#!/usr/bin/env python
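"""Locate a process image inside a raw memory dump and print its PE header.

Usage: memdump.py <memdump> <_EPROCESS offset>

Starting from the physical offset of an _EPROCESS block, the script reads
the Flink/Blink list links and the page-directory base, translates the PEB
pointer to a physical offset, follows it to the image base, translates that
too, and hands the first page of the image to pefile.

The structure offsets below are hard-coded for one 32-bit Windows layout
(4-byte pointers). They are build-specific: on a dump from a different build
the reads silently return unrelated bytes instead of failing, so confirm the
offsets against the target's symbols before trusting any output.
"""
from __future__ import print_function

import struct
import sys
from os.path import basename

from memutil import virt2phys, PagedOutException
from pefile import PE, PEFormatError

# _EPROCESS field offsets (32-bit; build-specific, see module docstring).
PDB_OFF = 0x18          # page directory base used for virtual->physical translation
PEB_OFF = 0x1b0         # virtual address of the Process Environment Block
FLINK_OFF = 0x10        # forward list link
BLINK_OFF = 0x14        # backward list link
# _PEB field offset.
IMAGE_BASE_OFF = 0x08   # virtual address of the process image

# Bytes handed to pefile. This is read from ONE physical location; a PE
# header that spans more than one page is only reachable by translating the
# following virtual pages separately, which this script does not do.
HEADER_READ_SIZE = 4096


def read_u32(memdump, offset):
    """Return the little-endian uint32 stored at physical *offset* of the dump.

    Args:
        memdump: dump file opened in binary mode.
        offset: absolute file offset to read from.

    Raises:
        ValueError: if fewer than 4 bytes are available at *offset*. Offsets
            are mostly pointers taken from the dump itself, so an out-of-file
            value means a bad/untrusted pointer or a truncated dump, and is
            reported instead of surfacing as a struct.error.
    """
    memdump.seek(offset)
    raw = memdump.read(4)
    if len(raw) != 4:
        raise ValueError(
            "short read at 0x%08x (dump truncated or pointer outside the file)"
            % offset
        )
    return struct.unpack("<L", raw)[0]


def main(argv):
    """Run the walk described in the module docstring; return the exit status.

    Args:
        argv: sys.argv-style list; argv[1] is the dump path, argv[2] the
            _EPROCESS physical offset (any base int() accepts, e.g. 0x...).

    Returns:
        0 on success, 1 on usage error, unreadable pointer, paged-out
        PEB/ImageBase, or an unparseable PE header.
    """
    if len(argv) < 3:
        print("usage: %s <memdump> <_EPROCESS offset>" % basename(argv[0]))
        return 1

    try:
        eproc_off = int(argv[2], 0)
    except ValueError:
        print("FAIL (bad _EPROCESS offset: %r)" % argv[2])
        return 1

    # Binary mode: text mode would translate newlines on Windows and, on
    # Python 3, return str instead of bytes to struct.unpack.
    with open(argv[1], "rb") as memdump:
        try:
            flink = read_u32(memdump, eproc_off + FLINK_OFF)
            blink = read_u32(memdump, eproc_off + BLINK_OFF)
            print("Flink: %08x, Blink: %08x" % (flink, blink))

            pdba = read_u32(memdump, eproc_off + PDB_OFF)
            print("Page directory at: %08x" % pdba)

            # The Flink translation is informational only; a paged-out
            # link must not abort the image lookup below.
            try:
                print("Flink real addr: %08x" % virt2phys(memdump, pdba, flink))
            except PagedOutException:
                print("Flink real addr: [paged out]")

            peb_virt_addr = read_u32(memdump, eproc_off + PEB_OFF)
            try:
                peb_phys_addr = virt2phys(memdump, pdba, peb_virt_addr)
            except PagedOutException:
                print("FAIL (Process Environment Block paged out)")
                return 1

            img_base_virt = read_u32(memdump, peb_phys_addr + IMAGE_BASE_OFF)
            try:
                img_base_phys = virt2phys(memdump, pdba, img_base_virt)
            except PagedOutException:
                print("FAIL (ImageBase paged out)")
                return 1

            memdump.seek(img_base_phys)
            header = memdump.read(HEADER_READ_SIZE)
        except ValueError as e:
            print("FAIL (%s)" % e)
            return 1

    # The bytes come from a possibly compromised host; a malformed header is
    # an expected outcome, reported with a non-zero status rather than a
    # traceback.
    try:
        pe = PE(data=header)
    except PEFormatError as e:
        print("FAIL (no parseable PE header at ImageBase: %s)" % e)
        return 1
    print(pe.dump_info())

    # Section listing (name / VA / physical address / size) was left disabled
    # by the original author; each section would need its own virt2phys
    # translation of (img_base_virt + sect.VirtualAddress), with
    # PagedOutException mapped to "[paged out]".
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))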