#!/usr/bin/env python
import sys,struct
from memutil import virt2phys, PagedOutException
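# x86 virtual page size: virt2phys is used one page at a time, so the walk
# below strides by this, not by the PE's SectionAlignment (which is a file
# layout property and need not equal the page size).
PAGE_SIZE = 4096


def _clean_section_name(raw_name):
    """Return a filesystem-safe version of a PE section name.

    The name comes straight out of the memory image, so it is untrusted
    data: pefile hands back the raw 8-byte field (NUL padded, bytes on
    Python 3) and nothing stops it from holding path separators or other
    characters that must not reach open(). Only alphanumerics, '.', '_'
    and '-' are kept; an empty result becomes 'unnamed'.
    """
    name = raw_name
    # Python 3 pefile returns bytes; on Python 2 bytes is str, so skip.
    if isinstance(name, bytes) and not isinstance(name, str):
        name = name.decode('latin-1')
    name = name.rstrip('\x00')
    cleaned = ''.join(c for c in name if c.isalnum() or c in '._-')
    return cleaned or 'unnamed'


def write_pe(memdump, pdb, pe):
    """Dump every section of *pe* out of the memory image into files.

    Args:
        memdump: file object of the physical memory dump, opened for
            binary reading and seeking.
        pdb: page directory base of the target process, passed through
            to virt2phys unchanged.
        pe: a pefile.PE built from the in-memory image header; only
            OPTIONAL_HEADER.ImageBase and the section table are used.

    Each section is written to ``section-<name>`` in the current
    directory, one page at a time. A page that virt2phys reports as
    swapped out is replaced by NUL bytes, and a short read at the end of a
    truncated dump is padded, so file offsets always line up with virtual
    offsets. Two sections that clean to the same name overwrite each
    other, as in the original behaviour.
    """
    img_base = pe.OPTIONAL_HEADER.ImageBase
    for sect in pe.sections:
        name = _clean_section_name(sect.Name)
        virt_addr = sect.VirtualAddress + img_base
        virt_size = sect.Misc_VirtualSize
        # 'wb': section contents are binary; text mode would translate
        # newlines on Windows and reject str/bytes mixing on Python 3.
        with open('section-' + name, 'wb') as out:
            for page in range(virt_addr, virt_addr + virt_size, PAGE_SIZE):
                try:
                    phys_addr = virt2phys(memdump, pdb, page)
                except PagedOutException:
                    print("WARNING: page at virtual address %08X is swapped out, writing nulls." % page)
                    out.write(b'\x00' * PAGE_SIZE)
                    continue
                memdump.seek(phys_addr)
                print("DEBUG: %s: %08X %08X" % (name, page, phys_addr))
                data = memdump.read(PAGE_SIZE)
                # Pad a short read so later pages keep their offsets.
                out.write(data.ljust(PAGE_SIZE, b'\x00'))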
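# Structure field offsets used to locate the process image. They appear to
# correspond to a 32-bit Windows _EPROCESS (Pcb.DirectoryTableBase, Peb) and
# _PEB (ImageBaseAddress) layout of the XP era; they are kernel-build
# specific -- NOTE(review): confirm against the target's symbols before
# trusting the output.
pdb_off = 0x18         # _EPROCESS.Pcb.DirectoryTableBase (page directory base)
peb_off = 0x1b0        # _EPROCESS.Peb (virtual address of the PEB)
image_base_off = 0x08  # _PEB.ImageBaseAddress


def _read_u32(f, offset):
    """Read a little-endian unsigned 32-bit value at *offset* of *f*.

    Raises struct.error when fewer than four bytes are available, i.e. the
    dump is truncated or the caller's offset is wrong.
    """
    f.seek(offset)
    return struct.unpack('<L', f.read(4))[0]


if len(sys.argv) < 3:
    from os.path import basename
    print("usage: %s <memdump> <_EPROCESS offset>" % basename(sys.argv[0]))
    sys.exit(1)

# The dump is raw binary: 'rb' avoids newline translation on Windows and is
# required for struct/pefile to see bytes on Python 3.
memdump = open(sys.argv[1], 'rb')
eproc_off = int(sys.argv[2], 0)  # base 0: accepts 0x-prefixed hex or decimal

# Page directory base of the process and the virtual address of its PEB,
# both read directly from the _EPROCESS at the user-supplied offset.
pdba = _read_u32(memdump, eproc_off + pdb_off)
peb_virt_addr = _read_u32(memdump, eproc_off + peb_off)

# Only the swapped-out case is reported as "paged out"; any other failure
# (e.g. a bogus offset making the translation itself fail) propagates with
# its real traceback instead of a misleading message.
try:
    peb_phys_addr = virt2phys(memdump, pdba, peb_virt_addr)
except PagedOutException:
    print("FAIL (PEB paged out)")
    sys.exit(1)

img_base_virt = _read_u32(memdump, peb_phys_addr + image_base_off)
try:
    img_base_phys = virt2phys(memdump, pdba, img_base_virt)
except PagedOutException:
    print("FAIL (ImageBase paged out)")
    sys.exit(1)

from pefile import PE

try:
    # The first page of the image holds the DOS/NT headers and the section
    # table; fast_load skips parsing the data directories, which are not
    # needed to walk the sections.
    memdump.seek(img_base_phys)
    pehead = memdump.read(4096)
    with open('header', 'wb') as w:
        w.write(pehead)
    pe = PE(data=pehead, fast_load=True)
    write_pe(memdump, pdba, pe)
except Exception as e:
    # pefile raises PEFormatError on a malformed header; report it and
    # exit non-zero so callers can tell a failed dump from a good one.
    print(e)
    sys.exit(1)
finally:
    memdump.close()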