Package winappdbg :: Module system :: Class ThreadDebugOperations
[hide private]
[frames] | no frames]

Class ThreadDebugOperations

source code


Encapsulates several useful debugging routines for threads.

Instance Methods [hide private]
tuple of tuple( int, int, str )
__get_stack_trace(self, depth=16, bUseLabels=True, bMakePretty=True)
Tries to get a stack trace for the current function.
source code
tuple( int... )
read_stack_qwords(self, count, offset=0)
Reads QWORDs from the top of the stack.
source code
tuple( int... )
peek_stack_qwords(self, count, offset=0)
Tries to read QWORDs from the top of the stack.
source code

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __init__, __new__, __reduce__, __reduce_ex__, __repr__, __setattr__, __sizeof__, __str__, __subclasshook__

    Properties
bool
is_wow64(self)
Determines if the thread is running under WOW64.
source code
TEB
get_teb(self)
Returns a copy of the TEB.
source code
int
get_teb_address(self)
Returns a remote pointer to the TEB.
source code
    Disassembly
list of tuple( long, int, str, str )
disassemble_string(self, lpAddress, code)
Disassemble instructions from a block of binary code.
source code
list of tuple( long, int, str, str )
disassemble(self, lpAddress, dwSize)
Disassemble instructions from the address space of the process.
source code
list of tuple( long, int, str, str )
disassemble_around(self, lpAddress, dwSize=64)
Disassemble around the given address.
source code
list of tuple( long, int, str, str )
disassemble_around_pc(self, dwSize=64)
Disassemble around the program counter of the given thread.
source code
tuple( long, int, str, str )
disassemble_instruction(self, lpAddress)
Disassemble the instruction at the given memory address.
source code
tuple( long, int, str, str )
disassemble_current(self)
Disassemble the instruction at the program counter of the given thread.
source code
    Stack
tuple( int, int )
get_stack_range(self)
Returns: Stack beginning and end pointers, in memory addresses order.
source code
tuple of tuple( int, int, str )
get_stack_trace(self, depth=16)
Tries to get a stack trace for the current function.
source code
tuple of tuple( int, int, str )
get_stack_trace_with_labels(self, depth=16, bMakePretty=True)
Tries to get a stack trace for the current function.
source code
tuple( int, int )
get_stack_frame_range(self)
Returns the starting and ending addresses of the stack frame.
source code
str
get_stack_frame(self, max_size=None)
Reads the contents of the current stack frame.
source code
str
read_stack_data(self, size=128, offset=0)
Reads the contents of the top of the stack.
source code
str
peek_stack_data(self, size=128, offset=0)
Tries to read the contents of the top of the stack.
source code
tuple( int... )
read_stack_dwords(self, count, offset=0)
Reads DWORDs from the top of the stack.
source code
tuple( int... )
peek_stack_dwords(self, count, offset=0)
Tries to read DWORDs from the top of the stack.
source code
    Miscellaneous
int
get_linear_address(self, segment, address)
Translates segment-relative addresses to linear addresses.
source code
str
get_label_at_pc(self)
Returns: Label that points to the instruction currently being executed.
source code
list of tuple( int, int )
get_seh_chain(self)
Returns: List of structured exception handlers.
source code
tuple of ( list of win32.WAITCHAIN_NODE_INFO structures, bool)
get_wait_chain(self)
Returns: Wait chain for the thread.
source code
str
read_code_bytes(self, size=128, offset=0)
Tries to read some bytes of the code currently being executed.
source code
str
peek_code_bytes(self, size=128, offset=0)
Tries to read some bytes of the code currently being executed.
source code
dict( str → str )
peek_pointers_in_registers(self, peekSize=16, context=None)
Tries to guess which values in the registers are valid pointers, and reads some data from them.
source code
dict( str → str )
peek_pointers_in_data(self, data, peekSize=16, peekStep=1)
Tries to guess which values in the given data are valid pointers, and reads some data from them.
source code
Properties [hide private]

Inherited from object: __class__

Method Details [hide private]

is_wow64(self)

source code 

Determines if the thread is running under WOW64.

Returns: bool
True if the thread is running under WOW64. That is, it belongs to a 32-bit application running in a 64-bit Windows.

False if the thread belongs to either a 32-bit application running in a 32-bit Windows, or a 64-bit application running in a 64-bit Windows.

Raises:
  • WindowsError - On error an exception is raised.

get_teb(self)

source code 

Returns a copy of the TEB. To dereference pointers in it call Process.read_structure.

Returns: TEB
TEB structure.
Raises:
  • WindowsError - An exception is raised on error.

get_teb_address(self)

source code 

Returns a remote pointer to the TEB.

Returns: int
Remote pointer to the TEB structure.
Raises:
  • WindowsError - An exception is raised on error.

get_linear_address(self, segment, address)

source code 

Translates segment-relative addresses to linear addresses.

Linear addresses can be used to access a process memory, calling Process.read and Process.write.

Parameters:
  • segment (str) - Segment register name.
  • address (int) - Segment relative memory address.
Returns: int
Linear memory address.
Raises:
  • ValueError - Address is too large for selector.
  • WindowsError - The current architecture does not support selectors. Selectors only exist in x86-based systems.

get_label_at_pc(self)

source code 
Returns: str
Label that points to the instruction currently being executed.

get_seh_chain(self)

source code 
Returns: list of tuple( int, int )
List of structured exception handlers. Each SEH is represented as a tuple of two addresses:
  • Address of the SEH block
  • Address of the SEH callback function
Raises:
  • NotImplementedError - This method is only supported in 32 bits versions of Windows.

get_wait_chain(self)

source code 
Returns: tuple of ( list of win32.WAITCHAIN_NODE_INFO structures, bool)
Wait chain for the thread. The boolean indicates if there's a cycle in the chain.
Raises:
  • AttributeError - This method is only suppported in Windows Vista and above.

get_stack_range(self)

source code 
Returns: tuple( int, int )
Stack beginning and end pointers, in memory addresses order. That is, the first pointer is the stack top, and the second pointer is the stack bottom, since the stack grows towards lower memory addresses.
Raises:
  • WindowsError - Raises an exception on error.

__get_stack_trace(self, depth=16, bUseLabels=True, bMakePretty=True)

source code 

Tries to get a stack trace for the current function. Only works for functions with standard prologue and epilogue.

Parameters:
  • depth (int) - Maximum depth of stack trace.
  • bUseLabels (bool) - True to use labels, False to use addresses.
Returns: tuple of tuple( int, int, str )
Stack trace of the thread as a tuple of ( return address, frame pointer address, module filename ) when bUseLabels is True, or a tuple of ( return address, frame pointer label ) when bUseLabels is False.
Raises:
  • WindowsError - Raises an exception on error.

get_stack_trace(self, depth=16)

source code 

Tries to get a stack trace for the current function. Only works for functions with standard prologue and epilogue.

Parameters:
  • depth (int) - Maximum depth of stack trace.
Returns: tuple of tuple( int, int, str )
Stack trace of the thread as a tuple of ( return address, frame pointer address, module filename ).
Raises:
  • WindowsError - Raises an exception on error.

get_stack_trace_with_labels(self, depth=16, bMakePretty=True)

source code 

Tries to get a stack trace for the current function. Only works for functions with standard prologue and epilogue.

Parameters:
  • depth (int) - Maximum depth of stack trace.
  • bMakePretty (bool) - True for user readable labels, False for labels that can be passed to Process.resolve_label.

    "Pretty" labels look better when producing output for the user to read, while pure labels are more useful programatically.

Returns: tuple of tuple( int, int, str )
Stack trace of the thread as a tuple of ( return address, frame pointer label ).
Raises:
  • WindowsError - Raises an exception on error.

get_stack_frame_range(self)

source code 

Returns the starting and ending addresses of the stack frame. Only works for functions with standard prologue and epilogue.

Returns: tuple( int, int )
Stack frame range. May not be accurate, depending on the compiler used.
Raises:
  • RuntimeError - The stack frame is invalid, or the function doesn't have a standard prologue and epilogue.
  • WindowsError - An error occured when getting the thread context.

get_stack_frame(self, max_size=None)

source code 

Reads the contents of the current stack frame. Only works for functions with standard prologue and epilogue.

Parameters:
  • max_size (int) - (Optional) Maximum amount of bytes to read.
Returns: str
Stack frame data. May not be accurate, depending on the compiler used. May return an empty string.
Raises:
  • RuntimeError - The stack frame is invalid, or the function doesn't have a standard prologue and epilogue.
  • WindowsError - An error occured when getting the thread context or reading data from the process memory.

read_stack_data(self, size=128, offset=0)

source code 

Reads the contents of the top of the stack.

Parameters:
  • size (int) - Number of bytes to read.
  • offset (int) - Offset from the stack pointer to begin reading.
Returns: str
Stack data.
Raises:
  • WindowsError - Could not read the requested data.

peek_stack_data(self, size=128, offset=0)

source code 

Tries to read the contents of the top of the stack.

Parameters:
  • size (int) - Number of bytes to read.
  • offset (int) - Offset from the stack pointer to begin reading.
Returns: str
Stack data. Returned data may be less than the requested size.

read_stack_dwords(self, count, offset=0)

source code 

Reads DWORDs from the top of the stack.

Parameters:
  • count (int) - Number of DWORDs to read.
  • offset (int) - Offset from the stack pointer to begin reading.
Returns: tuple( int... )
Tuple of integers read from the stack.
Raises:
  • WindowsError - Could not read the requested data.

peek_stack_dwords(self, count, offset=0)

source code 

Tries to read DWORDs from the top of the stack.

Parameters:
  • count (int) - Number of DWORDs to read.
  • offset (int) - Offset from the stack pointer to begin reading.
Returns: tuple( int... )
Tuple of integers read from the stack. May be less than the requested number of DWORDs.

read_stack_qwords(self, count, offset=0)

source code 

Reads QWORDs from the top of the stack.

Parameters:
  • count (int) - Number of QWORDs to read.
  • offset (int) - Offset from the stack pointer to begin reading.
Returns: tuple( int... )
Tuple of integers read from the stack.
Raises:
  • WindowsError - Could not read the requested data.

peek_stack_qwords(self, count, offset=0)

source code 

Tries to read QWORDs from the top of the stack.

Parameters:
  • count (int) - Number of QWORDs to read.
  • offset (int) - Offset from the stack pointer to begin reading.
Returns: tuple( int... )
Tuple of integers read from the stack. May be less than the requested number of QWORDs.

read_code_bytes(self, size=128, offset=0)

source code 

Tries to read some bytes of the code currently being executed.

Parameters:
  • size (int) - Number of bytes to read.
  • offset (int) - Offset from the program counter to begin reading.
Returns: str
Bytes read from the process memory.
Raises:
  • WindowsError - Could not read the requested data.

peek_code_bytes(self, size=128, offset=0)

source code 

Tries to read some bytes of the code currently being executed.

Parameters:
  • size (int) - Number of bytes to read.
  • offset (int) - Offset from the program counter to begin reading.
Returns: str
Bytes read from the process memory. May be less than the requested number of bytes.

peek_pointers_in_registers(self, peekSize=16, context=None)

source code 

Tries to guess which values in the registers are valid pointers, and reads some data from them.

Parameters:
  • peekSize (int) - Number of bytes to read from each pointer found.
  • context (dict( str → int )) - (Optional) Dictionary mapping register names to their values. If not given, the current thread context will be used.
Returns: dict( str → str )
Dictionary mapping register names to the data they point to.

peek_pointers_in_data(self, data, peekSize=16, peekStep=1)

source code 

Tries to guess which values in the given data are valid pointers, and reads some data from them.

Parameters:
  • data (str) - Binary data to find pointers in.
  • peekSize (int) - Number of bytes to read from each pointer found.
  • peekStep (int) - Expected data alignment. Tipically you specify 1 when data alignment is unknown, or 4 when you expect data to be DWORD aligned. Any other value may be specified.
Returns: dict( str → str )
Dictionary mapping stack offsets to the data they point to.

disassemble_string(self, lpAddress, code)

source code 

Disassemble instructions from a block of binary code.

Parameters:
  • lpAddress (int) - Memory address where the code was read from.
  • code (str) - Binary code to disassemble.
Returns: list of tuple( long, int, str, str )
List of tuples. Each tuple represents an assembly instruction and contains:
  • Memory address of instruction.
  • Size of instruction in bytes.
  • Disassembly line of instruction.
  • Hexadecimal dump of instruction.

disassemble(self, lpAddress, dwSize)

source code 

Disassemble instructions from the address space of the process.

Parameters:
  • lpAddress (int) - Memory address where to read the code from.
  • dwSize (int) - Size of binary code to disassemble.
Returns: list of tuple( long, int, str, str )
List of tuples. Each tuple represents an assembly instruction and contains:
  • Memory address of instruction.
  • Size of instruction in bytes.
  • Disassembly line of instruction.
  • Hexadecimal dump of instruction.

disassemble_around(self, lpAddress, dwSize=64)

source code 

Disassemble around the given address.

Parameters:
  • lpAddress (int) - Memory address where to read the code from.
  • dwSize (int) - Delta offset. Code will be read from lpAddress - dwSize to lpAddress + dwSize.
Returns: list of tuple( long, int, str, str )
List of tuples. Each tuple represents an assembly instruction and contains:
  • Memory address of instruction.
  • Size of instruction in bytes.
  • Disassembly line of instruction.
  • Hexadecimal dump of instruction.

disassemble_around_pc(self, dwSize=64)

source code 

Disassemble around the program counter of the given thread.

Parameters:
  • dwSize (int) - Delta offset. Code will be read from pc - dwSize to pc + dwSize.
Returns: list of tuple( long, int, str, str )
List of tuples. Each tuple represents an assembly instruction and contains:
  • Memory address of instruction.
  • Size of instruction in bytes.
  • Disassembly line of instruction.
  • Hexadecimal dump of instruction.

disassemble_instruction(self, lpAddress)

source code 

Disassemble the instruction at the given memory address.

Parameters:
  • lpAddress (int) - Memory address where to read the code from.
Returns: tuple( long, int, str, str )
The tuple represents an assembly instruction and contains:
  • Memory address of instruction.
  • Size of instruction in bytes.
  • Disassembly line of instruction.
  • Hexadecimal dump of instruction.

disassemble_current(self)

source code 

Disassemble the instruction at the program counter of the given thread.

Returns: tuple( long, int, str, str )
The tuple represents an assembly instruction and contains:
  • Memory address of instruction.
  • Size of instruction in bytes.
  • Disassembly line of instruction.
  • Hexadecimal dump of instruction.