Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __repr__, __setattr__, __sizeof__, __subclasshook__

Key

(opaque)

key(self)
Generates an approximately unique key for the Crash object.

source code

Report

str

briefReport(self)
Returns: Short description of the event.

source code

str

fullReport(self, bShowNotes=True)
Returns: Long description of the event.

source code

str

notesReport(self)
Returns: All notes, merged and formatted for a report.

source code

Notes

addNote(self, msg)
Add a note to the crash event.

source code

clearNotes(self)
Clear the notes of this crash event.

source code

list( str )

getNotes(self)
Get the list of notes of this crash event.

source code

listiterator

iterNotes(self)
Iterate the notes of this crash event.

source code

bool

hasNotes(self)
Returns: True if there are notes for this crash event. source code

Instance Variables

[hide private]

None or str debugString
Debug string sent by the debugee.

int eventCode
Event code as defined by the Win32 API.

str eventName
Event code user-friendly name.

None or int exceptionAddress
Memory address where the exception occured.

None or int exceptionCode
Exception code as defined by the Win32 API.

None or str exceptionLabel
Label pointing to the exception address.

None or str exceptionName
Exception code user-friendly name.

None or int faultAddress
Access violation memory address.

None or str faultCode
Data pointed to by the program counter.

None or tuple of tuple( long, int, str, str ) faultDisasm
Dissassembly around the program counter.

None or str faultLabel
Label pointing to the access violation memory address.

None or str faultMem
Data pointed to by the exception address.

None or dict( int→ str ) faultPeek
Dictionary mapping guessed pointers at faultMem to the data they point to.

None or int faultType
Access violation type.

None or bool firstChance
True for first chance exceptions, False for second chance.

bool isOurBreakpoint
True for breakpoints defined by the Debug class, False otherwise.

bool isSystemBreakpoint
True for known system-defined breakpoints, False otherwise.

None or str labelPC
Label pointing to the program counter.

None or int lpBaseOfDll
Base of module where the program counter points to.

None or list of win32.MemoryBasicInformation objects. memoryMap
Memory snapshot of the program.

None or str modFileName
File name of module where the program counter points to.

list( str ) notes
List of strings, each string is a note.

int pid
Process global ID.

dict( str → int ) registers
Dictionary mapping register names to their values.

None or dict( str → str ) registersPeek
Dictionary mapping register names to the data they point to.

None or str stackFrame
Data pointed to by the stack pointer.

None or dict( int → str ) stackPeek
Dictionary mapping stack offsets to the data they point to.

tuple( int, int ) stackRange
Stack beginning and end pointers, in memory addresses order.

None or tuple of tuple( int, int, str ) stackTrace
Stack trace of the current thread as a tuple of ( frame pointer, return address, module filename ).

None or tuple( str... ) stackTraceLabels
Tuple of labels pointing to the return addresses in the stack trace.

None or tuple( int... ) stackTracePC
Tuple of return addresses in the stack trace.

None or tuple of tuple( int, str ) stackTracePretty
Stack trace of the current thread as a tuple of ( frame pointer, return location ).

int tid
Thread global ID.

float timeStamp
Timestamp as returned by time.time().

Properties

[hide private]

int pc
Value of the program counter register.

int sp
Value of the stack pointer register.

int fp
Value of the frame pointer register.

Inherited from object: __class__

Method Details

[hide private]

init(self, event)
(Constructor)

source code

x.__init__(...) initializes x; see x.__class__.__doc__ for signature

Parameters:

event (Event) - Event object for crash.

Overrides: object.__init__

fetch_extra_data(self, event, takeMemorySnapshot=0)

source code

Fetch extra data from the Event object.

Parameters:

event (Event) - Event object for crash.
takeMemorySnapshot (int) - Memory snapshot behavior:
- 0 to take no memory information (default).
- 1 to take only the memory map.
- 2 to take a full memory snapshot.

Note: This is only needed for exceptions. Since this method may take a little longer to run, it's best to call it only after you've determined the crash is interesting and you want to save it.

str(self)
(Informal representation operator)

source code

str(x)

Overrides: object.__str__: (inherited documentation)

key(self)

source code

Generates an approximately unique key for the Crash object.

This key can be used as an heuristic to determine if two crashes were caused by the same software error. Ideally it should be treated as an opaque object.

Returns: (opaque): Crash unique key.

isExploitable(self)

source code

Guess how likely is it that the bug causing the crash can be leveraged into an exploitable vulnerability.

Returns: tuple( str, str )

The first element of the tuple is the result of the analysis, being one of the following:

Not an exception
Not exploitable
Not likely exploitable
Unknown
Probably exploitable
Exploitable

The second element of the tuple is a code to identify the matched heuristic rule.

The second element of the tuple is a description string of the reason behind the result.

Note: Don't take this as an equivalent of a real exploitability analysis, that can only be done by a human being! This is only a guideline, useful for example to sort crashes - placing the most interesting ones at the top.

See Also: The heuristics are similar to those of the !exploitable extension for WinDBG, which can be downloaded from here:

http://www.codeplex.com/msecdbg

briefReport(self)

source code

Returns: str: Short description of the event.

fullReport(self, bShowNotes=True)

source code

Parameters:

bShowNotes (bool) - True to show the user notes, False otherwise.

Returns: str

Long description of the event.

notesReport(self)

source code

Returns: str: All notes, merged and formatted for a report.

addNote(self, msg)

source code

Add a note to the crash event.

Parameters:

msg (str) - Note text.

getNotes(self)

source code

Get the list of notes of this crash event.

Returns: list( str ): List of notes.

iterNotes(self)

source code

Iterate the notes of this crash event.

Returns: listiterator: Iterator of the list of notes.

hasNotes(self)

source code

Returns: bool: True if there are notes for this crash event.

Instance Variable Details

[hide private]

debugString

Debug string sent by the debugee.

None if unapplicable or unable to retrieve.

Type:: None or str

exceptionAddress

Memory address where the exception occured.

None if unapplicable or unable to retrieve.

Type:: None or int

exceptionCode

Exception code as defined by the Win32 API.

None if unapplicable or unable to retrieve.

Type:: None or int

exceptionLabel

Label pointing to the exception address.

None or invalid if unapplicable or unable to retrieve.

Type:: None or str

exceptionName

Exception code user-friendly name.

None if unapplicable or unable to retrieve.

Type:: None or str

faultAddress

Access violation memory address. Only applicable to memory faults.

None if unapplicable or unable to retrieve.

Type:: None or int

faultCode

Data pointed to by the program counter.

None or empty if unapplicable or unable to retrieve.

Type:: None or str

faultDisasm

Dissassembly around the program counter.

None or empty if unapplicable or unable to retrieve.

Type:: None or tuple of tuple( long, int, str, str )

faultLabel

Label pointing to the access violation memory address. Only applicable to memory faults.

None if unapplicable or unable to retrieve.

Type:: None or str

faultMem

Data pointed to by the exception address.

None or empty if unapplicable or unable to retrieve.

Type:: None or str

faultPeek

Dictionary mapping guessed pointers at faultMem to the data they point to.

None or empty if unapplicable or unable to retrieve.

Type:: None or dict( int→ str )

faultType

Access violation type. Only applicable to memory faults. Should be one of the following constants:

win32.ACCESS_VIOLATION_TYPE_READ
win32.ACCESS_VIOLATION_TYPE_WRITE
win32.ACCESS_VIOLATION_TYPE_DEP

None if unapplicable or unable to retrieve.

Type:: None or int

firstChance

True for first chance exceptions, False for second chance.

None if unapplicable or unable to retrieve.

Type:: None or bool

isOurBreakpoint

True for breakpoints defined by the Debug class, False otherwise.

None if unapplicable.

Type:: bool

isSystemBreakpoint

True for known system-defined breakpoints, False otherwise.

None if unapplicable.

Type:: bool

labelPC

Label pointing to the program counter.

None or invalid if unapplicable or unable to retrieve.

Type:: None or str

lpBaseOfDll

Base of module where the program counter points to.

None if unapplicable or unable to retrieve.

Type:: None or int

memoryMap

Memory snapshot of the program. May contain the actual data from the entire process memory if requested. See fetch_extra_data for more details.

None or empty if unapplicable or unable to retrieve.

Type:: None or list of win32.MemoryBasicInformation objects.

modFileName

File name of module where the program counter points to.

None or invalid if unapplicable or unable to retrieve.

Type:: None or str

registersPeek

Dictionary mapping register names to the data they point to.

None if unapplicable or unable to retrieve.

Type:: None or dict( str → str )

stackFrame

Data pointed to by the stack pointer.

None or empty if unapplicable or unable to retrieve.

Type:: None or str

stackPeek

Dictionary mapping stack offsets to the data they point to.

None or empty if unapplicable or unable to retrieve.

Type:: None or dict( int → str )

stackRange

Stack beginning and end pointers, in memory addresses order.

None if unapplicable or unable to retrieve.

Type:: tuple( int, int )

stackTrace

Stack trace of the current thread as a tuple of ( frame pointer, return address, module filename ).

None or empty if unapplicable or unable to retrieve.

Type:: None or tuple of tuple( int, int, str )

stackTraceLabels

Tuple of labels pointing to the return addresses in the stack trace.

None or empty if unapplicable or unable to retrieve.

Type:: None or tuple( str... )

stackTracePC

Tuple of return addresses in the stack trace.

None or empty if unapplicable or unable to retrieve.

Type:: None or tuple( int... )

stackTracePretty

Stack trace of the current thread as a tuple of ( frame pointer, return location ).

None or empty if unapplicable or unable to retrieve.

Type:: None or tuple of tuple( int, str )

Property Details

[hide private]

pc

Value of the program counter register.

Get Method:: unreachable.pc(self) - Value of the program counter register.
Type:: int

Class Crash

__init__(self, event) (Constructor)

fetch_extra_data(self, event, takeMemorySnapshot=0)

__str__(self) (Informal representation operator)

key(self)

isExploitable(self)

briefReport(self)

fullReport(self, bShowNotes=True)

notesReport(self)

addNote(self, msg)

getNotes(self)

iterNotes(self)

hasNotes(self)

debugString

exceptionAddress

exceptionCode

exceptionLabel

exceptionName

faultAddress

faultCode

faultDisasm

faultLabel

faultMem

faultPeek

faultType

firstChance

isOurBreakpoint

isSystemBreakpoint

labelPC

lpBaseOfDll

memoryMap

modFileName

registersPeek

stackFrame

stackPeek

stackRange

stackTrace

stackTraceLabels

stackTracePC

stackTracePretty

pc

sp

fp

init(self, event)
(Constructor)

str(self)
(Informal representation operator)