Channel: Python extension for WinDbg

Created Unassigned: from_address crashes when accessing structure members [14118]

Hi,

First, I start a kernel-mode debugging session and enter a process context in which ntdll.dll is loaded at address 00007fff`aa2b0000, as shown below. The dd command verifies that this is indeed a PE file.

```
0: kd> lmi
00007fff`aa2b0000 00007fff`aa481000 ntdll (pdb symbols) ntdll.dll

0: kd> dd 00007fff`aa2b0000
00007fff`aa2b0000 00905a4d 00000003 00000004 0000ffff
00007fff`aa2b0010 000000b8 00000000 00000040 00000000
00007fff`aa2b0020 00000000 00000000 00000000 00000000
00007fff`aa2b0030 00000000 00000000 00000000 000000d8
00007fff`aa2b0040 0eba1f0e cd09b400 4c01b821 685421cd
00007fff`aa2b0050 70207369 72676f72 63206d61 6f6e6e61
00007fff`aa2b0060 65622074 6e757220 206e6920 20534f44
00007fff`aa2b0070 65646f6d 0a0d0d2e 00000024 00000000

```

The currently installed versions of Python after loading the pykd extension:

```
0: kd> .load pykd
0: kd> !info

pykd bootstrapper version: 2.0.0.5

Installed python:

Version:        Status:     Image:
------------------------------------------------------------------------------
* 2.7 x86-64    Loaded      C:\Windows\system32\python27.dll
  3.5 x86-64    Loaded      C:\Program Files\Python 3.5\python35.dll
```

Then I use ctypes: first I create the IMAGE_DOS_HEADER structure, then I cast the address where ntdll.dll is loaded to an actual object, which works fine. However, when I access a structure member, pykd crashes as shown below.

```
>>> import ctypes
>>> class IMAGE_DOS_HEADER(ctypes.Structure):
...     _fields_ = [
...         ("e_magic", ctypes.c_ushort),
...         ("e_cblp", ctypes.c_ushort),
...         ("e_cp", ctypes.c_ushort),
...         ("e_crlc", ctypes.c_ushort),
...         ("e_cparhdr", ctypes.c_ushort),
...         ("e_minalloc", ctypes.c_ushort),
...         ("e_maxalloc", ctypes.c_ushort),
...         ("e_ss", ctypes.c_ushort),
...         ("e_sp", ctypes.c_ushort),
...         ("e_csum", ctypes.c_ushort),
...         ("e_ip", ctypes.c_ushort),
...         ("e_cs", ctypes.c_ushort),
...         ("e_lfarlc", ctypes.c_ushort),
...         ("e_ovno", ctypes.c_ushort),
...         ("e_res", ctypes.c_ushort * 4),
...         ("e_oemid", ctypes.c_ushort),
...         ("e_oeminfo", ctypes.c_ushort),
...         ("e_res2", ctypes.c_ushort * 10),
...         ("e_lfanew", ctypes.c_long),  # LONG in winnt.h, not a 16-bit field
...     ]
...
>>> dos = IMAGE_DOS_HEADER.from_address(0x00007fffaa2b0000)
>>> dos
<__main__.IMAGE_DOS_HEADER object at 0x00000000078B6B48>
>>> dos.e_lfanew
c0000005 Exception in C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\winext\pykd.py debugger extension.
PC: 00000000`1d1ac910 VA: 00007fff`aa2b003c R/W: 0 Parameter: 00000000`00000000
```

Does anybody know if there are any fixes for this issue? Are you aware of it?
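
An added example, not part of the original post and not pykd's own code: `from_address` makes ctypes dereference the pointer inside the debugger's own process, so a debuggee address has to be read through the debugger first and the copy parsed with `from_buffer_copy`. `read_struct`, `read_dos_header`, `fake_read` and the sample bytes (built from the `dd` output in the post) are constructed for illustration; inside WinDbg the reader passed in would be `pykd.loadBytes`.

```python
import ctypes
import struct

WORD, LONG = ctypes.c_uint16, ctypes.c_int32  # fixed width on every platform

class IMAGE_DOS_HEADER(ctypes.Structure):
    _fields_ = [(name, WORD) for name in (
        "e_magic", "e_cblp", "e_cp", "e_crlc", "e_cparhdr", "e_minalloc",
        "e_maxalloc", "e_ss", "e_sp", "e_csum", "e_ip", "e_cs", "e_lfarlc",
        "e_ovno")] + [
        ("e_res", WORD * 4), ("e_oemid", WORD), ("e_oeminfo", WORD),
        ("e_res2", WORD * 10), ("e_lfanew", LONG)]

def read_struct(read_bytes, address, struct_type):
    """Copy sizeof(struct_type) bytes out of the debuggee and parse the copy.

    read_bytes(address, size) is a hypothetical parameter: any callable that
    returns target memory as an iterable of ints (pykd.loadBytes in WinDbg).
    """
    size = ctypes.sizeof(struct_type)
    data = bytes(bytearray(read_bytes(address, size)))
    if len(data) != size:
        raise ValueError("short read: %d of %d bytes" % (len(data), size))
    # from_buffer_copy parses local bytes; nothing is dereferenced at `address`.
    return struct_type.from_buffer_copy(data)

def read_dos_header(read_bytes, base):
    dos = read_struct(read_bytes, base, IMAGE_DOS_HEADER)
    if dos.e_magic != 0x5A4D:  # "MZ"
        raise ValueError("no MZ signature at %#x" % base)
    return dos

# Constructed stand-in for the target: the first 0x40 bytes of the dd dump.
SAMPLE_BASE = 0x00007FFFAA2B0000
SAMPLE_MEM = struct.pack("<16I", 0x00905A4D, 3, 4, 0xFFFF, 0xB8, 0, 0x40, 0,
                         0, 0, 0, 0, 0, 0, 0, 0xD8)

def fake_read(address, size):
    """Serve reads from SAMPLE_MEM the way a debugger memory reader would."""
    off = address - SAMPLE_BASE
    if off < 0 or off + size > len(SAMPLE_MEM):
        raise MemoryError("address %#x not readable in sample" % address)
    return list(bytearray(SAMPLE_MEM[off:off + size]))

if __name__ == "__main__":
    dos = read_dos_header(fake_read, SAMPLE_BASE)
    print("e_magic=%#x e_lfanew=%#x" % (dos.e_magic, dos.e_lfanew))
```

In a pykd session the call becomes `read_dos_header(pykd.loadBytes, 0x00007fffaa2b0000)`.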
