Package winappdbg :: Module system :: Class ProcessDebugOperations

Class ProcessDebugOperations


Encapsulates several useful debugging routines for processes.

Instance Methods

Inherited from object: __delattr__, __getattribute__, __hash__, __init__, __new__, __reduce__, __reduce_ex__, __repr__, __setattr__, __str__

Properties
  • get_peb(self) -> PEB
    Returns a copy of the PEB.
  • get_main_module(self) -> Module
    Returns: Module object for the process main module.
  • get_image_base(self) -> int
    Returns: Image base address for the process main module.
  • get_image_name(self) -> int
    Returns: Filename of the process main module.
Disassembly
  • disassemble(self, lpAddress, dwSize) -> list of tuple( long, int, str, str )
    Disassemble instructions from the address space of the process.
  • disassemble_around(self, lpAddress, dwSize=64) -> list of tuple( long, int, str, str )
    Disassemble around the given address.
  • disassemble_around_pc(self, dwThreadId, dwSize=64) -> list of tuple( long, int, str, str )
    Disassemble around the program counter of the given thread.
Debugging
  • flush_instruction_cache(self)
    Flush the instruction cache.
  • debug_break(self)
    Triggers the system breakpoint in the process.
  • peek_pointers_in_data(self, data, peekSize=16, peekStep=1) -> dict( str → str )
    Tries to guess which values in the given data are valid pointers, and reads some data from them.

Static Methods

Disassembly
  • disassemble_string(lpAddress, code) -> list of tuple( long, int, str, str )
    Disassemble instructions from a block of binary code.
Properties

Inherited from object: __class__

Method Details

disassemble_string(lpAddress, code)
Static Method

Disassemble instructions from a block of binary code.

Parameters:
  • lpAddress (int) - Memory address where the code was read from.
  • code (str) - Binary code to disassemble.
Returns: list of tuple( long, int, str, str )
List of tuples. Each tuple represents an assembly instruction and contains:
  • Memory address of instruction.
  • Size of instruction in bytes.
  • Disassembly line of instruction.
  • Hexadecimal dump of instruction.

disassemble(self, lpAddress, dwSize)

Disassemble instructions from the address space of the process.

Parameters:
  • lpAddress (int) - Memory address where to read the code from.
  • dwSize (int) - Size of binary code to disassemble.
Returns: list of tuple( long, int, str, str )
List of tuples. Each tuple represents an assembly instruction and contains:
  • Memory address of instruction.
  • Size of instruction in bytes.
  • Disassembly line of instruction.
  • Hexadecimal dump of instruction.

disassemble_around(self, lpAddress, dwSize=64)

Disassemble around the given address.

Parameters:
  • lpAddress (int) - Memory address where to read the code from.
  • dwSize (int) - Delta offset. Code will be read from lpAddress - dwSize to lpAddress + dwSize.
Returns: list of tuple( long, int, str, str )
List of tuples. Each tuple represents an assembly instruction and contains:
  • Memory address of instruction.
  • Size of instruction in bytes.
  • Disassembly line of instruction.
  • Hexadecimal dump of instruction.

disassemble_around_pc(self, dwThreadId, dwSize=64)

Disassemble around the program counter of the given thread.

Parameters:
  • dwThreadId (int) - Global thread ID. The program counter for this thread will be used as the disassembly address.
  • dwSize (int) - Delta offset. Code will be read from pc - dwSize to pc + dwSize.
Returns: list of tuple( long, int, str, str )
List of tuples. Each tuple represents an assembly instruction and contains:
  • Memory address of instruction.
  • Size of instruction in bytes.
  • Disassembly line of instruction.
  • Hexadecimal dump of instruction.
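The three disassembly methods above all return the same list-of-tuples layout. The following added example (not winappdbg code, and requiring no debuggee) works on a hand-constructed list in that layout: it renders the listing with the program counter marked, locates the tuple at a given address, and checks that consecutive instructions are contiguous. The last check matters for disassemble_around and disassemble_around_pc on x86, where decoding from pc - dwSize can start in the middle of a variable-length instruction; the addresses, opcodes and SAMPLE_PC value are all constructed for the example.

```python
# Added example: helpers for the (address, size, disassembly, hexdump) tuples
# documented for disassemble(), disassemble_around() and disassemble_around_pc().
# Not winappdbg code; the listing below is constructed by hand.

SAMPLE_PC = 0x00401005  # constructed program counter value

# Constructed sample in the documented tuple layout:
#   (memory address, size in bytes, disassembly line, hexadecimal dump)
SAMPLE_LISTING = [
    (0x00401000, 1, "push ebp",        "55"),
    (0x00401001, 2, "mov ebp, esp",    "8b ec"),
    (0x00401003, 2, "xor eax, eax",    "33 c0"),
    (0x00401005, 5, "call 0x00401100", "e8 f6 00 00 00"),
    (0x0040100a, 1, "pop ebp",         "5d"),
    (0x0040100b, 1, "ret",             "c3"),
]

def find_instruction_at(listing, address):
    """Return the index of the tuple whose address matches exactly, or None.

    None for an address inside the listing's range means the decoded
    instruction boundaries do not line up with that address, which is what
    happens when decoding started mid-instruction (e.g. at pc - dwSize).
    """
    for index, (addr, _size, _asm, _hexdump) in enumerate(listing):
        if addr == address:
            return index
    return None

def find_gaps(listing):
    """Return (address, next_address) pairs where one instruction's end does
    not meet the next instruction's start, i.e. the listing is not contiguous."""
    gaps = []
    for (addr, size, _a, _h), (next_addr, _s, _a2, _h2) in zip(listing, listing[1:]):
        if addr + size != next_addr:
            gaps.append((addr, next_addr))
    return gaps

def render_listing(listing, pc):
    """Format the tuples one per line, marking the instruction at `pc` with '=>'."""
    width = max(len(hexdump) for _a, _s, _asm, hexdump in listing)
    lines = []
    for addr, _size, asm, hexdump in listing:
        marker = "=>" if addr == pc else "  "
        lines.append("%s %08x  %-*s  %s" % (marker, addr, width, hexdump, asm))
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_listing(SAMPLE_LISTING, SAMPLE_PC))
    print("pc index:", find_instruction_at(SAMPLE_LISTING, SAMPLE_PC))
    print("gaps:", find_gaps(SAMPLE_LISTING))
```

If find_instruction_at returns None for the thread's own program counter, the window start was not an instruction boundary; re-reading from a known boundary (the function entry from get_main_module or a previous breakpoint address) usually resynchronises the decode.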

flush_instruction_cache(self)

Flush the instruction cache. This is required if the process memory is modified and one or more threads are executing nearby the modified memory region.

Raises:
  • WindowsError - Raises exception on error.

debug_break(self)

Triggers the system breakpoint in the process.

Raises:
  • WindowsError - On error an exception is raised.

get_peb(self)

Returns a copy of the PEB. To dereference pointers in it call Process.read_structure.

Returns: PEB
PEB structure.

get_main_module(self)

Returns: Module
Module object for the process main module.

get_image_base(self)

Returns: int
Image base address for the process main module.

get_image_name(self)

Returns: int
Filename of the process main module.

This method does its best to retrieve the filename. However, sometimes this is not possible, so None may be returned instead.

peek_pointers_in_data(self, data, peekSize=16, peekStep=1)

Tries to guess which values in the given data are valid pointers, and reads some data from them.

Parameters:
  • data (str) - Binary data to find pointers in.
  • peekSize (int) - Number of bytes to read from each pointer found.
  • peekStep (int) - Expected data alignment. Typically you specify 1 when data alignment is unknown, or 4 when you expect data to be DWORD aligned. Any other value may be specified.
Returns: dict( str → str )
Dictionary mapping stack offsets to the data they point to.
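The following added example is a simplified stand-alone reimplementation of what peek_pointers_in_data is documented to do, so the effect of peekSize and peekStep can be seen without a live process. It is not winappdbg code: reads come from a constructed two-region address map instead of the debuggee, it assumes a 32-bit pointer size, it skips candidate values below 64 KiB as an assumed false-positive filter, and it returns integer offsets and bytes values where the page documents dict( str → str ).

```python
import struct

# Added example: simplified reimplementation of peek_pointers_in_data().
# Not winappdbg code; memory reads come from the constructed map below.

POINTER_SIZE = 4    # assumption: a 32-bit debuggee
POINTER_FMT = "<I"  # little-endian unsigned 32-bit word

# Constructed address space: two readable regions of a pretend process.
MEMORY = {
    0x00401000: b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,  # fake image header
    0x0012FF00: b"hello world\x00" + b"\x00" * 52,             # fake string on the stack
}

def peek(address, size):
    """Read up to `size` bytes at `address` from the constructed map.
    Returns b'' when the address is not readable, mirroring a failed read."""
    for base, blob in MEMORY.items():
        if base <= address < base + len(blob):
            start = address - base
            return blob[start:start + size]
    return b""

def peek_pointers_in_data(data, peekSize=16, peekStep=1):
    """Treat the pointer-sized word at every `peekStep` offset of `data` as a
    candidate pointer and keep those whose target is readable.

    Returns a dict mapping the byte offset within `data` to the bytes read
    from the candidate's target (assumption: int keys and bytes values)."""
    result = {}
    for offset in range(0, len(data) - POINTER_SIZE + 1, peekStep):
        candidate = struct.unpack_from(POINTER_FMT, data, offset)[0]
        # Assumed heuristic: values below 64 KiB are almost always counters or
        # flags rather than pointers, so they are skipped before any read.
        if candidate < 0x10000:
            continue
        target = peek(candidate, peekSize)
        if target:
            result[offset] = target
    return result

# Constructed "stack" contents: a return address into the image, a pointer to
# the string, a small integer and a pointer into unmapped memory.
SAMPLE_STACK = struct.pack("<IIII", 0x00401004, 0x0012FF00, 0x00000010, 0x7FFF0000)

if __name__ == "__main__":
    found = peek_pointers_in_data(SAMPLE_STACK, peekSize=8, peekStep=4)
    for offset, target in sorted(found.items()):
        print("offset %#06x -> %r" % (offset, target))
```

With peekStep=4 only the four aligned words are tested; with peekStep=1 every byte offset is tried, which on this sample yields the same two hits but costs three times as many candidate reads, which is the trade-off the peekStep parameter exposes.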