用于windbg检查文件是否匹配的python脚本

checkfile.py


# -*- coding: utf-8 -*-
import sys
import os
from pykd import *
from ctypes import *


MAX_PATH = 260  # Size of FileInfoStruct.inputFileName; must equal MAX_PATH on the DLL side.
FILE_PATH = 'C:\\Program Files (x86)\\'  # Directory the files in file_list are presumably expected in on disk.


# Placeholder entries.  Each name is passed verbatim to the debugger's
# `lmvm` command (see GetFileInfoInDump); presumably it is also meant to
# name the file on disk that the DLL inspects -- confirm against checkfile().
file_list = ['filename1',
             'filename2']


class FileInfoStruct(Structure):
    """In/out record exchanged with GetFileCheckSumAndImageSize.dll.

    Mirrors the C++ ``struct FileInfoStruct``: three fixed-size ``char``
    arrays and nothing else, so there is no padding to worry about on
    either side.  The caller fills ``inputFileName``; the DLL writes the
    two ``"%08X"`` strings back.
    """

    _fields_ = [
        ("inputFileName", c_char * MAX_PATH),   # NUL-terminated path read by the DLL
        ("outputFileCheckSum", c_char * 100),   # PE header checksum, 8 hex digits
        ("outputFileImageSize", c_char * 100),  # image size, 8 hex digits
    ]
    
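def GetFileInfoInDump(file, run_command=None):
    """Return the CheckSum and ImageSize the debugger reports for *file*.

    Runs ``lmvm <file>`` and parses the ``CheckSum:`` and ``ImageSize:``
    lines of its output.

    Args:
        file: module name as understood by ``lmvm``.
        run_command: optional callable taking the command string and
            returning its text output; defaults to pykd's ``dbgCommand``.
            Existing one-argument callers are unaffected.

    Returns:
        The two 8-character hex strings concatenated, checksum first
        (checkfile() slices them apart at a fixed width).  ``''`` when the
        module is unknown or either line is missing: a partial result would
        make that fixed-width slicing read the same value for both fields.
    """
    if run_command is None:
        run_command = dbgCommand
    output = run_command('lmvm ' + file)
    check_sum, image_size = _parse_lmvm_output(output)
    if not check_sum or not image_size:
        return ''
    return check_sum + image_size


def _parse_lmvm_output(text):
    """Extract ``(checksum, imagesize)`` from ``lmvm`` output; ``''`` for a missing field."""
    check_sum = ''
    image_size = ''
    # splitlines() also drops a trailing '\r', which split('\n') would have
    # left inside the 8-character tail taken below.
    for line in text.splitlines():
        # Remove every run of whitespace (tabs included) so the value is the
        # text immediately following the label.
        compact = ''.join(line.split())
        if 'CheckSum:' in compact:
            # WinDbg prints both fields as 8 hex digits; keep that width,
            # which is what the caller's slicing assumes.
            check_sum = compact.split('CheckSum:', 1)[1][-8:]
        elif 'ImageSize:' in compact:
            image_size = compact.split('ImageSize:', 1)[1][-8:]
    return check_sum, image_size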


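def checkfile():
    """Compare every module in file_list between the dump and the file on disk.

    For each entry the ``lmvm`` CheckSum/ImageSize reported by the debugger
    is compared with the values the helper DLL reads from the file's PE
    header, and a line is printed through pykd's dprintln() for every
    mismatch.  Entries missing on disk are reported and skipped; entries the
    debugger does not know are skipped silently.
    """
    # NOTE: a bare name resolves through the DLL search order of the debugger
    # process; keep the DLL next to this script or give its full path here.
    dll = cdll.LoadLibrary('GetFileCheckSumAndImageSize.dll')

    for file in file_list:
        # The original never assigned inputFileName, so os.path.exists() was
        # always evaluated on an empty string and every entry was reported
        # as missing.  FILE_PATH is the obvious intended directory; TODO
        # confirm that the lmvm module name is also the on-disk file name.
        path = os.path.join(FILE_PATH, file)
        if not os.path.exists(path):
            dprintln(path + ' file does not exist in disk!')
            continue

        dumpFileInfo = GetFileInfoInDump(file)
        dumpCheckSum = dumpFileInfo[0:8]
        dumpImageSize = dumpFileInfo[-8:]
        if dumpCheckSum == '' and dumpImageSize == '':
            # Module not present in the dump: nothing to compare against.
            continue

        cpath = _as_cstring(path)
        # The DLL copies inputFileName with strcpy_s, which needs room for
        # the terminating NUL.
        if len(cpath) >= MAX_PATH:
            dprintln(path + ' path is too long for the DLL buffer!')
            continue

        # Fresh struct per file: on failure the DLL only rewrites
        # outputFileCheckSum, so a reused instance would carry the previous
        # file's outputFileImageSize into this comparison.
        pStruct = FileInfoStruct()
        pStruct.inputFileName = cpath
        dll.GetFileCheckSumAndImageSize(byref(pStruct))
        fileCheckSum = _as_text(pStruct.outputFileCheckSum)

        if dumpCheckSum == '00000000' and fileCheckSum == '00000000':
            # A zero header checksum carries no information; fall back to
            # the image size as the comparison key.
            fileImageSize = _as_text(pStruct.outputFileImageSize)
            if dumpImageSize != fileImageSize:
                dprintln(file + ' CheckSum zero, ImageSize different - ' +
                         'Dump: ' + dumpImageSize + ' ' +
                         'File: ' + fileImageSize)
        elif dumpCheckSum != fileCheckSum:
            dprintln(file + ' CheckSum different - ' +
                     'Dump: ' + dumpCheckSum + ' ' +
                     'File: ' + fileCheckSum)


def _as_cstring(path):
    """Return *path* as the byte string a ``c_char`` array field accepts.

    On Python 2 ``str`` already is ``bytes`` and is returned unchanged; on
    Python 3 the text is encoded with the ANSI code page because the DLL
    opens the file with CreateFileA.
    """
    if isinstance(path, bytes):
        return path
    return path.encode('mbcs')


def _as_text(value):
    """Return a ``c_char`` array value as ``str`` so it compares with lmvm text.

    ctypes hands back ``bytes`` on Python 3, which would never compare equal
    to the ``str`` parsed from the debugger output.
    """
    if isinstance(value, str):
        return value
    return value.decode('ascii', 'replace')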
def main(argv):
    """Script entry point.

    *argv* is accepted to keep the usual ``main(sys.argv)`` shape but is not
    consulted; all the work happens in checkfile().
    """
    return checkfile()


# Entry guard: sys.argv is forwarded to main(), which currently ignores it.
if __name__ == '__main__':
    main(sys.argv)




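// Reads the header checksum and SizeOfImage of the PE file at szFilename.
//
// Returns TRUE and stores the optional header's CheckSum in
// dwExistingChecksum and its SizeOfImage in dwSize.  Returns FALSE, leaving
// both outputs untouched, when the file cannot be opened or mapped, is empty
// or larger than 4 GB, or is not a valid PE image.
//
// Never throws: the only caller is the extern "C" export, and a C++
// exception must not cross that boundary into the ctypes caller (the
// original threw GetLastError() when CreateFileA failed).
//
// The size comes from the header rather than GetFileSizeEx because the
// Python side compares it with the ImageSize that "lmvm" prints, which is
// the module's in-memory extent (SizeOfImage), not the length of the file.
BOOL __GetFileCheckSumAndImageSize( const char* szFilename,
                                    DWORD32& dwExistingChecksum,
                                    DWORD32& dwSize )
{
    BOOL bResult = FALSE;
    HANDLE hFile = INVALID_HANDLE_VALUE;
    HANDLE hFileMapping = NULL;
    PVOID pBaseAddress = NULL;
    DWORD dwFileLength = 0;
    DWORD dwHeaderSum = 0;   // Checksum as stated by the header
    DWORD dwCheckSum = 0;    // Checksum computed over the mapped file
    LARGE_INTEGER liSize;
    PIMAGE_NT_HEADERS pNTHeaders = NULL;

    if ( NULL == szFilename )
    {
        return FALSE;
    }

    liSize.QuadPart = 0;

    // Single exit: every failure breaks out to the cleanup below, so no
    // handle or view is leaked (the original returned early without closing
    // hFile, and never closed hFileMapping at all).
    do
    {
        hFile = CreateFileA( szFilename, GENERIC_READ, FILE_SHARE_READ,
                             NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0 );
        if ( INVALID_HANDLE_VALUE == hFile )
        {
            break;
        }

        // An empty file cannot be mapped, and CheckSumMappedFile takes a
        // DWORD length, so anything with a non-zero HighPart is rejected.
        if ( FALSE == GetFileSizeEx( hFile, &liSize ) ||
             0 != liSize.HighPart || 0 == liSize.LowPart )
        {
            break;
        }
        dwFileLength = liSize.LowPart;

        hFileMapping = CreateFileMapping( hFile, NULL, PAGE_READONLY, 0, 0, NULL );
        if ( NULL == hFileMapping )
        {
            break;
        }

        pBaseAddress = MapViewOfFile( hFileMapping, FILE_MAP_READ, 0, 0, 0 );
        if ( NULL == pBaseAddress )
        {
            break;
        }

        // Validates the headers as a side effect: NULL means the mapping is
        // not a PE image, which the original still reported as success.
        pNTHeaders = CheckSumMappedFile( pBaseAddress, dwFileLength,
                                         &dwHeaderSum, &dwCheckSum );
        if ( NULL == pNTHeaders )
        {
            break;
        }

        dwExistingChecksum = dwHeaderSum;
        // The computed dwCheckSum is not surfaced by this interface; a
        // mismatch between it and dwHeaderSum would indicate a modified or
        // unsigned-checksum image.
        // SizeOfImage sits at the same offset in the PE32 and PE32+ optional
        // headers, so the read is correct whichever kind of image was mapped.
        dwSize = pNTHeaders->OptionalHeader.SizeOfImage;
        bResult = TRUE;
    } while ( FALSE );

    if ( NULL != pBaseAddress )
    {
        UnmapViewOfFile( pBaseAddress );
    }
    if ( NULL != hFileMapping )
    {
        CloseHandle( hFileMapping );
    }
    if ( INVALID_HANDLE_VALUE != hFile )
    {
        CloseHandle( hFile );
    }

    return bResult;
}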


// Exchange record shared with the Python caller (ctypes FileInfoStruct).
// Three fixed-size char arrays and nothing else, so both sides agree on the
// layout as long as MAX_PATH matches (the script defines it as 260).
struct FileInfoStruct
{
    char inputFileName[MAX_PATH];      // in:  NUL-terminated ANSI path of the file to inspect
    char outputFileCheckSum[100];      // out: "%08X" header checksum, or "XXXXXXXX" on failure
    char outputFileImageSize[100];     // out: "%08X" image size (not rewritten on failure)
};


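extern "C"
{

// Exported entry point called from Python through ctypes.
//
// Reads pStruct->inputFileName and writes the header checksum and image size
// as 8-digit upper-case hex strings into outputFileCheckSum and
// outputFileImageSize.  On any failure both output fields are set to
// "XXXXXXXX" (the original rewrote only the checksum, so a reused struct
// carried the previous file's image size).  A NULL pStruct is ignored.
//
// C++ exceptions from the helper are caught here: the caller is not C++
// and an exception escaping this function would take the process down.
__declspec(dllexport) void CDECL GetFileCheckSumAndImageSize(FileInfoStruct* pStruct)
{
    if ( NULL == pStruct )
    {
        return;
    }

    BOOL bOk = FALSE;
    DWORD32 dwExistingChecksum = 0;
    DWORD32 dwSize = 0;

    // ctypes may fill the whole array without a terminating NUL; strcpy_s
    // on such a buffer would invoke the invalid parameter handler instead
    // of returning, so reject an unterminated name up front.
    if ( strnlen( pStruct->inputFileName, sizeof(pStruct->inputFileName) )
         < sizeof(pStruct->inputFileName) )
    {
        try
        {
            bOk = __GetFileCheckSumAndImageSize( pStruct->inputFileName,
                                                 dwExistingChecksum, dwSize );
        }
        catch ( ... )
        {
            bOk = FALSE;
        }
    }

    if ( bOk )
    {
        sprintf_s( pStruct->outputFileCheckSum, sizeof(pStruct->outputFileCheckSum),
                   "%08X", dwExistingChecksum );
        sprintf_s( pStruct->outputFileImageSize, sizeof(pStruct->outputFileImageSize),
                   "%08X", dwSize );
    }
    else
    {
        strcpy_s( pStruct->outputFileCheckSum, sizeof(pStruct->outputFileCheckSum), "XXXXXXXX" );
        strcpy_s( pStruct->outputFileImageSize, sizeof(pStruct->outputFileImageSize), "XXXXXXXX" );
    }
}

} // extern "C"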
