Package winappdbg :: Module breakpoint :: Class ApiHook

Class ApiHook


Used by EventHandler.

This class acts as an action callback for code breakpoints set at the beginning of a function. It automatically retrieves the parameters from the stack, sets a breakpoint at the return address and retrieves the return value from the function call.


See Also: EventHandler.apiHooks

Instance Methods

__init__(self, eventHandler, procName, paramCount=0)
x.__init__(...) initializes x; see x.__class__.__doc__ for signature

hook(self, debug, pid, modName)
Installs the API hook on a given process and module.

unhook(self, debug, pid, modName)
Removes the API hook from the given process and module.

__call__(self, event)
Handles the breakpoint event on entry of the function. (Inherited from winappdbg.breakpoint.Hook)

get_params(self, tid) -> tuple( arg, arg, arg... )
Returns the parameters found in the stack when the hooked function was last called by this thread. (Inherited from winappdbg.breakpoint.Hook)

get_params_stack(self, tid) -> list of tuple( arg, arg, arg... )
Returns the parameters found in the stack for each call of the hooked function by this thread that has not yet returned. (Inherited from winappdbg.breakpoint.Hook)

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __repr__, __setattr__, __sizeof__, __str__, __subclasshook__

Class Variables
bool useHardwareBreakpoints = False
True to try to use hardware breakpoints, False otherwise. (Inherited from winappdbg.breakpoint.Hook)
Properties

Inherited from object: __class__

Method Details

__init__(self, eventHandler, procName, paramCount=0) (Constructor)

x.__init__(...) initializes x; see x.__class__.__doc__ for signature

Parameters:
  • eventHandler (EventHandler) - Event handler instance.
  • procName (str) - Procedure name. The pre and post callbacks will be deduced from it.

    For example, if the procedure is "LoadLibraryEx" the callback routines will be "pre_LoadLibraryEx" and "post_LoadLibraryEx".

    The signature for the callbacks can be something like this:

       def pre_LoadLibraryEx(event, *params):
           ra   = params[0]        # return address
           argv = params[1:]       # function parameters
    
           # (...)
    
       def post_LoadLibraryEx(event, return_value):
    
           # (...)
    

    But if you passed the right number of arguments, you can also use a signature like this:

       def pre_LoadLibraryEx(event, ra, lpFilename, hFile, dwFlags):
           szFilename = event.get_process().peek_string(lpFilename)
    
           # (...)
    

    Note that the second example assumes all parameters are DWORDs. This may not always be so, especially on 64-bit Windows, where the calling convention passes the first arguments in registers rather than on the stack.

  • paramCount (int) - (Optional) Number of parameters for the callback. Parameters are read from the stack and assumed to be DWORDs. The first parameter of the pre callback is always the return address.
Overrides: object.__init__
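Added example (not winappdbg's own code): a stand-alone Python model of what ApiHook does on function entry and return, run against a constructed 32-bit memory image instead of a live process so it works without winappdbg. FakeProcess, ApiHookModel, on_entry and on_return are names assumed for the model; only the pre_/post_ naming, the return-address-first parameter convention and the DWORD-from-stack caveat follow the documentation above.

```python
import struct
from collections import namedtuple

Event = namedtuple("Event", "tid process")   # stand-in for the event object the callbacks get

class FakeProcess:
    # Constructed debuggee: a flat little-endian memory image, not winappdbg's Process.
    def __init__(self, memory, bits=32):
        self.memory, self.bits = memory, bits
    def read_ptr(self, addr):
        return int.from_bytes(self.memory[addr:addr + self.bits // 8], "little")
    def peek_string(self, addr):
        return self.memory[addr:self.memory.index(b"\0", addr)].decode("ascii")

class ApiHookModel:
    # Entry: read the return address and paramCount stack args, call pre_<procName> and
    # remember the params per thread. Return: pop them, call post_<procName> with the result.
    def __init__(self, eventHandler, procName, paramCount=0):
        self.pre = getattr(eventHandler, "pre_" + procName, None)
        self.post = getattr(eventHandler, "post_" + procName, None)
        self.paramCount, self._calls = paramCount, {}   # tid -> [params], innermost call last
    def on_entry(self, event, sp):
        # 32-bit stdcall layout: [esp] = return address, [esp+4*i] = argument i. On 64-bit
        # Windows the first four args travel in rcx/rdx/r8/r9, so this would be wrong there.
        size = event.process.bits // 8
        params = tuple(event.process.read_ptr(sp + size * i) for i in range(self.paramCount + 1))
        self._calls.setdefault(event.tid, []).append(params)
        if self.pre: self.pre(event, *params)
        return params[0]   # where the one-shot return breakpoint would be set
    def on_return(self, event, return_value):
        self._calls[event.tid].pop()
        if self.post: self.post(event, return_value)
    def get_params_stack(self, tid): return list(self._calls.get(tid, []))

class Handler:   # callback names are deduced from procName, as the docs describe
    def __init__(self): self.log = []
    def pre_LoadLibraryEx(self, event, ra, lpFilename, hFile, dwFlags):
        self.log.append(("pre", ra, event.process.peek_string(lpFilename), hFile, dwFlags))
    def post_LoadLibraryEx(self, event, return_value):
        self.log.append(("post", return_value))

def demo():
    mem = bytearray(0x200)                                   # constructed 32-bit memory image
    mem[0x180:0x18b] = b"C:\\x\\a.dll\0"                     # string behind lpFilename=0x180
    mem[0x100:0x110] = struct.pack("<4I", 0x401234, 0x180, 0, 0x8)   # stack frame at ESP=0x100
    h = Handler()
    hook, ev = ApiHookModel(h, "LoadLibraryEx", paramCount=3), Event(1, FakeProcess(bytes(mem)))
    ra = hook.on_entry(ev, sp=0x100)
    depth = len(hook.get_params_stack(1))                    # 1 while inside the call
    hook.on_return(ev, 0x7C800000)
    return ra, depth, len(hook.get_params_stack(1)), h.log
```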

hook(self, debug, pid, modName)

Installs the API hook on a given process and module.

Parameters:
  • debug (Debug) - Debug object.
  • pid (int) - Process ID.
  • modName (str) - Module name.
Overrides: Hook.hook

Warning: Do not call from an API hook callback.

unhook(self, debug, pid, modName)

Removes the API hook from the given process and module.

Parameters:
  • debug (Debug) - Debug object.
  • pid (int) - Process ID.
  • modName (str) - Module name.
Overrides: Hook.unhook

Warning: Do not call from an API hook callback.