#!/usr/bin/env python
# -*- coding: utf-8 -*
# author: SAI
import os,sys,time
import traceback
import pykd
from common import *
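class ThreadInfo(object):
    """Snapshot of the fields this script needs from an ``nt!_ETHREAD``.

    Attributes:
        ethreadaddr: address of the _ETHREAD object (``int(ethreadobj)``).
        tid: thread id, read from ``Cid.UniqueThread``.
        entrypoint: thread start address, read from ``StartAddress``.
    """

    def __init__(self, ethreadobj=None):
        """Copy address, thread id and start address out of *ethreadobj*.

        Args:
            ethreadobj: a pykd typedVar for an ``nt!_ETHREAD``.  The
                ``None`` default is kept for compatibility only; passing it
                raises ``TypeError`` (as ``int(None)`` always did), now with
                a message that names the problem.
        """
        super(ThreadInfo, self).__init__()
        if ethreadobj is None:
            raise TypeError('ThreadInfo requires an _ETHREAD typedVar, got None')
        self.ethreadaddr = int(ethreadobj)
        self.tid = int(ethreadobj.Cid.UniqueThread)
        self.entrypoint = int(ethreadobj.StartAddress)

    def __repr__(self):
        """Debug form mirroring the 'ethread/tid/entry' lines the CLI prints."""
        return 'ThreadInfo(ethread=%x, tid=%d, entry=%x)' % (
            self.ethreadaddr, self.tid, self.entrypoint)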
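def listThreadByTcbThreadListEntry(eprocessaddr):
    """List a process's threads by walking ``_EPROCESS.Pcb.ThreadListHead``.

    Each ``nt!_ETHREAD`` is reached through its ``Tcb.ThreadListEntry``
    link, i.e. the kernel (KTHREAD) list rather than the executive one
    used by ``listThreadByThreadListEntry``; the inspect command compares
    the two so a thread unlinked from one list is still seen via the other.

    Args:
        eprocessaddr: address (int) of the ``nt!_EPROCESS``.  It is rendered
            with ``%x``, so only an integer ever reaches the debugger command.

    Returns:
        list of ThreadInfo.  Any failure is printed as a traceback and the
        threads gathered up to that point (possibly none) are returned.
    """
    threadlist = []
    try:
        # Switch the debugger's process context (.process /P) and reload
        # symbols (.reload) before resolving the _EPROCESS/_ETHREAD types.
        pykd.dbgCommand('.process /P %x;.reload;' % eprocessaddr)
        eprocessobj = pykd.typedVar('nt!_EPROCESS', eprocessaddr)
        ethreads = pykd.typedVarList(
            eprocessobj.Pcb.ThreadListHead, 'nt!_ETHREAD', 'Tcb.ThreadListEntry')
        for ethread in ethreads:
            threadlist.append(ThreadInfo(ethread))
    except Exception:
        print(traceback.format_exc())
    return threadlist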
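def listThreadByThreadListEntry(eprocessaddr):
    """List a process's threads by walking ``_EPROCESS.ThreadListHead``.

    Each ``nt!_ETHREAD`` is reached through its ``ThreadListEntry`` link,
    i.e. the executive list rather than the ``Tcb.ThreadListEntry`` list
    used by ``listThreadByTcbThreadListEntry``; the inspect command
    compares the two so a thread unlinked from one list is still seen via
    the other.

    Args:
        eprocessaddr: address (int) of the ``nt!_EPROCESS``.  It is rendered
            with ``%x``, so only an integer ever reaches the debugger command.

    Returns:
        list of ThreadInfo.  Any failure is printed as a traceback and the
        threads gathered up to that point (possibly none) are returned.
    """
    threadlist = []
    try:
        # Switch the debugger's process context (.process /P) and reload
        # symbols (.reload) before resolving the _EPROCESS/_ETHREAD types.
        pykd.dbgCommand('.process /P %x;.reload;' % eprocessaddr)
        eprocessobj = pykd.typedVar('nt!_EPROCESS', eprocessaddr)
        ethreads = pykd.typedVarList(
            eprocessobj.ThreadListHead, 'nt!_ETHREAD', 'ThreadListEntry')
        for ethread in ethreads:
            threadlist.append(ThreadInfo(ethread))
    except Exception:
        print(traceback.format_exc())
    return threadlist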
from process_op import *
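def inspectProcessHiddenThread(eprocessaddr=None):
    """Report threads whose start address has no ``module!symbol`` name.

    Threads are gathered for one process (``eprocessaddr`` given) or for
    every process from ``listProcessByPsActiveProcessHead``, through both
    ``_ETHREAD.Tcb.ThreadListEntry`` and ``_ETHREAD.ThreadListEntry``, so a
    thread unlinked from one list is still found via the other.  A thread
    whose entry point ``pykd.findSymbol`` cannot attribute to a module is
    printed as suspicious; missing symbols produce the same output, so a
    hit is a lead to verify rather than proof of injection.

    Args:
        eprocessaddr: address (int) of an ``nt!_EPROCESS``; ``None`` or 0
            inspects every process.

    Returns:
        None.  Results go to stdout; errors are printed as tracebacks and
        never raised, matching the other commands in this script.
    """
    try:
        processlist = _resolveProcessList(eprocessaddr)
        if not processlist:
            return
        funclist = [listThreadByTcbThreadListEntry, listThreadByThreadListEntry]
        for eprocessinfo in processlist:
            try:
                addr = eprocessinfo.eprocessaddr
                print('%s process:%x pid:%d %s %s' % (
                    '=' * 10, addr, eprocessinfo.pid, eprocessinfo.filepath, '=' * 10))
                threads = _collectThreads(addr, funclist)
                _reportUnbackedThreads(threads)
            except Exception:
                print(traceback.format_exc())
            print('')
        print('inspect completely')
    except Exception:
        print(traceback.format_exc())


def _resolveProcessList(eprocessaddr):
    """Return the ProcessInfo list to inspect, or None after printing why not."""
    if eprocessaddr:
        eprocessobj = pykd.typedVar('nt!_EPROCESS', eprocessaddr)
        eprocessinfo = ProcessInfo()
        if not eprocessinfo.init(eprocessobj):
            print('it is not a eprocess')
            return None
        return [eprocessinfo]
    processlist = listProcessByPsActiveProcessHead()
    if not processlist:
        print('can not get process list')
        return None
    return processlist


def _collectThreads(eprocessaddr, funclist):
    """Union of the threads every lister in *funclist* returns, keyed by _ETHREAD address.

    A lister that raises contributes nothing; its error is printed and the
    remaining listers still run, so one broken walk does not hide the other.
    """
    threads = {}
    for func in funclist:
        try:
            found = func(eprocessaddr)
        except Exception as err:
            found = []
            print(err)
        for info in found:
            # first lister to report an address wins; later ones only add new ones
            threads.setdefault(info.ethreadaddr, info)
    return threads


def _reportUnbackedThreads(threads):
    """Print each thread whose entry point resolves to no ``module!symbol``."""
    hooknumber = 0
    for info in threads.values():
        symbolname = pykd.findSymbol(info.entrypoint)
        # A resolved address prints as 'module!symbol'; no '!' means the
        # start address could not be attributed to any loaded module.
        if symbolname.find('!') == -1:
            print('ethread:%x tid:%d entry:%x' % (
                info.ethreadaddr, info.tid, info.entrypoint))
            hooknumber += 1
    if hooknumber == 0:
        print('no hidden thread')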
def help():
    """Print the command-line usage of this script.

    Deliberately shadows the builtin ``help``; the ``__main__`` block calls
    this name.
    """
    usage = (
        '-inspectall',
        '-inspectone eprocessaddr',
        '-list0 eprocessaddr #by _ETHREAD.Tcb.ThreadListEntry',
        '-list1 eprocessaddr #by _ETHREAD.ThreadListEntry',
    )
    for line in usage:
        print(line)
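if __name__ == '__main__':
    # Command dispatch.  Every command except -inspectall needs an
    # _EPROCESS address in hex; a missing address now prints the usage
    # instead of an IndexError traceback.
    try:
        argv = sys.argv[1:]
        if not argv:
            help()
            sys.exit(0)
        command = argv[0]
        if command == '-inspectall':
            inspectProcessHiddenThread()
        elif command in ('-inspectone', '-list0', '-list1'):
            if len(argv) < 2:
                help()
            else:
                # int(..., 16) rejects anything that is not a hex address;
                # the ValueError is reported by the except below.
                eprocessaddr = int(argv[1], 16)
                if command == '-inspectone':
                    inspectProcessHiddenThread(eprocessaddr)
                else:
                    listers = {
                        '-list0': listThreadByTcbThreadListEntry,
                        '-list1': listThreadByThreadListEntry,
                    }
                    for info in listers[command](eprocessaddr):
                        print('ethread:%x tid:%d entry:%x' % (
                            info.ethreadaddr, info.tid, info.entrypoint))
        else:
            help()
    except Exception:
        print(traceback.format_exc())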