Package winappdbg :: Module breakpoint :: Class _BreakpointContainer

Class _BreakpointContainer


Encapsulates the capability to contain Breakpoint objects.

Instance Methods
 
__init__(self)
x.__init__(...) initializes x; see help(type(x)) for signature
 
__get_running_bp_set(self, tid)
Auxiliary method.
 
__add_running_bp(self, tid, bp)
Auxiliary method.
 
__del_running_bp(self, tid, bp)
Auxiliary method.
 
__del_running_bp_from_all_threads(self, bp)
Auxiliary method.
 
__cleanup_breakpoint(self, event, bp)
Auxiliary method.
 
__cleanup_thread(self, event)
Auxiliary method for _notify_exit_thread and _notify_exit_process.
 
__cleanup_process(self, event)
Auxiliary method for _notify_exit_process.
 
__cleanup_module(self, event)
Auxiliary method for _notify_unload_dll.
bool
_notify_guard_page(self, event)
Notify breakpoints of a guard page exception event.
bool
_notify_breakpoint(self, event)
Notify breakpoints of a breakpoint exception event.
bool
_notify_single_step(self, event)
Notify breakpoints of a single step exception event.
bool
_notify_load_dll(self, event)
Notify the loading of a DLL.
bool
_notify_unload_dll(self, event)
Notify the unloading of a DLL.
bool
_notify_exit_thread(self, event)
Notify the termination of a thread.
bool
_notify_exit_process(self, event)
Notify the termination of a process.
Breakpoint
__set_break(self, pid, address, action, oneshot)
Used by break_at and stalk_at.
 
__clear_break(self, pid, address)
Used by dont_break_at and dont_stalk_at.
 
__set_deferred_breakpoints(self, event)
Used internally.
HardwareBreakpoint
__set_variable_watch(self, tid, address, size, action)
Used by watch_variable and stalk_variable.
 
__clear_variable_watch(self, tid, address)
Used by dont_watch_variable and dont_stalk_variable.
 
__set_buffer_watch(self, pid, address, size, action, bOneShot)
Used by watch_buffer and stalk_buffer.
 
__clear_buffer_watch_old_method(self, pid, address, size)
Used by dont_watch_buffer and dont_stalk_buffer.
 
__clear_buffer_watch(self, bw)
Used by dont_watch_buffer and dont_stalk_buffer.
 
__start_tracing(self, thread)
 
__stop_tracing(self, thread)
 

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __repr__, __setattr__, __sizeof__, __str__, __subclasshook__

    Breakpoints
bool
break_at(self, pid, address, action=None)
Sets a code breakpoint at the given process and address.
 
dont_break_at(self, pid, address)
Clears a code breakpoint set by break_at.
bool
hook_function(self, pid, address, preCB=None, postCB=None, paramCount=None, signature=None)
Sets a function hook at the given address.
 
dont_hook_function(self, pid, address)
Removes a function hook set by hook_function.
 
unhook_function(self, pid, address)
Removes a function hook set by hook_function.
 
watch_variable(self, tid, address, size, action=None)
Sets a hardware breakpoint at the given thread, address and size.
 
dont_watch_variable(self, tid, address)
Clears a hardware breakpoint set by watch_variable.
BufferWatch
watch_buffer(self, pid, address, size, action=None)
Sets a page breakpoint and notifies when the given buffer is accessed.
 
dont_watch_buffer(self, bw, *argv, **argd)
Clears a page breakpoint set by watch_buffer.
 
break_on_error(self, pid, errorCode)
Sets or clears the system breakpoint for a given Win32 error code.
 
dont_break_on_error(self, pid)
Alias to break_on_error(pid, ERROR_SUCCESS).
    Stalking
bool
stalk_at(self, pid, address, action=None)
Sets a one-shot code breakpoint at the given process and address.
 
dont_stalk_at(self, pid, address)
Clears a code breakpoint set by stalk_at.
bool
stalk_function(self, pid, address, preCB=None, postCB=None, paramCount=None, signature=None)
Sets a one-shot function hook at the given address.
 
dont_stalk_function(self, pid, address)
Removes a function hook set by stalk_function.
 
stalk_variable(self, tid, address, size, action=None)
Sets a one-shot hardware breakpoint at the given thread, address and size.
 
dont_stalk_variable(self, tid, address)
Clears a hardware breakpoint set by stalk_variable.
BufferWatch
stalk_buffer(self, pid, address, size, action=None)
Sets a one-shot page breakpoint and notifies when the given buffer is accessed.
 
dont_stalk_buffer(self, bw, *argv, **argd)
Clears a page breakpoint set by stalk_buffer.
    Tracing
bool
is_tracing(self, tid)
Returns: True if the thread is being traced, False otherwise.
list( int... )
get_traced_tids(self)
Retrieves the list of global IDs of all threads being traced.
 
start_tracing(self, tid)
Start tracing mode in the given thread.
 
stop_tracing(self, tid)
Stop tracing mode in the given thread.
 
start_tracing_process(self, pid)
Start tracing mode for all threads in the given process.
 
stop_tracing_process(self, pid)
Stop tracing mode for all threads in the given process.
 
start_tracing_all(self)
Start tracing mode for all threads in all debuggees.
 
stop_tracing_all(self)
Stop tracing mode for all threads in all debuggees.
    Symbols
int, None
resolve_exported_function(self, pid, modName, procName)
Resolves the exported DLL function for the given process.
int
resolve_label(self, pid, label)
Resolves a label for the given process.
    Advanced breakpoint use
CodeBreakpoint
define_code_breakpoint(self, dwProcessId, address, condition=True, action=None)
Creates a disabled code breakpoint at the given address.
PageBreakpoint
define_page_breakpoint(self, dwProcessId, address, pages=1, condition=True, action=None)
Creates a disabled page breakpoint at the given address.
HardwareBreakpoint
define_hardware_breakpoint(self, dwThreadId, address, triggerFlag=3, sizeFlag=3, condition=True, action=None)
Creates a disabled hardware breakpoint at the given address.
bool
has_code_breakpoint(self, dwProcessId, address)
Checks if a code breakpoint is defined at the given address.
bool
has_page_breakpoint(self, dwProcessId, address)
Checks if a page breakpoint is defined at the given address.
bool
has_hardware_breakpoint(self, dwThreadId, address)
Checks if a hardware breakpoint is defined at the given address.
CodeBreakpoint
get_code_breakpoint(self, dwProcessId, address)
Returns the internally used breakpoint object, for the code breakpoint defined at the given address.
PageBreakpoint
get_page_breakpoint(self, dwProcessId, address)
Returns the internally used breakpoint object, for the page breakpoint defined at the given address.
HardwareBreakpoint
get_hardware_breakpoint(self, dwThreadId, address)
Returns the internally used breakpoint object, for the hardware breakpoint defined at the given address.
 
enable_code_breakpoint(self, dwProcessId, address)
Enables the code breakpoint at the given address.
 
enable_page_breakpoint(self, dwProcessId, address)
Enables the page breakpoint at the given address.
 
enable_hardware_breakpoint(self, dwThreadId, address)
Enables the hardware breakpoint at the given address.
 
enable_one_shot_code_breakpoint(self, dwProcessId, address)
Enables the code breakpoint at the given address for only one shot.
 
enable_one_shot_page_breakpoint(self, dwProcessId, address)
Enables the page breakpoint at the given address for only one shot.
 
enable_one_shot_hardware_breakpoint(self, dwThreadId, address)
Enables the hardware breakpoint at the given address for only one shot.
 
disable_code_breakpoint(self, dwProcessId, address)
Disables the code breakpoint at the given address.
 
disable_page_breakpoint(self, dwProcessId, address)
Disables the page breakpoint at the given address.
 
disable_hardware_breakpoint(self, dwThreadId, address)
Disables the hardware breakpoint at the given address.
 
erase_code_breakpoint(self, dwProcessId, address)
Erases the code breakpoint at the given address.
 
erase_page_breakpoint(self, dwProcessId, address)
Erases the page breakpoint at the given address.
 
erase_hardware_breakpoint(self, dwThreadId, address)
Erases the hardware breakpoint at the given address.
    Listing breakpoints
list of tuple( pid, tid, bp )
get_all_breakpoints(self)
Returns all breakpoint objects as a list of tuples.
list of tuple( int, CodeBreakpoint )
get_all_code_breakpoints(self)
Returns: All code breakpoints as a list of tuples (pid, bp).
list of tuple( int, PageBreakpoint )
get_all_page_breakpoints(self)
Returns: All page breakpoints as a list of tuples (pid, bp).
list of tuple( int, HardwareBreakpoint )
get_all_hardware_breakpoints(self)
Returns: All hardware breakpoints as a list of tuples (tid, bp).
list of tuple( pid, tid, bp )
get_process_breakpoints(self, dwProcessId)
Returns all breakpoint objects for the given process as a list of tuples.
list of CodeBreakpoint
get_process_code_breakpoints(self, dwProcessId)
Returns: All code breakpoints for the given process.
list of PageBreakpoint
get_process_page_breakpoints(self, dwProcessId)
Returns: All page breakpoints for the given process.
list of HardwareBreakpoint
get_thread_hardware_breakpoints(self, dwThreadId)
Returns: All hardware breakpoints for the given thread.
list of tuple( int, HardwareBreakpoint )
get_process_hardware_breakpoints(self, dwProcessId)
Returns: All hardware breakpoints for each thread in the given process as a list of tuples (tid, bp).
tuple of (int, str, callable, bool)
get_all_deferred_code_breakpoints(self)
Returns a list of deferred code breakpoints.
tuple of (int, str, callable, bool)
get_process_deferred_code_breakpoints(self, dwProcessId)
Returns a list of deferred code breakpoints.
    Batch operations on breakpoints
 
enable_all_breakpoints(self)
Enables all disabled breakpoints in all processes.
 
enable_one_shot_all_breakpoints(self)
Enables for one shot all disabled breakpoints in all processes.
 
disable_all_breakpoints(self)
Disables all breakpoints in all processes.
 
erase_all_breakpoints(self)
Erases all breakpoints in all processes.
 
enable_process_breakpoints(self, dwProcessId)
Enables all disabled breakpoints for the given process.
 
enable_one_shot_process_breakpoints(self, dwProcessId)
Enables for one shot all disabled breakpoints for the given process.
 
disable_process_breakpoints(self, dwProcessId)
Disables all breakpoints for the given process.
 
erase_process_breakpoints(self, dwProcessId)
Erases all breakpoints for the given process.
Class Variables
    Breakpoint types
int BP_TYPE_ANY = 0
To get all breakpoints
int BP_TYPE_CODE = 1
To get code breakpoints only
int BP_TYPE_PAGE = 2
To get page breakpoints only
int BP_TYPE_HARDWARE = 3
To get hardware breakpoints only
    Breakpoint states
int BP_STATE_DISABLED = 0
Breakpoint is disabled.
int BP_STATE_ENABLED = 1
Breakpoint is enabled.
int BP_STATE_ONESHOT = 2
Breakpoint is enabled for one shot.
int BP_STATE_RUNNING = 3
Breakpoint is running (recently hit).
    Memory breakpoint trigger flags
int BP_BREAK_ON_EXECUTION = 0
Break on code execution.
int BP_BREAK_ON_WRITE = 1
Break on memory write.
int BP_BREAK_ON_ACCESS = 3
Break on memory read or write.
    Memory breakpoint size flags
  BP_WATCH_BYTE = 0
  BP_WATCH_WORD = 1
  BP_WATCH_QWORD = 2
  BP_WATCH_DWORD = 3
Properties

Inherited from object: __class__

Method Details

__init__(self)
(Constructor)

x.__init__(...) initializes x; see help(type(x)) for signature

Overrides: object.__init__
(inherited documentation)

define_code_breakpoint(self, dwProcessId, address, condition=True, action=None)

Creates a disabled code breakpoint at the given address.

Parameters:
  • dwProcessId (int) - Process global ID.
  • address (int) - Memory address of the code instruction to break at.
  • condition (function) - (Optional) Condition callback function.

    The callback signature is:

       def condition_callback(event):
           return True     # returns True or False
    

    Where event is an Event object, and the return value is a boolean (True to dispatch the event, False otherwise).

  • action (function) - (Optional) Action callback function. If specified, the event is handled by this callback instead of being dispatched normally.

    The callback signature is:

       def action_callback(event):
           pass        # no return value
    

    Where event is an Event object. The callback has no return value.

Returns: CodeBreakpoint
The code breakpoint object.

define_page_breakpoint(self, dwProcessId, address, pages=1, condition=True, action=None)

Creates a disabled page breakpoint at the given address.

Parameters:
  • dwProcessId (int) - Process global ID.
  • address (int) - Memory address of the first page to watch.
  • pages (int) - Number of pages to watch.
  • condition (function) - (Optional) Condition callback function.

    The callback signature is:

       def condition_callback(event):
           return True     # returns True or False
    

    Where event is an Event object, and the return value is a boolean (True to dispatch the event, False otherwise).

  • action (function) - (Optional) Action callback function. If specified, the event is handled by this callback instead of being dispatched normally.

    The callback signature is:

       def action_callback(event):
           pass        # no return value
    

    Where event is an Event object. The callback has no return value.

Returns: PageBreakpoint
The page breakpoint object.

define_hardware_breakpoint(self, dwThreadId, address, triggerFlag=3, sizeFlag=3, condition=True, action=None)

Creates a disabled hardware breakpoint at the given address.

Parameters:
  • dwThreadId (int) - Thread global ID.
  • address (int) - Memory address to watch.
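  • triggerFlag (int) - Trigger of breakpoint. Must be one of the following: BP_BREAK_ON_EXECUTION (break on code execution), BP_BREAK_ON_WRITE (break on memory write), BP_BREAK_ON_ACCESS (break on memory read or write).
  • sizeFlag (int) - Size of breakpoint. Must be one of the following: BP_WATCH_BYTE, BP_WATCH_WORD, BP_WATCH_DWORD, BP_WATCH_QWORD.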
  • condition (function) - (Optional) Condition callback function.

    The callback signature is:

       def condition_callback(event):
           return True     # returns True or False
    

    Where event is an Event object, and the return value is a boolean (True to dispatch the event, False otherwise).

  • action (function) - (Optional) Action callback function. If specified, the event is handled by this callback instead of being dispatched normally.

    The callback signature is:

       def action_callback(event):
           pass        # no return value
    

    Where event is an Event object. The callback has no return value.

Returns: HardwareBreakpoint
The hardware breakpoint object.
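
The trigger and size flags accepted by define_hardware_breakpoint take the same numeric values as the R/W and LEN fields of the x86 DR7 debug control register, which is why BP_WATCH_QWORD (2) sorts before BP_WATCH_DWORD (3). The following is an added example, not WinAppDbg code: it assumes the flags are written unchanged into DR7, and check_watch, free_slot, arm, disarm and describe are hypothetical helper names; the addresses are constructed.

```python
# Added example: how the page's flag values fit the x86 DR7 layout.
# Assumption: triggerFlag and sizeFlag go unchanged into the R/W and LEN fields.

# Flag values as listed under "Class Variables" on this page.
BP_BREAK_ON_EXECUTION, BP_BREAK_ON_WRITE, BP_BREAK_ON_ACCESS = 0, 1, 3
BP_WATCH_BYTE, BP_WATCH_WORD, BP_WATCH_QWORD, BP_WATCH_DWORD = 0, 1, 2, 3

# Bytes covered by each size flag (DR7 LEN encoding).
WATCH_BYTES = {BP_WATCH_BYTE: 1, BP_WATCH_WORD: 2,
               BP_WATCH_QWORD: 8, BP_WATCH_DWORD: 4}
# R/W value 2 means "I/O access" on x86 and has no flag on this page.
TRIGGERS = {BP_BREAK_ON_EXECUTION: "execute",
            BP_BREAK_ON_WRITE: "write",
            BP_BREAK_ON_ACCESS: "access"}
SLOT_COUNT = 4  # DR0..DR3 hold the watched addresses, one per slot


def check_watch(address, trigger_flag, size_flag):
    """Validate one hardware breakpoint request; return the watched byte count."""
    if trigger_flag not in TRIGGERS:
        raise ValueError("unsupported trigger flag: %r" % (trigger_flag,))
    if size_flag not in WATCH_BYTES:
        raise ValueError("unsupported size flag: %r" % (size_flag,))
    if trigger_flag == BP_BREAK_ON_EXECUTION and size_flag != BP_WATCH_BYTE:
        # The architecture leaves other lengths undefined for execution.
        raise ValueError("execution breakpoints must use BP_WATCH_BYTE")
    size = WATCH_BYTES[size_flag]
    if address % size:
        raise ValueError("address 0x%x is not aligned to %d bytes" % (address, size))
    return size


def free_slot(dr7):
    """Return the first slot whose local and global enable bits are clear."""
    for slot in range(SLOT_COUNT):
        if not dr7 & (0b11 << (2 * slot)):
            return slot
    return None


def arm(dr7, address, trigger_flag=BP_BREAK_ON_ACCESS, size_flag=BP_WATCH_DWORD):
    """Place a request in the first free slot; return (new_dr7, slot).

    The defaults mirror define_hardware_breakpoint (triggerFlag=3, sizeFlag=3).
    """
    check_watch(address, trigger_flag, size_flag)
    slot = free_slot(dr7)
    if slot is None:
        raise RuntimeError("all four debug registers of this thread are in use")
    field = 16 + 4 * slot                      # R/W in bits 0-1, LEN in bits 2-3
    dr7 &= ~(0xF << field)
    dr7 |= (trigger_flag | (size_flag << 2)) << field
    dr7 |= 1 << (2 * slot)                     # local enable bit for this slot
    return dr7, slot


def disarm(dr7, slot):
    """Clear the enable bits and the R/W and LEN fields of one slot."""
    return dr7 & ~(0xF << (16 + 4 * slot)) & ~(0b11 << (2 * slot))


def describe(dr7):
    """Decode the enabled slots as (slot, trigger name, watched bytes)."""
    found = []
    for slot in range(SLOT_COUNT):
        if dr7 & (0b11 << (2 * slot)):
            bits = (dr7 >> (16 + 4 * slot)) & 0xF
            found.append((slot, TRIGGERS.get(bits & 3, "io"), WATCH_BYTES[bits >> 2]))
    return found


if __name__ == "__main__":
    # Constructed addresses: a dword watched for any access, then a qword
    # watched for writes only.
    dr7, _ = arm(0, 0x00403000)
    dr7, _ = arm(dr7, 0x00403008, BP_BREAK_ON_WRITE, BP_WATCH_QWORD)
    print(hex(dr7), describe(dr7))
```

The four-slot limit is per thread, which matches the API taking dwThreadId rather than dwProcessId for hardware breakpoints.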

has_code_breakpoint(self, dwProcessId, address)

Checks if a code breakpoint is defined at the given address.

Parameters:
  • dwProcessId (int) - Process global ID.
  • address (int) - Memory address of breakpoint.
Returns: bool
True if the breakpoint is defined, False otherwise.

has_page_breakpoint(self, dwProcessId, address)

Checks if a page breakpoint is defined at the given address.

Parameters:
  • dwProcessId (int) - Process global ID.
  • address (int) - Memory address of breakpoint.
Returns: bool
True if the breakpoint is defined, False otherwise.

has_hardware_breakpoint(self, dwThreadId, address)

Checks if a hardware breakpoint is defined at the given address.

Parameters:
  • dwThreadId (int) - Thread global ID.
  • address (int) - Memory address of breakpoint.
Returns: bool
True if the breakpoint is defined, False otherwise.

get_code_breakpoint(self, dwProcessId, address)

Returns the internally used breakpoint object, for the code breakpoint defined at the given address.

Parameters:
  • dwProcessId (int) - Process global ID.
  • address (int) - Memory address where the breakpoint is defined.
Returns: CodeBreakpoint
The code breakpoint object.

Warning: It's usually best to call the Debug methods instead of accessing the breakpoint objects directly.

See Also: define_code_breakpoint, has_code_breakpoint, enable_code_breakpoint, enable_one_shot_code_breakpoint, disable_code_breakpoint, erase_code_breakpoint

get_page_breakpoint(self, dwProcessId, address)

Returns the internally used breakpoint object, for the page breakpoint defined at the given address.

Parameters:
  • dwProcessId (int) - Process global ID.
  • address (int) - Memory address where the breakpoint is defined.
Returns: PageBreakpoint
The page breakpoint object.

Warning: It's usually best to call the Debug methods instead of accessing the breakpoint objects directly.

See Also: define_page_breakpoint, has_page_breakpoint, enable_page_breakpoint, enable_one_shot_page_breakpoint, disable_page_breakpoint, erase_page_breakpoint

get_hardware_breakpoint(self, dwThreadId, address)

Returns the internally used breakpoint object, for the hardware breakpoint defined at the given address.

Parameters:
  • dwThreadId (int) - Thread global ID.
  • address (int) - Memory address where the breakpoint is defined.
Returns: HardwareBreakpoint
The hardware breakpoint object.

Warning: It's usually best to call the Debug methods instead of accessing the breakpoint objects directly.

See Also: define_hardware_breakpoint, has_hardware_breakpoint, get_code_breakpoint, enable_hardware_breakpoint, enable_one_shot_hardware_breakpoint, disable_hardware_breakpoint, erase_hardware_breakpoint

enable_code_breakpoint(self, dwProcessId, address)

Enables the code breakpoint at the given address.

Parameters:
  • dwProcessId (int) - Process global ID.
  • address (int) - Memory address of breakpoint.

enable_page_breakpoint(self, dwProcessId, address)

Enables the page breakpoint at the given address.

Parameters:
  • dwProcessId (int) - Process global ID.
  • address (int) - Memory address of breakpoint.

enable_hardware_breakpoint(self, dwThreadId, address)

Enables the hardware breakpoint at the given address.

Parameters:
  • dwThreadId (int) - Thread global ID.
  • address (int) - Memory address of breakpoint.

See Also: define_hardware_breakpoint, has_hardware_breakpoint, get_hardware_breakpoint, enable_one_shot_hardware_breakpoint, disable_hardware_breakpoint, erase_hardware_breakpoint

Note: Do not set hardware breakpoints while processing the system breakpoint event.

enable_one_shot_code_breakpoint(self, dwProcessId, address)

Enables the code breakpoint at the given address for only one shot.

Parameters:
  • dwProcessId (int) - Process global ID.
  • address (int) - Memory address of breakpoint.

enable_one_shot_page_breakpoint(self, dwProcessId, address)

Enables the page breakpoint at the given address for only one shot.

Parameters:
  • dwProcessId (int) - Process global ID.
  • address (int) - Memory address of breakpoint.

enable_one_shot_hardware_breakpoint(self, dwThreadId, address)

Enables the hardware breakpoint at the given address for only one shot.

Parameters:
  • dwThreadId (int) - Thread global ID.
  • address (int) - Memory address of breakpoint.

disable_code_breakpoint(self, dwProcessId, address)

Disables the code breakpoint at the given address.

Parameters:
  • dwProcessId (int) - Process global ID.
  • address (int) - Memory address of breakpoint.

disable_page_breakpoint(self, dwProcessId, address)

Disables the page breakpoint at the given address.

Parameters:
  • dwProcessId (int) - Process global ID.
  • address (int) - Memory address of breakpoint.

disable_hardware_breakpoint(self, dwThreadId, address)

Disables the hardware breakpoint at the given address.

Parameters:
  • dwThreadId (int) - Thread global ID.
  • address (int) - Memory address of breakpoint.

erase_code_breakpoint(self, dwProcessId, address)

Erases the code breakpoint at the given address.

Parameters:
  • dwProcessId (int) - Process global ID.
  • address (int) - Memory address of breakpoint.

erase_page_breakpoint(self, dwProcessId, address)

Erases the page breakpoint at the given address.

Parameters:
  • dwProcessId (int) - Process global ID.
  • address (int) - Memory address of breakpoint.

erase_hardware_breakpoint(self, dwThreadId, address)

Erases the hardware breakpoint at the given address.

Parameters:
  • dwThreadId (int) - Thread global ID.
  • address (int) - Memory address of breakpoint.

get_all_breakpoints(self)

Returns all breakpoint objects as a list of tuples.

Each tuple contains:

  • Process global ID to which the breakpoint applies.
  • Thread global ID to which the breakpoint applies, or None.
  • The Breakpoint object itself.
Returns: list of tuple( pid, tid, bp )
List of all breakpoints.

Note: If you're only interested in a specific breakpoint type, or in breakpoints for a specific process or thread, it's probably faster to call one of the following methods:

get_all_code_breakpoints(self)

Returns: list of tuple( int, CodeBreakpoint )
All code breakpoints as a list of tuples (pid, bp).

get_all_page_breakpoints(self)

Returns: list of tuple( int, PageBreakpoint )
All page breakpoints as a list of tuples (pid, bp).

get_all_hardware_breakpoints(self)

Returns: list of tuple( int, HardwareBreakpoint )
All hardware breakpoints as a list of tuples (tid, bp).

get_process_breakpoints(self, dwProcessId)

Returns all breakpoint objects for the given process as a list of tuples.

Each tuple contains:

  • Process global ID to which the breakpoint applies.
  • Thread global ID to which the breakpoint applies, or None.
  • The Breakpoint object itself.
Parameters:
  • dwProcessId (int) - Process global ID.
Returns: list of tuple( pid, tid, bp )
List of all breakpoints for the given process.

Note: If you're only interested in a specific breakpoint type, or in breakpoints for a specific process or thread, it's probably faster to call one of the following methods:

get_process_code_breakpoints(self, dwProcessId)

Parameters:
  • dwProcessId (int) - Process global ID.
Returns: list of CodeBreakpoint
All code breakpoints for the given process.

get_process_page_breakpoints(self, dwProcessId)

Parameters:
  • dwProcessId (int) - Process global ID.
Returns: list of PageBreakpoint
All page breakpoints for the given process.

get_thread_hardware_breakpoints(self, dwThreadId)

Parameters:
  • dwThreadId (int) - Thread global ID.
Returns: list of HardwareBreakpoint
All hardware breakpoints for the given thread.

get_process_hardware_breakpoints(self, dwProcessId)

Parameters:
  • dwProcessId (int) - Process global ID.
Returns: list of tuple( int, HardwareBreakpoint )
All hardware breakpoints for each thread in the given process as a list of tuples (tid, bp).

enable_all_breakpoints(self)

Enables all disabled breakpoints in all processes.

See Also: enable_code_breakpoint, enable_page_breakpoint, enable_hardware_breakpoint

enable_one_shot_all_breakpoints(self)

Enables for one shot all disabled breakpoints in all processes.

See Also: enable_one_shot_code_breakpoint, enable_one_shot_page_breakpoint, enable_one_shot_hardware_breakpoint

disable_all_breakpoints(self)

Disables all breakpoints in all processes.

See Also: disable_code_breakpoint, disable_page_breakpoint, disable_hardware_breakpoint

erase_all_breakpoints(self)

Erases all breakpoints in all processes.

See Also: erase_code_breakpoint, erase_page_breakpoint, erase_hardware_breakpoint

enable_process_breakpoints(self, dwProcessId)

Enables all disabled breakpoints for the given process.

Parameters:
  • dwProcessId (int) - Process global ID.

enable_one_shot_process_breakpoints(self, dwProcessId)

Enables for one shot all disabled breakpoints for the given process.

Parameters:
  • dwProcessId (int) - Process global ID.

disable_process_breakpoints(self, dwProcessId)

Disables all breakpoints for the given process.

Parameters:
  • dwProcessId (int) - Process global ID.

erase_process_breakpoints(self, dwProcessId)

Erases all breakpoints for the given process.

Parameters:
  • dwProcessId (int) - Process global ID.

_notify_guard_page(self, event)

Notify breakpoints of a guard page exception event.

Parameters:
Returns: bool
True to call the user-defined handler, False otherwise.

_notify_breakpoint(self, event)

Notify breakpoints of a breakpoint exception event.

Parameters:
Returns: bool
True to call the user-defined handler, False otherwise.

_notify_single_step(self, event)

Notify breakpoints of a single step exception event.

Parameters:
Returns: bool
True to call the user-defined handler, False otherwise.

_notify_load_dll(self, event)

Notify the loading of a DLL.

Parameters:
Returns: bool
True to call the user-defined handler, False otherwise.

_notify_unload_dll(self, event)

Notify the unloading of a DLL.

Parameters:
Returns: bool
True to call the user-defined handler, False otherwise.

_notify_exit_thread(self, event)

Notify the termination of a thread.

Parameters:
Returns: bool
True to call the user-defined handler, False otherwise.

_notify_exit_process(self, event)

Notify the termination of a process.

Parameters:
Returns: bool
True to call the user-defined handler, False otherwise.

__set_break(self, pid, address, action, oneshot)

 

Used by break_at and stalk_at.

Parameters:
  • pid (int) - Process global ID.
  • address (int or str) - Memory address of code instruction to break at. It can be an integer value for the actual address or a string with a label to be resolved.
  • action (function) - (Optional) Action callback function.

    See define_code_breakpoint for more details.

  • oneshot (bool) - True for one-shot breakpoints, False otherwise.
Returns: Breakpoint
Returns the new Breakpoint object, or None if the label couldn't be resolved and the breakpoint was deferred. Deferred breakpoints are set when the DLL they point to is loaded.

__clear_break(self, pid, address)

 

Used by dont_break_at and dont_stalk_at.

Parameters:
  • pid (int) - Process global ID.
  • address (int or str) - Memory address of code instruction to break at. It can be an integer value for the actual address or a string with a label to be resolved.

__set_deferred_breakpoints(self, event)

 

Used internally. Sets all deferred breakpoints for a DLL when it's loaded.

Parameters:

get_all_deferred_code_breakpoints(self)

Returns a list of deferred code breakpoints.

Returns: tuple of (int, str, callable, bool)
Tuple containing the following elements:
  • Process ID where to set the breakpoint.
  • Label pointing to the address where to set the breakpoint.
  • Action callback for the breakpoint.
  • True if the breakpoint is one-shot, False otherwise.

get_process_deferred_code_breakpoints(self, dwProcessId)

Returns a list of deferred code breakpoints.

Parameters:
  • dwProcessId (int) - Process ID.
Returns: tuple of (int, str, callable, bool)
Tuple containing the following elements:
  • Label pointing to the address where to set the breakpoint.
  • Action callback for the breakpoint.
  • True if the breakpoint is one-shot, False otherwise.

stalk_at(self, pid, address, action=None)

Sets a one-shot code breakpoint at the given process and address.

If instead of an address you pass a label, the breakpoint may be deferred until the DLL it points to is loaded.

Parameters:
  • pid (int) - Process global ID.
  • address (int or str) - Memory address of code instruction to break at. It can be an integer value for the actual address or a string with a label to be resolved.
  • action (function) - (Optional) Action callback function.

    See define_code_breakpoint for more details.

Returns: bool
True if the breakpoint was set immediately, or False if it was deferred.

See Also: break_at, dont_stalk_at

break_at(self, pid, address, action=None)

Sets a code breakpoint at the given process and address.

If instead of an address you pass a label, the breakpoint may be deferred until the DLL it points to is loaded.

Parameters:
  • pid (int) - Process global ID.
  • address (int or str) - Memory address of code instruction to break at. It can be an integer value for the actual address or a string with a label to be resolved.
  • action (function) - (Optional) Action callback function.

    See define_code_breakpoint for more details.

Returns: bool
True if the breakpoint was set immediately, or False if it was deferred.

See Also: stalk_at, dont_break_at

dont_break_at(self, pid, address)

Clears a code breakpoint set by break_at.

Parameters:
  • pid (int) - Process global ID.
  • address (int or str) - Memory address of code instruction to break at. It can be an integer value for the actual address or a string with a label to be resolved.

dont_stalk_at(self, pid, address)


Clears a code breakpoint set by stalk_at.

Parameters:
  • pid (int) - Process global ID.
  • address (int or str) - Memory address of code instruction to break at. It can be an integer value for the actual address or a string with a label to be resolved.

hook_function(self, pid, address, preCB=None, postCB=None, paramCount=None, signature=None)


Sets a function hook at the given address.

If instead of an address you pass a label, the hook may be deferred until the DLL it points to is loaded.

Parameters:
  • pid (int) - Process global ID.
  • address (int or str) - Memory address of code instruction to break at. It can be an integer value for the actual address or a string with a label to be resolved.
  • preCB (function) - (Optional) Callback triggered on function entry.

    The signature for the callback should be something like this:

       def pre_LoadLibraryEx(event, ra, lpFilename, hFile, dwFlags):
    
           # ra is the return address (already passed in as a parameter)
    
           # function arguments start from here...
           szFilename = event.get_process().peek_string(lpFilename)
    
           # (...)
    

    Note that all pointer types are treated like void pointers, so your callback won't get the string or structure being pointed to, but the remote memory address instead. This prevents the ctypes library from being "too helpful" and trying to dereference the pointer. To get the actual data being pointed to, use one of the Process.read methods.

  • postCB (function) - (Optional) Callback triggered on function exit.

    The signature for the callback should be something like this:

       def post_LoadLibraryEx(event, return_value):
    
           # (...)
    
  • paramCount (int) - (Optional) Number of parameters for the preCB callback, not counting the return address. Parameters are read from the stack and assumed to be DWORDs in 32 bits and QWORDs in 64.

    This is a faster way to pull stack parameters in 32 bits, but in 64 bits (or with some odd APIs in 32 bits) it won't be useful, since not all arguments to the hooked function will be of the same size.

    For a more reliable and cross-platform way of hooking use the signature argument instead.

  • signature (tuple) - (Optional) Tuple of ctypes data types that constitute the hooked function signature. When the function is called, this will be used to parse the arguments from the stack. Overrides the paramCount argument.
Returns: bool
True if the hook was set immediately, or False if it was deferred.
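
The difference between paramCount and signature described above, shown as an added example: this is a simplified model written for this page, not WinAppDbg code and not the library's implementation. It assumes a 32-bit target and uses SetFilePointerEx, whose second argument is a 64-bit value passed by value; the stack bytes are constructed, the function names are hypothetical, and fixed-width ctypes types stand in for handles and pointers so the model behaves the same on any host.

```python
import ctypes
import struct

SLOT = 4  # one stack slot (DWORD) on a 32-bit target

# Constructed 32-bit stack at entry to SetFilePointerEx:
# return address, hFile, liDistanceToMove (64-bit, by value),
# lpNewFilePointer, dwMoveMethod (2 = FILE_END).
STACK = struct.pack("=IIqII", 0x00401234, 0xA4, 0x100000010, 0x0012FF40, 2)

# Fixed-width stand-ins (an assumption of this model): handles and
# pointers are 32-bit values on this target.
SIGNATURE = (ctypes.c_uint32,   # hFile
             ctypes.c_int64,    # liDistanceToMove
             ctypes.c_uint32,   # lpNewFilePointer (address only)
             ctypes.c_uint32)   # dwMoveMethod


def read_by_param_count(stack, param_count):
    """Model of paramCount: every argument is assumed to be one DWORD."""
    values = struct.unpack_from("=%dI" % (param_count + 1), stack, 0)
    return values[0], values[1:]


def read_by_signature(stack, signature):
    """Model of signature: each type consumes its own size, in whole slots."""
    ra = ctypes.c_uint32.from_buffer_copy(stack, 0).value
    offset, args = SLOT, []
    for ctype in signature:
        args.append(ctype.from_buffer_copy(stack, offset).value)
        slots = (ctypes.sizeof(ctype) + SLOT - 1) // SLOT
        offset += slots * SLOT
    return ra, tuple(args)


if __name__ == "__main__":
    ra, by_count = read_by_param_count(STACK, 4)
    print("paramCount=4:", [hex(v) for v in by_count])
    ra, by_sig = read_by_signature(STACK, SIGNATURE)
    print("signature:   ", [hex(v) for v in by_sig])
```

With paramCount=4 the 64-bit offset is split across two arguments, the buffer address lands in the fourth position and dwMoveMethod is never read; the signature tuple recovers all four values.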

stalk_function(self, pid, address, preCB=None, postCB=None, paramCount=None, signature=None)


Sets a one-shot function hook at the given address.

If instead of an address you pass a label, the hook may be deferred until the DLL it points to is loaded.

Parameters:
  • pid (int) - Process global ID.
  • address (int or str) - Memory address of code instruction to break at. It can be an integer value for the actual address or a string with a label to be resolved.
  • preCB (function) - (Optional) Callback triggered on function entry.

    The signature for the callback should be something like this:

       def pre_LoadLibraryEx(event, ra, lpFilename, hFile, dwFlags):
    
           # ra is the return address (already passed in as a parameter)
    
           # function arguments start from here...
           szFilename = event.get_process().peek_string(lpFilename)
    
           # (...)
    

    Note that all pointer types are treated like void pointers, so your callback won't get the string or structure being pointed to, but the remote memory address instead. This prevents the ctypes library from being "too helpful" and trying to dereference the pointer. To get the actual data being pointed to, use one of the Process.read methods.

  • postCB (function) - (Optional) Callback triggered on function exit.

    The signature for the callback should be something like this:

       def post_LoadLibraryEx(event, return_value):
    
           # (...)
    
  • paramCount (int) - (Optional) Number of parameters for the preCB callback, not counting the return address. Parameters are read from the stack and assumed to be DWORDs in 32 bits and QWORDs in 64.

    This is a faster way to pull stack parameters in 32 bits, but in 64 bits (or with some odd APIs in 32 bits) it won't be useful, since not all arguments to the hooked function will be of the same size.

    For a more reliable and cross-platform way of hooking use the signature argument instead.

  • signature (tuple) - (Optional) Tuple of ctypes data types that constitute the hooked function signature. When the function is called, this will be used to parse the arguments from the stack. Overrides the paramCount argument.
Returns: bool
True if the breakpoint was set immediately, or False if it was deferred.

dont_hook_function(self, pid, address)


Removes a function hook set by hook_function.

Parameters:
  • pid (int) - Process global ID.
  • address (int or str) - Memory address of code instruction to break at. It can be an integer value for the actual address or a string with a label to be resolved.

unhook_function(self, pid, address)


Removes a function hook set by hook_function.

Parameters:
  • pid (int) - Process global ID.
  • address (int or str) - Memory address of code instruction to break at. It can be an integer value for the actual address or a string with a label to be resolved.

dont_stalk_function(self, pid, address)


Removes a function hook set by stalk_function.

Parameters:
  • pid (int) - Process global ID.
  • address (int or str) - Memory address of code instruction to break at. It can be an integer value for the actual address or a string with a label to be resolved.

__set_variable_watch(self, tid, address, size, action)

 

Used by watch_variable and stalk_variable.

Parameters:
  • tid (int) - Thread global ID.
  • address (int) - Memory address of variable to watch.
  • size (int) - Size of variable to watch. The only supported sizes are: byte (1), word (2), dword (4) and qword (8).
  • action (function) - (Optional) Action callback function.

    See define_hardware_breakpoint for more details.

Returns: HardwareBreakpoint
Hardware breakpoint at the requested address.

__clear_variable_watch(self, tid, address)

 

Used by dont_watch_variable and dont_stalk_variable.

Parameters:
  • tid (int) - Thread global ID.
  • address (int) - Memory address of variable to stop watching.

watch_variable(self, tid, address, size, action=None)


Sets a hardware breakpoint at the given thread, address and size.

Parameters:
  • tid (int) - Thread global ID.
  • address (int) - Memory address of variable to watch.
  • size (int) - Size of variable to watch. The only supported sizes are: byte (1), word (2), dword (4) and qword (8).
  • action (function) - (Optional) Action callback function.

    See define_hardware_breakpoint for more details.

stalk_variable(self, tid, address, size, action=None)


Sets a one-shot hardware breakpoint at the given thread, address and size.

Parameters:
  • tid (int) - Thread global ID.
  • address (int) - Memory address of variable to watch.
  • size (int) - Size of variable to watch. The only supported sizes are: byte (1), word (2), dword (4) and qword (8).
  • action (function) - (Optional) Action callback function.

    See define_hardware_breakpoint for more details.

dont_watch_variable(self, tid, address)


Clears a hardware breakpoint set by watch_variable.

Parameters:
  • tid (int) - Thread global ID.
  • address (int) - Memory address of variable to stop watching.

dont_stalk_variable(self, tid, address)


Clears a hardware breakpoint set by stalk_variable.

Parameters:
  • tid (int) - Thread global ID.
  • address (int) - Memory address of variable to stop watching.

__set_buffer_watch(self, pid, address, size, action, bOneShot)

 

Used by watch_buffer and stalk_buffer.

Parameters:
  • pid (int) - Process global ID.
  • address (int) - Memory address of buffer to watch.
  • size (int) - Size in bytes of buffer to watch.
  • action (function) - (Optional) Action callback function.

    See define_page_breakpoint for more details.

  • bOneShot (bool) - True to set a one-shot breakpoint, False to set a normal breakpoint.

__clear_buffer_watch_old_method(self, pid, address, size)

 

Used by dont_watch_buffer and dont_stalk_buffer.

Parameters:
  • pid (int) - Process global ID.
  • address (int) - Memory address of buffer to stop watching.
  • size (int) - Size in bytes of buffer to stop watching.

Warning: Deprecated since WinAppDbg 1.5.

__clear_buffer_watch(self, bw)

 

Used by dont_watch_buffer and dont_stalk_buffer.

Parameters:

watch_buffer(self, pid, address, size, action=None)


Sets a page breakpoint and notifies when the given buffer is accessed.

Parameters:
  • pid (int) - Process global ID.
  • address (int) - Memory address of buffer to watch.
  • size (int) - Size in bytes of buffer to watch.
  • action (function) - (Optional) Action callback function.

    See define_page_breakpoint for more details.

Returns: BufferWatch
Buffer watch identifier.

stalk_buffer(self, pid, address, size, action=None)


Sets a one-shot page breakpoint and notifies when the given buffer is accessed.

Parameters:
  • pid (int) - Process global ID.
  • address (int) - Memory address of buffer to watch.
  • size (int) - Size in bytes of buffer to watch.
  • action (function) - (Optional) Action callback function.

    See define_page_breakpoint for more details.

Returns: BufferWatch
Buffer watch identifier.

dont_watch_buffer(self, bw, *argv, **argd)


Clears a page breakpoint set by watch_buffer.

Parameters:

dont_stalk_buffer(self, bw, *argv, **argd)


Clears a page breakpoint set by stalk_buffer.

Parameters:

__start_tracing(self, thread)

 
Parameters:
  • thread (Thread) - Thread to start tracing.

__stop_tracing(self, thread)

 
Parameters:
  • thread (Thread) - Thread to stop tracing.

is_tracing(self, tid)

Parameters:
  • tid (int) - Thread global ID.
Returns: bool
True if the thread is being traced, False otherwise.

get_traced_tids(self)


Retrieves the list of global IDs of all threads being traced.

Returns: list( int... )
List of thread global IDs.

start_tracing(self, tid)


Start tracing mode in the given thread.

Parameters:
  • tid (int) - Global ID of thread to start tracing.

stop_tracing(self, tid)


Stop tracing mode in the given thread.

Parameters:
  • tid (int) - Global ID of thread to stop tracing.

start_tracing_process(self, pid)


Start tracing mode for all threads in the given process.

Parameters:
  • pid (int) - Global ID of process to start tracing.

stop_tracing_process(self, pid)


Stop tracing mode for all threads in the given process.

Parameters:
  • pid (int) - Global ID of process to stop tracing.

break_on_error(self, pid, errorCode)


Sets or clears the system breakpoint for a given Win32 error code.

Use Process.is_system_defined_breakpoint to tell if a breakpoint exception was caused by a system breakpoint or by the application itself (for example because of a failed assertion in the code).

Parameters:
  • pid (int) - Process ID.
  • errorCode (int) - Win32 error code to stop on. Set to 0 or ERROR_SUCCESS to clear the breakpoint instead.
Raises:
  • NotImplementedError - The functionality is not supported in this system.
  • WindowsError - An error occurred while processing this request.

Note: This functionality is only available since Windows Server 2003. In 2003 it only breaks on error values set externally to the kernel32.dll library, but this was fixed in Windows Vista.

Warning: This method will fail if the debug symbols for ntdll (kernel32 in Windows 2003) are not present. For more information see: System.fix_symbol_store_path.

See Also: http://www.nynaeve.net/?p=147

dont_break_on_error(self, pid)


Alias to break_on_error(pid, ERROR_SUCCESS).

Parameters:
  • pid (int) - Process ID.
Raises:
  • NotImplementedError - The functionality is not supported in this system.
  • WindowsError - An error occurred while processing this request.

resolve_exported_function(self, pid, modName, procName)


Resolves the exported DLL function for the given process.

Parameters:
  • pid (int) - Process global ID.
  • modName (str) - Name of the module that exports the function.
  • procName (str) - Name of the exported function to resolve.
Returns: int, None
On success, the address of the exported function. On failure, returns None.

resolve_label(self, pid, label)


Resolves a label for the given process.

Parameters:
  • pid (int) - Process global ID.
  • label (str) - Label to resolve.
Returns: int
Memory address pointed to by the label.
Raises:
  • ValueError - The label is malformed or impossible to resolve.
  • RuntimeError - Cannot resolve the module or function.

_BreakpointContainer__clear_break(self, pid, address)


Used by dont_break_at and dont_stalk_at.

Parameters:
  • pid (int) - Process global ID.
  • address (int or str) - Memory address of code instruction to break at. It can be an integer value for the actual address or a string with a label to be resolved.

_BreakpointContainer__clear_buffer_watch(self, bw)


Used by dont_watch_buffer and dont_stalk_buffer.

Parameters:

_BreakpointContainer__clear_buffer_watch_old_method(self, pid, address, size)


Used by dont_watch_buffer and dont_stalk_buffer.

Parameters:
  • pid (int) - Process global ID.
  • address (int) - Memory address of buffer to stop watching.
  • size (int) - Size in bytes of buffer to stop watching.

Warning: Deprecated since WinAppDbg 1.5.

_BreakpointContainer__clear_variable_watch(self, tid, address)


Used by dont_watch_variable and dont_stalk_variable.

Parameters:
  • tid (int) - Thread global ID.
  • address (int) - Memory address of variable to stop watching.

_BreakpointContainer__set_break(self, pid, address, action, oneshot)


Used by break_at and stalk_at.

Parameters:
  • pid (int) - Process global ID.
  • address (int or str) - Memory address of code instruction to break at. It can be an integer value for the actual address or a string with a label to be resolved.
  • action (function) - (Optional) Action callback function.

    See define_code_breakpoint for more details.

  • oneshot (bool) - True for one-shot breakpoints, False otherwise.
Returns: Breakpoint
Returns the new Breakpoint object, or None if the label couldn't be resolved and the breakpoint was deferred. Deferred breakpoints are set when the DLL they point to is loaded.

_BreakpointContainer__set_buffer_watch(self, pid, address, size, action, bOneShot)


Used by watch_buffer and stalk_buffer.

Parameters:
  • pid (int) - Process global ID.
  • address (int) - Memory address of buffer to watch.
  • size (int) - Size in bytes of buffer to watch.
  • action (function) - (Optional) Action callback function.

    See define_page_breakpoint for more details.

  • bOneShot (bool) - True to set a one-shot breakpoint, False to set a normal breakpoint.

_BreakpointContainer__set_deferred_breakpoints(self, event)


Used internally. Sets all deferred breakpoints for a DLL when it's loaded.

Parameters:

_BreakpointContainer__set_variable_watch(self, tid, address, size, action)


Used by watch_variable and stalk_variable.

Parameters:
  • tid (int) - Thread global ID.
  • address (int) - Memory address of variable to watch.
  • size (int) - Size of variable to watch. The only supported sizes are: byte (1), word (2), dword (4) and qword (8).
  • action (function) - (Optional) Action callback function.

    See define_hardware_breakpoint for more details.

Returns: HardwareBreakpoint
Hardware breakpoint at the requested address.

_BreakpointContainer__start_tracing(self, thread)

Parameters:
  • thread (Thread) - Thread to start tracing.

_BreakpointContainer__stop_tracing(self, thread)

Parameters:
  • thread (Thread) - Thread to stop tracing.