PyKd is a plugin for WinDbg that allows running Python scripts inside the debugger. It can be very helpful, e.g. for tracing and deobfuscation of obfuscated code. In this small tutorial I will demonstrate how to install it and make everything work.
Installation
Download and install the PyKd.dll
I assume that we already have WinDbg installed. First we need to download the PyKd DLL. Ready-made builds are available in the project’s repository:
https://githomelab.ru/pykd/pykd-ext/-/wikis/Downloads
The package contains two versions of the DLL: 32-bit and 64-bit. We need to use the version appropriate to the bitness of our WinDbg installation (I assume 64-bit).
First we create a directory where we will store plugins for WinDbg, for example “C:\windbg_ext”. We drop the pykd.dll there.

Then we need to set the path to this directory in an environment variable (_NT_DEBUGGER_EXTENSION_PATH), so that WinDbg can find it.

Install Python and pykd Python library
We need to have Python installed, as well as pip. I have chosen the latest Python installer from the official page.
Now let’s install pip. The detailed guide on how to do it is presented here. I have chosen to download the script get-pip.py and run it with the previously installed Python. The installed pip (example):

The next step is to install the pykd Python library via pip (from the command prompt):
pip install pykd
Testing PyKd
If all the above steps succeeded, our PyKd is ready to be deployed. In order to test it, we will run WinDbg and attach to some process (e.g. notepad).
First, let’s load the PyKd extension:
.load pykd

If it is loaded, we can see its commands by using help:
!help

If we have multiple versions of Python installed, the latest one will be set as the default, but it is still possible to switch between them.
Once the PyKd extension for WinDbg (PyKd.dll) is loaded, we can run the Python command prompt and check if the PyKd library for Python is available. We run the prompt by:
!py

Now we can issue:
import pykd
And test it by issuing some WinDbg command via PyKd:
print(pykd.dbgCommand("<any WinDbg command>"))
Example:

The results of the command are printed with the help of Python’s print. After the test we can exit the console by issuing:
exit()
Running scripts
If we get the results as above, everything is installed and ready. Now, instead of running the Python commands from the WinDbg command prompt, we can save them as a script (test.py) and run it by giving the path to the script. Example:
!py C:\pykd_scripts\test.py
We can also pass arguments to our script. Demo given below.
Content of the “test.py”:
import pykd
import sys
# Arguments passed after the script path on the !py command line land in sys.argv
for i in range(1, len(sys.argv)):
    print('arg[', i, '] = ', sys.argv[i])
# Run a WinDbg command and print its textual output
print(pykd.dbgCommand("!teb"))
Execution:

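The two things the tutorial exercises above, running a WinDbg command through pykd.dbgCommand and reading script arguments from sys.argv, are rarely the whole job: the output of a command is plain text that a script usually has to parse. The following script is an added example (not part of the original post or of the PyKd project) that runs !teb, optionally for a TEB address passed as the first script argument, parses the "Name: hexvalue" lines into a dictionary, and reports the stack region of the thread. The !teb sample text embedded below is constructed to resemble the command's output so the parsing part can run outside WinDbg; the field names and address values in it are assumptions, and the fallback is only taken when the pykd module is not importable (i.e. when not running under !py).

```python
import re
import sys

try:
    import pykd  # available only inside WinDbg with the PyKd extension loaded
except ImportError:
    pykd = None

# Constructed sample of !teb output (addresses are made up); used only when
# the script is run outside WinDbg so that the parser can be exercised offline.
SAMPLE_TEB = """TEB at 000000c4c7c0d000
    ExceptionList:        0000000000000000
    StackBase:            000000c4c7e00000
    StackLimit:           000000c4c7dfa000
    SubSystemTib:         0000000000000000
    FiberData:            0000000000001e00
    ArbitraryUserPointer: 0000000000000000
    Self:                 000000c4c7c0d000
    EnvironmentPointer:   0000000000000000
    ClientId:             00000000000018a4 . 0000000000001a10
    RpcHandle:            0000000000000000
    Tls Storage:          000001d2f3e40b40
    PEB Address:          000000c4c7c0c000
    LastErrorValue:       0
    LastStatusValue:      c0000034
    Count Owned Locks:    0
    HardErrorMode:        0
"""

# "Name: hexvalue" lines; names may contain spaces (e.g. "Tls Storage")
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s+([0-9a-fA-F]+)\s*$")
TEB_ADDR_RE = re.compile(r"^TEB at ([0-9a-fA-F]+)")


def parse_teb(text):
    """Parse !teb output into a dict of field name -> integer value.

    Lines that do not have a single hex value (e.g. ClientId, which holds
    two values separated by ' . ') are skipped rather than mis-parsed.
    """
    fields = {}
    for line in text.splitlines():
        m = TEB_ADDR_RE.match(line)
        if m:
            fields["TebAddress"] = int(m.group(1), 16)
            continue
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = int(m.group(2), 16)
    return fields


def stack_region(fields):
    """Return the thread's stack bounds and committed/reserved size in bytes."""
    base = fields["StackBase"]
    limit = fields["StackLimit"]
    return {"base": base, "limit": limit, "size": base - limit}


def get_teb_text(teb_address=None):
    """Run !teb (for an optional TEB address) via PyKd, or use the sample offline."""
    if pykd is None:
        return SAMPLE_TEB
    cmd = "!teb" if teb_address is None else "!teb %s" % teb_address
    return pykd.dbgCommand(cmd)


def main(argv):
    # First script argument (if any) is taken as the TEB address to inspect
    teb_address = argv[1] if len(argv) > 1 else None
    fields = parse_teb(get_teb_text(teb_address))
    region = stack_region(fields)
    print("TEB at 0x%x" % fields.get("TebAddress", 0))
    print("stack: 0x%x - 0x%x (%d bytes)" % (region["limit"], region["base"], region["size"]))
    return region


if __name__ == "__main__":
    main(sys.argv)
```

Inside WinDbg this is run as "!py C:\pykd_scripts\teb_stack.py" (or with a TEB address as the first argument); the same file runs from a normal Python prompt against the embedded sample, which is a convenient way to debug the parsing logic before loading the script into the debugger.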
Hello! For some reason I called the “!py -g C:\Script.py 10 “String”” but when I get into the python script, I can’t seem to access/find the arguments. Can you provide an example of how that function would be executed and how you would access it? Thanks!
I have noticed the same thing – parameters are not passed correctly.
Hi, I added an example, please let me know if it works for you.
https://githomelab.ru/pykd/pykd-ext/-/wikis/Downloads is not working, does the website stop?
I checked it and it works for me, maybe it was a temporary outage
502 Bad Gateway, it is still not accessible.