Resolved

eventHandler.onLoadModule always gets called with module name as empty string in kernel debugging

description

Target OS: Windows 10 RS2 x64
Detailed:
    Windows 10 Kernel Version 15063 MP (8 procs) Free x64
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 15063.0.amd64fre.rs2_release.170317-1834
pykd version:
   pykd-0.3.2.7-cp35-none-win_amd64.whl

Steps to reproduce:
   1. use attachKernel to connect to target
   2. In the interactive python environment, define EventHandler as follows:

    In [14]: class EventHandler(kd.eventHandler):
        ...:     def onLoadModule(self, base, name):
        ...:         print(base, name, ' loaded')
        ...:         return kd.eventResult.Break
        ...:

    In [15]: e = EventHandler()

   3. Go. Then load a kernel-mode driver; the output is as follows, and the parameter 'name' is empty:

    18446711179303649280   loaded

comments

kernelnet wrote Jun 22 at 9:36 AM

Confirmed.
Thank you for the report.

I can offer a workaround:
from pykd import eventHandler, eventResult, module

class EventHandler(eventHandler):
    def onLoadModule(self, base, name):
        # 'name' arrives empty in kernel mode; resolve it from the base address instead
        print(base, module(base).name(), ' loaded')
        return eventResult.Break
It will be fixed in the next version, but I cannot promise it will be soon.
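
As an added example (not code from the pykd project or from either participant), a module-load logger built on the workaround above: it assumes pykd.eventResult.Proceed exists alongside Break, takes the base-to-module lookup as a parameter so the fallback logic runs without a debugger attached, and uses a constructed stand-in for pykd.module in that case.

```python
from types import SimpleNamespace

try:
    import pykd
except ImportError:          # not running inside a debugger session
    pykd = None


def resolve_module_name(base, name, lookup):
    """Return the name the callback delivered, or, when it is the empty
    string this report describes, resolve it from the base address."""
    if name:
        return name
    try:
        return lookup(base).name()
    except Exception:        # base not mapped to a module the debugger knows
        return "<unknown@0x%x>" % base


class ModuleLoadLog:
    """Pure-Python record of module loads as (base, resolved name)."""

    def __init__(self, lookup):
        self.lookup = lookup
        self.records = []

    def record(self, base, name):
        resolved = resolve_module_name(base, name, self.lookup)
        self.records.append((base, resolved))
        return resolved


if pykd is not None:
    class LoadWatcher(pykd.eventHandler):
        log = None           # assign a ModuleLoadLog(pykd.module) before 'g'

        def onLoadModule(self, base, name):
            resolved = self.log.record(base, name)
            print("0x%016x %s loaded" % (base, resolved))
            return pykd.eventResult.Proceed   # keep the target running


def stub_lookup(table):
    """Constructed stand-in for pykd.module: base -> object with .name()."""
    def lookup(base):
        return SimpleNamespace(name=lambda: table[base])  # KeyError if unknown
    return lookup
```

Inside a kernel session, create a LoadWatcher, set its log to ModuleLoadLog(pykd.module), and resume the target; offline, stub_lookup stands in for the debugger.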
