winappdbg.win32.kernel32

Wrapper for kernel32.dll in ctypes.

class winappdbg.win32.kernel32.APP_MEMORY_INFORMATION

class winappdbg.win32.kernel32.BY_HANDLE_FILE_INFORMATION

class winappdbg.win32.kernel32.CHAR_INFO

class winappdbg.win32.kernel32.CONSOLE_SCREEN_BUFFER_INFO

class winappdbg.win32.kernel32.COORD

class winappdbg.win32.kernel32.CREATE_PROCESS_DEBUG_INFO

class winappdbg.win32.kernel32.CREATE_THREAD_DEBUG_INFO

class winappdbg.win32.kernel32.DEBUG_EVENT

class winappdbg.win32.kernel32.EXCEPTION_DEBUG_INFO

class winappdbg.win32.kernel32.EXCEPTION_RECORD

class winappdbg.win32.kernel32.EXCEPTION_RECORD32

class winappdbg.win32.kernel32.EXCEPTION_RECORD64

class winappdbg.win32.kernel32.EXIT_PROCESS_DEBUG_INFO

class winappdbg.win32.kernel32.EXIT_THREAD_DEBUG_INFO

class winappdbg.win32.kernel32.FILETIME

class winappdbg.win32.kernel32.FileHandle(aHandle=None, bOwnership=True)

Win32 file handle.

See also

Handle

get_filename()

Return type:: None or str
Returns:: Name of the open file, or None if unavailable.

class winappdbg.win32.kernel32.FileMappingHandle(aHandle=None, bOwnership=True): File mapping handle.

See also

Handle

class winappdbg.win32.kernel32.HEAPENTRY32

class winappdbg.win32.kernel32.HEAPLIST32

class winappdbg.win32.kernel32.Handle(aHandle=None, bOwnership=True)

Encapsulates Win32 handles to avoid leaking them.

Variables:

inherit – True if the handle is to be inherited by child processes, False otherwise.
protectFromClose – Set to True to prevent the handle from being closed. Must be set to False before you’re done using the handle, or it will be left open until the debugger exits. Use with care!

close(): Closes the Win32 handle.

dup()

Return type:: Handle
Returns:: A new handle to the same Win32 object.

static from_param(value)

Compatibility with ctypes. Allows passing transparently a Handle object to an API call.

Parameters:: value (int) – Numeric handle value.

wait(dwMilliseconds=None)

Wait for the Win32 object to be signaled.

Parameters:: dwMilliseconds (int) – (Optional) Timeout value in milliseconds. Use INFINITE or None for no timeout.

class winappdbg.win32.kernel32.JIT_DEBUG_INFO

winappdbg.win32.kernel32.JIT_DEBUG_INFO32: alias of JIT_DEBUG_INFO

winappdbg.win32.kernel32.JIT_DEBUG_INFO64: alias of JIT_DEBUG_INFO

class winappdbg.win32.kernel32.LOAD_DLL_DEBUG_INFO

winappdbg.win32.kernel32.LPBY_HANDLE_FILE_INFORMATION: alias of LP_BY_HANDLE_FILE_INFORMATION

winappdbg.win32.kernel32.LPDEBUG_EVENT: alias of LP_DEBUG_EVENT

winappdbg.win32.kernel32.LPFILETIME: alias of LP_FILETIME

winappdbg.win32.kernel32.LPHEAPENTRY32: alias of LP_HEAPENTRY32

winappdbg.win32.kernel32.LPHEAPLIST32: alias of LP_HEAPLIST32

winappdbg.win32.kernel32.LPJIT_DEBUG_INFO: alias of LP_JIT_DEBUG_INFO

winappdbg.win32.kernel32.LPJIT_DEBUG_INFO32: alias of LP_JIT_DEBUG_INFO

winappdbg.win32.kernel32.LPJIT_DEBUG_INFO64: alias of LP_JIT_DEBUG_INFO

winappdbg.win32.kernel32.LPMODULEENTRY32: alias of LP_MODULEENTRY32

winappdbg.win32.kernel32.LPOVERLAPPED: alias of LP_OVERLAPPED

winappdbg.win32.kernel32.LPPROCESSENTRY32: alias of LP_PROCESSENTRY32

winappdbg.win32.kernel32.LPPROCESSENTRY32W: alias of LP_PROCESSENTRY32W

winappdbg.win32.kernel32.LPPROCESS_INFORMATION: alias of LP_PROCESS_INFORMATION

winappdbg.win32.kernel32.LPPROC_THREAD_ATTRIBUTE_LIST: alias of c_void_p

winappdbg.win32.kernel32.LPSECURITY_ATTRIBUTES: alias of LP_SECURITY_ATTRIBUTES

winappdbg.win32.kernel32.LPSTARTUPINFO: alias of LP_STARTUPINFO

winappdbg.win32.kernel32.LPSTARTUPINFOEX: alias of LP_STARTUPINFOEX

winappdbg.win32.kernel32.LPSTARTUPINFOEXW: alias of LP_STARTUPINFOEXW

winappdbg.win32.kernel32.LPSTARTUPINFOW: alias of LP_STARTUPINFOW

winappdbg.win32.kernel32.LPSYSTEMTIME: alias of LP_SYSTEMTIME

winappdbg.win32.kernel32.LPTHREADENTRY32: alias of LP_THREADENTRY32

class winappdbg.win32.kernel32.MEMORY_BASIC_INFORMATION

class winappdbg.win32.kernel32.MEMORY_BASIC_INFORMATION32

class winappdbg.win32.kernel32.MEMORY_BASIC_INFORMATION64

class winappdbg.win32.kernel32.MEMORY_PRIORITY_INFORMATION

class winappdbg.win32.kernel32.MODULEENTRY32

class winappdbg.win32.kernel32.MemoryBasicInformation(mbi=None)

Memory information object returned by VirtualQueryEx().

has_content()

Return type:: bool
Returns:: True if the memory in this region has any data in it.

is_commited()

Return type:: bool
Returns:: True if the memory in this region is commited.

is_copy_on_write()

Return type:: bool
Returns:: True if all pages in this region are marked as copy-on-write. This means the pages are writeable, but changes are not propagated to disk.

Note

Typically data sections in executable images are marked like this.

is_executable()

Return type:: bool
Returns:: True if all pages in this region are executable.

Note

Executable pages are always readable.

is_executable_and_writeable()

Return type:: bool
Returns:: True if all pages in this region are executable and writeable.

Note

The presence of such pages make memory corruption vulnerabilities much easier to exploit.

is_free()

Return type:: bool
Returns:: True if the memory in this region is free.

is_guard()

Return type:: bool
Returns:: True if all pages in this region are guard pages.

is_image()

Return type:: bool
Returns:: True if the memory in this region belongs to an executable image.

is_mapped()

Return type:: bool
Returns:: True if the memory in this region belongs to a mapped file.

is_private()

Return type:: bool
Returns:: True if the memory in this region is private.

is_readable()

Return type:: bool
Returns:: True if all pages in this region are readable.

is_reserved()

Return type:: bool
Returns:: True if the memory in this region is reserved.

is_writeable()

Return type:: bool
Returns:: True if all pages in this region are writeable.

class winappdbg.win32.kernel32.OUTPUT_DEBUG_STRING_INFO

class winappdbg.win32.kernel32.OVERLAPPED

winappdbg.win32.kernel32.PCHAR_INFO: alias of LP_CHAR_INFO

winappdbg.win32.kernel32.PCONSOLE_SCREEN_BUFFER_INFO: alias of LP_CONSOLE_SCREEN_BUFFER_INFO

winappdbg.win32.kernel32.PCOORD: alias of LP_COORD

winappdbg.win32.kernel32.PEXCEPTION_RECORD: alias of LP_EXCEPTION_RECORD

winappdbg.win32.kernel32.PEXCEPTION_RECORD32: alias of LP_EXCEPTION_RECORD32

winappdbg.win32.kernel32.PEXCEPTION_RECORD64: alias of LP_EXCEPTION_RECORD64

winappdbg.win32.kernel32.PMEMORY_BASIC_INFORMATION: alias of LP_MEMORY_BASIC_INFORMATION

winappdbg.win32.kernel32.PPROC_THREAD_ATTRIBUTE_LIST: alias of c_void_p

class winappdbg.win32.kernel32.PROCESSENTRY32

class winappdbg.win32.kernel32.PROCESSENTRY32W

class winappdbg.win32.kernel32.PROCESS_INFORMATION

class winappdbg.win32.kernel32.PROCESS_LEAP_SECOND_INFO

class winappdbg.win32.kernel32.PROCESS_MACHINE_INFORMATION

class winappdbg.win32.kernel32.PROCESS_MEMORY_EXHAUSTION_INFO

class winappdbg.win32.kernel32.PROCESS_POWER_THROTTLING_STATE

class winappdbg.win32.kernel32.PROCESS_PROTECTION_LEVEL_INFORMATION

winappdbg.win32.kernel32.PSMALL_RECT: alias of LP_SMALL_RECT

class winappdbg.win32.kernel32.ProcThreadAttributeList(AttributeList)

Extended process and thread attribute support.

To be used with STARTUPINFOEX. Only available for Windows Vista and above.

Variables:

AttributeList – List of (Attribute, Value) pairs.
AttributeListBuffer – Memory buffer used to store the attribute list. InitializeProcThreadAttributeList(), UpdateProcThreadAttribute(), DeleteProcThreadAttributeList() and STARTUPINFOEX.

class winappdbg.win32.kernel32.ProcessHandle(aHandle=None, bOwnership=True, dwAccess=2035711)

Win32 process handle.

Variables:: dwAccess – Current access flags to this handle. This is the same value passed to OpenProcess(). Can only be None if aHandle is also None. Defaults to PROCESS_ALL_ACCESS.

See also

Handle

get_pid()

Return type:: int
Returns:: Process global ID.

class winappdbg.win32.kernel32.ProcessInformation(pi): Process information object returned by CreateProcess().

class winappdbg.win32.kernel32.RIP_INFO

winappdbg.win32.kernel32.RaiseIfLastError(result, func=None, arguments=())

Error checking for Win32 API calls with no error-specific return value.

Regardless of the return value, the function calls GetLastError(). If the code is not ERROR_SUCCESS then a WindowsError exception is raised.

For this to work, the user MUST call SetLastError(ERROR_SUCCESS) prior to calling the API. Otherwise an exception may be raised even on success, since most API calls don’t clear the error status code.

class winappdbg.win32.kernel32.SECURITY_ATTRIBUTES

class winappdbg.win32.kernel32.SMALL_RECT

class winappdbg.win32.kernel32.STARTUPINFO

class winappdbg.win32.kernel32.STARTUPINFOEX

class winappdbg.win32.kernel32.STARTUPINFOEXW

class winappdbg.win32.kernel32.STARTUPINFOW

class winappdbg.win32.kernel32.SYSTEMTIME

class winappdbg.win32.kernel32.SnapshotHandle(aHandle=None, bOwnership=True): Toolhelp32 snapshot handle.

See also

Handle

class winappdbg.win32.kernel32.THREADENTRY32

class winappdbg.win32.kernel32.THREADNAME_INFO

class winappdbg.win32.kernel32.ThreadHandle(aHandle=None, bOwnership=True, dwAccess=2032639)

Win32 thread handle.

Variables:: dwAccess – Current access flags to this handle. This is the same value passed to OpenThread(). Can only be None if aHandle is also None. Defaults to THREAD_ALL_ACCESS.

See also

Handle

get_tid()

Return type:: int
Returns:: Thread global ID.

class winappdbg.win32.kernel32.UNLOAD_DLL_DEBUG_INFO

class winappdbg.win32.kernel32.UserModeHandle(aHandle=None, bOwnership=True)

Base class for non-kernel handles. Generally this means they are closed by special Win32 API functions instead of CloseHandle() and some standard operations (synchronizing, duplicating, inheritance) are not supported.

Variables:: _TYPE – C type to translate this handle to. Subclasses should override this. Defaults to HANDLE.

dup()

Return type:: Handle
Returns:: A new handle to the same Win32 object.

classmethod from_param(value)

Compatibility with ctypes. Allows passing transparently a Handle object to an API call.

Parameters:: value (int) – Numeric handle value.

wait(dwMilliseconds=None)

Wait for the Win32 object to be signaled.

Parameters:: dwMilliseconds (int) – (Optional) Timeout value in milliseconds. Use INFINITE or None for no timeout.

class winappdbg.win32.kernel32.VS_FIXEDFILEINFO

winappdbg.win32.kernel32.Wow64EnableWow64FsRedirection(Wow64FsEnableRedirection): This function may not work reliably when there are nested calls. Therefore, this function has been replaced by the Wow64DisableWow64FsRedirection() and Wow64RevertWow64FsRedirection() functions.

See also

http://msdn.microsoft.com/en-us/library/windows/desktop/aa365744(v=vs.85).aspx