Package winappdbg :: Module system :: Class Process

Class Process


Interface to a process. Contains threads and modules snapshots.

Nested Classes
  __ThreadsAndModulesIterator
Iterator object for Process objects.
Instance Methods
 
__init__(self, dwProcessId, hProcess=None, fileName=None)
x.__init__(...) initializes x; see x.__class__.__doc__ for signature
 
suspend(self)
Suspends execution on all threads of the process.
 
resume(self)
Resumes execution on all threads of the process.

Inherited from object: __delattr__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __repr__, __setattr__, __str__

    Properties
int
get_pid(self)
Returns: Process global ID.
str
get_filename(self)
Returns: Filename of the main module of the process.
bool
is_debugged(self)
Returns: True if the process is being debugged.
bool
is_alive(self)
Returns: True if the process is currently running.
int
get_exit_code(self)
Returns: Process exit code, or STILL_ACTIVE if it's still alive.
int
get_image_base(self)
Returns: Image base address for the process main module. (Inherited from winappdbg.system.ProcessDebugOperations)
int
get_image_name(self)
Returns: Filename of the process main module. (Inherited from winappdbg.system.ProcessDebugOperations)
Module
get_main_module(self)
Returns: Module object for the process main module. (Inherited from winappdbg.system.ProcessDebugOperations)
PEB
get_peb(self)
Returns a copy of the PEB. (Inherited from winappdbg.system.ProcessDebugOperations)
    Instrumentation
 
wait(self, dwTimeout=None)
Waits for the process to finish executing.
 
kill(self, dwExitCode=0)
Terminates the execution of the process.
 
inject_code(self, payload, lpParameter=0)
Injects relocatable code into the process memory and executes it.
 
inject_dll(self, dllname, procname=None, lpParameter=0, dwTimeout=None)
Injects a DLL into the process memory.
 
start_thread(self, lpStartAddress, lpParameter=0, bSuspended=False)
Remotely creates a new thread in the process. (Inherited from winappdbg.system.ThreadContainer)
    Debugging
 
debug_break(self)
Triggers the system breakpoint in the process.
int
get_system_breakpoint(self)
Returns: Memory address of the system breakpoint within the process address space. (Inherited from winappdbg.system.SymbolOperations)
    Processes snapshot
bool
__contains__(self, anObject)
The same as: self.has_thread(anObject) or self.has_module(anObject)
int
__len__(self)
Returns: Count of Thread and Module objects in this snapshot.
iterator
__iter__(self)
Returns: Iterator of Thread and Module objects in this snapshot.
 
scan(self)
Populates the snapshot of threads and modules.
 
clear(self)
Clears the snapshot of threads and modules.
    Handle
 
open_handle(self)
Opens a new handle to the process.
 
close_handle(self)
Closes the handle to the process.
ProcessHandle
get_handle(self)
Returns: Handle to the process.
    Event notifications (private)
 
notify_create_process(self, event)
Notify the creation of a new process.
 
notify_create_thread(self, event)
Notify the creation of a new thread in this process. (Inherited from winappdbg.system.ThreadContainer)
 
notify_exit_thread(self, event)
Notify the termination of a thread. (Inherited from winappdbg.system.ThreadContainer)
 
notify_load_dll(self, event)
Notify the load of a new module. (Inherited from winappdbg.system.ModuleContainer)
 
notify_unload_dll(self, event)
Notify the release of a loaded module. (Inherited from winappdbg.system.ModuleContainer)
    Memory mapping
bool
free(self, lpAddress, dwSize=0)
Frees memory from the address space of the process. (Inherited from winappdbg.system.MemoryOperations)
list( MEMORY_BASIC_INFORMATION )
get_memory_map(self, minAddr=0, maxAddr=4294967296)
Produces a memory map to the process address space. (Inherited from winappdbg.system.MemoryOperations)
int
malloc(self, dwSize, lpAddress=0)
Allocates memory into the address space of the process. (Inherited from winappdbg.system.MemoryOperations)
int
mprotect(self, lpAddress, dwSize, flNewProtect)
Set memory protection in the address space of the process. (Inherited from winappdbg.system.MemoryOperations)
MEMORY_BASIC_INFORMATION
mquery(self, lpAddress)
Query memory information from the address space of the process. (Inherited from winappdbg.system.MemoryOperations)
    Memory read
str
peek(self, lpBaseAddress, nSize)
Reads the memory of the process. (Inherited from winappdbg.system.MemoryOperations)
int
peek_char(self, lpBaseAddress)
Reads a single character from the memory of the process. (Inherited from winappdbg.system.MemoryOperations)
str, unicode
peek_string(self, lpBaseAddress, fUnicode=False, dwMaxSize=4096)
Tries to read an ASCII or Unicode string from the address space of the process. (Inherited from winappdbg.system.MemoryOperations)
int
peek_uint(self, lpBaseAddress)
Reads a single uint from the memory of the process. (Inherited from winappdbg.system.MemoryOperations)
str
read(self, lpBaseAddress, nSize)
Reads from the memory of the process. (Inherited from winappdbg.system.MemoryOperations)
int
read_char(self, lpBaseAddress)
Reads a single character from the memory of the process. (Inherited from winappdbg.system.MemoryOperations)
int
read_structure(self, lpBaseAddress, stype)
Reads a ctypes structure from the memory of the process. (Inherited from winappdbg.system.MemoryOperations)
int
read_uint(self, lpBaseAddress)
Reads a single uint from the memory of the process. (Inherited from winappdbg.system.MemoryOperations)
    Memory write
int
poke(self, lpBaseAddress, lpBuffer)
Writes to the memory of the process. (Inherited from winappdbg.system.MemoryOperations)
int
poke_char(self, lpBaseAddress, char)
Writes a single character to the memory of the process. (Inherited from winappdbg.system.MemoryOperations)
int
poke_uint(self, lpBaseAddress, unpackedDword)
Writes a single uint to the memory of the process. (Inherited from winappdbg.system.MemoryOperations)
 
write(self, lpBaseAddress, lpBuffer)
Writes to the memory of the process. (Inherited from winappdbg.system.MemoryOperations)
 
write_char(self, lpBaseAddress, char)
Writes a single character to the memory of the process. (Inherited from winappdbg.system.MemoryOperations)
 
write_uint(self, lpBaseAddress, unpackedDword)
Writes a single uint to the memory of the process. (Inherited from winappdbg.system.MemoryOperations)
    Disassembly
list of tuple( long, int, str, str )
disassemble(self, lpAddress, dwSize)
Disassemble instructions from the address space of the process. (Inherited from winappdbg.system.ProcessDebugOperations)
list of tuple( long, int, str, str )
disassemble_around(self, lpAddress, dwSize=64)
Disassemble around the given address. (Inherited from winappdbg.system.ProcessDebugOperations)
list of tuple( long, int, str, str )
disassemble_around_pc(self, dwThreadId, dwSize=64)
Disassemble around the program counter of the given thread. (Inherited from winappdbg.system.ProcessDebugOperations)
    Miscellaneous
 
flush_instruction_cache(self)
Flush the instruction cache. (Inherited from winappdbg.system.ProcessDebugOperations)
dict( str → str )
peek_pointers_in_data(self, data, peekSize=16, peekStep=1)
Tries to guess which values in the given data are valid pointers, and reads some data from them. (Inherited from winappdbg.system.ProcessDebugOperations)
    Labels
str
get_label_at_address(self, address, offset=None)
Creates a label from the given memory address. (Inherited from winappdbg.system.SymbolOperations)
int
resolve_label(self, label)
Resolve the memory address of the given label. (Inherited from winappdbg.system.SymbolOperations)
str
sanitize_label(self, label)
Converts a label taken from user input into a well-formed label. (Inherited from winappdbg.system.SymbolOperations)
tuple( str or None, str or int or None, int or None )
split_label_fuzzy(self, label)
Splits a label entered as user input. (Inherited from winappdbg.system.SymbolOperations)
    Threads snapshot
 
clear_dead_threads(self)
Remove Thread objects from the snapshot referring to threads no longer running. (Inherited from winappdbg.system.ThreadContainer)
 
clear_threads(self)
Clears the threads snapshot. (Inherited from winappdbg.system.ThreadContainer)
 
close_thread_handles(self)
Closes all open handles to threads in the snapshot. (Inherited from winappdbg.system.ThreadContainer)
list( Thread )
find_threads_by_name(self, name, bExactMatch=True)
Find threads by name, using different search methods. (Inherited from winappdbg.system.ThreadContainer)
Thread
get_thread(self, dwThreadId)
Returns: Thread object with the given global ID. (Inherited from winappdbg.system.ThreadContainer)
int
get_thread_count(self)
Returns: Count of Thread objects in this snapshot. (Inherited from winappdbg.system.ThreadContainer)
list( int )
get_thread_ids(self)
Returns: List of global thread IDs in this snapshot. (Inherited from winappdbg.system.ThreadContainer)
bool
has_thread(self, dwThreadId)
Returns: True if the snapshot contains a Thread object with the given global ID. (Inherited from winappdbg.system.ThreadContainer)
dictionary-keyiterator
iter_thread_ids(self)
Returns: Iterator of global thread IDs in this snapshot. (Inherited from winappdbg.system.ThreadContainer)
dictionary-valueiterator
iter_threads(self)
Returns: Iterator of Thread objects in this snapshot. (Inherited from winappdbg.system.ThreadContainer)
 
scan_threads(self)
Populates the snapshot with running threads. (Inherited from winappdbg.system.ThreadContainer)
    Modules snapshot
 
clear_modules(self)
Clears the modules snapshot. (Inherited from winappdbg.system.ModuleContainer)
Module
get_module(self, lpBaseOfDll)
Returns: Module object with the given base address. (Inherited from winappdbg.system.ModuleContainer)
Module
get_module_at_address(self, address)
Returns: Module object that best matches the given address. (Inherited from winappdbg.system.ModuleContainer)
list( int... )
get_module_bases(self)
Returns: List of DLL base addresses in this snapshot. (Inherited from winappdbg.system.ModuleContainer)
Module
get_module_by_name(self, modName)
Returns: Module object that best matches the given name. (Inherited from winappdbg.system.ModuleContainer)
int
get_module_count(self)
Returns: Count of Module objects in this snapshot. (Inherited from winappdbg.system.ModuleContainer)
bool
has_module(self, lpBaseOfDll)
Returns: True if the snapshot contains a Module object with the given base address. (Inherited from winappdbg.system.ModuleContainer)
dictionary-keyiterator
iter_module_addresses(self)
Returns: Iterator of DLL base addresses in this snapshot. (Inherited from winappdbg.system.ModuleContainer)
dictionary-valueiterator
iter_modules(self)
Returns: Iterator of Module objects in this snapshot. (Inherited from winappdbg.system.ModuleContainer)
 
scan_modules(self)
Populates the snapshot with loaded modules. (Inherited from winappdbg.system.ModuleContainer)
Class Methods
    Labels
tuple( str or None, str or int or None, int or None )
split_label(cls, label)
Splits a label into its module, function and offset components, as used in parse_label. (Inherited from winappdbg.system.SymbolOperations)
Static Methods
    Disassembly
list of tuple( long, int, str, str )
disassemble_string(lpAddress, code)
Disassemble instructions from a block of binary code. (Inherited from winappdbg.system.ProcessDebugOperations)
    Labels
str
parse_label(module=None, function=None, offset=None)
Creates a label from a module and a function name, plus an offset. (Inherited from winappdbg.system.SymbolOperations)
tuple( str or None, str or int or None, int or None )
split_label_strict(label)
Splits a label created with parse_label. (Inherited from winappdbg.system.SymbolOperations)
Instance Variables
int dwProcessId
Global process ID.
str fileName
Filename of the main module.
ProcessHandle hProcess
Handle to the process.
Properties

Inherited from object: __class__

Method Details

__init__(self, dwProcessId, hProcess=None, fileName=None)
(Constructor)

 

x.__init__(...) initializes x; see x.__class__.__doc__ for signature

Parameters:
  • dwProcessId (int) - Global process ID.
  • hProcess (ProcessHandle) - Handle to the process.
  • fileName (str) - (Optional) Filename of the main module.
Overrides: object.__init__

get_pid(self)

 
Returns: int
Process global ID.

get_filename(self)

 
Returns: str
Filename of the main module of the process.

get_handle(self)

 
Returns: ProcessHandle
Handle to the process.

__contains__(self, anObject)
(In operator)

 

The same as: self.has_thread(anObject) or self.has_module(anObject)

Parameters:
  • anObject (Thread, Module or int) - Object to look for. Can be a Thread, Module, thread global ID or module base address.
Returns: bool
True if the requested object was found in the snapshot.
Overrides: ModuleContainer.__contains__

__len__(self)
(Length operator)

 
Returns: int
Count of Thread and Module objects in this snapshot.
Overrides: ModuleContainer.__len__

__iter__(self)

 
Returns: iterator
Iterator of Thread and Module objects in this snapshot. All threads are iterated first, then all modules.
Overrides: ModuleContainer.__iter__

wait(self, dwTimeout=None)

 

Waits for the process to finish executing.

Raises:
  • WindowsError - On error an exception is raised.

kill(self, dwExitCode=0)

 

Terminates the execution of the process.

Raises:
  • WindowsError - On error an exception is raised.

suspend(self)

 

Suspends execution on all threads of the process.

Raises:
  • WindowsError - On error an exception is raised.

resume(self)

 

Resumes execution on all threads of the process.

Raises:
  • WindowsError - On error an exception is raised.

debug_break(self)

 

Triggers the system breakpoint in the process.

Raises:
  • WindowsError - On error an exception is raised.

is_debugged(self)

 
Returns: bool
True if the process is being debugged.

is_alive(self)

 
Returns: bool
True if the process is currently running.

get_exit_code(self)

 
Returns: int
Process exit code, or STILL_ACTIVE if it's still alive.

inject_code(self, payload, lpParameter=0)

 

Injects relocatable code into the process memory and executes it.

Parameters:
  • payload (str) - Relocatable code to run in a new thread.
  • lpParameter (int) - (Optional) Parameter to be pushed in the stack.

See Also: inject_dll

inject_dll(self, dllname, procname=None, lpParameter=0, dwTimeout=None)

 

Injects a DLL into the process memory.

Parameters:
  • dllname (str) - Name of the DLL module to load.
  • procname (str) - (Optional) Procedure to call when the DLL is loaded.
  • lpParameter (int) - (Optional) Parameter to the procname procedure.
  • dwTimeout (int) - (Optional) Timeout value in milliseconds.

See Also: inject_code

notify_create_process(self, event)

 

Notify the creation of a new process.

Parameters:
Overrides: ModuleContainer.notify_create_process

Instance Variable Details

dwProcessId

Global process ID. Use get_pid instead.
Type:
int

fileName

Filename of the main module. Use get_filename instead.
Type:
str

hProcess

Handle to the process. Use get_handle instead.
Type:
ProcessHandle