Package winappdbg :: Module system :: Class ProcessDebugOperations

Class ProcessDebugOperations

Encapsulates several useful debugging routines for processes.

Instance Methods

__fixup_labels(self, disasm)

str
get_command_line(self)
Retrieves the command line with which the program was started.

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __init__, __new__, __reduce__, __reduce_ex__, __repr__, __setattr__, __sizeof__, __str__, __subclasshook__

    Properties
bool
is_wow64(self)
Determines if the process is running under WOW64.

win32.PEB
get_peb(self)
Returns a copy of the PEB.

int
get_peb_address(self)
Returns a remote pointer to the PEB.

Module
get_main_module(self)
Returns: Module object for the process main module.

int
get_image_base(self)
Returns: Image base address for the process main module.

str
get_image_name(self)
Returns: Filename of the process main module.

    Disassembly
list of tuple( long, int, str, str )
disassemble_string(self, lpAddress, code)
Disassemble instructions from a block of binary code.

list of tuple( long, int, str, str )
disassemble(self, lpAddress, dwSize)
Disassemble instructions from the address space of the process.

list of tuple( long, int, str, str )
disassemble_around(self, lpAddress, dwSize=64)
Disassemble around the given address.

list of tuple( long, int, str, str )
disassemble_around_pc(self, dwThreadId, dwSize=64)
Disassemble around the program counter of the given thread.

tuple( long, int, str, str )
disassemble_instruction(self, lpAddress)
Disassemble the instruction at the given memory address.

tuple( long, int, str, str )
disassemble_current(self, dwThreadId)
Disassemble the instruction at the program counter of the given thread.

    Debugging
flush_instruction_cache(self)
Flush the instruction cache.

debug_break(self)
Triggers the system breakpoint in the process.

dict( int → str )
peek_pointers_in_data(self, data, peekSize=16, peekStep=1)
Tries to guess which values in the given data are valid pointers, and reads some data from them.
Class Variables
  __hexa_parameter = re.compile(r'0x[0-9A-Za-z]+')

Properties

Inherited from object: __class__

Method Details

disassemble_string(self, lpAddress, code)

Disassemble instructions from a block of binary code.

Parameters:
  • lpAddress (int) - Memory address where the code was read from.
  • code (str) - Binary code to disassemble.
Returns: list of tuple( long, int, str, str )
List of tuples. Each tuple represents an assembly instruction and contains:
  • Memory address of instruction.
  • Size of instruction in bytes.
  • Disassembly line of instruction.
  • Hexadecimal dump of instruction.

disassemble(self, lpAddress, dwSize)

Disassemble instructions from the address space of the process.

Parameters:
  • lpAddress (int) - Memory address where to read the code from.
  • dwSize (int) - Size of binary code to disassemble.
Returns: list of tuple( long, int, str, str )
List of tuples. Each tuple represents an assembly instruction and contains:
  • Memory address of instruction.
  • Size of instruction in bytes.
  • Disassembly line of instruction.
  • Hexadecimal dump of instruction.

disassemble_around(self, lpAddress, dwSize=64)

Disassemble around the given address.

Parameters:
  • lpAddress (int) - Memory address where to read the code from.
  • dwSize (int) - Delta offset. Code will be read from lpAddress - dwSize to lpAddress + dwSize.
Returns: list of tuple( long, int, str, str )
List of tuples. Each tuple represents an assembly instruction and contains:
  • Memory address of instruction.
  • Size of instruction in bytes.
  • Disassembly line of instruction.
  • Hexadecimal dump of instruction.

disassemble_around_pc(self, dwThreadId, dwSize=64)

Disassemble around the program counter of the given thread.

Parameters:
  • dwThreadId (int) - Global thread ID. The program counter for this thread will be used as the disassembly address.
  • dwSize (int) - Delta offset. Code will be read from pc - dwSize to pc + dwSize.
Returns: list of tuple( long, int, str, str )
List of tuples. Each tuple represents an assembly instruction and contains:
  • Memory address of instruction.
  • Size of instruction in bytes.
  • Disassembly line of instruction.
  • Hexadecimal dump of instruction.

disassemble_instruction(self, lpAddress)

Disassemble the instruction at the given memory address.

Parameters:
  • lpAddress (int) - Memory address where to read the code from.
Returns: tuple( long, int, str, str )
The tuple represents an assembly instruction and contains:
  • Memory address of instruction.
  • Size of instruction in bytes.
  • Disassembly line of instruction.
  • Hexadecimal dump of instruction.

disassemble_current(self, dwThreadId)

Disassemble the instruction at the program counter of the given thread.

Parameters:
  • dwThreadId (int) - Global thread ID. The program counter for this thread will be used as the disassembly address.
Returns: tuple( long, int, str, str )
The tuple represents an assembly instruction and contains:
  • Memory address of instruction.
  • Size of instruction in bytes.
  • Disassembly line of instruction.
  • Hexadecimal dump of instruction.
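As an added example (not WinAppDbg's own code), the following Python shows how a caller might post-process the 4-tuples returned by the disassemble* methods: substituting labels for hexadecimal operands using the same pattern as the __hexa_parameter class variable, rendering the listing with the current instruction marked, and checking that a program counter actually falls on an instruction boundary. The last check matters because disassemble_around and disassemble_around_pc start decoding at lpAddress - dwSize, which need not be an instruction start, so the decoder can be out of sync for the first few bytes. The listing, its encodings and the label resolver are constructed sample data; the resolver stands in for whatever address-to-label lookup the debugger provides.

```python
import re

# The hexadecimal-immediate pattern listed under Class Variables on this page
# (__hexa_parameter). Note it also accepts non-hex letters, so int() can fail.
HEXA_PARAMETER = re.compile(r'0x[0-9A-Za-z]+')


def fixup_labels(disasm, get_label_at_address):
    """Return a copy of `disasm` with hex operands replaced by labels.

    disasm: list of (address, size, text, dump) tuples, the shape the
            disassemble* methods return.
    get_label_at_address: callable(int) -> str or None. Assumed resolver;
            the real debugger has its own address-to-label lookup.
    """
    fixed = []
    for address, size, text, dump in disasm:
        m = HEXA_PARAMETER.search(text)
        while m:
            start, end = m.span()
            value = text[start:end]
            try:
                label = get_label_at_address(int(value, 16))
            except ValueError:          # e.g. '0x12zz' matched by the regex
                label = None
            if label:
                text = text[:start] + label + text[end:]
                end = start + len(label)     # resume after the substitution
            m = HEXA_PARAMETER.search(text, end)
        fixed.append((address, size, text, dump))
    return fixed


def format_listing(disasm, pc=None, dump_width=16):
    """Render the tuples as 'address  hexdump  disassembly', marking pc."""
    lines = []
    for address, size, text, dump in disasm:
        marker = '=>' if address == pc else '  '
        lines.append('%s %08x  %-*s  %s' % (marker, address, dump_width, dump, text))
    return lines


def pc_on_boundary(disasm, pc):
    """True if pc is the start of an instruction in the listing.

    disassemble_around and disassemble_around_pc begin decoding at
    lpAddress - dwSize, which need not be an instruction start, so the
    first few decoded instructions may be out of sync. If pc itself does
    not appear as an instruction address, the listing around it is suspect.
    """
    return any(address == pc for address, _size, _text, _dump in disasm)


# Constructed sample listing in the documented tuple shape (not real output
# from a debugger); addresses and encodings chosen for illustration only.
SAMPLE_LISTING = [
    (0x00401000, 5, 'call 0x00401100',      'E8 FB 00 00 00'),
    (0x00401005, 5, 'mov eax, 0x00403000',  'B8 00 30 40 00'),
    (0x0040100A, 2, 'jmp 0x00401010',       'EB 04'),
]


def sample_label_resolver(address):
    """Constructed stand-in for the debugger's address-to-label lookup."""
    return {0x00401100: 'sample!helper', 0x00403000: 'sample!g_buffer'}.get(address)


if __name__ == '__main__':
    listing = fixup_labels(SAMPLE_LISTING, sample_label_resolver)
    for line in format_listing(listing, pc=0x00401005):
        print(line)
    print('pc on boundary:', pc_on_boundary(listing, 0x00401005))
```

Operands that the resolver cannot map (here the jmp target) are left as the raw hex the disassembler produced, and a match that is not valid hex is skipped rather than aborting the whole listing.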

flush_instruction_cache(self)

Flush the instruction cache. This is required if the process memory is modified and one or more threads are executing near the modified memory region; otherwise those threads may keep executing the old instructions still held in the cache instead of the patched ones.

Raises:
  • WindowsError - Raises exception on error.

debug_break(self)

Triggers the system breakpoint in the process.

Raises:
  • WindowsError - On error an exception is raised.

is_wow64(self)

Determines if the process is running under WOW64.

Returns: bool
True if the process is running under WOW64. That is, a 32-bit application running in a 64-bit Windows.

False if the process is either a 32-bit application running in a 32-bit Windows, or a 64-bit application running in a 64-bit Windows.

Raises:
  • WindowsError - On error an exception is raised.

get_peb(self)

Returns a copy of the PEB. To dereference pointers in it call Process.read_structure.

Returns: win32.PEB
PEB structure.
Raises:
  • WindowsError - An exception is raised on error.

get_peb_address(self)

Returns a remote pointer to the PEB.

Returns: int
Remote pointer to the win32.PEB structure. Returns None on error.

get_main_module(self)

Returns: Module
Module object for the process main module.

get_image_base(self)

Returns: int
Image base address for the process main module.

get_image_name(self)

Returns: str
Filename of the process main module.

This method does its best to retrieve the filename. However, sometimes this is not possible, so None may be returned instead.

get_command_line(self)

Retrieves the command line with which the program was started.

Returns: str
Command line string.
Raises:
  • WindowsError - On error an exception is raised.

peek_pointers_in_data(self, data, peekSize=16, peekStep=1)

Tries to guess which values in the given data are valid pointers, and reads some data from them.

Parameters:
  • data (str) - Binary data to find pointers in.
  • peekSize (int) - Number of bytes to read from each pointer found.
  • peekStep (int) - Expected data alignment. Typically you specify 1 when data alignment is unknown, or 4 when you expect data to be DWORD aligned. Any other value may be specified.
Returns: dict( int → str )
Dictionary mapping offsets into data (for instance stack offsets, when data is a stack dump) to the data they point to.
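An added example, not WinAppDbg's own implementation, of the heuristic this method describes: every peekStep-spaced window of pointer size in data is unpacked as a little-endian address and probed with a peek function, and the offsets whose addresses turn out to be readable are kept. Target memory here is a constructed dictionary standing in for the process's peek(), which is assumed to return up to the requested number of readable bytes or an empty string for an unmapped address; the "stack dump" is constructed too, with one aligned and one misaligned pointer to show what peekStep changes.

```python
import struct

# Constructed stand-in for target memory: base address -> bytes.
# Assumption: the real peek(address, size) returns up to `size` readable
# bytes, or an empty string when the address is not mapped.
FAKE_MEMORY = {
    0x00403000: b'This is a C string in .data\x00',      # e.g. a global
    0x0012FF40: b'\xef\xbe\xad\xde' + b'\x00' * 12,      # e.g. a stack slot
}


def fake_peek(address, size):
    """Read up to `size` bytes from the constructed memory map."""
    for base, contents in FAKE_MEMORY.items():
        if base <= address < base + len(contents):
            offset = address - base
            return contents[offset:offset + size]
    return b''


def peek_pointers_in_data(peek, data, peek_size=16, peek_step=1, ptr_size=4):
    """Guess which values in `data` are pointers and read through them.

    Returns a dict mapping offsets into `data` to the bytes read from the
    address found at that offset. ptr_size is 4 for a 32-bit target and 8
    for a 64-bit one; the real method takes it from the target process.
    """
    fmt = '<L' if ptr_size == 4 else '<Q'
    result = {}
    for offset in range(0, len(data), peek_step):
        packed = data[offset:offset + ptr_size]
        if len(packed) != ptr_size:
            break                      # not enough bytes left for a pointer
        address = struct.unpack(fmt, packed)[0]
        peeked = peek(address, peek_size)
        if peeked:                     # readable => plausibly a pointer
            result[offset] = peeked
    return result


def describe(result):
    """Render a result dict as 'offset: hex bytes  ascii preview' lines."""
    lines = []
    for offset in sorted(result):
        raw = result[offset]
        hexdump = ' '.join('%02x' % b for b in raw)
        ascii_ = ''.join(chr(b) if 32 <= b < 127 else '.' for b in raw)
        lines.append('+0x%04x: %s  %s' % (offset, hexdump, ascii_))
    return lines


# Constructed 'stack dump': a pointer at offset 0 (aligned), a non-pointer
# value, one pad byte, a pointer at offset 9 (misaligned), then padding.
SAMPLE_STACK = (struct.pack('<L', 0x0012FF40)
                + struct.pack('<L', 0x41414141)
                + b'\x00'
                + struct.pack('<L', 0x00403004)
                + b'\x00\x00\x00')


if __name__ == '__main__':
    for step in (4, 1):
        found = peek_pointers_in_data(fake_peek, SAMPLE_STACK, peek_step=step)
        print('peekStep=%d:' % step)
        for line in describe(found):
            print('  ' + line)
```

With peekStep=4 only the aligned pointer at offset 0 is found; with peekStep=1 the misaligned pointer at offset 9 is found as well, at the cost of probing every intermediate offset. Readability is the only test applied, so small integers that happen to fall inside a mapped region will be reported as pointers too; treat the result as candidates to inspect, not as ground truth.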