winappdbg.win32.context_i386

i386 (x86) processor context structures and functions.

This module provides the CONTEXT structure definitions and related functions for i386 (x86) architecture, including:

  • Thread context manipulation (get/set context)

  • LDT (Local Descriptor Table) entry management

  • Floating point register handling

  • Extended register support

The main classes include:

  • CONTEXT - The main context structure for i386 threads

  • Context - A dictionary-like wrapper for context data

  • FLOATING_SAVE_AREA - Floating point register save area

  • LDT_ENTRY - Local Descriptor Table entry structure

The module also provides Win32 API wrappers for context operations:

  • GetThreadContext() / SetThreadContext()

  • GetThreadSelectorEntry()

Note

This module is specific to i386/x86 architecture. For AMD64 support, see context_amd64.

class winappdbg.win32.context_i386.CONTEXT

i386 thread context structure.

This structure contains the processor state for an i386 thread, including all general-purpose registers, segment registers, floating point state, debug registers, and control flags.

The context can be used with GetThreadContext() and SetThreadContext() to save and restore thread state. The ContextFlags field controls which parts of the context are valid.

Context Flags:

  • CONTEXT_CONTROL - Control registers (SegSs, Esp, SegCs, Eip, EFlags, Ebp)

  • CONTEXT_INTEGER - Integer registers (Eax, Ebx, Ecx, Edx, Esi, Edi)

  • CONTEXT_SEGMENTS - Segment registers (SegDs, SegEs, SegFs, SegGs)

  • CONTEXT_FLOATING_POINT - Floating point registers (x87 FPU state)

  • CONTEXT_DEBUG_REGISTERS - Debug registers (Dr0-Dr7)

  • CONTEXT_EXTENDED_REGISTERS - Extended registers (MMX, SSE)

  • CONTEXT_FULL - Control + Integer + Segments

  • CONTEXT_ALL - All of the above

Register Groups:

  • Integer registers: Eax, Ebx, Ecx, Edx, Esi, Edi, Ebp, Esp (Ebp and Esp are retrieved with CONTEXT_CONTROL, not CONTEXT_INTEGER)

  • Control registers: Eip (instruction pointer), EFlags (flags register)

  • Segment registers: SegCs, SegDs, SegEs, SegFs, SegGs, SegSs

  • Debug registers: Dr0-Dr3 (breakpoint addresses), Dr6 (status), Dr7 (control)

  • Floating point: x87 FPU registers and state

Variables:
  • ContextFlags (int) – Flags indicating which context parts are valid

  • Eax (int) – EAX general purpose register

  • Ebx (int) – EBX general purpose register

  • Ecx (int) – ECX general purpose register

  • Edx (int) – EDX general purpose register

  • Esi (int) – ESI source index register

  • Edi (int) – EDI destination index register

  • Ebp (int) – EBP base pointer register

  • Esp (int) – ESP stack pointer register

  • Eip (int) – EIP instruction pointer

  • EFlags (int) – EFLAGS processor flags

  • SegCs (int) – CS code segment

  • SegDs (int) – DS data segment

  • SegEs (int) – ES extra segment

  • SegFs (int) – FS segment

  • SegGs (int) – GS segment

  • SegSs (int) – SS stack segment

  • Dr0-Dr3 (int) – Debug address registers

  • Dr6 (int) – Debug status register

  • Dr7 (int) – Debug control register

  • FloatSave (FLOATING_SAVE_AREA) – Floating point register state

  • ExtendedRegisters (tuple) – Extended processor registers (MMX, SSE)
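
The debug registers are only meaningful when ContextFlags includes CONTEXT_DEBUG_REGISTERS. The following is an added example, not part of winappdbg, showing how Dr7 and Dr6 decode into a list of active hardware breakpoints. It works on any mapping with the field names listed above; the flag values and bit layout are the standard winnt.h and x86 definitions, and the sample context is constructed.

```python
# Added example: pure Python, does not import winappdbg or call the Win32 API.
CONTEXT_i386 = 0x00010000                      # architecture tag (winnt.h)
CONTEXT_DEBUG_REGISTERS = CONTEXT_i386 | 0x10  # Dr0-Dr3, Dr6, Dr7 are valid

RW_KINDS = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}  # encoding 2 means 8 bytes where supported


def hardware_breakpoints(ctx):
    """Return the enabled hardware breakpoints described by a context mapping.

    ctx needs the ContextFlags, Dr0-Dr3, Dr6 and Dr7 keys. Raises ValueError
    when the debug registers were not requested, because their values would
    not reflect the thread's real state.
    """
    if (ctx["ContextFlags"] & CONTEXT_DEBUG_REGISTERS) != CONTEXT_DEBUG_REGISTERS:
        raise ValueError("ContextFlags lacks CONTEXT_DEBUG_REGISTERS")
    dr7, dr6 = ctx["Dr7"], ctx["Dr6"]
    found = []
    for slot in range(4):
        # Bits 2n (local) and 2n+1 (global) enable breakpoint n.
        if not (dr7 >> (slot * 2)) & 0b11:
            continue
        # Bits 16+4n..19+4n hold R/W (low 2 bits) and LEN (high 2 bits).
        ctl = (dr7 >> (16 + slot * 4)) & 0xF
        found.append({
            "slot": slot,
            "address": ctx["Dr%d" % slot],
            "kind": RW_KINDS[ctl & 0b11],
            "size": LEN_BYTES[ctl >> 2],
            "triggered": bool((dr6 >> slot) & 1),  # Dr6 B0-B3 status bits
        })
    return found


# Constructed sample: slot 0 is an execute breakpoint, slot 2 a 4-byte write watch.
SAMPLE_CONTEXT = {
    "ContextFlags": CONTEXT_i386 | 0x1F,
    "Dr0": 0x00401000, "Dr1": 0, "Dr2": 0x0012FF70, "Dr3": 0,
    "Dr6": 0x00000004,  # B2 set: the slot 2 condition was hit
    "Dr7": 0x0D000011,  # L0 | L2, slot 2 control nibble = LEN 11b, R/W 01b
}
```

An unexpected entry in this list on a thread that no debugger is attached to is worth investigating, since hardware breakpoints are invisible in the code bytes themselves.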

class winappdbg.win32.context_i386.Context

Register context dictionary for the i386 architecture.

This class provides a convenient dictionary interface for working with thread context data. It extends the standard Python dictionary with properties for common register access patterns.

The dictionary can contain any of the register fields from the CONTEXT structure, and provides convenient properties for the most commonly accessed registers:

  • pc - Program Counter (Eip register)

  • sp - Stack Pointer (Esp register)

  • fp - Frame Pointer (Ebp register)

Example:

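    from winappdbg.win32.context_i386 import Context, GetThreadContext

    # Create a context and access registers
    ctx = Context()
    ctx['Eax'] = 0x12345678
    ctx.pc = 0x401000  # Set instruction pointer (stored as ctx['Eip'])

    # Use with GetThreadContext
    # hThread must be a thread handle opened with THREAD_GET_CONTEXT access
    context = GetThreadContext(hThread)
    print(f"PC: {hex(context.pc)}")
    print(f"SP: {hex(context.sp)}")

property fp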

Frame pointer (Ebp register).

Type:

int

property pc

Program counter (Eip register).

Type:

int

property sp

Stack pointer (Esp register).

Type:

int

class winappdbg.win32.context_i386.FLOATING_SAVE_AREA

Floating point register save area for i386 architecture.

This structure represents the floating point register state that can be saved and restored. It corresponds to the Windows FLOATING_SAVE_AREA structure and contains the complete state of the x87 FPU.

Variables:
  • ControlWord (int) – FPU control word

  • StatusWord (int) – FPU status word

  • TagWord (int) – FPU tag word

  • ErrorOffset (int) – FPU instruction pointer offset

  • ErrorSelector (int) – FPU instruction pointer selector

  • DataOffset (int) – FPU operand pointer offset

  • DataSelector (int) – FPU operand pointer selector

  • RegisterArea (tuple) – FPU register stack (ST0-ST7)

  • Cr0NpxState (int) – CR0 NPX state

class winappdbg.win32.context_i386.LDT_ENTRY

Local Descriptor Table (LDT) entry structure.

This structure represents an entry in the Local Descriptor Table, which contains segment descriptors for the current process. It corresponds to the Windows LDT_ENTRY structure.

Variables:
  • LimitLow (int) – Low 16 bits of segment limit

  • BaseLow (int) – Low 16 bits of segment base address

  • HighWord (_LDT_ENTRY_HIGHWORD_) – High-order fields containing additional segment information

The HighWord union provides access to segment attributes either as individual bytes or as bit fields for fine-grained control.
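
The segment base and limit are split across LimitLow, BaseLow and the HighWord fields, so they have to be reassembled before use. The following is an added example, not part of winappdbg, that decodes a raw 8-byte descriptor. The names BaseMid, Flags1, Flags2 and BaseHi come from the Windows LDT_ENTRY definition rather than from this page, and both sample descriptors are constructed.

```python
# Added example: parses raw descriptor bytes; does not use winappdbg's ctypes class.
import struct


def decode_ldt_entry(raw):
    """Decode an 8-byte x86 segment descriptor laid out as LDT_ENTRY."""
    if len(raw) != 8:
        raise ValueError("a segment descriptor is exactly 8 bytes")
    # LimitLow, BaseLow, then HighWord.Bytes: BaseMid, Flags1, Flags2, BaseHi
    limit_low, base_low, base_mid, flags1, flags2, base_hi = struct.unpack(
        "<HHBBBB", raw)
    base = base_low | (base_mid << 16) | (base_hi << 24)
    limit = limit_low | ((flags2 & 0x0F) << 16)  # LimitHi is the low nibble of Flags2
    granular = bool(flags2 & 0x80)
    if granular:
        limit = (limit << 12) | 0xFFF            # limit is counted in 4 KiB pages
    return {
        "base": base,
        "limit": limit,                          # last valid offset in the segment
        "type": flags1 & 0x1F,                   # Type field (5 bits)
        "dpl": (flags1 >> 5) & 0x3,              # descriptor privilege level
        "present": bool(flags1 & 0x80),
        "default_big": bool(flags2 & 0x40),      # 32-bit segment
        "granularity": granular,
    }


# Constructed sample: ring-3 data segment, base 0x7FFDE000, byte-granular limit 0xFFF.
SAMPLE_DATA_SEGMENT = struct.pack("<HHBBBB", 0x0FFF, 0xE000, 0xFD, 0xF3, 0x40, 0x7F)
# Constructed sample: flat ring-3 code segment covering the whole 4 GiB space.
SAMPLE_FLAT_CODE = struct.pack("<HHBBBB", 0xFFFF, 0x0000, 0x00, 0xFB, 0xCF, 0x00)
```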

winappdbg.win32.context_i386.LPCONTEXT

alias of LP_CONTEXT

winappdbg.win32.context_i386.LPFLOATING_SAVE_AREA

alias of LP_FLOATING_SAVE_AREA

winappdbg.win32.context_i386.LPLDT_ENTRY

alias of LP_LDT_ENTRY

winappdbg.win32.context_i386.PCONTEXT

alias of LP_CONTEXT

winappdbg.win32.context_i386.PFLOATING_SAVE_AREA

alias of LP_FLOATING_SAVE_AREA

winappdbg.win32.context_i386.PLDT_ENTRY

alias of LP_LDT_ENTRY