Package winappdbg :: Module breakpoint :: Class ApiHook

Class ApiHook


Used by EventHandler.

This class acts as an action callback for code breakpoints set at the beginning of a function. It automatically retrieves the parameters from the stack, sets a breakpoint at the return address and retrieves the return value from the function call.


See Also: EventHandler.apiHooks

Instance Methods

__init__(self, eventHandler, procName, paramCount=0)
x.__init__(...) initializes x; see x.__class__.__doc__ for signature

hook(self, debug, pid, modName)
Installs the API hook on a given process and module.

unhook(self, debug, pid, modName)
Removes the API hook from the given process and module.

__call__(self, event)
Handles the breakpoint event on entry of the function. (Inherited from winappdbg.breakpoint.Hook)

Inherited from object: __delattr__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __repr__, __setattr__, __str__

Properties

Inherited from object: __class__

Method Details

__init__(self, eventHandler, procName, paramCount=0) (Constructor)

x.__init__(...) initializes x; see x.__class__.__doc__ for signature

Parameters:
  • eventHandler (EventHandler) - Event handler instance.
  • procName (str) - Procedure name. The pre and post callbacks will be deduced from it.

    For example, if the procedure is "LoadLibraryEx" the callback routines will be "pre_LoadLibraryEx" and "post_LoadLibraryEx".

    The signature for the callbacks can be something like this:

       def pre_LoadLibraryEx(event, *params):
           ra   = params[0]        # return address
           argv = params[1:]       # function parameters

           # (...)

       def post_LoadLibraryEx(event, return_value):

           # (...)

    But if you passed the right number of arguments, you can also use a signature like this:

       def pre_LoadLibraryEx(event, ra, lpFilename, hFile, dwFlags):
           szFilename = event.get_process().peek_string(lpFilename)

           # (...)

  • paramCount (int) - (Optional) Number of parameters for the callback. Parameters are read from the stack and assumed to be DWORDs. The first parameter of the pre callback is always the return address.
Overrides: object.__init__
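The following is an added, self-contained model of the mechanism described above (it is not winappdbg's own code): a stand-in hook that reads the return address and paramCount little-endian DWORDs from the stack at ESP, dispatches to pre_<procName> / post_<procName> looked up by name on the handler, and hands the EAX return value to the post callback. FakeProcess, FakeEvent, ApiHookModel and Handler are constructed for the demo; a real handler would subclass EventHandler and list the hook in its apiHooks.

```python
import struct

class FakeProcess:
    # Constructed stand-in for the debuggee: 4 KiB of flat memory starting at address 0.
    def __init__(self):
        self.mem = bytearray(0x1000)
    def write(self, addr, data):
        self.mem[addr:addr + len(data)] = data
    def peek_string(self, addr):
        return self.mem[addr:self.mem.index(b"\0", addr)].decode()

class FakeEvent:
    # Minimal event: the process plus the thread's ESP/EAX at the time of the break.
    def __init__(self, process, esp, eax=0):
        self.process, self.esp, self.eax = process, esp, eax
    def get_process(self):
        return self.process

class ApiHookModel:
    """Simplified re-implementation of the documented behaviour (hypothetical, not winappdbg)."""
    def __init__(self, eventHandler, procName, paramCount=0):
        self.pre = getattr(eventHandler, "pre_" + procName, None)
        self.post = getattr(eventHandler, "post_" + procName, None)
        self.paramCount = paramCount
        self.pending = {}  # return address -> stand-in for a breakpoint set there
    def on_entry(self, event):
        # At function entry the return address is at ESP; stdcall arguments follow it as DWORDs.
        n = self.paramCount + 1
        ra, *params = struct.unpack("<%dI" % n, event.get_process().mem[event.esp:event.esp + 4 * n])
        if self.pre:
            self.pre(event, ra, *params)
        self.pending[ra] = True  # real code: Debug.break_at(pid, ra, ...)
        return ra
    def on_return(self, event, ra):
        del self.pending[ra]
        if self.post:
            self.post(event, event.eax)  # EAX carries the DWORD return value

class Handler:
    def __init__(self):
        self.log = []
    def pre_LoadLibraryEx(self, event, ra, lpFileName, hFile, dwFlags):
        self.log.append(("pre", event.get_process().peek_string(lpFileName), dwFlags))
    def post_LoadLibraryEx(self, event, return_value):
        self.log.append(("post", return_value))

def run_demo():
    proc = FakeProcess()
    proc.write(0x100, b"example.dll\0")                               # constructed filename
    proc.write(0x800, struct.pack("<4I", 0x401234, 0x100, 0, 0x8))   # constructed frame: ra, lpFileName, hFile, dwFlags
    handler, hook = Handler(), ApiHookModel(Handler(), "LoadLibraryEx", 3)
    hook.pre, hook.post = handler.pre_LoadLibraryEx, handler.post_LoadLibraryEx
    ra = hook.on_entry(FakeEvent(proc, 0x800))
    hook.on_return(FakeEvent(proc, 0x804, eax=0x6A000000), ra)
    return handler.log
```

Running run_demo() yields the pre callback with the peeked filename and flags, then the post callback with the return value.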

hook(self, debug, pid, modName)

Installs the API hook on a given process and module.

Parameters:
  • debug (Debug) - Debug object.
  • pid (int) - Process ID.
  • modName (str) - Module name.
Overrides: Hook.hook

Warning: Do not call from an API hook callback.

unhook(self, debug, pid, modName)

Removes the API hook from the given process and module.

Parameters:
  • debug (Debug) - Debug object.
  • pid (int) - Process ID.
  • modName (str) - Module name.
Overrides: Hook.unhook

Warning: Do not call from an API hook callback.