Package winappdbg :: Module system :: Class Process

Class Process

Interface to a process. Contains threads and modules snapshots.

Nested Classes
  __ThreadsAndModulesIterator
Iterator object for Process objects.
Instance Methods

__init__(self, dwProcessId, hProcess=None, fileName=None)
x.__init__(...) initializes x; see x.__class__.__doc__ for signature

list of Window
get_windows(self)
Returns a list of windows handled by this process.

clean_exit(self, dwExitCode=0, bWait=False, dwTimeout=None)
Injects a new thread to call ExitProcess().

str
get_command_line(self)
Retrieves the command line with which the program was started. (Inherited from winappdbg.system.ProcessDebugOperations)

dict( int → str )
get_mapped_filenames(self, memoryMap=None)
Retrieves the filenames for memory mapped files in the debuggee. (Inherited from winappdbg.system.MemoryOperations)

int or None
get_wow64_breakin_breakpoint(self)
Returns: Memory address of the Wow64 remote breakin breakpoint within the process address space. (Inherited from winappdbg.system.SymbolOperations)

int or None
get_wow64_system_breakpoint(self)
Returns: Memory address of the Wow64 system breakpoint within the process address space. (Inherited from winappdbg.system.SymbolOperations)

int or None
get_wow64_user_breakpoint(self)
Returns: Memory address of the Wow64 user breakpoint within the process address space. (Inherited from winappdbg.system.SymbolOperations)

str, unicode
read_string(self, lpBaseAddress, nChars, fUnicode=False)
Reads an ASCII or Unicode string from the address space of the process. (Inherited from winappdbg.system.MemoryOperations)

restore_memory_snapshot(self, snapshot)
Attempts to restore the memory state as it was when the given snapshot was taken. (Inherited from winappdbg.system.MemoryOperations)

list( win32.MemoryBasicInformation )
take_memory_snapshot(self, minAddr=None, maxAddr=None)
Takes a snapshot of the memory contents of the process. (Inherited from winappdbg.system.MemoryOperations)

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __repr__, __setattr__, __sizeof__, __str__, __subclasshook__

    Properties

int
get_pid(self)
Returns: Process global ID.

str
get_filename(self)
Returns: Filename of the main module of the process.

bool
is_debugged(self)
Tries to determine if the process is being debugged by another process.

bool
is_alive(self)
Returns: True if the process is currently running.

int
get_exit_code(self)
Returns: Process exit code, or STILL_ACTIVE if it's still alive.

int
get_image_base(self)
Returns: Image base address for the process main module. (Inherited from winappdbg.system.ProcessDebugOperations)

int
get_image_name(self)
Returns: Filename of the process main module. (Inherited from winappdbg.system.ProcessDebugOperations)

Module
get_main_module(self)
Returns: Module object for the process main module. (Inherited from winappdbg.system.ProcessDebugOperations)

win32.PEB
get_peb(self)
Returns a copy of the PEB. (Inherited from winappdbg.system.ProcessDebugOperations)

int
get_peb_address(self)
Returns a remote pointer to the PEB. (Inherited from winappdbg.system.ProcessDebugOperations)

bool
is_wow64(self)
Determines if the process is running under WOW64. (Inherited from winappdbg.system.ProcessDebugOperations)
    Instrumentation

wait(self, dwTimeout=None)
Waits for the process to finish executing.

kill(self, dwExitCode=0)
Terminates the execution of the process.

suspend(self)
Suspends execution on all threads of the process.

resume(self)
Resumes execution on all threads of the process.

tuple( Thread, int )
inject_code(self, payload, lpParameter=0)
Injects relocatable code into the process memory and executes it.

inject_dll(self, dllname, procname=None, lpParameter=0, bWait=True, dwTimeout=None)
Injects a DLL into the process memory.

start_thread(self, lpStartAddress, lpParameter=0, bSuspended=False)
Remotely creates a new thread in the process. (Inherited from winappdbg.system.ThreadContainer)
    Processes snapshot

bool
__contains__(self, anObject)
The same as: self.has_thread(anObject) or self.has_module(anObject)

int
__len__(self)
Returns: Count of Thread and Module objects in this snapshot.

iterator
__iter__(self)
Returns: Iterator of Thread and Module objects in this snapshot.

scan(self)
Populates the snapshot of threads and modules.

clear(self)
Clears the snapshot of threads and modules.
    Handle

open_handle(self)
Opens a new handle to the process.

close_handle(self)
Closes the handle to the process.

ProcessHandle
get_handle(self)
Returns: Handle to the process.
    Memory mapping

bool
free(self, lpAddress, dwSize=0)
Frees memory from the address space of the process. (Inherited from winappdbg.system.MemoryOperations)

list( win32.MemoryBasicInformation )
get_memory_map(self, minAddr=None, maxAddr=None)
Produces a memory map to the process address space. (Inherited from winappdbg.system.MemoryOperations)

bool
is_address_commited(self, address)
Determines if an address belongs to a committed page. (Inherited from winappdbg.system.MemoryOperations)

bool
is_address_copy_on_write(self, address)
Determines if an address belongs to a committed, copy-on-write page. (Inherited from winappdbg.system.MemoryOperations)

bool
is_address_executable(self, address)
Determines if an address belongs to a committed and executable page. (Inherited from winappdbg.system.MemoryOperations)

bool
is_address_executable_and_writeable(self, address)
Determines if an address belongs to a committed, writeable and executable page. (Inherited from winappdbg.system.MemoryOperations)

bool
is_address_free(self, address)
Determines if an address belongs to a free page. (Inherited from winappdbg.system.MemoryOperations)

bool
is_address_guard(self, address)
Determines if an address belongs to a guard page. (Inherited from winappdbg.system.MemoryOperations)

bool
is_address_readable(self, address)
Determines if an address belongs to a committed and readable page. (Inherited from winappdbg.system.MemoryOperations)

bool
is_address_reserved(self, address)
Determines if an address belongs to a reserved page. (Inherited from winappdbg.system.MemoryOperations)

bool
is_address_valid(self, address)
Determines if an address is a valid user mode address. (Inherited from winappdbg.system.MemoryOperations)

bool
is_address_writeable(self, address)
Determines if an address belongs to a committed and writeable page. (Inherited from winappdbg.system.MemoryOperations)

bool
is_pointer(self, address)
Determines if an address is a valid code or data pointer. (Inherited from winappdbg.system.MemoryOperations)

int
malloc(self, dwSize, lpAddress=None)
Allocates memory into the address space of the process. (Inherited from winappdbg.system.MemoryOperations)

int
mprotect(self, lpAddress, dwSize, flNewProtect)
Set memory protection in the address space of the process. (Inherited from winappdbg.system.MemoryOperations)

win32.MemoryBasicInformation
mquery(self, lpAddress)
Query memory information from the address space of the process. (Inherited from winappdbg.system.MemoryOperations)
    Memory read

str
peek(self, lpBaseAddress, nSize)
Reads the memory of the process. (Inherited from winappdbg.system.MemoryOperations)

int
peek_char(self, lpBaseAddress)
Reads a single character from the memory of the process. (Inherited from winappdbg.system.MemoryOperations)

int
peek_pointer(self, lpBaseAddress)
Reads a single pointer value from the memory of the process. (Inherited from winappdbg.system.MemoryOperations)

str, unicode
peek_string(self, lpBaseAddress, fUnicode=False, dwMaxSize=4096)
Tries to read an ASCII or Unicode string from the address space of the process. (Inherited from winappdbg.system.MemoryOperations)

int
peek_uint(self, lpBaseAddress)
Reads a single unsigned integer from the memory of the process. (Inherited from winappdbg.system.MemoryOperations)

str
read(self, lpBaseAddress, nSize)
Reads from the memory of the process. (Inherited from winappdbg.system.MemoryOperations)

int
read_char(self, lpBaseAddress)
Reads a single character from the memory of the process. (Inherited from winappdbg.system.MemoryOperations)

int
read_pointer(self, lpBaseAddress)
Reads a single pointer value from the memory of the process. (Inherited from winappdbg.system.MemoryOperations)

int
read_structure(self, lpBaseAddress, stype)
Reads a ctypes structure from the memory of the process. (Inherited from winappdbg.system.MemoryOperations)

int
read_uint(self, lpBaseAddress)
Reads a single unsigned integer from the memory of the process. (Inherited from winappdbg.system.MemoryOperations)
    Memory write

int
poke(self, lpBaseAddress, lpBuffer)
Writes to the memory of the process. (Inherited from winappdbg.system.MemoryOperations)

int
poke_char(self, lpBaseAddress, char)
Writes a single character to the memory of the process. (Inherited from winappdbg.system.MemoryOperations)

int
poke_pointer(self, lpBaseAddress, unpackedValue)
Writes a single pointer value to the memory of the process. (Inherited from winappdbg.system.MemoryOperations)

int
poke_uint(self, lpBaseAddress, unpackedDword)
Writes a single unsigned integer to the memory of the process. (Inherited from winappdbg.system.MemoryOperations)

write(self, lpBaseAddress, lpBuffer)
Writes to the memory of the process. (Inherited from winappdbg.system.MemoryOperations)

write_char(self, lpBaseAddress, char)
Writes a single character to the memory of the process. (Inherited from winappdbg.system.MemoryOperations)

write_pointer(self, lpBaseAddress, unpackedValue)
Writes a single pointer value to the memory of the process. (Inherited from winappdbg.system.MemoryOperations)

write_uint(self, lpBaseAddress, unpackedDword)
Writes a single unsigned integer to the memory of the process. (Inherited from winappdbg.system.MemoryOperations)
    Disassembly

list of tuple( long, int, str, str )
disassemble(self, lpAddress, dwSize)
Disassemble instructions from the address space of the process. (Inherited from winappdbg.system.ProcessDebugOperations)

list of tuple( long, int, str, str )
disassemble_around(self, lpAddress, dwSize=64)
Disassemble around the given address. (Inherited from winappdbg.system.ProcessDebugOperations)

list of tuple( long, int, str, str )
disassemble_around_pc(self, dwThreadId, dwSize=64)
Disassemble around the program counter of the given thread. (Inherited from winappdbg.system.ProcessDebugOperations)

tuple( long, int, str, str )
disassemble_current(self, dwThreadId)
Disassemble the instruction at the program counter of the given thread. (Inherited from winappdbg.system.ProcessDebugOperations)

tuple( long, int, str, str )
disassemble_instruction(self, lpAddress)
Disassemble the instruction at the given memory address. (Inherited from winappdbg.system.ProcessDebugOperations)

list of tuple( long, int, str, str )
disassemble_string(self, lpAddress, code)
Disassemble instructions from a block of binary code. (Inherited from winappdbg.system.ProcessDebugOperations)
    Debugging

debug_break(self)
Triggers the system breakpoint in the process. (Inherited from winappdbg.system.ProcessDebugOperations)

flush_instruction_cache(self)
Flush the instruction cache. (Inherited from winappdbg.system.ProcessDebugOperations)

int or None
get_breakin_breakpoint(self)
Returns: Memory address of the remote breakin breakpoint within the process address space. (Inherited from winappdbg.system.SymbolOperations)

int or None
get_system_breakpoint(self)
Returns: Memory address of the system breakpoint within the process address space. (Inherited from winappdbg.system.SymbolOperations)

int or None
get_user_breakpoint(self)
Returns: Memory address of the user breakpoint within the process address space. (Inherited from winappdbg.system.SymbolOperations)

bool
is_system_defined_breakpoint(self, address)
Returns: True if the given address points to a system defined breakpoint. (Inherited from winappdbg.system.SymbolOperations)

dict( str → str )
peek_pointers_in_data(self, data, peekSize=16, peekStep=1)
Tries to guess which values in the given data are valid pointers, and reads some data from them. (Inherited from winappdbg.system.ProcessDebugOperations)
    Labels

str
get_label_at_address(self, address, offset=None)
Creates a label from the given memory address. (Inherited from winappdbg.system.SymbolOperations)

int
resolve_label(self, label)
Resolve the memory address of the given label. (Inherited from winappdbg.system.SymbolOperations)

str
sanitize_label(self, label)
Converts a label taken from user input into a well-formed label. (Inherited from winappdbg.system.SymbolOperations)

tuple( str or None, str or int or None, int or None )
split_label_fuzzy(self, label)
Splits a label entered as user input. (Inherited from winappdbg.system.SymbolOperations)
    Symbols

get_symbol_at_address(self, address) (Inherited from winappdbg.system.SymbolOperations)

get_symbols(self) (Inherited from winappdbg.system.SymbolOperations)

iter_symbols(self) (Inherited from winappdbg.system.SymbolOperations)

load_symbols(self) (Inherited from winappdbg.system.SymbolOperations)

resolve_symbol(self, symbol) (Inherited from winappdbg.system.SymbolOperations)

unload_symbols(self) (Inherited from winappdbg.system.SymbolOperations)
    Threads snapshot

clear_dead_threads(self)
Remove Thread objects from the snapshot referring to threads no longer running. (Inherited from winappdbg.system.ThreadContainer)

clear_threads(self)
Clears the threads snapshot. (Inherited from winappdbg.system.ThreadContainer)

close_thread_handles(self)
Closes all open handles to threads in the snapshot. (Inherited from winappdbg.system.ThreadContainer)

list( Thread )
find_threads_by_name(self, name, bExactMatch=True)
Find threads by name, using different search methods. (Inherited from winappdbg.system.ThreadContainer)

Thread
get_thread(self, dwThreadId)
Returns: Thread object with the given global ID. (Inherited from winappdbg.system.ThreadContainer)

int
get_thread_count(self)
Returns: Count of Thread objects in this snapshot. (Inherited from winappdbg.system.ThreadContainer)

list( int )
get_thread_ids(self)
Returns: List of global thread IDs in this snapshot. (Inherited from winappdbg.system.ThreadContainer)

bool
has_thread(self, dwThreadId)
Returns: True if the snapshot contains a Thread object with the given global ID. (Inherited from winappdbg.system.ThreadContainer)

dictionary-keyiterator
iter_thread_ids(self)
Returns: Iterator of global thread IDs in this snapshot. (Inherited from winappdbg.system.ThreadContainer)

dictionary-valueiterator
iter_threads(self)
Returns: Iterator of Thread objects in this snapshot. (Inherited from winappdbg.system.ThreadContainer)

scan_threads(self)
Populates the snapshot with running threads. (Inherited from winappdbg.system.ThreadContainer)
    Event notifications (private)

notify_create_process(self, event)
Notify the creation of a new process.

notify_create_thread(self, event)
Notify the creation of a new thread in this process. (Inherited from winappdbg.system.ThreadContainer)

notify_exit_thread(self, event)
Notify the termination of a thread. (Inherited from winappdbg.system.ThreadContainer)

notify_load_dll(self, event)
Notify the load of a new module. (Inherited from winappdbg.system.ModuleContainer)

notify_unload_dll(self, event)
Notify the release of a loaded module. (Inherited from winappdbg.system.ModuleContainer)
    Modules snapshot

clear_modules(self)
Clears the modules snapshot. (Inherited from winappdbg.system.ModuleContainer)

Module
get_module(self, lpBaseOfDll)
Returns: Module object with the given base address. (Inherited from winappdbg.system.ModuleContainer)

Module
get_module_at_address(self, address)
Returns: Module object that best matches the given address. (Inherited from winappdbg.system.ModuleContainer)

list( int... )
get_module_bases(self)
Returns: List of DLL base addresses in this snapshot. (Inherited from winappdbg.system.ModuleContainer)

Module
get_module_by_name(self, modName)
Returns: Module object that best matches the given name. (Inherited from winappdbg.system.ModuleContainer)

int
get_module_count(self)
Returns: Count of Module objects in this snapshot. (Inherited from winappdbg.system.ModuleContainer)

bool
has_module(self, lpBaseOfDll)
Returns: True if the snapshot contains a Module object with the given base address. (Inherited from winappdbg.system.ModuleContainer)

dictionary-keyiterator
iter_module_addresses(self)
Returns: Iterator of DLL base addresses in this snapshot. (Inherited from winappdbg.system.ModuleContainer)

dictionary-valueiterator
iter_modules(self)
Returns: Iterator of Module objects in this snapshot. (Inherited from winappdbg.system.ModuleContainer)

scan_modules(self)
Populates the snapshot with loaded modules. (Inherited from winappdbg.system.ModuleContainer)
Class Methods
    Labels

tuple( str or None, str or int or None, int or None )
split_label(cls, label)
Splits a label into its module, function and offset components, as used in parse_label. (Inherited from winappdbg.system.SymbolOperations)

Static Methods
    Labels

str
parse_label(module=None, function=None, offset=None)
Creates a label from a module and a function name, plus an offset. (Inherited from winappdbg.system.SymbolOperations)

tuple( str or None, str or int or None, int or None )
split_label_strict(label)
Splits a label created with parse_label. (Inherited from winappdbg.system.SymbolOperations)
Instance Variables
int dwProcessId
Global process ID.
str fileName
Filename of the main module.
ProcessHandle hProcess
Handle to the process.
Properties

Inherited from object: __class__

Method Details

__init__(self, dwProcessId, hProcess=None, fileName=None)
(Constructor)

x.__init__(...) initializes x; see x.__class__.__doc__ for signature

Parameters:
  • dwProcessId (int) - Global process ID.
  • hProcess (ProcessHandle) - Handle to the process.
  • fileName (str) - (Optional) Filename of the main module.
Overrides: object.__init__

get_pid(self)

Returns: int
Process global ID.

get_filename(self)

Returns: str
Filename of the main module of the process.

get_handle(self)

Returns: ProcessHandle
Handle to the process.

__contains__(self, anObject)
(In operator)

The same as: self.has_thread(anObject) or self.has_module(anObject)

Parameters:
  • anObject (Thread, Module or int) - Object to look for. Can be a Thread, Module, thread global ID or module base address.
Returns: bool
True if the requested object was found in the snapshot.
Overrides: ModuleContainer.__contains__

__len__(self)
(Length operator)

Returns: int
Count of Thread and Module objects in this snapshot.
Overrides: ModuleContainer.__len__

__iter__(self)

Returns: iterator
Iterator of Thread and Module objects in this snapshot. All threads are iterated first, then all modules.
Overrides: ModuleContainer.__iter__

wait(self, dwTimeout=None)

Waits for the process to finish executing.

Raises:
  • WindowsError - On error an exception is raised.

kill(self, dwExitCode=0)

Terminates the execution of the process.

Raises:
  • WindowsError - On error an exception is raised.

suspend(self)

Suspends execution on all threads of the process.

Raises:
  • WindowsError - On error an exception is raised.

resume(self)

Resumes execution on all threads of the process.

Raises:
  • WindowsError - On error an exception is raised.

is_debugged(self)

Tries to determine if the process is being debugged by another process. It may detect other debuggers besides WinAppDbg.

Returns: bool
True if the process has a debugger attached.

Warning: May return inaccurate results when some anti-debug techniques are used by the target process.

Note: To know if a process is currently being debugged by a Debug object, call Debug.is_debugee instead.

is_alive(self)

Returns: bool
True if the process is currently running.

get_exit_code(self)

Returns: int
Process exit code, or STILL_ACTIVE if it's still alive.

Warning: If a process returns STILL_ACTIVE as its exit code, you may not be able to determine if it's active or not with this method. Use is_alive to check if the process is still active. Alternatively you can call get_handle to get the handle object and then ProcessHandle.wait on it to wait until the process finishes running.

get_windows(self)

Returns: list of Window
Returns a list of windows handled by this process.

inject_code(self, payload, lpParameter=0)

Injects relocatable code into the process memory and executes it.

Parameters:
  • payload (str) - Relocatable code to run in a new thread.
  • lpParameter (int) - (Optional) Parameter to be pushed in the stack.
Returns: tuple( Thread, int )
The injected Thread object and the memory address where the code was written.
Raises:
  • WindowsError - An exception is raised on error.

See Also: inject_dll

inject_dll(self, dllname, procname=None, lpParameter=0, bWait=True, dwTimeout=None)

Injects a DLL into the process memory.

Parameters:
  • dllname (str) - Name of the DLL module to load.
  • procname (str) - (Optional) Procedure to call when the DLL is loaded.
  • lpParameter (int) - (Optional) Parameter to the procname procedure.
  • bWait (bool) - True to wait for the process to finish. False to return immediately.
  • dwTimeout (int) - (Optional) Timeout value in milliseconds. Ignored if bWait is False.
Raises:
  • NotImplementedError - The target platform is not supported. Currently calling a procedure in the library is only supported in the i386 architecture.
  • WindowsError - An exception is raised on error.

Warning: Setting bWait to True when the process is frozen by a debug event will cause a deadlock in your debugger.

See Also: inject_code

clean_exit(self, dwExitCode=0, bWait=False, dwTimeout=None)

Injects a new thread to call ExitProcess(). Optionally waits for the injected thread to finish.

Parameters:
  • dwExitCode (int) - Process exit code.
  • bWait (bool) - True to wait for the process to finish. False to return immediately.
  • dwTimeout (int) - (Optional) Timeout value in milliseconds. Ignored if bWait is False.
Raises:
  • WindowsError - An exception is raised on error.

Warning: Setting bWait to True when the process is frozen by a debug event will cause a deadlock in your debugger.

notify_create_process(self, event)

Notify the creation of a new process.

This is done automatically by the Debug class, you shouldn't need to call it yourself.

Overrides: ModuleContainer.notify_create_process

Instance Variable Details

dwProcessId

Global process ID. Use get_pid instead.
Type:
int

fileName

Filename of the main module. Use get_filename instead.
Type:
str

hProcess

Handle to the process. Use get_handle instead.
Type:
ProcessHandle