Package winappdbg :: Module system :: Class ProcessDebugOperations

Class ProcessDebugOperations

object --+
         |
        ProcessDebugOperations

Encapsulates several useful debugging routines for processes.

Instance Methods

  __fixup_labels(self, disasm)
      Private method used when disassembling from process memory.

  Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __init__, __new__, __reduce__, __reduce_ex__, __repr__, __setattr__, __sizeof__, __str__, __subclasshook__

  Properties

  is_wow64(self) -> bool
      Determines if the process is running under WOW64.
  get_peb(self) -> win32.PEB
      Returns a copy of the PEB.
  get_peb_address(self) -> int
      Returns a remote pointer to the PEB.
  get_main_module(self) -> Module
      Returns the Module object for the process main module.
  get_image_base(self) -> int
      Returns the image base address for the process main module.
  get_image_name(self) -> int
      Returns the filename of the process main module.
  get_command_line_block(self) -> tuple(int, int)
      Retrieves the command line block memory address and size.
  get_environment_block(self) -> tuple(int, int)
      Retrieves the environment block memory address for the process.
  get_command_line(self) -> str
      Retrieves the command line with which the program was started.
  get_environment_data(self) -> list of str
      Retrieves the environment block data with which the program is running.
  get_environment(self) -> dict(str → str)
      Retrieves the environment with which the program is running.

  Disassembly

  disassemble_string(self, lpAddress, code) -> list of tuple( long, int, str, str )
      Disassemble instructions from a block of binary code.
  disassemble(self, lpAddress, dwSize) -> list of tuple( long, int, str, str )
      Disassemble instructions from the address space of the process.
  disassemble_around(self, lpAddress, dwSize=64) -> list of tuple( long, int, str, str )
      Disassemble around the given address.
  disassemble_around_pc(self, dwThreadId, dwSize=64) -> list of tuple( long, int, str, str )
      Disassemble around the program counter of the given thread.
  disassemble_instruction(self, lpAddress) -> tuple( long, int, str, str )
      Disassemble the instruction at the given memory address.
  disassemble_current(self, dwThreadId) -> tuple( long, int, str, str )
      Disassemble the instruction at the program counter of the given thread.

  Debugging

  flush_instruction_cache(self)
      Flush the instruction cache.
  debug_break(self)
      Triggers the system breakpoint in the process.
  peek_pointers_in_data(self, data, peekSize=16, peekStep=1) -> dict( str → str )
      Tries to guess which values in the given data are valid pointers, and reads some data from them.

Static Methods

  Properties

  parse_environment_data(block) -> dict(str → str)
      Parse the environment block into a Python dictionary.

Class Variables

  __hexa_parameter = re.compile(r'0x[0-9A-Za-z]+')

Properties

  Inherited from object: __class__

Method Details

__fixup_labels(self, disasm)

Private method used when disassembling from process memory.

It has no return value because the list is modified in place. On return all raw memory addresses are replaced by labels when possible.

Parameters:
  • disasm (list of tuple(int, int, str, str)) - Output of one of the disassembly functions.

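The label fix-up described above can be illustrated without a live process. The snippet below is an added example, not winappdbg's own code: it applies the __hexa_parameter pattern listed under Class Variables to the text field of each disassembly tuple and swaps in a label whenever the operand resolves in a symbol table. The symbol table, the addresses and the disassembly lines are constructed for this example; in winappdbg the labels would come from the debuggee's module and symbol information, and the helper names (resolve_label, fixup_labels, fixed_sample) are mine.

```python
import re

# Same pattern the page lists as the class variable __hexa_parameter.
HEXA_PARAMETER = re.compile(r'0x[0-9A-Za-z]+')

# Constructed symbol table standing in for a real process's module and
# export map (address -> label).  Addresses are made up for this example.
SYMBOLS = {
    0x401000: "main",
    0x401020: "check_license",
    0x7C801D7B: "kernel32!ExitProcess",
}

# Constructed disassembly output in the (address, size, text, hexdump)
# tuple layout the disassemble_* methods return.
SAMPLE_DISASM = [
    (0x401000, 5, "call 0x401020", "E8 1B 00 00 00"),
    (0x401005, 5, "mov eax, 0x10", "B8 10 00 00 00"),
    (0x40100A, 5, "call 0x7C801D7B", "E8 6C 0D 40 7C"),
]


def resolve_label(address, symbols=SYMBOLS):
    """Return the label for address if it is a known symbol, else None."""
    return symbols.get(address)


def fixup_labels(disasm, symbols=SYMBOLS):
    """Rewrite hex operands in disassembly lines to labels, in place.

    Hypothetical reimplementation of the behaviour the page documents:
    no return value, every tuple whose text contains a resolvable raw
    address is replaced by a tuple carrying the label instead.
    """
    def replace(match):
        token = match.group(0)
        try:
            value = int(token, 16)
        except ValueError:
            # The page's pattern accepts any letter after 0x, so a token
            # such as 0xzz also matches; it is not an address, keep it.
            return token
        label = resolve_label(value, symbols)
        return label if label is not None else token

    for i, (addr, size, text, dump) in enumerate(disasm):
        disasm[i] = (addr, size, HEXA_PARAMETER.sub(replace, text), dump)


def fixed_sample():
    """Run the fix-up over a copy of SAMPLE_DISASM and return the result."""
    disasm = list(SAMPLE_DISASM)
    fixup_labels(disasm)
    return disasm


if __name__ == "__main__":
    for addr, size, text, dump in fixed_sample():
        print("%08x  %-20s %s" % (addr, dump, text))
```

Only operands whose value lands exactly on a known symbol are rewritten, which is what keeps a small immediate such as the 0x10 in mov eax, 0x10 from being mislabelled; tokens that match the pattern but are not valid hex are left untouched.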
disassemble_string(self, lpAddress, code)

Disassemble instructions from a block of binary code.

Parameters:
  • lpAddress (int) - Memory address where the code was read from.
  • code (str) - Binary code to disassemble.
Returns: list of tuple( long, int, str, str )
List of tuples. Each tuple represents an assembly instruction and contains:
  • Memory address of instruction.
  • Size of instruction in bytes.
  • Disassembly line of instruction.
  • Hexadecimal dump of instruction.
Raises:
  • NotImplementedError - No compatible disassembler was found for the current platform.

disassemble(self, lpAddress, dwSize)

Disassemble instructions from the address space of the process.

Parameters:
  • lpAddress (int) - Memory address where to read the code from.
  • dwSize (int) - Size of binary code to disassemble.
Returns: list of tuple( long, int, str, str )
List of tuples. Each tuple represents an assembly instruction and contains:
  • Memory address of instruction.
  • Size of instruction in bytes.
  • Disassembly line of instruction.
  • Hexadecimal dump of instruction.

disassemble_around(self, lpAddress, dwSize=64)

Disassemble around the given address.

Parameters:
  • lpAddress (int) - Memory address where to read the code from.
  • dwSize (int) - Delta offset. Code will be read from lpAddress - dwSize to lpAddress + dwSize.
Returns: list of tuple( long, int, str, str )
List of tuples. Each tuple represents an assembly instruction and contains:
  • Memory address of instruction.
  • Size of instruction in bytes.
  • Disassembly line of instruction.
  • Hexadecimal dump of instruction.

disassemble_around_pc(self, dwThreadId, dwSize=64)

Disassemble around the program counter of the given thread.

Parameters:
  • dwThreadId (int) - Global thread ID. The program counter for this thread will be used as the disassembly address.
  • dwSize (int) - Delta offset. Code will be read from pc - dwSize to pc + dwSize.
Returns: list of tuple( long, int, str, str )
List of tuples. Each tuple represents an assembly instruction and contains:
  • Memory address of instruction.
  • Size of instruction in bytes.
  • Disassembly line of instruction.
  • Hexadecimal dump of instruction.

disassemble_instruction(self, lpAddress)

Disassemble the instruction at the given memory address.

Parameters:
  • lpAddress (int) - Memory address where to read the code from.
Returns: tuple( long, int, str, str )
The tuple represents an assembly instruction and contains:
  • Memory address of instruction.
  • Size of instruction in bytes.
  • Disassembly line of instruction.
  • Hexadecimal dump of instruction.

disassemble_current(self, dwThreadId)

Disassemble the instruction at the program counter of the given thread.

Parameters:
  • dwThreadId (int) - Global thread ID. The program counter for this thread will be used as the disassembly address.
Returns: tuple( long, int, str, str )
The tuple represents an assembly instruction and contains:
  • Memory address of instruction.
  • Size of instruction in bytes.
  • Disassembly line of instruction.
  • Hexadecimal dump of instruction.

flush_instruction_cache(self)

Flush the instruction cache. This is required if the process memory is modified and one or more threads are executing near the modified memory region.

Raises:
  • WindowsError - Raises exception on error.

debug_break(self)

Triggers the system breakpoint in the process.

Raises:
  • WindowsError - On error an exception is raised.

is_wow64(self)

Determines if the process is running under WOW64.

Returns: bool
True if the process is running under WOW64, that is, a 32-bit application running on 64-bit Windows.

False if the process is either a 32-bit application running on 32-bit Windows, or a 64-bit application running on 64-bit Windows.

Raises:
  • WindowsError - On error an exception is raised.

get_peb(self)

Returns a copy of the PEB. To dereference pointers in it call Process.read_structure.

Returns: win32.PEB
PEB structure.
Raises:
  • WindowsError - An exception is raised on error.

get_peb_address(self)

Returns a remote pointer to the PEB.

Returns: int
Remote pointer to the win32.PEB structure. Returns None on error.

get_main_module(self)

Returns: Module
Module object for the process main module.

get_image_base(self)

Returns: int
Image base address for the process main module.

get_image_name(self)

Returns: int
Filename of the process main module.

This method does its best to retrieve the filename. However, sometimes this is not possible, so None may be returned instead.

get_command_line_block(self)

Retrieves the command line block memory address and size.

Returns: tuple(int, int)
Tuple with the memory address of the command line block and its maximum size in Unicode characters.
Raises:
  • WindowsError - On error an exception is raised.

get_environment_block(self)

Retrieves the environment block memory address for the process.

Returns: tuple(int, int)
Tuple with the memory address of the environment block and its size.
Raises:
  • WindowsError - On error an exception is raised.

Note: The size is always None on Windows XP and below.

get_command_line(self)

Retrieves the command line with which the program was started.

Returns: str
Command line string.
Raises:
  • WindowsError - On error an exception is raised.

get_environment_data(self)

Retrieves the environment block data with which the program is running.

Returns: list of str
Environment keys and values separated by a = character, as found in the process memory.
Raises:
  • WindowsError - On error an exception is raised.

parse_environment_data(block)
Static Method

Parse the environment block into a Python dictionary.

Returns: dict(str → str)
Dictionary of environment keys and values.

Note: Duplicated keys are joined using null characters.

get_environment(self)

Retrieves the environment with which the program is running.

Returns: dict(str → str)
Dictionary of environment keys and values.
Raises:
  • WindowsError - On error an exception is raised.

Note: Duplicated keys are joined using null characters.

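The three environment methods above (get_environment_data, parse_environment_data and get_environment) describe one pipeline: raw block in process memory, list of "key=value" strings, dictionary with duplicated keys joined by null characters. The following is an added example that walks that pipeline on a constructed block; it is not winappdbg's code. The raw block is assumed to be the usual Windows layout, UTF-16LE strings each ended by a NUL with an extra NUL closing the block, and the helper names (split_environment_block, parse_environment_data, environment_from_block) are mine. Windows also keeps per-drive working directories in entries whose name starts with "=", so the parser splits on the first "=" after the first character rather than the first "=" overall.

```python
# Constructed environment block as it would be read from process memory:
# UTF-16LE "key=value" strings, each NUL-terminated, block closed by an
# extra NUL.  PATH appears twice on purpose to exercise the duplicate rule.
SAMPLE_BLOCK = (
    "=C:=C:\\Windows\0"
    "PATH=C:\\Windows\\system32\0"
    "TEMP=C:\\Temp\0"
    "PATH=C:\\Tools\0"
    "\0"
).encode("utf-16-le")


def split_environment_block(raw):
    """Turn a raw environment block into a list of 'key=value' strings.

    This is the shape the page documents for get_environment_data: the
    entries exactly as found in memory, not yet split into key and value.
    """
    text = raw.decode("utf-16-le")
    end = text.find("\0\0")          # double NUL closes the block
    if end != -1:
        text = text[:end]
    return [entry for entry in text.split("\0") if entry]


def parse_environment_data(block):
    """Parse 'key=value' entries into a dict.

    Hypothetical reimplementation of the static method's documented
    behaviour: duplicated keys are joined using null characters.
    """
    env = {}
    for entry in block:
        # Entries such as '=C:=C:\\Windows' begin with '=', so look for the
        # separator starting at index 1 to keep '=C:' as the key.
        sep = entry.find("=", 1)
        if sep == -1:
            key, value = entry, ""
        else:
            key, value = entry[:sep], entry[sep + 1:]
        if key in env:
            env[key] = env[key] + "\0" + value
        else:
            env[key] = value
    return env


def environment_from_block(raw):
    """Whole pipeline, mirroring what get_environment returns."""
    return parse_environment_data(split_environment_block(raw))


if __name__ == "__main__":
    for key, value in sorted(environment_from_block(SAMPLE_BLOCK).items()):
        print("%r -> %r" % (key, value))
```

Joining duplicates with a NUL rather than overwriting preserves evidence: when triaging a process whose environment has been tampered with (a second PATH or a planted loader variable), both values survive and the NUL makes the duplication visible.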
peek_pointers_in_data(self, data, peekSize=16, peekStep=1)

Tries to guess which values in the given data are valid pointers, and reads some data from them.

Parameters:
  • data (str) - Binary data to find pointers in.
  • peekSize (int) - Number of bytes to read from each pointer found.
  • peekStep (int) - Expected data alignment. Typically you specify 1 when data alignment is unknown, or 4 when you expect data to be DWORD aligned. Any other value may be specified.
Returns: dict( str → str )
Dictionary mapping stack offsets to the data they point to.
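To make the peekSize and peekStep parameters concrete, here is an added example (not winappdbg's own code) that scans a constructed stack snapshot for values pointing into a constructed, in-memory address space and reads peekSize bytes from each hit. It assumes 32-bit pointers and stands in a dictionary of readable regions for the debuggee's memory; read_memory, peek_pointers_in_data and the sample data are mine, and the result is keyed by integer offsets into data.

```python
import struct

POINTER_SIZE = 4   # assumed 32-bit target for this example

# Constructed fake address space (region base -> bytes) standing in for the
# readable pages of a debuggee.  Addresses and contents are made up.
MEMORY = {
    0x00401000: b"\x55\x8b\xec\x83\xec\x10" + b"\x90" * 26,   # code
    0x00402000: b"Hello, debuggee!\0" + b"\x00" * 15,          # data
}

# Constructed 18-byte stack snapshot: an aligned pointer to the string at
# offset 0, junk at 4, an aligned pointer into code at 8, two bytes of
# padding, then an unaligned pointer at offset 14.
SAMPLE_STACK = (
    struct.pack("<I", 0x00402000)
    + b"\x41\x41\x41\x41"
    + struct.pack("<I", 0x00401003)
    + b"\x00\x00"
    + struct.pack("<I", 0x00402010)
)


def read_memory(address, size, memory=MEMORY):
    """Read up to size bytes at address from the fake address space.

    Returns None when address lies in no readable region; a read that runs
    past the end of a region is truncated rather than failed, which is the
    behaviour a practitioner wants when peeking near a page boundary.
    """
    for base, data in memory.items():
        if base <= address < base + len(data):
            off = address - base
            return data[off:off + size]
    return None


def peek_pointers_in_data(data, peekSize=16, peekStep=1, memory=MEMORY):
    """Guess which pointer-sized values in data are valid pointers.

    Hypothetical reimplementation of the documented behaviour: every
    candidate at offsets 0, peekStep, 2*peekStep, ... is treated as a
    pointer, and the ones that resolve to readable memory are returned as
    {offset: peeked_bytes}.
    """
    result = {}
    last = len(data) - POINTER_SIZE
    for offset in range(0, last + 1, peekStep):
        candidate = struct.unpack_from("<I", data, offset)[0]
        peeked = read_memory(candidate, peekSize, memory)
        if peeked is not None:
            result[offset] = peeked
    return result


if __name__ == "__main__":
    for step in (4, 1):
        print("peekStep=%d" % step)
        for offset, peeked in sorted(peek_pointers_in_data(SAMPLE_STACK, 16, step).items()):
            print("  +%02d -> %r" % (offset, peeked))
```

With peekStep=4 only the two DWORD-aligned pointers are found; peekStep=1 also recovers the unaligned one at offset 14, at the cost of testing every byte offset as a candidate, which on real data produces more accidental hits.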