Package winappdbg :: Module event :: Class CreateProcessEvent

Class CreateProcessEvent

Process creation event.

Instance Methods

FileHandle or None    get_file_handle(self)
    Returns: File handle to the main module, received from the system.

ProcessHandle    get_process_handle(self)
    Returns: Process handle received from the system.

ThreadHandle    get_thread_handle(self)
    Returns: Thread handle received from the system.

int    get_start_address(self)
    Returns: Pointer to the first instruction to execute in this process.

int    get_image_base(self)
    Returns: Base address of the main module.

int    get_teb(self)
    Returns: Pointer to the TEB.

str    get_debug_info(self)
    Returns: Debugging information.

str, None    get_filename(self)
    Returns: This method does its best to retrieve the filename of the main module of the process.

int    get_module_base(self)
    Returns: Base address of the main module.

Module    get_module(self)
    Returns: Main module of the process.

    __init__(self, debug, raw)
    x.__init__(...) initializes x; see help(type(x)) for signature (Inherited from winappdbg.event.Event)

int    get_event_code(self)
    Returns: Debug event code as defined in the Win32 API. (Inherited from winappdbg.event.Event)

str    get_event_description(self)
    Returns: User-friendly description of the event. (Inherited from winappdbg.event.Event)

str    get_event_name(self)
    Returns: User-friendly name of the event. (Inherited from winappdbg.event.Event)

int    get_pid(self)
    Returns: Process global ID where the event occurred. (Inherited from winappdbg.event.Event)

Process    get_process(self)
    Returns: Process where the event occurred. (Inherited from winappdbg.event.Event)

Thread    get_thread(self)
    Returns: Thread where the event occurred. (Inherited from winappdbg.event.Event)

int    get_tid(self)
    Returns: Thread global ID where the event occurred. (Inherited from winappdbg.event.Event)

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __repr__, __setattr__, __sizeof__, __str__, __subclasshook__

Class Variables

str eventMethod = 'create_process'
    Method name to call when using EventHandler subclasses.
str eventName = 'Process creation event'
    User-friendly name of the event.
str eventDescription = 'A new process has started.'
    User-friendly description of the event.

Instance Variables

int continueStatus
    Continue status to pass to win32.ContinueDebugEvent. (Inherited from winappdbg.event.Event)
Debug debug
    Debug object that received the event. (Inherited from winappdbg.event.Event)
DEBUG_EVENT raw
    Raw DEBUG_EVENT structure as used by the Win32 API. (Inherited from winappdbg.event.Event)

Properties

Inherited from object: __class__

Method Details

get_file_handle(self)
    Returns: FileHandle or None
    File handle to the main module, received from the system. Returns None if the handle is not available.

get_process_handle(self)
    Returns: ProcessHandle
    Process handle received from the system. Returns None if the handle is not available.

get_thread_handle(self)
    Returns: ThreadHandle
    Thread handle received from the system. Returns None if the handle is not available.

get_start_address(self)
    Returns: int
    Pointer to the first instruction to execute in this process.

    Returns NULL when the debugger attaches to a process.

    See http://msdn.microsoft.com/en-us/library/ms679295(VS.85).aspx

get_image_base(self)
    Returns: int
    Base address of the main module.

    Warning: This value is taken from the PE file and may be incorrect because of ASLR!

get_teb(self)
    Returns: int
    Pointer to the TEB.

get_debug_info(self)
    Returns: str
    Debugging information.

get_filename(self)
    Returns: str, None
    This method does its best to retrieve the filename of the main module of the process. However, sometimes that is not possible, and None is returned instead.

get_module_base(self)
    Returns: int
    Base address of the main module.

get_module(self)
    Returns: Module
    Main module of the process.
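An added example (not code from winappdbg itself) of a create_process handler that records what this class exposes and handles the caveats in the method details above: get_filename() can be None, get_start_address() is NULL when the debugger attached to the process rather than spawning it, and get_image_base() is read from the PE header and can differ from get_module_base() under ASLR. FakeCreateProcessEvent and its values are constructed for illustration; debug_with_logger uses the real winappdbg Debug and EventHandler API and only runs on Windows.

```python
def summarize_create_process(event):
    """Collect what a CreateProcessEvent exposes into a plain dict.
    Duck-typed: any object with the same getters works, including the
    constructed fake below."""
    filename = event.get_filename()        # may be None, per get_filename()
    start = event.get_start_address()      # NULL (0) when we attached, not spawned
    pe_base = event.get_image_base()       # preferred base from the PE header
    actual_base = event.get_module_base()  # base the system actually loaded at
    return {
        "pid": event.get_pid(),
        "tid": event.get_tid(),
        "filename": filename if filename is not None else "<unknown>",
        "attached": start == 0,
        "start_address": start,
        "image_base": actual_base,
        # ASLR (or a base collision) moved the image away from the PE-preferred
        # base; this is why get_image_base() alone must not be trusted.
        "relocated": pe_base != actual_base,
    }


class FakeCreateProcessEvent(object):
    """Constructed stand-in with the same getters, so the logic above can be
    exercised without a Windows debuggee. All values are made up."""
    def __init__(self, pid, tid, filename, start, pe_base, actual_base):
        self._v = (pid, tid, filename, start, pe_base, actual_base)
    def get_pid(self): return self._v[0]
    def get_tid(self): return self._v[1]
    def get_filename(self): return self._v[2]
    def get_start_address(self): return self._v[3]
    def get_image_base(self): return self._v[4]
    def get_module_base(self): return self._v[5]


def debug_with_logger(argv):
    """Real use on Windows: spawn argv under winappdbg and log every process
    creation. winappdbg is imported here so the rest of the file runs anywhere."""
    from winappdbg import Debug, EventHandler

    class ProcessLogger(EventHandler):
        # Handler method name comes from CreateProcessEvent.eventMethod.
        def create_process(self, event):
            print(summarize_create_process(event))

    with Debug(ProcessLogger(), bKillOnExit=True) as debug:
        debug.execv(argv)
        debug.loop()
```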