Home       Trees       Indices       Help   
WinAppDbg - Programming Reference
Package winappdbg :: Module system :: Class MemoryOperations
[hide private]
[frames] | no frames]

Class MemoryOperations

source code

object --+
         |
        MemoryOperations
Known Subclasses:

Encapsulates the capabilities to manipulate the memory of a process.

Instance Methods [hide private]
bool
is_buffer_copy_on_write(self, address, size)
Determines if the given memory area is marked as copy-on-write.		 source code
 
__generate_memory_snapshot(self, minAddr=None, maxAddr=None)
Internally used by generate_memory_snapshot.		 source code
 
__restore_mbi(self, hProcess, new_mbi, old_mbi)
Used internally by restore_memory_snapshot.		 source code

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __init__, __new__, __reduce__, __reduce_ex__, __repr__, __setattr__, __sizeof__, __str__, __subclasshook__

    Instrumentation
int
malloc(self, dwSize, lpAddress=None)
Allocates memory into the address space of the process.		 source code
int
mprotect(self, lpAddress, dwSize, flNewProtect)
Set memory protection in the address space of the process.		 source code
win32.MemoryBasicInformation
mquery(self, lpAddress)
Query memory information from the address space of the process.		 source code
 
free(self, lpAddress, dwSize=0)
Frees memory from the address space of the process.		 source code
generator of win32.MemoryBasicInformation
generate_memory_snapshot(self, minAddr=None, maxAddr=None)
Returns a generator that allows you to iterate through the memory contents of a process.		 source code
list( win32.MemoryBasicInformation )
take_memory_snapshot(self, minAddr=None, maxAddr=None)
Takes a snapshot of the memory contents of the process.		 source code
 
restore_memory_snapshot(self, snapshot, bSkipMappedFiles=True)
Attempts to restore the memory state as it was when the given snapshot was taken.		 source code
    Memory mapping
bool
is_pointer(self, address)
Determines if an address is a valid code or data pointer.		 source code
bool
is_address_valid(self, address)
Determines if an address is a valid user mode address.		 source code
bool
is_address_free(self, address)
Determines if an address belongs to a free page.		 source code
bool
is_address_reserved(self, address)
Determines if an address belongs to a reserved page.		 source code
bool
is_address_commited(self, address)
Determines if an address belongs to a commited page.		 source code
bool
is_address_guard(self, address)
Determines if an address belongs to a guard page.		 source code
bool
is_address_readable(self, address)
Determines if an address belongs to a commited and readable page.		 source code
bool
is_address_writeable(self, address)
Determines if an address belongs to a commited and writeable page.		 source code
bool
is_address_copy_on_write(self, address)
Determines if an address belongs to a commited, copy-on-write page.		 source code
bool
is_address_executable(self, address)
Determines if an address belongs to a commited and executable page.		 source code
bool
is_address_executable_and_writeable(self, address)
Determines if an address belongs to a commited, writeable and executable page.		 source code
bool
is_buffer(self, address, size)
Determines if the given memory area is a valid code or data buffer.		 source code
bool
is_buffer_readable(self, address, size)
Determines if the given memory area is readable.		 source code
bool
is_buffer_writeable(self, address, size)
Determines if the given memory area is writeable.		 source code
bool
is_buffer_executable(self, address, size)
Determines if the given memory area is executable.		 source code
bool
is_buffer_executable_and_writeable(self, address, size)
Determines if the given memory area is writeable and executable.		 source code
list( win32.MemoryBasicInformation )
get_memory_map(self, minAddr=None, maxAddr=None)
Produces a memory map to the process address space.		 source code
dict( int → str )
get_mapped_filenames(self, memoryMap=None)
Retrieves the filenames for memory mapped files in the debugee.		 source code
    Memory read
str
read(self, lpBaseAddress, nSize)
Reads from the memory of the process.		 source code
int
read_uint(self, lpBaseAddress)
Reads a single unsigned integer from the memory of the process.		 source code
int
read_pointer(self, lpBaseAddress)
Reads a single pointer value from the memory of the process.		 source code
int
read_char(self, lpBaseAddress)
Reads a single character to the memory of the process.		 source code
int
read_structure(self, lpBaseAddress, stype)
Reads a ctypes structure from the memory of the process.		 source code
str, unicode
read_string(self, lpBaseAddress, nChars, fUnicode=False)
Reads an ASCII or Unicode string from the address space of the process.		 source code
str
peek(self, lpBaseAddress, nSize)
Reads the memory of the process.		 source code
int
peek_uint(self, lpBaseAddress)
Reads a single unsigned integer from the memory of the process.		 source code
int
peek_pointer(self, lpBaseAddress)
Reads a single pointer value from the memory of the process.		 source code
int
peek_char(self, lpBaseAddress)
Reads a single character from the memory of the process.		 source code
str, unicode
peek_string(self, lpBaseAddress, fUnicode=False, dwMaxSize=4096)
Tries to read an ASCII or Unicode string from the address space of the process.		 source code
    Memory write
 
write(self, lpBaseAddress, lpBuffer)
Writes to the memory of the process.		 source code
 
write_uint(self, lpBaseAddress, unpackedDword)
Writes a single unsigned integer to the memory of the process.		 source code
 
write_pointer(self, lpBaseAddress, unpackedValue)
Writes a single pointer value to the memory of the process.		 source code
 
write_char(self, lpBaseAddress, char)
Writes a single character to the memory of the process.		 source code
int
poke(self, lpBaseAddress, lpBuffer)
Writes to the memory of the process.		 source code
int
poke_uint(self, lpBaseAddress, unpackedDword)
Writes a single unsigned integer to the memory of the process.		 source code
int
poke_pointer(self, lpBaseAddress, unpackedValue)
Writes a single pointer value to the memory of the process.		 source code
int
poke_char(self, lpBaseAddress, char)
Writes a single character to the memory of the process.		 source code
Properties [hide private]

Inherited from object: __class__

Method Details [hide private]

read(self, lpBaseAddress, nSize)

source code 

Reads from the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin reading.
  • nSize (int) - Number of bytes to read.
Returns: str
Bytes read from the process memory.
Raises:
  • WindowsError - On error an exception is raised.

See Also: peek

write(self, lpBaseAddress, lpBuffer)

source code 

Writes to the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin writing.
  • lpBuffer (str) - Bytes to write.
Raises:
  • WindowsError - On error an exception is raised.

Note: Page permissions may be changed temporarily while writing.

See Also: poke

read_uint(self, lpBaseAddress)

source code 

Reads a single unsigned integer from the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin reading.
Returns: int
Integer value read from the process memory.
Raises:
  • WindowsError - On error an exception is raised.

See Also: peek

write_uint(self, lpBaseAddress, unpackedDword)

source code 

Writes a single unsigned integer to the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin writing.
  • unpackedDword (int, long) - Value to write.
Raises:
  • WindowsError - On error an exception is raised.

Note: Page permissions may be changed temporarily while writing.

See Also: poke_uint

read_pointer(self, lpBaseAddress)

source code 

Reads a single pointer value from the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin reading.
Returns: int
Pointer value read from the process memory.
Raises:
  • WindowsError - On error an exception is raised.

See Also: peek_pointer

write_pointer(self, lpBaseAddress, unpackedValue)

source code 

Writes a single pointer value to the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin writing.
  • unpackedValue (int, long) - Value to write.
Raises:
  • WindowsError - On error an exception is raised.

Note: Page permissions may be changed temporarily while writing.

See Also: poke_pointer

read_char(self, lpBaseAddress)

source code 

Reads a single character to the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin writing.
Returns: int
Character value read from the process memory.
Raises:
  • WindowsError - On error an exception is raised.

See Also: write_char

write_char(self, lpBaseAddress, char)

source code 

Writes a single character to the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin writing.
  • char (int) - Character to write.
Raises:
  • WindowsError - On error an exception is raised.

Note: Page permissions may be changed temporarily while writing.

See Also: write_char

read_structure(self, lpBaseAddress, stype)

source code 

Reads a ctypes structure from the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin reading.
  • stype (class ctypes.Structure or a subclass.) - Structure definition.
Returns: int
Structure instance filled in with data read from the process memory.
Raises:
  • WindowsError - On error an exception is raised.

See Also: read

read_string(self, lpBaseAddress, nChars, fUnicode=False)

source code 

Reads an ASCII or Unicode string from the address space of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin reading.
  • nChars (int) - String length to read, in characters. Remember that Unicode strings have two byte characters.
  • fUnicode (bool) - True is the string is expected to be Unicode, False if it's expected to be ANSI.
Returns: str, unicode
String read from the process memory space.
Raises:
  • WindowsError - On error an exception is raised.

See Also: read

peek(self, lpBaseAddress, nSize)

source code 

Reads the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin reading.
  • nSize (int) - Number of bytes to read.
Returns: str
Bytes read from the process memory. Returns an empty string on error.

See Also: read

poke(self, lpBaseAddress, lpBuffer)

source code 

Writes to the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin writing.
  • lpBuffer (str) - Bytes to write.
Returns: int
Number of bytes written. May be less than the number of bytes to write.

Note: Page permissions may be changed temporarily while writing.

See Also: write

peek_uint(self, lpBaseAddress)

source code 

Reads a single unsigned integer from the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin reading.
Returns: int
Integer value read from the process memory. Returns zero on error.

See Also: read_uint

poke_uint(self, lpBaseAddress, unpackedDword)

source code 

Writes a single unsigned integer to the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin writing.
  • unpackedDword (int, long) - Value to write.
Returns: int
Number of bytes written. May be less than the number of bytes to write.

Note: Page permissions may be changed temporarily while writing.

See Also: write_uint

peek_pointer(self, lpBaseAddress)

source code 

Reads a single pointer value from the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin reading.
Returns: int
Pointer value read from the process memory. Returns zero on error.

See Also: read_pointer

poke_pointer(self, lpBaseAddress, unpackedValue)

source code 

Writes a single pointer value to the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin writing.
  • unpackedValue (int, long) - Value to write.
Returns: int
Number of bytes written. May be less than the number of bytes to write.

Note: Page permissions may be changed temporarily while writing.

See Also: write_pointer

peek_char(self, lpBaseAddress)

source code 

Reads a single character from the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin reading.
Returns: int
Character read from the process memory. Returns zero on error.

See Also: read_char

poke_char(self, lpBaseAddress, char)

source code 

Writes a single character to the memory of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin writing.
  • char (str) - Character to write.
Returns: int
Number of bytes written. May be less than the number of bytes to write.

Note: Page permissions may be changed temporarily while writing.

See Also: write_char

peek_string(self, lpBaseAddress, fUnicode=False, dwMaxSize=4096)

source code 

Tries to read an ASCII or Unicode string from the address space of the process.

Parameters:
  • lpBaseAddress (int) - Memory address to begin reading.
  • fUnicode (bool) - True is the string is expected to be Unicode, False if it's expected to be ANSI.
  • dwMaxSize (int) - Maximum allowed string length to read, in bytes.
Returns: str, unicode
String read from the process memory space. It doesn't include the terminating null character. Returns an empty string on failure.

See Also: peek

malloc(self, dwSize, lpAddress=None)

source code 

Allocates memory into the address space of the process.

Parameters:
  • dwSize (int) - Number of bytes to allocate.
  • lpAddress (int) - (Optional) Desired address for the newly allocated memory. This is only a hint, the memory could still be allocated somewhere else.
Returns: int
Address of the newly allocated memory.
Raises:
  • WindowsError - On error an exception is raised.

See Also: free

mprotect(self, lpAddress, dwSize, flNewProtect)

source code 

Set memory protection in the address space of the process.

Parameters:
  • lpAddress (int) - Address of memory to protect.
  • dwSize (int) - Number of bytes to protect.
  • flNewProtect (int) - New protect flags.
Returns: int
Old protect flags.
Raises:
  • WindowsError - On error an exception is raised.

See Also: http://msdn.microsoft.com/en-us/library/aa366899.aspx

mquery(self, lpAddress)

source code 

Query memory information from the address space of the process. Returns a win32.MemoryBasicInformation object.

Parameters:
  • lpAddress (int) - Address of memory to query.
Returns: win32.MemoryBasicInformation
Memory region information.
Raises:
  • WindowsError - On error an exception is raised.

See Also: http://msdn.microsoft.com/en-us/library/aa366907(VS.85).aspx

free(self, lpAddress, dwSize=0)

source code 

Frees memory from the address space of the process.

Parameters:
  • lpAddress (int) - Address of memory to free.
  • dwSize (int) - (Optional) Number of bytes to free.
Raises:
  • WindowsError - On error an exception is raised.

See Also: malloc

is_pointer(self, address)

source code 

Determines if an address is a valid code or data pointer.

That is, the address must be valid and must point to code or data in the target process.

Parameters:
  • address (int) - Memory address to query.
Returns: bool
True if the address is a valid code or data pointer.
Raises:
  • WindowsError - An exception is raised on error.

is_address_valid(self, address)

source code 

Determines if an address is a valid user mode address.

Parameters:
  • address (int) - Memory address to query.
Returns: bool
True if the address is a valid user mode address.
Raises:
  • WindowsError - An exception is raised on error.

is_address_free(self, address)

source code 

Determines if an address belongs to a free page.

Parameters:
  • address (int) - Memory address to query.
Returns: bool
True if the address belongs to a free page.
Raises:
  • WindowsError - An exception is raised on error.

Note: Returns always False for kernel mode addresses.

is_address_reserved(self, address)

source code 

Determines if an address belongs to a reserved page.

Parameters:
  • address (int) - Memory address to query.
Returns: bool
True if the address belongs to a reserved page.
Raises:
  • WindowsError - An exception is raised on error.

Note: Returns always False for kernel mode addresses.

is_address_commited(self, address)

source code 

Determines if an address belongs to a commited page.

Parameters:
  • address (int) - Memory address to query.
Returns: bool
True if the address belongs to a commited page.
Raises:
  • WindowsError - An exception is raised on error.

Note: Returns always False for kernel mode addresses.

is_address_guard(self, address)

source code 

Determines if an address belongs to a guard page.

Parameters:
  • address (int) - Memory address to query.
Returns: bool
True if the address belongs to a guard page.
Raises:
  • WindowsError - An exception is raised on error.

Note: Returns always False for kernel mode addresses.

is_address_readable(self, address)

source code 

Determines if an address belongs to a commited and readable page. The page may or may not have additional permissions.

Parameters:
  • address (int) - Memory address to query.
Returns: bool
True if the address belongs to a commited and readable page.
Raises:
  • WindowsError - An exception is raised on error.

Note: Returns always False for kernel mode addresses.

is_address_writeable(self, address)

source code 

Determines if an address belongs to a commited and writeable page. The page may or may not have additional permissions.

Parameters:
  • address (int) - Memory address to query.
Returns: bool
True if the address belongs to a commited and writeable page.
Raises:
  • WindowsError - An exception is raised on error.

Note: Returns always False for kernel mode addresses.

is_address_copy_on_write(self, address)

source code 

Determines if an address belongs to a commited, copy-on-write page. The page may or may not have additional permissions.

Parameters:
  • address (int) - Memory address to query.
Returns: bool
True if the address belongs to a commited, copy-on-write page.
Raises:
  • WindowsError - An exception is raised on error.

Note: Returns always False for kernel mode addresses.

is_address_executable(self, address)

source code 

Determines if an address belongs to a commited and executable page. The page may or may not have additional permissions.

Parameters:
  • address (int) - Memory address to query.
Returns: bool
True if the address belongs to a commited and executable page.
Raises:
  • WindowsError - An exception is raised on error.

Note: Returns always False for kernel mode addresses.

is_address_executable_and_writeable(self, address)

source code 

Determines if an address belongs to a commited, writeable and executable page. The page may or may not have additional permissions.

Looking for writeable and executable pages is important when exploiting a software vulnerability.

Parameters:
  • address (int) - Memory address to query.
Returns: bool
True if the address belongs to a commited, writeable and executable page.
Raises:
  • WindowsError - An exception is raised on error.

Note: Returns always False for kernel mode addresses.

is_buffer(self, address, size)

source code 

Determines if the given memory area is a valid code or data buffer.

Parameters:
  • address (int) - Memory address.
  • size (int) - Number of bytes. Must be greater than zero.
Returns: bool
True if the memory area is a valid code or data buffer, False otherwise.
Raises:
  • ValueError - The size argument must be greater than zero.
  • WindowsError - On error an exception is raised.

Note: Returns always False for kernel mode addresses.

See Also: mquery

is_buffer_readable(self, address, size)

source code 

Determines if the given memory area is readable.

Parameters:
  • address (int) - Memory address.
  • size (int) - Number of bytes. Must be greater than zero.
Returns: bool
True if the memory area is readable, False otherwise.
Raises:
  • ValueError - The size argument must be greater than zero.
  • WindowsError - On error an exception is raised.

Note: Returns always False for kernel mode addresses.

See Also: mquery

is_buffer_writeable(self, address, size)

source code 

Determines if the given memory area is writeable.

Parameters:
  • address (int) - Memory address.
  • size (int) - Number of bytes. Must be greater than zero.
Returns: bool
True if the memory area is writeable, False otherwise.
Raises:
  • ValueError - The size argument must be greater than zero.
  • WindowsError - On error an exception is raised.

Note: Returns always False for kernel mode addresses.

See Also: mquery

is_buffer_copy_on_write(self, address, size)

source code 

Determines if the given memory area is marked as copy-on-write.

Parameters:
  • address (int) - Memory address.
  • size (int) - Number of bytes. Must be greater than zero.
Returns: bool
True if the memory area is marked as copy-on-write, False otherwise.
Raises:
  • ValueError - The size argument must be greater than zero.
  • WindowsError - On error an exception is raised.

Note: Returns always False for kernel mode addresses.

See Also: mquery

is_buffer_executable(self, address, size)

source code 

Determines if the given memory area is executable.

Parameters:
  • address (int) - Memory address.
  • size (int) - Number of bytes. Must be greater than zero.
Returns: bool
True if the memory area is executable, False otherwise.
Raises:
  • ValueError - The size argument must be greater than zero.
  • WindowsError - On error an exception is raised.

Note: Returns always False for kernel mode addresses.

See Also: mquery

is_buffer_executable_and_writeable(self, address, size)

source code 

Determines if the given memory area is writeable and executable.

Looking for writeable and executable pages is important when exploiting a software vulnerability.

Parameters:
  • address (int) - Memory address.
  • size (int) - Number of bytes. Must be greater than zero.
Returns: bool
True if the memory area is writeable and executable, False otherwise.
Raises:
  • ValueError - The size argument must be greater than zero.
  • WindowsError - On error an exception is raised.

Note: Returns always False for kernel mode addresses.

See Also: mquery

get_memory_map(self, minAddr=None, maxAddr=None)

source code 

Produces a memory map to the process address space. Optionally restrict the map to the given address range.

Parameters:
  • minAddr (int) - (Optional) Starting address in address range to query.
  • maxAddr (int) - (Optional) Ending address in address range to query.
Returns: list( win32.MemoryBasicInformation )
List of memory region information objects.

See Also: mquery

get_mapped_filenames(self, memoryMap=None)

source code 

Retrieves the filenames for memory mapped files in the debugee.

Parameters:
Returns: dict( int → str )
Dictionary mapping memory addresses to file names. Native filenames are converted to Win32 filenames when possible.

generate_memory_snapshot(self, minAddr=None, maxAddr=None)

source code 

Returns a generator that allows you to iterate through the memory contents of a process.

It's basically the same as the take_memory_snapshot method, but it takes the snapshot of each memory region as it goes, as opposed to taking the whole snapshot at once. This allows you to work with very large snapshots without a significant performance penalty.

Example:

   # Print the memory contents of a process.
   process.suspend()
   try:
       snapshot = process.generate_memory_snapshot()
       for mbi in snapshot:
           print HexDump.hexblock(mbi.content, mbi.BaseAddress)
   finally:
       process.resume()

The downside of this is the process must remain suspended while iterating the snapshot, otherwise strange things may happen.

The snapshot can be iterated more than once. Each time it's iterated the memory contents of the process will be fetched again.

You can also iterate the memory of a dead process, just as long as the last open handle to it hasn't been closed.

Parameters:
  • minAddr (int) - (Optional) Starting address in address range to query.
  • maxAddr (int) - (Optional) Ending address in address range to query.
Returns: generator of win32.MemoryBasicInformation
Generator that when iterated returns memory region information objects. Two extra properties are added to these objects:
  • filename: Mapped filename, or None.
  • content: Memory contents, or None.

See Also: take_memory_snapshot

take_memory_snapshot(self, minAddr=None, maxAddr=None)

source code 

Takes a snapshot of the memory contents of the process.

It's best if the process is suspended when taking the snapshot. Execution can be resumed afterwards.

You can also iterate the memory of a dead process, just as long as the last open handle to it hasn't been closed.

Parameters:
  • minAddr (int) - (Optional) Starting address in address range to query.
  • maxAddr (int) - (Optional) Ending address in address range to query.
Returns: list( win32.MemoryBasicInformation )
List of memory region information objects. Two extra properties are added to these objects:
  • filename: Mapped filename, or None.
  • content: Memory contents, or None.

Warning: If the target process has a very big memory footprint, the resulting snapshot will be equally big. This may result in a severe performance penalty.

See Also: generate_memory_snapshot

restore_memory_snapshot(self, snapshot, bSkipMappedFiles=True)

source code 

Attempts to restore the memory state as it was when the given snapshot was taken.

Parameters:
  • snapshot (list( win32.MemoryBasicInformation )) - Memory snapshot returned by take_memory_snapshot. Snapshots returned by generate_memory_snapshot don't work here.
  • bSkipMappedFiles (bool) - True to avoid restoring the contents of memory mapped files, False otherwise. Use with care! Setting this to False can cause undesired side effects - changes to memory mapped files may be written to disk by the OS. Also note that most mapped files are typically executables and don't change, so trying to restore their contents is usually a waste of time.
Raises:
  • WindowsError - An error occured while restoring the snapshot.
  • RuntimeError - An error occured while restoring the snapshot.
  • TypeError - A snapshot of the wrong type was passed.

Warning: Currently only the memory contents, state and protect bits are restored. Under some circumstances this method may fail (for example if memory was freed and then reused by a mapped file).


   Home       Trees       Indices       Help   
WinAppDbg - Programming Reference
Generated by Epydoc 3.0.1 on Tue Jul 20 14:32:15 2010 http://epydoc.sourceforge.net