
Sorry for all the questions but I think I have narrowed down my issue. In the below code, I call the following script via pykd in windbg. For the most part, it behaves as intended. However, after I call the script a few hundred times (504 times), the script stops executing until I detach and re-attach. In an attempt to find out the problem, I set up Process Monitor and watched Windbg. After I detached windbg from the process, Process Monitor showed that 504 files were closed and they were all the python script. I believe pykd might not be closing the process after finishing the script. Would anyone have any information in windbg or pykd to close the python file as soon as it completes instead of keeping it open?

Any information you could provide would be appreciated!

Process Monitor Screenshot


import sys
import pykd
from re import findall  # pattern matches strings

# Map of breakpoint (string instance) names to the argument string passed to
# the WinDbg script; keys may contain '*' / '?' wildcards.
bp_dict = {
    'BaseGameStops': ' 9 477 77 18 14 ',
    'MysteryRandomReplacementBGWildStateReplacement_weightReels_Main': ' 170428 ',
    'ThemeGame_Credit_Wild_Spin_0_Reel_2_StripNdx_18_Cascade_-1': ' 0 ',
    'ThemeGame_Credit_Wild_Spin_0_Reel_1_StripNdx_17_Cascade_-1': ' 702 ',
    'MysteryRandomReplacementBGWAP_MysteryReplacement_3_weightReels_Main': ' 196874 ',
    'ThemeFSMoolahWildCreditAward_Credit_Wild_Spin_508_Reel_1_StripNdx_15_Cascade_-1': ' 10646 ',
    'ThemeFSMoolahWildCreditAward_Credit_Wild_Spin_508_Reel_1_StripNdx_16_Cascade_-1': ' 10490 ',
    'ThemeFSMoolahWildCreditAward_Credit_Wild_Spin_508_Reel_1_StripNdx_17_Cascade_-1': ' 10629 ',
    'ThemeFSMoolahWildCreditAward_Credit_Wild_Spin_508_Reel_1_StripNdx_18_Cascade_-1': ' 10676 ',
    'ThemeFSMoolahWildCreditAward_Credit_Wild_Spin_508_Reel_1_StripNdx_19_Cascade_-1': ' 10667 ',
    'MysteryPay': ' 2268637 ',
}

# Read the current string instance name out of the debugger via an alias.
pykd.dbgCommand("r @$t4=${t7_alias}")
pykd.dbgCommand("as /mu ${/v:stringInstanceName} poi(@$t2+@$t4)+0x10;")
breakpoint = pykd.dbgCommand(".echo stringInstanceName").strip()

# Raw strings: '\e' and '\P' are not valid Python escapes, and '\S' must reach re unchanged.
try:
    print(pykd.dbgCommand(rf'$$>a< c:\emulations\ProcessRNGsToSet.txt{bp_dict[breakpoint]}'))
except KeyError:
    # No exact key: try the keys that contain wildcards ('*' any run, '?' one char).
    potential_breakpoints = [identifier for identifier in bp_dict
                             if any(symbol in identifier for symbol in ['*', '?'])
                             and findall(identifier.replace('*', r'\S*').replace('?', r'\S'), breakpoint)]
    if len(potential_breakpoints) == 0:
        print(f'Missed Breakpoint: {breakpoint}')
        # save to missed breakpoints file
    elif len(potential_breakpoints) == 1:
        print(pykd.dbgCommand(rf'$$>a< c:\emulations\ProcessRNGsToSet.txt{bp_dict[potential_breakpoints[0]]}'))
    else:
        print(f'Multiple given wildcard breakpoints match the current breakpoint: {breakpoint}')
except Exception as e:
    print(f'Unexpected error: {e}')

sys.exit()

The version number of my pykd.pyd is 0.3.4.15
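The breakpoint-to-script-argument lookup from the question, pulled out of the pykd calls so it can be unit tested outside WinDbg (added example, not the asker's script). The table below is a constructed subset of the asker's dict with wildcard keys added; unlike the original's `findall`, this version escapes the key with `re.escape` and requires a full match, so a wildcard key cannot match a longer name by substring.

```python
import re

# Constructed subset of the asker's breakpoint table; the wildcard keys
# are added here to exercise the '*' / '?' matching path.
BP_TABLE = {
    'BaseGameStops': ' 9 477 77 18 14 ',
    'MysteryPay': ' 2268637 ',
    'ThemeGame_Credit_Wild_Spin_0_Reel_?_StripNdx_*_Cascade_-1': ' 702 ',
    'ThemeGame_Credit_Wild_Spin_0_Reel_2_StripNdx_*_Cascade_-1': ' 0 ',
    'ThemeFSMoolahWildCreditAward_Credit_Wild_Spin_508_Reel_1_StripNdx_1*_Cascade_-1': ' 10646 ',
}


def wildcard_to_regex(pattern):
    """Translate a wildcard key ('*' = any run, '?' = one char) to a compiled
    regex. re.escape first, so only the wildcards are treated specially."""
    escaped = re.escape(pattern).replace(r'\*', r'\S*').replace(r'\?', r'\S')
    return re.compile(escaped)


def resolve_breakpoint(name, table):
    """Return (status, value). status is 'exact', 'wildcard', 'missed' or
    'ambiguous'; value is the script argument string when resolvable."""
    if name in table:
        return 'exact', table[name]
    hits = [key for key in table
            if ('*' in key or '?' in key) and wildcard_to_regex(key).fullmatch(name)]
    if not hits:
        return 'missed', None
    if len(hits) == 1:
        return 'wildcard', table[hits[0]]
    return 'ambiguous', None


def script_command(value, script=r'c:\emulations\ProcessRNGsToSet.txt'):
    """Build the $$>a< command line the same way the asker's script does."""
    return rf'$$>a< {script}{value}'
```

Feeding `script_command(...)` to `pykd.dbgCommand` is then the only debugger-dependent line left, which keeps the matching logic testable with plain `python -m pytest`.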

  • Interesting. I think folks from PyKd are watching the [tag:pykd] tag. It may take a week until they notice the question. Might be a bug in PyKd. – Thomas Weller Oct 19 '22 at 15:08
  • Why run WinDbg scripts with `$$>a<` when you have Python as a scripting language? Is it possible that one of these scripts does not finish and you end up at the command prompt again, where you enter the next PyKd command, leaving the previous PyKd command open? – Thomas Weller Oct 19 '22 at 15:10
  • Please give the version of pykd.dll – ussrhero Oct 19 '22 at 18:51
  • @ThomasWeller The current testing platform my company has in place was created via WinDbg. Re-writing the files into Python is my long-term goal, but for now I am just trying to solve one issue! As for the pykd.dll, my company will not let me download the .dll (because it is a Russian website), but I did download the .pyd file and placed it in the winext folder. When I do "pip install pykd", it says I already have version 0.3.4.15. – Charles Sheehe Oct 20 '22 at 13:17
  • IMHO the PYD file is exactly the same as a DLL file (WinDbg can only load DLLs as extensions). Luckily your IT department doesn't know that. Maybe you can try at home. Make a binary comparison between PYD and DLL (same version of course). And maybe you should tell your IT department. – Thomas Weller Oct 20 '22 at 13:31
  • BTW: @ussrhero is a PyKD member. You want to give them the information needed. – Thomas Weller Oct 20 '22 at 13:32
  • @ThomasWeller Whoops I didn't answer your other question! I was able to run the entirety of the script using the old method and confirmed that the scenarios I was manipulating were valid. The only thing I replaced with the script was where the if/else logic for a given key were located ( python script vs windbg). Additionally, the calling of the python script occurs when the software goes through a certain breakpoint which is only called after all events complete. Therefore, I believe the script completed before calling the next PyKd command. – Charles Sheehe Oct 20 '22 at 13:34
  • @ussrhero I am not able to download the .dll version but I am using the pykd.pyd file. The version number is 0.3.4.15 – Charles Sheehe Oct 20 '22 at 13:37
  • pykd.pyd is not pykd.dll at all. The possibility of using pykd.pyd as a WinDbg extension is a legacy. Please follow this: https://githomelab.ru/pykd/pykd-ext – ussrhero Oct 21 '22 at 04:48
  • If you cannot download pykd.dll, I may upload it to gdrive, for example. If you don't trust it, you can rebuild it from http://githomelab.ru/pykd/pykd-ext.git. It is very easy. – ussrhero Oct 21 '22 at 04:54
  • https://drive.google.com/file/d/1C3yJLJ7oML-YX6RjGjj-6D2RSUdgoeEu/view?usp=sharing – ussrhero Oct 21 '22 at 04:58
  • @ussrhero I will try and use the .dll and see if that resolves the problem. – Charles Sheehe Oct 21 '22 at 13:27
  • @ussrhero I updated to use the .dll and it seems like I have gotten beyond the previous block and the memory usage is stable! I will continue to test this out but it seems like this might have solved it! As a side note, firewalls might block the .ru websites, any way to get the .dll via pip? – Charles Sheehe Oct 21 '22 at 19:25
  • Do you use Python 2.7? If you do, try this test fix: https://drive.google.com/file/d/1DmrjTXXeWpAhx_mmaKrbku_dK990qjNo/view?usp=sharing – ussrhero Oct 22 '22 at 08:29
