Last active
December 18, 2024 19:05
scan PsLoadedModuleList in gdb
import gdb | |
import struct | |
# Handle to the first entry returned by gdb.inferiors(); read_word and
# read_half read target memory through it.
# NOTE(review): this is the first inferior, which is not necessarily the one
# currently selected in the gdb session -- confirm when several are attached.
i = gdb.inferiors()[0]
def read_word(addr):
    """Return the little-endian unsigned 32-bit value stored at *addr*.

    The four bytes are fetched from the module-level inferior ``i``; any
    error raised by gdb for an unreadable address propagates to the caller.
    """
    raw = i.read_memory(addr, 4).tobytes()
    (value,) = struct.unpack('<I', raw)
    return value
def read_half(addr):
    """Return the little-endian unsigned 16-bit value stored at *addr*.

    The two bytes are fetched from the module-level inferior ``i``; any
    error raised by gdb for an unreadable address propagates to the caller.
    """
    raw = i.read_memory(addr, 2).tobytes()
    (value,) = struct.unpack('<H', raw)
    return value
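def read_unicode_string(addr):
    """Decode the counted UTF-16 string described by the structure at *addr*.

    The structure is read as a 16-bit byte length at ``addr`` and a 32-bit
    buffer pointer at ``addr + 4``, which is consistent with a 32-bit
    UNICODE_STRING (confirm for the target being debugged).

    Both fields come from target memory and may be corrupt. The length is a
    16-bit value, so a single call reads at most 65534 bytes.

    Returns the decoded text. Ill-formed UTF-16 (for example a lone
    surrogate) is replaced with U+FFFD rather than yielding a string that
    cannot be printed. Errors raised by gdb for unreadable memory propagate.
    """
    buffer_addr = read_word(addr + 4)
    byte_len = read_half(addr)
    # The length field counts bytes; ignore a trailing odd byte so that only
    # whole 16-bit code units are decoded.
    byte_len -= byte_len % 2
    if byte_len == 0:
        return ''
    # One bulk read instead of one debugger round-trip per character, decoded
    # as UTF-16 so that surrogate pairs become single characters.
    raw = i.read_memory(buffer_addr, byte_len).tobytes()
    return raw.decode('utf-16-le', errors='replace')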
def print_ent(p):
    """Print the image base (hex) and name of the module entry at *p*.

    The base is the 32-bit word at ``p + 24`` and the name is the counted
    string at ``p + 44``; these offsets look like DllBase and BaseDllName of
    a 32-bit loader data table entry -- confirm against the target's layout.
    The name is taken from target memory and printed unescaped.
    """
    dll_base_off, base_name_off = 24, 44
    image_base = read_word(p + dll_base_off)
    module_name = read_unicode_string(p + base_name_off)
    print(hex(image_base), module_name)
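# Address of the list head (PsLoadedModuleList, per the script's description)
# in the target's address space.
# NOTE(review): a hard-coded address is valid for one specific build only;
# re-derive it from symbols before using the script on another target.
list_head = 0x80131870

# Follow the forward link stored in the first word of each entry until the
# walk returns to the head. Only entries still linked into the list are
# visited, so the output is a view of the list, not proof of what is loaded.
p = read_word(list_head)
visited = set()
while p != list_head:
    # A damaged or altered list may cycle without ever reaching the head;
    # stop and say so instead of looping forever.
    if p in visited:
        print('module list revisits', hex(p),
              'without reaching the list head; stopping')
        break
    visited.add(p)
    try:
        print_ent(p)
        p = read_word(p)
    except Exception as exc:
        # Keep the best-effort behaviour of stopping at the first bad entry,
        # but report it so a truncated listing is not mistaken for a full one.
        print('module list walk stopped at', hex(p), ':', exc)
        break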