Package Libs :: Module immlib :: Class Debugger

Class Debugger

object --+
         |
        Debugger

Instance Methods

__init__(self)
    Initialize the Immunity Debugger API
clearState(self)
getShellcodeExecutionNoMatterWhat(self)
addKnowledge(self, id, object, force_add=0x0)
    This function adds a Python object to the knowledge database.
getKnowledge(self, id) -> PYTHON OBJECT
    Gets a Python object from the knowledge database.
listKnowledge(self) -> TUPLE
    Gets the list of saved objects in the knowledge database.
findPacker(self, name, OnMemory=True) -> LIST of TUPLES in the form of (DWORD, LIST OF STRING)
    Find possible packers/cryptors/etc. on a module
forgetKnowledge(self, id)
    Remove a Python object from the knowledge database.
cleanKnowledge(self)
    Clean ID memory from known objects
addGenHook(self, object)
    Add a hook to Immunity Debugger
cleanHooks(self)
    Clean ID memory from hook objects
cleanUp(self)
    Clean ID memory for every kind of object saved in it
getPEBAddress(self) -> DWORD
    Gets the PEB address.
analyseCode(self, address)
    Analyse the module's code
isAnalysed(self, address) -> DWORD
    Check if the module is already analysed
setVariable(self, address, string)
    Set a variable name on the specified address.
getVariable(self, address) -> STRING
    Get the variable name from the specified address
validateAddress(self, address, perm)
    Validates whether a given address has the permissions provided in <perm>.
getCurrentTEBAddress(self)
disasm(self, address, mode=DISASM_ALL) -> opCode Object (Check libanalyze.py)
    Disassemble the given address
disasmSizeOnly(self, address) -> opCode Object (Check libanalyze.py)
    Determine command size only
disasmData(self, address) -> opCode Object (Check libanalyze.py)
    Determine size and analysis data
disasmTrace(self, address) -> opCode Object (Check libanalyze.py)
    Trace integer registers
disasmFile(self, address) -> opCode Object (Check libanalyze.py)
    Disassembly, no symbols/registers
disasmCode(self, address) -> opCode Object (Check libanalyze.py)
    Disassembly, registers undefined
disasmRTrace(self, address) -> opCode Object (Check libanalyze.py)
    Disassemble with run-trace registers
disasmForward(self, address, nlines=1, mode=DISASM_ALL) -> opCode Object (Check libanalyze.py)
    Disassemble nlines forward of the given address
disasmForwardAddressOnly(self, address, nlines=1) -> DWORD
    Disassemble nlines forward of the given address
disasmForwardSizeOnly(self, address, nlines=1) -> opCode Object (Check libanalyze.py)
    Determine command size only
disasmForwardData(self, address, nlines=1) -> opCode Object (Check libanalyze.py)
    Determine size and analysis data
disasmForwardTrace(self, address, nlines=1) -> opCode Object (Check libanalyze.py)
    Trace integer registers
disasmForwardFile(self, address, nlines=1) -> opCode Object (Check libanalyze.py)
    Disassembly, no symbols/registers
disasmForwardCode(self, address, nlines=1) -> opCode Object (Check libanalyze.py)
    Disassembly, registers undefined
disasmForwardRTrace(self, address, nlines=1) -> opCode Object (Check libanalyze.py)
    Disassemble with run-trace registers
disasmBackward(self, address, nlines=1, mode=DISASM_ALL) -> opCode Object (Check libanalyze.py)
    Disassemble nlines backward from the given address
disasmBackwardAddressOnly(self, address, nlines=1) -> DWORD
    Disassemble nlines backward from the given address
disasmBackwardSizeOnly(self, address, nlines=1) -> opCode Object (Check libanalyze.py)
    Determine command size only
disasmBackwardData(self, address, nlines=1) -> opCode Object (Check libanalyze.py)
    Determine size and analysis data
disasmBackwardTrace(self, address, nlines=1) -> opCode Object (Check libanalyze.py)
    Trace integer registers
disasmBackwardFile(self, address, nlines=1) -> opCode Object (Check libanalyze.py)
    Disassembly, no symbols/registers
disasmBackwardCode(self, address, nlines=1) -> opCode Object (Check libanalyze.py)
    Disassembly, registers undefined
disasmBackwardRTrace(self, address, nlines=1) -> opCode Object (Check libanalyze.py)
    Disassemble with run-trace registers
findDecode(self, address) -> Decode OBJECT
    Get the internal decode information from an analysed module
goNextProcedure(self) -> DWORD
    Go to the next procedure
goPreviousProcedure(self) -> DWORD
    Go to the previous procedure
getOpcode(self, address) -> opCode Object (Check libanalyze.py)
    Get the opcode at the given address
assemble(self, code, address=0x0) -> STRING
    Assemble code.
decodeAddress(self, address) -> STRING
    Decode the given address
undecorateName(self, decorated) -> STRING
    Undecorate the given name
getTraceArgs(self, address, tracedarg, shownonusersupplied=False) -> TUPLES
    Trace the parameters of a function, returning only those that are user-supplied
getAllFunctions(self, address) -> LIST
    Gets all functions of the module at the given address
getFunction(self, address) -> Function Object
    Get the function information
getFunctionBegin(self, address) -> DWORD
    Find the start address of a function
getFunctionEnd(self, function_address) -> LIST
    Get all the possible ends of a function
getAllBasicBlocks(self, address) -> LIST
    Gets all basic blocks of the given procedure (Deprecated, use Function)
findDataRef(self, address) -> LIST
    Find data references to the given address
getXrefFrom(self, address) -> LIST
    Get cross-references from a given address
getXrefTo(self, address) -> LIST
    Get cross-references to a given address
getInterCalls(self, address) -> DICTIONARY
    Get intermodular calls
getRegs(self) -> DICTIONARY
    Get CPU context values.
getRegsRepr(self) -> DICTIONARY
    Get CPU context values as strings; needed because XML-RPC cannot marshal Python long integers
setReg(self, reg, value)
    Set a register value
getPEB(self) -> PEB OBJECT
    Get the PEB information of the debugged process
getHeap(self, addr, restore=False) -> PHeap OBJECT
    Get heap information
getDebuggedName(self) -> STRING
    Get the name of the debugged process
getDebuggedPid(self) -> DWORD
    Get the pid of the debugged process
isAdmin(self) -> INTEGER
    Is the debugger running as admin?
getInfoPanel(self) -> TUPLE
    Get the information displayed on the Info Panel
getCurrentAddress(self) -> DWORD
    Get the address currently focused in the disasm window
getAllModules(self) -> DICTIONARY
    Get all loaded modules.
getModuleByAddress(self, address)
getModule(self, name) -> Module OBJECT
    Get module information
_getmoduleinfo(self, base_address)
getReferencedStrings(self, code_base) -> LIST
    Get all referenced strings from a module
ps(self) -> LIST
    List all active processes.
getSehChain(self) -> LIST
    Get the SEH chain.
getEvent(self) -> Event Object
    Get the current event
getPage(self, addr) -> Page OBJECT
    Get a memory page.
getMemoryPageByOwner(self, owner) -> LIST
    Get the memory pages belonging to the given dll.
getMemoryPageByOwnerAddress(self, owner_addr) -> LIST
    Get the memory pages belonging to the given dll by its base address.
getMemoryPageByAddress(self, address) -> Page OBJECT
    Get a memory page.
getMemoryPages(self) -> DICTIONARY
    Get all memory pages.
vmQuery(self, address) -> Python List
    Query a memory page
getAllHandles(self) -> DICTIONARY
    Get all handles.
getAllThreads(self) -> LIST
    Get all threads.
getAllSymbols(self) -> DICTIONARY
    Get all symbols.
getAllSymbolsFromModule(self, address) -> DICTIONARY
    Get symbols from a module.
callStack(self) -> LIST of Stack OBJECT
    Get a back trace (call stack).
getCallTree(self, address=0) -> LIST of Call tuples
    Get the call tree of the given address.
findModule(self, address) -> LIST
    Find which module an address belongs to.
findModuleByName(self, modname) -> OBJECT|BOOLEAN
    Find a module by name (case insensitive).
getHeapsAddress(self) -> LIST of DWORD
    Get the process heaps
getAddressOfExpression(self, expression) -> DWORD
    Get the address from an expression such as ntdll.RtlAllocateHeap
getAddress(self, expression) -> DWORD
    Get the address from an expression such as ntdll.RtlAllocateHeap
error(self, msg)
    This function shows an error dialog with a custom message.
openTextFile(self, path="")
    Opens a text file in an MDI window.
setStatusBar(self, msg)
    Sets the status bar message.
clearStatusBar(self)
    Removes the current status bar message.
logLines(self, data, address=0, highlight=False, gray=False, focus=0)
    Adds multiple lines of ASCII text to the log window.
log(self, msg, address=0xbadf00d, highlight=False, gray=False, focus=0)
    Adds a single line of ASCII text to the log window.
updateLog(self)
    Forces an immediate update of the log window.
createLogWindow(self)
    Creates or restores the log window.
createWindow(self, title, col_titles)
    Creates a custom window.
createTable(self, title, col_titles)
    Creates a custom window.
setFocus(self, handler)
    Set focus on a window.
isValidHandle(self, handler)
    Does a window still exist?
setStatusBarAndLog(self, addr, msg)
    Sets and logs a status bar message.
flashMessage(self, msg)
    Flashes a message on the status bar.
setProgressBar(self, message, promille=100)
    Displays a progress bar which can contain formatted text and a progress percentage.
closeProgressBar(self)
    Close the progress bar.
getComment(self, address, type=0xFD) -> STRING
    Get the comment of the opcode line.
getUserComment(self, address)
getArgumentsComment(self, address)
getAnalyseComment(self, address)
getLibraryComment(self, address)
setComment(self, address, comment)
    Set a comment.
setLabel(self, address, label)
    Set a label.
markBegin(self)
    Place a start mark for timing your script
markEnd(self)
    Place an end mark for timing your script
findDependecies(self, lookfor) -> DICTIONARY
    Find an exported function in the loaded dlls.
isVmWare(self) -> DWORD
    Check if the debugger is running under a VMware machine
manualBreakpoint(self, address, key, shiftkey, font)
    Set a manual breakpoint.
setUnconditionalBreakpoint(self, address, font="fixed")
    Set an unconditional breakpoint.
setConditionalBreakpoint(self, address, font="fixed")
    Set a conditional breakpoint.
setLoggingBreakpoint(self, address)
    Set a logging breakpoint.
setWatchPoint(self, address)
    Set a watchpoint.
setTemporaryBreakpoint(self, address, continue_execution=False, stoptrace=False)
    Set a temporary breakpoint.
setBreakpoint(self, address)
    Set a breakpoint.
setBreakpointOnName(self, name) -> DWORD
    Set a breakpoint.
disableBreakpoint(self, address)
    Disable a breakpoint.
deleteBreakpoint(self, address, address2=0)
    Delete a breakpoint.
getBreakpointType(self, address) -> STRING
    Get the breakpoint type.
setMemBreakpoint(self, addr, type, size=4)
    Modifies or removes a memory breakpoint.
disableMemBreakpoint(self, addr)
    Disable a memory breakpoint.
setHardwareBreakpoint(self, addr, type=HB_CODE, size=1)
    Sets a hardware breakpoint
writeLong(self, address, dword)
    Write a long to a memory address.
writeMemory(self, address, buf)
    Write a buffer to a memory address.
readMemory(self, address, size) -> BUFFER
    Read a block of memory.
readLong(self, address) -> DWORD
    Read a long from the debugged process
readString(self, address) -> String
    Read a string from the remote process
readWString(self, address) -> Unicode String
    Read a Unicode string from the remote process
readUntil(self, address, ending)
    Read a string starting at the given address until ending
readShort(self, address) -> Short Integer
    Read a short integer from the remote process
searchShort(self, short, flag=None) -> List
    Search for a short integer in the remote process memory
searchLong(self, long, flag=None) -> List
    Search for a short integer in the remote process memory
searchOnExecute(self, buf)
    Search for a string in executable memory.
searchOnWrite(self, buf)
    Search for a string in writable memory.
searchOnRead(self, buf)
    Search for a string in readable memory.
search(self, buf, flag=None)
oldSearch(self, buf, flag=None)
    Search for a string in memory.
searchCommands(self, cmd) -> List
    Search for a sequence of commands in all loaded executable modules.
searchCommandsOnModule(self, address, cmd) -> List
    Search for a sequence of commands in the given executable module.
run(self, address=0)
    Run the process until address.
runTillRet(self)
    Run the process till ret.
pause(self)
    Pause the process
stepOver(self, address=0)
    Step over until address.
stepIn(self, address=0)
    Step in until address.
quitDebugger(self)
    Quits the debugger
ignoreSingleStep(self, flag="CONTINUE")
    Ignore single-step events
openProcess(self, path, mode=0)
    Open a process for debugging
restartProcess(self, mode=-1)
    Restart the debuggee
Attach(self, pid)
    Attach to an active process
Detach(self)
    Detach from the active process
prepareForNewProcess(self)
    Prepare the debugger for a fresh debugging session. NOTE: be sure to know what you are doing when calling this method
goSilent(self, silent)
    Set/unset the silent debugging flag
addHeader(self, address, header, color="Black")
    Add a header to the given row.
removeHeader(self, address)
    Removes the header from a row.
removeLine(self, address)
    Removes the header from a row.
getHeader(self, address)
    Get the header from a row.
addLine(self, address, header, color="Black")
    Add a line to the CPU window.
gotoDisasmWindow(self, addr)
    Go to the disassembler window.
gotoDumpWindow(self, addr)
    Go to the dump window.
gotoStackWindow(self, addr)
    Go to the stack window.
inputBox(self, title)
    Creates a dialog with an input box.
comboBox(self, title, combolist)
    Creates a dialog with a combo box.
getStatus(self)
    Get the status of the debugged process.
isStopped(self) -> BOOL
    Is the debugged process stopped?
isEvent(self) -> BOOL
    Is the debugged process in an event state?
isRunning(self) -> BOOL
    Is the debugged process running?
isFinished(self) -> BOOL
    Is the debugged process finished?
isClosing(self) -> BOOL
    Is the debugged process closed?
listHooks(self) -> LIST
    List of active hooks
removeHook(self, hook_str)
    Unhook from memory
_getHookEntry(self, entry)
_createCodeforHook(self, memAddress, afterHookAddr, ndx, table, execute_prelude, alloc_size)
addFastLogHook(self, hook, alloc_size=0x100000)
rVirtualAlloc(self, lpAddress, dwSize, flAllocationType, flProtect) -> DWORD
    Virtual allocation in the debugged process
rVirtualFree(self, lpAddress, dwSize=0x0, dwFreeType=0x8000) -> DWORD
    Virtual free of memory in the debugged process
remoteVirtualAlloc(self, size=0x10000, interactive=True) -> DWORD
    Virtual allocation in the debugged process
getOsVersion(self)
getOsRelease(self)
getOsInformation(self) -> TUPLE
    Get OS information
getThreadId(self)
    Return the current debuggee thread id
searchFunctionByName(self, name, heuristic=90, module=None, version=None, data="") -> DWORD|None
    Look up our dictionaries to find a function match.
searchFunctionByHeuristic(self, csvline, heuristic=90, module=None, data="") -> DWORD|None
    Search memory to find a function that fulfils the options.
resolvFunctionByAddress(self, address, heuristic=90, data="") -> STRING
    Look up our dictionaries to find a function match.
makeFunctionHashHeuristic(self, address, compressed=False, followCalls=True, data="") -> LIST
    Returns a two-element list: the first element is the heuristic hash of the function, and the second is the result of this same function over the first call of a single-basic-block function (if applicable). Each element is a base64 representation of the compressed version of each basic block hash, laid out as [4 bytes BB(i) start][4 bytes BB(i) 1st edge][4 bytes BB(i) 2nd edge] for 0 <= i < BB count, or the same data as a LIST of raw values.
makeFunctionHashExact(self, address, data="") -> STRING
    Return a SHA-1 hash of the function, taking the raw bytes as data.
makeFunctionHash(self, address, compressed=False, data="") -> LIST
    Return a list with the best BB to use for a search and the heuristic hash of the function.
findLoops(self, address)
    This function finds natural loops inside a function.
sleepTillStopped(self, timeout)
    timeout is in seconds.
injectDll(self, dll_path) -> DWORD
    This function loads a DLL into the debugged process.

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __repr__, __setattr__, __sizeof__, __str__, __subclasshook__

Properties

Inherited from object: __class__

Method Details

__init__(self)
(Constructor)

Initialize the Immunity Debugger API

Overrides: object.__init__

addKnowledge(self, id, object, force_add=0x0)

This function adds a Python object to the knowledge database.

Parameters:
  • id (STRING) - unique name tag of the object
  • object (Python object) - Object to be saved in the knowledge database

getKnowledge(self, id)

Gets a Python object from the knowledge database.

Parameters:
  • id (STRING) - unique name tag of the object
Returns: PYTHON OBJECT
Object retrieved from the knowledge database

listKnowledge(self)

Gets the list of saved objects in the knowledge database.

Returns: TUPLE
List of String ids currently saved

findPacker(self, name, OnMemory=True)

Find possible packers/cryptors/etc. on a module

Parameters:
  • name (STRING) - Module name
  • OnMemory ((Optional, Def: True) BOOLEAN) - Whether to look in memory or in the file.
Returns: LIST of TUPLES in the form of (DWORD, LIST OF STRING)
A list of the packers found, as (Offset, List of packers found at that address)

forgetKnowledge(self, id)

Remove a Python object from the knowledge database.

Parameters:
  • id (STRING) - unique name tag of the object

getPEBAddress(self)

Gets the PEB address.

Returns: DWORD
PEB address

analyseCode(self, address)

Analyse module's code

Parameters:
  • Address (DWORD) - Address from module to be analysed

isAnalysed(self, address)

Check if module is already analysed

Parameters:
  • Address (DWORD) - Address from module
Returns: DWORD
1 if module already analysed

setVariable(self, address, string)

Set Variable name to specified address.

Parameters:
  • Address (DWORD) - Address from assembly line
  • String (STRING) - Variable name to be set

getVariable(self, address)

Get Variable name from specified address

Parameters:
  • Address (DWORD) - Address from assembly line
Returns: STRING
Variable name for given address.

validateAddress(self, address, perm)

Validates whether a given address has the permissions provided in <perm>. perm is a string of flags from RWXNC (R=Read, W=Write, X=Execute, N=No Access, C=Write Copy).

disasm(self, address, mode=DISASM_ALL)

Disassemble the given address

Parameters:
  • Address (DWORD) - Address to disasm
  • Mode ((Optional, Def: DISASM_ALL)) - disasm mode
Returns: opCode Object (Check libanalyze.py)
Disassembled Opcode

disasmSizeOnly(self, address)

Determine command size only

Parameters:
  • Address (DWORD) - Address to disasm
Returns: opCode Object (Check libanalyze.py)
Disassembled Opcode

disasmData(self, address)

Determine size and analysis data

Parameters:
  • Address (DWORD) - Address to disasm
Returns: opCode Object (Check libanalyze.py)
Disassembled Opcode

disasmTrace(self, address)

Trace integer registers

Parameters:
  • Address (DWORD) - Address to disasm
Returns: opCode Object (Check libanalyze.py)
Disassembled Opcode

disasmFile(self, address)

Disassembly, no symbols/registers

Parameters:
  • Address (DWORD) - Address to disasm
Returns: opCode Object (Check libanalyze.py)
Disassembled Opcode

disasmCode(self, address)

Disassembly, registers undefined

Parameters:
  • Address (DWORD) - Address to disasm
Returns: opCode Object (Check libanalyze.py)
Disassembled Opcode

disasmRTrace(self, address)

Disassemble with run-trace registers

Parameters:
  • Address (DWORD) - Address to disasm
Returns: opCode Object (Check libanalyze.py)
Disassembled Opcode

disasmForward(self, address, nlines=1, mode=DISASM_ALL)

Disassemble nlines forward of the given address

Parameters:
  • Address (DWORD) - Address to disasm
  • nlines (DWORD) - (Optional, Def: 1) Number of lines to disassemble forward
  • Mode ((Optional, Def: DISASM_ALL)) - disasm mode
Returns: opCode Object (Check libanalyze.py)
Disassembled Opcode

disasmForwardAddressOnly(self, address, nlines=1)

Disassemble nlines forward of the given address

Parameters:
  • Address (DWORD) - Address to disasm
  • nlines (DWORD) - (Optional, Def: 1) Number of lines to disassemble forward
  • Mode ((Optional, Def: DISASM_ALL)) - disasm mode
Returns: DWORD
Address of the opcode

disasmForwardSizeOnly(self, address, nlines=1)

Determine command size only

Parameters:
  • Address (DWORD) - Address to disasm
  • nlines (DWORD) - (Optional, Def: 1) Number of lines to disassemble forward
Returns: opCode Object (Check libanalyze.py)
Disassembled Opcode

disasmForwardData(self, address, nlines=1)

Determine size and analysis data

Parameters:
  • Address (DWORD) - Address to disasm
  • nlines (DWORD) - (Optional, Def: 1) Number of lines to disassemble forward
Returns: opCode Object (Check libanalyze.py)
Disassembled Opcode

disasmForwardTrace(self, address, nlines=1)

Trace integer registers

Parameters:
  • Address (DWORD) - Address to disasm
  • nlines (DWORD) - (Optional, Def: 1) Number of lines to disassemble forward
Returns: opCode Object (Check libanalyze.py)
Disassembled Opcode

disasmForwardFile(self, address, nlines=1)

Disassembly, no symbols/registers

Parameters:
  • Address (DWORD) - Address to disasm
  • nlines (DWORD) - (Optional, Def: 1) Number of lines to disassemble forward
Returns: opCode Object (Check libanalyze.py)
Disassembled Opcode

disasmForwardCode(self, address, nlines=1)

Disassembly, registers undefined

Parameters:
  • Address (DWORD) - Address to disasm
  • nlines (DWORD) - (Optional, Def: 1) Number of lines to disassemble forward
Returns: opCode Object (Check libanalyze.py)
Disassembled Opcode

disasmForwardRTrace(self, address, nlines=1)

Disassemble with run-trace registers

Parameters:
  • Address (DWORD) - Address to disasm
  • nlines (DWORD) - (Optional, Def: 1) Number of lines to disassemble forward
Returns: opCode Object (Check libanalyze.py)
Disassembled Opcode

disasmBackward(self, address, nlines=1, mode=DISASM_ALL)

Disassemble nlines backward from the given address

Parameters:
  • Address (DWORD) - Address to disasm
  • nlines (DWORD) - (Optional, Def: 1) Number of lines to disassemble forward
Returns: opCode Object (Check libanalyze.py)
Disassembled Opcode

disasmBackwardAddressOnly(self, address, nlines=1)

Disassemble nlines backward from the given address

Parameters:
  • Address (DWORD) - Address to disasm
  • nlines (DWORD) - (Optional, Def: 1) Number of lines to disassemble forward
Returns: DWORD
Address of the Opcode

disasmBackwardSizeOnly(self, address, nlines=1)

Determine command size only

Parameters:
  • Address (DWORD) - Address to disasm
  • nlines (DWORD) - (Optional, Def: 1) Number of lines to disassemble forward
Returns: opCode Object (Check libanalyze.py)
Disassembled Opcode

disasmBackwardData(self, address, nlines=1)

Determine size and analysis data

Parameters:
  • Address (DWORD) - Address to disasm
  • nlines (DWORD) - (Optional, Def: 1) Number of lines to disassemble forward
Returns: opCode Object (Check libanalyze.py)
Disassembled Opcode

disasmBackwardTrace(self, address, nlines=1)

Trace integer registers

Parameters:
  • Address (DWORD) - Address to disasm
  • nlines (DWORD) - (Optional, Def: 1) Number of lines to disassemble forward
Returns: opCode Object (Check libanalyze.py)
Disassembled Opcode

disasmBackwardFile(self, address, nlines=1)

Disassembly, no symbols/registers

Parameters:
  • Address (DWORD) - Address to disasm
  • nlines (DWORD) - (Optional, Def: 1) Number of lines to disassemble forward
Returns: opCode Object (Check libanalyze.py)
Disassembled Opcode

disasmBackwardCode(self, address, nlines=1)

Disassembly, registers undefined

Parameters:
  • Address (DWORD) - Address to disasm
  • nlines (DWORD) - (Optional, Def: 1) Number of lines to disassemble forward
Returns: opCode Object (Check libanalyze.py)
Disassembled Opcode

disasmBackwardRTrace(self, address, nlines=1)

Disassemble with run-trace registers

Parameters:
  • Address (DWORD) - Address to disasm
  • nlines (DWORD) - (Optional, Def: 1) Number of lines to disassemble forward
Returns: opCode Object (Check libanalyze.py)
Disassembled Opcode

findDecode(self, address)

Get the internal decode information from an analysed module

Parameters:
  • Address (DWORD) - Address in the range of the module page
Returns: Decode OBJECT
Decode Object containing the analysed information

goNextProcedure(self)

Go to the next procedure

Returns: DWORD
Address of next procedure

goPreviousProcedure(self)

Go to the previous procedure

Returns: DWORD
Address of previous procedure

getOpcode(self, address)

Get the opcode at the given address

Parameters:
  • Address (DWORD) - Address to disasm
Returns: opCode Object (Check libanalyze.py)
Disassembled Opcode

assemble(self, code, address=0x0)

Assemble code.

Parameters:
  • code (STRING) - Code to be assembled
Returns: STRING
Opcodes of the assembled code

decodeAddress(self, address)

Decode the given address

Returns: STRING
decoded value

undecorateName(self, decorated)

Undecorate the given name

Parameters:
  • decorated (STRING) - decorated name
Returns: STRING
undecorated name

getTraceArgs(self, address, tracedarg, shownonusersupplied=False)

Trace the parameters of a function, returning only those that are user-supplied

Parameters:
  • Address (DWORD) - Address of the function call
  • Tracedarg (DWORD) - Parameter to trace
  • Shownonusersupplied (BOOLEAN) - (Optional, Def: False) Flag whether or not to show the user-supplied param
Returns: TUPLES
Returns a tuple of (Push Opcode, TABLE of OPCODES setting the PUSH)

getAllFunctions(self, address)

Gets all functions of the module at the given address

Returns: LIST
Function start addresses

getFunction(self, address)

Get the function information

Parameters:
  • Address (DWORD) - Address of the function
Returns: Function Object
Function Object containing information of the requested function

getFunctionBegin(self, address)

Find the start address of a function

Returns: DWORD
Start Address

getFunctionEnd(self, function_address)

Get all the possible ends of a function

Parameters:
  • function_address (DWORD) - Address of the function
Returns: LIST
List of the addresses of all the possible ret instructions

getAllBasicBlocks(self, address)

Gets all basic blocks of the given procedure (Deprecated, use Function)

Returns: LIST
(start,end) addresses of basic blocks

findDataRef(self, address)

Find data references to the given address

Returns: LIST
Table with found references

getXrefFrom(self, address)

Get cross-references from a given address

Parameters:
  • Address (DWORD) - Address
Returns: LIST
List of cross-references from the given address

getXrefTo(self, address)

Get cross-references to a given address

Parameters:
  • Address (DWORD) - Address
Returns: LIST
List of cross-references to the given address

getInterCalls(self, address)

Get intermodular calls

Parameters:
  • Address (DWORD) - Address
Returns: DICTIONARY
Dict of intermodular calls to the given address

getRegs(self)

Get CPU context values.

Returns: DICTIONARY
x86 Registers

getRegsRepr(self)

Get CPU context values as strings; this is needed because XML-RPC cannot marshal Python long integers

Returns: DICTIONARY
x86 registers in string format (repr)

setReg(self, reg, value)

Set a register value

Parameters:
  • reg (STRING) - Register name
  • value (DWORD) - Value to set the register to

getPEB(self)

Get the PEB information of the debugged process

Returns: PEB OBJECT
PEB

getHeap(self, addr, restore=False)

Get heap information

Parameters:
  • addr (DWORD) - Address of the heap
  • restore (BOOLEAN) - (Optional, Def: False) Flag whether or not to use a restore heap
Returns: PHeap OBJECT
Heap

getDebuggedName(self)

Get the name of the debugged process

Returns: STRING
Name of the process being debugged

getDebuggedPid(self)

Get the pid of the debugged process

Returns: DWORD
Process ID

isAdmin(self)

Is the debugger running as admin?

Returns: INTEGER
1 if running as admin

getInfoPanel(self)

Get the information displayed on the Info Panel

Returns: TUPLE
Python Tuple with the 3 lines from InfoPanel

getCurrentAddress(self)

Get the address currently focused in the disasm window

Returns: DWORD
Address

getAllModules(self)

Get all loaded modules.

Returns: DICTIONARY
Dict of Modules

getModule(self, name)

Get module information

Parameters:
  • name (STRING) - Name of the module
Returns: Module OBJECT
A Module object

getReferencedStrings(self, code_base)

Get all referenced strings from a module

Parameters:
  • name (DWORD) - Code Base Address
Returns: LIST
A list of tuples with referenced strings (address, string, comment)

ps(self)

List all active processes.

Returns: LIST
A list of tuples with process information (pid, name, path, services, tcp list, udp list)

getSehChain(self)

Get the SEH chain.

Returns: LIST
A list of tuples with SEH information (seh, handler)

getEvent(self)

Get the current event

Returns: Event Object
Event

getPage(self, addr)

Get a memory page.

Parameters:
  • addr (DWORD) - Address of the beginning of the page
Returns: Page OBJECT
Memory Page

getMemoryPageByOwner(self, owner)

Get the memory pages belonging to the given dll.

Parameters:
  • owner (STRING) - Name of the dll
Returns: LIST
LIST of Memory Pages belonging to the given dll

getMemoryPageByOwnerAddress(self, owner_addr)

Get the memory pages belonging to the given dll by its base address.

Parameters:
  • owner (STRING) - Name of the dll
Returns: LIST
LIST of Memory Pages belonging to the given dll

getMemoryPageByAddress(self, address)

source code 

Get a memory page.

Parameters:
  • address (DWORD) - Address in the range of the Page
Returns: Page OBJECT
Memory Page

getMemoryPages(self)

source code 

Get All memory pages.

Returns: DICTIONARY
Dictionary of all memory pages

vmQuery(self, address)

source code 

Query Memory Page

Parameters:
  • address (DWORD) - Base Address of memory page
Returns: Python List
List with memory page structure
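The region list that vmQuery returns is the raw material for one of the first checks done before placing or hunting shellcode: which committed regions are both writable and executable. The following is an added example, not code from immlib or Immunity Debugger. It assumes that vmQuery(address) returns the seven MEMORY_BASIC_INFORMATION fields in declaration order (BaseAddress, AllocationBase, AllocationProtect, RegionSize, State, Protect, Type); SAMPLE_REGIONS is constructed data in that shape, and main() is a hypothetical PyCommand entry point that only runs inside the debugger.

```python
# Added example (not immlib's own code): classify the regions vmQuery() returns
# and flag committed writable+executable memory.
#
# Assumption: vmQuery(address) returns the seven MEMORY_BASIC_INFORMATION fields
# in declaration order:
#   [BaseAddress, AllocationBase, AllocationProtect, RegionSize, State, Protect, Type]
# SAMPLE_REGIONS below is constructed data in that shape, not a real dump.

MEM_COMMIT = 0x1000
PAGE_GUARD = 0x100

# Win32 PAGE_* values that grant execute / write access
EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80   # EXECUTE, EXECUTE_READ, EXECUTE_READWRITE, EXECUTE_WRITECOPY
WRITE_MASK = 0x04 | 0x08 | 0x40 | 0x80     # READWRITE, WRITECOPY, EXECUTE_READWRITE, EXECUTE_WRITECOPY

SAMPLE_REGIONS = [
    # Base,       AllocBase,  AllocProt, Size,    State,  Protect, Type
    [0x00400000, 0x00400000, 0x80,      0x01000, 0x1000, 0x02,    0x1000000],  # PE header, read-only image
    [0x00401000, 0x00400000, 0x80,      0x20000, 0x1000, 0x20,    0x1000000],  # .text, read+execute
    [0x00120000, 0x00120000, 0x04,      0x10000, 0x1000, 0x04,    0x0020000],  # heap, read+write
    [0x00130000, 0x00130000, 0x04,      0x01000, 0x1000, 0x104,   0x0020000],  # stack guard page
    [0x00300000, 0x00300000, 0x40,      0x01000, 0x1000, 0x40,    0x0020000],  # private RWX allocation
    [0x00310000, 0x00310000, 0x40,      0x01000, 0x2000, 0x00,    0x0020000],  # reserved, not committed
]


def protect_to_str(protect):
    """Render a PAGE_* value as an R/W/X string; the guard flag is appended."""
    table = {0x01: "---", 0x02: "R--", 0x04: "RW-", 0x08: "RW-(copy)",
             0x10: "--X", 0x20: "R-X", 0x40: "RWX", 0x80: "RWX(copy)"}
    text = table.get(protect & 0xFF, "?")
    if protect & PAGE_GUARD:
        text += "+GUARD"
    return text


def is_rwx(protect):
    """True when the protection allows both writing and execution."""
    return bool(protect & EXECUTE_MASK) and bool(protect & WRITE_MASK)


def find_rwx_regions(regions):
    """Return (base, size) for every committed region whose protection is W+X."""
    found = []
    for base, _alloc_base, _alloc_prot, size, state, protect, _mtype in regions:
        if state == MEM_COMMIT and is_rwx(protect):
            found.append((base, size))
    return found


def main(args):
    """Hypothetical PyCommand entry point; only meaningful inside Immunity Debugger.
    Walks user space one region at a time with vmQuery() and logs W+X regions."""
    import immlib
    imm = immlib.Debugger()
    regions = []
    addr = 0
    while addr < 0x7FFF0000:
        mbi = imm.vmQuery(addr)
        if not mbi:
            break
        regions.append(mbi)
        addr = mbi[0] + mbi[3]      # next region starts at BaseAddress + RegionSize
    rwx = find_rwx_regions(regions)
    for base, size in rwx:
        imm.log("W+X region %08x size %08x (%s)" % (base, size, protect_to_str(0x40)), address=base)
    return "found %d W+X regions" % len(rwx)
```

The reserved region is skipped on State rather than on Protect alone, because Protect is meaningless for uncommitted memory; the guard page is reported as RW-+GUARD so a hit there is recognizable as the stack guard rather than as usable writable memory.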

getAllHandles(self)

source code 

Get all handles.

Returns: DICTIONARY
All the process handles

getAllThreads(self)

source code 

Get all threads.

Returns: LIST
All process threads

getAllSymbols(self)

source code 

Get All Symbols.

Returns: DICTIONARY
All the symbols of the process

getAllSymbolsFromModule(self, address)

source code 

Get Symbols from module.

Parameters:
  • address (DWORD) - Any address inside the module.
Returns: DICTIONARY
All the symbols of the module

callStack(self)

source code 

Get a Back Trace (Call stack).

Returns: LIST of Stack OBJECT
List of Stack objects, one per frame of the back trace

getCallTree(self, address=0)

source code 

Get the call tree of the given address.

Parameters:
  • address (DWORD) - (Optional, Def: 0) Address of the function
Returns: LIST of Call tuples
List of call-tree entries; each carries the following fields (listed in the order of the underlying C structure):
  • line - Line number in column
  • dummy - Must be 1
  • type - Type, set of TY_xxx flags
  • entry - Address of function
  • from - Address of calling instruction
  • calls - Address of called subfunction

findModule(self, address)

source code 

Find which module an address belongs to.

Parameters:
  • address (DWORD) - Address
Returns: TUPLE
Tuple of module information (name, base address)

findModuleByName(self, modname)

source code 

Find a module by name (case insensitive).

Parameters:
  • modname (STRING) - Module Name
Returns: OBJECT|BOOLEAN
a Module object matching the given name or False if it's not found or name is ambiguous

getHeapsAddress(self)

source code 

Get the process heaps

Returns: LIST of DWORD
List of Heap Address

getAddressOfExpression(self, expression)

source code 

Get the address from an expression such as ntdll.RtlAllocateHeap

Parameters:
  • expression (STRING) - Expression to translate into an address
Returns: DWORD
Address of the Expression

getAddress(self, expression)

source code 

Get the address from an expression such as ntdll.RtlAllocateHeap

Parameters:
  • expression (STRING) - Expression to translate into an address
Returns: DWORD
Address of the Expression

error(self, msg)

source code 

This function shows an Error dialog with a custom message.

Parameters:
  • msg (STRING) - Message

openTextFile(self, path="")

source code 

Opens a text file in an MDI window (if no path is specified, a browse-file dialog pops up).

setStatusBar(self, msg)

source code 

Sets the status bar message.

Parameters:
  • msg (STRING) - Message

logLines(self, data, address=0, highlight=False, gray=False, focus=0)

source code 

Adds multiple lines of ASCII text to the log window.

Parameters:
  • data (LIST of STRING) - List of messages to add (each line at most 255 bytes)
  • address (DWORD) - Address associated with the message
  • highlight (BOOLEAN) - Set highlight text
  • gray (BOOLEAN) - Set gray text

log(self, msg, address=0xbadf00d, highlight=False, gray=False, focus=0)

source code 

Adds a single line of ASCII text to the log window.

Parameters:
  • msg (STRING) - Message (max size is 255 bytes)
  • address (DWORD) - Address associated with the message
  • highlight (BOOLEAN) - Set highlight text
  • gray (BOOLEAN) - Set gray text

createWindow(self, title, col_titles)

source code 

Creates a custom window.

Parameters:
  • title (STRING) - Window title
  • col_titles (LIST OF STRING) - Column titles list

createTable(self, title, col_titles)

source code 

Creates a custom window.

Parameters:
  • title (STRING) - Window title
  • col_titles (LIST OF STRING) - Column titles list

setFocus(self, handler)

source code 

Set focus on window.

Parameters:
  • handler (ULONG) - Window handle

isValidHandle(self, handler)

source code 

Does a window still exist?

Parameters:
  • handler (ULONG) - Handle of the window to check
Returns:
INT: 1 if the window exists, 0 if it does not

setStatusBarAndLog(self, addr, msg)

source code 

Sets and logs a status bar message.

Parameters:
  • addr (DWORD) - Address associated with the message
  • msg (STRING) - Message

flashMessage(self, msg)

source code 

Flashes a message in the status bar.

Parameters:
  • msg (STRING) - Message

setProgressBar(self, message, promille=100)

source code 

Displays a progress bar which can contain formatted text and a progress percentage. If the formatted text contains a dollar sign ('$') it will be replaced by the current progress percentage.

Parameters:
  • message (STRING) - Message
  • promille (DWORD) - Progress. At 0 the progress bar is closed and the previous message restored.

getComment(self, address, type=0xFD)

source code 

Get the comment of the opcode line.

Parameters:
  • address (DWORD) - Address of the requested comment
Returns: STRING
Requested comment

setComment(self, address, comment)

source code 

Set a comment.

Parameters:
  • address (DWORD) - Address of the Comment
  • comment (STRING) - Comment to add

setLabel(self, address, label)

source code 

Set a label.

Parameters:
  • address (DWORD) - Address for the new label
  • label (STRING) - Label to add

findDependecies(self, lookfor)

source code 

Find exported functions in the loaded DLLs.

Parameters:
  • lookfor (TABLE of DWORD) - Table of functions to search for
Returns: DICTIONARY
Dictionary

isVmWare(self)

source code 

Check if the debugger is running inside a VMware virtual machine

Returns: DWORD
1 if a VMware machine is detected

manualBreakpoint(self, address, key, shiftkey, font)

source code 

Set a Manual Breakpoint.

Parameters:
  • address (DWORD) - Address of the breakpoint
  • key (DWORD) - VK_F2 (Conditional Breakpoint) or VK_F4 (Logging Breakpoint)
  • shiftkey (DWORD) - State of the shiftkey
  • font (STRING) - See ImmFonts

setUnconditionalBreakpoint(self, address, font="fixed")

source code 

Set an Unconditional Breakpoint.

Parameters:
  • address (DWORD) - Address for the breakpoint
  • font (STRING) - (Optional, Def: fixed) Font for the breakpoint

setConditionalBreakpoint(self, address, font="fixed")

source code 

Set a Conditional Breakpoint.

Parameters:
  • address (DWORD) - Address for the breakpoint
  • font (STRING) - (Optional, Def: fixed) Font for the breakpoint

setLoggingBreakpoint(self, address)

source code 

Set a Logging Breakpoint. (This breakpoint will not pause the execution; it just acts as a watch point.)

Parameters:
  • address (DWORD) - Address for the breakpoint

setWatchPoint(self, address)

source code 

Set a watching Breakpoint.

Parameters:
  • address (DWORD) - Address for the watchpoint

setTemporaryBreakpoint(self, address, continue_execution=False, stoptrace=False)

source code 

Set a Temporary Breakpoint.

Parameters:
  • address (DWORD) - Address for the breakpoint
  • continue_execution (BOOLEAN) - Automatically removes the temporary breakpoint when hit and continues execution
  • stoptrace (BOOLEAN) - Stop any kind of trace or animation when hit

setBreakpoint(self, address)

source code 

Set a Breakpoint.

Parameters:
  • address (DWORD) - Address for the breakpoint

setBreakpointOnName(self, name)

source code 

Set a Breakpoint.

Parameters:
  • name (STRING) - Name of the function to break on
Returns: DWORD
Address of name

disableBreakpoint(self, address)

source code 

Disable Breakpoint.

Parameters:
  • address (DWORD) - Address for the breakpoint

deleteBreakpoint(self, address, address2=0)

source code 

Delete Breakpoint.

Parameters:
  • address (DWORD) - Start of the address range whose breakpoints are deleted
  • address2 (DWORD) - (Optional, Def: 0) End of the address range

getBreakpointType(self, address)

source code 

Get the Breakpoint type.

Parameters:
  • address (DWORD) - Address for the breakpoint
Returns: STRING
Breakpoint type

setMemBreakpoint(self, addr, type, size=4)

source code 

Modifies or removes a memory breakpoint.

Parameters:
  • addr (DWORD) - Address for the breakpoint
  • type (DWORD) - Type of Memory Breakpoint (READ/WRITE/SFX)
  • size (DWORD) - (Optional, Def: 4) Size of Memory Breakpoint

writeLong(self, address, dword)

source code 

Write long to memory address.

Parameters:
  • address (DWORD) - Address
  • dword (DWORD) - long to write

writeMemory(self, address, buf)

source code 

Write buffer to memory address.

Parameters:
  • address (DWORD) - Address
  • buf (BUFFER) - Buffer

readMemory(self, address, size)

source code 

Read block of memory.

Parameters:
  • address (DWORD) - Address
  • size (DWORD) - Size
Returns: BUFFER
Process memory

readLong(self, address)

source code 

Read a Long from the debugged process

Parameters:
  • address (DWORD) - Address
Returns: DWORD
Long
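readLong together with getSehChain and findModule is enough to audit the exception chain by hand, which is what you want when a crash has clobbered a registration record. The following is an added example, not code from immlib: it walks the chain from its first record with a readLong-style reader (next pointer at offset 0, handler at offset 4, terminator 0xFFFFFFFF) and flags handlers that point into the stack or outside every loaded module. FAKE_MEMORY, MODULES and STACK are constructed sample data; main() is a hypothetical PyCommand that uses the documented getSehChain and findModule calls, and assumes findModule returns something falsy for an unmapped address, which this page does not state.

```python
# Added example, not immlib's own code: walk the SEH chain with a readLong-style
# reader and flag handlers that are not backed by a loaded module.
# FAKE_MEMORY, MODULES and STACK are constructed sample data.

EXCEPTION_CHAIN_END = 0xFFFFFFFF   # "next" value of the last _EXCEPTION_REGISTRATION_RECORD


def walk_seh_chain(read_long, first_record, max_records=256):
    """Follow the linked list of records (next pointer at +0, handler at +4).
    Returns [(record_address, handler_address), ...]; stops at the chain
    terminator, on a cycle, or after max_records to survive corrupted chains."""
    chain = []
    seen = set()
    record = first_record
    while record != EXCEPTION_CHAIN_END and record not in seen and len(chain) < max_records:
        seen.add(record)
        next_record = read_long(record)
        handler = read_long(record + 4)
        chain.append((record, handler))
        record = next_record
    return chain


def module_for(address, modules):
    """Name of the module whose [base, base+size) range holds address, else None."""
    for name, base, size in modules:
        if base <= address < base + size:
            return name
    return None


def suspicious_handlers(chain, modules, stack_range):
    """Return (record, handler, reason) for every handler that looks overwritten."""
    findings = []
    lo, hi = stack_range
    for record, handler in chain:
        if lo <= handler < hi:
            findings.append((record, handler, "handler points into the stack"))
        elif module_for(handler, modules) is None:
            findings.append((record, handler, "handler outside every loaded module"))
    return findings


# Constructed memory image: address -> DWORD, shaped like imm.readLong() results.
FAKE_MEMORY = {
    0x0012FF40: 0x0012FFB0, 0x0012FF44: 0x00401234,          # record 1: handler inside app.exe
    0x0012FFB0: 0x0012FFE0, 0x0012FFB4: 0x0012FF80,          # record 2: handler overwritten with a stack address
    0x0012FFE0: EXCEPTION_CHAIN_END, 0x0012FFE4: 0x7C839AC0,  # last record: handler inside kernel32
}
MODULES = [("app.exe", 0x00400000, 0x00020000), ("kernel32.dll", 0x7C800000, 0x000F6000)]
STACK = (0x00120000, 0x00130000)


def fake_read_long(address):
    """Stand-in for imm.readLong over the constructed image."""
    return FAKE_MEMORY[address]


def main(args):
    """Hypothetical PyCommand entry point; only meaningful inside Immunity Debugger."""
    import immlib
    imm = immlib.Debugger()
    for record, handler in imm.getSehChain():     # documented: list of (seh, handler)
        mod = imm.findModule(handler)              # documented: (name, base); assumed falsy when unmapped
        where = mod[0] if mod else "<no module>"
        imm.log("SEH record %08x handler %08x in %s" % (record, handler, where), address=handler)
    return "SEH chain logged"
```

The same suspicious_handlers() check applies unchanged to the (seh, handler) tuples that getSehChain returns; the manual walk is there for the case where the chain is already corrupted and you want the cycle and length guards rather than whatever the debugger's own walker does with it.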

readString(self, address)

source code 

Read a string from the remote process

Parameters:
  • address (DWORD) - Address of the string
Returns: String
String

readWString(self, address)

source code 

Read a unicode string from the remote process

Parameters:
  • address (DWORD) - Address of the unicode string
Returns: Unicode String
Unicode String

readUntil(self, address, ending)

source code 

Read string until ending starting at given address

Parameters:
  • address (DWORD) - Start address
  • ending - Terminator at which reading stops
Returns: STRING
The string read

readShort(self, address)

source code 

Read a short integer from the remote process

Parameters:
  • address (DWORD) - Address of the short
Returns: Short Integer
Short

searchShort(self, short, flag=None)

source code 

Search a short integer on the remote process memory

Parameters:
  • short (SHORT) - Short integer to search for
  • flag (STRING) - Memory Protection String Flag
Returns: List
List of addresses where the short integer was found

searchLong(self, long, flag=None)

source code 

Search a long (DWORD) integer on the remote process memory

Parameters:
  • long (DWORD) - integer to search for
  • flag (STRING) - Memory Protection String Flag
Returns: List
List of addresses where the integer was found

searchOnExecute(self, buf)

source code 

Search string in executable memory.

Parameters:
  • buf - Buffer to search for
Returns:
A list of addresses where the string was found in memory

searchOnWrite(self, buf)

source code 

Search string in writable memory.

Parameters:
  • buf - Buffer to search for
Returns:
A list of addresses where the string was found in memory

searchOnRead(self, buf)

source code 

Search string in readable memory.

Parameters:
  • buf - Buffer to search for
Returns:
A list of addresses where the string was found in memory

oldSearch(self, buf, flag=None)

source code 

Search string in memory.

Parameters:
  • buf - Buffer to search for
  • flag - Memory Protection String Flag
Returns:
A list of addresses where the string was found in memory

searchCommands(self, cmd)

source code 

Search for a sequence of commands in all executable modules loaded.

Parameters:
  • cmd (STRING) - Assembly code to search for (Search using regexp is available. See Documentation)
Returns: List
List of addresses where the command sequence was found

NOTE: Since Immunity Debugger 1.2, the tuple[1] value of each result is deprecated; if you need the opcode string of a resulting address, you'll have to call immlib.disasm(tuple[0]).

searchCommandsOnModule(self, address, cmd)

source code 

Search for a sequence of commands in given executable module.

Parameters:
  • address (DWORD) - Address of the module to search
  • cmd (STRING) - Assembly code to search for (Search using regexp is available. See Documentation)
Returns: List
List of addresses where the command sequence was found

NOTE: Since Immunity Debugger 1.2, the tuple[1] value of each result is deprecated; if you need the opcode string of a resulting address, you'll have to call immlib.disasm(tuple[0]).
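Raw hits from searchCommands are rarely usable as they come back: an address is only worth anything if its module stays put between runs and none of its bytes collide with the target's bad characters. The following is an added example, not immlib code, that filters a hit list (the tuple[0] of each result) against a module table and a bad-character set. MODULES, HITS and BADCHARS are constructed sample data; which immlib Module attributes expose the ASLR, rebase and SafeSEH flags is not shown on this page, so the table is filled by hand. main() is a hypothetical PyCommand, and the "pop r32" placeholder syntax it passes to searchCommands is assumed from the regexp support the page mentions.

```python
# Added example, not immlib's own code: turn searchCommands() hits into a usable
# gadget list. A gadget is kept when its module is loaded at a stable address
# (no ASLR, no rebase) and no byte of its little-endian address is a bad char.
# MODULES, HITS and BADCHARS are constructed sample data.

import struct


def addr_has_badchars(address, badchars):
    """True if any byte of the 32-bit little-endian encoding is in badchars."""
    return any(b in badchars for b in bytearray(struct.pack("<I", address & 0xFFFFFFFF)))


def module_for(address, modules):
    """Module record whose [base, base+size) range holds address, else None."""
    for mod in modules:
        if mod["base"] <= address < mod["base"] + mod["size"]:
            return mod
    return None


def usable_gadgets(addresses, modules, badchars, exclude_safeseh=False):
    """Filter gadget hits; returns sorted (address, module name) pairs.
    exclude_safeseh additionally drops modules built with /SAFESEH, which only
    matters when the gadget is going to be used as an SEH handler."""
    kept = []
    for addr in addresses:
        mod = module_for(addr, modules)
        if mod is None:
            continue                       # not inside a known module
        if mod["aslr"] or mod["rebase"]:
            continue                       # address not stable across runs
        if exclude_safeseh and mod["safeseh"]:
            continue
        if addr_has_badchars(addr, badchars):
            continue
        kept.append((addr, mod["name"]))
    return sorted(kept)


# Constructed module table (flags filled by hand) and a hit list shaped like
# searchCommands() output after taking tuple[0] of each result.
MODULES = [
    {"name": "app.exe",     "base": 0x00400000, "size": 0x00020000, "aslr": False, "rebase": False, "safeseh": False},
    {"name": "msvcr71.dll", "base": 0x7C340000, "size": 0x00056000, "aslr": False, "rebase": False, "safeseh": False},
    {"name": "ntdll.dll",   "base": 0x7C900000, "size": 0x000B2000, "aslr": True,  "rebase": False, "safeseh": True},
]
HITS = [0x00401A0B, 0x7C37A5E3, 0x7C9010AA, 0x7C340A0D, 0x7C3515F1]
BADCHARS = [0x00, 0x0A, 0x0D, 0x20]


def main(args):
    """Hypothetical PyCommand entry point; only meaningful inside Immunity Debugger.
    Searches every executable module for POP/POP/RET and logs the hits that pass."""
    import immlib
    imm = immlib.Debugger()
    hits = [hit[0] for hit in imm.searchCommands("pop r32\npop r32\nret")]   # tuple[0] is the address
    good = usable_gadgets(hits, MODULES, BADCHARS, exclude_safeseh=True)
    for addr, name in good:
        imm.log("%08x  %s" % (addr, name), address=addr)
    return "%d usable gadgets out of %d hits" % (len(good), len(hits))
```

Note that every address inside app.exe (image base 0x00400000) is rejected by the 0x00 bad character, which is why a third-party DLL without ASLR is usually the source of the gadget on such a target.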

run(self, address=0)

source code 

Run the process until address.

Parameters:
  • address (DWORD) - (Optional, Def = 0) Address to run to

stepOver(self, address=0)

source code 

Step over until address.

Parameters:
  • address (DWORD) - (Optional, Def = 0) Address

stepIn(self, address=0)

source code 

Step into until address.

Parameters:
  • address (DWORD) - (Optional, Def = 0) Address

ignoreSingleStep(self, flag="CONTINUE")

source code 

Ignore Single Step events

Parameters:
  • flag (STRING) - How to continue after a single-step event is caught:
      DISABLE : Disable ignoring
      FORCE : Conventional force-continue method
      CONTINUE : Transparent continue method

    CAUTION: This method overrides GUI option 'single-step break'

openProcess(self, path, mode=0)

source code 

Open process for debugging

Parameters:
  • path (STRING) - Path to file to debug
  • mode (INTEGER) - How to start: -2 SILENT, 0 NORMAL

restartProcess(self, mode=-1)

source code 

Restart debuggee

Parameters:
  • mode (INTEGER) - How to restart : -2 SILENT, -1 MSGBOX

Attach(self, pid)

source code 

Attach to an active process

Parameters:
  • pid (INTEGER) - Process Id.

goSilent(self, silent)

source code 

Set/Unset silent debugging flag

Parameters:
  • silent (INTEGER) - 1 to set silent, 0 to unset

addHeader(self, address, header, color="Black")

source code 

Add a header to given row.

Parameters:
  • address (DWORD) - Address to add the header into
  • header (STRING) - Header string to add into row
  • color (STRING) - Color of text

removeHeader(self, address)

source code 

Removes header from row.

Parameters:
  • address (DWORD) - Address to remove the header from

removeLine(self, address)

source code 

Removes a line from the cpu window.

Parameters:
  • address (DWORD) - Address of the line to remove

getHeader(self, address)

source code 

Get Header from row.

Parameters:
  • address (DWORD) - Address to get the headers from

addLine(self, address, header, color="Black")

source code 

Add a line to cpu window.

Parameters:
  • address (DWORD) - Address to add line
  • header (STRING) - Header string to add into row
  • color (STRING) - Color of text

gotoDisasmWindow(self, addr)

source code 

GoTo the Disassembler Window.

Parameters:
  • addr (DWORD) - Address to show on the Disassembler Window

gotoDumpWindow(self, addr)

source code 

GoTo Dump Window.

Parameters:
  • addr (DWORD) - Address to show on the Dump Window

gotoStackWindow(self, addr)

source code 

GoTo the Stack Window.

Parameters:
  • addr (DWORD) - Address to show on the Stack Window

inputBox(self, title)

source code 

Creates a dialog with an input box.

Parameters:
  • title (STRING) - Title for the input_box dialog
Returns:
String from the inputbox

comboBox(self, title, combolist)

source code 

Creates a dialog with a combo box.

Parameters:
  • title (STRING) - Title for the dialog
  • combolist (LIST) - List of items to add to combo dialog
Returns:
Selected item

getStatus(self)

source code 

Get the status of the debugged process.

Returns:
Status of the debugged process

isStopped(self)

source code 

Is the debugged process stopped?

Returns: BOOL
Boolean (True/False)

isEvent(self)

source code 

Is the debugged process in an event state?

Returns: BOOL
Boolean (True/False)

isRunning(self)

source code 

Is the debugged process running?

Returns: BOOL
Boolean (True/False)

isFinished(self)

source code 

Is the debugged process finished?

Returns: BOOL
Boolean (True/False)

isClosing(self)

source code 

Is the debugged process closing?

Returns: BOOL
Boolean (True/False)

listHooks(self)

source code 

List of active hooks

Returns: LIST
List of active hooks

rVirtualAlloc(self, lpAddress, dwSize, flAllocationType, flProtect)

source code 

Virtual Allocation on the Debugged Process

Parameters:
  • lpAddress (DWORD) - Desired starting Address
  • dwSize (DWORD) - Size of the memory to be allocated (in bytes)
  • flAllocationType (DWORD) - Type of Memory Allocation (MEM_COMMIT, MEM_RESERVE, MEM_RESET, etc)
  • flProtect (DWORD) - Flag protection of the memory allocated
Returns: DWORD
Address of the memory allocated

rVirtualFree(self, lpAddress, dwSize=0x0, dwFreeType=0x8000)

source code 

Virtual Free of memory on the Debugged Process

Parameters:
  • lpAddress (DWORD) - Base address of the region to free
  • dwSize (DWORD) - (Optional, Def: 0) Size of the memory to free
  • dwFreeType (DWORD) - (Optional, Def: 0x8000, MEM_RELEASE) Type of free operation
Returns: DWORD
Non-zero on success

remoteVirtualAlloc(self, size=0x10000, interactive=True)

source code 

Virtual Allocation on the Debugged Process

Parameters:
  • size (DWORD) - (Optional, Def: 0x10000) Size of the memory to allocate, in bytes
Returns: DWORD
Address of the memory allocated

getOsInformation(self)

source code 

Get OS information

Returns: TUPLE
Tuple (system, release, version)

getThreadId(self)

source code 

Return current debuggee thread id

Returns:
Thread ID

searchFunctionByName(self, name, heuristic=90, module=None, version=None, data="")

source code 

Look up the function-pattern dictionaries to find a matching function.

Parameters:
  • name (STRING) - Name of the function to search
  • module (STRING) - name of a module to restrict the search
  • version (STRING) - restrict the search to the given version
  • heuristic (INTEGER) - heuristic threshold to consider a real function match
  • data (STRING|LIST) - Name (or list of names) of the .dat file inside the Data folder where the function patterns are stored. Use an empty string to use all the files in the Data folder.
Returns: DWORD|None
the address of the function or None if we can't find it

searchFunctionByHeuristic(self, csvline, heuristic=90, module=None, data="")

source code 

Search memory to find a function that fulfils the options.

Parameters:
  • csvline (STRING) - A line of a Data CSV file. This is simple support for copy 'n paste from a CSV file.
  • heuristic (INTEGER) - heuristic threshold to consider a real function match
  • module (STRING) - name of a module to restrict the search
  • data (STRING|LIST) - Name (or list of names) of the .dat file inside the Data folder where the function patterns are stored. Use an empty string to use all the files in the Data folder.
Returns: DWORD|None
the address of the function or None if we can't find it

resolvFunctionByAddress(self, address, heuristic=90, data="")

source code 

Look up the function-pattern dictionaries to find a matching function for the address.

Parameters:
  • address (DWORD) - Address of the function to search
  • heuristic (INTEGER) - heuristic threshold to consider a real function match
  • data (STRING|LIST) - Name (or list of names) of the .dat file inside the Data folder where the function patterns are stored. Use an empty string to use all the files in the Data folder.
Returns: STRING
a STRING with the function's real name or the given address if there's no match

makeFunctionHashHeuristic(self, address, compressed=False, followCalls=True, data="")

source code 
Parameters:
  • address (DWORD) - address of the function to hash
  • compressed (Boolean) - return a compressed base64 representation or the raw data
  • followCalls (Boolean) - follow the first call in a single basic block function
  • data (STRING|LIST) - Name (or list of names) of the .dat file inside the Data folder where the function patterns are stored. Use an empty string to use all the files in the Data folder.
Returns: LIST
Two elements: the first is the hash of the function at address; the second is the result of this same function applied to the first call of a single basic block function (if applies). Each element is either a base64 representation of the compressed version of each basic-block hash, laid out as
  [4 bytes BB(i) start][4 bytes BB(i) 1st edge][4 bytes BB(i) 2nd edge], 0 <= i < BB count
or the same data as a LIST of raw values.

makeFunctionHashExact(self, address, data="")

source code 

Return a SHA-1 hash of the function, taking the raw bytes as data.

Parameters:
  • address (DWORD) - address of the function to hash
  • data (STRING|LIST) - Name (or list of names) of the .dat file inside the Data folder where the function patterns are stored. Use an empty string to use all the files in the Data folder.
Returns: STRING
SHA-1 hash of the function

makeFunctionHash(self, address, compressed=False, data="")

source code 

Return a list with the best BB to use for a search and the heuristic hash of the function. These two components are the function hash.

Parameters:
  • address (DWORD) - address of the function to hash
  • compressed (Boolean) - return a compressed base64 representation or the raw data
  • data (STRING|LIST) - Name (or list of names) of the .dat file inside the Data folder where the function patterns are stored. Use an empty string to use all the files in the Data folder.
Returns: LIST
  1st element: the generalized instructions to use with searchCommands
  2nd element: the heuristic function hash (makeFunctionHashHeuristic)
  3rd element: an exact hash of the function (makeFunctionHashExact)

findLoops(self, address)

source code 

This function finds Natural Loops inside a function.

Each loop item has the following structure:
  [ start, end, nodes ]
  start: address of the node receiving the back edge (the loop header).
  end: address of the node which has the back edge (the loop tail).
  nodes: list of the addresses of the nodes involved in this loop.

Parameters:
  • address (DWORD) - function start address
Returns: LIST
A list of loops
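The [start, end, nodes] items above are what natural-loop detection on a control-flow graph produces: a back edge is an edge whose target dominates its source, and the loop body is the target plus everything that reaches the source without passing through the target. The following is an added example, not immlib's findLoops(): it implements that algorithm over a constructed graph (basic-block address to successor addresses) standing in for what a disassembler would recover, and returns items in the same shape the page describes.

```python
# Added example, not immlib's own findLoops(): natural-loop detection over a
# control-flow graph, producing the same [start, end, nodes] items the page
# describes. SAMPLE_CFG is a constructed graph (basic-block address -> list of
# successor addresses), not the output of any disassembler.

SAMPLE_CFG = {
    0x401000: [0x401010],              # prologue
    0x401010: [0x401020, 0x401050],    # outer loop header: test, exit to 0x401050
    0x401020: [0x401030],              # inner loop header
    0x401030: [0x401020, 0x401040],    # back edge to inner header, or fall through
    0x401040: [0x401010],              # back edge to outer header
    0x401050: [],                      # epilogue / ret
}


def _predecessors(cfg):
    """Invert the successor map; every node that appears anywhere becomes a key."""
    preds = dict((n, []) for n in cfg)
    for n, succs in cfg.items():
        for s in succs:
            preds.setdefault(s, []).append(n)
    return preds


def dominators(cfg, entry):
    """Iterative data-flow solution of dom(n) = {n} U intersection(dom(p) for p in preds(n)).
    Unreachable nodes keep the full set, which is the conventional answer for them."""
    preds = _predecessors(cfg)
    nodes = sorted(preds)
    dom = dict((n, set(nodes)) for n in nodes)
    dom[entry] = set([entry])
    changed = True
    while changed:
        changed = False
        for n in nodes:
            if n == entry:
                continue
            new = set(nodes)
            for p in preds[n]:
                new &= dom[p]
            new.add(n)
            if new != dom[n]:
                dom[n] = new
                changed = True
    return dom


def natural_loop(preds, header, tail):
    """Nodes of the natural loop of back edge tail -> header: the header plus
    every node that can reach tail without going through header."""
    body = set([header, tail])
    work = [tail] if tail != header else []
    while work:
        n = work.pop()
        for p in preds[n]:
            if p not in body:
                body.add(p)
                work.append(p)
    return sorted(body)


def find_loops(cfg, entry):
    """Return [[start, end, nodes], ...] for every back edge end -> start,
    i.e. every edge whose target start dominates its source end."""
    dom = dominators(cfg, entry)
    preds = _predecessors(cfg)
    loops = []
    for n, succs in cfg.items():
        for s in succs:
            if s in dom[n]:                  # n -> s is a back edge
                loops.append([s, n, natural_loop(preds, s, n)])
    return sorted(loops)
```

On the sample graph the outer loop (header 0x401010, tail 0x401040) contains the inner loop (header 0x401020, tail 0x401030) in full, which is the nesting a reverser expects to see when reading a byte-copy loop wrapped in a retry loop.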

sleepTillStopped(self, timeout)

source code 

Sleeps one second at a time until the timeout is reached or the debugger has stopped (probably due to an access violation).

Parameters:
  • timeout (INTEGER) - Timeout in seconds
Returns: BOOLEAN
True if the debuggee stopped before the timeout expired

injectDll(self, dll_path)

source code 

This function loads a DLL into the debugged process.

Parameters:
  • dll_path (STRING) - The full path to the DLL. ie C:\WINDOWS\system32\kernel32.dll
Returns: DWORD
The thread ID of the DLL loading thread.