pykd使用

1.加載

.load pykd

!pycmd

!py XXXX.py

2.打印

.dprintln

.dprint格式
<b></b>
<i></i>
<u></u>
dprintln("<link cmd=\".reload /f\">reload</link>", True)

3. WinDBG命令
s = dbgCommand("!analyze -v")
dprint(s)

expr("@rax + 10")

4. 寄存器

import pykd
try:
    i = 0
    while True:
        r = pykd.reg(i)
        print "%s\t0x%x\t( %d )" % ( r.name(), r, r )
        i += 1

except pykd.BaseException:
    pass
或者

r = reg("eax")
print r / 10 * 234

5. 對於特定寄存器

>>> print findSymbol( rdmsr( 0x176 ) )
nt!KiFastCallEntry

6. 64位地址轉換

addr64

print pykd.addr64( 0x80000000 ):

7. 讀取字節，字，雙字

ptrByte( va )

ptrWord( va )

ptrDWord( va )

ptrQWord( va )

有符號

ptrSignByte( va )

ptrSignWord( va )

ptrSignDWord( va )

ptrSignQWord( va )

讀取到list

loadBytes( va, count )

loadWords( va, count )

loadDWords( va, count )

loadQWords( va, count )

loadSignBytes( va, count )

loadSignWords( va, count )

loadSignDWords( va, count )

loadSignQWords( va, count )

loadPtrs( va, count )

內存讀取出錯時，會raise MemoryException

8. 讀取字符串

loadChars( va, count )

loadWChars( va, count )

from struct import unpack
shortField1, shortField2, longField = unpack('hhl', loadChars( addr, 8 ) )

loadСStr( va )

loadWStr( va )

loadAnsiString

loadUnicodeString

9. module

from pykd import *
try
    ntdll = module( "ntdll" )
    print ntdll.name(), hex(ntdll.begin()), hex(ntdll.size()) 
except BaseException:
    print "module not found"

10. moudle的成員函數

name()

image()

pdb()

begin()

end()

checksum()

timestamp()

11. module的符號表

 nt = module("nt")

print hex( nt.offset("PsLoadedModuleList") )

print hex( nt.__getattr__("PsLoadedModuleList") )

print hex( nt.PsLoadedModuleList )

12. 結構體

nt = module("nt")

print nt.type("_MDL")

13. 按結構體顯示變量

nt = module("nt")

print nt.typedVar( "_LIST_ENTRY", nt.PsLoadedModuleList )

14.事件處理、 加載和卸載模塊

onLoadModule
onUnloadModule

 

15. 讀取到某個變量

from struct import unpack
shortField1, shortField2, longField = unpack('hhl', loadChars( addr, 8 ) )

 

16. 模塊中的變量

t1 = typedVar( "MyModule!MyVar" )
t2 = typedVar( "MyModule!MyType", addr )
ti = typeInfo( "MyModule!MyType" )
t3 = typedVar( ti, addr )

17. 枚舉變量中的每個字段(數組操作相同)

tv = typedVar( "structVar")
for fieldName, fieldValue in tv:
    print fieldName, fieldValue

18. local 變量

# print local variable "argc"
print getLocals()["argc"]

# print all local vairables in the current frame
for varName, varValue in  getLocals().items():
    print varName, varValue

 

19. 調試事件

onBreakpoint

onException

onLoadModule

onUnloadModule

 

20.ptrPtr # GetPointer of this symbol

21. containingRecord

objHeader = containingRecord( dirEntry.Object, "nt!_OBJECT_HEADER", "Body" )