Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __repr__, __setattr__, __sizeof__, __str__, __subclasshook__

Simple breakpoint use

break_at(self, pid, address, action=None)
Sets a code breakpoint at the given process and address.

source code

dont_break_at(self, pid, address)
Clears a code breakpoint set by break_at.

source code

hook_function(self, pid, address, preCB=None, postCB=None, paramCount=0)
Sets a function hook at the given address.

source code

dont_hook_function(self, pid, address)
Removes a function hook set by hook_function.

source code

unhook_function(self, pid, address)
Removes a function hook set by hook_function.

source code

watch_variable(self, tid, address, size, action=None)
Sets a hardware breakpoint at the given thread, address and size.

source code

dont_watch_variable(self, tid, address)
Clears a hardware breakpoint set by watch_variable.

source code

watch_buffer(self, pid, address, size, action=None)
Sets a page breakpoint and notifies when the given buffer is accessed.

source code

dont_watch_buffer(self, pid, address, size)
Clears a page breakpoint set by watch_buffer.

source code

Stalking

stalk_at(self, pid, address, action=None)
Sets a one shot code breakpoint at the given process and address.

source code

dont_stalk_at(self, pid, address)
Clears a code breakpoint set by stalk_at.

source code

stalk_function(self, pid, address, preCB=None, postCB=None, paramCount=0)
Sets a one-shot function hook at the given address.

source code

dont_stalk_function(self, pid, address)
Removes a function hook set by stalk_function.

source code

stalk_variable(self, tid, address, size, action=None)
Sets a one-shot hardware breakpoint at the given thread, address and size.

source code

dont_stalk_variable(self, tid, address)
Clears a hardware breakpoint set by stalk_variable.

source code

stalk_buffer(self, pid, address, size, action=None)
Sets a one-shot page breakpoint and notifies when the given buffer is accessed.

source code

dont_stalk_buffer(self, pid, address, size)
Clears a page breakpoint set by stalk_buffer.

source code

Tracing

bool

is_tracing(self, tid)
Returns: True if the thread is being traced, False otherwise. source code

list( int... )

get_traced_tids(self)
Retrieves the list of global IDs of all threads being traced.

source code

start_tracing(self, tid)
Start tracing mode in the given thread.

source code

stop_tracing(self, tid)
Stop tracing mode in the given thread.

source code

start_tracing_process(self, pid)
Start tracing mode for all threads in the given process.

source code

stop_tracing_process(self, pid)
Stop tracing mode for all threads in the given process.

source code

start_tracing_all(self)
Start tracing mode for all threads in all debugees.

source code

stop_tracing_all(self)
Stop tracing mode for all threads in all debugees.

source code

Symbols

int, None

resolve_exported_function(self, pid, modName, procName)
Resolves the exported DLL function for the given process.

source code

int

resolve_label(self, pid, label)
Resolves a label for the given process.

source code

Advanced breakpoint use

CodeBreakpoint

define_code_breakpoint(self, dwProcessId, address, condition=True, action=None)
Creates a disabled code breakpoint at the given address.

source code

PageBreakpoint

define_page_breakpoint(self, dwProcessId, address, pages=1, condition=True, action=None)
Creates a disabled page breakpoint at the given address.

source code

HardwareBreakpoint

define_hardware_breakpoint(self, dwThreadId, address, triggerFlag=3, sizeFlag=3, condition=True, action=None)
Creates a disabled hardware breakpoint at the given address.

source code

bool

has_code_breakpoint(self, dwProcessId, address)
Checks if a code breakpoint is defined at the given address.

source code

bool

has_page_breakpoint(self, dwProcessId, address)
Checks if a page breakpoint is defined at the given address.

source code

bool

has_hardware_breakpoint(self, dwThreadId, address)
Checks if a hardware breakpoint is defined at the given address.

source code

CodeBreakpoint

get_code_breakpoint(self, dwProcessId, address)
Returns the internally used breakpoint object, for the code breakpoint defined at the given address.

source code

PageBreakpoint

get_page_breakpoint(self, dwProcessId, address)
Returns the internally used breakpoint object, for the page breakpoint defined at the given address.

source code

HardwareBreakpoint

get_hardware_breakpoint(self, dwThreadId, address)
Returns the internally used breakpoint object, for the code breakpoint defined at the given address.

source code

enable_code_breakpoint(self, dwProcessId, address)
Enables the code breakpoint at the given address.

source code

enable_page_breakpoint(self, dwProcessId, address)
Enables the page breakpoint at the given address.

source code

enable_hardware_breakpoint(self, dwThreadId, address)
Enables the hardware breakpoint at the given address.

source code

enable_one_shot_code_breakpoint(self, dwProcessId, address)
Enables the code breakpoint at the given address for only one shot.

source code

enable_one_shot_page_breakpoint(self, dwProcessId, address)
Enables the page breakpoint at the given address for only one shot.

source code

enable_one_shot_hardware_breakpoint(self, dwThreadId, address)
Enables the hardware breakpoint at the given address for only one shot.

source code

disable_code_breakpoint(self, dwProcessId, address)
Disables the code breakpoint at the given address.

source code

disable_page_breakpoint(self, dwProcessId, address)
Disables the page breakpoint at the given address.

source code

disable_hardware_breakpoint(self, dwThreadId, address)
Disables the hardware breakpoint at the given address.

source code

erase_code_breakpoint(self, dwProcessId, address)
Erases the code breakpoint at the given address.

source code

erase_page_breakpoint(self, dwProcessId, address)
Erases the page breakpoint at the given address.

source code

erase_hardware_breakpoint(self, dwThreadId, address)
Erases the hardware breakpoint at the given address.

source code

Listing breakpoints

list of tuple( pid, tid, bp )

get_all_breakpoints(self)
Returns all breakpoint objects as a list of tuples.

source code

list of tuple( int, CodeBreakpoint )

get_all_code_breakpoints(self)
Returns: All code breakpoints as a list of tuples (pid, bp).

source code

list of tuple( int, PageBreakpoint )

get_all_page_breakpoints(self)
Returns: All page breakpoints as a list of tuples (pid, bp).

source code

list of tuple( int, HardwareBreakpoint )

get_all_hardware_breakpoints(self)
Returns: All hardware breakpoints as a list of tuples (tid, bp).

source code

list of tuple( pid, tid, bp )

get_process_breakpoints(self, dwProcessId)
Returns all breakpoint objects for the given process as a list of tuples.

source code

list of CodeBreakpoint

get_process_code_breakpoints(self, dwProcessId)
Returns: All code breakpoints for the given process.

source code

list of PageBreakpoint

get_process_page_breakpoints(self, dwProcessId)
Returns: All page breakpoints for the given process.

source code

list of HardwareBreakpoint

get_thread_hardware_breakpoints(self, dwThreadId)
Returns: All hardware breakpoints for the given thread.

source code

list of tuple( int, HardwareBreakpoint )

get_process_hardware_breakpoints(self, dwProcessId)
Returns: All hardware breakpoints for each thread in the given process as a list of tuples (tid, bp).

source code

Batch operations on breakpoints

enable_all_breakpoints(self)
Enables all disabled breakpoints in all processes.

source code

enable_one_shot_all_breakpoints(self)
Enables for one shot all disabled breakpoints in all processes.

source code

disable_all_breakpoints(self)
Disables all breakpoints in all processes.

source code

erase_all_breakpoints(self)
Erases all breakpoints in all processes.

source code

enable_process_breakpoints(self, dwProcessId)
Enables all disabled breakpoints for the given process.

source code

enable_one_shot_process_breakpoints(self, dwProcessId)
Enables for one shot all disabled breakpoints for the given process.

source code

disable_process_breakpoints(self, dwProcessId)
Disables all breakpoints for the given process.

source code

erase_process_breakpoints(self, dwProcessId)
Erases all breakpoints for the given process.

source code

Event notifications (private)

notify_guard_page(self, event)
Notify breakpoints of a guard page exception event.

source code

notify_breakpoint(self, event)
Notify breakpoints of a breakpoint exception event.

source code

notify_single_step(self, event)
Notify breakpoints of a single step exception event.

source code

notify_exit_thread(self, event)
Notify the termination of a thread.

source code

notify_exit_process(self, event)
Notify the termination of a process.

source code

Class Variables

[hide private]

BP_BREAK_ON_IO_ACCESS = 2

Breakpoint types

int BP_TYPE_ANY = 0
To get all breakpoints

int BP_TYPE_CODE = 1
To get code breakpoints only

int BP_TYPE_PAGE = 2
To get page breakpoints only

int BP_TYPE_HARDWARE = 3
To get hardware breakpoints only

Breakpoint states

int BP_STATE_DISABLED = 0
Breakpoint is disabled.

int BP_STATE_ENABLED = 1
Breakpoint is enabled.

int BP_STATE_ONESHOT = 2
Breakpoint is enabled for one shot.

int BP_STATE_RUNNING = 3
Breakpoint is running (recently hit).

Memory breakpoint trigger flags

int BP_BREAK_ON_EXECUTION = 0
Break on code execution.

int BP_BREAK_ON_WRITE = 1
Break on memory write.

int BP_BREAK_ON_ACCESS = 3
Break on memory read or write.

Memory breakpoint size flags

BP_WATCH_BYTE = 0

BP_WATCH_WORD = 1

BP_WATCH_QWORD = 2

BP_WATCH_DWORD = 3

Properties

[hide private]

Inherited from object: __class__

Method Details

[hide private]

init(self)
(Constructor)

source code

x.__init__(...) initializes x; see x.__class__.__doc__ for signature

Overrides: object.__init__: (inherited documentation)

define_code_breakpoint(self, dwProcessId, address, condition=True, action=None)

source code

Creates a disabled code breakpoint at the given address.

Parameters:

dwProcessId (int) - Process global ID.
address (int) - Memory address of the code instruction to break at.
condition (function) - (Optional) Condition callback function.
The callback signature is:
```
   def condition_callback(event):
       return True     # returns True or False
```
Where event is an Event object, and the return value is a boolean (True to dispatch the event, False otherwise).
action (function) - (Optional) Action callback function. If specified, the event is handled by this callback instead of being dispatched normally.
The callback signature is:
```
   def action_callback(event):
       pass        # no return value
```
Where event is an Event object, and the return value is a boolean (True to dispatch the event, False otherwise).

Returns: CodeBreakpoint

The code breakpoint object.

define_page_breakpoint(self, dwProcessId, address, pages=1, condition=True, action=None)

source code

Creates a disabled page breakpoint at the given address.

Parameters:

dwProcessId (int) - Process global ID.
address (int) - Memory address of the first page to watch.
pages (int) - Number of pages to watch.
condition (function) - (Optional) Condition callback function.
The callback signature is:
```
   def condition_callback(event):
       return True     # returns True or False
```
Where event is an Event object, and the return value is a boolean (True to dispatch the event, False otherwise).
action (function) - (Optional) Action callback function. If specified, the event is handled by this callback instead of being dispatched normally.
The callback signature is:
```
   def action_callback(event):
       pass        # no return value
```
Where event is an Event object, and the return value is a boolean (True to dispatch the event, False otherwise).

Returns: PageBreakpoint

The page breakpoint object.

define_hardware_breakpoint(self, dwThreadId, address, triggerFlag=3, sizeFlag=3, condition=True, action=None)

source code

Creates a disabled hardware breakpoint at the given address.

Parameters:

dwThreadId (int) - Thread global ID.
address (int) - Memory address to watch.
triggerFlag (int) - Trigger of breakpoint. Must be one of the following:
- BP_BREAK_ON_EXECUTION
  Break on code execution.
- BP_BREAK_ON_WRITE
  Break on memory read or write.
- BP_BREAK_ON_ACCESS
  Break on memory write.
sizeFlag (int) - Size of breakpoint. Must be one of the following:
- BP_WATCH_BYTE
  One (1) byte in size.
- BP_WATCH_WORD
  Two (2) bytes in size.
- BP_WATCH_DWORD
  Four (4) bytes in size.
- BP_WATCH_QWORD
  Eight (8) bytes in size.
condition (function) - (Optional) Condition callback function.
The callback signature is:
```
   def condition_callback(event):
       return True     # returns True or False
```
Where event is an Event object, and the return value is a boolean (True to dispatch the event, False otherwise).
action (function) - (Optional) Action callback function. If specified, the event is handled by this callback instead of being dispatched normally.
The callback signature is:
```
   def action_callback(event):
       pass        # no return value
```
Where event is an Event object, and the return value is a boolean (True to dispatch the event, False otherwise).

Returns: HardwareBreakpoint

The hardware breakpoint object.

Note: Hardware breakpoints do not seem to work properly on VirtualBox. See http://www.virtualbox.org/ticket/477.

has_code_breakpoint(self, dwProcessId, address)

source code

Checks if a code breakpoint is defined at the given address.

Parameters:

dwProcessId (int) - Process global ID.
address (int) - Memory address of breakpoint.

Returns: bool

True if the breakpoint is defined, False otherwise.

has_page_breakpoint(self, dwProcessId, address)

source code

Checks if a page breakpoint is defined at the given address.

Parameters:

dwProcessId (int) - Process global ID.
address (int) - Memory address of breakpoint.

Returns: bool

True if the breakpoint is defined, False otherwise.

has_hardware_breakpoint(self, dwThreadId, address)

source code

Checks if a hardware breakpoint is defined at the given address.

Parameters:

dwThreadId (int) - Thread global ID.
address (int) - Memory address of breakpoint.

Returns: bool

True if the breakpoint is defined, False otherwise.

get_code_breakpoint(self, dwProcessId, address)

source code

Returns the internally used breakpoint object, for the code breakpoint defined at the given address.

Parameters:

dwProcessId (int) - Process global ID.
address (int) - Memory address where the breakpoint is defined.

Returns: CodeBreakpoint

The code breakpoint object.

Warning: It's usually best to call the Debug methods instead of accessing the breakpoint objects directly.

get_page_breakpoint(self, dwProcessId, address)

source code

Returns the internally used breakpoint object, for the page breakpoint defined at the given address.

Parameters:

dwProcessId (int) - Process global ID.
address (int) - Memory address where the breakpoint is defined.

Returns: PageBreakpoint

The page breakpoint object.

Warning: It's usually best to call the Debug methods instead of accessing the breakpoint objects directly.

get_hardware_breakpoint(self, dwThreadId, address)

source code

Returns the internally used breakpoint object, for the code breakpoint defined at the given address.

Parameters:

dwThreadId (int) - Thread global ID.
address (int) - Memory address where the breakpoint is defined.

Returns: HardwareBreakpoint

The hardware breakpoint object.

Warning: It's usually best to call the Debug methods instead of accessing the breakpoint objects directly.

enable_code_breakpoint(self, dwProcessId, address)

source code

Enables the code breakpoint at the given address.

Parameters:

dwProcessId (int) - Process global ID.
address (int) - Memory address of breakpoint.

enable_page_breakpoint(self, dwProcessId, address)

source code

Enables the page breakpoint at the given address.

Parameters:

dwProcessId (int) - Process global ID.
address (int) - Memory address of breakpoint.

enable_hardware_breakpoint(self, dwThreadId, address)

source code

Enables the hardware breakpoint at the given address.

Parameters:

dwThreadId (int) - Thread global ID.
address (int) - Memory address of breakpoint.

Note: Do not set hardware breakpoints while processing the system breakpoint event.

enable_one_shot_code_breakpoint(self, dwProcessId, address)

source code

Enables the code breakpoint at the given address for only one shot.

Parameters:

dwProcessId (int) - Process global ID.
address (int) - Memory address of breakpoint.

enable_one_shot_page_breakpoint(self, dwProcessId, address)

source code

Enables the page breakpoint at the given address for only one shot.

Parameters:

dwProcessId (int) - Process global ID.
address (int) - Memory address of breakpoint.

enable_one_shot_hardware_breakpoint(self, dwThreadId, address)

source code

Enables the hardware breakpoint at the given address for only one shot.

Parameters:

dwThreadId (int) - Thread global ID.
address (int) - Memory address of breakpoint.

disable_code_breakpoint(self, dwProcessId, address)

source code

Disables the code breakpoint at the given address.

Parameters:

dwProcessId (int) - Process global ID.
address (int) - Memory address of breakpoint.

disable_page_breakpoint(self, dwProcessId, address)

source code

Disables the page breakpoint at the given address.

Parameters:

dwProcessId (int) - Process global ID.
address (int) - Memory address of breakpoint.

disable_hardware_breakpoint(self, dwThreadId, address)

source code

Disables the hardware breakpoint at the given address.

Parameters:

dwThreadId (int) - Thread global ID.
address (int) - Memory address of breakpoint.

erase_code_breakpoint(self, dwProcessId, address)

source code

Erases the code breakpoint at the given address.

Parameters:

dwProcessId (int) - Process global ID.
address (int) - Memory address of breakpoint.

erase_page_breakpoint(self, dwProcessId, address)

source code

Erases the page breakpoint at the given address.

Parameters:

dwProcessId (int) - Process global ID.
address (int) - Memory address of breakpoint.

erase_hardware_breakpoint(self, dwThreadId, address)

source code

Erases the hardware breakpoint at the given address.

Parameters:

dwThreadId (int) - Thread global ID.
address (int) - Memory address of breakpoint.

get_all_breakpoints(self)

source code

Returns all breakpoint objects as a list of tuples.

Each tuple contains:

Process global ID to which the breakpoint applies.
Thread global ID to which the breakpoint applies, or None.
The Breakpoint object itself.

Returns: list of tuple( pid, tid, bp ): List of all breakpoints.

Note: If you're only interested in a specific breakpoint type, or in breakpoints for a specific process or thread, it's probably faster to call one of the following methods:

get_all_code_breakpoints(self)

source code

Returns: list of tuple( int, CodeBreakpoint ): All code breakpoints as a list of tuples (pid, bp).

get_all_page_breakpoints(self)

source code

Returns: list of tuple( int, PageBreakpoint ): All page breakpoints as a list of tuples (pid, bp).

get_all_hardware_breakpoints(self)

source code

Returns: list of tuple( int, HardwareBreakpoint ): All hardware breakpoints as a list of tuples (tid, bp).

get_process_breakpoints(self, dwProcessId)

source code

Returns all breakpoint objects for the given process as a list of tuples.

Each tuple contains:

Process global ID to which the breakpoint applies.
Thread global ID to which the breakpoint applies, or None.
The Breakpoint object itself.

Parameters:

dwProcessId (int) - Process global ID.

Returns: list of tuple( pid, tid, bp )

List of all breakpoints for the given process.

Note: If you're only interested in a specific breakpoint type, or in breakpoints for a specific process or thread, it's probably faster to call one of the following methods:

get_process_code_breakpoints(self, dwProcessId)

source code

Parameters:

dwProcessId (int) - Process global ID.

Returns: list of CodeBreakpoint

All code breakpoints for the given process.

get_process_page_breakpoints(self, dwProcessId)

source code

Parameters:

dwProcessId (int) - Process global ID.

Returns: list of PageBreakpoint

All page breakpoints for the given process.

get_thread_hardware_breakpoints(self, dwThreadId)

source code

Parameters:

dwThreadId (int) - Thread global ID.

Returns: list of HardwareBreakpoint

All hardware breakpoints for the given thread.

See Also: get_process_hardware_breakpoints

get_process_hardware_breakpoints(self, dwProcessId)

source code

Parameters:

dwProcessId (int) - Process global ID.

Returns: list of tuple( int, HardwareBreakpoint )

All hardware breakpoints for each thread in the given process as a list of tuples (tid, bp).

See Also: get_thread_hardware_breakpoints

enable_all_breakpoints(self)

source code

Enables all disabled breakpoints in all processes.

See Also: enable_code_breakpoint, enable_page_breakpoint, enable_hardware_breakpoint

enable_one_shot_all_breakpoints(self)

source code

Enables for one shot all disabled breakpoints in all processes.

See Also: enable_one_shot_code_breakpoint, enable_one_shot_page_breakpoint, enable_one_shot_hardware_breakpoint

disable_all_breakpoints(self)

source code

Disables all breakpoints in all processes.

See Also: disable_code_breakpoint, disable_page_breakpoint, disable_hardware_breakpoint

erase_all_breakpoints(self)

source code

Erases all breakpoints in all processes.

See Also: erase_code_breakpoint, erase_page_breakpoint, erase_hardware_breakpoint

enable_process_breakpoints(self, dwProcessId)

source code

Enables all disabled breakpoints for the given process.

Parameters:

dwProcessId (int) - Process global ID.

enable_one_shot_process_breakpoints(self, dwProcessId)

source code

Enables for one shot all disabled breakpoints for the given process.

Parameters:

dwProcessId (int) - Process global ID.

disable_process_breakpoints(self, dwProcessId)

source code

Disables all breakpoints for the given process.

Parameters:

dwProcessId (int) - Process global ID.

erase_process_breakpoints(self, dwProcessId)

source code

Erases all breakpoints for the given process.

Parameters:

dwProcessId (int) - Process global ID.

notify_guard_page(self, event)

source code

Notify breakpoints of a guard page exception event.

Parameters:

event (ExceptionEvent) - Guard page exception event.

notify_breakpoint(self, event)

source code

Notify breakpoints of a breakpoint exception event.

Parameters:

event (ExceptionEvent) - Breakpoint exception event.

notify_single_step(self, event)

source code

Notify breakpoints of a single step exception event.

Parameters:

event (ExceptionEvent) - Single step exception event.

notify_exit_thread(self, event)

source code

Notify the termination of a thread.

Parameters:

event (ExitThreadEvent) - Exit thread event.

notify_exit_process(self, event)

source code

Notify the termination of a process.

Parameters:

event (ExitProcessEvent) - Exit process event.

notify_unload_dll(self, event)

source code

Notify the unloading of a DLL.

Parameters:

event (UnloadDLLEvent) - Unload DLL event.

__set_break(self, pid, address, action)

source code

Used by break_at and stalk_at.

Parameters:

pid (int) - Process global ID.
address (int) - Memory address of code instruction to break at.
action (function) - (Optional) Action callback function.
See define_code_breakpoint for more details.

__clear_break(self, pid, address)

source code

Used by dont_break_at and dont_stalk_at.

Parameters:

pid (int) - Process global ID.
address (int) - Memory address of code breakpoint.

stalk_at(self, pid, address, action=None)

source code

Sets a one shot code breakpoint at the given process and address.

Parameters:

pid (int) - Process global ID.
address (int) - Memory address of code instruction to break at.
action (function) - (Optional) Action callback function.
See define_code_breakpoint for more details.

See Also: break_at, dont_stalk_at

break_at(self, pid, address, action=None)

source code

Sets a code breakpoint at the given process and address.

Parameters:

pid (int) - Process global ID.
address (int) - Memory address of code instruction to break at.
action (function) - (Optional) Action callback function.
See define_code_breakpoint for more details.

See Also: stalk_at, dont_break_at

dont_break_at(self, pid, address)

source code

Clears a code breakpoint set by break_at.

Parameters:

pid (int) - Process global ID.
address (int) - Memory address of code instruction to break at.

dont_stalk_at(self, pid, address)

source code

Clears a code breakpoint set by stalk_at.

Parameters:

pid (int) - Process global ID.
address (int) - Memory address of code instruction to break at.

hook_function(self, pid, address, preCB=None, postCB=None, paramCount=0)

source code

Sets a function hook at the given address.

Parameters:

pid (int) - Process global ID.
address (int) - Function address.

preCB (function) - (Optional) Callback triggered on function entry.

The signature for the callback can be something like this:

   def pre_LoadLibraryEx(event, *params):
       ra   = params[0]        # return address
       argv = params[1:]       # function parameters

       # (...)

But if you passed the right number of arguments, you can also use a signature like this:

   def pre_LoadLibraryEx(event, ra, lpFilename, hFile, dwFlags):
       szFilename = event.get_process().peek_string(lpFilename)

       # (...)

In the above example, the value for paramCount would be 3.

postCB (function) - (Optional) Callback triggered on function exit.
The signature for the callback would be something like this:
```
   def post_LoadLibraryEx(event, return_value):

       # (...)
```
paramCount (int) - (Optional) Number of parameters for the preCB callback, not counting the return address. Parameters are read from the stack and assumed to be DWORDs.

stalk_function(self, pid, address, preCB=None, postCB=None, paramCount=0)

source code

Sets a one-shot function hook at the given address.

Parameters:

pid (int) - Process global ID.
address (int) - Function address.

preCB (function) - (Optional) Callback triggered on function entry.

The signature for the callback can be something like this:

   def pre_LoadLibraryEx(event, *params):
       ra   = params[0]        # return address
       argv = params[1:]       # function parameters

       # (...)

But if you passed the right number of arguments, you can also use a signature like this:

   def pre_LoadLibraryEx(event, ra, lpFilename, hFile, dwFlags):
       szFilename = event.get_process().peek_string(lpFilename)

       # (...)

In the above example, the value for paramCount would be 3.

postCB (function) - (Optional) Callback triggered on function exit.
The signature for the callback would be something like this:
```
   def post_LoadLibraryEx(event, return_value):

       # (...)
```
paramCount (int) - (Optional) Number of parameters for the preCB callback, not counting the return address. Parameters are read from the stack and assumed to be DWORDs.

dont_hook_function(self, pid, address)

source code

Removes a function hook set by hook_function.

Parameters:

pid (int) - Process global ID.
address (int) - Function address.

unhook_function(self, pid, address)

source code

Removes a function hook set by hook_function.

Parameters:

pid (int) - Process global ID.
address (int) - Function address.

dont_stalk_function(self, pid, address)

source code

Removes a function hook set by stalk_function.

Parameters:

pid (int) - Process global ID.
address (int) - Function address.

__set_variable_watch(self, tid, address, size, action)

source code

Used by watch_variable and stalk_variable.

Parameters:

tid (int) - Thread global ID.
address (int) - Memory address of variable to watch.
size (int) - Size of variable to watch. The only supported sizes are: byte (1), word (2), dword (4) and qword (8).
action (function) - (Optional) Action callback function.
See define_hardware_breakpoint for more details.

Returns: HardwareBreakpoint

Hardware breakpoint at the requested address.

__clear_variable_watch(self, tid, address)

source code

Used by dont_watch_variable and dont_stalk_variable.

Parameters:

tid (int) - Thread global ID.
address (int) - Memory address of variable to stop watching.

watch_variable(self, tid, address, size, action=None)

source code

Sets a hardware breakpoint at the given thread, address and size.

Parameters:

tid (int) - Thread global ID.
address (int) - Memory address of variable to watch.
size (int) - Size of variable to watch. The only supported sizes are: byte (1), word (2), dword (4) and qword (8).
action (function) - (Optional) Action callback function.
See define_hardware_breakpoint for more details.

See Also: dont_watch_variable

stalk_variable(self, tid, address, size, action=None)

source code

Sets a one-shot hardware breakpoint at the given thread, address and size.

Parameters:

tid (int) - Thread global ID.
address (int) - Memory address of variable to watch.
size (int) - Size of variable to watch. The only supported sizes are: byte (1), word (2), dword (4) and qword (8).
action (function) - (Optional) Action callback function.
See define_hardware_breakpoint for more details.

See Also: dont_watch_variable

dont_watch_variable(self, tid, address)

source code

Clears a hardware breakpoint set by watch_variable.

Parameters:

tid (int) - Thread global ID.
address (int) - Memory address of variable to stop watching.

dont_stalk_variable(self, tid, address)

source code

Clears a hardware breakpoint set by stalk_variable.

Parameters:

tid (int) - Thread global ID.
address (int) - Memory address of variable to stop watching.

__set_buffer_watch(self, pid, address, size, action, bOneShot)

source code

Used by watch_buffer and stalk_buffer.

Parameters:

pid (int) - Process global ID.
address (int) - Memory address of buffer to watch.
size (int) - Size in bytes of buffer to watch.
action (function) - (Optional) Action callback function.
See define_page_breakpoint for more details.
bOneShot (bool) - True to set a one-shot breakpoint, False to set a normal breakpoint.

__clear_buffer_watch(self, pid, address, size)

source code

Used by dont_watch_buffer and dont_stalk_buffer.

Parameters:

pid (int) - Process global ID.
address (int) - Memory address of buffer to stop watching.
size (int) - Size in bytes of buffer to stop watching.

watch_buffer(self, pid, address, size, action=None)

source code

Sets a page breakpoint and notifies when the given buffer is accessed.

Parameters:

pid (int) - Process global ID.
address (int) - Memory address of buffer to watch.
size (int) - Size in bytes of buffer to watch.
action (function) - (Optional) Action callback function.
See define_page_breakpoint for more details.

See Also: dont_watch_variable

stalk_buffer(self, pid, address, size, action=None)

source code

Sets a one-shot page breakpoint and notifies when the given buffer is accessed.

Parameters:

pid (int) - Process global ID.
address (int) - Memory address of buffer to watch.
size (int) - Size in bytes of buffer to watch.
action (function) - (Optional) Action callback function.
See define_page_breakpoint for more details.

See Also: dont_watch_variable

dont_watch_buffer(self, pid, address, size)

source code

Clears a page breakpoint set by watch_buffer.

Parameters:

pid (int) - Process global ID.
address (int) - Memory address of buffer to stop watching.
size (int) - Size in bytes of buffer to stop watching.

dont_stalk_buffer(self, pid, address, size)

source code

Clears a page breakpoint set by stalk_buffer.

Parameters:

pid (int) - Process global ID.
address (int) - Memory address of buffer to stop watching.
size (int) - Size in bytes of buffer to stop watching.

__start_tracing(self, thread)

source code

Parameters:

thread (Thread) - Thread to start tracing.

__stop_tracing(self, thread)

source code

Parameters:

thread (Thread) - Thread to stop tracing.

is_tracing(self, tid)

source code

Parameters:

tid (int) - Thread global ID.

Returns: bool

True if the thread is being traced, False otherwise.

get_traced_tids(self)

source code

Retrieves the list of global IDs of all threads being traced.

Returns: list( int... ): List of thread global IDs.

start_tracing(self, tid)

source code

Start tracing mode in the given thread.

Parameters:

tid (int) - Global ID of thread to start tracing.

stop_tracing(self, tid)

source code

Stop tracing mode in the given thread.

Parameters:

tid (int) - Global ID of thread to stop tracing.

start_tracing_process(self, pid)

source code

Start tracing mode for all threads in the given process.

Parameters:

pid (int) - Global ID of process to start tracing.

stop_tracing_process(self, pid)

source code

Stop tracing mode for all threads in the given process.

Parameters:

pid (int) - Global ID of process to stop tracing.

resolve_exported_function(self, pid, modName, procName)

source code

Resolves the exported DLL function for the given process.

Parameters:

pid (int) - Process global ID.
modName (str) - Name of the module that exports the function.
procName (str) - Name of the exported function to resolve.

Returns: int, None

On success, the address of the exported function. On failure, returns None.

resolve_label(self, pid, label)

source code

Resolves a label for the given process.

Parameters:

pid (int) - Process global ID.
label (str) - Label to resolve.

Returns: int

Memory address pointed to by the label.

Raises:

ValueError - The label is malformed or impossible to resolve.
RuntimeError - Cannot resolve the module or function.

Home

Trees

Indices

Help

Class BreakpointContainer

__init__(self) (Constructor)

define_code_breakpoint(self, dwProcessId, address, condition=True, action=None)

define_page_breakpoint(self, dwProcessId, address, pages=1, condition=True, action=None)

define_hardware_breakpoint(self, dwThreadId, address, triggerFlag=3, sizeFlag=3, condition=True, action=None)

has_code_breakpoint(self, dwProcessId, address)

has_page_breakpoint(self, dwProcessId, address)

has_hardware_breakpoint(self, dwThreadId, address)

get_code_breakpoint(self, dwProcessId, address)

get_page_breakpoint(self, dwProcessId, address)

get_hardware_breakpoint(self, dwThreadId, address)

enable_code_breakpoint(self, dwProcessId, address)

enable_page_breakpoint(self, dwProcessId, address)

enable_hardware_breakpoint(self, dwThreadId, address)

enable_one_shot_code_breakpoint(self, dwProcessId, address)

enable_one_shot_page_breakpoint(self, dwProcessId, address)

enable_one_shot_hardware_breakpoint(self, dwThreadId, address)

disable_code_breakpoint(self, dwProcessId, address)

disable_page_breakpoint(self, dwProcessId, address)

disable_hardware_breakpoint(self, dwThreadId, address)

erase_code_breakpoint(self, dwProcessId, address)

erase_page_breakpoint(self, dwProcessId, address)

erase_hardware_breakpoint(self, dwThreadId, address)

get_all_breakpoints(self)

get_all_code_breakpoints(self)

get_all_page_breakpoints(self)

get_all_hardware_breakpoints(self)

get_process_breakpoints(self, dwProcessId)

get_process_code_breakpoints(self, dwProcessId)

get_process_page_breakpoints(self, dwProcessId)

get_thread_hardware_breakpoints(self, dwThreadId)

get_process_hardware_breakpoints(self, dwProcessId)

enable_all_breakpoints(self)

enable_one_shot_all_breakpoints(self)

disable_all_breakpoints(self)

erase_all_breakpoints(self)

enable_process_breakpoints(self, dwProcessId)

enable_one_shot_process_breakpoints(self, dwProcessId)

disable_process_breakpoints(self, dwProcessId)

erase_process_breakpoints(self, dwProcessId)

notify_guard_page(self, event)

notify_breakpoint(self, event)

notify_single_step(self, event)

notify_exit_thread(self, event)

notify_exit_process(self, event)

notify_unload_dll(self, event)

__set_break(self, pid, address, action)

__clear_break(self, pid, address)

stalk_at(self, pid, address, action=None)

break_at(self, pid, address, action=None)

dont_break_at(self, pid, address)

dont_stalk_at(self, pid, address)

hook_function(self, pid, address, preCB=None, postCB=None, paramCount=0)

stalk_function(self, pid, address, preCB=None, postCB=None, paramCount=0)

dont_hook_function(self, pid, address)

unhook_function(self, pid, address)

dont_stalk_function(self, pid, address)

__set_variable_watch(self, tid, address, size, action)

__clear_variable_watch(self, tid, address)

watch_variable(self, tid, address, size, action=None)

stalk_variable(self, tid, address, size, action=None)

dont_watch_variable(self, tid, address)

dont_stalk_variable(self, tid, address)

__set_buffer_watch(self, pid, address, size, action, bOneShot)

__clear_buffer_watch(self, pid, address, size)

watch_buffer(self, pid, address, size, action=None)

stalk_buffer(self, pid, address, size, action=None)

dont_watch_buffer(self, pid, address, size)

dont_stalk_buffer(self, pid, address, size)

__start_tracing(self, thread)

__stop_tracing(self, thread)

is_tracing(self, tid)

get_traced_tids(self)

start_tracing(self, tid)

stop_tracing(self, tid)

start_tracing_process(self, pid)

stop_tracing_process(self, pid)

resolve_exported_function(self, pid, modName, procName)

resolve_label(self, pid, label)

init(self)
(Constructor)