PyKd is a plugin for WinDbg that lets you run Python scripts inside the debugger. It can be very helpful, e.g. for tracing and deobfuscating obfuscated code. In this small tutorial I will demonstrate how to install it and make everything work.
Download and install the PyKd.dll
I assume that we already have WinDbg installed. First we need to download the PyKd DLL. Ready-made builds are available in the project’s repository:
The package contains two versions of the DLL: 32-bit and 64-bit. We need to use the version matching the bitness of our WinDbg installation (I assume 64-bit).
First we create a directory where we will store plugins for WinDbg, for example “C:\windbg_ext”, and drop pykd.dll there.
Then we need to put the path to this directory in the environment variable _NT_DEBUGGER_EXTENSION_PATH, so that WinDbg can find the extension.
Install Python and pykd Python library
We need to have Python installed, as well as Pip. I have chosen the latest Python installer from the official page.
The next step is to install the pykd Python library via Pip (from command prompt):
pip install pykd
If all the above steps succeeded, our PyKd is ready to be deployed. In order to test it, we will run WinDbg and attach to some process (e.g. notepad).
First, let’s load the PyKd extension:
If it is loaded, we can see its commands by using help:
If we have multiple versions of Python installed, the latest one will be set as the default, but it is still possible to switch between them.
Once the PyKd extension for WinDbg (PyKd.dll) is loaded, we can run the Python command prompt and check if the PyKd library for Python is available. We run the prompt by:
Now we can issue:
And test by issuing some WinDbg command via PyKd:
print(pykd.dbgCommand("<any WinDbg command>"))
The results of the command are returned as a string and printed with the help of Python’s print. After the test we can exit the console by issuing:
If we get the results as above, everything is installed and ready. Now, instead of running the Python commands from the WinDbg command prompt, we can save them as a script, e.g. test.py, and run it by giving the path to the script. Example:
We can also pass arguments to our script. Demo given below.
Content of the “test.py”:
import pykd
import sys

# sys.argv[0] is the script path; the remaining entries are the arguments
# passed after the script path on the WinDbg command line.
for i in range(1, len(sys.argv)):
    print('arg[', i, '] = ', sys.argv[i])

# Run a WinDbg command via PyKd and print its output.
print(pykd.dbgCommand("!teb"))
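Going one step beyond printing raw command output, the usual pattern in a PyKd script is to run a WinDbg command with pykd.dbgCommand and post-process its text in Python. The script below is an added example, not code from the original post or the PyKd project: it runs the WinDbg "lm" command, parses the module list into (name, start, end) tuples, and filters it by a name fragment passed as a script argument, the same argument mechanism as test.py above. The "lm" output embedded in SAMPLE_LM is constructed sample data so that the parsing part runs outside WinDbg; the script name modules.py and the directory C:\windbg_ext are assumptions.

```python
"""
Added example (not from the original post): run "lm" through pykd.dbgCommand,
parse the module list in Python and optionally filter it by a name fragment
given as a script argument.

Usage inside WinDbg, after the PyKd extension is loaded (paths are assumptions):
    !py C:\\windbg_ext\\modules.py          -> every loaded module
    !py C:\\windbg_ext\\modules.py ntdll    -> only modules whose name contains "ntdll"
"""
import re
import sys

try:
    import pykd          # available only inside WinDbg with the PyKd extension loaded
except ImportError:
    pykd = None          # lets the parsing part run (and be tested) outside the debugger

# One "lm" line: start address, end address, module name, then symbol status etc.
# 64-bit WinDbg prints addresses with a backtick in the middle (00007ff6`1a2b0000);
# 32-bit addresses without the backtick match as well.
_LM_LINE = re.compile(r"^\s*([0-9a-fA-F`]+)\s+([0-9a-fA-F`]+)\s+(\S+)")


def parse_lm(text):
    """Turn raw "lm" output into a list of (name, start, end) tuples."""
    modules = []
    for line in text.splitlines():
        m = _LM_LINE.match(line)
        if not m:            # header line ("start ... end ... module name") and blanks
            continue
        start = int(m.group(1).replace("`", ""), 16)
        end = int(m.group(2).replace("`", ""), 16)
        modules.append((m.group(3), start, end))
    return modules


def filter_modules(modules, name_part=None):
    """Keep only the modules whose name contains name_part (case-insensitive)."""
    if not name_part:
        return list(modules)
    return [m for m in modules if name_part.lower() in m[0].lower()]


def module_report(modules):
    """Format the modules as one 'name  start-end  size' line each."""
    return "\n".join("%-12s %016x-%016x %10d bytes" % (n, s, e, e - s)
                     for n, s, e in modules)


# Constructed sample of "lm" output, used only when running outside WinDbg.
SAMPLE_LM = """\
start             end                 module name
00007ff6`1a2b0000 00007ff6`1a2f3000   notepad    (deferred)
00007ffc`5c4d0000 00007ffc`5c6c4000   ntdll      (pdb symbols)
00007ffc`5a9e0000 00007ffc`5aa9d000   KERNEL32   (deferred)
"""


def main(argv):
    """argv[0] is the script path; an optional argv[1] is the name filter."""
    name_part = argv[1] if len(argv) > 1 else None
    if pykd is not None:
        raw = pykd.dbgCommand("lm")     # real debugger output when run via !py
    else:
        raw = SAMPLE_LM                 # offline fallback on the constructed sample
    mods = filter_modules(parse_lm(raw), name_part)
    print(module_report(mods))
    return mods


if __name__ == "__main__":
    main(sys.argv)
```

Inside WinDbg the import of pykd succeeds and "lm" is answered by the live debuggee; outside it the script falls back to the constructed sample, which keeps the parser testable without a debugger attached.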