Programming guide

This guide will show you through the most commonly used classes and methods of the WinAppDbg module, and provide some examples of use for each one. The goal is to give you a bird’s eye perspective on what the library can do and how, without having to go through the reference material.

• Instrumentation
  • The System class
    • Example #1: knowing on which platform we’re running
    • Example #2: enumerating running processes
    • Example #3: starting a new process
  • The Process class
    • Example #4: enumerating threads and DLL modules in a process
    • Example #5: killing a process
    • Example #6: reading the process memory
    • Example #7: getting the command line for a process
    • Example #8: getting the environment variables for a process
    • Example #9: loading a DLL into the process
    • Example #10: getting the process memory map
    • Example #11: searching the process memory
    • Example #12: dumping ASCII strings from the process memory
  • The Thread class
    • Example #13: freeze all threads in a process
    • Example #14: print a thread’s context
    • Example #15: print a thread’s code disassembly
  • The Module class
    • Example #16: resolve an API function in a process
  • The Window class
    • Example #17: enumerate the top-level windows
    • Example #18: minimize all top-level windows
    • Example #19: traverse the windows tree
    • Example #20: get windows by screen position
    • Example #21: find windows by class and caption
    • Example #22: kill a program using its window
  • Back to the System class
    • Example #23: exporting a Registry key
    • Example #24: searching the Registry
    • Example #25: listing system services
    • Example #26: stopping and starting a system service
• Debugging
  • The Debug class
    • Example #1: starting a new process and waiting for it to finish
    • Example #2: attaching to a process and waiting for it to finish
    • Example #3: attaching to a process by filename
    • Example #4: killing the debugged process when the debugger is closed
  • The interactive debugger
    • Example #5: running an interactive debugger session
  • The Event class
    • Example #6: handling debug events
  • The Crash and CrashDAO classes
    • Example #7: saving crash dumps
  • The EventHandler class
    • Example #8: tracing execution
    • Example #9: intercepting API calls
  • The EventSift class
    • Example #10: sifting events per process
  • Breakpoints, watches and hooks
    • Example #11: setting a breakpoint
    • Example #12: hooking a function
    • Example #13: watching a variable
    • Example #14: watching a buffer
  • Labels
    • Example #15: getting the label for a given memory address
    • Example #16: resolving a label back into a memory address
• Helper classes and functions
  • Console output with colors
    • Example #1: printing text with colors
  • Text output in tables
    • Example #2: printing a text table
  • Logging
    • Example #3: logging debug events
  • Hexadecimal input
  • Hexadecimal output
  • Dumping code, stack and registers
    • Example #4: dumping code, stack and registers
  • Pathname and filename handling
    • Example #5: pathname and filename handling
• The Win32 API wrappers
  • Example #1: finding a DLL in the search path
  • Example #2: killing a process by attaching to it
  • Example #3: enumerating heap blocks using the Toolhelp library
  • Example #4: enumerating modules using the Toolhelp library
  • Example #5: enumerating device drivers
• More examples
  • Set a debugging timeout
  • Dump the memory of a process
  • Find alphanumeric addresses to jump to
  • Show processes DEP settings
  • Choose the disassembler you want to use
  • Enumerate all named global atoms
• Advanced topics
  • About the heuristic crash signatures
  • A closer look at how labels work
    • Labels syntax
    • Generating labels
    • Splitting labels
    • Resolving labels
  • A closer look at how breakpoints work
    • Breakpoint types
    • Conditional and automatic breakpoints
    • One-shot breakpoints
    • Batch operations on breakpoints
    • Accessing the breakpoint objects
    • Listing the breakpoints