!irp returns none on 32bit dumps

Jun 22, 2016 at 9:07 PM
Hello All,

I am currently using - pykd- version of pykd. I have copied the dll to winext.
For all the 64bit dumps, this works fine, but when I try to run !irp <address>, pykd returns None for a 32bit dump.
I am using loadDump(<dump file>) to load the dumps
Strange thing is - the command works fine in windbg when I do the following -
.load pykd.pyd
!irp <address>
Any idea why it won't work when I use it outside of windbg?

Jun 24, 2016 at 10:05 AM
If you run a standalone script (without windbg), you need to explicitly load windbg extensions. !irp is an extension command from kdexts.dll.
Try to add this line:
Jun 24, 2016 at 11:20 PM
Okay, I tried to add the above line and it always returns -
Call IDebugAdvanced::Request failed
HRESULT 0x8000ffff
I tried to load a few other extensions just to check if it was able to load but no success.

The code is pretty simple right now -

import json
import sys
from pykd import *
bugcheckData = json.loads(sys.argv[1]) # has bugcheck info and dump file location
extHandle = loadExt(r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\winxp\kdexts.dll") ## Fails here
commandOutput = callExt(extHandle, 'irp ' + str(bugcheckData['Arg4'])) ##This maybe wrong but it does not reach here
print commandOutput
Jun 25, 2016 at 8:27 AM
It seems loadExt is sensitive to a debug target's presence.
Try to change the call's order:
extHandle = loadExt(r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\winxp\kdexts.dll") 
Or use a windbg metacommand '.load'. It does not check if there is a debug target.
pykd.dbgCommand(r'.load "C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\winxp\kdexts.dll"')
Jun 27, 2016 at 5:24 PM
Bingo! Both methods work fine. Thanks for the help, appreciate it :)
Aug 19, 2016 at 8:14 PM
Might need some help again :)
I tried to install pykd on a new system using the below command -
check_call(['python', '-m', 'pip', 'install', '--upgrade', 'pykd'])
After installing pykd, installed the WDK. Pasted the pykd.pyd in winext + winxp folder

I am seeing that !analyze -v is returning a None but other commands are working fine (!irp, !stack 2 etc)
After following the sequence,
    pykd.dbgCommand(r'.load {0}' .format(r'C:\Program Files\Windows Kits\10\Debuggers\x64\winxp\exts.dll'))
    pykd.dbgCommand(r'.load {0}' .format(r'C:\Program Files\Windows Kits\10\Debuggers\x64\winxp\kdexts.dll'))
    print pykd.dbgCommand(r'.chain')
.chain output -
Extension DLL search Path:
C:\Python27\lib\site-packages\pykd\WINXP;C:\Python27\lib\site-packages\pykd\winext;C:\Python27\lib\site-packages\pykd\winext\arcade;C:\Python27\lib\site-packages\pykd\pri;C:\Python27\lib\site-packages\pykd;C:\Python27\lib\site-packages\pykd\winext\arcade;C:\windows\system32;C:\windows;C:\windows\System32\Wbem;C:\windows\System32\WindowsPowerShell\v1.0\;C:\Python27;C:\Program Files\Microsoft SQL Server\110\Tools\Binn\;c:\python27;C:\windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TShell\TShell\
Extension DLL chain:
C:\Program Files\Windows Kits\10\Debuggers\x64\winxp\kdexts.dll: image 10.0.14393.0, API 1.0.0, built Fri Jul 15 19:20:54 2016
    [path: C:\Program Files\Windows Kits\10\Debuggers\x64\winxp\kdexts.dll]
C:\Program Files\Windows Kits\10\Debuggers\x64\winxp\exts.dll: image 10.0.14321.1024, API 1.0.0, built Fri Jul 15 19:11:36 2016
    [path: C:\Program Files\Windows Kits\10\Debuggers\x64\winxp\exts.dll]
dbghelp: image 6.3.9600.16384, API 6.3.6, built Thu Aug 22 04:25:28 2013
    [path: C:\Python27\lib\site-packages\pykd\dbghelp.dll]
ext: (Not loaded)
exts: (Not loaded)
kext: (Not loaded)
kdexts: (Not loaded)
I am guessing !analyze -v is coming from exts.dll, but why is pykd not loading the extensions?
If I run pykd in windbg, it works fine.
Any help, pointers would be appreciated :)
Aug 19, 2016 at 10:24 PM
Nevermind, the below commands work - ( ' vs " )
    print 'INFO: Loading extensions...'
    # .load prints nothing on success, so dbgCommand returning None is treated as "loaded"
    if dbgCommand(r".load {0}".format(r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\winxp\kdexts.dll")) is None:
        print 'INFO: kdexts loaded successfully'
    else:
        print 'WARN: kdexts did not load'
    if dbgCommand(r".load {0}".format(r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\winxp\exts.dll")) is None:
        print 'INFO: exts loaded successfully'
    else:
        print 'WARN: exts did not load'
    if dbgCommand(r".load {0}".format(r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\winext\kext.dll")) is None:
        print 'INFO: kext loaded successfully'
    else:
        print 'WARN: kext did not load'
    if dbgCommand(r".load {0}".format(r"C:\Program Files\Windows Kits\8.1\Debuggers\x64\winext\ext.dll")) is None:
        print 'INFO: ext loaded successfully'
    else:
        print 'WARN: ext did not load'
    if dbgCommand(r".load {0}".format(r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\winext\wdfkd.dll")) is None:
        print 'INFO: wdfkd loaded successfully'
    else:
        print 'WARN: wdfkd did not load'
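
Added example (not part of the thread and not pykd code): a small parser for the `.chain` output pasted above, so a standalone triage script can confirm which extension DLLs have a versioned entry in the chain before it issues `!irp` or `!analyze -v`. The function names are assumptions made for this example, and the sample text is abridged from the output in the thread.

```python
import re

# Abridged from the .chain output pasted in the thread above.
SAMPLE_CHAIN = r"""Extension DLL chain:
C:\Program Files\Windows Kits\10\Debuggers\x64\winxp\kdexts.dll: image 10.0.14393.0, API 1.0.0, built Fri Jul 15 19:20:54 2016
    [path: C:\Program Files\Windows Kits\10\Debuggers\x64\winxp\kdexts.dll]
C:\Program Files\Windows Kits\10\Debuggers\x64\winxp\exts.dll: image 10.0.14321.1024, API 1.0.0, built Fri Jul 15 19:11:36 2016
    [path: C:\Program Files\Windows Kits\10\Debuggers\x64\winxp\exts.dll]
dbghelp: image 6.3.9600.16384, API 6.3.6, built Thu Aug 22 04:25:28 2013
    [path: C:\Python27\lib\site-packages\pykd\dbghelp.dll]
ext: (Not loaded)
exts: (Not loaded)
kext: (Not loaded)
kdexts: (Not loaded)
"""

LOADED_RE = re.compile(r"^(\S.*?): image ([\d.]+),")
PATH_RE = re.compile(r"^\s+\[path: (.+)\]\s*$")
NOT_LOADED_RE = re.compile(r"^(\S+): \(Not loaded\)\s*$")


def parse_chain(text):
    """Split `.chain` output into (loaded entries, names shown as not loaded)."""
    loaded, not_loaded, in_chain = [], [], False
    for line in text.splitlines():
        if line.startswith("Extension DLL chain:"):
            in_chain = True          # ignore the search-path section before it
        elif not in_chain:
            continue
        elif LOADED_RE.match(line):
            name, version = LOADED_RE.match(line).groups()
            loaded.append({"name": name, "version": version, "path": None})
        elif PATH_RE.match(line) and loaded:
            loaded[-1]["path"] = PATH_RE.match(line).group(1)
        elif NOT_LOADED_RE.match(line):
            not_loaded.append(NOT_LOADED_RE.match(line).group(1))
    return loaded, not_loaded


def module_key(name_or_path):
    # "kdexts", "kdexts.dll" and a full path to kdexts.dll all map to "kdexts".
    base = re.split(r"[\\/]", name_or_path)[-1].lower()
    return base[:-4] if base.endswith(".dll") else base


def missing_extensions(text, required):
    """Return the required extensions that have no versioned chain entry."""
    loaded, _ = parse_chain(text)
    have = set(module_key(e["path"] or e["name"]) for e in loaded)
    return [r for r in required if module_key(r) not in have]
```

In a live script the text would come from `pykd.dbgCommand('.chain')`, for example `missing_extensions(pykd.dbgCommand('.chain'), ['kdexts.dll', 'exts.dll'])`.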