Open ghost opened 6 years ago
I managed to find the version of Pykd you recommend by downloading the 2gig backup from their site and going through each one. I've installed it and still get the exact same issue, so I don't think it's anything to do with Pykd.
```
0:085> !py C:\\Users\\aaa\\AppData\\Local\\Temp\\shadow\\pykd_driver.py jeparse
[shadow] parsing structures from memory...
[shadow] 2018-06-01 21:54:40
Traceback (most recent call last):
  File "C:\\Users\\aaa\\AppData\\Local\\Temp\\shadow\\pykd_driver.py", line 42, in <module>
    shadow.parse(read_content_preview, config_path, do_debug_log=do_debug_log)
  File "C:\Users\aaa\AppData\Local\Temp\shadow\shadow.py", line 269, in parse
    parse_general(jeheap)
  File "C:\Users\aaa\AppData\Local\Temp\shadow\shadow.py", line 309, in parse_general
    arenas_addr = dbg.read_dwords(arenas_arr_addr, jeheap.narenas)
  File "C:\Users\aaa\AppData\Local\Temp\shadow\pykd_engine.py", line 159, in read_dwords
    return pykd.loadQWords(addr, size)
ArgumentError: Python argument types in
    pykd.pykd.loadQWords(NoneType, NoneType)
did not match C++ signature:
    loadQWords(unsigned __int64 offset, unsigned long count)
    loadQWords(unsigned __int64 offset, unsigned long count, bool phyAddr)
```
The path variable does not seem to get passed to EMList properly for some reason. Python really isn't my language of choice, so I don't really know how to fix it. I've tried to set the path variable with tempfile.gettempdir(). I can see that storage_path is set as a global variable and is set with tempfile.gettempdir(), so I thought doing that might remedy the problem, but it didn't.