Package winappdbg :: Module system :: Class MemoryOperations

Class MemoryOperations


Encapsulates the capabilities to manipulate the memory of a process.

Instance Methods

Inherited from object: __delattr__, __getattribute__, __hash__, __init__, __new__, __reduce__, __reduce_ex__, __repr__, __setattr__, __str__

    Memory mapping
int
malloc(self, dwSize, lpAddress=0)
Allocates memory in the address space of the process.
int
mprotect(self, lpAddress, dwSize, flNewProtect)
Set memory protection in the address space of the process.
MEMORY_BASIC_INFORMATION
mquery(self, lpAddress)
Query memory information from the address space of the process.
bool
free(self, lpAddress, dwSize=0)
Frees memory from the address space of the process.
bool
is_address_valid(self, address)
Determines if an address is a valid user mode address.
bool
is_address_free(self, address)
Determines if an address belongs to a free page.
bool
is_address_reserved(self, address)
Determines if an address belongs to a reserved page.
bool
is_address_commited(self, address)
Determines if an address belongs to a committed page.
bool
is_address_readable(self, address)
Determines if an address belongs to a committed and readable page.
bool
is_address_writeable(self, address)
Determines if an address belongs to a committed and writeable page.
bool
is_address_executable(self, address)
Determines if an address belongs to a committed and executable page.
bool
is_address_executable_and_writeable(self, address)
Determines if an address belongs to a committed, writeable and executable page.
list( MEMORY_BASIC_INFORMATION )
get_memory_map(self, minAddr=0, maxAddr=4294967296)
Produces a memory map of the process address space.
    Memory read
str
read(self, lpBaseAddress, nSize)
Reads from the memory of the process.
int
read_uint(self, lpBaseAddress)
Reads a single uint from the memory of the process.
int
read_char(self, lpBaseAddress)
Reads a single character from the memory of the process.
int
read_structure(self, lpBaseAddress, stype)
Reads a ctypes structure from the memory of the process.
str
peek(self, lpBaseAddress, nSize)
Reads the memory of the process.
int
peek_uint(self, lpBaseAddress)
Reads a single uint from the memory of the process.
int
peek_char(self, lpBaseAddress)
Reads a single character from the memory of the process.
str, unicode
peek_string(self, lpBaseAddress, fUnicode=False, dwMaxSize=4096)
Tries to read an ASCII or Unicode string from the address space of the process.
    Memory write
 
write(self, lpBaseAddress, lpBuffer)
Writes to the memory of the process.
 
write_uint(self, lpBaseAddress, unpackedDword)
Writes a single uint to the memory of the process.
 
write_char(self, lpBaseAddress, char)
Writes a single character to the memory of the process.
int
poke(self, lpBaseAddress, lpBuffer)
Writes to the memory of the process.
int
poke_uint(self, lpBaseAddress, unpackedDword)
Writes a single uint to the memory of the process.
int
poke_char(self, lpBaseAddress, char)
Writes a single character to the memory of the process.
Properties

Inherited from object: __class__

Method Details

read(self, lpBaseAddress, nSize)

 

Reads from the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin reading.
  • nSize (int) - Number of bytes to read.
Returns: str
Bytes read from the process memory.
Raises:
  • WindowsError - On error an exception is raised.

See Also: peek

write(self, lpBaseAddress, lpBuffer)

 

Writes to the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin writing.
  • lpBuffer (int) - Bytes to write.
Raises:
  • WindowsError - On error an exception is raised.

See Also: poke

read_uint(self, lpBaseAddress)

 

Reads a single uint from the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin reading.
Returns: int
Integer value read from the process memory.
Raises:
  • WindowsError - On error an exception is raised.

See Also: peek

write_uint(self, lpBaseAddress, unpackedDword)

 

Writes a single uint to the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin writing.
  • unpackedDword (int, long) - Value to write.
Raises:
  • WindowsError - On error an exception is raised.

See Also: poke_uint

read_char(self, lpBaseAddress)

 

Reads a single character from the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin reading.
Returns: int
Character value read from the process memory.
Raises:
  • WindowsError - On error an exception is raised.

See Also: write_char

write_char(self, lpBaseAddress, char)

 

Writes a single character to the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin writing.
  • char (int) - Character to write.
Raises:
  • WindowsError - On error an exception is raised.

See Also: write_char

read_structure(self, lpBaseAddress, stype)

 

Reads a ctypes structure from the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin reading.
  • stype (class ctypes.Structure or a subclass.) - Structure definition.
Returns: int
Structure instance filled in with data read from the process memory.
Raises:
  • WindowsError - On error an exception is raised.

See Also: read

peek(self, lpBaseAddress, nSize)

 

Reads the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin reading.
  • nSize (int) - Number of bytes to read.
Returns: str
Bytes read from the process memory. Returns an empty string on error.

See Also: read

poke(self, lpBaseAddress, lpBuffer)

 

Writes to the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin writing.
  • lpBuffer (str) - Bytes to write.
Returns: int
Number of bytes written. May be less than the number of bytes to write.

See Also: write

peek_uint(self, lpBaseAddress)

 

Reads a single uint from the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin reading.
Returns: int
Integer value read from the process memory. Returns zero on error.

See Also: read_uint

poke_uint(self, lpBaseAddress, unpackedDword)

 

Writes a single uint to the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin writing.
  • unpackedDword (int, long) - Value to write.
Returns: int
Number of bytes written. May be less than the number of bytes to write.

See Also: write_uint

peek_char(self, lpBaseAddress)

 

Reads a single character from the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin reading.
Returns: int
Character read from the process memory. Returns zero on error.

See Also: read_char

poke_char(self, lpBaseAddress, char)

 

Writes a single character to the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin writing.
  • char (str) - Character to write.
Returns: int
Number of bytes written. May be less than the number of bytes to write.

See Also: write_char

peek_string(self, lpBaseAddress, fUnicode=False, dwMaxSize=4096)

 

Tries to read an ASCII or Unicode string from the address space of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin reading.
  • fUnicode (bool) - True if the string is expected to be Unicode, False if it's expected to be ANSI.
  • dwMaxSize (int) - Maximum allowed string length to read, in bytes.
Returns: str, unicode
String read from the process memory space. It doesn't include the terminating null character. Returns an empty string on failure.

See Also: peek

malloc(self, dwSize, lpAddress=0)

 

Allocates memory in the address space of the process.

Parameters:
  • dwSize (int) - Number of bytes to allocate.
  • lpAddress (int) - (Optional) Desired address for the newly allocated memory. This is only a hint; the memory could still be allocated somewhere else.
Returns: int
Address of the newly allocated memory.
Raises:
  • WindowsError - On error an exception is raised.

See Also: free

mprotect(self, lpAddress, dwSize, flNewProtect)

 

Set memory protection in the address space of the process.

Parameters:
  • lpAddress (int) - Address of memory to protect.
  • dwSize (int) - Number of bytes to protect.
  • flNewProtect (int) - New protect flags.
Returns: int
Old protect flags.
Raises:
  • WindowsError - On error an exception is raised.

mquery(self, lpAddress)

 

Query memory information from the address space of the process. Returns a MEMORY_BASIC_INFORMATION structure.

Parameters:
  • lpAddress (int) - Address of memory to query.
Returns: MEMORY_BASIC_INFORMATION
Memory region information.
Raises:
  • WindowsError - On error an exception is raised.

free(self, lpAddress, dwSize=0)

 

Frees memory from the address space of the process.

Parameters:
  • lpAddress (int) - Address of memory to free.
  • dwSize (int) - (Optional) Number of bytes to free.
Returns: bool
True on success, False on error.

See Also: malloc

is_address_valid(self, address)

 

Determines if an address is a valid user mode address.

Parameters:
  • address (int) - Memory address to query.
Returns: bool
True if the address is a valid user mode address.
Raises:
  • WindowsError - An exception is raised on error.

is_address_free(self, address)

 

Determines if an address belongs to a free page.

Parameters:
  • address (int) - Memory address to query.
Returns: bool
True if the address belongs to a free page.
Raises:
  • WindowsError - An exception is raised on error.

Note: Always returns False for kernel mode addresses.

is_address_reserved(self, address)

 

Determines if an address belongs to a reserved page.

Parameters:
  • address (int) - Memory address to query.
Returns: bool
True if the address belongs to a reserved page.
Raises:
  • WindowsError - An exception is raised on error.

Note: Always returns False for kernel mode addresses.

is_address_commited(self, address)

 

Determines if an address belongs to a committed page.

Parameters:
  • address (int) - Memory address to query.
Returns: bool
True if the address belongs to a committed page.
Raises:
  • WindowsError - An exception is raised on error.

Note: Always returns False for kernel mode addresses.

is_address_readable(self, address)

 

Determines if an address belongs to a committed and readable page. The page may or may not have additional permissions.

Parameters:
  • address (int) - Memory address to query.
Returns: bool
True if the address belongs to a committed and readable page.
Raises:
  • WindowsError - An exception is raised on error.

Note: Always returns False for kernel mode addresses.

is_address_writeable(self, address)

 

Determines if an address belongs to a committed and writeable page. The page may or may not have additional permissions.

Parameters:
  • address (int) - Memory address to query.
Returns: bool
True if the address belongs to a committed and writeable page.
Raises:
  • WindowsError - An exception is raised on error.

Note: Always returns False for kernel mode addresses.

is_address_executable(self, address)

 

Determines if an address belongs to a committed and executable page. The page may or may not have additional permissions.

Parameters:
  • address (int) - Memory address to query.
Returns: bool
True if the address belongs to a committed and executable page.
Raises:
  • WindowsError - An exception is raised on error.

Note: Always returns False for kernel mode addresses.

is_address_executable_and_writeable(self, address)

 

Determines if an address belongs to a committed, writeable and executable page. The page may or may not have additional permissions.

Looking for writeable and executable pages is important when exploiting a software vulnerability.

Parameters:
  • address (int) - Memory address to query.
Returns: bool
True if the address belongs to a committed, writeable and executable page.
Raises:
  • WindowsError - An exception is raised on error.

Note: Always returns False for kernel mode addresses.

get_memory_map(self, minAddr=0, maxAddr=4294967296)

 

Produces a memory map of the process address space. Optionally restrict the map to the given address range.

Parameters:
  • minAddr (int) - (Optional) Starting address in address range to query.
  • maxAddr (int) - (Optional) Ending address in address range to query.
Returns: list( MEMORY_BASIC_INFORMATION )
List of MEMORY_BASIC_INFORMATION structures.

See Also: mquery
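
Added example (not WinAppDbg's own code): the committed, writeable and executable test described for is_address_executable_and_writeable, applied to a whole memory map as a defensive audit for W+X regions. Region is a hypothetical stand-in for MEMORY_BASIC_INFORMATION, assumed to expose the Win32 field names; the sample map is constructed, and masking the modifier bits is a choice made for this example.

```python
from collections import namedtuple

# Win32 memory state and page protection constants (winnt.h).
MEM_COMMIT, MEM_RESERVE, MEM_FREE = 0x1000, 0x2000, 0x10000
PAGE_NOACCESS, PAGE_READONLY = 0x01, 0x02
PAGE_READWRITE, PAGE_WRITECOPY = 0x04, 0x08
PAGE_EXECUTE, PAGE_EXECUTE_READ = 0x10, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
PAGE_GUARD = 0x100

WRITEABLE = (PAGE_READWRITE | PAGE_WRITECOPY |
             PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)
EXECUTABLE = (PAGE_EXECUTE | PAGE_EXECUTE_READ |
              PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)

# Hypothetical stand-in carrying four MEMORY_BASIC_INFORMATION fields.
Region = namedtuple("Region", "BaseAddress RegionSize State Protect")

def is_writeable_and_executable(region):
    """True for a committed region whose protection allows write and execute."""
    if region.State != MEM_COMMIT:
        return False  # free and reserved pages grant no access at all
    base = region.Protect & 0xFF  # drop modifier bits such as PAGE_GUARD
    return bool(base & WRITEABLE and base & EXECUTABLE)

def find_wx_regions(memory_map):
    """Return (start, end) ranges of W+X memory, merging adjacent regions."""
    ranges = []
    for r in sorted(memory_map, key=lambda r: r.BaseAddress):
        if not is_writeable_and_executable(r):
            continue
        end = r.BaseAddress + r.RegionSize
        if ranges and ranges[-1][1] == r.BaseAddress:
            ranges[-1] = (ranges[-1][0], end)  # contiguous: extend last range
        else:
            ranges.append((r.BaseAddress, end))
    return ranges

# Constructed sample map; these values are not taken from a real process.
SAMPLE_MAP = [
    Region(0x00010000, 0x1000, MEM_COMMIT, PAGE_READWRITE),
    Region(0x00401000, 0x5000, MEM_COMMIT, PAGE_EXECUTE_READ),
    Region(0x00520000, 0x2000, MEM_COMMIT, PAGE_EXECUTE_READWRITE),
    Region(0x00522000, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE | PAGE_GUARD),
    Region(0x00530000, 0x10000, MEM_RESERVE, 0),
    Region(0x00540000, 0x1000, MEM_FREE, PAGE_NOACCESS),
]

if __name__ == "__main__":
    print(["%08x-%08x" % r for r in find_wx_regions(SAMPLE_MAP)])
```

Regions that are both writeable and executable are uncommon in ordinary images, so the ranges reported here are the ones worth reviewing first when triaging a process.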