Home

Trees

Indices

Help

Package winappdbg :: Module system :: Class ProcessDebugOperations

[hide private]

[frames] | no frames]

Class ProcessDebugOperations

source code

Encapsulates several useful debugging routines for processes.

Instance Methods

[hide private]

__fixup_labels(self, disasm)

source code

str

get_command_line(self)
Retrieves the command line with wich the program was started.

source code

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __init__, __new__, __reduce__, __reduce_ex__, __repr__, __setattr__, __sizeof__, __str__, __subclasshook__

Properties

bool

is_wow64(self)
Determines if the process is running under WOW64.

source code

win32.PEB

get_peb(self)
Returns a copy of the PEB.

source code

int

get_peb_address(self)
Returns a remote pointer to the PEB.

source code

Module

get_main_module(self)
Returns: Module object for the process main module.

source code

int

get_image_base(self)
Returns: Image base address for the process main module.

source code

int

get_image_name(self)
Returns: Filename of the process main module.

source code

Disassembly

list of tuple( long, int, str, str )

disassemble_string(self, lpAddress, code)
Disassemble instructions from a block of binary code.

source code

list of tuple( long, int, str, str )

disassemble(self, lpAddress, dwSize)
Disassemble instructions from the address space of the process.

source code

list of tuple( long, int, str, str )

disassemble_around(self, lpAddress, dwSize=64)
Disassemble around the given address.

source code

list of tuple( long, int, str, str )

disassemble_around_pc(self, dwThreadId, dwSize=64)
Disassemble around the program counter of the given thread.

source code

tuple( long, int, str, str )

disassemble_instruction(self, lpAddress)
Disassemble the instruction at the given memory address.

source code

tuple( long, int, str, str )

disassemble_current(self, dwThreadId)
Disassemble the instruction at the program counter of the given thread.

source code

Debugging

flush_instruction_cache(self)
Flush the instruction cache.

source code

debug_break(self)
Triggers the system breakpoint in the process.

source code

dict( str → str )

peek_pointers_in_data(self, data, peekSize=16, peekStep=1)
Tries to guess which values in the given data are valid pointers, and reads some data from them.

source code

Class Variables

[hide private]

__hexa_parameter = re.compile(r'0x[0-9A-Za-z]+')

Properties

[hide private]

Inherited from object: __class__

Method Details

[hide private]

disassemble_string(self, lpAddress, code)

source code

Disassemble instructions from a block of binary code.

Parameters:

lpAddress (int) - Memory address where the code was read from.
code (str) - Binary code to disassemble.

Returns: list of tuple( long, int, str, str )

List of tuples. Each tuple represents an assembly instruction and contains:

Memory address of instruction.
Size of instruction in bytes.
Disassembly line of instruction.
Hexadecimal dump of instruction.

disassemble(self, lpAddress, dwSize)

source code

Disassemble instructions from the address space of the process.

Parameters:

lpAddress (int) - Memory address where to read the code from.
dwSize (int) - Size of binary code to disassemble.

Returns: list of tuple( long, int, str, str )

List of tuples. Each tuple represents an assembly instruction and contains:

Memory address of instruction.
Size of instruction in bytes.
Disassembly line of instruction.
Hexadecimal dump of instruction.

disassemble_around(self, lpAddress, dwSize=64)

source code

Disassemble around the given address.

Parameters:

lpAddress (int) - Memory address where to read the code from.
dwSize (int) - Delta offset. Code will be read from lpAddress - dwSize to lpAddress + dwSize.

Returns: list of tuple( long, int, str, str )

List of tuples. Each tuple represents an assembly instruction and contains:

Memory address of instruction.
Size of instruction in bytes.
Disassembly line of instruction.
Hexadecimal dump of instruction.

disassemble_around_pc(self, dwThreadId, dwSize=64)

source code

Disassemble around the program counter of the given thread.

Parameters:

dwThreadId (int) - Global thread ID. The program counter for this thread will be used as the disassembly address.
dwSize (int) - Delta offset. Code will be read from pc - dwSize to pc + dwSize.

Returns: list of tuple( long, int, str, str )

List of tuples. Each tuple represents an assembly instruction and contains:

Memory address of instruction.
Size of instruction in bytes.
Disassembly line of instruction.
Hexadecimal dump of instruction.

disassemble_instruction(self, lpAddress)

source code

Disassemble the instruction at the given memory address.

Parameters:

lpAddress (int) - Memory address where to read the code from.

Returns: tuple( long, int, str, str )

The tuple represents an assembly instruction and contains:

Memory address of instruction.
Size of instruction in bytes.
Disassembly line of instruction.
Hexadecimal dump of instruction.

disassemble_current(self, dwThreadId)

source code

Disassemble the instruction at the program counter of the given thread.

Parameters:

dwThreadId (int) - Global thread ID. The program counter for this thread will be used as the disassembly address.

Returns: tuple( long, int, str, str )

The tuple represents an assembly instruction and contains:

Memory address of instruction.
Size of instruction in bytes.
Disassembly line of instruction.
Hexadecimal dump of instruction.

flush_instruction_cache(self)

source code

Flush the instruction cache. This is required if the process memory is modified and one or more threads are executing nearby the modified memory region.

Raises:

WindowsError - Raises exception on error.

debug_break(self)

source code

Triggers the system breakpoint in the process.

Raises:

WindowsError - On error an exception is raised.

is_wow64(self)

source code

Determines if the process is running under WOW64.

Returns: bool

True if the process is running under WOW64. That is, a 32-bit application running in a 64-bit Windows.

False if the process is either a 32-bit application running in a 32-bit Windows, or a 64-bit application running in a 64-bit Windows.

Raises:

WindowsError - On error an exception is raised.

get_peb(self)

source code

Returns a copy of the PEB. To dereference pointers in it call Process.read_structure.

Returns: win32.PEB

PEB structure.

Raises:

WindowsError - An exception is raised on error.

get_peb_address(self)

source code

Returns a remote pointer to the PEB.

Returns: int: Remote pointer to the win32.PEB structure. Returns None on error.

get_main_module(self)

source code

Returns: Module: Module object for the process main module.

get_image_base(self)

source code

Returns: int: Image base address for the process main module.

get_image_name(self)

source code

Returns: int: Filename of the process main module.
This method does it's best to retrieve the filename. However sometimes this is not possible, so None may be returned instead.

get_command_line(self)

source code

Retrieves the command line with wich the program was started.

Returns: str

Command line string.

Raises:

WindowsError - On error an exception is raised.

peek_pointers_in_data(self, data, peekSize=16, peekStep=1)

source code

Tries to guess which values in the given data are valid pointers, and reads some data from them.

Parameters:

data (str) - Binary data to find pointers in.
peekSize (int) - Number of bytes to read from each pointer found.
peekStep (int) - Expected data alignment. Tipically you specify 1 when data alignment is unknown, or 4 when you expect data to be DWORD aligned. Any other value may be specified.

Returns: dict( str → str )

Dictionary mapping stack offsets to the data they point to.

Home

Trees

Indices

Help