#!/usr/bin/env python
from struct import unpack,calcsize
from memutil import virt2phys, PagedOutException, offsets, read_range
from hexutil import hd
def unpack_le(str):
    """Silly helper function to convert 4 characters to a little-endian unsigned int.

    Raises struct.error unless exactly four bytes are supplied.
    (The parameter shadows the ``str`` builtin; kept for call compatibility.)
    """
    (value,) = unpack("<L", str)
    return value
# Layout of the structure at PEB+PEB_LDR_DATA as unpacked in main: Length,
# Initialized (one byte, followed by three bytes that are unpacked and
# discarded), SsHandle, the flink/blink pairs of the InLoadOrder,
# InMemoryOrder and InInitializationOrder lists, and a final "in progress"
# DWORD.  Little-endian with 4-byte pointers, i.e. 32-bit dumps only.
LDR_DATA_FMT = "<LccccLLLLLLLL"
# Leading part of one loader entry as unpacked in getDllName: the same three
# link pairs, DllBase, EntryPoint, SizeOfImage, then (Length, MaximumLength,
# Buffer) for the full DLL name and again for the base DLL name.
LDR_ENTRY_FMT = "<LLLLLLLLLHHLHHL" # There's more but I'm on a deadline
def getUnicodeString(memdump, pdba, str_addr, size):
    """Read *size* bytes of UTF-16LE at virtual address *str_addr* and return the text.

    The virtual address is translated with virt2phys (using *pdba*, the value
    main reads from the EPROCESS PDBA field) before seeking into *memdump*.
    Failures are reported in-band instead of raised, so callers always get a
    string: "[string address paged out]" when the page is not in the dump and
    "[unicode decoding error]" when the bytes are not valid UTF-16LE.

    NOTE(review): only the start address is translated; a string crossing a
    page boundary is read from the physically following page, which need not
    be the right one.  memutil.read_range is imported but unused here -- check
    whether it is the page-aware alternative.
    """
    try:
        phys = virt2phys(memdump, pdba, str_addr)
    except PagedOutException:
        return "[string address paged out]"
    memdump.seek(phys)
    raw = memdump.read(size)
    try:
        return raw.decode('utf_16_le')
    except UnicodeDecodeError:
        return "[unicode decoding error]"
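def getDllName(memdump, pdba, ldr_entry_addr):
    """Parse the loader entry (LDR_ENTRY_FMT) at virtual address *ldr_entry_addr*.

    Returns ``(in_ldorder_flink, in_ldorder_blink, FullDllName, BaseDllName)``:
    the virtual addresses of the neighbouring InLoadOrder entries and the two
    names decoded from their (Length, MaximumLength, Buffer) fields by
    getUnicodeString (so a name may also be one of its bracketed markers).
    An entry whose DllBase, EntryPoint or SizeOfImage is zero is treated as
    the end of the list and reported as ``(0, 0, "", "")``.

    Raises PagedOutException (propagated from virt2phys) when the entry itself
    is not present in the dump, and struct.error when the dump ends before a
    whole entry could be read.
    """
    ldr_entry_real = virt2phys(memdump, pdba, ldr_entry_addr)
    memdump.seek(ldr_entry_real)
    entry_size = calcsize(LDR_ENTRY_FMT)
    (in_ldorder_flink, in_ldorder_blink,
     in_memorder_flink, in_memorder_blink,
     in_initorder_flink, in_initorder_blink,
     DllBase, EntryPoint, SizeOfImage,
     FullDllNameLen, FullDllNameMaxLen, FullDllNamePtr,
     BaseDllNameLen, BaseDllNameMaxLen, BaseDllNamePtr) = unpack(LDR_ENTRY_FMT, memdump.read(entry_size))
    # Decide whether this is a real entry *before* chasing the name pointers:
    # the terminating/empty entry's name fields carry nothing useful, and
    # reading them costs two extra address translations and seeks.
    if DllBase == 0 or EntryPoint == 0 or SizeOfImage == 0:
        return (0, 0, "", "")
    FullDllName = getUnicodeString(memdump, pdba, FullDllNamePtr, FullDllNameLen)
    BaseDllName = getUnicodeString(memdump, pdba, BaseDllNamePtr, BaseDllNameLen)
    return (in_ldorder_flink, in_ldorder_blink, FullDllName, BaseDllName)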
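if __name__ == "__main__":
    import sys
    from optparse import OptionParser

    usage = "usage: %prog [options] <memory dump> <EPROCESS offset>"
    parser = OptionParser(usage=usage)
    parser.add_option("-o", "--operating-system", dest="osname", default="XPSP2",
                      help=("operating system memory dump comes from"
                            " [default: %%default, options: %s]" % ",".join(offsets.keys())))
    (options, args) = parser.parse_args()
    if len(args) != 2:
        parser.print_help()
        sys.exit(1)
    # Reject bad arguments before touching the dump instead of surfacing them
    # as a KeyError/ValueError traceback from the parsing below.
    if options.osname not in offsets:
        parser.error("unknown operating system %r (options: %s)"
                     % (options.osname, ",".join(offsets.keys())))
    try:
        # base 0 accepts decimal as well as 0x-prefixed hexadecimal offsets
        eproc_offset = int(args[1], 0)
    except ValueError:
        parser.error("EPROCESS offset must be an integer, got %r" % args[1])
    print "Done parsing arguments."
    offs = offsets[options.osname]

    def walk_module_list(memdump, pdba, start, follow_blink):
        """Yield (FullDllName, BaseDllName) for each entry reachable from *start*.

        Follows the InLoadOrder blink when *follow_blink* is true, the flink
        otherwise.  The walk ends at a null link, at an entry getDllName
        reports as empty, or when an address repeats: a corrupted (or
        deliberately crafted) dump could otherwise keep the walk running
        forever and the result list growing without bound.
        """
        seen = set()
        addr = start
        while addr != 0:
            if addr in seen:
                sys.stderr.write("Warning: module list loops back to %08x, stopping walk\n" % addr)
                break
            seen.add(addr)
            (flink, blink, full, short) = getDllName(memdump, pdba, addr)
            if flink == 0 or blink == 0:
                break
            yield (full, short)
            addr = blink if follow_blink else flink

    memdump = open(args[0], 'rb')
    try:
        # EPROCESS supplies the PDBA (handed to every virt2phys translation)
        # and the virtual address of the PEB.
        memdump.seek(eproc_offset)
        eproc_struct = memdump.read(offs["EPROC_SIZE"])
        pdba = unpack_le(eproc_struct[offs["PDBA_OFFSET"]:offs["PDBA_OFFSET"]+4])
        peb_addr_virt = unpack_le(eproc_struct[offs["PEB_OFFSET"]:offs["PEB_OFFSET"]+4])
        peb_addr_real = virt2phys(memdump, pdba, peb_addr_virt)
        # PEB -> pointer to the loader data -> the list heads themselves.
        memdump.seek(peb_addr_real + offs["PEB_LDR_DATA"])
        ldr_base_virt = unpack_le(memdump.read(4))
        ldr_base_real = virt2phys(memdump, pdba, ldr_base_virt)
        memdump.seek(ldr_base_real)
        (length, initialized, _, _, _,
         SsHandle, initial_in_ldorder_flink, initial_in_ldorder_blink,
         in_memorder_flink, in_memorder_blink,
         in_initorder_flink, in_initorder_blink,
         inprogress) = unpack(LDR_DATA_FMT, memdump.read(calcsize(LDR_DATA_FMT)))
        print "Number of loaded DLLs: %d" % length

        # Forward from the head's flink ...
        dlls_in_load_order = list(walk_module_list(memdump, pdba, initial_in_ldorder_flink, False))
        print "Number of DLLs in forward list: %d" % len(dlls_in_load_order)
        # ... then backward from the head's blink.  Each backward hit goes in
        # front of everything seen so far, so the backward run is prepended
        # as a whole in reverse order (one list concatenation, not n).
        backward = list(walk_module_list(memdump, pdba, initial_in_ldorder_blink, True))
        backward.reverse()
        dlls_in_load_order = backward + dlls_in_load_order
        print "Number of DLLs in full list: %d" % len(dlls_in_load_order)

        for full, short in dlls_in_load_order:
            # The names come straight from the dump; if the output encoding
            # cannot represent one, fall back to its code points in hex.
            try:
                print full,
            except UnicodeError:
                print "".join(("%x" % ord(f) for f in full)),
            try:
                print "(%s)" % short
            except UnicodeError:
                print "(%s)" % "".join(("%x" % ord(f) for f in short))
    finally:
        memdump.close()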