Class ThreadDebugOperations

Returns a copy of the TEB. To dereference pointers in it call Process.read_structure.

Returns: TEB

TEB structure.

Translates segment-relative addresses to linear addresses.

Linear addresses can be used to access a process memory, calling Process.read and Process.write.

Parameters:

• segment (str) - Segment register name.
• address (int) - Segment relative memory address.

Returns: int

Linear memory address.

Returns: str

Label that points to the instruction currently being executed.

Returns: list of tuple( int, int )

List of structured exception handlers. Each SEH is represented as a tuple of two addresses:

• Address of the SEH block
• Address of the SEH callback function

Returns: tuple( int, int )

Stack beginning and end pointers, in memory addresses order.

Tries to get a stack trace for the current function. Only works for functions with standard prologue and epilogue.

Parameters:

• depth (int) - Maximum depth of stack trace.

Returns: tuple of tuple( int, int, str )

Stack trace of the thread as a tuple of ( return address, frame pointer address, module filename ).

Tries to get a stack trace for the current function. Only works for functions with standard prologue and epilogue.

Parameters:

• depth (int) - Maximum depth of stack trace.
• bMakePretty (bool) - True for user readable labels, False for labels that can be passed to Process.resolve_label.

  "Pretty" labels look better when producing output for the user to read, while pure labels are more useful programatically.

Returns: tuple of tuple( int, int, str )

Stack trace of the thread as a tuple of ( return address, frame pointer label ).

Returns the starting and ending addresses of the stack frame. Only works for functions with standard prologue and epilogue.

Returns: tuple( int, int )

Stack frame range. May not be accurate, depending on the compiler used.

Raises:

• RuntimeError - The stack frame is invalid, or the function doesn't have a standard prologue and epilogue.
• WindowsError - An error occured when getting the thread context.

Reads the contents of the current stack frame. Only works for functions with standard prologue and epilogue.

Parameters:

• max_size (int) - (Optional) Maximum amount of bytes to read.

Returns: str

Stack frame data. May not be accurate, depending on the compiler used. May return an empty string.

Raises:

• RuntimeError - The stack frame is invalid, or the function doesn't have a standard prologue and epilogue.
• WindowsError - An error occured when getting the thread context or reading data from the process memory.

Reads the contents of the top of the stack.

Parameters:

• size (int) - Number of bytes to read.
• offset (int) - Offset from the stack pointer to begin reading.

Returns: str

Stack data.

Raises:

• WindowsError - Could not read the requested data.

Tries to read the contents of the top of the stack.

Parameters:

• size (int) - Number of bytes to read.
• offset (int) - Offset from the stack pointer to begin reading.

Returns: str

Stack data. Returned data may be less than the requested size.

Reads DWORDs from the top of the stack.

Parameters:

• count (int) - Number of DWORDs to read.
• offset (int) - Offset from the stack pointer to begin reading.

Returns: tuple( int... )

Tuple of integers read from the stack.

Raises:

• WindowsError - Could not read the requested data.

Tries to read DWORDs from the top of the stack.

Parameters:

• count (int) - Number of DWORDs to read.
• offset (int) - Offset from the stack pointer to begin reading.

Returns: tuple( int... )

Tuple of integers read from the stack. May be less than the requested number of DWORDs.

Tries to read some bytes of the code currently being executed.

Parameters:

• size (int) - Number of bytes to read.
• offset (int) - Offset from the program counter to begin reading.

Returns: str

Bytes read from the process memory.

Raises:

• WindowsError - Could not read the requested data.

Tries to read some bytes of the code currently being executed.

Parameters:

• size (int) - Number of bytes to read.
• offset (int) - Offset from the program counter to begin reading.

Returns: str

Bytes read from the process memory. May be less than the requested number of bytes.

Tries to guess which values in the registers are valid pointers, and reads some data from them.

Parameters:

• peekSize (int) - Number of bytes to read from each pointer found.
• context (dict( str → int )) - (Optional) Dictionary mapping register names to their values. If not given, the current thread context will be used.

Returns: dict( str → str )

Dictionary mapping register names to the data they point to.

Tries to guess which values in the given data are valid pointers, and reads some data from them.

Parameters:

• data (str) - Binary data to find pointers in.
• peekSize (int) - Number of bytes to read from each pointer found.
• peekStep (int) - Expected data alignment. Tipically you specify 1 when data alignment is unknown, or 4 when you expect data to be DWORD aligned. Any other value may be specified.

Returns: dict( str → str )

Dictionary mapping stack offsets to the data they point to.

Disassemble instructions from a block of binary code.

Parameters:

• lpAddress (int) - Memory address where the code was read from.
• code (str) - Binary code to disassemble.

Returns: list of tuple( long, int, str, str )

List of tuples. Each tuple represents an assembly instruction and contains:

• Memory address of instruction.
• Size of instruction in bytes.
• Disassembly line of instruction.
• Hexadecimal dump of instruction.

Disassemble instructions from the address space of the process.

Parameters:

• lpAddress (int) - Memory address where to read the code from.
• dwSize (int) - Size of binary code to disassemble.

Returns: list of tuple( long, int, str, str )

List of tuples. Each tuple represents an assembly instruction and contains:

• Memory address of instruction.
• Size of instruction in bytes.
• Disassembly line of instruction.
• Hexadecimal dump of instruction.

Disassemble around the given address.

Parameters:

• lpAddress (int) - Memory address where to read the code from.
• dwSize (int) - Delta offset. Code will be read from lpAddress - dwSize to lpAddress + dwSize.

Returns: list of tuple( long, int, str, str )

List of tuples. Each tuple represents an assembly instruction and contains:

• Memory address of instruction.
• Size of instruction in bytes.
• Disassembly line of instruction.
• Hexadecimal dump of instruction.

Disassemble around the program counter of the given thread.

Parameters:

• dwSize (int) - Delta offset. Code will be read from pc - dwSize to pc + dwSize.

Returns: list of tuple( long, int, str, str )

List of tuples. Each tuple represents an assembly instruction and contains:

• Memory address of instruction.
• Size of instruction in bytes.
• Disassembly line of instruction.
• Hexadecimal dump of instruction.