
windbglib's Issues

.load pykd.pyd is wrong

0:001> .load pykd.pyd
The call to LoadLibrary(pykd.pyd) failed, Win32 error 0n126
"找不到指定的模块。"
Please check your debugger configuration and/or network access.

But I am connected to the internet and have set the symbol path.

problem with windbg x64

I used pip install pykd==0.3.0.20 to install pykd. Then I copied the pykd.pyd from site-packages to the winext folder of the x64 debugger. mona.py and windbglib.py were also copied to x64. When I used the commands .load pykd and !py, it worked.
However, when I used the command !py mona, it didn't work:

6: kd> !py mona
*******************************************************************************************
 You are running a newer version of pykd.pyd
 mona.py was tested against v0.2.0.29
 and not against v0.3.0.20
 This version may not work properly.
 If you are having issues, I recommend to download the correct version from
   https://github.com/corelan/windbglib/raw/master/pykd/pykd.zip
   (unzip with 7zip)

 NOTE: PyKD v0.3.0.20 requires msdia120.dll, which only gets installed via Visual Studio 2013 (yup, I know)
 Alternatively, you can use the copy of msdia120.dll from the pykd.pyd file
  (https://github.com/corelan/windbglib/raw/master/pykd/pykd03.zip), but use this file at your own risk
*******************************************************************************************

 Oops - It seems that PyKD was unable problem to get the PEB object.
 This usually means that
  1. msdiaxxx.dll has not been registered correctly    and/or
  2. symbols are missing for ntdll.dll

 Possible solutions:
 -------------------
 1. Re-register the VC runtime library:
    * For PyKd v0.3.0.20:
      Either install Visual Studio 2013, or get a copy of msdia120.dll and register it manually

      You can find a copy of msdia120.dll inside the pykd.zip file inside the github repository
      (Use at your own risk!).  Place the file in the correct 'VC' folder and run regsvr32 from an administrative prompt:
        (x86) regsvr32.exe "%ProgramFiles%\Common Files\microsoft shared\VC\msdia120.dll"

        (x64) regsvr32.exe "%ProgramFiles(x86)%\Common Files\microsoft shared\VC\msdia120.dll"

 2. Force download of the Symbols for ntdll.dll
    * Connect to the internet, and verify that the symbol path is configured correctly
      Assuming that the local symbol path is set to c:\symbols,
      run the following command from within the windbg application folder
        symchk /r c:\windows\system32\ntdll.dll /s SRV*c:\symbols*http://msdl.microsoft.com/download/symbols

 Restart windbg and try again

Reading wrong value from ImageBase in NT Header

To determine whether a module has been rebased, mona checks whether ntHeader.OptionalHeader.ImageBase is equal to the actual base address in memory. However, the ImageBase field is set to the new base address, so reading this value in getModule will always be the same as the base address.

The ImageBase would have to be read from the original DLL on disk to get the right value.

I encountered this issue when porting windbglib to x64dbg: x64dbg/x64dbgpylib#7
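As an added illustration of the check this issue describes (written here for the page, not code from the windbglib or mona projects): the preferred ImageBase is read from the on-disk PE headers and compared with the runtime base, since the mapped copy of the header has its ImageBase rewritten by the loader. A constructed minimal PE header stands in for a real file, and patch_imagebase_in_memory mimics what the loader does to the mapped headers, so the naive in-memory comparison can be shown failing next to the on-disk one.

```python
import struct

PE32_MAGIC = 0x10B       # 32-bit optional header: ImageBase is a DWORD at offset 28
PE32PLUS_MAGIC = 0x20B   # 64-bit optional header: ImageBase is a QWORD at offset 24


def _optional_header_offset(pe_bytes):
    """Locate IMAGE_OPTIONAL_HEADER via e_lfanew, validating MZ and PE signatures."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe_bytes, 0x3C)[0]
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20   # skip the signature and the 20-byte IMAGE_FILE_HEADER


def read_imagebase(pe_bytes):
    """Return OptionalHeader.ImageBase from a PE header (on-disk bytes give the preferred base)."""
    opt = _optional_header_offset(pe_bytes)
    magic = struct.unpack_from("<H", pe_bytes, opt)[0]
    if magic == PE32_MAGIC:
        return struct.unpack_from("<I", pe_bytes, opt + 28)[0]
    if magic == PE32PLUS_MAGIC:
        return struct.unpack_from("<Q", pe_bytes, opt + 24)[0]
    raise ValueError("unknown optional header magic 0x%x" % magic)


def is_rebased(disk_pe_bytes, runtime_base):
    """The corrected check: compare the on-disk preferred base with the actual load address."""
    return read_imagebase(disk_pe_bytes) != runtime_base


def build_minimal_pe(image_base, pe32plus=False):
    """Constructed fixture: just enough header bytes to carry a valid ImageBase field."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    machine = 0x8664 if pe32plus else 0x14C
    file_header = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)
    if pe32plus:
        optional = struct.pack("<H", PE32PLUS_MAGIC) + b"\x00" * 22 + struct.pack("<Q", image_base)
    else:
        optional = struct.pack("<H", PE32_MAGIC) + b"\x00" * 26 + struct.pack("<I", image_base)
    return dos_header + b"PE\x00\x00" + file_header + optional


def patch_imagebase_in_memory(pe_bytes, new_base):
    """Mimic the loader rewriting ImageBase in the mapped header after relocating the module."""
    opt = _optional_header_offset(pe_bytes)
    magic = struct.unpack_from("<H", pe_bytes, opt)[0]
    mapped = bytearray(pe_bytes)
    if magic == PE32_MAGIC:
        struct.pack_into("<I", mapped, opt + 28, new_base)
    else:
        struct.pack_into("<Q", mapped, opt + 24, new_base)
    return bytes(mapped)


def demo(preferred_base=0x10000000, runtime_base=0x00350000):
    """Return (naive_verdict, correct_verdict) for a module relocated away from its preferred base."""
    on_disk = build_minimal_pe(preferred_base)
    in_memory = patch_imagebase_in_memory(on_disk, runtime_base)
    # What the issue describes: reading ImageBase from the mapped header always matches the base.
    naive_verdict = read_imagebase(in_memory) != runtime_base
    correct_verdict = is_rebased(on_disk, runtime_base)
    return naive_verdict, correct_verdict


if __name__ == "__main__":
    print("naive check says rebased: %s, on-disk check says rebased: %s" % demo())
```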

Typo in README?

README has this for Windows 64bit:

5. Copy pykd.pyd to C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x86\winext

I am wondering if this is a typo: that x86 directory is for WinDbg 32-bit, but for Windows 64-bit it should be x64? So the right path should be C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64\winext?

thanks

this command cannot run correctly.

0:000:x86> !py mona jmp
Hold on...
[+] Command used:
!py mona.py jmp
Usage :
Default module criteria : non aslr, non rebase
Mandatory argument : -r where reg is a valid register

[+] This mona.py action took 0:00:00.027000
0:000:x86> !py mona jmp -r ESP
Hold on...
[+] Command used:
!py mona.py jmp -r ESP

---------- Mona command started on 2017-06-09 11:38:54 (v2.0, rev 576) ----------
[+] Processing arguments and criteria
- Pointer access level : X
[+] Generating module info table, hang on...
- Processing modules


Traceback (most recent call last):
File "mona.py", line 18384, in main
commands[command].parseProc(opts)
File "mona.py", line 11389, in procFindJMP
all_opcodes=findJMP(modulecriteria,criteria,args["r"].lower().strip())
File "mona.py", line 6003, in findJMP
modulestosearch = getModulesToQuery(modulecriteria)
File "mona.py", line 5620, in getModulesToQuery
populateModuleInfo()
File "mona.py", line 5731, in populateModuleInfo
allmodules=dbg.getAllModules()
File "C:\Program Files\Debugging Tools for Windows (x64)\windbglib.py", line 1160, in getAllModules
getModulesFromPEB()
File "C:\Program Files\Debugging Tools for Windows (x64)\windbglib.py", line 369, in getModulesFromPEB
thismod = pykd.loadUnicodeString(mod.BaseDllName).encode("utf8")
MemoryException: Memory exception at 0x0 target virtual address


0:000:x86> !py mona jmp -r ESP -m kernel32.dll
Hold on...
[+] Command used:
!py mona.py jmp -r ESP -m kernel32.dll

---------- Mona command started on 2017-06-09 11:39:18 (v2.0, rev 576) ----------
[+] Processing arguments and criteria
- Pointer access level : X
- Only querying modules kernel32.dll
[+] Generating module info table, hang on...
- Processing modules


Traceback (most recent call last):
File "mona.py", line 18384, in main
commands[command].parseProc(opts)
File "mona.py", line 11389, in procFindJMP
all_opcodes=findJMP(modulecriteria,criteria,args["r"].lower().strip())
File "mona.py", line 6003, in findJMP
modulestosearch = getModulesToQuery(modulecriteria)
File "mona.py", line 5620, in getModulesToQuery
populateModuleInfo()
File "mona.py", line 5731, in populateModuleInfo
allmodules=dbg.getAllModules()
File "C:\Program Files\Debugging Tools for Windows (x64)\windbglib.py", line 1160, in getAllModules
getModulesFromPEB()
File "C:\Program Files\Debugging Tools for Windows (x64)\windbglib.py", line 369, in getModulesFromPEB
thismod = pykd.loadUnicodeString(mod.BaseDllName).encode("utf8")
MemoryException: Memory exception at 0x0 target virtual address


!py mona pattern_create 100000
Hold on...
[+] Command used:
!py mona.py pattern_create 100000
** You have asked to create a pattern > 20280 bytes, but with the current settings
the pattern generator can't create a pattern of 100000 bytes. As a result,
the pattern will be repeated for 79720 bytes until it reaches a length of 100000 bytes.
If you want a unique pattern larger than 20280 bytes, please either use the -extended option
or extend one of the 3 charsets using options -c1, -c2 and/or -c3 **

Creating cyclic pattern of 100000 bytes
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9......
.........
......
a0[+] Preparing output file 'pattern.txt'


Traceback (most recent call last):
File "mona.py", line 18384, in main
commands[command].parseProc(opts)
File "mona.py", line 11593, in procCreatePATTERN
patternfile = objpatternfile.reset()
File "mona.py", line 2448, in reset
thispid = dbg.getDebuggedPid()
File "C:\Program Files\Debugging Tools for Windows (x64)\windbglib.py", line 877, in getDebuggedPid
pid = pykd.ptrDWord(teb+offset)
MemoryException: Memory exception at 0x40 target virtual address


Win XP sp3 pykd crash frequently

Hi!

I'm using pykd in Windows XP sp3 74070 and it crashes frequently.

like this:
c0000005 Exception in pykd.pyd.py debugger extension.
PC: 04bc82b8 VA: 00000004 R/W: 0 Parameter: 0001003f

so I'm looking forward to getting some help from here, thanks!

!py mona is error

windows xp x86
python2.7.18 32bit
windbg x86

I already have ntdll.pdb, and msdia90.dll is also registered.
But there are still problems.

Break Point Callback Handler

Hi Peter,

Thanks for sharing this excellent library. It's really useful. I have one question.

Using pydbg we can easily set a breakpoint at any address and its callback handler function using dbg.bp_set( , , )

def break_point_handler(pydbg):
    # pydbg passes the debugger instance to the handler
    # Do something
    pass

dbg = pydbg()
..
..
dbg.bp_set(0xaddress, handler=break_point_handler)

I want to know what would be the easiest way to perform the same thing using windbglib?

Thanks in Advance

library needs at least debugging symbols for the ntdll.dll

Hello,
to make windbglib work you need at least the symbols for ntdll.dll.
Could you please consider adding to the install instructions in the README also the instructions to download the symbols for ntdll.dll? This is crucial especially on offline systems.

This needs to be done to fix the problem (assuming the msdia90.dll is registered fine):

symchk /r c:\windows\system32\ntdll.dll /s SRV*c:\symbols*http://msdl.microsoft.com/download/symbols

It might also be useful in the code of windbglib - something like:

import sys
from pykd import typedVar, getCurrentProcess   # pykd exports used by windbglib

def getPEBInfo():
    # Python 2 syntax, matching windbglib and mona.py of the time
    try:
        return typedVar("ntdll!_PEB", getCurrentProcess())
    except Exception:
        print "It seems that windbglib has problem to get the PEB object."
        print "Try to re-register the VC runtime library by:"
        print "regsvr32.exe \"%ProgramFiles%\\Common Files\\microsoft shared\\VC\\msdia90.dll\"\n"
        print "Second option (especially for offline systems) is that it is missing symbols from ntdll.dll"
        print "Make sure the symbols directory exists (c:\\symbols)"
        print "Download the symbols at least for the ntdll libraries:"
        print "symchk /r c:\\windows\\system32\\ntdll.dll /s SRV*c:\\symbols*http://msdl.microsoft.com/download/symbols"
        sys.exit(1)

====== Error message:

  File "C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x86\mona.py", line 143, in <module>
    osver = dbg.getOsVersion()

  File "C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x86\windbglib.py", line 694, in getOsVersion
    return getOSVersion()

  File "C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x86\windbglib.py", line 80, in getOSVersion
    peb = getPEBInfo()

  File "C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x86\windbglib.py", line 111, in getPEBInfo
    return typedVar( "ntdll!_PEB", getCurrentProcess())

See also:
https://www.corelan.be/index.php/forum/mona/error-baseexception-file-diasymexport-cpp-when-running-mona-in-windbg/
https://twitter.com/nanotechz9l/status/425778831052398592
http://pastebin.com/0BJg1F7z
http://pastebin.com/PrjwkdGX
http://pastebin.com/szBAmdEY
http://pastebin.com/TzE8HdTi
http://pastebin.com/Am8QsDHJ

MemoryException: Memory exception at 0x0 target virtual address

When I use !py mona it works, but when I use modules it fails:
0:014:x86> !py mona modules
Hold on...
[+] Command used:
!py mona.py modules

---------- Mona command started on 2017-06-22 16:12:56 (v2.0, rev 576) ----------
[+] Processing arguments and criteria
- Pointer access level : X
[+] Generating module info table, hang on...
- Processing modules


Traceback (most recent call last):
File "mona.py", line 18384, in main
commands[command].parseProc(opts)
File "mona.py", line 11441, in procShowMODULES
modulestosearch = getModulesToQuery(modulecriteria)
File "mona.py", line 5620, in getModulesToQuery
populateModuleInfo()
File "mona.py", line 5731, in populateModuleInfo
allmodules=dbg.getAllModules()
File "C:\WinDDK\7600.16385.1\Debuggers\windbglib.py", line 1160, in getAllModules
getModulesFromPEB()
File "C:\WinDDK\7600.16385.1\Debuggers\windbglib.py", line 369, in getModulesFromPEB
thismod = pykd.loadUnicodeString(mod.BaseDllName).encode("utf8")
MemoryException: Memory exception at 0x0 target virtual address


What should I do? Thank you.

possible to setup mona for Win 7 32bit for windbg?

I followed the instructions for Win 7 64bit but removing the 'x86', for instance, I copied pykd.pyd to C:\Program Files\Windows Kits\8.0\Debuggers\x86\winext, etc. The command .load pykd.pyd failed with:

.load pykd.pyd
The call to LoadLibrary(pykd.pyd) failed, Win32 error 0n2
    "The system cannot find the file specified."
Please check your debugger configuration and/or network access.

Then I tried to exactly follow the instructions for Win 7 64bit on Win 7 32bit still no success.

README.md directory on Win XP

Directory for windows xp should be changed from
C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x86\winext
to
C:\Program Files\Debugging Tools for Windows (x86)\winext

Issues with pykd (both versions)

This is cross-referenced by an issue I submitted at FireEye's FLARE-VM repo; but I'm believing it might be more of an issue on the windbg/pykd side (?).

I'm using a Windows 10 1909 virtual machine; after a successful setup of FLARE-VM, I'm unable to get either version of pykd to work, even after running regsvr32 on the libraries mentioned in the error after trying to invoke !py mona.

To avoid linking the other ticket, here is the error verbatim.

0:000> !py mona
*******************************************************************************************
 You are running a newer version of pykd.pyd
 mona.py was tested against v0.2.0.29
 and not against v0.3.2.2
 This version may not work properly.
 If you are having issues, I recommend to download the correct version from
   https://github.com/corelan/windbglib/raw/master/pykd/pykd.zip
   (unzip with 7zip)

 NOTE: PyKD v0.3.2.2 requires msdia120.dll, which only gets installed via Visual Studio 2013 (yup, I know)
 Alternatively, you can use the copy of msdia120.dll from the pykd.pyd file
  (https://github.com/corelan/windbglib/raw/master/pykd/pykd03.zip), but use this file at your own risk
*******************************************************************************************

 Oops - It seems that PyKD was unable problem to get the PEB object.
 This usually means that
  1. msdiaxxx.dll has not been registered correctly    and/or
  2. symbols are missing for ntdll.dll

I have manually verified that the symbols are present for ntdll.dll, and have run regsvr32 on the msdia*.dll versions for each respective version of pykd to no avail - even going so far as to install Visual Studio 2013 Community. I'd love to figure this out, as mona is an essential part of my workflow.

I'm more than willing to provide any information needed within reason. Regards.

Do not run this script outside of a debugger !

Greetings!
I am having an issue on Windows 7 x64, WinDbg 6.3.9600.17298 x86.
I followed the installation instructions to the letter ( https://github.com/corelan/windbglib ), but mona is still not working.
0:000> .load pykd.pyd
0:000> !py test.py
Hello
0:000> !py mona
Do not run this script outside of a debugger !
I have 3 versions of Python installed: Python 2.7.13, and 3.7.0 x64 and 3.7 32-bit.
So, it looks like mona is failing here:

try:
    import pykd
    import windbglib as dbglib
    from windbglib import LogBpHook
    dbglib.checkVersion()
    arch = dbglib.getArchitecture()
    DEBUGGERAPP = "WinDBG"
except Exception:
    #import traceback
    print "Do not run this script outside of a debugger !"

But I lack experience to figure out why. Please, help!

Error Processing Modules

I was examining a bug in imagemagick on XP SP3, and when I ran !py mona -h -t all, I received the following output:

[+] Preparing output file 'heapchunks.txt'
- (Re)setting logfile heapchunks.txt
[+] Generating module info table, hang on...
- Processing modules

*** Error parsing image00400000 (convert_moshe2.exe) ***
*** Please open a github issue ticket at https://github.com/corelan/windbglib ***
*** and provide the output of 'lm' in the ticket ***

Output of lm:
0:000> lm
start end module name
00350000 00361000 CORE_RL_bzlib_ C (private pdb symbols) C:\Documents and Settings\user\Desktop\Incoming\bin2\CORE_RL_bzlib_.pdb
00380000 003c1000 CORE_RL_lcms_ C (private pdb symbols) C:\Documents and Settings\user\Desktop\Incoming\bin2\CORE_RL_lcms_.pdb
003e0000 003f0000 CORE_RL_lqr_ (deferred)
00400000 0041e000 convert C (private pdb symbols) C:\Documents and Settings\user\Desktop\Incoming\bin2\convert.pdb
00420000 004f6000 MSVCR110 (export symbols) C:\WINDOWS\system32\MSVCR110.dll
00500000 0070e000 CORE_RL_glib_ C (private pdb symbols) C:\Documents and Settings\user\Desktop\Incoming\bin2\CORE_RL_glib_.pdb
00720000 00734000 CORE_RL_zlib_ C (private pdb symbols) C:\Documents and Settings\user\Desktop\Incoming\bin2\CORE_RL_zlib_.pdb
00750000 007c6000 CORE_RL_ttf_ C (private pdb symbols) C:\Documents and Settings\user\Desktop\Incoming\bin2\CORE_RL_ttf_.pdb
007e0000 00888000 CORE_RL_wand_ C (private pdb symbols) C:\Documents and Settings\user\Desktop\Incoming\bin2\CORE_RL_wand_.pdb
00da0000 00dad000 hook (no symbols)
00ea0000 00ea9000 IM_MOD_RL_ICON_ C (private pdb symbols) C:\Documents and Settings\user\Desktop\Incoming\bin2\IM_MOD_RL_icon_.pdb
10000000 1015f000 CORE_RL_magick_ C (private pdb symbols) C:\Documents and Settings\user\Desktop\Incoming\bin2\CORE_RL_magick_.pdb
5d090000 5d12a000 comctl32_5d090000 (export symbols) C:\WINDOWS\system32\comctl32.dll
71aa0000 71aa8000 WS2HELP (export symbols) C:\WINDOWS\system32\WS2HELP.dll
71ab0000 71ac7000 WS2_32 (export symbols) C:\WINDOWS\system32\WS2_32.dll
76b40000 76b6d000 WINMM (export symbols) C:\WINDOWS\system32\WINMM.dll
76d60000 76d79000 IPHLPAPI (export symbols) C:\WINDOWS\system32\IPHLPAPI.DLL
76f20000 76f47000 DNSAPI (export symbols) C:\WINDOWS\system32\DNSAPI.dll
773d0000 774d3000 comctl32 (export symbols) C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
774e0000 7761d000 ole32 (export symbols) C:\WINDOWS\system32\ole32.dll
77c10000 77c68000 msvcrt (export symbols) C:\WINDOWS\system32\msvcrt.dll
77dd0000 77e6b000 ADVAPI32 (export symbols) C:\WINDOWS\system32\ADVAPI32.dll
77e70000 77f02000 RPCRT4 (export symbols) C:\WINDOWS\system32\RPCRT4.dll
77f10000 77f59000 GDI32 (deferred)
77f60000 77fd6000 SHLWAPI (export symbols) C:\WINDOWS\system32\SHLWAPI.dll
77fe0000 77ff1000 Secur32 (export symbols) C:\WINDOWS\system32\Secur32.dll
7c800000 7c8f6000 kernel32 (export symbols) C:\WINDOWS\system32\kernel32.dll
7c900000 7c9af000 ntdll (export symbols) C:\WINDOWS\system32\ntdll.dll
7c9c0000 7d1d7000 SHELL32 (export symbols) C:\WINDOWS\system32\SHELL32.dll
7e410000 7e4a1000 USER32 (export symbols) C:\WINDOWS\system32\USER32.dll

pykd loads fine but mona errors

I tried following the install instructions for my windows 7 VM and all seemed to go smoothly except mona throws an error when I try to load it.

0:000> !py mona

Traceback (most recent call last):

File "mona.py", line 143, in <module>
if dbglib.getSymbolPath().replace(" ","") == "":

AttributeError: 'module' object has no attribute 'getSymbolPath'

Problem with Mona in WINDBG kernel debug

Hi,
I installed and configured mona following this link: https://github.com/corelan/windbglib#installation
When I use mona in user mode, for example after opening an EXE, it works, but when I use it in kernel debug I have this problem:


You are running a newer version of pykd.pyd
mona.py was tested against v0.2.0.29
and not against v0.3.4.15
This version may not work properly.
If you are having issues, I recommend to download the correct version from
https://github.com/corelan/windbglib/raw/master/pykd/pykd.zip
(unzip with 7zip)

NOTE: PyKD v0.3.4.15 requires msdia120.dll, which only gets installed via Visual Studio 2013 (yup, I know)
Alternatively, you can use the copy of msdia120.dll from the pykd.pyd file
(https://github.com/corelan/windbglib/raw/master/pykd/pykd03.zip), but use this file at your own risk


Oops - It seems that PyKD was unable problem to get the PEB object.
This usually means that

  1. msdiaxxx.dll has not been registered correctly and/or
  2. symbols are missing for ntdll.dll

Possible solutions:

  1. Re-register the VC runtime library:

    • For PyKd v0.3.4.15:
      Either install Visual Studio 2013, or get a copy of msdia120.dll and register it manually

      You can find a copy of msdia120.dll inside the pykd.zip file inside the github repository
      (Use at your own risk!). Place the file in the correct 'VC' folder and run regsvr32 from an administrative prompt:
      (x86) regsvr32.exe "%ProgramFiles%\Common Files\microsoft shared\VC\msdia120.dll"

      (x64) regsvr32.exe "%ProgramFiles(x86)%\Common Files\microsoft shared\VC\msdia120.dll"

  2. Force download of the Symbols for ntdll.dll

    • Connect to the internet, and verify that the symbol path is configured correctly
      Assuming that the local symbol path is set to c:\symbols,
      run the following command from within the windbg application folder
      symchk /r c:\windows\system32\ntdll.dll /s SRV*c:\symbols*http://msdl.microsoft.com/download/symbols

Restart windbg and try again

I tried pykd, Pykd3 and pykd.dll, registered msdia90 and msdia120, added the environment variable, checked the symbol path and opened windbg with admin privileges; user mode is OK but kernel debugging does not work.

debugger : windbg x86 - windows 10 21h2 64bit
debugee : windows 7 SP1 32bit - vmware

win7 x64: !py mona rop fail

0:000> !py mona rop
Hold on...
[+] Command used:
!py mona.py rop

---------- Mona command started on 2016-05-17 08:22:37 (v2.0, rev 566) ----------
[+] Processing arguments and criteria
- Pointer access level : X
[+] Generating module info table, hang on...
- Processing modules

*** Error parsing module 'image00524000' ('llvm-shellcode.exe') at 0x00524000 ***
*** Please open a github issue ticket at https://github.com/corelan/windbglib ***
*** and provide the output of the following 2 windbg commands in the ticket: ***
lm
!peb
*** Thanks

** Error trying to process module kernel32
** Error trying to process module KERNELBASE
** Error trying to process module ntdll
** Error trying to process module msvcrt
** Error trying to process module KERNELBASE.dll


Traceback (most recent call last):
File "mona.py", line 18182, in main
commands[command].parseProc(opts)
File "mona.py", line 11340, in procROP
findROPGADGETS(modulecriteria,criteria,endings,maxoffset,depth,split,thedistance,fast,mode)
File "mona.py", line 6032, in findROPGADGETS
modulestosearch = getModulesToQuery(modulecriteria)
File "mona.py", line 5441, in getModulesToQuery
populateModuleInfo()
File "mona.py", line 5556, in populateModuleInfo
thismod = MnModule(key)
File "mona.py", line 2537, in init
mzbase = mod.getBaseAddress()
AttributeError: 'NoneType' object has no attribute 'getBaseAddress'


0:000> lm
start end module name
0000000000400000 0000000000410000 image00000000_00400000 (deferred)
0000000077840000 000000007795f000 kernel32 (deferred)
0000000077a60000 0000000077c0a000 ntdll (pdb symbols) c:\symbols\ntdll.pdb\A026D5FC02D14D76B221882DB45B73892\ntdll.pdb
000007fefdbb0000 000007fefdc1b000 KERNELBASE (deferred)
000007feffba0000 000007feffc3f000 msvcrt (deferred)
0:000> !peb
PEB at 000007fffffd9000
InheritedAddressSpace: No
ReadImageFileExecOptions: No
BeingDebugged: Yes
ImageBaseAddress: 0000000000400000
Ldr 0000000077b8f640
Ldr.Initialized: Yes
Ldr.InInitializationOrderModuleList: 0000000000524010 . 00000000005257b0
Ldr.InLoadOrderModuleList: 0000000000523ee0 . 0000000000525790
Ldr.InMemoryOrderModuleList: 0000000000523ef0 . 00000000005257a0
Base TimeStamp Module
400000 00010000 Jan 01 02:12:16 1970 D:\cppIDE\workspace\llvm-shellcode\Release\llvm-shellcode.exe
77a60000 56bcd74c Feb 12 02:47:40 2016 C:\Windows\SYSTEM32\ntdll.dll
77840000 56bcd73b Feb 12 02:47:23 2016 C:\Windows\system32\kernel32.dll
7fefdbb0000 56bcd73c Feb 12 02:47:24 2016 C:\Windows\system32\KERNELBASE.dll
7feffba0000 4eeb033f Dec 16 16:37:19 2011 C:\Windows\system32\msvcrt.dll
SubSystemData: 0000000000000000
ProcessHeap: 0000000000520000
ProcessParameters: 0000000000522d60
CurrentDirectory: 'C:\Program Files\Debugging Tools for Windows (x64)'
WindowTitle: 'D:\cppIDE\workspace\llvm-shellcode\Release\llvm-shellcode.exe'
ImageFile: 'D:\cppIDE\workspace\llvm-shellcode\Release\llvm-shellcode.exe'
CommandLine: 'D:\cppIDE\workspace\llvm-shellcode\Release\llvm-shellcode.exe'
DllPath: 'D:\cppIDE\workspace\llvm-shellcode\Release;;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\Program Files\Debugging Tools for Windows (x64)\winext\arcade;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0;C:\Program Files\Intel\WiFi\bin;C:\Program Files\Common Files\Intel\WirelessCommon;C:\Program Files\Lenovo\Fingerprint Manager Pro;C:\Program Files\Diskeeper Corporation\ExpressCache;C:\Program Files\Git\cmd;C:\Program Files\Microsoft Windows Performance Toolkit;C:\Program Files (x86)\IDM Computer Solutions\UltraEdit;C:\Program Files (x86)\CMake\bin;C:\Program Files (x86)\Windows Kits\8.1\Windows Performance Toolkit;C:\Program Files\Microsoft SQL Server\110\Tools\Binn;C:\AnacondaX64;C:\AnacondaX64\Scripts;C:\AnacondaX64\Library\bin;;D:\llvm\install\llvm-3.7.1-mingw-w64\bin;D:\llvm\install\llvm-3.7.1-mingw-w64\lib;D:\mingw-w64\x86_64-4.8.4-posix-seh-rt_v3-rev0\mingw64\bin;C:\Program Files (x86)\Java\jdk1.8.0_20\bin;C:\Program Files\Intel\WiFi\bin;C:\Program Files\Common Files\Intel\WirelessCommon;C:\Program Files\Docker Toolbox;D:\IDA.Pro.Advanced.v6.8'
