Python scripting for WinDbg: a quick introduction to PyKd

PyKd is a plugin for WinDbg that lets you run Python scripts from the debugger. It can be very helpful, e.g. for tracing and deobfuscation of obfuscated code. In this small tutorial I will demonstrate how to install it and make everything work.

Installation

Download and install the PyKd.dll

I assume that we already have WinDbg installed. First we need to download the PyKd DLL. Ready-made builds are available in the project’s repository:

https://githomelab.ru/pykd/pykd-ext/-/wikis/Downloads

The package contains two versions of the DLL: 32-bit and 64-bit. We need to use the version matching the bitness of our WinDbg installation (I assume 64-bit).

First we create a directory where we will store plugins for WinDbg, for example: “C:\windbg_ext”. We drop pykd.dll there.

Then we need to set the path to this directory in an environment variable (_NT_DEBUGGER_EXTENSION_PATH), so that WinDbg can find it.

Install Python and pykd Python library

We need to have Python installed, as well as Pip. I have chosen the latest Python installer from the official page.

Now let’s install Pip. A detailed guide on how to do it is presented here. I have chosen to download the script get-pip.py and run it with the previously installed Python. The installed pip (example):

The next step is to install the pykd Python library via Pip (from command prompt):

pip install pykd

Testing PyKd

If all the above steps succeeded, our PyKd is ready to be deployed. In order to test it, we will run WinDbg and attach to some process (e.g. notepad).

First, let’s load the PyKd extension:

.load pykd

If it is loaded, we can see its commands by using help:

!help

If we have multiple versions of Python installed, the latest one will be set as default, but it is still possible to switch between them.

Once the PyKd extension for WinDbg (PyKd.dll) is loaded, we can run the Python command prompt and check if the PyKd library for Python is available. We start the prompt with:

!py

Now we can issue:

import pykd

And test by issuing some WinDbg command via PyKd:

print(pykd.dbgCommand("<any WinDbg command>"))

Example:

The results of the command are printed with the help of Python’s print. After the test we can exit the console by issuing:

exit()

Running scripts

If we get the results as above, everything is installed and ready. Now, instead of typing the Python commands into the WinDbg command prompt, we can save them as a script, test.py, and run it by giving the path to the script. Example:

!py C:\pykd_scripts\test.py

We can also pass arguments to our script. Demo given below.

Content of the “test.py”:

import pykd
import sys

# arguments given after the script path on the !py line land in sys.argv
for i in range(1, len(sys.argv)):
    print('arg[', i, '] = ', sys.argv[i])

# run a WinDbg command and print its text output
print(pykd.dbgCommand("!teb"))

Execution:
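As an added example (not code from the original post), here is a script in the same spirit as test.py: it reads its arguments from sys.argv, runs !teb through pykd.dbgCommand and parses the stack bounds out of the text, so the result can be checked against a minimum given as the first argument. The debugger call is passed in as a parameter so the parsing can be exercised outside WinDbg; the sample !teb output below is constructed (field names follow the real command, the addresses are made up).

```python
import re
import sys

try:
    import pykd  # only available inside WinDbg after ".load pykd"
except ImportError:
    pykd = None

# Constructed sample of "!teb" output (addresses made up) so the parser can be
# exercised outside of WinDbg; the real output has the same field layout.
SAMPLE_TEB = """TEB at 000000c2b7f2b000
    ExceptionList:        0000000000000000
    StackBase:            000000c2b8000000
    StackLimit:           000000c2b7ff0000
    SubSystemTib:         0000000000000000
"""


def parse_teb(text):
    """Pull the TEB address, StackBase and StackLimit out of "!teb" output."""
    teb = re.search(r"TEB at ([0-9a-fA-F`]+)", text)
    base = re.search(r"StackBase:\s+([0-9a-fA-F`]+)", text)
    limit = re.search(r"StackLimit:\s+([0-9a-fA-F`]+)", text)
    if not (teb and base and limit):
        raise ValueError("unexpected !teb output")
    # WinDbg may print 64-bit values with a backtick separator, e.g. 000000c2`b8000000
    to_int = lambda s: int(s.replace("`", ""), 16)
    return {"teb": to_int(teb.group(1)),
            "stack_base": to_int(base.group(1)),
            "stack_limit": to_int(limit.group(1))}


def stack_report(argv, dbg_command):
    """argv: the arguments as given on the !py line; dbg_command: a callable that
    runs a WinDbg command and returns its text (pykd.dbgCommand inside WinDbg)."""
    for i in range(1, len(argv)):
        print('arg[', i, '] = ', argv[i])
    info = parse_teb(dbg_command("!teb"))
    info["stack_size"] = info["stack_base"] - info["stack_limit"]
    # optional first argument: minimum stack size (any int literal) to flag
    if len(argv) > 1:
        info["below_min"] = info["stack_size"] < int(argv[1], 0)
    return info


if __name__ == "__main__":
    run = pykd.dbgCommand if pykd else (lambda cmd: SAMPLE_TEB)
    for key, value in stack_report(sys.argv, run).items():
        print(key, value if isinstance(value, bool) else hex(value))
```

Inside WinDbg it is launched like test.py, e.g. `!py C:\pykd_scripts\stack_report.py 0x20000`; outside WinDbg it falls back to the constructed sample.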

About hasherezade

Programmer and researcher, interested in InfoSec.
This entry was posted in Tools, Tutorial.

3 Responses to Python scripting for WinDbg: a quick introduction to PyKd

  1. C.J. says:

    Hello! For some reason I called the “!py -g C:\Script.py 10 “String”” but when I get into the python script, I can’t seem to access/find the arguments. Can you provide an example of how that function would be executed and how you would access it? Thanks!

  2. Michael says:

    I have noticed the same thing – parameters are not passed correctly.
