Home       Trees       Indices       Help   
WinAppDbg - Programming Reference
Package winappdbg :: Module breakpoint :: Class Hook
[hide private]
[frames] | no frames]

Class Hook

source code

Factory class to produce hook objects. Used by Debug.hook_function and Debug.stalk_function.

When you try to instance this class, one of the architecture specific implementations is returned instead.

Instances act as an action callback for code breakpoints set at the beginning of a function. It automatically retrieves the parameters from the stack, sets a breakpoint at the return address and retrieves the return value from the function call.

See Also: _Hook_i386, _Hook_amd64

Instance Methods [hide private]
 
__init__(self, preCB=None, postCB=None, paramCount=None, signature=None, arch=None)
x.__init__(...) initializes x; see help(type(x)) for signature		 source code
 
_cast_signature_pointers_to_void(self, signature) source code
 
_calc_signature(self, signature) source code
 
_get_return_address(self, aProcess, aThread) source code
 
_get_function_arguments(self, aProcess, aThread) source code
 
_get_return_value(self, aThread) source code
 
__call__(self, event)
Handles the breakpoint event on entry of the function.		 source code
 
__postCallAction_hwbp(self, event)
Handles hardware breakpoint events on return from the function.		 source code
 
__postCallAction_codebp(self, event)
Handles code breakpoint events on return from the function.		 source code
 
__postCallAction(self, event)
Calls the "post" callback.		 source code
 
__callHandler(self, callback, event, *params)
Calls a "pre" or "post" handler, if set.		 source code
 
__push_params(self, tid, params)
Remembers the arguments tuple for the last call to the hooked function from this thread.		 source code
 
__pop_params(self, tid)
Forgets the arguments tuple for the last call to the hooked function from this thread.		 source code
tuple( arg, arg, arg... )
get_params(self, tid)
Returns the parameters found in the stack when the hooked function was last called by this thread.		 source code
list of tuple( arg, arg, arg... )
get_params_stack(self, tid)
Returns the parameters found in the stack each time the hooked function was called by this thread and hasn't returned yet.		 source code
 
hook(self, debug, pid, address)
Installs the function hook at a given process and address.		 source code
 
unhook(self, debug, pid, address)
Removes the function hook at a given process and address.		 source code

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __reduce__, __reduce_ex__, __repr__, __setattr__, __sizeof__, __str__, __subclasshook__

Static Methods [hide private]
a new object with type S, a subtype of T
__new__(cls, *argv, **argd) source code
Class Variables [hide private]
bool useHardwareBreakpoints = False
True to try to use hardware breakpoints, False otherwise.
Properties [hide private]

Inherited from object: __class__

Method Details [hide private]

__new__(cls, *argv, **argd)
Static Method

source code 
Returns: a new object with type S, a subtype of T
Overrides: object.__new__
(inherited documentation)

__init__(self, preCB=None, postCB=None, paramCount=None, signature=None, arch=None)
(Constructor)

source code 

x.__init__(...) initializes x; see help(type(x)) for signature

Parameters:
  • preCB (function) - (Optional) Callback triggered on function entry.

    The signature for the callback should be something like this:

       def pre_LoadLibraryEx(event, ra, lpFilename, hFile, dwFlags):

       # return address
       ra = params[0]

       # function arguments start from here...
       szFilename = event.get_process().peek_string(lpFilename)

       # (...)

    Note that all pointer types are treated like void pointers, so your callback won't get the string or structure pointed to by it, but the remote memory address instead. This is so to prevent the ctypes library from being "too helpful" and trying to dereference the pointer. To get the actual data being pointed to, use one of the Process.read methods.

  • postCB (function) - (Optional) Callback triggered on function exit.

    The signature for the callback should be something like this:

       def post_LoadLibraryEx(event, return_value):

       # (...)
  • paramCount (int) - (Optional) Number of parameters for the preCB callback, not counting the return address. Parameters are read from the stack and assumed to be DWORDs in 32 bits and QWORDs in 64.

    This is a faster way to pull stack parameters in 32 bits, but in 64 bits (or with some odd APIs in 32 bits) it won't be useful, since not all arguments to the hooked function will be of the same size.

    For a more reliable and cross-platform way of hooking use the signature argument instead.

  • signature (tuple) - (Optional) Tuple of ctypes data types that constitute the hooked function signature. When the function is called, this will be used to parse the arguments from the stack. Overrides the paramCount argument.
  • arch (str) - (Optional) Target architecture. Defaults to the current architecture. See: win32.arch
Overrides: object.__init__

__call__(self, event)
(Call operator)

source code 

Handles the breakpoint event on entry of the function.

Parameters:
Raises:
  • WindowsError - An error occured.

__postCallAction_hwbp(self, event)

source code 

Handles hardware breakpoint events on return from the function.

Parameters:

__postCallAction_codebp(self, event)

source code 

Handles code breakpoint events on return from the function.

Parameters:

__postCallAction(self, event)

source code 

Calls the "post" callback.

Parameters:

__callHandler(self, callback, event, *params)

source code 

Calls a "pre" or "post" handler, if set.

Parameters:
  • callback (function) - Callback function to call.
  • event (ExceptionEvent) - Breakpoint hit event.
  • params (tuple) - Parameters for the callback function.

__push_params(self, tid, params)

source code 

Remembers the arguments tuple for the last call to the hooked function from this thread.

Parameters:
  • tid (int) - Thread global ID.
  • params (tuple( arg, arg, arg... )) - Tuple of arguments.

__pop_params(self, tid)

source code 

Forgets the arguments tuple for the last call to the hooked function from this thread.

Parameters:
  • tid (int) - Thread global ID.

get_params(self, tid)

source code 

Returns the parameters found in the stack when the hooked function was last called by this thread.

Parameters:
  • tid (int) - Thread global ID.
Returns: tuple( arg, arg, arg... )
Tuple of arguments.

get_params_stack(self, tid)

source code 

Returns the parameters found in the stack each time the hooked function was called by this thread and hasn't returned yet.

Parameters:
  • tid (int) - Thread global ID.
Returns: list of tuple( arg, arg, arg... )
List of argument tuples.

hook(self, debug, pid, address)

source code 

Installs the function hook at a given process and address.

Parameters:
  • debug (Debug) - Debug object.
  • pid (int) - Process ID.
  • address (int) - Function address.

See Also: unhook

Warning: Do not call from an function hook callback.

unhook(self, debug, pid, address)

source code 

Removes the function hook at a given process and address.

Parameters:
  • debug (Debug) - Debug object.
  • pid (int) - Process ID.
  • address (int) - Function address.

See Also: hook

Warning: Do not call from an function hook callback.


   Home       Trees       Indices       Help   
WinAppDbg - Programming Reference
Generated by Epydoc 3.0.1 on Fri Dec 20 17:54:50 2013 http://epydoc.sourceforge.net