| Home | Trees | Indices | Help |
|
|---|
|
|
Base class for debug event handlers.
Your program should subclass it to implement it's own event handling.
The signature for event handlers is the following:
def event_handler(self, event):
Where event is an Event object.
Each event handler is named after the event they handle. This is the list of all valid event handler names:
Receives an Event object or an object of any of it's subclasses, and handles any event for which no handler was defined.
Receives an Event object or an object of any of it's subclasses, and handles any event unknown to the debugging engine. (This is not likely to happen unless the Win32 debugging API is changed in future versions of Windows).
Receives an ExceptionEvent object and handles any exception for which no handler was defined. See above for exception handlers.
Receives an ExceptionEvent object and handles any exception unknown to the debugging engine. This usually happens for C++ exceptions, which are not standardized and may change from one compiler to the next.
Currently we have partial support for C++ exceptions thrown by Microsoft compilers.
Also see: RaiseException()
Receives a CreateThreadEvent object.
Receives a CreateProcessEvent object.
Receives a ExitThreadEvent object.
Receives a ExitProcessEvent object.
Receives a LoadDLLEvent object.
Receives an UnloadDLLEvent object.
Receives an OutputDebugStringEvent object.
Receives a RIPEvent object.
This is the list of all valid exception handler names (they all receive an ExceptionEvent object):
|
|||
|
|||
|
|||
|
|||
|
|||
|
Inherited from |
|||
|
|||
| dict( int → str ) |
__eventCallbackName = Map of event code constants to the names of the user-defined methods. |
||
| dict( int → str ) |
__exceptionCallbackName = Map of exception code constants to the names of the user-defined methods. |
||
| dict( str → tuple( str, int ) ) |
apiHooks = Dictionary that maps module names to tuples of ( procedure name, parameter count ). |
||
|
|||
|
Inherited from |
|||
|
|||
x.__init__(...) initializes x; see x.__class__.__doc__ for signature
|
Hook the requested API calls (in self.apiHooks). This method is called automatically whenever a DLL is loaded. |
Dispatch debug events.
|
Handler for events not handled by any other defined method.
|
|
|||
__eventCallbackNameMap of event code constants to the names of the user-defined methods. Unknown codes go to 'unknown_event'.
|
__exceptionCallbackNameMap of exception code constants to the names of the user-defined methods. Unknown codes go to 'unknown_exception'.
|
apiHooksDictionary that maps module names to tuples of ( procedure name, parameter count ).All procedures listed here will be hooked for calls from the debuguee. When this happens, the corresponding event handler is notified both when the procedure is entered and when it's left by the debugee. For example, if the procedure name is "LoadLibraryEx" the event handler routines must be defined as "pre_LoadLibraryEx" and "post_LoadLibraryEx" in your class. The signature for the routines can be something like this:
def pre_LoadLibraryEx(event, *params):
ra = params[0] # return address
argv = params[1:] # function parameters
# (...)
def post_LoadLibrary(event, return_value):
# (...)
But since you can also specify the number of arguments, this signature works too (four arguments in this case):
def pre_LoadLibraryEx(event, ra, lpFilename, hFile, dwFlags):
szFilename = event.get_process().peek_string(lpFilename)
# (...)
Note that the number of parameters to pull from the stack includes the return address. The apiHooks dictionary for the example above would look like this:
apiHook = {
"kernel32.dll" : (
# Procedure name Parameter count
( "LoadLibraryEx", 4 ),
# (more procedures can go here...)
),
# (more libraries can go here...)
}
For a more complete support of API hooking, you can also check out Universal Hooker at http://oss.coresecurity.com/projects/uhooker.htm
|
| Home | Trees | Indices | Help |
|
|---|
| Generated by Epydoc 3.0.1 on Fri May 15 21:56:33 2009 | http://epydoc.sourceforge.net |