Python module for I/O-space and physical-memory probing on Windows
Detailed description of the divination Python project
Overview
divination is a Python package that exposes a simple transactional interface to physical memory and I/O space on Windows (10+).
I/O and physical-memory regions are mapped into the user-mode process and read directly with the help of the pywin32 memory primitives.
The module requires a resident kernel-mode driver.
Features
- Reading PCI configuration space
- Reading MSRs (writing MSRs is currently unimplemented)
- Mapping and reading/writing from/to I/O regions
- Mapping and reading/writing from/to physical-memory regions (currently unimplemented)
Dependencies
- pywin32
Installation
Python module
The Python module is available from PyPI:
pip install divination
Kernel module
The required KMDF driver can be built by installing Visual Studio, the SDK and the WDK, and then running msbuild in the native/driver directory from a Visual Studio Developer Command Prompt.
Please do not (non-test-)sign this kernel module; we do not want to further enable attackers! Unless a restrictive Device Guard policy is in place, enabling test signing should be enough to let the driver load. Keep in mind that test-signing mode relaxes kernel driver signature enforcement for every driver on the machine, not just this one, so use a dedicated lab box and turn test signing back off when you are done:
bcdedit /set testsigning on ; shutdown -f -t 0 -r
Usage
Three classes are currently available: PciDevice, Msr and MemoryObject. An example of each follows.
PciDevice(bus, device, function)
>>> amd_lpc = PciDevice(0, 0x14, 3)  # LPC Bridge @ D14F3
>>> hexdump.hexdump(amd_lpc.read_cfg())
00000000: 22 10 0E 79 0F 00 20 02  51 00 01 06 00 00 80 00  "..y.. .Q.......
00000010: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000020: 00 00 00 00 00 00 00 00  00 00 00 00 62 14 37 7C  ............b.7|
00000030: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000040: 04 00 00 00 40 C0 03 20  07 FF 20 03 00 00 00 00  ....@.. .. .....
00000050: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000060: 00 00 00 00 40 16 00 0A  00 00 0F 00 00 FF FF FF  ....@...........
00000070: 67 45 23 00 08 00 00 00  90 02 00 00 07 0A 00 00  gE#.............
00000080: 08 00 03 A8 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000090: E0 03 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000000A0: 02 00 C1 FE 2F 01 00 00  00 00 00 00 00 00 00 00  ..../...........
000000B0: 00 00 00 00 00 00 00 00  04 00 E9 3F 00 00 00 00  ...........?....
000000C0: 00 00 00 00 00 00 00 00  00 00 00 80 00 00 F7 FF  ................
000000D0: 86 FF FD 08 42 00 00 00  00 00 00 00 00 00 00 00  ....B...........
000000E0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000000F0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
Msr(register)
>>> amd_hwcr = Msr(0xc0010015)
>>> hex(amd_hwcr.read())
'0x89000111'
MemoryObject(base, range, memtype, alloc=False)
>>> spi_bar = MemoryObject(0xfec10000, 0x100, MemoryType.IoSpace)
>>> hexdump.hexdump(spi_bar[0:])  # MemoryObjects are sliceable and can be read from + written to
00000000: 05 21 CC 4F 00 00 00 00  00 00 00 00 6A 00 00 02  .!.O........j...
00000010: 06 20 04 04 06 04 9F 05  03 0B 0A 02 FF 98 06 02  . ..............
00000020: 13 07 33 10 08 20 20 20  0C 14 06 0E C0 54 C0 14  ..3..   .....T..
00000030: C0 14 08 46 03 00 00 00  FC FC FC FC FC 88 00 00  ...F............
00000040: 3B 6B BB EB 00 05 00 00  01 00 00 02 02 00 06 00  ;k..............
00000050: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000060: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000070: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000080: 00 40 40 69 24 6A 4A 16  CA C5 EB 7B E2 95 09 4C  .@@i$jJ....{...L
00000090: C8 AD 4A FC CB 1D 83 A9  C4 82 C1 D9 7E 35 F9 27  ..J.........~5.'
000000A0: 92 8A 43 4B 78 D3 6B 04  9C B8 AF 79 8C 68 C6 E8  ..CKx.k....y.h..
000000B0: 2E 24 04 68 F4 97 2A CC  83 74 C9 E2 17 C0 5A C7  .$.h..*..t....Z.
000000C0: C7 C7 C7 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000000D0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000000E0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000000F0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
Contributing
As you can see, not all planned features are implemented yet; I will fill in the gaps as my own needs arise. Contributions are of course most welcome!