Class Thread

x.__init__(...) initializes x; see help(type(x)) for signature

Parameters:

• dwThreadId (int) - Global thread ID.
• hThread (ThreadHandle) - (Optional) Handle to the thread.
• process (Process) - (Optional) Parent Process object.

Overrides: object.__init__

Returns: Process

Parent Process object. Returns None if unknown.

Manually set the parent Process object. Use with care!

Parameters:

• process (Process) - (Optional) Process object. Use None for no process.

Returns: int

Parent process global ID.

Raises:

• WindowsError - An error occured when calling a Win32 API function.
• RuntimeError - The parent process ID can't be found.

Returns: int

Thread global ID.

Returns: str

Thread name, or None if the thread is nameless.

Sets the thread's name.

Parameters:

• name (str) - Thread name, or None if the thread is nameless.

Opens a new handle to the thread, closing the previous one.

The new handle is stored in the hThread property.

Parameters:

• dwDesiredAccess (int) - Desired access rights. Defaults to win32.THREAD_ALL_ACCESS. See: http://msdn.microsoft.com/en-us/library/windows/desktop/ms686769(v=vs.85).aspx

Raises:

• WindowsError - It's not possible to open a handle to the thread with the requested access rights. This tipically happens because the target thread belongs to system process and the debugger is not runnning with administrative rights.

Closes the handle to the thread.

Returns a handle to the thread with at least the access rights requested.

Parameters:

• dwDesiredAccess (int) - Desired access rights. See: http://msdn.microsoft.com/en-us/library/windows/desktop/ms686769(v=vs.85).aspx

Returns: ThreadHandle

Handle to the thread.

Raises:

• WindowsError - It's not possible to open a handle to the thread with the requested access rights. This tipically happens because the target thread belongs to system process and the debugger is not runnning with administrative rights.

Waits for the thread to finish executing.

Parameters:

• dwTimeout (int) - (Optional) Timeout value in milliseconds. Use INFINITE or None for no timeout.

Terminates the thread execution.

Parameters:

• dwExitCode (int) - (Optional) Thread exit code.

Suspends the thread execution.

Returns: int

Suspend count. If zero, the thread is running.

Resumes the thread execution.

Returns: int

Suspend count. If zero, the thread is running.

Returns: bool

True if the thread if currently running.

Raises:

• WindowsError - The debugger doesn't have enough privileges to perform this action.

Returns: int

Thread exit code, or STILL_ACTIVE if it's still alive.

Returns: list of Window

Returns a list of windows handled by this thread.

Retrieves the execution context (i.e. the registers values) for this thread.

Parameters:

• ContextFlags (int) - Optional, specify which registers to retrieve. Defaults to win32.CONTEXT_ALL which retrieves all registes for the current platform.
• bSuspend (bool) - True to automatically suspend the thread before getting its context, False otherwise.

  Defaults to False because suspending the thread during some debug events (like thread creation or destruction) may lead to strange errors.

  Note that WinAppDbg 1.4 used to suspend the thread automatically always. This behavior was changed in version 1.5.

Returns: dict( str → int )

Dictionary mapping register names to their values.

Sets the values of the registers.

Parameters:

• context (dict( str → int )) - Dictionary mapping register names to their values.
• bSuspend (bool) - True to automatically suspend the thread before setting its context, False otherwise.

  Defaults to False because suspending the thread during some debug events (like thread creation or destruction) may lead to strange errors.

  Note that WinAppDbg 1.4 used to suspend the thread automatically always. This behavior was changed in version 1.5.

Parameters:

• register (str) - Register name.

Returns: int

Value of the requested register.

Sets the value of a specific register.

Parameters:

• register (str) - Register name.

Returns: int

Register value.

Returns: int

Value of the program counter register.

Sets the value of the program counter register.

Parameters:

• pc (int) - Value of the program counter register.

Returns: int

Value of the stack pointer register.

Sets the value of the stack pointer register.

Parameters:

• sp (int) - Value of the stack pointer register.

Returns: int

Value of the frame pointer register.

Sets the value of the frame pointer register.

Parameters:

• fp (int) - Value of the frame pointer register.

Parameters:

• FlagMask (int) - (Optional) Bitwise-AND mask.

Returns: int

Flags register contents, optionally masking out some bits.

Sets the flags register, optionally masking some bits.

Parameters:

• eflags (int) - Flags register contents.
• FlagMask (int) - (Optional) Bitwise-AND mask.

Parameters:

• FlagBit (int) - One of the Flags.

Returns: bool

Boolean value of the requested flag.

Sets a single flag, leaving the others intact.

Parameters:

• FlagBit (int) - One of the Flags.
• FlagValue (bool) - Boolean value of the flag.

Returns: bool

Boolean value of the Zero flag.

Returns: bool

Boolean value of the Carry flag.

Returns: bool

Boolean value of the Sign flag.

Returns: bool

Boolean value of the Direction flag.

Returns: bool

Boolean value of the Trap flag.

Determines if the thread is running under WOW64.

Returns: bool

True if the thread is running under WOW64. That is, it belongs to a 32-bit application running in a 64-bit Windows.

False if the thread belongs to either a 32-bit application running in a 32-bit Windows, or a 64-bit application running in a 64-bit Windows.

Raises:

• WindowsError - On error an exception is raised.

Returns: str

The architecture in which this thread believes to be running. For example, if running a 32 bit binary in a 64 bit machine, the architecture returned by this method will be win32.ARCH_I386, but the value of System.arch will be win32.ARCH_AMD64.

Returns: str

The number of bits in which this thread believes to be running. For example, if running a 32 bit binary in a 64 bit machine, the number of bits returned by this method will be 32, but the value of System.arch will be 64.

Determines if the thread has been hidden from debuggers.

Some binary packers hide their own threads to thwart debugging.

Returns: bool

True if the thread is hidden from debuggers. This means the thread's execution won't be stopped for debug events, and thus said events won't be sent to the debugger.

Returns a copy of the TEB. To dereference pointers in it call Process.read_structure.

Returns: TEB

TEB structure.

Raises:

• WindowsError - An exception is raised on error.

Returns a remote pointer to the TEB.

Returns: int

Remote pointer to the TEB structure.

Raises:

• WindowsError - An exception is raised on error.

Translates segment-relative addresses to linear addresses.

Linear addresses can be used to access a process memory, calling Process.read and Process.write.

Parameters:

• segment (str) - Segment register name.
• address (int) - Segment relative memory address.

Returns: int

Linear memory address.

Raises:

• ValueError - Address is too large for selector.
• WindowsError - The current architecture does not support selectors. Selectors only exist in x86-based systems.

Returns: str

Label that points to the instruction currently being executed.

Get the pointer to the first structured exception handler block.

Returns: int

Remote pointer to the first block of the structured exception handlers linked list. If the list is empty, the returned value is 0xFFFFFFFF.

Raises:

• NotImplementedError - This method is only supported in 32 bits versions of Windows.

Change the pointer to the first structured exception handler block.

Parameters:

• value (int) - Value of the remote pointer to the first block of the structured exception handlers linked list. To disable SEH set the value 0xFFFFFFFF.

Raises:

• NotImplementedError - This method is only supported in 32 bits versions of Windows.

Returns: list of tuple( int, int )

List of structured exception handlers. Each SEH is represented as a tuple of two addresses:

• Address of this SEH block
• Address of the SEH callback function

Do not confuse this with the contents of the SEH block itself, where the first member is a pointer to the next block instead.

Raises:

• NotImplementedError - This method is only supported in 32 bits versions of Windows.

Returns: tuple of ( list of win32.WaitChainNodeInfo structures, bool)

Wait chain for the thread. The boolean indicates if there's a cycle in the chain (a deadlock).

Raises:

• AttributeError - This method is only suppported in Windows Vista and above.

Returns: tuple( int, int )

Stack beginning and end pointers, in memory addresses order. That is, the first pointer is the stack top, and the second pointer is the stack bottom, since the stack grows towards lower memory addresses.

Raises:

• WindowsError - Raises an exception on error.

Tries to get a stack trace for the current function. Only works for functions with standard prologue and epilogue.

Parameters:

• depth (int) - Maximum depth of stack trace.

Returns: tuple of tuple( int, int, str )

Stack trace of the thread as a tuple of ( return address, frame pointer address, module filename ).

Raises:

• WindowsError - Raises an exception on error.

Tries to get a stack trace for the current function. Only works for functions with standard prologue and epilogue.

Parameters:

• depth (int) - Maximum depth of stack trace.
• bMakePretty (bool) - True for user readable labels, False for labels that can be passed to Process.resolve_label.

  "Pretty" labels look better when producing output for the user to read, while pure labels are more useful programatically.

Returns: tuple of tuple( int, int, str )

Stack trace of the thread as a tuple of ( return address, frame pointer label ).

Raises:

• WindowsError - Raises an exception on error.

Returns the starting and ending addresses of the stack frame. Only works for functions with standard prologue and epilogue.

Returns: tuple( int, int )

Stack frame range. May not be accurate, depending on the compiler used.

Raises:

• RuntimeError - The stack frame is invalid, or the function doesn't have a standard prologue and epilogue.
• WindowsError - An error occured when getting the thread context.

Reads the contents of the current stack frame. Only works for functions with standard prologue and epilogue.

Parameters:

• max_size (int) - (Optional) Maximum amount of bytes to read.

Returns: str

Stack frame data. May not be accurate, depending on the compiler used. May return an empty string.

Raises:

• RuntimeError - The stack frame is invalid, or the function doesn't have a standard prologue and epilogue.
• WindowsError - An error occured when getting the thread context or reading data from the process memory.

Reads the contents of the top of the stack.

Parameters:

• size (int) - Number of bytes to read.
• offset (int) - Offset from the stack pointer to begin reading.

Returns: str

Stack data.

Raises:

• WindowsError - Could not read the requested data.

Tries to read the contents of the top of the stack.

Parameters:

• size (int) - Number of bytes to read.
• offset (int) - Offset from the stack pointer to begin reading.

Returns: str

Stack data. Returned data may be less than the requested size.

Reads DWORDs from the top of the stack.

Parameters:

• count (int) - Number of DWORDs to read.
• offset (int) - Offset from the stack pointer to begin reading.

Returns: tuple( int... )

Tuple of integers read from the stack.

Raises:

• WindowsError - Could not read the requested data.

Tries to read DWORDs from the top of the stack.

Parameters:

• count (int) - Number of DWORDs to read.
• offset (int) - Offset from the stack pointer to begin reading.

Returns: tuple( int... )

Tuple of integers read from the stack. May be less than the requested number of DWORDs.

Reads QWORDs from the top of the stack.

Parameters:

• count (int) - Number of QWORDs to read.
• offset (int) - Offset from the stack pointer to begin reading.

Returns: tuple( int... )

Tuple of integers read from the stack.

Raises:

• WindowsError - Could not read the requested data.

Tries to read QWORDs from the top of the stack.

Parameters:

• count (int) - Number of QWORDs to read.
• offset (int) - Offset from the stack pointer to begin reading.

Returns: tuple( int... )

Tuple of integers read from the stack. May be less than the requested number of QWORDs.

Reads the given structure at the top of the stack.

Parameters:

• structure (ctypes.Structure) - Structure of the data to read from the stack.
• offset (int) - Offset from the stack pointer to begin reading. The stack pointer is the same returned by the get_sp method.

Returns: tuple

Tuple of elements read from the stack. The type of each element matches the types in the stack frame structure.

Reads the stack frame of the thread.

Parameters:

• structure (ctypes.Structure) - Structure of the stack frame.
• offset (int) - Offset from the frame pointer to begin reading. The frame pointer is the same returned by the get_fp method.

Returns: tuple

Tuple of elements read from the stack frame. The type of each element matches the types in the stack frame structure.

Tries to read some bytes of the code currently being executed.

Parameters:

• size (int) - Number of bytes to read.
• offset (int) - Offset from the program counter to begin reading.

Returns: str

Bytes read from the process memory.

Raises:

• WindowsError - Could not read the requested data.

Tries to read some bytes of the code currently being executed.

Parameters:

• size (int) - Number of bytes to read.
• offset (int) - Offset from the program counter to begin reading.

Returns: str

Bytes read from the process memory. May be less than the requested number of bytes.

Tries to guess which values in the registers are valid pointers, and reads some data from them.

Parameters:

• peekSize (int) - Number of bytes to read from each pointer found.
• context (dict( str → int )) - (Optional) Dictionary mapping register names to their values. If not given, the current thread context will be used.

Returns: dict( str → str )

Dictionary mapping register names to the data they point to.

Tries to guess which values in the given data are valid pointers, and reads some data from them.

Parameters:

• data (str) - Binary data to find pointers in.
• peekSize (int) - Number of bytes to read from each pointer found.
• peekStep (int) - Expected data alignment. Tipically you specify 1 when data alignment is unknown, or 4 when you expect data to be DWORD aligned. Any other value may be specified.

Returns: dict( str → str )

Dictionary mapping stack offsets to the data they point to.

Disassemble instructions from a block of binary code.

Parameters:

• lpAddress (int) - Memory address where the code was read from.
• code (str) - Binary code to disassemble.

Returns: list of tuple( long, int, str, str )

List of tuples. Each tuple represents an assembly instruction and contains:

• Memory address of instruction.
• Size of instruction in bytes.
• Disassembly line of instruction.
• Hexadecimal dump of instruction.

Disassemble instructions from the address space of the process.

Parameters:

• lpAddress (int) - Memory address where to read the code from.
• dwSize (int) - Size of binary code to disassemble.

Returns: list of tuple( long, int, str, str )

List of tuples. Each tuple represents an assembly instruction and contains:

• Memory address of instruction.
• Size of instruction in bytes.
• Disassembly line of instruction.
• Hexadecimal dump of instruction.

Disassemble around the given address.

Parameters:

• lpAddress (int) - Memory address where to read the code from.
• dwSize (int) - Delta offset. Code will be read from lpAddress - dwSize to lpAddress + dwSize.

Returns: list of tuple( long, int, str, str )

List of tuples. Each tuple represents an assembly instruction and contains:

• Memory address of instruction.
• Size of instruction in bytes.
• Disassembly line of instruction.
• Hexadecimal dump of instruction.

Disassemble around the program counter of the given thread.

Parameters:

• dwSize (int) - Delta offset. Code will be read from pc - dwSize to pc + dwSize.

Returns: list of tuple( long, int, str, str )

List of tuples. Each tuple represents an assembly instruction and contains:

• Memory address of instruction.
• Size of instruction in bytes.
• Disassembly line of instruction.
• Hexadecimal dump of instruction.

Disassemble the instruction at the given memory address.

Parameters:

• lpAddress (int) - Memory address where to read the code from.

Returns: tuple( long, int, str, str )

The tuple represents an assembly instruction and contains:

• Memory address of instruction.
• Size of instruction in bytes.
• Disassembly line of instruction.
• Hexadecimal dump of instruction.

Disassemble the instruction at the program counter of the given thread.

Returns: tuple( long, int, str, str )

The tuple represents an assembly instruction and contains:

• Memory address of instruction.
• Size of instruction in bytes.
• Disassembly line of instruction.
• Hexadecimal dump of instruction.

process

Get Method:

get_process(self) - Returns: Parent Process object.

Set Method:

set_process(self, process=None) - Manually set the parent Process object.

dwThreadId

Type:

int

hThread

Type:

ThreadHandle

pInjectedMemory

The kill method uses this member to free the buffer when the injected thread is killed.

Type:

int