Trees | Index | Help |
|
---|
Package pydbg :: Module pydbg :: Class pydbg |
|
object
--+ |pydbg_core
--+ | pydbg
Method Summary | |
---|---|
Set the default attributes. | |
pydbg |
Removes the breakpoint from target address. |
pydbg |
Removes all breakpoints from the debuggee. |
pydbg |
Removes the hardware breakpoint from the specified address or slot. |
pydbg |
Removes the memory breakpoint from target address. |
pydbg |
Removes all memory breakpoints from the debuggee. |
Bool |
Determine if a breakpoint address belongs to us. |
Mixed |
Determines if the specified address falls within the range of one of our memory breakpoints. |
pydbg |
Sets a breakpoint at the designated address. |
pydbg |
Sets a hardware breakpoint at the designated address. |
pydbg |
Sets a memory breakpoint at the target address. |
pydbg |
Clean up after ourselves by removing all breakpoints. |
*** DEBUG ROUTINE *** | |
String |
Pydasm disassemble utility function wrapper. |
List |
Given a specified address this routine will return the list of 5 instructions before and after the instruction at address (including the instruction at address, so 11 instructions in total). |
String |
Return an informational block of text describing the CPU context of the current thread. |
Dictionary |
Return an informational list of items describing the CPU context of the current thread. |
DWORD |
This is the default CREATE_PROCESS_DEBUG_EVENT handler. |
DWORD |
This is the default CREATE_THREAD_DEBUG_EVENT handler. |
This is the default EXIT_PROCESS_DEBUG_EVENT handler. | |
DWORD |
This is the default EXIT_THREAD_DEBUG_EVENT handler. |
DWORD |
This is the default LOAD_DLL_DEBUG_EVENT handler. |
DWORD |
This is the default UNLOAD_DLL_DEBUG_EVENT handler. |
DWORD |
This is the default EXCEPTION_ACCESS_VIOLATION handler. |
DWORD |
This is the default EXCEPTION_BREAKPOINT handler, responsible for transparently restoring soft breakpoints and passing control to the registered user callback handler. |
DWORD |
This is the default EXCEPTION_GUARD_PAGE handler, responsible for transparently restoring memory breakpoints passing control to the registered user callback handler. |
DWORD |
This is the default EXCEPTION_SINGLE_STEP handler, responsible for transparently restoring breakpoints and passing control to the registered user callback handler. |
Raw Bytes |
Utility function to flip the endianess a given DWORD into raw bytes. |
DWORD |
Utility function to flip the endianess of a given set of raw bytes into a DWORD. |
DWORD |
Utility function that resolves the address of a given module / function name pair under the context of the debugger. |
DWORD |
Utility function that resolves the address of a given module / function name pair under the context of the debuggee. |
DWORD |
Given a thread context, this convenience routine will retrieve the function argument at the specified index. |
String |
Retrieve the ASCII string, if any, from data. |
String |
description |
String |
description |
String |
Utility function that converts data into hex dump format. |
Hide the presence of the debugger. | |
Bool |
Utility function to determine if the specified address exists on the current thread stack or not. |
pydbg |
Restore memory / context snapshot of the debuggee. |
pydbg |
Take memory / context snapshot of the debuggee. |
List of Tuples |
Unwind the the Structured Exception Handler (SEH) chain of the current or specified thread to the best of our abilities. |
pydbg |
Set the value of a register in the debuggee within the context of the self.h_thread. |
String |
"Intelligently" discover data behind an address. |
Mixed |
Determine the stack range (top and bottom) of the current or specified thread. |
List |
Unwind the stack to the best of our ability. |
String |
Convert a number into a binary string. |
Integer |
Convert a binary string into a decimal number. |
Inherited from pydbg_core | |
system_dll |
Return the system DLL that contains the address specified. |
MODULEENTRY32 |
Return the MODULEENTRY32 structure for the module that contains the address specified. |
pydbg_core |
Attach to the specified process by PID. |
Bool |
Convenience wraper around kernel32.CloseHandle(). |
Convenience wrapper around GetLastError() and FormatMessage(). | |
Enter the infinite debug event handling loop. | |
Convenience wrapper around DebugSetProcessKillOnExit(). | |
Detach from debuggee. | |
List |
Using the CreateToolhelp32Snapshot() API enumerate and return the list of module name / base address tuples that belong to the debuggee |
List |
Using the CreateToolhelp32Snapshot() API enumerate all system processes returning a list of pid / process name tuples. |
List |
Using the CreateToolhelp32Snapshot() API enumerate all system threads returning a list of thread IDs that belong to the debuggee. |
Mixed |
Return the value for the specified class attribute. |
Obtain necessary privileges for debugging. | |
Mixed |
Return the system DLL at the specified index. |
CONTEXT |
Convenience wrapper around GetThreadContext(). |
MODULEENTRY32 |
A simple iterator function that can be used to iterate through all modules the target process has mapped in its address space. |
PROCESSENTRY32 |
A simple iterator function that can be used to iterate through all running processes. |
PROCESSENTRY32 |
A simple iterator function that can be used to iterate through all running processes. |
Load the specified executable and optional command line arguments into the debugger. | |
Convenience wrapper around OpenProcess(). | |
Convenience wrapper around OpenThread(). | |
Alias to read_process_memory(). | |
Raw |
Read from the debuggee process space. |
pydbg_core |
Resume all process threads. |
pydbg_core |
Resume the specified thread. |
This convenience routine exists for internal functions to call and transparently return the correct version of self. | |
Alias for debug_event_loop(). | |
Return the value for the specified class attribute. | |
Set a callback for the specified exception (or debug event) code. | |
Enable or disable the control flag for the main debug event loop. | |
pydbg_core |
Convenience wrapper around SetThreadContext(). |
Interrupt signal handler. | |
pydbg_core |
Enable or disable single stepping in the specified thread or self.h_thread if a thread handle is not specified. |
pydbg_core |
Suspend all process threads. |
pydbg_core |
Suspend the specified thread. |
Terminate the debuggee. | |
DWORD |
Convenience wrapper around VirtualAllocEx() |
Convenience wrapper around VirtualFreeEx() | |
DWORD |
Convenience wrapper around VirtualProtectEx() |
MEMORY_BASIC_INFORMATION |
Convenience wrapper around VirtualQueryEx(). |
Convenience wrapper around GetLastError() and FormatMessage(). | |
Alias to write_process_memory(). | |
Write to the debuggee process space. | |
Inherited from object | |
x.__delattr__('name') <==> del x.name | |
x.__getattribute__('name') <==> x.name | |
x.__hash__() <==> hash(x) | |
T.__new__(S, ...) -> a new object with type S, a subtype of T | |
helper for pickle | |
helper for pickle | |
x.__repr__() <==> repr(x) | |
x.__setattr__('name', value) <==> x.name = value | |
x.__str__() <==> str(x) |
Class Variable Summary | |
---|---|
dict |
breakpoints = {}
|
bool |
first_breakpoint = True
|
NoneType |
hardware_breakpoint_hit = None |
dict |
hardware_breakpoints = {}
|
NoneType |
instruction = None |
int |
memory_breakpoint_hit = 0 |
dict |
memory_breakpoints = {}
|
list |
memory_snapshot_blocks = []
|
list |
memory_snapshot_contexts = []
|
NoneType |
mnemonic = None |
NoneType |
op1 = None |
NoneType |
op2 = None |
NoneType |
op3 = None |
NoneType |
restore_breakpoint = None |
int |
STRING_EXPLORATION_MIN_LENGTH = 2 |
int |
STRING_EXPLORATON_BUF_SIZE = 256 |
Inherited from pydbg_core | |
dict |
callbacks = {}
|
bool |
client_server = False
|
NoneType |
context = None |
NoneType |
dbg = None |
bool |
debugger_active = True
|
bool |
dirty = False
|
NoneType |
exception_address = None |
bool |
follow_forks = False
|
NoneType |
h_process = None |
NoneType |
h_thread = None |
int |
page_size = 0 |
int |
pid = 0 |
list |
system_dlls = []
|
NoneType |
violation_address = None |
NoneType |
write_violation = None |
Method Details |
---|
__init__(self,
ff=True,
cs=False)
Set the default attributes. See the source if you want to modify the
default creation values.
|
bp_del(self, address)Removes the breakpoint from target address.
|
bp_del_all(self)Removes all breakpoints from the debuggee.
|
bp_del_hw(self, address=None, slot=None)Removes the hardware breakpoint from the specified address or slot. Either an address or a slot must be specified, but not both.
|
bp_del_mem(self, address)Removes the memory breakpoint from target address.
|
bp_del_mem_all(self)Removes all memory breakpoints from the debuggee.
|
bp_is_ours(self, address_to_check)Determine if a breakpoint address belongs to us.
|
bp_is_ours_mem(self, address_to_check)Determines if the specified address falls within the range of one of our memory breakpoints. When handling potential memory breakpoint exceptions it is mandatory to check the offending address with this routine as memory breakpoints are implemented by changing page permissions and the referenced address may very well exist within the same page as a memory breakpoint but not within the actual range of the buffer we wish to break on.
|
bp_set(self, address, description='', restore=True, handler=None)Sets a breakpoint at the designated address. Register an EXCEPTION_BREAKPOINT callback handler to catch breakpoint events. If a list of addresses is submitted to this routine then the entire list of new breakpoints get the same description and restore. The optional "handler" parameter can be used to identify a function to specifically handle the specified bp, as opposed to the generic bp callback handler. The prototype of the callback routines is:func (pydbg) return DBG_CONTINUE # or other continue status
|
bp_set_hw(self, address, length, condition, description='', restore=True, handler=None)Sets a hardware breakpoint at the designated address. Register an EXCEPTION_SINGLE_STEP callback handler to catch hardware breakpoint events. Setting hardware breakpoints requires the internal h_thread handle be set. This means that you can not set one outside the context of an debug event handler. If you want to set a hardware breakpoint as soon as you attach to or load a process, do so in the first chance breakpoint handler. For more information regarding the Intel x86 debug registers and hardware breakpoints see:http://pdos.csail.mit.edu/6.828/2005/readings/ia32/IA32-3.pdf Section 15.2Alternatively, you can register a custom handler to handle hits on the specific hw breakpoint slot.
|
bp_set_mem(self, address, size, description='', handler=None)Sets a memory breakpoint at the target address. This is implemented by changing the permissions of the page containing the address to PAGE_GUARD. To catch memory breakpoints you have to register the EXCEPTION_GUARD_PAGE callback. Within the callback handler check the internal pydbg variable self.memory_breakpoint_hit to determine if the violation was a result of a direct memory breakpoint hit or some unrelated event. Alternatively, you can register a custom handler to handle the memory breakpoint. Memory breakpoints are automatically restored via the internal single step handler. To remove a memory breakpoint, you must explicitly call bp_del_mem().
|
cleanup(self)Clean up after ourselves by removing all breakpoints.
|
dbg_print_all_guarded_pages(self)*** DEBUG ROUTINE *** This is a debugging routine that was used when debugging memory breakpoints. It was too useful to be removed from the release code. |
disasm(self, address)Pydasm disassemble utility function wrapper. Stores the pydasm decoded instruction in self.instruction.
|
disasm_around(self, address, num_inst=5)Given a specified address this routine will return the list of 5 instructions before and after the instruction at address (including the instruction at address, so 11 instructions in total). This is accomplished by grabbing a larger chunk of data around the address than what is predicted as necessary and then disassembling forward. If during the forward disassembly the requested address lines up with the start of an instruction, then the assumption is made that the forward disassembly self corrected itself and the instruction set is returned. If we are unable to align with the original address, then we modify our data slice and try again until we do.
|
dump_context(self, context=None, stack_depth=5, print_dots=True)Return an informational block of text describing the CPU context of the current thread. Information includes:
|
dump_context_list(self, context=None, stack_depth=5, print_dots=True)Return an informational list of items describing the CPU context of the current thread. Information includes:
|
event_handler_create_process(self)This is the default CREATE_PROCESS_DEBUG_EVENT handler.
|
event_handler_create_thread(self)This is the default CREATE_THREAD_DEBUG_EVENT handler.
|
event_handler_exit_process(self)This is the default EXIT_PROCESS_DEBUG_EVENT handler.
|
event_handler_exit_thread(self)This is the default EXIT_THREAD_DEBUG_EVENT handler.
|
event_handler_load_dll(self)This is the default LOAD_DLL_DEBUG_EVENT handler. You can access the last loaded dll in your callback handler with the following example code:last_dll = pydbg.get_system_dll(-1) print "loading:%s into:%08x size:%d" % (last_dll.name, last_dll.base, last_dll.size)The get_system_dll() routine is preferred over directly accessing the internal data structure for proper and transparent client/server support.
|
event_handler_unload_dll(self)This is the default UNLOAD_DLL_DEBUG_EVENT handler.
|
exception_handler_access_violation(self)This is the default EXCEPTION_ACCESS_VIOLATION handler. Responsible for handling the access violation and passing control to the registered user callback handler.
|
exception_handler_breakpoint(self)This is the default EXCEPTION_BREAKPOINT handler, responsible for transparently restoring soft breakpoints and passing control to the registered user callback handler.
|
exception_handler_guard_page(self)This is the default EXCEPTION_GUARD_PAGE handler, responsible for transparently restoring memory breakpoints passing control to the registered user callback handler.
|
exception_handler_single_step(self)This is the default EXCEPTION_SINGLE_STEP handler, responsible for transparently restoring breakpoints and passing control to the registered user callback handler.
|
flip_endian(self, dword)Utility function to flip the endianess a given DWORD into raw bytes.
|
flip_endian_dword(self, bytes)Utility function to flip the endianess of a given set of raw bytes into a DWORD.
|
func_resolve(self, dll, function)Utility function that resolves the address of a given module / function name pair under the context of the debugger.
|
func_resolve_debuggee(self, dll_name, func_name)Utility function that resolves the address of a given module / function name pair under the context of the debuggee.
|
get_arg(self, index, context=None)Given a thread context, this convenience routine will retrieve the function argument at the specified index. The return address of the function can be retrieved by specifying an index of 0. This routine should be called from breakpoint handlers at the top of a function.
|
get_ascii_string(self, data)Retrieve the ASCII string, if any, from data. Ensure that the string is valid by checking against the minimum length requirement defined in self.STRING_EXPLORATION_MIN_LENGTH.
|
get_printable_string(self, data, print_dots=True)description
|
get_unicode_string(self, data)description
|
hex_dump(self, data, addr=0)Utility function that converts data into hex dump format.
|
hide_debugger(self)Hide the presence of the debugger.
|
is_address_on_stack(self, address, context=None)Utility function to determine if the specified address exists on the current thread stack or not.
|
process_restore(self)Restore memory / context snapshot of the debuggee. All threads must be suspended before calling this routine.
|
process_snapshot(self)Take memory / context snapshot of the debuggee. All threads must be suspended before calling this routine.
|
seh_unwind(self, context=None)Unwind the the Structured Exception Handler (SEH) chain of the current or specified thread to the best of our abilities. The SEH chain is a simple singly linked list, the head of which is pointed to by fs:0. In cases where the SEH chain is corrupted and the handler address points to invalid memory, it will be returned as 0xFFFFFFFF.
|
set_register(self, register, value)Set the value of a register in the debuggee within the context of the self.h_thread.
|
smart_dereference(self, address, print_dots=True)"Intelligently" discover data behind an address. The address is dereferenced and explored in search of an ASCII or Unicode string. In the absense of a string the printable characters are returned with non-printables represented as dots (.). The location of the discovered data is returned as well as either "heap", "stack" or the name of the module it lies in (global data).
|
stack_range(self, context=None)Determine the stack range (top and bottom) of the current or specified thread. The desired information is located at offsets 4 and 8 from the Thread Environment Block (TEB), which in turn is pointed to by fs:0.
|
stack_unwind(self, context=None)Unwind the stack to the best of our ability. This function is really only useful if called when EBP is actually used as a frame pointer. If it is otherwise being used as a general purpose register then stack unwinding will fail immediately.
|
to_binary(self, number, bit_count=32)Convert a number into a binary string. This is an ugly one liner that I ripped off of some site.
|
to_decimal(self, binary)Convert a binary string into a decimal number. This is an ugly one liner that I ripped off of some site.
|
Class Variable Details |
---|
breakpoints
|
first_breakpoint
|
hardware_breakpoint_hit
|
hardware_breakpoints
|
instruction
|
memory_breakpoint_hit
|
memory_breakpoints
|
memory_snapshot_blocks
|
memory_snapshot_contexts
|
mnemonic
|
op1
|
op2
|
op3
|
restore_breakpoint
|
STRING_EXPLORATION_MIN_LENGTH
|
STRING_EXPLORATON_BUF_SIZE
|
Trees | Index | Help |
|
---|
Generated by Epydoc 2.1 on Fri Jun 16 17:16:24 2006 | http://epydoc.sf.net |