winappdbg.win32.context

1 # Copyright (c) 2009-2010, Mario Vilas 2 # All rights reserved. 3 # 4 # Redistribution and use in source and binary forms, with or without 5 # modification, are permitted provided that the following conditions are met: 6 # 7 # * Redistributions of source code must retain the above copyright notice, 8 # this list of conditions and the following disclaimer. 9 # * Redistributions in binary form must reproduce the above copyright 10 # notice,this list of conditions and the following disclaimer in the 11 # documentation and/or other materials provided with the distribution. 12 # * Neither the name of the copyright holder nor the names of its 13 # contributors may be used to endorse or promote products derived from 14 # this software without specific prior written permission. 15 # 16 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 17 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 20 # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 21 # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 22 # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 23 # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 24 # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 25 # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 # POSSIBILITY OF SUCH DAMAGE. 27 28 """ 29 CONTEXT structure for amd64. 30 """ 31 32 __revision__ = "$Id: context_amd64.py 655 2010-03-30 17:00:27Z qvasimodo $" 33 34 from defines import * 35 import context_i386 36 37 # The following values specify the type of access in the first parameter 38 # of the exception record when the exception code specifies an access 39 # violation. 40 EXCEPTION_READ_FAULT = 0 # exception caused by a read 41 EXCEPTION_WRITE_FAULT = 1 # exception caused by a write 42 EXCEPTION_EXECUTE_FAULT = 8 # exception caused by an instruction fetch 43 44 CONTEXT_AMD64 = 0x00100000 45 46 CONTEXT_CONTROL = (CONTEXT_AMD64 | 0x1L) 47 CONTEXT_INTEGER = (CONTEXT_AMD64 | 0x2L) 48 CONTEXT_SEGMENTS = (CONTEXT_AMD64 | 0x4L) 49 CONTEXT_FLOATING_POINT = (CONTEXT_AMD64 | 0x8L) 50 CONTEXT_DEBUG_REGISTERS = (CONTEXT_AMD64 | 0x10L) 51 52 CONTEXT_MMX_REGISTERS = CONTEXT_FLOATING_POINT 53 54 CONTEXT_FULL = (CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_FLOATING_POINT) 55 56 CONTEXT_ALL = (CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS | \ 57 CONTEXT_FLOATING_POINT | CONTEXT_DEBUG_REGISTERS) 58 59 CONTEXT_EXCEPTION_ACTIVE = 0x8000000 60 CONTEXT_SERVICE_ACTIVE = 0x10000000 61 CONTEXT_EXCEPTION_REQUEST = 0x40000000 62 CONTEXT_EXCEPTION_REPORTING = 0x80000000 63 64 INITIAL_MXCSR = 0x1f80 # initial MXCSR value 65 INITIAL_FPCSR = 0x027f # initial FPCSR value

66 67 # typedef struct _XMM_SAVE_AREA32 { 68 # WORD ControlWord; 69 # WORD StatusWord; 70 # BYTE TagWord; 71 # BYTE Reserved1; 72 # WORD ErrorOpcode; 73 # DWORD ErrorOffset; 74 # WORD ErrorSelector; 75 # WORD Reserved2; 76 # DWORD DataOffset; 77 # WORD DataSelector; 78 # WORD Reserved3; 79 # DWORD MxCsr; 80 # DWORD MxCsr_Mask; 81 # M128A FloatRegisters[8]; 82 # M128A XmmRegisters[16]; 83 # BYTE Reserved4[96]; 84 # } XMM_SAVE_AREA32, *PXMM_SAVE_AREA32; 85 -class XMM_SAVE_AREA32(Structure):

86 _pack_ = 1 87 _fields_ = [ 88 ('ControlWord', WORD), 89 ('StatusWord', WORD), 90 ('TagWord', BYTE), 91 ('Reserved1', BYTE), 92 ('ErrorOpcode', WORD), 93 ('ErrorOffset', DWORD), 94 ('ErrorSelector', WORD), 95 ('Reserved2', WORD), 96 ('DataOffset', DWORD), 97 ('DataSelector', WORD), 98 ('Reserved3', WORD), 99 ('MxCsr', DWORD), 100 ('MxCsr_Mask', DWORD), 101 ('FloatRegisters', M128A * 8), 102 ('XmmRegisters', M128A * 16), 103 ('Reserved4', BYTE * 96), 104 ]

105 106 LEGACY_SAVE_AREA_LENGTH = sizeof(XMM_SAVE_AREA32) 107 108 PXMM_SAVE_AREA32 = ctypes.POINTER(XMM_SAVE_AREA32) 109 LPXMM_SAVE_AREA32 = PXMM_SAVE_AREA32

110 111 # // 112 # // Context Frame 113 # // 114 # // This frame has a several purposes: 1) it is used as an argument to 115 # // NtContinue, 2) is is used to constuct a call frame for APC delivery, 116 # // and 3) it is used in the user level thread creation routines. 117 # // 118 # // 119 # // The flags field within this record controls the contents of a CONTEXT 120 # // record. 121 # // 122 # // If the context record is used as an input parameter, then for each 123 # // portion of the context record controlled by a flag whose value is 124 # // set, it is assumed that that portion of the context record contains 125 # // valid context. If the context record is being used to modify a threads 126 # // context, then only that portion of the threads context is modified. 127 # // 128 # // If the context record is used as an output parameter to capture the 129 # // context of a thread, then only those portions of the thread's context 130 # // corresponding to set flags will be returned. 131 # // 132 # // CONTEXT_CONTROL specifies SegSs, Rsp, SegCs, Rip, and EFlags. 133 # // 134 # // CONTEXT_INTEGER specifies Rax, Rcx, Rdx, Rbx, Rbp, Rsi, Rdi, and R8-R15. 135 # // 136 # // CONTEXT_SEGMENTS specifies SegDs, SegEs, SegFs, and SegGs. 137 # // 138 # // CONTEXT_DEBUG_REGISTERS specifies Dr0-Dr3 and Dr6-Dr7. 139 # // 140 # // CONTEXT_MMX_REGISTERS specifies the floating point and extended registers 141 # // Mm0/St0-Mm7/St7 and Xmm0-Xmm15). 142 # // 143 # 144 # typedef struct DECLSPEC_ALIGN(16) _CONTEXT { 145 # 146 # // 147 # // Register parameter home addresses. 148 # // 149 # // N.B. These fields are for convience - they could be used to extend the 150 # // context record in the future. 151 # // 152 # 153 # DWORD64 P1Home; 154 # DWORD64 P2Home; 155 # DWORD64 P3Home; 156 # DWORD64 P4Home; 157 # DWORD64 P5Home; 158 # DWORD64 P6Home; 159 # 160 # // 161 # // Control flags. 162 # // 163 # 164 # DWORD ContextFlags; 165 # DWORD MxCsr; 166 # 167 # // 168 # // Segment Registers and processor flags. 169 # // 170 # 171 # WORD SegCs; 172 # WORD SegDs; 173 # WORD SegEs; 174 # WORD SegFs; 175 # WORD SegGs; 176 # WORD SegSs; 177 # DWORD EFlags; 178 # 179 # // 180 # // Debug registers 181 # // 182 # 183 # DWORD64 Dr0; 184 # DWORD64 Dr1; 185 # DWORD64 Dr2; 186 # DWORD64 Dr3; 187 # DWORD64 Dr6; 188 # DWORD64 Dr7; 189 # 190 # // 191 # // Integer registers. 192 # // 193 # 194 # DWORD64 Rax; 195 # DWORD64 Rcx; 196 # DWORD64 Rdx; 197 # DWORD64 Rbx; 198 # DWORD64 Rsp; 199 # DWORD64 Rbp; 200 # DWORD64 Rsi; 201 # DWORD64 Rdi; 202 # DWORD64 R8; 203 # DWORD64 R9; 204 # DWORD64 R10; 205 # DWORD64 R11; 206 # DWORD64 R12; 207 # DWORD64 R13; 208 # DWORD64 R14; 209 # DWORD64 R15; 210 # 211 # // 212 # // Program counter. 213 # // 214 # 215 # DWORD64 Rip; 216 # 217 # // 218 # // Floating point state. 219 # // 220 # 221 # union { 222 # XMM_SAVE_AREA32 FltSave; 223 # struct { 224 # M128A Header[2]; 225 # M128A Legacy[8]; 226 # M128A Xmm0; 227 # M128A Xmm1; 228 # M128A Xmm2; 229 # M128A Xmm3; 230 # M128A Xmm4; 231 # M128A Xmm5; 232 # M128A Xmm6; 233 # M128A Xmm7; 234 # M128A Xmm8; 235 # M128A Xmm9; 236 # M128A Xmm10; 237 # M128A Xmm11; 238 # M128A Xmm12; 239 # M128A Xmm13; 240 # M128A Xmm14; 241 # M128A Xmm15; 242 # }; 243 # }; 244 # 245 # // 246 # // Vector registers. 247 # // 248 # 249 # M128A VectorRegister[26]; 250 # DWORD64 VectorControl; 251 # 252 # // 253 # // Special debug control registers. 254 # // 255 # 256 # DWORD64 DebugControl; 257 # DWORD64 LastBranchToRip; 258 # DWORD64 LastBranchFromRip; 259 # DWORD64 LastExceptionToRip; 260 # DWORD64 LastExceptionFromRip; 261 # } CONTEXT, *PCONTEXT; 262 263 -class _CONTEXT_FLTSAVE_STRUCT(Structure):

264 _fields_ = [ 265 ('Header', M128A * 2), 266 ('Legacy', M128A * 8), 267 ('Xmm0', M128A), 268 ('Xmm1', M128A), 269 ('Xmm2', M128A), 270 ('Xmm3', M128A), 271 ('Xmm4', M128A), 272 ('Xmm5', M128A), 273 ('Xmm6', M128A), 274 ('Xmm7', M128A), 275 ('Xmm8', M128A), 276 ('Xmm9', M128A), 277 ('Xmm10', M128A), 278 ('Xmm11', M128A), 279 ('Xmm12', M128A), 280 ('Xmm13', M128A), 281 ('Xmm14', M128A), 282 ('Xmm15', M128A), 283 ]

284 -class _CONTEXT_FLTSAVE_UNION(Union):

285 _fields_ = [ 286 ('flt', XMM_SAVE_AREA32), 287 ('xmm', _CONTEXT_FLTSAVE_STRUCT), 288 ]

289

290 -class CONTEXT(Structure):

291 arch = 'amd64' 292 293 _pack_ = 16 294 _fields_ = [ 295 296 # Register parameter home addresses. 297 ('P1Home', DWORD64), 298 ('P2Home', DWORD64), 299 ('P3Home', DWORD64), 300 ('P4Home', DWORD64), 301 ('P5Home', DWORD64), 302 ('P6Home', DWORD64), 303 304 # Control flags. 305 ('ContextFlags', DWORD), 306 ('MxCsr', DWORD), 307 308 # Segment Registers and processor flags. 309 ('SegCs', WORD), 310 ('SegDs', WORD), 311 ('SegEs', WORD), 312 ('SegFs', WORD), 313 ('SegGs', WORD), 314 ('SegSs', WORD), 315 ('EFlags', DWORD), 316 317 # Debug registers. 318 ('Dr0', DWORD64), 319 ('Dr1', DWORD64), 320 ('Dr2', DWORD64), 321 ('Dr3', DWORD64), 322 ('Dr6', DWORD64), 323 ('Dr7', DWORD64), 324 325 # Integer registers. 326 ('Rax', DWORD64), 327 ('Rcx', DWORD64), 328 ('Rdx', DWORD64), 329 ('Rbx', DWORD64), 330 ('Rsp', DWORD64), 331 ('Rbp', DWORD64), 332 ('Rsi', DWORD64), 333 ('Rdi', DWORD64), 334 ('R8', DWORD64), 335 ('R9', DWORD64), 336 ('R10', DWORD64), 337 ('R11', DWORD64), 338 ('R12', DWORD64), 339 ('R13', DWORD64), 340 ('R14', DWORD64), 341 ('R15', DWORD64), 342 343 # Program counter. 344 ('Rip', DWORD64), 345 346 # Floating point state. 347 ('FltSave', _CONTEXT_FLTSAVE_UNION), 348 349 # Vector registers. 350 ('VectorRegister', M128A * 26), 351 ('VectorControl', DWORD64), 352 353 # Special debug control registers. 354 ('DebugControl', DWORD64), 355 ('LastBranchToRip', DWORD64), 356 ('LastBranchFromRip', DWORD64), 357 ('LastExceptionToRip', DWORD64), 358 ('LastExceptionFromRip', DWORD64), 359 ] 360 361 _others = ('P1Home', 'P2Home', 'P3Home', 'P4Home', 'P5Home', 'P6Home', \ 362 'MxCsr', 'VectorRegister', 'VectorControl') 363 _control = ('SegSs', 'Rsp', 'SegCs', 'Rip', 'EFlags') 364 _integer = ('Rax', 'Rcx', 'Rdx', 'Rbx', 'Rsp', 'Rbp', 'Rsi', 'Rdi', \ 365 'R8', 'R9', 'R10', 'R11', 'R12', 'R13', 'R14', 'R15') 366 _segments = ('SegDs', 'SegEs', 'SegFs', 'SegGs') 367 _debug = ('Dr0', 'Dr1', 'Dr2', 'Dr3', 'Dr6', 'Dr7', \ 368 'DebugControl', 'LastBranchToRip', 'LastBranchFromRip', \ 369 'LastExceptionToRip', 'LastExceptionFromRip') 370 _mmx = ('Xmm0', 'Xmm1', 'Xmm2', 'Xmm3', 'Xmm4', 'Xmm5', 'Xmm6', 'Xmm7', \ 371 'Xmm8', 'Xmm9', 'Xmm10', 'Xmm11', 'Xmm12', 'Xmm13', 'Xmm14', 'Xmm15') 372 373 # XXX TODO 374 # Convert VectorRegister and Xmm0-Xmm15 to pure Python types! 375 376 @classmethod

377 - def from_dict(cls, ctx):

378 'Instance a new structure from a Python dictionary.' 379 ctx = Context(ctx) 380 s = cls() 381 ContextFlags = ctx['ContextFlags'] 382 s.ContextFlags = ContextFlags 383 for key in cls._others: 384 setattr(s, key, ctx[key]) 385 if (ContextFlags & CONTEXT_CONTROL) == CONTEXT_CONTROL: 386 for key in cls._control: 387 setattr(s, key, ctx[key]) 388 if (ContextFlags & CONTEXT_INTEGER) == CONTEXT_INTEGER: 389 for key in cls._integer: 390 setattr(s, key, ctx[key]) 391 if (ContextFlags & CONTEXT_SEGMENTS) == CONTEXT_SEGMENTS: 392 for key in cls._segments: 393 setattr(s, key, ctx[key]) 394 if (ContextFlags & CONTEXT_DEBUG_REGISTERS) == CONTEXT_DEBUG_REGISTERS: 395 for key in cls._debug: 396 setattr(s, key, ctx[key]) 397 if (ContextFlags & CONTEXT_MMX_REGISTERS) == CONTEXT_MMX_REGISTERS: 398 xmm = s.FltSave.xmm 399 for key in cls._mmx: 400 setattr(xmm, key, ctx[key]) 401 return s

402

403 - def to_dict(self):

404 'Convert a structure into a Python dictionary.' 405 ctx = Context() 406 ContextFlags = self.ContextFlags 407 ctx['ContextFlags'] = ContextFlags 408 for key in self._others: 409 ctx[key] = getattr(self, key) 410 if (ContextFlags & CONTEXT_CONTROL) == CONTEXT_CONTROL: 411 for key in self._control: 412 ctx[key] = getattr(self, key) 413 if (ContextFlags & CONTEXT_INTEGER) == CONTEXT_INTEGER: 414 for key in self._integer: 415 ctx[key] = getattr(self, key) 416 if (ContextFlags & CONTEXT_SEGMENTS) == CONTEXT_SEGMENTS: 417 for key in self._segments: 418 ctx[key] = getattr(self, key) 419 if (ContextFlags & CONTEXT_DEBUG_REGISTERS) == CONTEXT_DEBUG_REGISTERS: 420 for key in self._debug: 421 ctx[key] = getattr(self, key) 422 if (ContextFlags & CONTEXT_MMX_REGISTERS) == CONTEXT_MMX_REGISTERS: 423 xmm = self.FltSave.xmm 424 for key in self._mmx: 425 ctx[key] = getattr(xmm, key) 426 return ctx

427 428 PCONTEXT = ctypes.POINTER(CONTEXT) 429 LPCONTEXT = PCONTEXT

430 431 -class Context(dict):

432 """ 433 Register context dictionary for the %s architecture. 434 """ % CONTEXT.arch 435 arch = CONTEXT.arch 436

437 - def __get_pc(self):

438 return self['Rip']

439 - def __set_pc(self, value):

440 self['Rip'] = value

441 pc = property(__get_pc, __set_pc) 442

443 - def __get_sp(self):

444 return self['Rsp']

445 - def __set_sp(self, value):

446 self['Rsp'] = value

447 sp = property(__get_sp, __set_sp) 448

449 - def __get_fp(self):

450 return self['Rbp']

451 - def __set_fp(self, value):

452 self['Rbp'] = value

453 fp = property(__get_fp, __set_fp)

454

455 #--- LDT_ENTRY structure ------------------------------------------------------ 456 457 # typedef struct _LDT_ENTRY { 458 # WORD LimitLow; 459 # WORD BaseLow; 460 # union { 461 # struct { 462 # BYTE BaseMid; 463 # BYTE Flags1; 464 # BYTE Flags2; 465 # BYTE BaseHi; 466 # } Bytes; 467 # struct { 468 # DWORD BaseMid :8; 469 # DWORD Type :5; 470 # DWORD Dpl :2; 471 # DWORD Pres :1; 472 # DWORD LimitHi :4; 473 # DWORD Sys :1; 474 # DWORD Reserved_0 :1; 475 # DWORD Default_Big :1; 476 # DWORD Granularity :1; 477 # DWORD BaseHi :8; 478 # } Bits; 479 # } HighWord; 480 # } LDT_ENTRY, 481 # *PLDT_ENTRY; 482 483 -class _LDT_ENTRY_BYTES_(Structure):

484 _pack_ = 1 485 _fields_ = [ 486 ('BaseMid', BYTE), 487 ('Flags1', BYTE), 488 ('Flags2', BYTE), 489 ('BaseHi', BYTE), 490 ]

491

492 -class _LDT_ENTRY_BITS_(Structure):

493 _pack_ = 1 494 _fields_ = [ 495 ('BaseMid', DWORD, 8), 496 ('Type', DWORD, 5), 497 ('Dpl', DWORD, 2), 498 ('Pres', DWORD, 1), 499 ('LimitHi', DWORD, 4), 500 ('Sys', DWORD, 1), 501 ('Reserved_0', DWORD, 1), 502 ('Default_Big', DWORD, 1), 503 ('Granularity', DWORD, 1), 504 ('BaseHi', DWORD, 8), 505 ]

506

507 -class _LDT_ENTRY_HIGHWORD_(Union):

508 _pack_ = 1 509 _fields_ = [ 510 ('Bytes', _LDT_ENTRY_BYTES_), 511 ('Bits', _LDT_ENTRY_BITS_), 512 ]

513

514 -class LDT_ENTRY(Structure):

515 _pack_ = 1 516 _fields_ = [ 517 ('LimitLow', WORD), 518 ('BaseLow', WORD), 519 ('HighWord', _LDT_ENTRY_HIGHWORD_), 520 ]

521 522 PLDT_ENTRY = POINTER(LDT_ENTRY) 523 LPLDT_ENTRY = PLDT_ENTRY 524 525 #--- WOW64 CONTEXT structure and constants ------------------------------------ 526 527 # Value of SegCs in a Wow64 thread when running in 32 bits mode 528 WOW64_CS32 = 0x23 529 530 WOW64_CONTEXT_i386 = 0x00010000L 531 WOW64_CONTEXT_i486 = 0x00010000L 532 533 WOW64_CONTEXT_CONTROL = (WOW64_CONTEXT_i386 | 0x00000001L) 534 WOW64_CONTEXT_INTEGER = (WOW64_CONTEXT_i386 | 0x00000002L) 535 WOW64_CONTEXT_SEGMENTS = (WOW64_CONTEXT_i386 | 0x00000004L) 536 WOW64_CONTEXT_FLOATING_POINT = (WOW64_CONTEXT_i386 | 0x00000008L) 537 WOW64_CONTEXT_DEBUG_REGISTERS = (WOW64_CONTEXT_i386 | 0x00000010L) 538 WOW64_CONTEXT_EXTENDED_REGISTERS = (WOW64_CONTEXT_i386 | 0x00000020L) 539 540 WOW64_CONTEXT_FULL = (WOW64_CONTEXT_CONTROL | WOW64_CONTEXT_INTEGER | WOW64_CONTEXT_SEGMENTS) 541 WOW64_CONTEXT_ALL = (WOW64_CONTEXT_CONTROL | WOW64_CONTEXT_INTEGER | WOW64_CONTEXT_SEGMENTS | WOW64_CONTEXT_FLOATING_POINT | WOW64_CONTEXT_DEBUG_REGISTERS | WOW64_CONTEXT_EXTENDED_REGISTERS) 542 543 WOW64_SIZE_OF_80387_REGISTERS = 80 544 WOW64_MAXIMUM_SUPPORTED_EXTENSION = 512

545 546 -class WOW64_FLOATING_SAVE_AREA (context_i386.FLOATING_SAVE_AREA):

547 pass

548

549 -class WOW64_CONTEXT (context_i386.CONTEXT):

550 pass

551

552 -class WOW64_LDT_ENTRY (context_i386.LDT_ENTRY):

553 pass

554 555 PWOW64_FLOATING_SAVE_AREA = POINTER(WOW64_FLOATING_SAVE_AREA) 556 PWOW64_CONTEXT = POINTER(WOW64_CONTEXT) 557 PWOW64_LDT_ENTRY = POINTER(WOW64_LDT_ENTRY)

558 559 ############################################################################### 560 561 # BOOL WINAPI GetThreadSelectorEntry( 562 # __in HANDLE hThread, 563 # __in DWORD dwSelector, 564 # __out LPLDT_ENTRY lpSelectorEntry 565 # ); 566 -def GetThreadSelectorEntry(hThread, dwSelector):

567 _GetThreadSelectorEntry = windll.kernel32.GetThreadSelectorEntry 568 _GetThreadSelectorEntry.argtypes = [HANDLE, DWORD, LPLDT_ENTRY] 569 _GetThreadSelectorEntry.restype = bool 570 _GetThreadSelectorEntry.errcheck = RaiseIfZero 571 572 ldt = LDT_ENTRY() 573 _GetThreadSelectorEntry(hThread, dwSelector, ctypes.byref(ldt)) 574 return ldt

575

576 # BOOL WINAPI GetThreadContext( 577 # __in HANDLE hThread, 578 # __inout LPCONTEXT lpContext 579 # ); 580 -def GetThreadContext(hThread, ContextFlags = None):

581 _GetThreadContext = windll.kernel32.GetThreadContext 582 _GetThreadContext.argtypes = [HANDLE, LPCONTEXT] 583 _GetThreadContext.restype = bool 584 _GetThreadContext.errcheck = RaiseIfZero 585 586 if ContextFlags is None: 587 ContextFlags = CONTEXT_ALL 588 lpContext = CONTEXT() 589 lpContext.ContextFlags = ContextFlags 590 _GetThreadContext(hThread, ctypes.byref(lpContext)) 591 return lpContext.to_dict()

592

593 # BOOL WINAPI SetThreadContext( 594 # __in HANDLE hThread, 595 # __in const CONTEXT* lpContext 596 # ); 597 -def SetThreadContext(hThread, lpContext):

598 _SetThreadContext = windll.kernel32.SetThreadContext 599 _SetThreadContext.argtypes = [HANDLE, LPCONTEXT] 600 _SetThreadContext.restype = bool 601 _SetThreadContext.errcheck = RaiseIfZero 602 603 if isinstance(lpContext, dict): 604 lpContext = CONTEXT.from_dict(lpContext) 605 _SetThreadContext(hThread, ctypes.byref(lpContext))

606

607 # BOOL Wow64GetThreadSelectorEntry( 608 # __in HANDLE hThread, 609 # __in DWORD dwSelector, 610 # __out PWOW64_LDT_ENTRY lpSelectorEntry 611 # ); 612 -def Wow64GetThreadSelectorEntry(hThread, dwSelector):

613 _Wow64GetThreadSelectorEntry = windll.kernel32.Wow64GetThreadSelectorEntry 614 _Wow64GetThreadSelectorEntry.argtypes = [HANDLE, DWORD, PWOW64_LDT_ENTRY] 615 _Wow64GetThreadSelectorEntry.restype = bool 616 _Wow64GetThreadSelectorEntry.errcheck = RaiseIfZero 617 618 lpSelectorEntry = WOW64_LDT_ENTRY() 619 _Wow64GetThreadSelectorEntry(hThread, dwSelector, ctypes.byref(lpSelectorEntry)) 620 return lpSelectorEntry

621

622 # DWORD WINAPI Wow64ResumeThread( 623 # __in HANDLE hThread 624 # ); 625 -def Wow64ResumeThread(hThread):

626 _Wow64ResumeThread = windll.kernel32.Wow64ResumeThread 627 _Wow64ResumeThread.argtypes = [HANDLE] 628 _Wow64ResumeThread.restype = DWORD 629 630 previousCount = _Wow64ResumeThread(hThread) 631 if previousCount == DWORD(-1).value: 632 raise ctypes.WinError() 633 return previousCount

634

635 # DWORD WINAPI Wow64SuspendThread( 636 # __in HANDLE hThread 637 # ); 638 -def Wow64SuspendThread(hThread):

639 _Wow64SuspendThread = windll.kernel32.Wow64SuspendThread 640 _Wow64SuspendThread.argtypes = [HANDLE] 641 _Wow64SuspendThread.restype = DWORD 642 643 previousCount = _Wow64SuspendThread(hThread) 644 if previousCount == DWORD(-1).value: 645 raise ctypes.WinError() 646 return previousCount

647

648 # XXX TODO Use this http://www.nynaeve.net/Code/GetThreadWow64Context.cpp 649 # Also see http://www.woodmann.com/forum/archive/index.php/t-11162.html 650 651 # BOOL WINAPI Wow64GetThreadContext( 652 # __in HANDLE hThread, 653 # __inout PWOW64_CONTEXT lpContext 654 # ); 655 -def Wow64GetThreadContext(hThread, ContextFlags = None, lpContext = None):

656 _Wow64GetThreadContext = windll.kernel32.Wow64GetThreadContext 657 _Wow64GetThreadContext.argtypes = [HANDLE, LPVOID] 658 _Wow64GetThreadContext.restype = bool 659 _Wow64GetThreadContext.errcheck = RaiseIfZero 660 661 # XXX doesn't exist in XP 64 bits 662 663 if lpContext is None: 664 lpContext = WOW64_CONTEXT() 665 if ContextFlags is None: 666 lpContext.ContextFlags = WOW64_CONTEXT_ALL 667 else: 668 lpContext.ContextFlags = ContextFlags 669 elif ContextFlags is not None: 670 lpContext.ContextFlags = ContextFlags 671 _Wow64GetThreadContext(hThread, ctypes.byref(lpContext)) 672 return lpContext.to_dict()

673

674 # BOOL WINAPI Wow64SetThreadContext( 675 # __in HANDLE hThread, 676 # __in const WOW64_CONTEXT *lpContext 677 # ); 678 -def Wow64SetThreadContext(hThread, lpContext):

679 _Wow64SetThreadContext = windll.kernel32.Wow64SetThreadContext 680 _Wow64SetThreadContext.argtypes = [HANDLE, PWOW64_CONTEXT] 681 _Wow64SetThreadContext.restype = bool 682 _Wow64SetThreadContext.errcheck = RaiseIfZero 683 684 # XXX doesn't exist in XP 64 bits 685 686 if isinstance(lpContext, dict): 687 lpContext = WOW64_CONTEXT.from_dict(lpContext) 688 _Wow64SetThreadContext(hThread, ctypes.byref(lpContext))

689

Source Code for Module winappdbg.win32.context_amd64