Class ThreadDebugOperations

Determines if the thread is running under WOW64.

Returns: bool

True if the thread is running under WOW64. That is, it belongs to a 32-bit application running in a 64-bit Windows.

False if the thread belongs to either a 32-bit application running in a 32-bit Windows, or a 64-bit application running in a 64-bit Windows.

Raises:

• WindowsError - On error an exception is raised.

Returns a copy of the TEB. To dereference pointers in it call Process.read_structure.

Returns: TEB

TEB structure.

Raises:

• WindowsError - An exception is raised on error.

Returns a remote pointer to the TEB.

Returns: int

Remote pointer to the TEB structure.

Raises:

• WindowsError - An exception is raised on error.

Translates segment-relative addresses to linear addresses.

Linear addresses can be used to access a process memory, calling Process.read and Process.write.

Parameters:

• segment (str) - Segment register name.
• address (int) - Segment relative memory address.

Returns: int

Linear memory address.

Raises:

• ValueError - Address is too large for selector.
• WindowsError - The current architecture does not support selectors. Selectors only exist in x86-based systems.

Returns: str

Label that points to the instruction currently being executed.

Returns: list of tuple( int, int )

List of structured exception handlers. Each SEH is represented as a tuple of two addresses:

• Address of the SEH block
• Address of the SEH callback function

Raises:

• NotImplementedError - This method is only supported in 32 bits versions of Windows.

Returns: tuple of ( list of win32.WAITCHAIN_NODE_INFO structures, bool)

Wait chain for the thread. The boolean indicates if there's a cycle in the chain.

Raises:

• AttributeError - This method is only suppported in Windows Vista and above.

Returns: tuple( int, int )

Stack beginning and end pointers, in memory addresses order. That is, the first pointer is the stack top, and the second pointer is the stack bottom, since the stack grows towards lower memory addresses.

Raises:

• WindowsError - Raises an exception on error.

Tries to get a stack trace for the current function. Only works for functions with standard prologue and epilogue.

Parameters:

• depth (int) - Maximum depth of stack trace.

Returns: tuple of tuple( int, int, str )

Stack trace of the thread as a tuple of ( return address, frame pointer address, module filename ).

Raises:

• WindowsError - Raises an exception on error.

Tries to get a stack trace for the current function. Only works for functions with standard prologue and epilogue.

Parameters:

• depth (int) - Maximum depth of stack trace.
• bMakePretty (bool) - True for user readable labels, False for labels that can be passed to Process.resolve_label.

  "Pretty" labels look better when producing output for the user to read, while pure labels are more useful programatically.

Returns: tuple of tuple( int, int, str )

Stack trace of the thread as a tuple of ( return address, frame pointer label ).

Raises:

• WindowsError - Raises an exception on error.

Returns the starting and ending addresses of the stack frame. Only works for functions with standard prologue and epilogue.

Returns: tuple( int, int )

Stack frame range. May not be accurate, depending on the compiler used.

Raises:

• RuntimeError - The stack frame is invalid, or the function doesn't have a standard prologue and epilogue.
• WindowsError - An error occured when getting the thread context.

Reads the contents of the current stack frame. Only works for functions with standard prologue and epilogue.

Parameters:

• max_size (int) - (Optional) Maximum amount of bytes to read.

Returns: str

Stack frame data. May not be accurate, depending on the compiler used. May return an empty string.

Raises:

• RuntimeError - The stack frame is invalid, or the function doesn't have a standard prologue and epilogue.
• WindowsError - An error occured when getting the thread context or reading data from the process memory.

Reads the contents of the top of the stack.

Parameters:

• size (int) - Number of bytes to read.
• offset (int) - Offset from the stack pointer to begin reading.

Returns: str

Stack data.

Raises:

• WindowsError - Could not read the requested data.

Tries to read the contents of the top of the stack.

Parameters:

• size (int) - Number of bytes to read.
• offset (int) - Offset from the stack pointer to begin reading.

Returns: str

Stack data. Returned data may be less than the requested size.

Reads DWORDs from the top of the stack.

Parameters:

• count (int) - Number of DWORDs to read.
• offset (int) - Offset from the stack pointer to begin reading.

Returns: tuple( int... )

Tuple of integers read from the stack.

Raises:

• WindowsError - Could not read the requested data.

Tries to read DWORDs from the top of the stack.

Parameters:

• count (int) - Number of DWORDs to read.
• offset (int) - Offset from the stack pointer to begin reading.

Returns: tuple( int... )

Tuple of integers read from the stack. May be less than the requested number of DWORDs.

Reads QWORDs from the top of the stack.

Parameters:

• count (int) - Number of QWORDs to read.
• offset (int) - Offset from the stack pointer to begin reading.

Returns: tuple( int... )

Tuple of integers read from the stack.

Raises:

• WindowsError - Could not read the requested data.

Tries to read QWORDs from the top of the stack.

Parameters:

• count (int) - Number of QWORDs to read.
• offset (int) - Offset from the stack pointer to begin reading.

Returns: tuple( int... )

Tuple of integers read from the stack. May be less than the requested number of QWORDs.

Tries to read some bytes of the code currently being executed.

Parameters:

• size (int) - Number of bytes to read.
• offset (int) - Offset from the program counter to begin reading.

Returns: str

Bytes read from the process memory.

Raises:

• WindowsError - Could not read the requested data.

Tries to read some bytes of the code currently being executed.

Parameters:

• size (int) - Number of bytes to read.
• offset (int) - Offset from the program counter to begin reading.

Returns: str

Bytes read from the process memory. May be less than the requested number of bytes.

Tries to guess which values in the registers are valid pointers, and reads some data from them.

Parameters:

• peekSize (int) - Number of bytes to read from each pointer found.
• context (dict( str → int )) - (Optional) Dictionary mapping register names to their values. If not given, the current thread context will be used.

Returns: dict( str → str )

Dictionary mapping register names to the data they point to.

Tries to guess which values in the given data are valid pointers, and reads some data from them.

Parameters:

• data (str) - Binary data to find pointers in.
• peekSize (int) - Number of bytes to read from each pointer found.
• peekStep (int) - Expected data alignment. Tipically you specify 1 when data alignment is unknown, or 4 when you expect data to be DWORD aligned. Any other value may be specified.

Returns: dict( str → str )

Dictionary mapping stack offsets to the data they point to.

Disassemble instructions from a block of binary code.

Parameters:

• lpAddress (int) - Memory address where the code was read from.
• code (str) - Binary code to disassemble.

Returns: list of tuple( long, int, str, str )

List of tuples. Each tuple represents an assembly instruction and contains:

• Memory address of instruction.
• Size of instruction in bytes.
• Disassembly line of instruction.
• Hexadecimal dump of instruction.

Disassemble instructions from the address space of the process.

Parameters:

• lpAddress (int) - Memory address where to read the code from.
• dwSize (int) - Size of binary code to disassemble.

Returns: list of tuple( long, int, str, str )

List of tuples. Each tuple represents an assembly instruction and contains:

• Memory address of instruction.
• Size of instruction in bytes.
• Disassembly line of instruction.
• Hexadecimal dump of instruction.

Disassemble around the given address.

Parameters:

• lpAddress (int) - Memory address where to read the code from.
• dwSize (int) - Delta offset. Code will be read from lpAddress - dwSize to lpAddress + dwSize.

Returns: list of tuple( long, int, str, str )

List of tuples. Each tuple represents an assembly instruction and contains:

• Memory address of instruction.
• Size of instruction in bytes.
• Disassembly line of instruction.
• Hexadecimal dump of instruction.

Disassemble around the program counter of the given thread.

Parameters:

• dwSize (int) - Delta offset. Code will be read from pc - dwSize to pc + dwSize.

Returns: list of tuple( long, int, str, str )

List of tuples. Each tuple represents an assembly instruction and contains:

• Memory address of instruction.
• Size of instruction in bytes.
• Disassembly line of instruction.
• Hexadecimal dump of instruction.

Disassemble the instruction at the given memory address.

Parameters:

• lpAddress (int) - Memory address where to read the code from.

Returns: tuple( long, int, str, str )

The tuple represents an assembly instruction and contains:

• Memory address of instruction.
• Size of instruction in bytes.
• Disassembly line of instruction.
• Hexadecimal dump of instruction.

Disassemble the instruction at the program counter of the given thread.

Returns: tuple( long, int, str, str )

The tuple represents an assembly instruction and contains:

• Memory address of instruction.
• Size of instruction in bytes.
• Disassembly line of instruction.
• Hexadecimal dump of instruction.