VAD Tools Code

#!/usr/bin/env python

from memutil import virt2phys, offsets 
from vadutil import VAD
from struct import unpack

def unpack_le(str):
    """Silly helper function to convert 4 characters to a little-endian unsigned int"""
    return unpack("<L", str)[0]

if __name__ == "__main__":
    from optparse import OptionParser

    usage = "usage: %prog [options] <memory dump> <EPROCESS offset>"
    parser = OptionParser(usage=usage)
    parser.add_option("-v", "--vad", dest="vad",
                      help="read single VAD entry at OFFSET (virtual)",
                      metavar='OFFSET')
    parser.add_option("-o", "--operating-system", dest="osname", default="XPSP2",
            help=("operating system memory dump comes from"
                  " [default: %%default, options: %s]" % ",".join(offsets.keys())))
    
    (options, args) = parser.parse_args()

    if len(args) != 2:
        import sys
        parser.print_help()
        sys.exit(1)

    print "Done parsing arguments."
    
    memdump = open(args[0], 'rb')
    eproc_offset = int(args[1], 0)
    offs = offsets[options.osname]
    
    memdump.seek(eproc_offset)
    eproc_struct = memdump.read(offs["EPROC_SIZE"])

    pdba = unpack_le(eproc_struct[offs["PDBA_OFFSET"]:offs["PDBA_OFFSET"]+4])

    vad_root_addr = unpack_le(eproc_struct[offs["VAD_ROOT_OFFSET"]:offs["VAD_ROOT_OFFSET"]+4])
    vad_root = VAD(None, pdba, memdump, vad_root_addr)

    print "Successfully walked/read entire VAD tree"

    if options.vad:
        options.vad = int(options.vad,0)
        for node in vad_root:
            if node.address == options.vad:
                print node
    else:
        for node in vad_root:
            print node

    memdump.close()