Home       Trees       Indices       Help   
WinAppDbg - Programming Reference
Package winappdbg :: Module process :: Class Process
[hide private]
[frames] | no frames]

Class Process

source code

Interface to a process. Contains threads and modules snapshots.

Nested Classes [hide private]
  __ThreadsAndModulesIterator
Iterator object for Process objects.
Instance Methods [hide private]
 
__init__(self, dwProcessId, hProcess=None, fileName=None)
x.__init__(...) initializes x; see help(type(x)) for signature		 source code
 
__fixup_labels(self, disasm)
Private method used when disassembling from process memory.		 source code
 
__load_System_class(self) source code
 
__read_c_type(self, address, format, c_type) source code
 
__write_c_type(self, address, format, unpacked) source code
 
__peek_c_type(self, address, format, c_type) source code
 
__poke_c_type(self, address, format, unpacked) source code
 
__restore_mbi(self, hProcess, new_mbi, old_mbi, bSkipMappedFiles, bSkipOnError)
Used internally by restore_memory_snapshot.		 source code
bool
_notify_create_process(self, event)
Notify the creation of a new process.		 source code
 
_ModuleContainer__add_loaded_module(self, event)
Private method to automatically add new module objects from debug events. (Inherited from winappdbg.module._ModuleContainer)		 source code
 
_ModuleContainer__get_system_breakpoint(self, label) (Inherited from winappdbg.module._ModuleContainer) source code
 
_ModuleContainer__initialize_snapshot(self)
Private method to automatically initialize the snapshot when you try to use it without calling any of the scan_* methods first. (Inherited from winappdbg.module._ModuleContainer)		 source code
 
_ModuleContainer__use_fuzzy_mode(self, label) (Inherited from winappdbg.module._ModuleContainer) source code
 
_ThreadContainer__add_created_thread(self, event)
Private method to automatically add new thread objects from debug events. (Inherited from winappdbg.thread._ThreadContainer)		 source code
 
_ThreadContainer__initialize_snapshot(self)
Private method to automatically initialize the snapshot when you try to use it without calling any of the scan_* methods first. (Inherited from winappdbg.thread._ThreadContainer)		 source code
 
_add_module(self, aModule)
Private method to add a module object to the snapshot. (Inherited from winappdbg.module._ModuleContainer)		 source code
 
_add_thread(self, aThread)
Private method to add a thread object to the snapshot. (Inherited from winappdbg.thread._ThreadContainer)		 source code
 
_del_module(self, lpBaseOfDll)
Private method to remove a module object from the snapshot. (Inherited from winappdbg.module._ModuleContainer)		 source code
 
_del_thread(self, dwThreadId)
Private method to remove a thread object from the snapshot. (Inherited from winappdbg.thread._ThreadContainer)		 source code
 
_get_thread_ids(self)
Private method to get the list of thread IDs currently in the snapshot without triggering an automatic scan. (Inherited from winappdbg.thread._ThreadContainer)		 source code
 
_has_thread_id(self, dwThreadId)
Private method to test for a thread in the snapshot without triggering an automatic scan. (Inherited from winappdbg.thread._ThreadContainer)		 source code
bool
_notify_create_thread(self, event)
Notify the creation of a new thread in this process. (Inherited from winappdbg.thread._ThreadContainer)		 source code
bool
_notify_exit_thread(self, event)
Notify the termination of a thread. (Inherited from winappdbg.thread._ThreadContainer)		 source code
bool
_notify_load_dll(self, event)
Notify the load of a new module. (Inherited from winappdbg.module._ModuleContainer)		 source code
bool
_notify_unload_dll(self, event)
Notify the release of a loaded module. (Inherited from winappdbg.module._ModuleContainer)		 source code

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __repr__, __setattr__, __sizeof__, __str__, __subclasshook__

    Properties
int
get_pid(self)
Returns: Process global ID.		 source code
str
get_filename(self)
Returns: Filename of the main module of the process.		 source code
 
open_handle(self, dwDesiredAccess=2097151)
Opens a new handle to the process.		 source code
 
close_handle(self)
Closes the handle to the process.		 source code
ProcessHandle
get_handle(self, dwDesiredAccess=2097151)
Returns a handle to the process with at least the access rights requested.		 source code
bool
is_debugged(self)
Tries to determine if the process is being debugged by another process.		 source code
bool
is_alive(self)
Returns: True if the process is currently running.		 source code
int
get_exit_code(self)
Returns: Process exit code, or STILL_ACTIVE if it's still alive.		 source code
bool
is_wow64(self)
Determines if the process is running under WOW64.		 source code
str
get_arch(self)
Returns: The architecture in which this process believes to be running.		 source code
str
get_bits(self)
Returns: The number of bits in which this process believes to be running.		 source code
win32.SYSTEMTIME
get_start_time(self)
Determines when has this process started running.		 source code
win32.SYSTEMTIME
get_exit_time(self)
Determines when has this process finished running.		 source code
long
get_running_time(self)
Determines how long has this process been running.		 source code
list( win32.ServiceStatusProcessEntry )
get_services(self)
Retrieves the list of system services that are currently running in this process.		 source code
tuple(int, int)
get_dep_policy(self)
Retrieves the DEP (Data Execution Prevention) policy for this process.		 source code
win32.PEB
get_peb(self)
Returns a copy of the PEB.		 source code
int
get_peb_address(self)
Returns a remote pointer to the PEB.		 source code
int
get_entry_point(self)
Alias to process.get_main_module().get_entry_point().		 source code
Module
get_main_module(self)
Returns: Module object for the process main module.		 source code
int
get_image_base(self)
Returns: Image base address for the process main module.		 source code
int
get_image_name(self)
Returns: Filename of the process main module.		 source code
tuple(int, int)
get_command_line_block(self)
Retrieves the command line block memory address and size.		 source code
tuple(int, int)
get_environment_block(self)
Retrieves the environment block memory address for the process.		 source code
str
get_command_line(self)
Retrieves the command line with wich the program was started.		 source code
list of tuple(unicode, unicode)
get_environment_variables(self)
Retrieves the environment variables with wich the program is running.		 source code
dict(str → str)
get_environment(self, fUnicode=None)
Retrieves the environment with wich the program is running.		 source code
    Instrumentation
 
wait(self, dwTimeout=None)
Waits for the process to finish executing.		 source code
 
kill(self, dwExitCode=0)
Terminates the execution of the process.		 source code
 
suspend(self)
Suspends execution on all threads of the process.		 source code
 
resume(self)
Resumes execution on all threads of the process.		 source code
tuple( Thread, int )
inject_code(self, payload, lpParameter=0)
Injects relocatable code into the process memory and executes it.		 source code
Thread
inject_dll(self, dllname, procname=None, lpParameter=0, bWait=True, dwTimeout=None)
Injects a DLL into the process memory.		 source code
 
clean_exit(self, dwExitCode=0, bWait=False, dwTimeout=None)
Injects a new thread to call ExitProcess().		 source code
 
start_thread(self, lpStartAddress, lpParameter=0, bSuspended=False)
Remotely creates a new thread in the process. (Inherited from winappdbg.thread._ThreadContainer)		 source code
    Disassembly
list of tuple( long, int, str, str )
disassemble_string(self, lpAddress, code)
Disassemble instructions from a block of binary code.		 source code
list of tuple( long, int, str, str )
disassemble(self, lpAddress, dwSize)
Disassemble instructions from the address space of the process.		 source code
list of tuple( long, int, str, str )
disassemble_around(self, lpAddress, dwSize=64)
Disassemble around the given address.		 source code
list of tuple( long, int, str, str )
disassemble_around_pc(self, dwThreadId, dwSize=64)
Disassemble around the program counter of the given thread.		 source code
tuple( long, int, str, str )
disassemble_instruction(self, lpAddress)
Disassemble the instruction at the given memory address.		 source code
tuple( long, int, str, str )
disassemble_current(self, dwThreadId)
Disassemble the instruction at the program counter of the given thread.		 source code
    Debugging
 
flush_instruction_cache(self)
Flush the instruction cache.		 source code
 
debug_break(self)
Triggers the system breakpoint in the process.		 source code
dict( str → str )
peek_pointers_in_data(self, data, peekSize=16, peekStep=1)
Tries to guess which values in the given data are valid pointers, and reads some data from them.		 source code
int
get_break_on_error_ptr(self)
Returns: If present, returns the address of the g_dwLastErrorToBreakOn global variable for this process. (Inherited from winappdbg.module._ModuleContainer)		 source code
int or None
get_breakin_breakpoint(self)
Returns: Memory address of the remote breakin breakpoint within the process address space. (Inherited from winappdbg.module._ModuleContainer)		 source code
int or None
get_system_breakpoint(self)
Returns: Memory address of the system breakpoint within the process address space. (Inherited from winappdbg.module._ModuleContainer)		 source code
int or None
get_user_breakpoint(self)
Returns: Memory address of the user breakpoint within the process address space. (Inherited from winappdbg.module._ModuleContainer)		 source code
int or None
get_wow64_breakin_breakpoint(self)
Returns: Memory address of the Wow64 remote breakin breakpoint within the process address space. (Inherited from winappdbg.module._ModuleContainer)		 source code
int or None
get_wow64_system_breakpoint(self)
Returns: Memory address of the Wow64 system breakpoint within the process address space. (Inherited from winappdbg.module._ModuleContainer)		 source code
int or None
get_wow64_user_breakpoint(self)
Returns: Memory address of the Wow64 user breakpoint within the process address space. (Inherited from winappdbg.module._ModuleContainer)		 source code
bool
is_system_defined_breakpoint(self, address)
Returns: True if the given address points to a system defined breakpoint. (Inherited from winappdbg.module._ModuleContainer)		 source code
    Memory mapping
bool
is_pointer(self, address)
Determines if an address is a valid code or data pointer.		 source code
bool
is_address_valid(self, address)
Determines if an address is a valid user mode address.		 source code
bool
is_address_free(self, address)
Determines if an address belongs to a free page.		 source code
bool
is_address_reserved(self, address)
Determines if an address belongs to a reserved page.		 source code
bool
is_address_commited(self, address)
Determines if an address belongs to a commited page.		 source code
bool
is_address_guard(self, address)
Determines if an address belongs to a guard page.		 source code
bool
is_address_readable(self, address)
Determines if an address belongs to a commited and readable page.		 source code
bool
is_address_writeable(self, address)
Determines if an address belongs to a commited and writeable page.		 source code
bool
is_address_copy_on_write(self, address)
Determines if an address belongs to a commited, copy-on-write page.		 source code
bool
is_address_executable(self, address)
Determines if an address belongs to a commited and executable page.		 source code
bool
is_address_executable_and_writeable(self, address)
Determines if an address belongs to a commited, writeable and executable page.		 source code
bool
is_buffer(self, address, size)
Determines if the given memory area is a valid code or data buffer.		 source code
bool
is_buffer_readable(self, address, size)
Determines if the given memory area is readable.		 source code
bool
is_buffer_writeable(self, address, size)
Determines if the given memory area is writeable.		 source code
bool
is_buffer_copy_on_write(self, address, size)
Determines if the given memory area is marked as copy-on-write.		 source code
bool
is_buffer_executable(self, address, size)
Determines if the given memory area is executable.		 source code
bool
is_buffer_executable_and_writeable(self, address, size)
Determines if the given memory area is writeable and executable.		 source code
list( win32.MemoryBasicInformation )
get_memory_map(self, minAddr=None, maxAddr=None)
Produces a memory map to the process address space.		 source code
Regenerator of win32.MemoryBasicInformation
generate_memory_map(self, minAddr=None, maxAddr=None)
Returns a Regenerator that can iterate indefinitely over the memory map to the process address space.		 source code
iterator of win32.MemoryBasicInformation
iter_memory_map(self, minAddr=None, maxAddr=None)
Produces an iterator over the memory map to the process address space.		 source code
dict( int → str )
get_mapped_filenames(self, memoryMap=None)
Retrieves the filenames for memory mapped files in the debugee.		 source code
Regenerator of win32.MemoryBasicInformation
generate_memory_snapshot(self, minAddr=None, maxAddr=None)
Returns a Regenerator that allows you to iterate through the memory contents of a process indefinitely.		 source code
iterator of win32.MemoryBasicInformation
iter_memory_snapshot(self, minAddr=None, maxAddr=None)
Returns an iterator that allows you to go through the memory contents of a process.		 source code
list( win32.MemoryBasicInformation )
take_memory_snapshot(self, minAddr=None, maxAddr=None)
Takes a snapshot of the memory contents of the process.		 source code
 
restore_memory_snapshot(self, snapshot, bSkipMappedFiles=True, bSkipOnError=False)
Attempts to restore the memory state as it was when the given snapshot was taken.		 source code
    Memory allocation
int
malloc(self, dwSize, lpAddress=None)
Allocates memory into the address space of the process.		 source code
int
mprotect(self, lpAddress, dwSize, flNewProtect)
Set memory protection in the address space of the process.		 source code
win32.MemoryBasicInformation
mquery(self, lpAddress)
Query memory information from the address space of the process.		 source code
 
free(self, lpAddress)
Frees memory from the address space of the process.		 source code
    Memory read
str
read(self, lpBaseAddress, nSize)
Reads from the memory of the process.		 source code
int
read_char(self, lpBaseAddress)
Reads a single character to the memory of the process.		 source code
int
read_int(self, lpBaseAddress)
Reads a signed integer from the memory of the process.		 source code
int
read_uint(self, lpBaseAddress)
Reads an unsigned integer from the memory of the process.		 source code
int
read_float(self, lpBaseAddress)
Reads a float from the memory of the process.		 source code
int
read_double(self, lpBaseAddress)
Reads a double from the memory of the process.		 source code
int
read_pointer(self, lpBaseAddress)
Reads a pointer value from the memory of the process.		 source code
int
read_dword(self, lpBaseAddress)
Reads a DWORD from the memory of the process.		 source code
int
read_qword(self, lpBaseAddress)
Reads a QWORD from the memory of the process.		 source code
int
read_structure(self, lpBaseAddress, stype)
Reads a ctypes structure from the memory of the process.		 source code
str, unicode
read_string(self, lpBaseAddress, nChars, fUnicode=False)
Reads an ASCII or Unicode string from the address space of the process.		 source code
str
peek(self, lpBaseAddress, nSize)
Reads the memory of the process.		 source code
int
peek_char(self, lpBaseAddress)
Reads a single character from the memory of the process.		 source code
int
peek_int(self, lpBaseAddress)
Reads a signed integer from the memory of the process.		 source code
int
peek_uint(self, lpBaseAddress)
Reads an unsigned integer from the memory of the process.		 source code
int
peek_float(self, lpBaseAddress)
Reads a float from the memory of the process.		 source code
int
peek_double(self, lpBaseAddress)
Reads a double from the memory of the process.		 source code
int
peek_dword(self, lpBaseAddress)
Reads a DWORD from the memory of the process.		 source code
int
peek_qword(self, lpBaseAddress)
Reads a QWORD from the memory of the process.		 source code
int
peek_pointer(self, lpBaseAddress)
Reads a pointer value from the memory of the process.		 source code
str, unicode
peek_string(self, lpBaseAddress, fUnicode=False, dwMaxSize=4096)
Tries to read an ASCII or Unicode string from the address space of the process.		 source code
    Memory write
 
write(self, lpBaseAddress, lpBuffer)
Writes to the memory of the process.		 source code
 
write_char(self, lpBaseAddress, char)
Writes a single character to the memory of the process.		 source code
 
write_int(self, lpBaseAddress, unpackedValue)
Writes a signed integer to the memory of the process.		 source code
 
write_uint(self, lpBaseAddress, unpackedValue)
Writes an unsigned integer to the memory of the process.		 source code
 
write_float(self, lpBaseAddress, unpackedValue)
Writes a float to the memory of the process.		 source code
 
write_double(self, lpBaseAddress, unpackedValue)
Writes a double to the memory of the process.		 source code
 
write_pointer(self, lpBaseAddress, unpackedValue)
Writes a pointer value to the memory of the process.		 source code
 
write_dword(self, lpBaseAddress, unpackedValue)
Writes a DWORD to the memory of the process.		 source code
 
write_qword(self, lpBaseAddress, unpackedValue)
Writes a QWORD to the memory of the process.		 source code
int
poke(self, lpBaseAddress, lpBuffer)
Writes to the memory of the process.		 source code
int
poke_char(self, lpBaseAddress, char)
Writes a single character to the memory of the process.		 source code
int
poke_int(self, lpBaseAddress, unpackedValue)
Writes a signed integer to the memory of the process.		 source code
int
poke_uint(self, lpBaseAddress, unpackedValue)
Writes an unsigned integer to the memory of the process.		 source code
int
poke_float(self, lpBaseAddress, unpackedValue)
Writes a float to the memory of the process.		 source code
int
poke_double(self, lpBaseAddress, unpackedValue)
Writes a double to the memory of the process.		 source code
int
poke_dword(self, lpBaseAddress, unpackedValue)
Writes a DWORD to the memory of the process.		 source code
int
poke_qword(self, lpBaseAddress, unpackedValue)
Writes a QWORD to the memory of the process.		 source code
int
poke_pointer(self, lpBaseAddress, unpackedValue)
Writes a pointer value to the memory of the process.		 source code
    Memory search
iterator of tuple( int, int, str )
search(self, pattern, minAddr=None, maxAddr=None)
Search for the given pattern within the process memory.		 source code
iterator of int
search_bytes(self, bytes, minAddr=None, maxAddr=None)
Search for the given byte pattern within the process memory.		 source code
iterator of tuple( int, str )
search_text(self, text, encoding='utf-16le', caseSensitive=False, minAddr=None, maxAddr=None)
Search for the given text within the process memory.		 source code
iterator of tuple( int, int, str )
search_regexp(self, regexp, flags=0, minAddr=None, maxAddr=None, bufferPages=-1)
Search for the given regular expression within the process memory.		 source code
iterator of tuple( int, str )
search_hexa(self, hexa, minAddr=None, maxAddr=None)
Search for the given hexadecimal pattern within the process memory.		 source code
iterator of tuple(int, int, str)
strings(self, minSize=4, maxSize=1024)
Extract ASCII strings from the process memory.		 source code
    Processes snapshot
bool
__contains__(self, anObject)
The same as: self.has_thread(anObject) or self.has_module(anObject)		 source code
int
__len__(self)
Returns: Count of Thread and Module objects in this snapshot.		 source code
iterator
__iter__(self)
Returns: Iterator of Thread and Module objects in this snapshot.		 source code
 
scan(self)
Populates the snapshot of threads and modules.		 source code
 
clear(self)
Clears the snapshot of threads and modules.		 source code
    Deprecated
list of str
get_environment_data(self, fUnicode=None)
Retrieves the environment block data with wich the program is running.		 source code
    Threads snapshot
 
clear_dead_threads(self)
Remove Thread objects from the snapshot referring to threads no longer running. (Inherited from winappdbg.thread._ThreadContainer)		 source code
 
clear_threads(self)
Clears the threads snapshot. (Inherited from winappdbg.thread._ThreadContainer)		 source code
 
close_thread_handles(self)
Closes all open handles to threads in the snapshot. (Inherited from winappdbg.thread._ThreadContainer)		 source code
list( Thread )
find_threads_by_name(self, name, bExactMatch=True)
Find threads by name, using different search methods. (Inherited from winappdbg.thread._ThreadContainer)		 source code
Thread
get_thread(self, dwThreadId)
Returns: Thread object with the given global ID. (Inherited from winappdbg.thread._ThreadContainer)		 source code
int
get_thread_count(self)
Returns: Count of Thread objects in this snapshot. (Inherited from winappdbg.thread._ThreadContainer)		 source code
list( int )
get_thread_ids(self)
Returns: List of global thread IDs in this snapshot. (Inherited from winappdbg.thread._ThreadContainer)		 source code
list of Window
get_windows(self)
Returns: Returns a list of windows handled by this process. (Inherited from winappdbg.thread._ThreadContainer)		 source code
bool
has_thread(self, dwThreadId)
Returns: True if the snapshot contains a Thread object with the given global ID. (Inherited from winappdbg.thread._ThreadContainer)		 source code
dictionary-keyiterator
iter_thread_ids(self)
Returns: Iterator of global thread IDs in this snapshot. (Inherited from winappdbg.thread._ThreadContainer)		 source code
dictionary-valueiterator
iter_threads(self)
Returns: Iterator of Thread objects in this snapshot. (Inherited from winappdbg.thread._ThreadContainer)		 source code
 
scan_threads(self)
Populates the snapshot with running threads. (Inherited from winappdbg.thread._ThreadContainer)		 source code
    Modules snapshot
 
clear_modules(self)
Clears the modules snapshot. (Inherited from winappdbg.module._ModuleContainer)		 source code
Module
get_module(self, lpBaseOfDll)
Returns: Module object with the given base address. (Inherited from winappdbg.module._ModuleContainer)		 source code
Module
get_module_at_address(self, address)
Returns: Module object that best matches the given address. (Inherited from winappdbg.module._ModuleContainer)		 source code
list( int... )
get_module_bases(self)
Returns: List of DLL base addresses in this snapshot. (Inherited from winappdbg.module._ModuleContainer)		 source code
Module
get_module_by_name(self, modName)
Returns: Module object that best matches the given name. (Inherited from winappdbg.module._ModuleContainer)		 source code
int
get_module_count(self)
Returns: Count of Module objects in this snapshot. (Inherited from winappdbg.module._ModuleContainer)		 source code
bool
has_module(self, lpBaseOfDll)
Returns: True if the snapshot contains a Module object with the given base address. (Inherited from winappdbg.module._ModuleContainer)		 source code
dictionary-keyiterator
iter_module_addresses(self)
Returns: Iterator of DLL base addresses in this snapshot. (Inherited from winappdbg.module._ModuleContainer)		 source code
dictionary-valueiterator
iter_modules(self)
Returns: Iterator of Module objects in this snapshot. (Inherited from winappdbg.module._ModuleContainer)		 source code
 
scan_modules(self)
Populates the snapshot with loaded modules. (Inherited from winappdbg.module._ModuleContainer)		 source code
    Labels
str
get_label_at_address(self, address, offset=None)
Creates a label from the given memory address. (Inherited from winappdbg.module._ModuleContainer)		 source code
int
resolve_label(self, label)
Resolve the memory address of the given label. (Inherited from winappdbg.module._ModuleContainer)		 source code
int
resolve_label_components(self, module=None, function=None, offset=None)
Resolve the memory address of the given module, function and/or offset. (Inherited from winappdbg.module._ModuleContainer)		 source code
str
sanitize_label(self, label)
Converts a label taken from user input into a well-formed label. (Inherited from winappdbg.module._ModuleContainer)		 source code
tuple( str or None, str or int or None, int or None )
split_label_fuzzy(self, label)
Splits a label entered as user input. (Inherited from winappdbg.module._ModuleContainer)		 source code
    Symbols
None or tuple( str, int, int )
get_symbol_at_address(self, address)
Tries to find the closest matching symbol for the given address. (Inherited from winappdbg.module._ModuleContainer)		 source code
list of tuple( str, int, int )
get_symbols(self)
Returns the debugging symbols for all modules in this snapshot. (Inherited from winappdbg.module._ModuleContainer)		 source code
iterator of tuple( str, int, int )
iter_symbols(self)
Returns an iterator for the debugging symbols in all modules in this snapshot, in no particular order. (Inherited from winappdbg.module._ModuleContainer)		 source code
 
load_symbols(self)
Loads the debugging symbols for all modules in this snapshot. (Inherited from winappdbg.module._ModuleContainer)		 source code
int or None
resolve_symbol(self, symbol, bCaseSensitive=False)
Resolves a debugging symbol's address. (Inherited from winappdbg.module._ModuleContainer)		 source code
 
unload_symbols(self)
Unloads the debugging symbols for all modules in this snapshot. (Inherited from winappdbg.module._ModuleContainer)		 source code
Class Methods [hide private]
    Labels
tuple( str or None, str or int or None, int or None )
split_label(cls, label)
Splits a label into it's module, function and offset components, as used in parse_label. (Inherited from winappdbg.module._ModuleContainer)		 source code
Static Methods [hide private]
    Deprecated
dict(str → str)
parse_environment_data(block)
Parse the environment block into a Python dictionary.		 source code
    Labels
str
parse_label(module=None, function=None, offset=None)
Creates a label from a module and a function name, plus an offset. (Inherited from winappdbg.module._ModuleContainer)		 source code
tuple( str or None, str or int or None, int or None )
split_label_strict(label)
Splits a label created with parse_label. (Inherited from winappdbg.module._ModuleContainer)		 source code
Class Variables [hide private]
  __hexa_parameter = re.compile(r'0x[0-9A-Fa-f]+')
Instance Variables [hide private]
int dwProcessId
Global process ID.
str fileName
Filename of the main module.
ProcessHandle hProcess
Handle to the process.
Properties [hide private]

Inherited from object: __class__

Method Details [hide private]

__init__(self, dwProcessId, hProcess=None, fileName=None)
(Constructor)

source code 

x.__init__(...) initializes x; see help(type(x)) for signature

Parameters:
  • dwProcessId (int) - Global process ID.
  • hProcess (ProcessHandle) - Handle to the process.
  • fileName (str) - (Optional) Filename of the main module.
Overrides: object.__init__

get_pid(self)

source code 
Returns: int
Process global ID.

get_filename(self)

source code 
Returns: str
Filename of the main module of the process.

open_handle(self, dwDesiredAccess=2097151)

source code 

Opens a new handle to the process.

The new handle is stored in the hProcess property.

Parameters:
Raises:
  • WindowsError - It's not possible to open a handle to the process with the requested access rights. This tipically happens because the target process is a system process and the debugger is not runnning with administrative rights.

Warning: Normally you should call get_handle instead, since it's much "smarter" and tries to reuse handles and merge access rights.

close_handle(self)

source code 

Closes the handle to the process.

Note: Normally you don't need to call this method. All handles created by WinAppDbg are automatically closed when the garbage collector claims them. So unless you've been tinkering with it, setting hProcess to None should be enough.

get_handle(self, dwDesiredAccess=2097151)

source code 

Returns a handle to the process with at least the access rights requested.

Parameters:
Returns: ProcessHandle
Handle to the process.
Raises:
  • WindowsError - It's not possible to open a handle to the process with the requested access rights. This tipically happens because the target process is a system process and the debugger is not runnning with administrative rights.

Note: If a handle was previously opened and has the required access rights, it's reused. If not, a new handle is opened with the combination of the old and new access rights.

__contains__(self, anObject)
(In operator)

source code 

The same as: self.has_thread(anObject) or self.has_module(anObject)

Parameters:
  • anObject (Thread, Module or int) - Object to look for. Can be a Thread, Module, thread global ID or module base address.
Returns: bool
True if the requested object was found in the snapshot.
Overrides: module._ModuleContainer.__contains__

__len__(self)
(Length operator)

source code 
Returns: int
Count of Thread and Module objects in this snapshot.
Overrides: module._ModuleContainer.__len__

See Also: get_thread_count, get_module_count

__iter__(self)

source code 
Returns: iterator
Iterator of Thread and Module objects in this snapshot. All threads are iterated first, then all modules.
Overrides: module._ModuleContainer.__iter__

See Also: iter_threads, iter_modules

wait(self, dwTimeout=None)

source code 

Waits for the process to finish executing.

Raises:
  • WindowsError - On error an exception is raised.

kill(self, dwExitCode=0)

source code 

Terminates the execution of the process.

Raises:
  • WindowsError - On error an exception is raised.

suspend(self)

source code 

Suspends execution on all threads of the process.

Raises:
  • WindowsError - On error an exception is raised.

resume(self)

source code 

Resumes execution on all threads of the process.

Raises:
  • WindowsError - On error an exception is raised.

is_debugged(self)

source code 

Tries to determine if the process is being debugged by another process. It may detect other debuggers besides WinAppDbg.

Returns: bool
True if the process has a debugger attached.

Warning: May return inaccurate results when some anti-debug techniques are used by the target process.

Note: To know if a process currently being debugged by a Debug object, call Debug.is_debugee instead.

is_alive(self)

source code 
Returns: bool
True if the process is currently running.

get_exit_code(self)

source code 
Returns: int
Process exit code, or STILL_ACTIVE if it's still alive.

Warning: If a process returns STILL_ACTIVE as it's exit code, you may not be able to determine if it's active or not with this method. Use is_alive to check if the process is still active. Alternatively you can call get_handle to get the handle object and then ProcessHandle.wait on it to wait until the process finishes running.

__fixup_labels(self, disasm)

source code 

Private method used when disassembling from process memory.

It has no return value because the list is modified in place. On return all raw memory addresses are replaced by labels when possible.

Parameters:
  • disasm (list of tuple(int, int, str, str)) - Output of one of the dissassembly functions.

disassemble_string(self, lpAddress, code)

source code 

Disassemble instructions from a block of binary code.

Parameters:
  • lpAddress (int) - Memory address where the code was read from.
  • code (str) - Binary code to disassemble.
Returns: list of tuple( long, int, str, str )
List of tuples. Each tuple represents an assembly instruction and contains:
  • Memory address of instruction.
  • Size of instruction in bytes.
  • Disassembly line of instruction.
  • Hexadecimal dump of instruction.
Raises:
  • NotImplementedError - No compatible disassembler was found for the current platform.

disassemble(self, lpAddress, dwSize)

source code 

Disassemble instructions from the address space of the process.

Parameters:
  • lpAddress (int) - Memory address where to read the code from.
  • dwSize (int) - Size of binary code to disassemble.
Returns: list of tuple( long, int, str, str )
List of tuples. Each tuple represents an assembly instruction and contains:
  • Memory address of instruction.
  • Size of instruction in bytes.
  • Disassembly line of instruction.
  • Hexadecimal dump of instruction.

disassemble_around(self, lpAddress, dwSize=64)

source code 

Disassemble around the given address.

Parameters:
  • lpAddress (int) - Memory address where to read the code from.
  • dwSize (int) - Delta offset. Code will be read from lpAddress - dwSize to lpAddress + dwSize.
Returns: list of tuple( long, int, str, str )
List of tuples. Each tuple represents an assembly instruction and contains:
  • Memory address of instruction.
  • Size of instruction in bytes.
  • Disassembly line of instruction.
  • Hexadecimal dump of instruction.

disassemble_around_pc(self, dwThreadId, dwSize=64)

source code 

Disassemble around the program counter of the given thread.

Parameters:
  • dwThreadId (int) - Global thread ID. The program counter for this thread will be used as the disassembly address.
  • dwSize (int) - Delta offset. Code will be read from pc - dwSize to pc + dwSize.
Returns: list of tuple( long, int, str, str )
List of tuples. Each tuple represents an assembly instruction and contains:
  • Memory address of instruction.
  • Size of instruction in bytes.
  • Disassembly line of instruction.
  • Hexadecimal dump of instruction.

disassemble_instruction(self, lpAddress)

source code 

Disassemble the instruction at the given memory address.

Parameters:
  • lpAddress (int) - Memory address where to read the code from.
Returns: tuple( long, int, str, str )
The tuple represents an assembly instruction and contains:
  • Memory address of instruction.
  • Size of instruction in bytes.
  • Disassembly line of instruction.
  • Hexadecimal dump of instruction.

disassemble_current(self, dwThreadId)

source code 

Disassemble the instruction at the program counter of the given thread.

Parameters:
  • dwThreadId (int) - Global thread ID. The program counter for this thread will be used as the disassembly address.
Returns: tuple( long, int, str, str )
The tuple represents an assembly instruction and contains:
  • Memory address of instruction.
  • Size of instruction in bytes.
  • Disassembly line of instruction.
  • Hexadecimal dump of instruction.

flush_instruction_cache(self)

source code 

Flush the instruction cache. This is required if the process memory is modified and one or more threads are executing nearby the modified memory region.

Raises:
  • WindowsError - Raises exception on error.

See Also: http://blogs.msdn.com/oldnewthing/archive/2003/12/08/55954.aspx#55958

debug_break(self)

source code 

Triggers the system breakpoint in the process.

Raises:
  • WindowsError - On error an exception is raised.

is_wow64(self)

source code 

Determines if the process is running under WOW64.

Returns: bool
True if the process is running under WOW64. That is, a 32-bit application running in a 64-bit Windows.

False if the process is either a 32-bit application running in a 32-bit Windows, or a 64-bit application running in a 64-bit Windows.

Raises:
  • WindowsError - On error an exception is raised.

See Also: http://msdn.microsoft.com/en-us/library/aa384249(VS.85).aspx

get_arch(self)

source code 
Returns: str
The architecture in which this process believes to be running. For example, if running a 32 bit binary in a 64 bit machine, the architecture returned by this method will be win32.ARCH_I386, but the value of System.arch will be win32.ARCH_AMD64.

get_bits(self)

source code 
Returns: str
The number of bits in which this process believes to be running. For example, if running a 32 bit binary in a 64 bit machine, the number of bits returned by this method will be 32, but the value of System.arch will be 64.

get_start_time(self)

source code 

Determines when has this process started running.

Returns: win32.SYSTEMTIME
Process start time.

get_exit_time(self)

source code 

Determines when has this process finished running. If the process is still alive, the current time is returned instead.

Returns: win32.SYSTEMTIME
Process exit time.

get_running_time(self)

source code 

Determines how long has this process been running.

Returns: long
Process running time in milliseconds.

get_services(self)

source code 

Retrieves the list of system services that are currently running in this process.

Returns: list( win32.ServiceStatusProcessEntry )
List of service status descriptors.

See Also: System.get_services

get_dep_policy(self)

source code 

Retrieves the DEP (Data Execution Prevention) policy for this process.

Returns: tuple(int, int)
The first member of the tuple is the DEP flags. It can be a combination of the following values:
  • 0: DEP is disabled for this process.
  • 1: DEP is enabled for this process. (PROCESS_DEP_ENABLE)
  • 2: DEP-ATL thunk emulation is disabled for this process. (PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION)

The second member of the tuple is the permanent flag. If TRUE the DEP settings cannot be changed in runtime for this process.

Raises:
  • WindowsError - On error an exception is raised.

Note: This method is only available in Windows XP SP3 and above, and only for 32 bit processes. It will fail in any other circumstance.

See Also: http://msdn.microsoft.com/en-us/library/bb736297(v=vs.85).aspx

get_peb(self)

source code 

Returns a copy of the PEB. To dereference pointers in it call Process.read_structure.

Returns: win32.PEB
PEB structure.
Raises:
  • WindowsError - An exception is raised on error.

get_peb_address(self)

source code 

Returns a remote pointer to the PEB.

Returns: int
Remote pointer to the win32.PEB structure. Returns None on error.

get_entry_point(self)

source code 

Alias to process.get_main_module().get_entry_point().

Returns: int
Address of the entry point of the main module.

get_main_module(self)

source code 
Returns: Module
Module object for the process main module.

get_image_base(self)

source code 
Returns: int
Image base address for the process main module.

get_image_name(self)

source code 
Returns: int
Filename of the process main module.

This method does it's best to retrieve the filename. However sometimes this is not possible, so None may be returned instead.

get_command_line_block(self)

source code 

Retrieves the command line block memory address and size.

Returns: tuple(int, int)
Tuple with the memory address of the command line block and it's maximum size in Unicode characters.
Raises:
  • WindowsError - On error an exception is raised.

get_environment_block(self)

source code 

Retrieves the environment block memory address for the process.

Returns: tuple(int, int)
Tuple with the memory address of the environment block and it's size.
Raises:
  • WindowsError - On error an exception is raised.

Note: The size is always enough to contain the environment data, but it may not be an exact size. It's best to read the memory and scan for two null wide chars to find the actual size.

get_command_line(self)

source code 

Retrieves the command line with wich the program was started.

Returns: str
Command line string.
Raises:
  • WindowsError - On error an exception is raised.

get_environment_variables(self)

source code 

Retrieves the environment variables with wich the program is running.

Returns: list of tuple(unicode, unicode)
Environment keys and values as found in the process memory.
Raises:
  • WindowsError - On error an exception is raised.

get_environment_data(self, fUnicode=None)

source code 

Retrieves the environment block data with wich the program is running.

Parameters:
  • fUnicode (bool or None) - True to return a list of Unicode strings, False to return a list of ANSI strings, or None to return whatever the default is for string types.
Returns: list of str
Environment keys and values separated by a (=) character, as found in the process memory.
Raises:
  • WindowsError - On error an exception is raised.

Warning: Deprecated since WinAppDbg 1.5.

See Also: win32.GuessStringType

parse_environment_data(block)
Static Method

source code 

Parse the environment block into a Python dictionary.

Parameters:
Returns: dict(str → str)
Dictionary of environment keys and values.

Warning: Deprecated since WinAppDbg 1.5.

Note: Values of duplicated keys are joined using null characters.

get_environment(self, fUnicode=None)

source code 

Retrieves the environment with wich the program is running.

Parameters:
  • fUnicode (bool or None) - True to return a list of Unicode strings, False to return a list of ANSI strings, or None to return whatever the default is for string types.
Returns: dict(str → str)
Dictionary of environment keys and values.
Raises:
  • WindowsError - On error an exception is raised.

Note: Duplicated keys are joined using null characters. To avoid this behavior, call get_environment_variables instead and convert the results to a dictionary directly, like this: dict(process.get_environment_variables())

See Also: win32.GuessStringType

search(self, pattern, minAddr=None, maxAddr=None)

source code 

Search for the given pattern within the process memory.

Parameters:
  • pattern (str, unicode or Pattern) - Pattern to search for. It may be a byte string, a Unicode string, or an instance of Pattern.

    The following Pattern subclasses are provided by WinAppDbg:

    You can also write your own subclass of Pattern for customized searches.

  • minAddr (int) - (Optional) Start the search at this memory address.
  • maxAddr (int) - (Optional) Stop the search at this memory address.
Returns: iterator of tuple( int, int, str )
An iterator of tuples. Each tuple contains the following:
  • The memory address where the pattern was found.
  • The size of the data that matches the pattern.
  • The data that matches the pattern.
Raises:
  • WindowsError - An error occurred when querying or reading the process memory.

search_bytes(self, bytes, minAddr=None, maxAddr=None)

source code 

Search for the given byte pattern within the process memory.

Parameters:
  • bytes (str) - Bytes to search for.
  • minAddr (int) - (Optional) Start the search at this memory address.
  • maxAddr (int) - (Optional) Stop the search at this memory address.
Returns: iterator of int
An iterator of memory addresses where the pattern was found.
Raises:
  • WindowsError - An error occurred when querying or reading the process memory.

search_text(self, text, encoding='utf-16le', caseSensitive=False, minAddr=None, maxAddr=None)

source code 

Search for the given text within the process memory.

Parameters:
  • text (str or unicode) - Text to search for.
  • encoding (str) - (Optional) Encoding for the text parameter. Only used when the text to search for is a Unicode string. Don't change unless you know what you're doing!
  • caseSensitive (bool) - True of the search is case sensitive, False otherwise.
  • minAddr (int) - (Optional) Start the search at this memory address.
  • maxAddr (int) - (Optional) Stop the search at this memory address.
Returns: iterator of tuple( int, str )
An iterator of tuples. Each tuple contains the following:
  • The memory address where the pattern was found.
  • The text that matches the pattern.
Raises:
  • WindowsError - An error occurred when querying or reading the process memory.

search_regexp(self, regexp, flags=0, minAddr=None, maxAddr=None, bufferPages=-1)

source code 

Search for the given regular expression within the process memory.

Parameters:
  • regexp (str) - Regular expression string.
  • flags (int) - Regular expression flags.
  • minAddr (int) - (Optional) Start the search at this memory address.
  • maxAddr (int) - (Optional) Stop the search at this memory address.
  • bufferPages (int) - (Optional) Number of memory pages to buffer when performing the search. Valid values are:
    • 0 or None: Automatically determine the required buffer size. May not give complete results for regular expressions that match variable sized strings.
    • > 0: Set the buffer size, in memory pages.
    • < 0: Disable buffering entirely. This may give you a little speed gain at the cost of an increased memory usage. If the target process has very large contiguous memory regions it may actually be slower or even fail. It's also the only way to guarantee complete results for regular expressions that match variable sized strings.
Returns: iterator of tuple( int, int, str )
An iterator of tuples. Each tuple contains the following:
  • The memory address where the pattern was found.
  • The size of the data that matches the pattern.
  • The data that matches the pattern.
Raises:
  • WindowsError - An error occurred when querying or reading the process memory.

search_hexa(self, hexa, minAddr=None, maxAddr=None)

source code 

Search for the given hexadecimal pattern within the process memory.

Hex patterns must be in this form:

   "68 65 6c 6c 6f 20 77 6f 72 6c 64"  # "hello world"

Spaces are optional. Capitalization of hex digits doesn't matter. This is exactly equivalent to the previous example:

   "68656C6C6F20776F726C64"            # "hello world"

Wildcards are allowed, in the form of a ? sign in any hex digit:

   "5? 5? c3"          # pop register / pop register / ret
   "b8 ?? ?? ?? ??"    # mov eax, immediate value
Parameters:
  • hexa (str) - Pattern to search for.
  • minAddr (int) - (Optional) Start the search at this memory address.
  • maxAddr (int) - (Optional) Stop the search at this memory address.
Returns: iterator of tuple( int, str )
An iterator of tuples. Each tuple contains the following:
  • The memory address where the pattern was found.
  • The bytes that match the pattern.
Raises:
  • WindowsError - An error occurred when querying or reading the process memory.

strings(self, minSize=4, maxSize=1024)

source code 

Extract ASCII strings from the process memory.

Parameters:
  • minSize (int) - (Optional) Minimum size of the strings to search for.
  • maxSize (int) - (Optional) Maximum size of the strings to search for.
Returns: iterator of tuple(int, int, str)
Iterator of strings extracted from the process memory. Each tuple contains the following:
  • The memory address where the string was found.
  • The size of the string.
  • The string.

read(self, lpBaseAddress, nSize)

source code 

Reads from the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin reading.
  • nSize (int) - Number of bytes to read.
Returns: str
Bytes read from the process memory.
Raises:
  • WindowsError - On error an exception is raised.

See Also: peek

write(self, lpBaseAddress, lpBuffer)

source code 

Writes to the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin writing.
  • lpBuffer (str) - Bytes to write.
Raises:
  • WindowsError - On error an exception is raised.

Note: Page permissions may be changed temporarily while writing.

See Also: poke

read_char(self, lpBaseAddress)

source code 

Reads a single character to the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin writing.
Returns: int
Character value read from the process memory.
Raises:
  • WindowsError - On error an exception is raised.

See Also: peek_char

write_char(self, lpBaseAddress, char)

source code 

Writes a single character to the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin writing.
  • char (int) - Character to write.
Raises:
  • WindowsError - On error an exception is raised.

Note: Page permissions may be changed temporarily while writing.

See Also: poke_char

read_int(self, lpBaseAddress)

source code 

Reads a signed integer from the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin reading.
Returns: int
Integer value read from the process memory.
Raises:
  • WindowsError - On error an exception is raised.

See Also: peek_int

write_int(self, lpBaseAddress, unpackedValue)

source code 

Writes a signed integer to the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin writing.
  • unpackedValue (int, long) - Value to write.
Raises:
  • WindowsError - On error an exception is raised.

Note: Page permissions may be changed temporarily while writing.

See Also: poke_int

read_uint(self, lpBaseAddress)

source code 

Reads an unsigned integer from the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin reading.
Returns: int
Integer value read from the process memory.
Raises:
  • WindowsError - On error an exception is raised.

See Also: peek_uint

write_uint(self, lpBaseAddress, unpackedValue)

source code 

Writes an unsigned integer to the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin writing.
  • unpackedValue (int, long) - Value to write.
Raises:
  • WindowsError - On error an exception is raised.

Note: Page permissions may be changed temporarily while writing.

See Also: poke_uint

read_float(self, lpBaseAddress)

source code 

Reads a float from the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin reading.
Returns: int
Floating point value read from the process memory.
Raises:
  • WindowsError - On error an exception is raised.

See Also: peek_float

write_float(self, lpBaseAddress, unpackedValue)

source code 

Writes a float to the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin writing.
  • unpackedValue (int, long) - Floating point value to write.
Raises:
  • WindowsError - On error an exception is raised.

Note: Page permissions may be changed temporarily while writing.

See Also: poke_float

read_double(self, lpBaseAddress)

source code 

Reads a double from the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin reading.
Returns: int
Floating point value read from the process memory.
Raises:
  • WindowsError - On error an exception is raised.

See Also: peek_double

write_double(self, lpBaseAddress, unpackedValue)

source code 

Writes a double to the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin writing.
  • unpackedValue (int, long) - Floating point value to write.
Raises:
  • WindowsError - On error an exception is raised.

Note: Page permissions may be changed temporarily while writing.

See Also: poke_double

read_pointer(self, lpBaseAddress)

source code 

Reads a pointer value from the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin reading.
Returns: int
Pointer value read from the process memory.
Raises:
  • WindowsError - On error an exception is raised.

See Also: peek_pointer

write_pointer(self, lpBaseAddress, unpackedValue)

source code 

Writes a pointer value to the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin writing.
  • unpackedValue (int, long) - Value to write.
Raises:
  • WindowsError - On error an exception is raised.

Note: Page permissions may be changed temporarily while writing.

See Also: poke_pointer

read_dword(self, lpBaseAddress)

source code 

Reads a DWORD from the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin reading.
Returns: int
Integer value read from the process memory.
Raises:
  • WindowsError - On error an exception is raised.

See Also: peek_dword

write_dword(self, lpBaseAddress, unpackedValue)

source code 

Writes a DWORD to the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin writing.
  • unpackedValue (int, long) - Value to write.
Raises:
  • WindowsError - On error an exception is raised.

Note: Page permissions may be changed temporarily while writing.

See Also: poke_dword

read_qword(self, lpBaseAddress)

source code 

Reads a QWORD from the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin reading.
Returns: int
Integer value read from the process memory.
Raises:
  • WindowsError - On error an exception is raised.

See Also: peek_qword

write_qword(self, lpBaseAddress, unpackedValue)

source code 

Writes a QWORD to the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin writing.
  • unpackedValue (int, long) - Value to write.
Raises:
  • WindowsError - On error an exception is raised.

Note: Page permissions may be changed temporarily while writing.

See Also: poke_qword

read_structure(self, lpBaseAddress, stype)

source code 

Reads a ctypes structure from the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin reading.
  • stype (class ctypes.Structure or a subclass.) - Structure definition.
Returns: int
Structure instance filled in with data read from the process memory.
Raises:
  • WindowsError - On error an exception is raised.

See Also: read

read_string(self, lpBaseAddress, nChars, fUnicode=False)

source code 

Reads an ASCII or Unicode string from the address space of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin reading.
  • nChars (int) - String length to read, in characters. Remember that Unicode strings have two byte characters.
  • fUnicode (bool) - True is the string is expected to be Unicode, False if it's expected to be ANSI.
Returns: str, unicode
String read from the process memory space.
Raises:
  • WindowsError - On error an exception is raised.

See Also: peek_string

peek(self, lpBaseAddress, nSize)

source code 

Reads the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin reading.
  • nSize (int) - Number of bytes to read.
Returns: str
Bytes read from the process memory. Returns an empty string on error.

See Also: read

poke(self, lpBaseAddress, lpBuffer)

source code 

Writes to the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin writing.
  • lpBuffer (str) - Bytes to write.
Returns: int
Number of bytes written. May be less than the number of bytes to write.

Note: Page permissions may be changed temporarily while writing.

See Also: write

peek_char(self, lpBaseAddress)

source code 

Reads a single character from the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin reading.
Returns: int
Character read from the process memory. Returns zero on error.

See Also: read_char

poke_char(self, lpBaseAddress, char)

source code 

Writes a single character to the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin writing.
  • char (str) - Character to write.
Returns: int
Number of bytes written. May be less than the number of bytes to write.

Note: Page permissions may be changed temporarily while writing.

See Also: write_char

peek_int(self, lpBaseAddress)

source code 

Reads a signed integer from the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin reading.
Returns: int
Integer value read from the process memory. Returns zero on error.

See Also: read_int

poke_int(self, lpBaseAddress, unpackedValue)

source code 

Writes a signed integer to the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin writing.
  • unpackedValue (int, long) - Value to write.
Returns: int
Number of bytes written. May be less than the number of bytes to write.

Note: Page permissions may be changed temporarily while writing.

See Also: write_int

peek_uint(self, lpBaseAddress)

source code 

Reads an unsigned integer from the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin reading.
Returns: int
Integer value read from the process memory. Returns zero on error.

See Also: read_uint

poke_uint(self, lpBaseAddress, unpackedValue)

source code 

Writes an unsigned integer to the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin writing.
  • unpackedValue (int, long) - Value to write.
Returns: int
Number of bytes written. May be less than the number of bytes to write.

Note: Page permissions may be changed temporarily while writing.

See Also: write_uint

peek_float(self, lpBaseAddress)

source code 

Reads a float from the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin reading.
Returns: int
Integer value read from the process memory. Returns zero on error.

See Also: read_float

poke_float(self, lpBaseAddress, unpackedValue)

source code 

Writes a float to the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin writing.
  • unpackedValue (int, long) - Value to write.
Returns: int
Number of bytes written. May be less than the number of bytes to write.

Note: Page permissions may be changed temporarily while writing.

See Also: write_float

peek_double(self, lpBaseAddress)

source code 

Reads a double from the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin reading.
Returns: int
Integer value read from the process memory. Returns zero on error.

See Also: read_double

poke_double(self, lpBaseAddress, unpackedValue)

source code 

Writes a double to the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin writing.
  • unpackedValue (int, long) - Value to write.
Returns: int
Number of bytes written. May be less than the number of bytes to write.

Note: Page permissions may be changed temporarily while writing.

See Also: write_double

peek_dword(self, lpBaseAddress)

source code 

Reads a DWORD from the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin reading.
Returns: int
Integer value read from the process memory. Returns zero on error.

See Also: read_dword

poke_dword(self, lpBaseAddress, unpackedValue)

source code 

Writes a DWORD to the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin writing.
  • unpackedValue (int, long) - Value to write.
Returns: int
Number of bytes written. May be less than the number of bytes to write.

Note: Page permissions may be changed temporarily while writing.

See Also: write_dword

peek_qword(self, lpBaseAddress)

source code 

Reads a QWORD from the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin reading.
Returns: int
Integer value read from the process memory. Returns zero on error.

See Also: read_qword

poke_qword(self, lpBaseAddress, unpackedValue)

source code 

Writes a QWORD to the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin writing.
  • unpackedValue (int, long) - Value to write.
Returns: int
Number of bytes written. May be less than the number of bytes to write.

Note: Page permissions may be changed temporarily while writing.

See Also: write_qword

peek_pointer(self, lpBaseAddress)

source code 

Reads a pointer value from the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin reading.
Returns: int
Pointer value read from the process memory. Returns zero on error.

See Also: read_pointer

poke_pointer(self, lpBaseAddress, unpackedValue)

source code 

Writes a pointer value to the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin writing.
  • unpackedValue (int, long) - Value to write.
Returns: int
Number of bytes written. May be less than the number of bytes to write.

Note: Page permissions may be changed temporarily while writing.

See Also: write_pointer

peek_string(self, lpBaseAddress, fUnicode=False, dwMaxSize=4096)

source code 

Tries to read an ASCII or Unicode string from the address space of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin reading.
  • fUnicode (bool) - True is the string is expected to be Unicode, False if it's expected to be ANSI.
  • dwMaxSize (int) - Maximum allowed string length to read, in bytes.
Returns: str, unicode
String read from the process memory space. It doesn't include the terminating null character. Returns an empty string on failure.

See Also: read_string

peek_pointers_in_data(self, data, peekSize=16, peekStep=1)

source code 

Tries to guess which values in the given data are valid pointers, and reads some data from them.

Parameters:
  • data (str) - Binary data to find pointers in.
  • peekSize (int) - Number of bytes to read from each pointer found.
  • peekStep (int) - Expected data alignment. Tipically you specify 1 when data alignment is unknown, or 4 when you expect data to be DWORD aligned. Any other value may be specified.
Returns: dict( str → str )
Dictionary mapping stack offsets to the data they point to.

See Also: peek

malloc(self, dwSize, lpAddress=None)

source code 

Allocates memory into the address space of the process.

Parameters:
  • dwSize (int) - Number of bytes to allocate.
  • lpAddress (int) - (Optional) Desired address for the newly allocated memory. This is only a hint, the memory could still be allocated somewhere else.
Returns: int
Address of the newly allocated memory.
Raises:
  • WindowsError - On error an exception is raised.

See Also: free

mprotect(self, lpAddress, dwSize, flNewProtect)

source code 

Set memory protection in the address space of the process.

Parameters:
  • lpAddress (int) - Address of memory to protect.
  • dwSize (int) - Number of bytes to protect.
  • flNewProtect (int) - New protect flags.
Returns: int
Old protect flags.
Raises:
  • WindowsError - On error an exception is raised.

See Also: http://msdn.microsoft.com/en-us/library/aa366899.aspx

mquery(self, lpAddress)

source code 

Query memory information from the address space of the process. Returns a win32.MemoryBasicInformation object.

Parameters:
  • lpAddress (int) - Address of memory to query.
Returns: win32.MemoryBasicInformation
Memory region information.
Raises:
  • WindowsError - On error an exception is raised.

See Also: http://msdn.microsoft.com/en-us/library/aa366907(VS.85).aspx

free(self, lpAddress)

source code 

Frees memory from the address space of the process.

Parameters:
  • lpAddress (int) - Address of memory to free. Must be the base address returned by malloc.
Raises:
  • WindowsError - On error an exception is raised.

See Also: http://msdn.microsoft.com/en-us/library/aa366894(v=vs.85).aspx

is_pointer(self, address)

source code 

Determines if an address is a valid code or data pointer.

That is, the address must be valid and must point to code or data in the target process.

Parameters:
  • address (int) - Memory address to query.
Returns: bool
True if the address is a valid code or data pointer.
Raises:
  • WindowsError - An exception is raised on error.

is_address_valid(self, address)

source code 

Determines if an address is a valid user mode address.

Parameters:
  • address (int) - Memory address to query.
Returns: bool
True if the address is a valid user mode address.
Raises:
  • WindowsError - An exception is raised on error.

is_address_free(self, address)

source code 

Determines if an address belongs to a free page.

Parameters:
  • address (int) - Memory address to query.
Returns: bool
True if the address belongs to a free page.
Raises:
  • WindowsError - An exception is raised on error.

Note: Returns always False for kernel mode addresses.

is_address_reserved(self, address)

source code 

Determines if an address belongs to a reserved page.

Parameters:
  • address (int) - Memory address to query.
Returns: bool
True if the address belongs to a reserved page.
Raises:
  • WindowsError - An exception is raised on error.

Note: Returns always False for kernel mode addresses.

is_address_commited(self, address)

source code 

Determines if an address belongs to a commited page.

Parameters:
  • address (int) - Memory address to query.
Returns: bool
True if the address belongs to a commited page.
Raises:
  • WindowsError - An exception is raised on error.

Note: Returns always False for kernel mode addresses.

is_address_guard(self, address)

source code 

Determines if an address belongs to a guard page.

Parameters:
  • address (int) - Memory address to query.
Returns: bool
True if the address belongs to a guard page.
Raises:
  • WindowsError - An exception is raised on error.

Note: Returns always False for kernel mode addresses.

is_address_readable(self, address)

source code 

Determines if an address belongs to a commited and readable page. The page may or may not have additional permissions.

Parameters:
  • address (int) - Memory address to query.
Returns: bool
True if the address belongs to a commited and readable page.
Raises:
  • WindowsError - An exception is raised on error.

Note: Returns always False for kernel mode addresses.

is_address_writeable(self, address)

source code 

Determines if an address belongs to a commited and writeable page. The page may or may not have additional permissions.

Parameters:
  • address (int) - Memory address to query.
Returns: bool
True if the address belongs to a commited and writeable page.
Raises:
  • WindowsError - An exception is raised on error.

Note: Returns always False for kernel mode addresses.

is_address_copy_on_write(self, address)

source code 

Determines if an address belongs to a commited, copy-on-write page. The page may or may not have additional permissions.

Parameters:
  • address (int) - Memory address to query.
Returns: bool
True if the address belongs to a commited, copy-on-write page.
Raises:
  • WindowsError - An exception is raised on error.

Note: Returns always False for kernel mode addresses.

is_address_executable(self, address)

source code 

Determines if an address belongs to a commited and executable page. The page may or may not have additional permissions.

Parameters:
  • address (int) - Memory address to query.
Returns: bool
True if the address belongs to a commited and executable page.
Raises:
  • WindowsError - An exception is raised on error.

Note: Returns always False for kernel mode addresses.

is_address_executable_and_writeable(self, address)

source code 

Determines if an address belongs to a commited, writeable and executable page. The page may or may not have additional permissions.

Looking for writeable and executable pages is important when exploiting a software vulnerability.

Parameters:
  • address (int) - Memory address to query.
Returns: bool
True if the address belongs to a commited, writeable and executable page.
Raises:
  • WindowsError - An exception is raised on error.

Note: Returns always False for kernel mode addresses.

is_buffer(self, address, size)

source code 

Determines if the given memory area is a valid code or data buffer.

Parameters:
  • address (int) - Memory address.
  • size (int) - Number of bytes. Must be greater than zero.
Returns: bool
True if the memory area is a valid code or data buffer, False otherwise.
Raises:
  • ValueError - The size argument must be greater than zero.
  • WindowsError - On error an exception is raised.

Note: Returns always False for kernel mode addresses.

See Also: mquery

is_buffer_readable(self, address, size)

source code 

Determines if the given memory area is readable.

Parameters:
  • address (int) - Memory address.
  • size (int) - Number of bytes. Must be greater than zero.
Returns: bool
True if the memory area is readable, False otherwise.
Raises:
  • ValueError - The size argument must be greater than zero.
  • WindowsError - On error an exception is raised.

Note: Returns always False for kernel mode addresses.

See Also: mquery

is_buffer_writeable(self, address, size)

source code 

Determines if the given memory area is writeable.

Parameters:
  • address (int) - Memory address.
  • size (int) - Number of bytes. Must be greater than zero.
Returns: bool
True if the memory area is writeable, False otherwise.
Raises:
  • ValueError - The size argument must be greater than zero.
  • WindowsError - On error an exception is raised.

Note: Returns always False for kernel mode addresses.

See Also: mquery

is_buffer_copy_on_write(self, address, size)

source code 

Determines if the given memory area is marked as copy-on-write.

Parameters:
  • address (int) - Memory address.
  • size (int) - Number of bytes. Must be greater than zero.
Returns: bool
True if the memory area is marked as copy-on-write, False otherwise.
Raises:
  • ValueError - The size argument must be greater than zero.
  • WindowsError - On error an exception is raised.

Note: Returns always False for kernel mode addresses.

See Also: mquery

is_buffer_executable(self, address, size)

source code 

Determines if the given memory area is executable.

Parameters:
  • address (int) - Memory address.
  • size (int) - Number of bytes. Must be greater than zero.
Returns: bool
True if the memory area is executable, False otherwise.
Raises:
  • ValueError - The size argument must be greater than zero.
  • WindowsError - On error an exception is raised.

Note: Returns always False for kernel mode addresses.

See Also: mquery

is_buffer_executable_and_writeable(self, address, size)

source code 

Determines if the given memory area is writeable and executable.

Looking for writeable and executable pages is important when exploiting a software vulnerability.

Parameters:
  • address (int) - Memory address.
  • size (int) - Number of bytes. Must be greater than zero.
Returns: bool
True if the memory area is writeable and executable, False otherwise.
Raises:
  • ValueError - The size argument must be greater than zero.
  • WindowsError - On error an exception is raised.

Note: Returns always False for kernel mode addresses.

See Also: mquery

get_memory_map(self, minAddr=None, maxAddr=None)

source code 

Produces a memory map to the process address space.

Optionally restrict the map to the given address range.

Parameters:
  • minAddr (int) - (Optional) Starting address in address range to query.
  • maxAddr (int) - (Optional) Ending address in address range to query.
Returns: list( win32.MemoryBasicInformation )
List of memory region information objects.

See Also: mquery

generate_memory_map(self, minAddr=None, maxAddr=None)

source code 

Returns a Regenerator that can iterate indefinitely over the memory map to the process address space.

Optionally restrict the map to the given address range.

Parameters:
  • minAddr (int) - (Optional) Starting address in address range to query.
  • maxAddr (int) - (Optional) Ending address in address range to query.
Returns: Regenerator of win32.MemoryBasicInformation
List of memory region information objects.

See Also: mquery

iter_memory_map(self, minAddr=None, maxAddr=None)

source code 

Produces an iterator over the memory map to the process address space.

Optionally restrict the map to the given address range.

Parameters:
  • minAddr (int) - (Optional) Starting address in address range to query.
  • maxAddr (int) - (Optional) Ending address in address range to query.
Returns: iterator of win32.MemoryBasicInformation
List of memory region information objects.

See Also: mquery

get_mapped_filenames(self, memoryMap=None)

source code 

Retrieves the filenames for memory mapped files in the debugee.

Parameters:
Returns: dict( int → str )
Dictionary mapping memory addresses to file names. Native filenames are converted to Win32 filenames when possible.

generate_memory_snapshot(self, minAddr=None, maxAddr=None)

source code 

Returns a Regenerator that allows you to iterate through the memory contents of a process indefinitely.

It's basically the same as the take_memory_snapshot method, but it takes the snapshot of each memory region as it goes, as opposed to taking the whole snapshot at once. This allows you to work with very large snapshots without a significant performance penalty.

Example:

   # Print the memory contents of a process.
   process.suspend()
   try:
       snapshot = process.generate_memory_snapshot()
       for mbi in snapshot:
           print HexDump.hexblock(mbi.content, mbi.BaseAddress)
   finally:
       process.resume()

The downside of this is the process must remain suspended while iterating the snapshot, otherwise strange things may happen.

The snapshot can be iterated more than once. Each time it's iterated the memory contents of the process will be fetched again.

You can also iterate the memory of a dead process, just as long as the last open handle to it hasn't been closed.

Parameters:
  • minAddr (int) - (Optional) Starting address in address range to query.
  • maxAddr (int) - (Optional) Ending address in address range to query.
Returns: Regenerator of win32.MemoryBasicInformation
Generator that when iterated returns memory region information objects. Two extra properties are added to these objects:
  • filename: Mapped filename, or None.
  • content: Memory contents, or None.

See Also: take_memory_snapshot

iter_memory_snapshot(self, minAddr=None, maxAddr=None)

source code 

Returns an iterator that allows you to go through the memory contents of a process.

It's basically the same as the take_memory_snapshot method, but it takes the snapshot of each memory region as it goes, as opposed to taking the whole snapshot at once. This allows you to work with very large snapshots without a significant performance penalty.

Example:

   # Print the memory contents of a process.
   process.suspend()
   try:
       snapshot = process.generate_memory_snapshot()
       for mbi in snapshot:
           print HexDump.hexblock(mbi.content, mbi.BaseAddress)
   finally:
       process.resume()

The downside of this is the process must remain suspended while iterating the snapshot, otherwise strange things may happen.

The snapshot can only iterated once. To be able to iterate indefinitely call the generate_memory_snapshot method instead.

You can also iterate the memory of a dead process, just as long as the last open handle to it hasn't been closed.

Parameters:
  • minAddr (int) - (Optional) Starting address in address range to query.
  • maxAddr (int) - (Optional) Ending address in address range to query.
Returns: iterator of win32.MemoryBasicInformation
Iterator of memory region information objects. Two extra properties are added to these objects:
  • filename: Mapped filename, or None.
  • content: Memory contents, or None.

See Also: take_memory_snapshot

take_memory_snapshot(self, minAddr=None, maxAddr=None)

source code 

Takes a snapshot of the memory contents of the process.

It's best if the process is suspended (if alive) when taking the snapshot. Execution can be resumed afterwards.

Example:

   # Print the memory contents of a process.
   process.suspend()
   try:
       snapshot = process.take_memory_snapshot()
       for mbi in snapshot:
           print HexDump.hexblock(mbi.content, mbi.BaseAddress)
   finally:
       process.resume()

You can also iterate the memory of a dead process, just as long as the last open handle to it hasn't been closed.

Parameters:
  • minAddr (int) - (Optional) Starting address in address range to query.
  • maxAddr (int) - (Optional) Ending address in address range to query.
Returns: list( win32.MemoryBasicInformation )
List of memory region information objects. Two extra properties are added to these objects:
  • filename: Mapped filename, or None.
  • content: Memory contents, or None.

Warning: If the target process has a very big memory footprint, the resulting snapshot will be equally big. This may result in a severe performance penalty.

See Also: generate_memory_snapshot

restore_memory_snapshot(self, snapshot, bSkipMappedFiles=True, bSkipOnError=False)

source code 

Attempts to restore the memory state as it was when the given snapshot was taken.

Parameters:
  • snapshot (list( win32.MemoryBasicInformation )) - Memory snapshot returned by take_memory_snapshot. Snapshots returned by generate_memory_snapshot don't work here.
  • bSkipMappedFiles (bool) - True to avoid restoring the contents of memory mapped files, False otherwise. Use with care! Setting this to False can cause undesired side effects - changes to memory mapped files may be written to disk by the OS. Also note that most mapped files are typically executables and don't change, so trying to restore their contents is usually a waste of time.
  • bSkipOnError (bool) - True to issue a warning when an error occurs during the restoration of the snapshot, False to stop and raise an exception instead. Use with care! Setting this to True will cause the debugger to falsely believe the memory snapshot has been correctly restored.
Raises:
  • WindowsError - An error occured while restoring the snapshot.
  • RuntimeError - An error occured while restoring the snapshot.
  • TypeError - A snapshot of the wrong type was passed.

Warning: Currently only the memory contents, state and protect bits are restored. Under some circumstances this method may fail (for example if memory was freed and then reused by a mapped file).

inject_code(self, payload, lpParameter=0)

source code 

Injects relocatable code into the process memory and executes it.

Parameters:
  • payload (str) - Relocatable code to run in a new thread.
  • lpParameter (int) - (Optional) Parameter to be pushed in the stack.
Returns: tuple( Thread, int )
The injected Thread object and the memory address where the code was written.
Raises:
  • WindowsError - An exception is raised on error.

Warning: Don't forget to free the memory when you're done with it! Otherwise you'll be leaking memory in the target process.

See Also: inject_dll

inject_dll(self, dllname, procname=None, lpParameter=0, bWait=True, dwTimeout=None)

source code 

Injects a DLL into the process memory.

Parameters:
  • dllname (str) - Name of the DLL module to load.
  • procname (str) - (Optional) Procedure to call when the DLL is loaded.
  • lpParameter (int) - (Optional) Parameter to the procname procedure.
  • bWait (bool) - True to wait for the process to finish. False to return immediately.
  • dwTimeout (int) - (Optional) Timeout value in milliseconds. Ignored if bWait is False.
Returns: Thread
Newly created thread object. If bWait is set to True the thread will be dead, otherwise it will be alive.
Raises:
  • NotImplementedError - The target platform is not supported. Currently calling a procedure in the library is only supported in the i386 architecture.
  • WindowsError - An exception is raised on error.
Warnings:
  • Setting bWait to True when the process is frozen by a debug event will cause a deadlock in your debugger.
  • This involves allocating memory in the target process. This is how the freeing of this memory is handled:
    • If the bWait flag is set to True the memory will be freed automatically before returning from this method.
    • If the bWait flag is set to False, the memory address is set as the Thread.pInjectedMemory property of the returned thread object.
    • Debug objects free Thread.pInjectedMemory automatically both when it detaches from a process and when the injected thread finishes its execution.
    • The {Thread.kill} method also frees Thread.pInjectedMemory automatically, even if you're not attached to the process.

    You could still be leaking memory if not careful. For example, if you inject a dll into a process you're not attached to, you don't wait for the thread's completion and you don't kill it either, the memory would be leaked.

See Also: inject_code

clean_exit(self, dwExitCode=0, bWait=False, dwTimeout=None)

source code 

Injects a new thread to call ExitProcess(). Optionally waits for the injected thread to finish.

Parameters:
  • dwExitCode (int) - Process exit code.
  • bWait (bool) - True to wait for the process to finish. False to return immediately.
  • dwTimeout (int) - (Optional) Timeout value in milliseconds. Ignored if bWait is False.
Raises:
  • WindowsError - An exception is raised on error.

Warning: Setting bWait to True when the process is frozen by a debug event will cause a deadlock in your debugger.

_notify_create_process(self, event)

source code 

Notify the creation of a new process.

This is done automatically by the Debug class, you shouldn't need to call it yourself.

Parameters:
Returns: bool
True to call the user-defined handle, False otherwise.
Overrides: module._ModuleContainer._notify_create_process

Instance Variable Details [hide private]

dwProcessId

Global process ID. Use get_pid instead.
Type:
int

fileName

Filename of the main module. Use get_filename instead.
Type:
str

hProcess

Handle to the process. Use get_handle instead.
Type:
ProcessHandle

   Home       Trees       Indices       Help   
WinAppDbg - Programming Reference
Generated by Epydoc 3.0.1 on Fri Dec 20 17:54:54 2013 http://epydoc.sourceforge.net