
PyKD Tutorial – part 2

Sinaei

This post is the second part of the PyKD tutorial, so make sure to read the first part before continuing with this one.

Breakpoints

Breakpoints are among the most useful debugging tools, and PyKD lets you script them to analyze programs in a better and easier way. The API Reference introduces the setBp function as follows:

As shown above, setBp takes an address as its first argument and a Python function as its second; every time execution reaches that address, your Python function is invoked. The second form of setBp is for setting hardware breakpoints. You can remove all breakpoints with pykd.removeAllBp(), or remove a single breakpoint by its index with removeBp(int).

Searching through the memory

Even though searching for a string or a particular byte is straightforward in WinDbg, you can also use PyKD to search through memory.

And the result is:

Edit a Byte

The equivalent of eb is setByte, as follows:

The above script is equivalent to:

Other variants are setDWord, setDouble and setFloat.
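Pulling the breakpoint, memory-search and setByte sections together, the following script is an added example and not code from the original post: a conditional breakpoint whose callback counts hits, records RCX on each one, and on the third hit patches one byte found by a memory search before stopping the debugger. The addresses and the byte pattern are constructed placeholders, and the callback signature (no arguments, returning pykd.eventResult) is an assumption about the PyKD build in use.

```python
try:
    import pykd
except ImportError:
    # Outside WinDbg (e.g. when unit-testing the pure-Python parts below)
    pykd = None


class HitPolicy:
    """Per-hit decision for a conditional breakpoint: keep a hit count and the
    value observed on each hit, and report whether the debugger should stop."""

    def __init__(self, stop_on_hit):
        self.stop_on_hit = stop_on_hit  # stop the target on this hit number
        self.hits = 0
        self.seen = []

    def record(self, value):
        """Return True when the debugger should break on this hit."""
        self.hits += 1
        self.seen.append(value)
        return self.hits >= self.stop_on_hit


def find_pattern(buf, pattern, base):
    """Return every address in [base, base + len(buf)) where pattern occurs.
    Pure-Python memory search over bytes already read from the target."""
    hits, pos = [], buf.find(pattern)
    while pos != -1:
        hits.append(base + pos)
        pos = buf.find(pattern, pos + 1)
    return hits


def install_conditional_bp(addr, policy, patch=None):
    """Set a software breakpoint at addr whose callback records RCX, optionally
    patches one byte (patch = (address, value)) and only stops the debugger
    when the policy says so. Assumes (not verified here) that this PyKD
    build's setBp callback takes no arguments and returns pykd.eventResult."""
    def on_hit():
        if policy.record(pykd.reg("rcx")):      # first argument on x64 Windows
            if patch is not None:
                pykd.setByte(patch[0], patch[1])  # the scripted equivalent of eb
            return pykd.eventResult.Break         # hand control back to the user
        return pykd.eventResult.Proceed           # keep running silently
    return pykd.setBp(addr, on_hit)


if pykd is not None and __name__ == "__main__":
    # Constructed placeholders: replace the range, pattern and address with real ones.
    base, size = 0x00400000, 0x1000
    matches = find_pattern(bytes(pykd.loadBytes(base, size)), b"\x33\xc0\xc3", base)
    policy = HitPolicy(stop_on_hit=3)
    patch = (matches[0], 0x90) if matches else None  # NOP out the first matched byte
    install_conditional_bp(0x00401000, policy, patch)
```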

Changing XIP

You can use setIP to change the current RIP or EIP, which is very useful when dealing with packers and protectors.

Set Symbol Path

For debugging purposes you can also set the symbol path like this:

Step and Step-out and Trace

Instead of using p and t, you can use their PyKD equivalents pykd.step(), pykd.stepout() and pykd.trace().

Disassemble an Address

The following example describes how to disassemble the memory at a specific address.

The result depends on the location, e.g.:

Further Reading

In this post I tried to describe the main features of PyKD and how it can be used to ease the reverse engineering process. If you want to read more, take a look at the PyKD API Reference at this link; there is also a good article here that is worth reading.
