windbg-doublepulsar-detection-script

windbg_detect_doublepulsar_smb.py

#!/usr/bin/env python
# coding: utf-8
import pykd
for i in pykd.dbgCommand('dps srv!SrvTransaction2DispatchTable').split('\n'):
    if len(i) > 0 and '00000000' not in i and 'srv!' not in i: # addr addr symbol
            print 'Doublepulsar hook detected: ' + i