Home       Trees       Indices       Help   
WinAppDbg - Programming Reference
Package winappdbg :: Module system :: Class System
[hide private]
[frames] | no frames]

Class System

source code

      object --+    
               |    
ProcessContainer --+
                   |
                  System

Interface to a batch of processes, plus some system wide settings. Contains a snapshot of processes.

Instance Methods [hide private]
bool
__contains__(self, anObject)
Returns: True if the snapshot contains a Process or Thread object with the same ID. (Inherited from winappdbg.system.ProcessContainer)		 source code
 
__init__(self)
x.__init__(...) initializes x; see x.__class__.__doc__ for signature (Inherited from winappdbg.system.ProcessContainer)		 source code
dictionary-valueiterator
__iter__(self)
Returns: Iterator of Process objects in this snapshot. (Inherited from winappdbg.system.ProcessContainer)		 source code
int
__len__(self)
Returns: Count of Process objects in this snapshot. (Inherited from winappdbg.system.ProcessContainer)		 source code

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __repr__, __setattr__, __sizeof__, __str__, __subclasshook__

    Instrumentation
Process
start_process(self, lpCmdLine, bConsole=False, bDebug=False, bFollow=False, bSuspended=False, bInheritHandles=False, dwParentProcessId=None)
Starts a new process for instrumenting (or debugging). (Inherited from winappdbg.system.ProcessContainer)		 source code
    Processes snapshot
 
clear(self)
Clears this snapshot. (Inherited from winappdbg.system.ProcessContainer)		 source code
 
clear_dead_processes(self)
Removes Process objects from the snapshot referring to processes no longer running. (Inherited from winappdbg.system.ProcessContainer)		 source code
 
clear_processes(self)
Removes all Process, Thread and Module objects in this snapshot. (Inherited from winappdbg.system.ProcessContainer)		 source code
 
clear_unattached_processes(self)
Removes Process objects from the snapshot referring to processes not being debugged. (Inherited from winappdbg.system.ProcessContainer)		 source code
 
close_process_and_thread_handles(self)
Closes all open handles to processes and threads in this snapshot. (Inherited from winappdbg.system.ProcessContainer)		 source code
 
close_process_handles(self)
Closes all open handles to processes in this snapshot. (Inherited from winappdbg.system.ProcessContainer)		 source code
list of tuple( Process, str )
find_processes_by_filename(self, fileName)
Returns: List of processes matching the given main module filename. (Inherited from winappdbg.system.ProcessContainer)		 source code
int
get_pid_from_tid(self, dwThreadId)
Retrieves the global ID of the process that owns the thread. (Inherited from winappdbg.system.ProcessContainer)		 source code
Process
get_process(self, dwProcessId)
Returns: Process object with the given global ID. (Inherited from winappdbg.system.ProcessContainer)		 source code
int
get_process_count(self)
Returns: Count of Process objects in this snapshot. (Inherited from winappdbg.system.ProcessContainer)		 source code
list( int )
get_process_ids(self)
Returns: List of global process IDs in this snapshot. (Inherited from winappdbg.system.ProcessContainer)		 source code
list of Window
get_windows(self)
Returns: Returns a list of windows handled by all processes in this snapshot. (Inherited from winappdbg.system.ProcessContainer)		 source code
bool
has_process(self, dwProcessId)
Returns: True if the snapshot contains a Process object with the given global ID. (Inherited from winappdbg.system.ProcessContainer)		 source code
dictionary-keyiterator
iter_process_ids(self)
Returns: Iterator of global process IDs in this snapshot. (Inherited from winappdbg.system.ProcessContainer)		 source code
dictionary-valueiterator
iter_processes(self)
Returns: Iterator of Process objects in this snapshot. (Inherited from winappdbg.system.ProcessContainer)		 source code
 
scan(self)
Populates the snapshot with running processes and threads, and loaded modules. (Inherited from winappdbg.system.ProcessContainer)		 source code
 
scan_processes(self)
Populates the snapshot with running processes. (Inherited from winappdbg.system.ProcessContainer)		 source code
 
scan_processes_fast(self)
Populates the snapshot with running processes. (Inherited from winappdbg.system.ProcessContainer)		 source code
    Threads snapshots
Thread
get_thread(self, dwThreadId)
Returns: Thread object with the given global ID. (Inherited from winappdbg.system.ProcessContainer)		 source code
int
get_thread_count(self)
Returns: Count of Thread objects in this snapshot. (Inherited from winappdbg.system.ProcessContainer)		 source code
list( int )
get_thread_ids(self)
Returns: List of global thread IDs in this snapshot. (Inherited from winappdbg.system.ProcessContainer)		 source code
bool
has_thread(self, dwThreadId)
Returns: True if the snapshot contains a Thread object with the given global ID. (Inherited from winappdbg.system.ProcessContainer)		 source code
 
scan_processes_and_threads(self)
Populates the snapshot with running processes and threads. (Inherited from winappdbg.system.ProcessContainer)		 source code
    Modules snapshots
list( Module... )
find_modules_by_address(self, address)
Returns: List of Module objects that best match the given address. (Inherited from winappdbg.system.ProcessContainer)		 source code
list( Module... )
find_modules_by_base(self, lpBaseOfDll)
Returns: List of Module objects with the given base address. (Inherited from winappdbg.system.ProcessContainer)		 source code
list( Module... )
find_modules_by_name(self, fileName)
Returns: List of Module objects found. (Inherited from winappdbg.system.ProcessContainer)		 source code
int
get_module_count(self)
Returns: Count of Module objects in this snapshot. (Inherited from winappdbg.system.ProcessContainer)		 source code
 
scan_modules(self)
Populates the snapshot with loaded modules. (Inherited from winappdbg.system.ProcessContainer)		 source code
    Event notifications (private)
bool
notify_create_process(self, event)
Notify the creation of a new process. (Inherited from winappdbg.system.ProcessContainer)		 source code
bool
notify_exit_process(self, event)
Notify the termination of a process. (Inherited from winappdbg.system.ProcessContainer)		 source code
Class Methods [hide private]
    Global settings
ctypes.WinDLL
load_dbghelp(cls, pathname=None)
Load the dbghelp.dll library shipped with the Debugging Tools for Windows.		 source code
int
read_msr(cls, address)
Read the contents of the specified MSR (Machine Specific Register).		 source code
 
write_msr(cls, address, value)
Set the contents of the specified MSR (Machine Specific Register).		 source code
 
enable_step_on_branch_mode(cls)
When tracing, call this on every single step event for step on branch mode.		 source code
tuple( int, int )
get_last_branch_location(cls)
Returns the source and destination addresses of the last taken branch.		 source code
Static Methods [hide private]
    Instrumentation
Window or None
find_window(className=None, windowName=None)
Find the first top-level window in the current desktop to match the given class name and/or window name.		 source code
Window
get_window_at(x, y)
Get the window located at the given coordinates in the desktop.		 source code
Window
get_desktop_window()
Returns: Returns the desktop window.		 source code
Window
get_foreground_window()
Returns: Returns the foreground window.		 source code
str
argv_to_cmdline(argv)
Convert a list of arguments to a single command line string. (Inherited from winappdbg.system.ProcessContainer)		 source code
list( str )
cmdline_to_argv(lpCmdLine)
Convert a single command line string to a list of arguments. (Inherited from winappdbg.system.ProcessContainer)		 source code
    Global settings
 
request_debug_privileges(bIgnoreExceptions=False)
Requests debug privileges.		 source code
bool
set_kill_on_exit_mode(bKillOnExit=False)
Automatically detach from processes when the current thread dies.		 source code
Class Variables [hide private]
    Global settings
str arch = 'i386'
Name of the processor architecture we're running on.
int bits = 32
Size of the machine word in bits for the current architecture.
str os = 'Windows XP'
Name of the Windows version we're runing on.
bool wow64 = False
True if the debugger is a 32 bits process running in a 64 bits version of Windows, False otherwise.
int pageSize = 4096
Page size in bytes.
Properties [hide private]

Inherited from object: __class__

Method Details [hide private]

find_window(className=None, windowName=None)
Static Method

source code 

Find the first top-level window in the current desktop to match the given class name and/or window name. If neither are provided any top-level window will match.

Parameters:
  • className (str) - (Optional) Class name of the window to find. If None or not used any class name will match the search.
  • windowName (str) - (Optional) Caption text of the window to find. If None or not used any caption text will match the search.
Returns: Window or None
A window that matches the request. There may be more matching windows, but this method only returns one. If no matching window is found, the return value is None.
Raises:
  • WindowsError - An error occured while processing this request.

See Also: get_window_at

get_window_at(x, y)
Static Method

source code 

Get the window located at the given coordinates in the desktop. If no such window exists an exception is raised.

Parameters:
  • x (int) - Horizontal coordinate.
  • y (int) - Vertical coordinate.
Returns: Window
Window at the requested position. If no such window exists a WindowsError exception is raised.
Raises:
  • WindowsError - An error occured while processing this request.

See Also: find_window

get_desktop_window()
Static Method

source code 
Returns: Window
Returns the desktop window.
Raises:
  • WindowsError - An error occured while processing this request.

get_foreground_window()
Static Method

source code 
Returns: Window
Returns the foreground window.
Raises:
  • WindowsError - An error occured while processing this request.

request_debug_privileges(bIgnoreExceptions=False)
Static Method

source code 

Requests debug privileges.

This may be needed to debug processes running as SYSTEM (such as services) since Windows XP.

set_kill_on_exit_mode(bKillOnExit=False)
Static Method

source code 

Automatically detach from processes when the current thread dies.

Works on the following platforms:

  • Microsoft Windows XP and above.
  • Wine (Windows Emulator).

Fails on the following platforms:

  • Microsoft Windows 2000 and below.
  • ReactOS.
Parameters:
  • bKillOnExit (bool) - True to automatically kill processes when the debugger thread dies. False to automatically detach from processes when the debugger thread dies.
Returns: bool
True on success, False on error.

Note: This call will fail if a debug port was not created. That is, if the debugger isn't attached to at least one process. For more info see: http://msdn.microsoft.com/en-us/library/ms679307.aspx

load_dbghelp(cls, pathname=None)
Class Method

source code 

Load the dbghelp.dll library shipped with the Debugging Tools for Windows. Essentially this enables symbol server support, since this version is newer than the one pre-installed with Windows, and the symbol server loader library (SymSrv.dll) is present in the same directory.

For this method to have any effect it MUST be called BEFORE any function in dbghelp.dll. It's recommended that you call it right after starting your debug script, or after instancing the Debug object.

Example:

   from winappdbg import Debug

   def simple_debugger( argv ):

       # Instance a Debug object, passing it the event handler callback
       debug = Debug( my_event_handler )
       try:

           # Enable support for symbol downloading
           debug.system.load_dbghelp()

           # Start a new process for debugging
           debug.execv( argv )

           # Wait for the debugee to finish
           debug.loop()

       # Stop the debugger
       finally:
           debug.stop()
Parameters:
  • pathname (str) - (Optional) Full pathname to the dbghelp.dll library.
Returns: ctypes.WinDLL
Loaded instance of dbghelp.dll.
Raises:
  • NotImplementedError - This feature was not implemented for the current architecture.
  • WindowsError - An error occured while processing this request.

See Also: http://msdn.microsoft.com/en-us/library/ms679294(VS.85).aspx

read_msr(cls, address)
Class Method

source code 

Read the contents of the specified MSR (Machine Specific Register).

Parameters:
  • address (int) - MSR to read.
Returns: int
Value of the specified MSR.
Raises:
  • WindowsError - Raises an exception on error.
  • NotImplementedError - Current architecture is not i386 or amd64.

Warning: It could potentially brick your machine. It works on my machine, but your mileage may vary.

write_msr(cls, address, value)
Class Method

source code 

Set the contents of the specified MSR (Machine Specific Register).

Parameters:
  • address (int) - MSR to write.
  • value (int) - Contents to write on the MSR.
Raises:
  • WindowsError - Raises an exception on error.
  • NotImplementedError - Current architecture is not i386 or amd64.

Warning: It could potentially brick your machine. It works on my machine, but your mileage may vary.

enable_step_on_branch_mode(cls)
Class Method

source code 

When tracing, call this on every single step event for step on branch mode.

Raises:
  • WindowsError - Raises ERROR_DEBUGGER_INACTIVE if the debugger is not attached to least one process.
  • NotImplementedError - Current architecture is not i386 or amd64.

Warning: This method uses the processor's machine specific registers (MSR). It could potentially brick your machine. It works on my machine, but your mileage may vary.

Note: It doesn't seem to work in VMWare or VirtualBox machines. Maybe it fails in other virtualization/emulation environments, no extensive testing was made so far.

get_last_branch_location(cls)
Class Method

source code 

Returns the source and destination addresses of the last taken branch.

Returns: tuple( int, int )
Source and destination addresses of the last taken branch.
Raises:
  • WindowsError - Raises an exception on error.
  • NotImplementedError - Current architecture is not i386 or amd64.

Warning: This method uses the processor's machine specific registers (MSR). It could potentially brick your machine. It works on my machine, but your mileage may vary.

Note: It doesn't seem to work in VMWare or VirtualBox machines. Maybe it fails in other virtualization/emulation environments, no extensive testing was made so far.


Class Variable Details [hide private]

arch

Name of the processor architecture we're running on. For more details see win32.version.get_arch.
Type:
str
Value:
'i386'

bits

Size of the machine word in bits for the current architecture. For more details see win32.version.get_bits.
Type:
int
Value:
32

os

Name of the Windows version we're runing on. For more details see win32.version.get_os.
Type:
str
Value:
'Windows XP'

pageSize

Page size in bytes. Defaults to 0x1000 but it's automatically updated on runtime when importing the module.
Type:
int
Value:
4096

   Home       Trees       Indices       Help   
WinAppDbg - Programming Reference
Generated by Epydoc 3.0.1 on Tue Jul 20 14:32:16 2010 http://epydoc.sourceforge.net