory]
ServiceDescriptor entry: fffff800bd6e07b0 [NtWaitForMultipleObjects32]
ServiceDescriptor entry: fffff800bd647f40 [NtSetInformationProcess]
ServiceDescriptor entry: fffff800bd5eaa40 [NtFreeVirtualMemory]
ServiceDescriptor entry: fffff800bd639ae0 [NtReleaseMutant]
ServiceDescriptor entry: fffff800bd6e1158 [NtRequestWaitReplyPort]
ServiceDescriptor entry: fffff800bd602000 [NtOpenThreadToken]
ServiceDescriptor entry: fffff800bd5f4c34 [NtOpenProcess]
ServiceDescriptor entry: fffff800bd627000 [NtMapViewOfSection]
ServiceDescriptor entry: fffff800bd6fce30 [NtUnmapViewOfSection]
# Disassemble at an address using Capstone: dis(p, address)
>>> dis(p, 0xffff800bd6309e0)
[ffff800bd6309e0] [48] mov rax, rsp
[ffff800bd6309e3] [48] mov qword ptr [rax + 8], rbx
[ffff800bd6309e7] [48] mov qword ptr [rax + 0x10], rsi
[ffff800bd6309eb] [57] push rdi
[ffff800bd6309ec] [48] sub rsp, 0x90
[ffff800bd6309f3] [48] mov rsi, rdx
[ffff800bd6309f6] [83] cmp ecx, 0xa
[ffff800bd6309f9] [f] jge 0xffff800bd79cbe2
[ffff800bd6309ff] [48] and qword ptr [rax + 0x20], 0
[ffff800bd630a04] [8b] mov edi, ecx
[ffff800bd630a06] [48] and qword ptr [rax + 0x18], 0
[ffff800bd630a0b] [c1] shl edi, 2
[ffff800bd630a0e] [81] or edi, 0x220003
[ffff800bd630a14] [83] cmp ecx, 9
[ffff800bd630a17] [f] je 0xffff800bd79cbec
#########################################################################
# Search symbols with a wildcard pattern, e.g.
#   SymList(proc, "*POOL*")
# and pretty-print the symbols matching the string.
#########################################################################
def SymList(proc, MatchString):
#
# Look up a process by image name on a vtero object, e.g.
#   p = GetProc(vtero, "chrome.exe")
#
def GetProc(v, str, prev = None):
# Various display helpers
# Display symbols starting at an address, e.g.
#   ds(p, 0x123)
#
def ds(p, addr, len=128, maxWid = 72):
# Display quadwords
def dq(p, addr, len=128, maxWid = 72):
# Display bytes
def db(p, addr, len=128, bytesPerLine = 16):
#########################################################################
# "strings" like functionality (UNICODE/UTF8/ASCII) modes/regex
#########################################################################
def strings(p, rx):
regx = Regex(rx, RegexOptions.Compiled)
#########################################################################
# Full address-space byte search (bytescan) for toFind; align controls match alignment (default 4).
#########################################################################
def scan(p, toFind, align = 4, Kernel = False):
#########################################################################
# Example: pull in one of the ListHeads and format it as a hex quadword:
#   from System import BitConverter
#   BitConverter.ToUInt64(np.ListHeads.Value, 0).ToString("X")
#########################################################################
def scanq(p, toFind, align = 4, Kernel = False):
`