#!/usr/bin/env python
from struct import unpack,calcsize
from memutil import virt2phys, PagedOutException, offsets, read_range
from general import getUnicodeString
from hexutil import hd
def unpack_le(str):
    """Decode the 4-byte little-endian unsigned int held in *str*.

    *str* must be exactly four bytes; struct.error is raised otherwise.
    (The parameter name shadows the builtin, kept for call compatibility.)
    """
    (value,) = unpack("<L", str)
    return value
# struct formats for the loader structures read out of the dump.  "<" forces
# little-endian with standard sizes and no padding, so calcsize() gives the
# exact number of bytes to read.  Field meanings follow the unpack() sites
# below: Length, Initialized (c) plus three unused bytes, SsHandle, then the
# load-order / memory-order / init-order flink+blink pairs and the
# in-progress pointer.
LDR_DATA_FMT = "<LccccLLLLLLLL"
# Per-module entry: three flink/blink pairs, DllBase, EntryPoint, SizeOfImage,
# then FullDllName and BaseDllName as (Length, MaximumLength, Buffer) triples.
# Only the prefix actually used by getDllName() is described here.
LDR_ENTRY_FMT = "<LLLLLLLLLHHLHHL" # There's more but I'm on a deadline
def getDllName(memdump, pdba, ldr_entry_addr):
    """Read one loader list entry from the dump and return its link and names.

    memdump        -- open file object for the memory dump (it is seeked here)
    pdba           -- page directory base passed through to virt2phys()
    ldr_entry_addr -- virtual address of the entry (its load-order link)

    Prints "<DllBase> <BaseDllName>" as a side effect and returns the tuple
    (load_order_flink, load_order_blink, FullDllName, BaseDllName).

    Every value here comes straight from the dump and is not validated: a
    truncated read surfaces as struct.error, and a bad pointer surfaces as
    whatever virt2phys() / getUnicodeString() raise.
    """
    entry_phys = virt2phys(memdump, pdba, ldr_entry_addr)
    memdump.seek(entry_phys)
    fields = unpack(LDR_ENTRY_FMT, memdump.read(calcsize(LDR_ENTRY_FMT)))
    # Index layout follows LDR_ENTRY_FMT: [0..5] three flink/blink pairs,
    # [6] DllBase, [7] EntryPoint, [8] SizeOfImage, [9..11] FullDllName
    # (Length, MaximumLength, Buffer), [12..14] BaseDllName likewise.
    flink, blink = fields[0], fields[1]
    dll_base = fields[6]
    full_len, full_ptr = fields[9], fields[11]
    base_len, base_ptr = fields[12], fields[14]
    full_name = getUnicodeString(memdump, pdba, full_ptr, full_len)
    base_name = getUnicodeString(memdump, pdba, base_ptr, base_len)
    print "%08x %s" % (dll_base, base_name)
    return (flink, blink, full_name, base_name)
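if __name__ == "__main__":
    import sys
    from general import parser
    (options, args) = parser.parse_args()
    if len(args) != 2:
        parser.print_help()
        sys.exit(1)
    # An unknown OS name used to escape as a bare KeyError; report it instead.
    try:
        offs = offsets[options.osname]
    except KeyError:
        sys.stderr.write("Unknown OS name %r (known: %s)\n"
                         % (options.osname, ", ".join(sorted(offsets))))
        sys.exit(1)
    # Parse the EPROCESS offset before opening the dump so a malformed
    # argument cannot leave the file handle dangling.  Base 0 accepts 0x...
    eproc_offset = int(args[1], 0)
    memdump = open(args[0], 'rb')
    try:
        memdump.seek(eproc_offset)
        eproc_struct = memdump.read(offs["EPROC_SIZE"])
        pdba = unpack_le(eproc_struct[offs["PDBA_OFFSET"]:offs["PDBA_OFFSET"] + 4])
        peb_addr_virt = unpack_le(eproc_struct[offs["PEB_OFFSET"]:offs["PEB_OFFSET"] + 4])
        peb_addr_real = virt2phys(memdump, pdba, peb_addr_virt)
        memdump.seek(peb_addr_real + offs["PEB_LDR_DATA"])
        ldr_base_virt = unpack_le(memdump.read(4))
        ldr_base_real = virt2phys(memdump, pdba, ldr_base_virt)
        memdump.seek(ldr_base_real)
        LDR_SIZE = calcsize(LDR_DATA_FMT)
        (length, initialized, _, _, _,
         SsHandle, initial_in_ldorder_flink, initial_in_ldorder_blink,
         in_memorder_flink, in_memorder_blink,
         in_initorder_flink, in_initorder_blink,
         inprogress) = unpack(LDR_DATA_FMT, memdump.read(LDR_SIZE))

        # Walk the load-order list until it wraps back to its head.  The
        # links come from an untrusted dump: a corrupt or deliberately cycled
        # chain that never returns to the head would otherwise spin forever,
        # so every visited address is remembered and a revisit ends the walk.
        dlls_in_load_order = []
        seen = set()
        walk_completed = False
        in_ldorder_flink = initial_in_ldorder_flink
        while True:
            cur = in_ldorder_flink
            if cur in seen:
                sys.stderr.write("warning: load-order list loops back to "
                                 "%08x; stopping\n" % cur)
                break
            seen.add(cur)
            try:
                (in_ldorder_flink, in_ldorder_blink,
                 FullDllName, BaseDllName) = getDllName(memdump, pdba, cur)
            except PagedOutException:
                # NOTE(review): assumes virt2phys() raises this for an
                # unmapped page — confirm against memutil.  Keep what was
                # collected so far rather than aborting the whole listing.
                sys.stderr.write("warning: entry at %08x is paged out; "
                                 "stopping\n" % cur)
                break
            dlls_in_load_order.append((FullDllName, BaseDllName))
            if in_ldorder_flink == initial_in_ldorder_flink:
                walk_completed = True
                break
        # HACK: last one always seems to be invalid, so I'm skipping it --
        # but only when the list actually wrapped; on an early stop the last
        # collected entry is a real module.
        if walk_completed and dlls_in_load_order:
            dlls_in_load_order.pop()
        for full, short in dlls_in_load_order:
            # Names are decoded from the dump and may not be printable in the
            # console encoding; fall back to a hex rendering of the code points.
            try: print full,
            except UnicodeError:
                print "".join(("%x" % ord(f) for f in full)),
            try: print "(%s)" % short
            except UnicodeError:
                print "(%s)" % "".join(("%x" % ord(f) for f in short))
    finally:
        memdump.close()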