pybag loading failed

Open yjdfy opened this issue 6 months ago • 0 comments

Hi, excuse me, I have a problem now; it seems that some programs failed to load. I can load notepad.exe successfully, but fail to load Acrobat.exe.

    from pybag import UserDbg

    dbg = UserDbg()
    dbg.create(r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe")
    # dbg.bp("Kernel32!WriteFile", handler)
    dbg.go()

This is the output log. I'm not quite sure what went wrong.

PS C:\Users\cqy\Documents\test> python .\test_pybag.py

Microsoft (R) Windows Debugger Version 10.0.22621.2428 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*
Symbol search path is: srv*
Executable search path is:
ModLoad: 00007ff7`59020000 00007ff7`59635000   Acrobat.exe
ModLoad: 00007ffb`7f1d0000 00007ffb`7f3c8000   ntdll.dll
ModLoad: 00007ffb`7ea10000 00007ffb`7ead2000   C:\WINDOWS\System32\KERNEL32.DLL
ModLoad: 00007ffb`7cd90000 00007ffb`7d086000   C:\WINDOWS\System32\KERNELBASE.dll
ModLoad: 00007ffb`7ef30000 00007ffb`7f0cd000   C:\WINDOWS\System32\USER32.dll
ModLoad: 00007ffb`7cc30000 00007ffb`7cc52000   C:\WINDOWS\System32\win32u.dll
ModLoad: 00007ffb`7e5d0000 00007ffb`7e5fb000   C:\WINDOWS\System32\GDI32.dll
ModLoad: 00007ffb`7c900000 00007ffb`7ca1a000   C:\WINDOWS\System32\gdi32full.dll
ModLoad: 00007ffb`7c860000 00007ffb`7c8fd000   C:\WINDOWS\System32\msvcp_win.dll
ModLoad: 00007ffb`7cae0000 00007ffb`7cbe0000   C:\WINDOWS\System32\ucrtbase.dll
ModLoad: 00007ffb`7d730000 00007ffb`7d7df000   C:\WINDOWS\System32\ADVAPI32.dll
ModLoad: 00007ffb`7d200000 00007ffb`7d29e000   C:\WINDOWS\System32\msvcrt.dll
ModLoad: 00007ffb`7e970000 00007ffb`7ea0f000   C:\WINDOWS\System32\sechost.dll
ModLoad: 00007ffb`7d2a0000 00007ffb`7d3c3000   C:\WINDOWS\System32\RPCRT4.dll
ModLoad: 00007ffb`7cab0000 00007ffb`7cad7000   C:\WINDOWS\System32\bcrypt.dll
ModLoad: 00007ffb`7f0d0000 00007ffb`7f125000   C:\WINDOWS\System32\SHLWAPI.dll
ModLoad: 00007ffb`76a40000 00007ffb`76b4a000   C:\WINDOWS\SYSTEM32\WINHTTP.dll
ModLoad: 00007ffb`7c050000 00007ffb`7c05c000   C:\WINDOWS\SYSTEM32\CRYPTBASE.DLL
(18e8.39e0): Break instruction exception - code 80000003 (first chance)
ModLoad: 00007ffb`7ec10000 00007ffb`7ec3f000   C:\WINDOWS\System32\IMM32.DLL
ModLoad: 00007ffb`61ca0000 00007ffb`61f3a000   C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.4355_none_60b8b9eb71f62e16\Comctl32.dll
ModLoad: 00007ffb`7eb60000 00007ffb`7ec0d000   C:\WINDOWS\System32\shcore.dll
ModLoad: 00007ffb`7d3d0000 00007ffb`7d725000   C:\WINDOWS\System32\combase.dll
ModLoad: 00007ffb`7ba50000 00007ffb`7ba83000   C:\WINDOWS\SYSTEM32\ntmarta.dll
ModLoad: 00007ffb`7e600000 00007ffb`7e72b000   C:\WINDOWS\System32\ole32.dll
ModLoad: 00007ffb`7d3d0000 00007ffb`7d725000   C:\WINDOWS\System32\combase.dll
ModLoad: 00007ffb`7a6c0000 00007ffb`7a6d2000   C:\WINDOWS\SYSTEM32\kernel.appcore.dll
ModLoad: 00007ffb`7ca20000 00007ffb`7caa2000   C:\WINDOWS\System32\bcryptPrimitives.dll
ModLoad: 00007ffb`7c710000 00007ffb`7c73e000   C:\WINDOWS\system32\userenv.dll
ModLoad: 00007ffb`7a150000 00007ffb`7a1ee000   C:\WINDOWS\system32\uxtheme.dll
ModLoad: 00007ffb`7b4b0000 00007ffb`7b4de000   C:\WINDOWS\SYSTEM32\profext.dll
ModLoad: 00007ffb`7c790000 00007ffb`7c7b5000   C:\WINDOWS\SYSTEM32\profapi.dll
ModLoad: 00007ffb`7ee10000 00007ffb`7ef25000   C:\WINDOWS\System32\MSCTF.dll
ModLoad: 00007ffb`7e840000 00007ffb`7e90d000   C:\WINDOWS\System32\OLEAUT32.dll
ModLoad: 00007ffb`7b410000 00007ffb`7b4a6000   C:\WINDOWS\SYSTEM32\firewallapi.dll
ModLoad: 00007ffb`7bc00000 00007ffb`7bcca000   C:\WINDOWS\SYSTEM32\DNSAPI.dll
ModLoad: 00007ffb`7bbc0000 00007ffb`7bbfb000   C:\WINDOWS\SYSTEM32\IPHLPAPI.DLL
ModLoad: 00007ffb`7d1f0000 00007ffb`7d1f8000   C:\WINDOWS\System32\NSI.dll
ModLoad: 00007ffb`7b3a0000 00007ffb`7b3d7000   C:\WINDOWS\SYSTEM32\fwbase.dll
ModLoad: 00007ffb`5d630000 00007ffb`5d639000   C:\WINDOWS\SYSTEM32\KBDUS.DLL
ModLoad: 00007ffb`7de50000 00007ffb`7e5bf000   C:\WINDOWS\System32\shell32.dll
ModLoad: 00007ffb`7a8c0000 00007ffb`7b063000   C:\WINDOWS\SYSTEM32\windows.storage.dll
ModLoad: 00007ffb`7c0e0000 00007ffb`7c10b000   C:\WINDOWS\SYSTEM32\Wldp.dll
onecore\base\appmodel\appcontainerregistration\appcontainerregistration.cpp(608)\kernelbase.dll!00007FFB7CE197BE: (caller: 00007FFB7CE19243) ReturnHr(1) tid(2b54) 800700B7 Cannot create a file when that file already exists.
onecore\base\appmodel\appcontainerregistration\appcontainerregistration.cpp(684)\kernelbase.dll!00007FFB7CE1928F: (caller: 00007FFB7CE19087) ReturnHr(2) tid(2b54) 800700B7 Cannot create a file when that file already exists.
onecore\base\appmodel\identity\lib\packageidentity.cpp(108)\kernelbase.dll!00007FFB7CE190BC: (caller: 00007FFB7B4C0ADD) ReturnHr(3) tid(2b54) 800700B7 Cannot create a file when that file already exists.
    Msg:[Moniker adobe.acrobatreaderdc.protectedmode DispName Adobe Acrobat Reader Protected Mode]
onecore\ds\security\gina\profile\profext\appcontainer.cpp(1809)\profext.dll!00007FFB7B4C0B10: (caller: 00007FFB7B4B5ABA) LogHr(1) tid(2b54) 800700B7 Cannot create a file when that file already exists.
    Msg:[Name adobe.acrobatreaderdc.protectedmode display Adobe Acrobat Reader Protected Mode]
ModLoad: 00007ffb`7eb60000 00007ffb`7ec0d000   C:\WINDOWS\System32\SHCORE.dll
ModLoad: 00007ffb`7d920000 00007ffb`7d9c9000   C:\WINDOWS\System32\clbcatq.dll
ModLoad: 00007ffb`7c660000 00007ffb`7c702000   C:\WINDOWS\SYSTEM32\sxs.dll

************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*
Symbol search path is: srv*
Executable search path is:
ModLoad: 00007ff7`59020000 00007ff7`59635000   Acrobat.exe
ModLoad: 00000000`51610000 00000000`56918000   C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.dll
ModLoad: 00007ffb`7f1d0000 00007ffb`7f3c8000   ntdll.dll
ModLoad: 00007ffb`7e7d0000 00007ffb`7e83b000   C:\WINDOWS\System32\WS2_32.dll
ModLoad: 00007ffb`7ea10000 00007ffb`7ead2000   C:\WINDOWS\System32\KERNEL32.DLL
ModLoad: 00007ffa`f13f0000 00007ffa`f1b1a000   C:\Program Files\Adobe\Acrobat DC\Acrobat\AGM.dll
ModLoad: 00007ffb`7cd90000 00007ffb`7d086000   C:\WINDOWS\System32\KERNELBASE.dll
ModLoad: 00007ffb`17560000 00007ffb`179a4000   C:\Program Files\Adobe\Acrobat DC\Acrobat\CoolType.dll
ModLoad: 00007ffb`60080000 00007ffb`600a5000   C:\Program Files\Adobe\Acrobat DC\Acrobat\BIB.dll
ModLoad: 00007ffb`7ef30000 00007ffb`7f0cd000   C:\WINDOWS\System32\USER32.dll
ModLoad: 00007ffb`71450000 00007ffb`71634000   C:\WINDOWS\SYSTEM32\dbghelp.dll
ModLoad: 00007ffb`7cc30000 00007ffb`7cc52000   C:\WINDOWS\System32\win32u.dll
ModLoad: 00007ffb`7d9d0000 00007ffb`7de41000   C:\WINDOWS\System32\SETUPAPI.dll
ModLoad: 00007ffb`7e5d0000 00007ffb`7e5fb000   C:\WINDOWS\System32\GDI32.dll
ModLoad: 00007ffb`7a3c0000 00007ffb`7a3ef000   C:\WINDOWS\SYSTEM32\dwmapi.dll
ModLoad: 00007ffb`7c900000 00007ffb`7ca1a000   C:\WINDOWS\System32\gdi32full.dll
ModLoad: 00007ffb`7cbe0000 00007ffb`7cc2e000   C:\WINDOWS\System32\cfgmgr32.dll
ModLoad: 00007ffb`7c860000 00007ffb`7c8fd000   C:\WINDOWS\System32\msvcp_win.dll
ModLoad: 00007ffb`63e50000 00007ffb`63edd000   C:\WINDOWS\SYSTEM32\MSVCP140.dll
ModLoad: 00007ffb`7cae0000 00007ffb`7cbe0000   C:\WINDOWS\System32\ucrtbase.dll
ModLoad: 00007ffb`6edb0000 00007ffb`6edb7000   C:\WINDOWS\SYSTEM32\MSVCP140_CODECVT_IDS.dll
ModLoad: 00007ffb`7d730000 00007ffb`7d7df000   C:\WINDOWS\System32\ADVAPI32.dll
ModLoad: 00007ffb`6d8d0000 00007ffb`6d8dc000   C:\WINDOWS\SYSTEM32\Secur32.dll
ModLoad: 00007ffb`7d200000 00007ffb`7d29e000   C:\WINDOWS\System32\msvcrt.dll
ModLoad: 00007ffb`67520000 00007ffb`6752c000   C:\WINDOWS\SYSTEM32\VCRUNTIME140_1.dll
ModLoad: 00007ffb`7e970000 00007ffb`7ea0f000   C:\WINDOWS\System32\sechost.dll
ModLoad: 00007ffb`36920000 00007ffb`36a50000   C:\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll
ModLoad: 00007ffb`7d2a0000 00007ffb`7d3c3000   C:\WINDOWS\System32\RPCRT4.dll
ModLoad: 00007ffb`6f480000 00007ffb`6f48a000   C:\WINDOWS\SYSTEM32\SensApi.dll
ModLoad: 00007ffb`7cab0000 00007ffb`7cad7000   C:\WINDOWS\System32\bcrypt.dll
ModLoad: 0000022e`dc940000 0000022e`dc95e000   C:\WINDOWS\SYSTEM32\VCRUNTIME140.dll
ModLoad: 00007ffb`74450000 00007ffb`7445a000   C:\WINDOWS\SYSTEM32\VERSION.dll
ModLoad: 000001c5`4f620000 000001c5`4f675000   C:\WINDOWS\System32\SHLWAPI.dll
ModLoad: 0000022e`dc960000 0000022e`dc97e000   C:\WINDOWS\SYSTEM32\VCRUNTIME140.dll
ModLoad: 00007ffb`76a40000 00007ffb`76b4a000   C:\WINDOWS\SYSTEM32\WINHTTP.dll
ModLoad: 00007ffb`68f90000 00007ffb`68fae000   C:\WINDOWS\SYSTEM32\VCRUNTIME140.dll
ModLoad: 00007ffb`7c050000 00007ffb`7c05c000   C:\WINDOWS\SYSTEM32\CRYPTBASE.DLL
(36fc.8bc): Break instruction exception - code 80000003 (first chance)
PS C:\Users\cqy\Documents\test> 

yjdfy, Apr 25 '25 08:04