Commit 76ce717c authored by Alexander Tarasenko's avatar Alexander Tarasenko

added procmod.py

parent e245538e
import pykd
from pykd import *
from optparse import OptionParser
import fnmatch
import sys
import re
nt = None
EPROCESS = None
ETHREAD = None
def setupGlobalObject():
global nt, EPROCESS, ETHREAD
try:
nt = module("nt")
EPROCESS = nt.type("_EPROCESS")
ETHREAD = nt.type("_ETHREAD")
except DbgException:
dprintln("check symbol paths")
class PrintOptions:
def __init__(self):
self.ignoreNotActiveProcess = True
def isWow64Process(process):
result = False
if is64bitSystem() == False:
return result
try:
if hasattr(process, "WoW64Process"):
return process.WoW64Process != 0
elif hasattr(process, "Wow64Process"):
return process.Wow64Process != 0
except:
pass
return result
def printProcess(process, processFilter, moduleFilter, printopt):
processName = loadCStr( process.ImageFileName )
processWow64 = isWow64Process(process)
if processFilter and not processFilter(process, process.UniqueProcessId, processName ):
return
wow64reloaded = False
try:
moduleOutput = ""
dbgCommand(".process /p /r %x" % process )
if not processWow64:
dbgCommand( ".reload /user" )
moduleOutput = dbgCommand( "lmu" )
else:
cpuMode = getCPUMode()
try:
dbgCommand( ".reload /user" )
moduleOutput = dbgCommand( "lmu" )
except DbgException:
pass
setCPUMode(cpuMode)
if not moduleFilter or next( ( s for s in moduleOutput.split(' ') if fnmatch.fnmatch(s, moduleFilter) ), None):
dprintln( "" )
dprintln( "Process %x" % process )
dprintln( "Name: %s Pid: %#x" % ( processName, process.UniqueProcessId ) )
dprintln( "" )
if moduleFilter:
pattern = re.sub('\*', '\w*', moduleFilter)
pattern = re.sub('\?', '\w?', pattern)
pattern = "(\s)(%s)" % pattern
moduleOutput = re.sub( pattern, lambda matchobj: "%s<col fg=\"clfg\" bg=\"clbg\">%s</col>" % (matchobj.group(1), matchobj.group(2)), moduleOutput, flags=re.IGNORECASE)
dprintln(moduleOutput, dml=True)
except DbgException:
if not printopt.ignoreNotActiveProcess:
dprintln( "Process %x" % process )
dprintln( "Name: %s" % processName )
dprintln( "Failed to switch into process context\n")
dprintln( "" )
def main():
dprintln("Process's module list")
if not hasattr(pykd, "__version__") or not fnmatch.fnmatch( pykd.__version__, "0.3.*"):
dprintln ( "pykd has incompatible version" )
parser = OptionParser()
parser.add_option("-p", "--process", dest="processfilter",
help="process filter: boolean expression with python syntax" )
parser.add_option("-m", "--module", dest="modulefilter",
help="module filter: module name with possible wildcard symbols" )
(options, args) = parser.parse_args()
if not isKernelDebugging():
dprintln("This script is only for kernel debugging")
return
setupGlobalObject()
processFilter = None
if options.processfilter:
processFilter = lambda process, pid, name: eval( options.processfilter )
printopt = PrintOptions()
processLst = nt.typedVarList( nt.PsActiveProcessHead, "_EPROCESS", "ActiveProcessLinks.Flink")
for process in processLst:
printProcess( process, processFilter, options.modulefilter, printopt )
if __name__ == "__main__":
main()
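Review bot: The module filter is spliced into a regular expression at the `pattern = re.sub('\*', '\w*', moduleFilter)` lines without escaping, so a filter containing regex metacharacters (a `(` or `+` in a module name, for instance) raises `re.error` at the highlighting step even though the `fnmatch` match on `moduleOutput.split(' ')` just above already succeeded; the non-raw `'\w*'`/`'\w?'` replacement strings also rely on the interpreter passing unknown escapes through, which newer Python 3 `re.sub` versions reject. Escape first and then reintroduce the wildcards, replacing the two `re.sub` lines with `pattern = re.escape(moduleFilter).replace('\\*', r'\w*').replace('\\?', r'\w?')` and making the wrapper a raw string, `pattern = r"(\s)(%s)" % pattern`. Note also that the `fnmatch` test used to select processes is case-sensitive on non-Windows hosts while the highlight uses `re.IGNORECASE`, so the two can disagree on which modules count as a match. Separately, the `-p` help text does not say the expression is handed to `eval` with `process`, `pid` and `name` bound; stating that in the help string (e.g. `help="process filter: python expression evaluated per process with 'process', 'pid' and 'name' in scope"`) would make the filter's contract explicit to the operator.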