pykd使用

1.加载
.load pykd
!pycmd
!py XXXX.py
 
2.打印
.dprintln
.dprint格式
<b></b>
<i></i>
<u></u>
# DML output: the <link cmd="..."> element runs the quoted debugger command when
# clicked; the trailing True presumably enables DML parsing for this call — confirm
# against the pykd docs. Because the markup is interpreted, text read back from the
# target (e.g. a loadCStr result) should not be echoed through dprintln with DML
# enabled unescaped, or any markup inside it would be interpreted the same way.
dprintln("<link cmd=\".reload /f\">reload</link>", True)
 
3. WinDBG命令
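# Run a WinDbg command and capture its text output instead of letting it go
# straight to the console; dprint() then echoes the captured text.
# (The original had both statements on one line, which is a syntax error.)
s = dbgCommand("!analyze -v")
dprint(s)
# Evaluate a debugger expression. The literal 10 is read in the debugger's
# current radix (hexadecimal by default in WinDbg), so it is not necessarily
# decimal ten.
expr("@rax + 10")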
 
4. 寄存器

import pykd

# Dump every register of the current frame. pykd.reg() accepts a register
# index; the snippet walks indices upward and relies on pykd raising its own
# exception class once the index runs past the last register — presumably
# that is the only way the loop ends, so the except branch is the normal exit.
idx = 0
try:
    while True:
        current = pykd.reg(idx)
        print("%s\t0x%x\t( %d )" % (current.name(), current, current))
        idx += 1
except pykd.BaseException:
    # pykd.BaseException is pykd's class, not the builtin BaseException.
    pass
或者

# Registers can also be fetched by name; the returned object takes part in
# ordinary integer arithmetic.
eax = reg("eax")
scaled = eax / 10 * 234
print(scaled)
 
5. 对于特定寄存器
>>> print findSymbol( rdmsr( 0x176 ) )
nt!KiFastCallEntry
 
6. 64位地址转换
addr64
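# Normalize a 32-bit address to its 64-bit form. 0x80000000 lies in the
# kernel range on 32-bit Windows, where the extension to 64 bits matters —
# confirm the exact rule against the pykd docs.
# (The original line ended in a stray colon, which is a syntax error.)
print(pykd.addr64(0x80000000))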
 
7. 读取字节,字,双字
ptrByte( va )
ptrWord( va )
ptrDWord( va )
ptrQWord( va )
有符号
ptrSignByte( va )
ptrSignWord( va )
ptrSignDWord( va )
ptrSignQWord( va )
读取到list
loadBytes( va, count )
loadWords( va, count )
loadDWords( va, count )
loadQWords( va, count )
loadSignBytes( va, count )
loadSignWords( va, count )
loadSignDWords( va, count )
loadSignQWords( va, count )
loadPtrs( va, count )
 
内存读取出错时,会raise MemoryException
 
8. 读取字符串
loadChars( va, count )
loadWChars( va, count )
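from struct import unpack

# Reinterpret 8 raw bytes read from the target as two shorts and a long.
# The explicit '<' prefix selects little-endian standard sizes (2+2+4 = 8 bytes,
# no alignment padding), so the byte count passed to loadChars() always matches
# the format. A bare 'hhl' uses native sizes and alignment, which is 8 bytes on
# Windows but 16 on LP64 hosts. `addr` is a placeholder for the target address.
shortField1, shortField2, longField = unpack('<hhl', loadChars(addr, 8))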
loadCStr( va )
loadWStr( va )
loadAnsiString
loadUnicodeString
 
9. module
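from pykd import *

# Look up a loaded module by name and print its name, base and size.
# (The original `try` line was missing its colon.)
try:
    ntdll = module("ntdll")
    print("%s %s %s" % (ntdll.name(), hex(ntdll.begin()), hex(ntdll.size())))
except BaseException:
    # After `from pykd import *` this is presumably pykd's own exception class
    # (the notes elsewhere refer to pykd.BaseException), raised when the module
    # is not loaded. If the star import did not rebind the name, the builtin
    # BaseException would also swallow KeyboardInterrupt/SystemExit here.
    print("module not found")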
 
10. module的成员函数
name()
image()
pdb()
begin()
end()
checksum()
timestamp()
 
11. module的符号表
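nt = module("nt")

# Three equivalent ways to resolve a symbol's address inside a module.
# (The original first line carried a leading space, an IndentationError at
# top level; the direct __getattr__ call is spelled with the getattr builtin.)
print(hex(nt.offset("PsLoadedModuleList")))
print(hex(getattr(nt, "PsLoadedModuleList")))
print(hex(nt.PsLoadedModuleList))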
 
12. 结构体
# Print the layout of a type found in the module's symbols.
kernel = module("nt")
print(kernel.type("_MDL"))
 
13. 按结构体显示变量
# View the memory at a symbol's address through a named type.
kernel = module("nt")
list_head = kernel.typedVar("_LIST_ENTRY", kernel.PsLoadedModuleList)
print(list_head)
 
14. 事件处理：加载和卸载模块

onLoadModule
onUnloadModule

 

15. 读取到某个变量

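from struct import unpack

# Reinterpret 8 raw bytes read from the target as two shorts and a long.
# The explicit '<' prefix selects little-endian standard sizes (2+2+4 = 8 bytes,
# no alignment padding), so the byte count passed to loadChars() always matches
# the format. A bare 'hhl' uses native sizes and alignment, which is 8 bytes on
# Windows but 16 on LP64 hosts. `addr` is a placeholder for the target address.
shortField1, shortField2, longField = unpack('<hhl', loadChars(addr, 8))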

 

16. 模块中的变量

# Typed views of target memory, resolved three different ways.
by_symbol = typedVar("MyModule!MyVar")            # address taken from the symbol itself
by_type_name = typedVar("MyModule!MyType", addr)  # explicit address, type given by name
my_type = typeInfo("MyModule!MyType")             # resolve the type once ...
by_type_info = typedVar(my_type, addr)            # ... and reuse it for the view
 
17. 枚举变量中的每个字段(数组操作相同)
# Iterating a typedVar yields (field name, field value) pairs; arrays iterate
# the same way.
struct_var = typedVar("structVar")
for name, value in struct_var:
    print("%s %s" % (name, value))
 
18. local 变量
# Locals of the current frame come back keyed by variable name.
print(getLocals()["argc"])

# Walk every local variable in the current frame.
for name, value in getLocals().items():
    print("%s %s" % (name, value))

 

19. 调试事件

onBreakpoint
onException
onLoadModule
onUnloadModule

 

20. ptrPtr( va )  # read a pointer-sized value at va

21. containingRecord

# Mirrors the CONTAINING_RECORD macro: given the address of the "Body" field
# (dirEntry.Object here), presumably returns a typed view of the enclosing
# nt!_OBJECT_HEADER — confirm the argument order against the pykd docs.
objHeader = containingRecord( dirEntry.Object, "nt!_OBJECT_HEADER", "Body" )
