winappdbg.win32.context_amd64

AMD64 (x86-64) processor context structures and functions.

This module provides the CONTEXT structure definitions and related functions for AMD64 (x86-64) architecture, including:

  • Thread context manipulation (get/set context)

  • LDT (Local Descriptor Table) entry management

  • WOW64 context support for 32-bit processes on 64-bit systems

  • Floating point and MMX register handling

The main classes include:

  • CONTEXT - The main context structure for AMD64 threads

  • Context - A dictionary-like wrapper for context data

  • XMM_SAVE_AREA32 - Extended floating point save area

  • LDT_ENTRY - Local Descriptor Table entry structure

The module also provides Win32 API wrappers for context operations:

  • GetThreadContext() / SetThreadContext()

  • Wow64GetThreadContext() / Wow64SetThreadContext()

  • GetThreadSelectorEntry() / Wow64GetThreadSelectorEntry()

Note

This module is specific to AMD64/x86-64 architecture. For i386 support, see context_i386.

class winappdbg.win32.context_amd64.CONTEXT

AMD64 thread context structure.

This structure contains the processor state for an AMD64 thread, including all general-purpose registers, segment registers, floating point state, debug registers, and control flags.

The context can be used with GetThreadContext() and SetThreadContext() to save and restore thread state. The ContextFlags field controls which parts of the context are valid.

Context Flags:

  • CONTEXT_CONTROL - Control registers (SegSs, Rsp, SegCs, Rip, EFlags)

  • CONTEXT_INTEGER - Integer registers (Rax, Rcx, Rdx, Rbx, Rbp, Rsi, Rdi, R8-R15)

  • CONTEXT_SEGMENTS - Segment registers (SegDs, SegEs, SegFs, SegGs)

  • CONTEXT_FLOATING_POINT - Floating point and SSE registers

  • CONTEXT_DEBUG_REGISTERS - Debug registers (Dr0-Dr7)

  • CONTEXT_FULL - Control + Integer + Floating Point

  • CONTEXT_ALL - All of the above

Register Groups:

  • Integer registers: Rax, Rbx, Rcx, Rdx, Rsi, Rdi, Rbp, Rsp, R8-R15

  • Control registers: Rip (instruction pointer), EFlags (flags register)

  • Segment registers: SegCs, SegDs, SegEs, SegFs, SegGs, SegSs

  • Debug registers: Dr0-Dr3 (breakpoint addresses), Dr6 (status), Dr7 (control)

  • Floating point: XMM registers, control/status words

Variables:
  • ContextFlags (int) – Flags indicating which context parts are valid

  • Rax (int) – RAX general purpose register

  • Rbx (int) – RBX general purpose register

  • Rcx (int) – RCX general purpose register

  • Rdx (int) – RDX general purpose register

  • Rsi (int) – RSI source index register

  • Rdi (int) – RDI destination index register

  • Rbp (int) – RBP base pointer register

  • Rsp (int) – RSP stack pointer register

  • R8-R15 (int) – Extended general purpose registers

  • Rip (int) – RIP instruction pointer

  • EFlags (int) – EFLAGS processor flags

  • SegCs (int) – CS code segment

  • SegDs (int) – DS data segment

  • SegEs (int) – ES extra segment

  • SegFs (int) – FS segment

  • SegGs (int) – GS segment

  • SegSs (int) – SS stack segment

  • Dr0-Dr3 (int) – Debug address registers

  • Dr6 (int) – Debug status register

  • Dr7 (int) – Debug control register

  • FltSave (_CONTEXT_FLTSAVE_UNION) – Floating point and SSE state

  • VectorRegister (tuple) – AVX vector registers

to_dict()

Convert a structure into a Python dictionary.

class winappdbg.win32.context_amd64.Context

Register context dictionary for the AMD64 architecture.

This class provides a convenient dictionary interface for working with thread context data. It extends the standard Python dictionary with properties for common register access patterns.

The dictionary can contain any of the register fields from the CONTEXT structure, and provides convenient properties for the most commonly accessed registers:

  • pc - Program Counter (Rip register)

  • sp - Stack Pointer (Rsp register)

  • fp - Frame Pointer (Rbp register)

Example:

# Create a context and access registers
ctx = Context()
ctx['Rax'] = 0x1234567890ABCDEF
ctx.pc = 0x401000  # Set instruction pointer

# Use with GetThreadContext
context = GetThreadContext(hThread)
print(f"PC: {hex(context.pc)}")
print(f"SP: {hex(context.sp)}")

property fp

Frame pointer (Rbp register).

Type:

int

property pc

Program counter (Rip register).

Type:

int

property sp

Stack pointer (Rsp register).

Type:

int
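The two sections above describe the ContextFlags register groups of the CONTEXT structure and the pc/sp/fp shortcuts of the Context dictionary. The following is an added example, not winappdbg's own code: a stand-in Context dictionary with those properties, a helper that uses ContextFlags to tell which register names in a context were actually captured (values in other groups are stale), and a decoder for the Dr6/Dr7 debug registers that lists the armed hardware breakpoints. The CONTEXT_* values are assumed to be the winnt.h constants for AMD64 (winappdbg exposes its own copies), the Dr6/Dr7 bit layout is the architectural one, and all register values are constructed rather than read from a real thread.

```python
# Added example, not winappdbg's own code.  Flag values are the winnt.h
# constants for AMD64 (assumed here); Dr6/Dr7 bit positions are architectural.

CONTEXT_AMD64           = 0x00100000
CONTEXT_CONTROL         = CONTEXT_AMD64 | 0x01   # SegSs, Rsp, SegCs, Rip, EFlags
CONTEXT_INTEGER         = CONTEXT_AMD64 | 0x02   # Rax..Rdi, R8-R15
CONTEXT_SEGMENTS        = CONTEXT_AMD64 | 0x04   # SegDs, SegEs, SegFs, SegGs
CONTEXT_FLOATING_POINT  = CONTEXT_AMD64 | 0x08   # FltSave
CONTEXT_DEBUG_REGISTERS = CONTEXT_AMD64 | 0x10   # Dr0-Dr3, Dr6, Dr7
CONTEXT_FULL = CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_FLOATING_POINT
CONTEXT_ALL  = CONTEXT_FULL | CONTEXT_SEGMENTS | CONTEXT_DEBUG_REGISTERS

# Dictionary keys that each flag makes meaningful.
REGISTER_GROUPS = {
    CONTEXT_CONTROL: ("SegSs", "Rsp", "SegCs", "Rip", "EFlags"),
    CONTEXT_INTEGER: ("Rax", "Rcx", "Rdx", "Rbx", "Rbp", "Rsi", "Rdi")
                     + tuple("R%d" % i for i in range(8, 16)),
    CONTEXT_SEGMENTS: ("SegDs", "SegEs", "SegFs", "SegGs"),
    CONTEXT_FLOATING_POINT: ("FltSave",),
    CONTEXT_DEBUG_REGISTERS: ("Dr0", "Dr1", "Dr2", "Dr3", "Dr6", "Dr7"),
}


class Context(dict):
    """Register dictionary with pc/sp/fp shortcuts (stand-in for winappdbg's)."""

    @property
    def pc(self):
        return self["Rip"]

    @pc.setter
    def pc(self, value):
        self["Rip"] = value

    @property
    def sp(self):
        return self["Rsp"]

    @sp.setter
    def sp(self, value):
        self["Rsp"] = value

    @property
    def fp(self):
        return self["Rbp"]

    @fp.setter
    def fp(self, value):
        self["Rbp"] = value


def has_group(flags, group):
    # Every group constant carries the CONTEXT_AMD64 architecture bit, so the
    # whole mask has to match, not just any one bit of it.
    return (flags & group) == group


def valid_registers(ctx):
    """Names whose values the ContextFlags say were really captured."""
    flags = ctx.get("ContextFlags", 0)
    names = set()
    for group, regs in REGISTER_GROUPS.items():
        if has_group(flags, group):
            names.update(regs)
    return names


DR7_RW = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
DR7_LEN = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}   # 0b10 is 8 bytes in 64-bit mode


def hardware_breakpoints(ctx):
    """Decode Dr7 into the list of armed hardware breakpoints (slots Dr0-Dr3)."""
    if not has_group(ctx.get("ContextFlags", 0), CONTEXT_DEBUG_REGISTERS):
        raise ValueError("debug registers were not captured in this context")
    dr7 = ctx["Dr7"]
    armed = []
    for slot in range(4):
        local_enable = (dr7 >> (2 * slot)) & 1        # L0..L3 at bits 0,2,4,6
        global_enable = (dr7 >> (2 * slot + 1)) & 1   # G0..G3 at bits 1,3,5,7
        if not (local_enable or global_enable):
            continue
        rw = (dr7 >> (16 + 4 * slot)) & 0b11          # RWn field
        ln = (dr7 >> (18 + 4 * slot)) & 0b11          # LENn field
        armed.append({"slot": slot, "address": ctx["Dr%d" % slot],
                      "kind": DR7_RW[rw], "length": DR7_LEN[ln],
                      "scope": "local" if local_enable else "global"})
    return armed


def triggered_slots(dr6):
    """Dr6 bits 0-3 (B0-B3) record which slot raised the last debug exception."""
    return [slot for slot in range(4) if (dr6 >> slot) & 1]


def sample_context():
    # Constructed values, not captured from a real thread.
    ctx = Context(ContextFlags=CONTEXT_ALL, Rip=0x401000, Rsp=0x7FFE0000,
                  Rbp=0x7FFE0040, Dr0=0x401234, Dr1=0x7FFE1000, Dr2=0, Dr3=0)
    ctx["Dr6"] = 0x2                   # B1 set: slot 1 fired
    ctx["Dr7"] = (1 << 0)              # L0: slot 0 local, execute, 1 byte
    ctx["Dr7"] |= (1 << 3)             # G1: slot 1 global
    ctx["Dr7"] |= (0b01 << 20)         # RW1 = write
    ctx["Dr7"] |= (0b11 << 22)         # LEN1 = 4 bytes
    return ctx


if __name__ == "__main__":
    ctx = sample_context()
    print("PC: %#x  SP: %#x  FP: %#x" % (ctx.pc, ctx.sp, ctx.fp))
    print(hardware_breakpoints(ctx), triggered_slots(ctx["Dr6"]))
```

The ContextFlags check matters when a context was fetched with a narrower mask than CONTEXT_ALL: the dictionary still has keys for every register, but only the groups named in ContextFlags hold values the kernel actually filled in, so a tool that inspects Dr7 without checking CONTEXT_DEBUG_REGISTERS first would be reading garbage.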

class winappdbg.win32.context_amd64.LDT_ENTRY

Local Descriptor Table (LDT) entry structure.

This structure represents an entry in the Local Descriptor Table, which contains segment descriptors for the current process. It corresponds to the Windows LDT_ENTRY structure.

Variables:
  • LimitLow (int) – Low 16 bits of segment limit

  • BaseLow (int) – Low 16 bits of segment base address

  • HighWord (_LDT_ENTRY_HIGHWORD_) – High-order fields containing additional segment information

The HighWord union provides access to segment attributes either as individual bytes or as bit fields for fine-grained control.
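As an added example that is not part of winappdbg, the following mirrors the LDT_ENTRY layout in ctypes so that the HighWord union can be read both as bytes and as bit fields, and decodes a descriptor into its base address, limit and access attributes. The field layout is assumed from the Windows winnt.h definition, and the two raw descriptors are constructed sample values, not entries read from a process.

```python
import ctypes

# Added example, not winappdbg's own code.  Field layout assumed from winnt.h.


class _LDT_ENTRY_BYTES(ctypes.Structure):
    _fields_ = [("BaseMid", ctypes.c_ubyte), ("Flags1", ctypes.c_ubyte),
                ("Flags2", ctypes.c_ubyte), ("BaseHi", ctypes.c_ubyte)]


class _LDT_ENTRY_BITS(ctypes.Structure):
    _fields_ = [("BaseMid", ctypes.c_uint32, 8),
                ("Type", ctypes.c_uint32, 5),         # S bit plus 4-bit type
                ("Dpl", ctypes.c_uint32, 2),
                ("Pres", ctypes.c_uint32, 1),
                ("LimitHi", ctypes.c_uint32, 4),
                ("Sys", ctypes.c_uint32, 1),          # AVL, free for the OS
                ("Reserved_0", ctypes.c_uint32, 1),   # L flag position on AMD64
                ("Default_Big", ctypes.c_uint32, 1),  # D/B: 32-bit default size
                ("Granularity", ctypes.c_uint32, 1),  # G: limit in 4 KiB pages
                ("BaseHi", ctypes.c_uint32, 8)]


class _LDT_ENTRY_HIGHWORD(ctypes.Union):
    _fields_ = [("Bytes", _LDT_ENTRY_BYTES), ("Bits", _LDT_ENTRY_BITS)]


class LDT_ENTRY(ctypes.Structure):
    _fields_ = [("LimitLow", ctypes.c_uint16), ("BaseLow", ctypes.c_uint16),
                ("HighWord", _LDT_ENTRY_HIGHWORD)]


assert ctypes.sizeof(LDT_ENTRY) == 8   # a segment descriptor is 8 bytes


def descriptor_from_bytes(raw):
    """Build an LDT_ENTRY from the 8 raw little-endian descriptor bytes."""
    if len(raw) != 8:
        raise ValueError("a segment descriptor is exactly 8 bytes")
    return LDT_ENTRY.from_buffer_copy(raw)


def decode_ldt_entry(entry):
    """Reassemble base/limit from the split fields and name the attributes."""
    bits = entry.HighWord.Bits
    base = entry.BaseLow | (bits.BaseMid << 16) | (bits.BaseHi << 24)
    limit = entry.LimitLow | (bits.LimitHi << 16)
    if bits.Granularity:                 # page granularity: limit * 4 KiB - 1
        limit = (limit << 12) | 0xFFF
    if bits.Type & 0x10:                 # S=1: code or data segment
        kind = "code" if bits.Type & 0x8 else "data"
    else:
        kind = "system"
    return {"base": base, "limit": limit, "present": bool(bits.Pres),
            "dpl": bits.Dpl, "kind": kind, "long_mode": bool(bits.Reserved_0),
            "default_32bit": bool(bits.Default_Big),
            "accessed": bool(bits.Type & 0x1),
            "rw": bool(bits.Type & 0x2)}  # readable (code) / writable (data)


# Constructed samples: a flat ring-3 32-bit code segment and a small
# ring-3 data segment with a non-zero base and byte granularity.
FLAT_USER_CODE = bytes.fromhex("ffff0000 00fbcf00")
SMALL_USER_DATA = bytes.fromhex("ff0f00e0 fdf3407f")

if __name__ == "__main__":
    for raw in (FLAT_USER_CODE, SMALL_USER_DATA):
        print(decode_ldt_entry(descriptor_from_bytes(raw)))
```

The same decoder applies to an LDT_ENTRY filled in by GetThreadSelectorEntry() for a selector taken from a context's segment registers, which is how a debugger turns a selector into the linear base address it refers to.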

winappdbg.win32.context_amd64.LPCONTEXT

alias of LP_CONTEXT

winappdbg.win32.context_amd64.LPLDT_ENTRY

alias of LP_LDT_ENTRY

winappdbg.win32.context_amd64.LPXMM_SAVE_AREA32

alias of LP_XMM_SAVE_AREA32

winappdbg.win32.context_amd64.PCONTEXT

alias of LP_CONTEXT

winappdbg.win32.context_amd64.PLDT_ENTRY

alias of LP_LDT_ENTRY

winappdbg.win32.context_amd64.PWOW64_CONTEXT

alias of LP_WOW64_CONTEXT

winappdbg.win32.context_amd64.PWOW64_FLOATING_SAVE_AREA

alias of LP_WOW64_FLOATING_SAVE_AREA

winappdbg.win32.context_amd64.PWOW64_LDT_ENTRY

alias of LP_WOW64_LDT_ENTRY

winappdbg.win32.context_amd64.PXMM_SAVE_AREA32

alias of LP_XMM_SAVE_AREA32

class winappdbg.win32.context_amd64.WOW64_CONTEXT

class winappdbg.win32.context_amd64.WOW64_FLOATING_SAVE_AREA

class winappdbg.win32.context_amd64.WOW64_LDT_ENTRY

class winappdbg.win32.context_amd64.XMM_SAVE_AREA32

XMM floating point save area for 32-bit compatibility mode.

This structure represents the floating point and SSE register state that can be saved and restored. It corresponds to the Windows XMM_SAVE_AREA32 structure.

Variables:
  • ControlWord (int) – FPU control word

  • StatusWord (int) – FPU status word

  • TagWord (int) – FPU tag word

  • ErrorOpcode (int) – Last FPU instruction opcode

  • ErrorOffset (int) – FPU instruction pointer offset

  • ErrorSelector (int) – FPU instruction pointer selector

  • DataOffset (int) – FPU operand pointer offset

  • DataSelector (int) – FPU operand pointer selector

  • MxCsr (int) – MXCSR register (SSE control/status)

  • MxCsr_Mask (int) – MXCSR mask

  • FloatRegisters (tuple) – FPU/MMX registers (ST0-ST7/MM0-MM7)

  • XmmRegisters (tuple) – SSE registers (XMM0-XMM15)