Tags: python, windbg, pykd

How to get the original file name of a module in PyKD?


I have a module in PyKD:

>>> print module("rundll32")
Module: rundll32
Start: 7f0000 End: 7fe000 Size: e000
Image: C:\Windows\SysWOW64\rundll32.exe
Symbols: e:\debug\symbols\rundll32.pdb\EFAE0C870C2846EDB63B9A7274CD50422\rundll32.pdb
Timestamp: 4a5bc637
Check Sum: 11cf2

With that information given, how can I find out more about the module, similar to the lm vm <module> command of WinDbg?

start    end        module name
007f0000 007fe000   rundll32   (deferred)             
    Image path: C:\Windows\SysWOW64\rundll32.exe
    Image name: rundll32.exe
    Timestamp:        Tue Jul 14 01:41:43 2009 (4A5BC637)
    CheckSum:         00011CF2
    ImageSize:        0000E000
    File version:     6.1.7600.16385
    Product version:  6.1.7600.16385
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     rundll
    OriginalFilename: RUNDLL32.EXE
    ProductVersion:   6.1.7600.16385
    FileVersion:      6.1.7600.16385 (win7_rtm.090713-1255)
    FileDescription:  Windows host process (Rundll32)
    LegalCopyright:   © Microsoft Corporation. All rights reserved.

In particular, I'd like to get the "OriginalFilename".


Solution

  • Most of that information is stored in the module's version resource information. You can access the version resource with the queryVersion() method. It takes a string parameter to specify the resource, e.g.

    >>> m = module("rundll32")
    >>> m.queryVersion("LegalCopyright")
    '\xa9 Microsoft Corporation. All rights reserved.'

    Note how the parameter needn't be a version number, so the method name queryVersion() is a bit misleading.

    Parameters:

    • CompanyName
    • InternalName
    • ProductName
    • OriginalFilename
    • ProductVersion
    • FileVersion
    • FileDescription
    • LegalCopyright

    Other information present in lm vm:

    • Start: hex(m.begin())
    • End: hex(m.end())
    • Name: m.name()
    • File flags: m.getFixedFileInfo().FileFlags
    • Checksum: hex(m.checksum())
    • Timestamp: hex(m.timestamp())
    • File OS: hex(m.getFixedFileInfo().FileOS)
    • File Type: hex(m.getFixedFileInfo().FileType)
    • File Date: "%08X.%08X" % (m.getFixedFileInfo().FileDateLS, m.getFixedFileInfo().FileDateMS)
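Putting the methods from the answer together, the following is an added example (not code from the question, the answer, or the PyKD project) that collects the `lm vm`-style fields of a module into a dict; it assumes the `pykd.module` methods named above, and `_FakeModule` is a constructed stand-in carrying the question's rundll32 values so the script also runs outside WinDbg.

```python
from datetime import datetime, timezone

VERSION_KEYS = ("CompanyName", "InternalName", "ProductName", "OriginalFilename",
                "ProductVersion", "FileVersion", "FileDescription", "LegalCopyright")

def module_info(m):
    """Collect the lm vm-style fields of a PyKD module object into a dict."""
    ffi = m.getFixedFileInfo()
    ts = m.timestamp()  # PE link timestamp, seconds since the Unix epoch
    when = datetime.fromtimestamp(ts, timezone.utc).strftime("%a %b %d %H:%M:%S %Y")
    info = {
        "Name": m.name(),
        "Start": "%08x" % m.begin(),
        "End": "%08x" % m.end(),
        "ImageSize": "%08X" % (m.end() - m.begin()),
        "Timestamp": "%s (%08X)" % (when, ts),  # WinDbg prints local time; this is UTC
        "CheckSum": "%08X" % m.checksum(),
        "File flags": "%x" % ffi.FileFlags,
        "File OS": "%x" % ffi.FileOS,
        "File type": "%x" % ffi.FileType,
    }
    for key in VERSION_KEYS:
        try:
            info[key] = m.queryVersion(key)
        except Exception:  # assumption: a string missing from the resource raises
            info[key] = None
    return info

class _FixedFileInfo:  # constructed stand-in for getFixedFileInfo() of the question's rundll32
    FileFlags, FileOS, FileType = 0x0, 0x40004, 0x1

class _FakeModule:
    """Constructed stand-in mimicking the PyKD module API, with the question's values."""
    _strings = {"CompanyName": "Microsoft Corporation", "InternalName": "rundll",
                "OriginalFilename": "RUNDLL32.EXE",
                "FileVersion": "6.1.7600.16385 (win7_rtm.090713-1255)",
                "LegalCopyright": "\xa9 Microsoft Corporation. All rights reserved."}
    def name(self): return "rundll32"
    def begin(self): return 0x7f0000
    def end(self): return 0x7fe000
    def checksum(self): return 0x11cf2
    def timestamp(self): return 0x4a5bc637
    def getFixedFileInfo(self): return _FixedFileInfo()
    def queryVersion(self, key): return self._strings[key]  # KeyError when absent

def get_module(name):
    try:  # real PyKD when run inside WinDbg, the stand-in elsewhere
        import pykd
        return pykd.module(name)
    except ImportError:
        return _FakeModule()
```

Inside WinDbg, `module_info(get_module("rundll32"))["OriginalFilename"]` returns the value the question asks for; strings absent from the version resource come back as `None` instead of aborting the whole dump.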