
WinAppDbg - Programming Reference

API Documentation
December 20, 2013

Contents
Contents
1 Package winappdbg
1.1 Modules . . . . .
1.2 Classes . . . . . .
1.3 Functions . . . .
1.4 Variables . . . .

1
.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

2
2
3
6
9

2 Module winappdbg.breakpoint
10
2.1 Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
3 Module winappdbg.crash
11
3.1 Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
4 Module winappdbg.debug
12
4.1 Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
5 Module winappdbg.disasm
13
5.1 Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
6 Module winappdbg.event
14
6.1 Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
7 Module winappdbg.interactive
16
7.1 Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
8 Module winappdbg.module
17
8.1 Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
9 Module winappdbg.process
18
9.1 Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
10 Module winappdbg.registry
19
10.1 Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
11 Module winappdbg.search
20
11.1 Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

CONTENTS

CONTENTS

12 Module winappdbg.sql
21
12.1 Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
13 Module winappdbg.system
22
13.1 Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
14 Module winappdbg.textio
23
14.1 Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
15 Module winappdbg.thread
24
15.1 Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
16 Module winappdbg.util
25
16.1 Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
16.2 Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
17 Package winappdbg.win32
17.1 Modules . . . . . . . . .
17.2 Classes . . . . . . . . . .
17.3 Functions . . . . . . . .
17.4 Variables . . . . . . . .

.
.
.
.

29
29
29
39
68

18 Module winappdbg.win32.advapi32
18.1 Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
18.2 Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
18.3 Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

140
140
141
147

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

19 Module winappdbg.win32.context
19.1 Classes . . . . . . . . . . . . . . .
19.2 Functions . . . . . . . . . . . . .
19.3 Variables . . . . . . . . . . . . .

amd64
162
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163

20 Module winappdbg.win32.context
20.1 Classes . . . . . . . . . . . . . . .
20.2 Functions . . . . . . . . . . . . .
20.3 Variables . . . . . . . . . . . . .

i386
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

165
165
165
165

21 Module winappdbg.win32.dbghelp
21.1 Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
21.2 Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
21.3 Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

167
167
168
170

22 Module winappdbg.win32.defines
176
22.1 Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
22.2 Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
22.3 Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
23 Module winappdbg.win32.gdi32
183
23.1 Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
23.2 Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
23.3 Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
24 Module winappdbg.win32.kernel32

191

CONTENTS

CONTENTS

24.1 Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191


24.2 Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
24.3 Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
25 Module winappdbg.win32.ntdll
233
25.1 Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
25.2 Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
25.3 Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
26 Module winappdbg.win32.peb teb
243
26.1 Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
26.2 Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
27 Module winappdbg.win32.psapi
247
27.1 Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
27.2 Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
27.3 Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
28 Module winappdbg.win32.shell32
249
28.1 Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
28.2 Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
28.3 Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
29 Module winappdbg.win32.shlwapi
254
29.1 Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
29.2 Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
30 Module winappdbg.win32.user32
262
30.1 Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
30.2 Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
30.3 Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
31 Module winappdbg.win32.version
275
31.1 Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
31.2 Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
31.3 Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
32 Module winappdbg.win32.wtsapi32
32.1 Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
32.2 Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
32.3 Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

286
286
286
286

33 Module winappdbg.window
324
33.1 Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
34 Class ctypes.c byte
325
34.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
34.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
34.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
35 Class ctypes.c char
326
35.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
35.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326

CONTENTS

CONTENTS

35.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326


36 Class ctypes.c char p
36.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
36.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
36.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

327
327
327
327

37 Class ctypes.c float


329
37.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
37.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
37.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
38 Class ctypes.c float.
38.1 Methods . . . . .
38.2 Properties . . . .
38.3 Class Variables .

ctype be
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

330
330
330
330

39 Class ctypes.c long


331
39.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
39.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
39.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
40 Class ctypes.c long.
40.1 Methods . . . . .
40.2 Properties . . . .
40.3 Class Variables .

ctype be
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

332
332
332
332

41 Class ctypes.c longlong


333
41.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
41.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
41.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
42 Class ctypes.c longlong.
42.1 Methods . . . . . . . .
42.2 Properties . . . . . . .
42.3 Class Variables . . . .

ctype
. . . .
. . . .
. . . .

be
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

334
334
334
334

43 Class ctypes.c short


335
43.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
43.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
43.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
44 Class ctypes.c short.
44.1 Methods . . . . . .
44.2 Properties . . . . .
44.3 Class Variables . .

ctype
. . . .
. . . .
. . . .

be
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

336
336
336
336

45 Class ctypes.c ubyte


45.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
45.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
45.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

337
337
337
337

46 Class ctypes.c ulong

338

CONTENTS

CONTENTS

46.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338


46.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
46.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
47 Class ctypes.c ulong.
47.1 Methods . . . . . .
47.2 Properties . . . . .
47.3 Class Variables . .

ctype be
339
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339

48 Class ctypes.c ulonglong


340
48.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
48.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
48.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
49 Class ctypes.c ulonglong.
49.1 Methods . . . . . . . . .
49.2 Properties . . . . . . . .
49.3 Class Variables . . . . .

be
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

341
341
341
341

50 Class ctypes.c ushort


50.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
50.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
50.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

342
342
342
342

51 Class ctypes.c ushort.


51.1 Methods . . . . . . .
51.2 Properties . . . . . .
51.3 Class Variables . . .

ctype
. . . .
. . . .
. . . .

ctype
. . . .
. . . .
. . . .

be
343
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343

52 Class ctypes.c void p


52.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
52.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
52.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

344
344
344
344

53 Class ctypes.c wchar


53.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
53.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
53.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

345
345
345
345

54 Class ctypes.c wchar p


346
54.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
54.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
54.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
55 Class str
347
55.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
55.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
56 Class unicode
357
56.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
56.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
57 Class winappdbg.breakpoint.ApiHook

368

CONTENTS

CONTENTS

57.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370


57.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
57.3 Instance Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
58 Class winappdbg.breakpoint.Breakpoint
58.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
58.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
58.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

373
374
380
380

59 Class winappdbg.breakpoint.BreakpointCallbackWarning
381
59.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
59.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
60 Class winappdbg.breakpoint.BreakpointWarning
382
60.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
60.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
61 Class winappdbg.breakpoint.BufferWatch
383
61.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
61.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
61.3 Instance Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
62 Class winappdbg.breakpoint.CodeBreakpoint
385
62.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
62.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
62.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
63 Class winappdbg.breakpoint.HardwareBreakpoint
392
63.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
63.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
63.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
64 Class winappdbg.breakpoint.Hook
64.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
64.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
64.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

401
401
404
404

65 Class winappdbg.breakpoint.PageBreakpoint
406
65.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
65.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
65.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
66 Class winappdbg.crash.Crash
413
66.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
66.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
66.3 Instance Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
67 Class winappdbg.crash.CrashContainer
67.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
67.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
67.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

421
421
426
426

68 Class winappdbg.crash.CrashDictionary

428

CONTENTS

CONTENTS

68.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428


68.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430
69 Class winappdbg.crash.CrashTable
432
69.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
69.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435
70 Class winappdbg.crash.CrashTableMSSQL
436
70.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436
70.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
71 Class winappdbg.crash.CrashWarning
440
71.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
71.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
72 Class winappdbg.crash.DummyCrashContainer
441
72.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
72.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
73 Class winappdbg.crash.VolatileCrashContainer
444
73.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
73.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
74 Class winappdbg.debug.Debug
74.1 Methods . . . . . . . . . . . .
74.2 Properties . . . . . . . . . . .
74.3 Class Variables . . . . . . . .
74.4 Instance Variables . . . . . .

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

448
449
462
462
462

75 Class winappdbg.debug.MixedBitsWarning
463
75.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
75.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
76 Class winappdbg.disasm.BeaEngine
76.1 Methods . . . . . . . . . . . . . . .
76.2 Properties . . . . . . . . . . . . . .
76.3 Class Variables . . . . . . . . . . .
76.4 Instance Variables . . . . . . . . .

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

464
464
465
465
466

77 Class winappdbg.disasm.CapstoneEngine
77.1 Methods . . . . . . . . . . . . . . . . . . .
77.2 Properties . . . . . . . . . . . . . . . . . .
77.3 Class Variables . . . . . . . . . . . . . . .
77.4 Instance Variables . . . . . . . . . . . . .

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

467
467
468
468
469

.
.
.
.

.
.
.
.

.
.
.
.

78 Class winappdbg.disasm.Disassembler
470
78.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470
78.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470
78.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
79 Class winappdbg.disasm.DistormEngine
472
79.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
79.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473

CONTENTS

CONTENTS

79.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473


79.4 Instance Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
80 Class winappdbg.disasm.Engine
80.1 Methods . . . . . . . . . . . . .
80.2 Properties . . . . . . . . . . . .
80.3 Class Variables . . . . . . . . .
80.4 Instance Variables . . . . . . .

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

475
475
476
476
477

81 Class winappdbg.disasm.LibdisassembleEngine
81.1 Methods . . . . . . . . . . . . . . . . . . . . . . .
81.2 Properties . . . . . . . . . . . . . . . . . . . . . .
81.3 Class Variables . . . . . . . . . . . . . . . . . . .
81.4 Instance Variables . . . . . . . . . . . . . . . . .

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

478
478
479
479
480

82 Class winappdbg.disasm.PyDasmEngine
82.1 Methods . . . . . . . . . . . . . . . . . . .
82.2 Properties . . . . . . . . . . . . . . . . . .
82.3 Class Variables . . . . . . . . . . . . . . .
82.4 Instance Variables . . . . . . . . . . . . .

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

481
481
482
482
483

83 Class winappdbg.event.CreateProcessEvent
83.1 Methods . . . . . . . . . . . . . . . . . . . . .
83.2 Properties . . . . . . . . . . . . . . . . . . . .
83.3 Class Variables . . . . . . . . . . . . . . . . .
83.4 Instance Variables . . . . . . . . . . . . . . .

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

484
484
487
487
487

84 Class winappdbg.event.CreateThreadEvent
84.1 Methods . . . . . . . . . . . . . . . . . . . .
84.2 Properties . . . . . . . . . . . . . . . . . . .
84.3 Class Variables . . . . . . . . . . . . . . . .
84.4 Instance Variables . . . . . . . . . . . . . .

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

489
489
491
491
491

85 Class winappdbg.event.Event
85.1 Methods . . . . . . . . . . .
85.2 Properties . . . . . . . . . .
85.3 Class Variables . . . . . . .
85.4 Instance Variables . . . . .

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

493
493
494
494
495

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

86 Class winappdbg.event.EventCallbackWarning
496
86.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
86.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
87 Class winappdbg.event.EventDispatcher
497
87.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
87.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
88 Class winappdbg.event.EventFactory
500
88.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500
88.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500
88.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500
89 Class winappdbg.event.EventHandler

502

CONTENTS

CONTENTS

89.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504


89.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505
89.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505
90 Class winappdbg.event.EventSift
90.1 Methods . . . . . . . . . . . . . .
90.2 Properties . . . . . . . . . . . . .
90.3 Class Variables . . . . . . . . . .
90.4 Instance Variables . . . . . . . .

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

509
511
512
512
515

91 Class winappdbg.event.ExceptionEvent
91.1 Methods . . . . . . . . . . . . . . . . . .
91.2 Properties . . . . . . . . . . . . . . . . .
91.3 Class Variables . . . . . . . . . . . . . .
91.4 Instance Variables . . . . . . . . . . . .

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

516
516
521
521
522

92 Class winappdbg.event.ExitProcessEvent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
92.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
92.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
92.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
92.4 Instance Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525

93 Class winappdbg.event.ExitThreadEvent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
93.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
93.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 528
93.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
93.4 Instance Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529

94 Class winappdbg.event.LoadDLLEvent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530
94.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530
94.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
94.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
94.4 Instance Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532

95 Class winappdbg.event.NoEvent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534
95.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534
95.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 536
95.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 536
95.4 Instance Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 536

96 Class winappdbg.event.OutputDebugStringEvent . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537
96.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537
96.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538
96.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539
96.4 Instance Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539

97 Class winappdbg.event.RIPEvent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540
97.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540
97.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 542
97.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 542
97.4 Instance Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 542

98 Class winappdbg.event.UnloadDLLEvent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
98.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
98.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545
98.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545
98.4 Instance Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545

99 Class winappdbg.interactive.CmdError . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547
99.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547
99.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547
100 Class winappdbg.interactive.ConsoleDebugger . . . . . . . . . . . . . . . . . . . . . . . . . . . . 548
100.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 548
100.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 559
100.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 560
101 Class winappdbg.module.DebugSymbolsWarning . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
101.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
101.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
102 Class winappdbg.module.Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565
102.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565
102.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571
102.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571
102.4 Instance Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571

103 Class winappdbg.process.Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573
103.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573
103.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 629
103.3 Instance Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 630
104 Class winappdbg.registry.Registry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 631
104.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 631
104.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633
104.3 Instance Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633

105 Class winappdbg.search.BytePattern . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 634
105.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 634
105.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 636
105.3 Instance Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 637
106 Class winappdbg.search.HexPattern . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 638
106.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 638
106.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 641
106.3 Instance Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 642
107 Class winappdbg.search.Pattern . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 643
107.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 643
107.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 645
108 Class winappdbg.search.RegExpPattern . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 646
108.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 646
108.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 648
108.3 Instance Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 649

109 Class winappdbg.search.Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 650
109.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 652
109.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 653
110 Class winappdbg.search.TextPattern . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 654
110.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 654
110.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 656
110.3 Instance Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 656
111 Class winappdbg.sql.CrashDAO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 658
111.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 658
111.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 661
112 Class winappdbg.system.System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 662
112.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 664
112.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 680
112.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 680
113 Class winappdbg.textio.Color . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 681
113.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 681
113.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 683
114 Class winappdbg.textio.CrashDump . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 684
114.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 684
114.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 690
114.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 690
115 Class winappdbg.textio.DebugLog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 691
115.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 691
115.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 692
116 Class winappdbg.textio.HexDump . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 693
116.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 693
116.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 702
116.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 702

117 Class winappdbg.textio.HexInput . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 704
117.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 704
117.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 707
118 Class winappdbg.textio.HexOutput . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 708
118.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 708
118.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 710
118.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 710
119 Class winappdbg.textio.Logger . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 711
119.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 711
119.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 712
119.3 Instance Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 712
120 Class winappdbg.textio.Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 713
120.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 713
120.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 714

121 Class winappdbg.thread.Thread . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 715
121.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 715
121.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 739
121.3 Instance Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 740
122 Class winappdbg.thread.Thread.Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 741
122.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 741
122.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 741
122.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 741
123 Class winappdbg.util.DebugRegister . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 742
123.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 742
123.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 743
123.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 743
124 Class winappdbg.util.MemoryAddresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 746
124.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 746
124.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 748
125 Class winappdbg.util.PathOperations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 749
125.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 749
125.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 752
126 Class winappdbg.util.Regenerator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 753
126.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 753
126.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 753
127 Class winappdbg.win32.LPADDRESS64 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 755
127.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 755
127.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 755
128 Class winappdbg.win32.LPBYTE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 756
128.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 756
128.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 756
129 Class winappdbg.win32.LPENUM_SERVICE_STATUSA . . . . . . . . . . . . . . . . . . . . . . . . 757
129.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 757
129.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 757
130 Class winappdbg.win32.LPENUM_SERVICE_STATUSW . . . . . . . . . . . . . . . . . . . . . . . . 758
130.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 758
130.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 758
131 Class winappdbg.win32.LPENUM_SERVICE_STATUS_PROCESSA . . . . . . . . . . . . . . . . . . 759
131.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 759
131.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 759
132 Class winappdbg.win32.LPENUM_SERVICE_STATUS_PROCESSW . . . . . . . . . . . . . . . . . . 760
132.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 760
132.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 760
133 Class winappdbg.win32.LPHANDLE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 761
133.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 761
133.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 761
134 Class winappdbg.win32.LPMODULEENTRY32 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 762
134.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 762
134.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 762
135 Class winappdbg.win32.LPMODULEINFO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 763
135.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 763
135.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 763
136 Class winappdbg.win32.LPSBYTE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 764
136.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 764
136.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 764
137 Class winappdbg.win32.LPSECURITY_ATTRIBUTES . . . . . . . . . . . . . . . . . . . . . . . . . 765
137.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 765
137.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 765
138 Class winappdbg.win32.LPSERVICE_STATUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 766
138.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 766
138.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 766
139 Class winappdbg.win32.LPSYSTEM_INFO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 767
139.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 767
139.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 767
140 Class winappdbg.win32.LPULONG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 768
140.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 768
140.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 768
141 Class winappdbg.win32.LPWORD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 769
141.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 769
141.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 769
142 Class winappdbg.win32.PAPI_VERSION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 770
142.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 770
142.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 770
143 Class winappdbg.win32.PCHAR_INFO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 771
143.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 771
143.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 771
144 Class winappdbg.win32.PFUNCTION_TABLE_ACCESS_ROUTINE64 . . . . . . . . . . . . . . . . . 772
144.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 772
144.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 772
144.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 772
145 Class winappdbg.win32.PGET_MODULE_BASE_ROUTINE64 . . . . . . . . . . . . . . . . . . . . . 773
145.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 773
145.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 773
145.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 773
146 Class winappdbg.win32.PGUITHREADINFO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 774
146.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 774
146.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 774
147 Class winappdbg.win32.PIMAGEHLP_MODULE . . . . . . . . . . . . . . . . . . . . . . . . . . . . 775
147.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 775
147.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 775
148 Class winappdbg.win32.PIMAGEHLP_MODULE64 . . . . . . . . . . . . . . . . . . . . . . . . . . 776
148.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 776
148.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 776
149 Class winappdbg.win32.PIMAGEHLP_MODULEW . . . . . . . . . . . . . . . . . . . . . . . . . . . 777
149.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 777
149.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 777
150 Class winappdbg.win32.PIMAGEHLP_MODULEW64 . . . . . . . . . . . . . . . . . . . . . . . . . 778
150.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 778
150.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 778
151 Class winappdbg.win32.PIMAGEHLP_SYMBOL64 . . . . . . . . . . . . . . . . . . . . . . . . . . . 779
151.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 779
151.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 779
152 Class winappdbg.win32.PIMAGEHLP_SYMBOLW64 . . . . . . . . . . . . . . . . . . . . . . . . . . 780
152.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 780
152.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 780
153 Class winappdbg.win32.PIO_STATUS_BLOCK . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 781
153.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 781
153.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 781
154 Class winappdbg.win32.PKDHELP64 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 782
154.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 782
154.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 782
155 Class winappdbg.win32.PLUID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 783
155.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 783
155.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 783
156 Class winappdbg.win32.PM128A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 784
156.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 784
156.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 784
157 Class winappdbg.win32.POSVERSIONINFOA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 785
157.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 785
157.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 785
158 Class winappdbg.win32.POSVERSIONINFOW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 786
158.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 786
158.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 786
159 Class winappdbg.win32.PREAD_PROCESS_MEMORY_ROUTINE64 . . . . . . . . . . . . . . . . . 787
159.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 787
159.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 787
159.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 787
160 Class winappdbg.win32.PSECURITY_IMPERSONATION_LEVEL . . . . . . . . . . . . . . . . . . . 788
160.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 788
160.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 788
161 Class winappdbg.win32.PSID_AND_ATTRIBUTES . . . . . . . . . . . . . . . . . . . . . . . . . . . 789
161.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 789
161.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 789
162 Class winappdbg.win32.PSYM_ENUMMODULES_CALLBACK . . . . . . . . . . . . . . . . . . . . 790
162.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 790
162.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 790
162.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 790
163 Class winappdbg.win32.PSYM_ENUMMODULES_CALLBACKW64 . . . . . . . . . . . . . . . . . . 791
163.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 791
163.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 791
163.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 791
164 Class winappdbg.win32.PSYM_ENUMSYMBOLS_CALLBACK . . . . . . . . . . . . . . . . . . . . . 792
164.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 792
164.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 792
164.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 792
165 Class winappdbg.win32.PSYM_ENUMSYMBOLS_CALLBACK64 . . . . . . . . . . . . . . . . . . . 793
165.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 793
165.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 793
165.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 793
166 Class winappdbg.win32.PSYM_ENUMSYMBOLS_CALLBACKW . . . . . . . . . . . . . . . . . . . . 794
166.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 794
166.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 794
166.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 794
167 Class winappdbg.win32.PSYM_ENUMSYMBOLS_CALLBACKW64 . . . . . . . . . . . . . . . . . . 795
167.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 795
167.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 795
167.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 795
168 Class winappdbg.win32.PTOKEN_LINKED_TOKEN . . . . . . . . . . . . . . . . . . . . . . . . . . 796
168.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 796
168.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 796
169 Class winappdbg.win32.PTOKEN_ORIGIN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 797
169.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 797
169.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 797
170 Class winappdbg.win32.PTOKEN_OWNER . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 798
170.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 798
170.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 798
171 Class winappdbg.win32.PTOKEN_PRIMARY_GROUP . . . . . . . . . . . . . . . . . . . . . . . . . 799
171.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 799
171.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 799
172 Class winappdbg.win32.PTOKEN_PRIVILEGES . . . . . . . . . . . . . . . . . . . . . . . . . . . . 800
172.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 800
172.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 800
173 Class winappdbg.win32.PTOKEN_STATISTICS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 801
173.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 801
173.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 801
174 Class winappdbg.win32.PULONG64 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 802
174.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 802
174.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 802
175 Class winappdbg.win32.PWAITCHAINCALLBACK . . . . . . . . . . . . . . . . . . . . . . . . . . . 803
175.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 803
175.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 803
175.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 803
176 Class winappdbg.win32.PWAITCHAIN_NODE_INFO . . . . . . . . . . . . . . . . . . . . . . . . . 804
176.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 804
176.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 804
177 Class winappdbg.win32.PWTS_CLIENT_DISPLAY . . . . . . . . . . . . . . . . . . . . . . . . . . . 805
177.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 805
177.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 805
178 Class winappdbg.win32.PWTS_PROCESS_INFOW . . . . . . . . . . . . . . . . . . . . . . . . . . . 806
178.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 806
178.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 806
179 Class winappdbg.win32.WNDENUMPROC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 807
179.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 807
179.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 807
179.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 807

180 Class winappdbg.win32.advapi32.ENUM_SERVICE_STATUSA . . . . . . . . . . . . . . . . . . . . 808
180.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 808
180.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 808
180.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 808
181 Class winappdbg.win32.advapi32.ENUM_SERVICE_STATUSW . . . . . . . . . . . . . . . . . . . . 810
181.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 810
181.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 810
181.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 810
182 Class winappdbg.win32.advapi32.ENUM_SERVICE_STATUS_PROCESSA . . . . . . . . . . . . . . 812
182.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 812
182.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 812
182.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 812
183 Class winappdbg.win32.advapi32.ENUM_SERVICE_STATUS_PROCESSW . . . . . . . . . . . . . . 814
183.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 814
183.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 814
183.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 814
184 Class winappdbg.win32.advapi32.LPSERVICE_STATUS_PROCESS . . . . . . . . . . . . . . . . . . 816
184.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 816
184.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 816
185 Class winappdbg.win32.advapi32.LUID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 817
185.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 817
185.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 817
185.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 817
186 Class winappdbg.win32.advapi32.LUID_AND_ATTRIBUTES . . . . . . . . . . . . . . . . . . . . . 818
186.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 818
186.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 818
186.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 818
187 Class winappdbg.win32.advapi32.PTOKEN_APPCONTAINER_INFORMATION . . . . . . . . . . . 819
187.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 819
187.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 819
188 Class winappdbg.win32.advapi32.PTOKEN_MANDATORY_LABEL . . . . . . . . . . . . . . . . . . 820
188.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 820
188.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 820
189 Class winappdbg.win32.advapi32.PTOKEN_USER . . . . . . . . . . . . . . . . . . . . . . . . . . . 821
189.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 821
189.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 821
190 Class winappdbg.win32.advapi32.RegistryKeyHandle . . . . . . . . . . . . . . . . . . . . . . . . . 822
190.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 822
190.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 824
191 Class winappdbg.win32.advapi32.SERVICE_STATUS . . . . . . . . . . . . . . . . . . . . . . . . . 825
191.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 825
191.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 825
191.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 825
192 Class winappdbg.win32.advapi32.SERVICE_STATUS_PROCESS . . . . . . . . . . . . . . . . . . . 827
192.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 827
192.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 827
192.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 827
193 Class winappdbg.win32.advapi32.SID_AND_ATTRIBUTES . . . . . . . . . . . . . . . . . . . . . . 829
193.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 829
193.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 829
193.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 829
194 Class winappdbg.win32.advapi32.SaferLevelHandle . . . . . . . . . . . . . . . . . . . . . . . . . . 830
194.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 830
194.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 832
195 Class winappdbg.win32.advapi32.ServiceControlManagerHandle
833
195.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 833
195.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 835

17

CONTENTS

CONTENTS

196Class winappdbg.win32.advapi32.ServiceHandle
836
196.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 836
196.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 838
197Class winappdbg.win32.advapi32.ServiceStatus
839
197.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 839
197.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 839
198Class winappdbg.win32.advapi32.ServiceStatusEntry
840
198.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 840
198.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 840
199Class winappdbg.win32.advapi32.ServiceStatusProcess
841
199.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 841
199.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 841
200Class winappdbg.win32.advapi32.ServiceStatusProcessEntry
842
200.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 842
200.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 842
201Class winappdbg.win32.advapi32.TOKEN APPCONTAINER
201.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
201.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
201.3Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . .

INFORMATION
843
. . . . . . . . . . . . . . . . 843
. . . . . . . . . . . . . . . . 843
. . . . . . . . . . . . . . . . 843

202Class winappdbg.win32.advapi32.TOKEN LINKED TOKEN


844
202.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 844
202.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 844
202.3Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 844
203Class winappdbg.win32.advapi32.TOKEN MANDATORY LABEL
203.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
203.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
203.3Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

845
845
845
845

204Class winappdbg.win32.advapi32.TOKEN ORIGIN


846
204.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 846
204.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 846
204.3Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 846
205Class winappdbg.win32.advapi32.TOKEN OWNER
847
205.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 847
205.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 847
205.3Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 847
206Class winappdbg.win32.advapi32.TOKEN PRIMARY
206.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . .
206.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . .
206.3Class Variables . . . . . . . . . . . . . . . . . . . . . . .

GROUP
. . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . .

848
848
848
848

207Class winappdbg.win32.advapi32.TOKEN PRIVILEGES


849
207.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 849
207.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 849

18

CONTENTS

CONTENTS

207.3Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 849


208Class winappdbg.win32.advapi32.TOKEN STATISTICS
850
208.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 850
208.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 850
208.3Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 850
209Class winappdbg.win32.advapi32.TOKEN USER
209.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
209.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
209.3Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

852
852
852
852

210Class winappdbg.win32.advapi32.ThreadWaitChainSessionHandle
853
210.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 853
210.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 855
211Class winappdbg.win32.advapi32.TokenHandle
856
211.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 856
211.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 858
211.3Instance Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 858
212Class winappdbg.win32.advapi32.WAITCHAIN
212.1Methods . . . . . . . . . . . . . . . . . . . . . . .
212.2Properties . . . . . . . . . . . . . . . . . . . . . .
212.3Class Variables . . . . . . . . . . . . . . . . . . .

NODE
. . . . .
. . . . .
. . . . .

INFO
859
. . . . . . . . . . . . . . . . . . . . 859
. . . . . . . . . . . . . . . . . . . . 859
. . . . . . . . . . . . . . . . . . . . 859

213Class winappdbg.win32.advapi32.WaitChainNodeInfo
213.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
213.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
213.3Instance Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

861
861
861
861

215Class winappdbg.win32.context amd64.Context


864
215.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 864
215.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 864
215.3Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 864
215Class winappdbg.win32.context amd64.Context
864
215.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 864
215.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 864
215.3Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 864
216Class winappdbg.win32.context amd64.LDT ENTRY
216.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
216.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
216.3Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

865
865
865
865

217Class winappdbg.win32.context amd64.PCONTEXT


867
217.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 867
217.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 867
218Class winappdbg.win32.context amd64.PLDT ENTRY
868
218.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 868
218.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 868

19

CONTENTS

CONTENTS

219Class winappdbg.win32.context amd64.PWOW64 CONTEXT


869
219.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 869
219.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 869
220Class winappdbg.win32.context amd64.PWOW64 FLOATING SAVE AREA
870
220.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 870
220.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 870
221Class winappdbg.win32.context amd64.PWOW64 LDT ENTRY
871
221.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 871
221.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 871
222Class winappdbg.win32.context amd64.PXMM SAVE AREA32
872
222.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 872
222.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 872
223Class winappdbg.win32.context amd64.WOW64 CONTEXT
873
223.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 873
223.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 873
223.3Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 873
224Class winappdbg.win32.context amd64.WOW64 FLOATING SAVE
224.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
224.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
224.3Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
225Class winappdbg.win32.context amd64.WOW64 LDT
225.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . .
225.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . .
225.3Class Variables . . . . . . . . . . . . . . . . . . . . . . .
226Class winappdbg.win32.context amd64.XMM SAVE
226.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . .
226.2Properties . . . . . . . . . . . . . . . . . . . . . . . . .
226.3Class Variables . . . . . . . . . . . . . . . . . . . . . .

AREA
876
. . . . . . . . . . . . 876
. . . . . . . . . . . . 876
. . . . . . . . . . . . 876

ENTRY
. . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . .

878
878
878
878

AREA32
. . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . .

880
880
880
880

228Class winappdbg.win32.context i386.Context


883
228.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 883
228.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 883
228.3Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 883
228Class winappdbg.win32.context i386.Context
883
228.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 883
228.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 883
228.3Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 883
229Class winappdbg.win32.context i386.FLOATING
229.1Methods . . . . . . . . . . . . . . . . . . . . . . . .
229.2Properties . . . . . . . . . . . . . . . . . . . . . . .
229.3Class Variables . . . . . . . . . . . . . . . . . . . .

SAVE AREA
. . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . .

884
884
884
884

230Class winappdbg.win32.context i386.LDT ENTRY


886
230.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 886

20

CONTENTS

CONTENTS

230.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 886
230.3Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 886
231Class winappdbg.win32.context i386.PCONTEXT
888
231.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 888
231.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 888
232Class winappdbg.win32.context i386.PLDT ENTRY
889
232.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 889
232.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 889
233Class winappdbg.win32.dbghelp.ADDRESS64
890
233.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 890
233.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 890
233.3Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 890
234Class winappdbg.win32.dbghelp.API
234.1Methods . . . . . . . . . . . . . . . .
234.2Properties . . . . . . . . . . . . . . .
234.3Class Variables . . . . . . . . . . . .

VERSION
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

892
892
892
892

235Class winappdbg.win32.dbghelp.IMAGEHLP MODULE


894
235.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 894
235.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 894
235.3Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 894
236Class winappdbg.win32.dbghelp.IMAGEHLP MODULE64
236.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
236.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
236.3Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

896
896
896
896

237Class winappdbg.win32.dbghelp.IMAGEHLP MODULEW


237.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
237.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
237.3Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

898
898
898
898

238Class winappdbg.win32.dbghelp.IMAGEHLP MODULEW64


900
238.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 900
238.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 900
238.3Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 900
239Class winappdbg.win32.dbghelp.IMAGEHLP SYMBOL64
239.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
239.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
239.3Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

902
902
902
902

240Class winappdbg.win32.dbghelp.IMAGEHLP SYMBOLW64


904
240.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 904
240.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 904
240.3Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 904
241Class winappdbg.win32.dbghelp.KDHELP64
906
241.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 906

21

CONTENTS

CONTENTS

241.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 906
241.3Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 906
242Class winappdbg.win32.dbghelp.LPSTACKFRAME64
908
242.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 908
242.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 908
243Class winappdbg.win32.dbghelp.PSYM ENUMMODULES CALLBACK64
909
243.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 909
243.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 909
243.3Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 909
244Class winappdbg.win32.dbghelp.PSYM ENUMMODULES CALLBACKW
910
244.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 910
244.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 910
244.3Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 910
245Class winappdbg.win32.dbghelp.PSYM INFO
911
245.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 911
245.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 911
246Class winappdbg.win32.dbghelp.PSYM INFOW
912
246.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 912
246.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 912
247Class winappdbg.win32.dbghelp.STACKFRAME64
913
247.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 913
247.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 913
247.3Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 913
248Class winappdbg.win32.dbghelp.SYM INFO
248.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
248.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
248.3Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

915
915
915
915

249Class winappdbg.win32.dbghelp.SYM INFOW


917
249.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 917
249.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 917
249.3Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 917
250Class winappdbg.win32.defines.DefaultStringType
919
250.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 919
250.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 919
250.3Instance Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 919
251Class winappdbg.win32.defines.FLOAT128
921
251.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 921
251.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 921
251.3Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 921
252Class winappdbg.win32.defines.GUID
922
252.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 922
252.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 922

22

CONTENTS

CONTENTS

252.3Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 922


253Class winappdbg.win32.defines.GuessStringType
253.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
253.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
253.3Instance Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
254Class winappdbg.win32.defines.LIST
254.1Methods . . . . . . . . . . . . . . . .
254.2Properties . . . . . . . . . . . . . . .
254.3Class Variables . . . . . . . . . . . .

924
924
924
925

ENTRY
926
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 926
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 926
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 926

255Class winappdbg.win32.defines.LPSWORD
927
255.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 927
255.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 927
256Class winappdbg.win32.defines.M128A
256.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
256.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
256.3Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

928
928
928
928

257Class winappdbg.win32.defines.PFLOAT128
929
257.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 929
257.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 929
258Class winappdbg.win32.defines.UNICODE STRING
930
258.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 930
258.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 930
258.3Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 930
259Class winappdbg.win32.defines.WinCallHook
932
259.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 932
259.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 932
260Class winappdbg.win32.defines.WinDllHook
933
260.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 933
260.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 933
261Class winappdbg.win32.defines.WinFuncHook
934
261.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 934
261.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 934
262Class winappdbg.win32.gdi32.BITMAP
262.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
262.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
262.3Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

935
935
935
935

263Class winappdbg.win32.gdi32.PBITMAP
937
263.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 937
263.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 937
264Class winappdbg.win32.gdi32.POINT
938
264.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 938

23

CONTENTS

CONTENTS

264.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 938
264.3Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 938
265Class winappdbg.win32.gdi32.PPOINT
939
265.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 939
265.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 939
266Class winappdbg.win32.gdi32.PRECT
940
266.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 940
266.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 940
267Class winappdbg.win32.gdi32.RECT
941
267.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 941
267.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 941
267.3Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 941
268Class winappdbg.win32.kernel32.BY HANDLE FILE INFORMATION
943
268.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 943
268.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 943
268.3Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 943
269Class winappdbg.win32.kernel32.CHAR
269.1Methods . . . . . . . . . . . . . . . . . .
269.2Properties . . . . . . . . . . . . . . . . .
269.3Class Variables . . . . . . . . . . . . . .

INFO
945
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 945
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 945
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 945

270Class winappdbg.win32.kernel32.CONSOLE SCREEN BUFFER


270.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
270.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
270.3Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

INFO
. . . . . . . . . . . . . .
. . . . . . . . . . . . . .
. . . . . . . . . . . . . .

946
946
946
946

271Class winappdbg.win32.kernel32.COORD
948
271.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 948
271.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 948
271.3Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 948
272Class winappdbg.win32.kernel32.CREATE PROCESS
272.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . .
272.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . .
272.3Class Variables . . . . . . . . . . . . . . . . . . . . . . .

DEBUG
. . . . . .
. . . . . .
. . . . . .

INFO
949
. . . . . . . . . . . . . . . 949
. . . . . . . . . . . . . . . 949
. . . . . . . . . . . . . . . 949

273Class winappdbg.win32.kernel32.CREATE THREAD DEBUG INFO


951
273.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 951
273.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 951
273.3Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 951
274 Class winappdbg.win32.kernel32.DEBUG_EVENT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 953
274.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 953
274.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 953
274.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 953
275 Class winappdbg.win32.kernel32.EXCEPTION_DEBUG_INFO . . . . . . . . . . . . . . . . . . . . . . 955
275.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 955
275.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 955
275.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 955
276 Class winappdbg.win32.kernel32.EXCEPTION_RECORD . . . . . . . . . . . . . . . . . . . . . . . . 956
276.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 956
276.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 956
276.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 956
277 Class winappdbg.win32.kernel32.EXCEPTION_RECORD32 . . . . . . . . . . . . . . . . . . . . . . . 958
277.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 958
277.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 958
277.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 958
278 Class winappdbg.win32.kernel32.EXCEPTION_RECORD64 . . . . . . . . . . . . . . . . . . . . . . . 960
278.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 960
278.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 960
278.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 960
279 Class winappdbg.win32.kernel32.EXIT_PROCESS_DEBUG_INFO . . . . . . . . . . . . . . . . . . . . 962
279.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 962
279.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 962
279.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 962
280 Class winappdbg.win32.kernel32.EXIT_THREAD_DEBUG_INFO . . . . . . . . . . . . . . . . . . . . . 963
280.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 963
280.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 963
280.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 963
281 Class winappdbg.win32.kernel32.FILETIME . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 964
281.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 964
281.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 964
281.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 964
282 Class winappdbg.win32.kernel32.FILE_INFO_BY_HANDLE_CLASS . . . . . . . . . . . . . . . . . . . 965
282.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 965
282.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 965
282.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 965
283 Class winappdbg.win32.kernel32.FileHandle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 966
283.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 966
283.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 968
283.3 Instance Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 968
284 Class winappdbg.win32.kernel32.FileMappingHandle . . . . . . . . . . . . . . . . . . . . . . . . . 969
284.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 969
284.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 971
284.3 Instance Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 971
285 Class winappdbg.win32.kernel32.HEAPENTRY32 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 972
285.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 972
285.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 972
285.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 972
286 Class winappdbg.win32.kernel32.HEAPLIST32 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 974
286.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 974
286.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 974
286.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 974
287 Class winappdbg.win32.kernel32.Handle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 976
287.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 976
287.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 978
287.3 Instance Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 978
288 Class winappdbg.win32.kernel32.JIT_DEBUG_INFO . . . . . . . . . . . . . . . . . . . . . . . . . . 979
288.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 979
288.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 979
288.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 979
289 Class winappdbg.win32.kernel32.LOAD_DLL_DEBUG_INFO . . . . . . . . . . . . . . . . . . . . . . 981
289.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 981
289.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 981
289.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 981
290 Class winappdbg.win32.kernel32.LPBY_HANDLE_FILE_INFORMATION . . . . . . . . . . . . . . . . 983
290.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 983
290.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 983
291 Class winappdbg.win32.kernel32.LPDEBUG_EVENT . . . . . . . . . . . . . . . . . . . . . . . . . . 984
291.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 984
291.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 984
292 Class winappdbg.win32.kernel32.LPFILETIME . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 985
292.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 985
292.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 985
293 Class winappdbg.win32.kernel32.LPFLOATING_SAVE_AREA . . . . . . . . . . . . . . . . . . . . . . 986
293.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 986
293.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 986
294 Class winappdbg.win32.kernel32.LPHEAPENTRY32 . . . . . . . . . . . . . . . . . . . . . . . . . . 987
294.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 987
294.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 987
295 Class winappdbg.win32.kernel32.LPHEAPLIST32 . . . . . . . . . . . . . . . . . . . . . . . . . . . 988
295.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 988
295.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 988
296 Class winappdbg.win32.kernel32.LPJIT_DEBUG_INFO . . . . . . . . . . . . . . . . . . . . . . . . . 989
296.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 989
296.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 989
297 Class winappdbg.win32.kernel32.LPOSVERSIONINFOEXW . . . . . . . . . . . . . . . . . . . . . . 990
297.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 990
297.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 990
298 Class winappdbg.win32.kernel32.LPOVERLAPPED . . . . . . . . . . . . . . . . . . . . . . . . . . . 991
298.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 991
298.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 991
299 Class winappdbg.win32.kernel32.LPPROCESSENTRY32 . . . . . . . . . . . . . . . . . . . . . . . . 992
299.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 992
299.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 992
300 Class winappdbg.win32.kernel32.LPPROCESS_INFORMATION . . . . . . . . . . . . . . . . . . . . . 993
300.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 993
300.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 993
301 Class winappdbg.win32.kernel32.LPSTARTUPINFO . . . . . . . . . . . . . . . . . . . . . . . . . . 994
301.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 994
301.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 994
302 Class winappdbg.win32.kernel32.LPSTARTUPINFOEX . . . . . . . . . . . . . . . . . . . . . . . . . 995
302.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 995
302.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 995
303 Class winappdbg.win32.kernel32.LPSTARTUPINFOEXW . . . . . . . . . . . . . . . . . . . . . . . . 996
303.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 996
303.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 996
304 Class winappdbg.win32.kernel32.LPSTARTUPINFOW . . . . . . . . . . . . . . . . . . . . . . . . . 997
304.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 997
304.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 997
305 Class winappdbg.win32.kernel32.LPSYSTEMTIME . . . . . . . . . . . . . . . . . . . . . . . . . . . 998
305.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 998
305.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 998
306 Class winappdbg.win32.kernel32.LPTHREADENTRY32 . . . . . . . . . . . . . . . . . . . . . . . . . 999
306.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 999
306.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 999
307 Class winappdbg.win32.kernel32.MEMORY_BASIC_INFORMATION . . . . . . . . . . . . . . . . . . 1000
307.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1000
307.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1000
307.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1000
308 Class winappdbg.win32.kernel32.MEMORY_BASIC_INFORMATION32 . . . . . . . . . . . . . . . . 1002
308.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1002
308.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1002
308.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1002
309 Class winappdbg.win32.kernel32.MEMORY_BASIC_INFORMATION64 . . . . . . . . . . . . . . . . 1004
309.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1004
309.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1004
309.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1004
310 Class winappdbg.win32.kernel32.MODULEENTRY32 . . . . . . . . . . . . . . . . . . . . . . . . . 1006
310.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1006
310.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1006
310.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1006
311 Class winappdbg.win32.kernel32.MemoryBasicInformation . . . . . . . . . . . . . . . . . . . . . 1008
311.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1008
311.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1010
311.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1011
312 Class winappdbg.win32.kernel32.OUTPUT_DEBUG_STRING_INFO . . . . . . . . . . . . . . . . . . 1012
312.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1012
312.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1012
312.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1012
313 Class winappdbg.win32.kernel32.OVERLAPPED . . . . . . . . . . . . . . . . . . . . . . . . . . . 1014
313.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1014
313.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1014
313.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1014
314 Class winappdbg.win32.kernel32.PCONSOLE_SCREEN_BUFFER_INFO . . . . . . . . . . . . . . . . 1016
314.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1016
314.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1016
315 Class winappdbg.win32.kernel32.PCOORD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1017
315.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1017
315.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1017
316 Class winappdbg.win32.kernel32.PEXCEPTION_RECORD . . . . . . . . . . . . . . . . . . . . . . 1018
316.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1018
316.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1018
317 Class winappdbg.win32.kernel32.PEXCEPTION_RECORD32 . . . . . . . . . . . . . . . . . . . . . 1019
317.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1019
317.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1019
318 Class winappdbg.win32.kernel32.PEXCEPTION_RECORD64 . . . . . . . . . . . . . . . . . . . . . 1020
318.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1020
318.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1020
319 Class winappdbg.win32.kernel32.PHANDLER_ROUTINE . . . . . . . . . . . . . . . . . . . . . . . 1021
319.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1021
319.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1021
319.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1021
320 Class winappdbg.win32.kernel32.PMEMORY_BASIC_INFORMATION . . . . . . . . . . . . . . . . . 1022
320.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1022
320.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1022
321 Class winappdbg.win32.kernel32.POSVERSIONINFOEXA . . . . . . . . . . . . . . . . . . . . . . . 1023
321.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1023
321.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1023
322 Class winappdbg.win32.kernel32.PROCESSENTRY32 . . . . . . . . . . . . . . . . . . . . . . . . . 1024
322.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1024
322.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1024
322.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1024
323 Class winappdbg.win32.kernel32.PROCESS_INFORMATION . . . . . . . . . . . . . . . . . . . . . 1026
323.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1026
323.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1026
323.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1026
324 Class winappdbg.win32.kernel32.PSMALL_RECT . . . . . . . . . . . . . . . . . . . . . . . . . . . 1028
324.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1028
324.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1028
325 Class winappdbg.win32.kernel32.PVS_FIXEDFILEINFO . . . . . . . . . . . . . . . . . . . . . . . . 1029
325.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1029
325.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1029
326 Class winappdbg.win32.kernel32.ProcThreadAttributeList . . . . . . . . . . . . . . . . . . . . . . 1030
326.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1030
326.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1030
326.3 Instance Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1031
327 Class winappdbg.win32.kernel32.ProcessHandle . . . . . . . . . . . . . . . . . . . . . . . . . . . 1032
327.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1032
327.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1034
327.3 Instance Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1034
328 Class winappdbg.win32.kernel32.ProcessInformation . . . . . . . . . . . . . . . . . . . . . . . . 1035
328.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1035
328.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1035
329 Class winappdbg.win32.kernel32.RIP_INFO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1036
329.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1036
329.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1036
329.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1036
330 Class winappdbg.win32.kernel32.SECURITY_ATTRIBUTES . . . . . . . . . . . . . . . . . . . . . . 1037
330.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1037
330.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1037
330.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1037
331 Class winappdbg.win32.kernel32.SMALL_RECT . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1039
331.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1039
331.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1039
331.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1039
332 Class winappdbg.win32.kernel32.STARTUPINFO . . . . . . . . . . . . . . . . . . . . . . . . . . . 1041
332.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1041
332.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1041
332.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1041
333 Class winappdbg.win32.kernel32.STARTUPINFOEX . . . . . . . . . . . . . . . . . . . . . . . . . . 1043
333.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1043
333.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1043
333.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1043
334 Class winappdbg.win32.kernel32.STARTUPINFOEXW . . . . . . . . . . . . . . . . . . . . . . . . . 1044
334.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1044
334.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1044
334.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1044
335 Class winappdbg.win32.kernel32.STARTUPINFOW . . . . . . . . . . . . . . . . . . . . . . . . . . 1045
335.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1045
335.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1045
335.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1045
336 Class winappdbg.win32.kernel32.SYSTEMTIME . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1047
336.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1047
336.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1047
336.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1047
337 Class winappdbg.win32.kernel32.SnapshotHandle . . . . . . . . . . . . . . . . . . . . . . . . . . 1049
337.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1049
337.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1051
337.3 Instance Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1051
338 Class winappdbg.win32.kernel32.THREADENTRY32 . . . . . . . . . . . . . . . . . . . . . . . . . 1052
338.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1052
338.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1052
338.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1052
339 Class winappdbg.win32.kernel32.THREADNAME_INFO . . . . . . . . . . . . . . . . . . . . . . . . 1054
339.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1054
339.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1054
339.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1054
340 Class winappdbg.win32.kernel32.ThreadHandle . . . . . . . . . . . . . . . . . . . . . . . . . . . 1056
340.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1056
340.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1058
340.3 Instance Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1058
341 Class winappdbg.win32.kernel32.UNLOAD_DLL_DEBUG_INFO . . . . . . . . . . . . . . . . . . . . 1059
341.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1059
341.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1059
341.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1059
342 Class winappdbg.win32.kernel32.UserModeHandle . . . . . . . . . . . . . . . . . . . . . . . . . . 1060
342.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1060
342.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1062
343 Class winappdbg.win32.kernel32.VS_FIXEDFILEINFO . . . . . . . . . . . . . . . . . . . . . . . . . 1063
343.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1063
343.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1063
343.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1063
344 Class winappdbg.win32.ntdll.FILE_NAME_INFORMATION . . . . . . . . . . . . . . . . . . . . . . . 1065
344.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1065
344.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1065
344.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1065
345 Class winappdbg.win32.ntdll.IO_STATUS_BLOCK . . . . . . . . . . . . . . . . . . . . . . . . . . . 1066
345.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1066
345.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1066
345.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1066
346 Class winappdbg.win32.ntdll.PROCESS_BASIC_INFORMATION . . . . . . . . . . . . . . . . . . . . 1068
346.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1068
346.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1068
346.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1068
347 Class winappdbg.win32.ntdll.SYSDBG_MSR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1070
347.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1070
347.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1070
347.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1070
348 Class winappdbg.win32.ntdll.THREAD_BASIC_INFORMATION . . . . . . . . . . . . . . . . . . . . 1071
348.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1071
348.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1071
348.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1071
349 Class winappdbg.win32.peb_teb.ACTIVATION_CONTEXT_STACK . . . . . . . . . . . . . . . . . . 1073
349.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1073
349.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1073
349.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1073
350 Class winappdbg.win32.peb_teb.CLIENT_ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1075
350.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1075
350.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1075
350.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1075
351 Class winappdbg.win32.peb_teb.CURDIR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1076
351.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1076
351.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1076
351.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1076
352 Class winappdbg.win32.peb_teb.EXCEPTION_REGISTRATION_RECORD . . . . . . . . . . . . . . . 1077
352.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1077
352.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1077
352.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1077
353 Class winappdbg.win32.peb_teb.GDI_TEB_BATCH . . . . . . . . . . . . . . . . . . . . . . . . . . 1078
353.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1078
353.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1078
353.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1078
354 Class winappdbg.win32.peb_teb.LDR_MODULE . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1080
354.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1080
354.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1080
354.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1080
355 Class winappdbg.win32.peb_teb.NT_TIB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1082
355.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1082
355.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1082
355.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1082
356 Class winappdbg.win32.peb_teb.PEB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1084
356.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1084
356.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1084
356.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1084
357 Class winappdbg.win32.peb_teb.PEB_32 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1089
357.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1089
357.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1089
357.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1089
358 Class winappdbg.win32.peb_teb.PEB_FREE_BLOCK . . . . . . . . . . . . . . . . . . . . . . . . . . 1094
358.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1094
358.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1094
358.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1094
359 Class winappdbg.win32.peb_teb.PEB_LDR_DATA . . . . . . . . . . . . . . . . . . . . . . . . . . . 1095
359.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1095
359.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1095
359.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1095
360 Class winappdbg.win32.peb_teb.PNTTIB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1097
360.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1097
360.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1097
361 Class winappdbg.win32.peb_teb.PPEB_LDR_DATA . . . . . . . . . . . . . . . . . . . . . . . . . . 1098
361.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1098
361.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1098
362 Class winappdbg.win32.peb_teb.PROCESSOR_NUMBER . . . . . . . . . . . . . . . . . . . . . . . 1099
362.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1099
362.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1099
362.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1099
363 Class winappdbg.win32.peb_teb.PRTL_CRITICAL_SECTION . . . . . . . . . . . . . . . . . . . . . 1101
363.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1101
363.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1101
364 Class winappdbg.win32.peb_teb.PRTL_CRITICAL_SECTION_DEBUG . . . . . . . . . . . . . . . . . 1102
364.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1102
364.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1102
365 Class winappdbg.win32.peb_teb.PRTL_USER_PROCESS_PARAMETERS . . . . . . . . . . . . . . . 1103
365.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1103
365.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1103
366 Class winappdbg.win32.peb_teb.PTEB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1104
366.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1104
366.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1104
367 Class winappdbg.win32.peb_teb.PTEB_ACTIVE_FRAME . . . . . . . . . . . . . . . . . . . . . . . 1105
367.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1105
367.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1105
368 Class winappdbg.win32.peb_teb.PTEB_ACTIVE_FRAME_CONTEXT . . . . . . . . . . . . . . . . . . 1106
368.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1106
368.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1106
369 Class winappdbg.win32.peb_teb.RTL_ACTIVATION_CONTEXT_STACK_FRAME . . . . . . . . . . . 1107
369.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1107
369.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1107
369.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1107
370 Class winappdbg.win32.peb_teb.RTL_CRITICAL_SECTION
370.1 Methods
370.2 Properties
370.3 Class Variables
371 Class winappdbg.win32.peb_teb.RTL_CRITICAL_SECTION_DEBUG . . . . . . . . . . . . . . . . . . 1111
371.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1111
371.2 Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1111
371.3 Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1111
372 Class winappdbg.win32.peb_teb.RTL_DRIVE_LETTER_CURDIR
372.1 Methods
372.2 Properties
372.3 Class Variables
373 Class winappdbg.win32.peb_teb
373.1 Methods
373.2 Properties
373.3 Class Variables

teb.RTL
. . . . . .
. . . . . .
. . . . . .

USER PROCESS
. . . . . . . . . . . .
. . . . . . . . . . . .
. . . . . . . . . . . .

PARAMETERS
1115
. . . . . . . . . . . . . . . . . . . . 1115
. . . . . . . . . . . . . . . . . . . . 1115
. . . . . . . . . . . . . . . . . . . . 1115

374Class winappdbg.win32.peb
374.1Methods . . . . . . . . . .
374.2Properties . . . . . . . . .
374.3Class Variables . . . . . .

teb.TEB
1117
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1117
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1117
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1117

375Class winappdbg.win32.peb
375.1Methods . . . . . . . . . .
375.2Properties . . . . . . . . .
375.3Class Variables . . . . . .

teb.TEB
. . . . . .
. . . . . .
. . . . . .

ACTIVE FRAME
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

376Class winappdbg.win32.peb
376.1Methods . . . . . . . . . .
376.2Properties . . . . . . . . .
376.3Class Variables . . . . . .

teb.TEB
. . . . . .
. . . . . .
. . . . . .

ACTIVE FRAME CONTEXT


1125
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1125
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1125
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1125

377Class winappdbg.win32.peb
377.1Methods . . . . . . . . . .
377.2Properties . . . . . . . . .
377.3Class Variables . . . . . .

teb.Wx86ThreadState
1126
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1126
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1126
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1126

1109
. 1109
. 1109
. 1109

1113
. 1113
. 1113
. 1113

1123
. 1123
. 1123
. 1123

378Class winappdbg.win32.psapi.MODULEINFO
1128
378.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1128

33

CONTENTS

CONTENTS

378.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1128
378.3Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1128
379Class winappdbg.win32.shell32.LPSHELLEXECUTEINFO
1130
379.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1130
379.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1130
380Class winappdbg.win32.shell32.SHELLEXECUTEINFO
380.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
380.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
380.3Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

1131
. 1131
. 1131
. 1131

381Class winappdbg.win32.user32.GUITHREADINFO
381.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
381.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
381.3Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

1133
. 1133
. 1133
. 1133

382Class winappdbg.win32.user32.PWINDOWPLACEMENT
1135
382.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1135
382.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1135
383Class winappdbg.win32.user32.Point
1136
383.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1136
383.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1137
383.3Instance Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1138
384Class winappdbg.win32.user32.Rect
1139
384.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1139
384.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1141
384.3Instance Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1141
386Class winappdbg.win32.user32.WindowPlacement
1143
386.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1143
386.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1143
386Class winappdbg.win32.user32.WindowPlacement
1143
386.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1143
386.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1143
387Class winappdbg.win32.version.OSVERSIONINFOA
1144
387.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1144
387.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1144
387.3Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1144
388Class winappdbg.win32.version.OSVERSIONINFOEXA
388.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
388.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
388.3Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

1146
. 1146
. 1146
. 1146

389Class winappdbg.win32.version.OSVERSIONINFOEXW
389.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
389.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
389.3Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

1148
. 1148
. 1148
. 1148

34

CONTENTS

CONTENTS

390Class winappdbg.win32.version.OSVERSIONINFOW
1150
390.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1150
390.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1150
390.3Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1150
391Class winappdbg.win32.version.SYSTEM
391.1Methods . . . . . . . . . . . . . . . . . . .
391.2Properties . . . . . . . . . . . . . . . . . .
391.3Class Variables . . . . . . . . . . . . . . .

INFO
. . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . .

1152
. 1152
. 1152
. 1152

392Class winappdbg.win32.version.VS FIXEDFILEINFO


1154
392.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1154
392.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1154
392.3Class Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1154
393Class winappdbg.win32.wtsapi32.PWTS PROCESS INFOA
1156
393.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1156
393.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1156
394Class winappdbg.win32.wtsapi32.WTS
394.1Methods . . . . . . . . . . . . . . . . .
394.2Properties . . . . . . . . . . . . . . . .
394.3Class Variables . . . . . . . . . . . . .

CLIENT DISPLAY
1157
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1157
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1157
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1157

395Class winappdbg.win32.wtsapi32.WTS
395.1Methods . . . . . . . . . . . . . . . . .
395.2Properties . . . . . . . . . . . . . . . .
395.3Class Variables . . . . . . . . . . . . .

PROCESS INFOA
1159
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1159
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1159
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1159

396Class winappdbg.win32.wtsapi32.WTS
396.1Methods . . . . . . . . . . . . . . . . .
396.2Properties . . . . . . . . . . . . . . . .
396.3Class Variables . . . . . . . . . . . . .

PROCESS INFOW
1161
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1161
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1161
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1161

397Class winappdbg.window.Window
397.1Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
397.2Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
397.3Instance Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

35

1163
. 1163
. 1174
. 1174

1 Package winappdbg

Windows application debugging engine for Python.

by Mario Vilas (mvilas at gmail.com)
Project: http://sourceforge.net/projects/winappdbg/
Web: http://winappdbg.sourceforge.net/
Blog: http://breakingcode.wordpress.com

1.1 Modules

breakpoint: Breakpoints.
(Section 2, p. 10)
crash: Crash dump support.
(Section 3, p. 11)
debug: Debugging.
(Section 4, p. 12)
disasm: Binary code disassembly.
(Section 5, p. 13)
event: Event handling module.
(Section 6, p. 14)
interactive: Interactive debugging console.
(Section 7, p. 16)
module: Module instrumentation.
(Section 8, p. 17)
process: Process instrumentation.
(Section 9, p. 18)
registry: Registry access.
(Section 10, p. 19)
search: Process memory search.
(Section 11, p. 20)
sql: SQL database storage support.
(Section 12, p. 21)
system: System settings.
(Section 13, p. 22)
textio: Functions for text input, logging or text output.
(Section 14, p. 23)
thread: Thread instrumentation.
(Section 15, p. 24)
util: Miscellaneous utility classes and functions.
(Section 16, p. 25)
window: Window instrumentation.
(Section 33, p. 324)
Win32 API wrappers
win32: Debugging API wrappers in ctypes.
(Section 17, p. 29)
advapi32: Wrapper for advapi32.dll in ctypes.
(Section 18, p. 140)
context_amd64: CONTEXT structure for amd64.
(Section 19, p. 162)
context_i386: CONTEXT structure for i386.
(Section 20, p. 165)
dbghelp: Wrapper for dbghelp.dll in ctypes.
(Section 21, p. 167)
defines: Common definitions.
(Section 22, p. 176)
gdi32: Wrapper for gdi32.dll in ctypes.
(Section 23, p. 183)
kernel32: Wrapper for kernel32.dll in ctypes.
(Section 24, p. 191)
ntdll: Wrapper for ntdll.dll in ctypes.
(Section 25, p. 233)
peb_teb: PEB and TEB structures, constants and data types.
(Section 26, p. 243)
psapi: Wrapper for psapi.dll in ctypes.
(Section 27, p. 247)
shell32: Wrapper for shell32.dll in ctypes.
(Section 28, p. 249)
shlwapi: Wrapper for shlwapi.dll in ctypes.
(Section 29, p. 254)
user32: Wrapper for user32.dll in ctypes.
(Section 30, p. 262)
version: Detect the current architecture and operating system.
(Section 31, p. 275)
wtsapi32: Wrapper for wtsapi32.dll in ctypes.
(Section 32, p. 286)

1.2 Classes

Debugging
Debug: The main debugger class.
(Section 74, p. 448)
EventHandler: Base class for debug event handlers.
(Section 89, p. 502)
EventSift: Event handler that allows you to use customized event handlers for each process
you're attached to.
(Section 90, p. 509)
DebugLog: Static functions for debug logging.
(Section 115, p. 691)
Instrumentation
Module: Interface to a DLL library loaded in the context of another process.
(Section 102, p. 565)
Process: Interface to a process.
(Section 103, p. 573)
Registry: Exposes the Windows Registry as a Python container.
(Section 104, p. 631)
System: Interface to a batch of processes, plus some system wide settings.
(Section 112, p. 662)
Thread: Interface to a thread in another process.
(Section 121, p. 715)
Window: Interface to an open window in the current desktop.
(Section 397, p. 1163)
Disassemblers
PyDasmEngine: Integration with PyDasm: Python bindings to libdasm.
(Section 82, p. 481)
Disassembler: Generic disassembler.
(Section 78, p. 470)
DistormEngine: Integration with the diStorm disassembler by Gil Dabah.
(Section 79, p. 472)
BeaEngine: Integration with the BeaEngine disassembler by Beatrix.
(Section 76, p. 464)
Crash reporting
CrashDictionary: Dictionary-like persistence interface for Crash objects.
(Section 68, p. 428)
Crash: Represents a crash, bug, or another interesting event in the debugee.
(Section 66, p. 413)
CrashDump: Static functions for crash dumps.
(Section 114, p. 684)
CrashDAO: Data Access Object to read, write and search for Crash objects in a database.
(Section 111, p. 658)
Memory search
Search: Static class to group the search functionality.
(Section 109, p. 650)
TextPattern: Text pattern.
(Section 110, p. 654)
Pattern: Base class for search patterns.
(Section 107, p. 643)
BytePattern: Fixed byte pattern.
(Section 105, p. 634)
HexPattern: Hexadecimal pattern.
(Section 106, p. 638)
RegExpPattern: Regular expression pattern.
(Section 108, p. 646)
Debug events
UnloadDLLEvent: Module unload event.
(Section 98, p. 543)
ExitThreadEvent: Thread termination event.
(Section 93, p. 527)
OutputDebugStringEvent: Debug string output event.
(Section 96, p. 537)
RIPEvent: RIP event.
(Section 97, p. 540)
ExitProcessEvent: Process termination event.
(Section 92, p. 523)
CreateProcessEvent: Process creation event.
(Section 83, p. 484)
LoadDLLEvent: Module load event.
(Section 94, p. 530)
Event: Event object.
(Section 85, p. 493)

ExceptionEvent: Exception event.
(Section 91, p. 516)
CreateThreadEvent: Thread creation event.
(Section 84, p. 489)
Win32 API wrappers
Handle: Encapsulates Win32 handles to avoid leaking them.
(Section 287, p. 976)
ProcessHandle: Win32 process handle.
(Section 327, p. 1032)
ThreadHandle: Win32 thread handle.
(Section 340, p. 1056)
FileHandle: Win32 file handle.
(Section 283, p. 966)
Helpers
HexDump: Static functions for hexadecimal dumps.
(Section 116, p. 693)
Color: Colored console output.
(Section 113, p. 681)
HexOutput: Static functions for user output parsing.
(Section 118, p. 708)
Table: Text based table.
(Section 120, p. 713)
HexInput: Static functions for user input parsing.
(Section 117, p. 704)
Logger: Logs text to standard output and/or a text file.
(Section 119, p. 711)
MemoryAddresses: Class to manipulate memory addresses.
(Section 124, p. 746)
DebugRegister: Class to manipulate debug registers.
(Section 123, p. 742)
PathOperations: Static methods for filename and pathname manipulation.
(Section 125, p. 749)
Warnings
BreakpointWarning: This warning is issued when a non-fatal error occurs that's related to
breakpoints.
(Section 60, p. 382)
BreakpointCallbackWarning: This warning is issued when an uncaught exception was raised
by a breakpoint's user-defined callback.
(Section 59, p. 381)
CrashWarning: An error occurred while gathering crash data.
(Section 71, p. 440)
MixedBitsWarning: This warning is issued when mixing 32 and 64 bit processes.
(Section 75, p. 463)
EventCallbackWarning: This warning is issued when an uncaught exception was raised by a
user-defined event handler.
(Section 86, p. 496)
DebugSymbolsWarning: This warning is issued if the support for debug symbols isn't working
properly.
(Section 101, p. 564)
Deprecated classes
CrashTableMSSQL: Old crash dump persistencer using a Microsoft SQL Server database.
(Section 70, p. 436)
DummyCrashContainer: Fakes a database of volatile Crash objects, trying to mimic part of
its interface, but doesn't actually store anything.
(Section 72, p. 441)
VolatileCrashContainer: Old in-memory crash dump storage.
(Section 73, p. 444)
CrashTable: Old crash dump persistencer using a SQLite database.
(Section 69, p. 432)
CrashContainer: Old crash dump persistencer using a DBM database.
(Section 67, p. 421)

1.3 Functions

Helpers
WriteableAddressIterator(memory_map)
Generator function that iterates through a memory map, returning only those
memory blocks that are writeable.
Parameters
memory_map: List of memory region information objects. Returned
by Process.get_memory_map.
(type=list( win32.MemoryBasicInformation ))
Return Value
Generator object to iterate memory blocks.
(type=generator of win32.MemoryBasicInformation)
Note: Writeable memory is always readable too.

CustomAddressIterator(memory_map, condition)
Generator function that iterates through a memory map, filtering memory
region blocks by any given condition.
Parameters
memory_map: List of memory region information objects. Returned
by Process.get_memory_map.
(type=list( win32.MemoryBasicInformation ))
condition: Callback function that returns True if the memory
block should be returned, or False if it should be
filtered.
(type=function)
Return Value
Generator object to iterate memory blocks.
(type=generator of win32.MemoryBasicInformation)
MappedAddressIterator(memory_map)
Generator function that iterates through a memory map, returning only those
memory blocks that belong to memory mapped files.
Parameters
memory_map: List of memory region information objects. Returned
by Process.get_memory_map.
(type=list( win32.MemoryBasicInformation ))
Return Value
Generator object to iterate memory blocks.
(type=generator of win32.MemoryBasicInformation)

ExecutableAddressIterator(memory_map)
Generator function that iterates through a memory map, returning only those
memory blocks that are executable.
Parameters
memory_map: List of memory region information objects. Returned
by Process.get_memory_map.
(type=list( win32.MemoryBasicInformation ))
Return Value
Generator object to iterate memory blocks.
(type=generator of win32.MemoryBasicInformation)
Note: Executable memory is always readable too.
ReadableAddressIterator(memory_map)
Generator function that iterates through a memory map, returning only those
memory blocks that are readable.
Parameters
memory_map: List of memory region information objects. Returned
by Process.get_memory_map.
(type=list( win32.MemoryBasicInformation ))
Return Value
Generator object to iterate memory blocks.
(type=generator of win32.MemoryBasicInformation)
DataAddressIterator(memory_map)
Generator function that iterates through a memory map, returning only those
memory blocks that contain data.
Parameters
memory_map: List of memory region information objects. Returned
by Process.get_memory_map.
(type=list( win32.MemoryBasicInformation ))
Return Value
Generator object to iterate memory blocks.
(type=generator of win32.MemoryBasicInformation)

ExecutableAndWriteableAddressIterator(memory_map)
Generator function that iterates through a memory map, returning only those
memory blocks that are executable and writeable.
Parameters
memory_map: List of memory region information objects. Returned
by Process.get_memory_map.
(type=list( win32.MemoryBasicInformation ))
Return Value
Generator object to iterate memory blocks.
(type=generator of win32.MemoryBasicInformation)
Note: The presence of such pages makes memory corruption vulnerabilities
much easier to exploit.
ImageAddressIterator(memory_map)
Generator function that iterates through a memory map, returning only those
memory blocks that belong to executable images.
Parameters
memory_map: List of memory region information objects. Returned
by Process.get_memory_map.
(type=list( win32.MemoryBasicInformation ))
Return Value
Generator object to iterate memory blocks.
(type=generator of win32.MemoryBasicInformation)

1.4 Variables

Name: version_number
Description: This WinAppDbg major and minor version, as a floating point number. Use this for
compatibility checking.
Value: 1.5 (type=float)

Name: version
Description: This WinAppDbg release version, as a printable string. Use this to show to the user.
Value: Version 1.5 (type=str)

2 Module winappdbg.breakpoint

Breakpoints.

2.1 Classes

Breakpoints
Breakpoint: Base class for breakpoints.
(Section 58, p. 373)
CodeBreakpoint: Code execution breakpoints (using an int3 opcode).
(Section 62, p. 385)
PageBreakpoint: Page access breakpoint (using guard pages).
(Section 65, p. 406)
HardwareBreakpoint: Hardware breakpoint (using debug registers).
(Section 63, p. 392)
Hook: Factory class to produce hook objects.
(Section 64, p. 401)
ApiHook: Used by EventHandler.
(Section 57, p. 368)
BufferWatch: Returned by Debug.watch buffer.
(Section 61, p. 383)
Warnings
BreakpointWarning: This warning is issued when a non-fatal error occurs that's
related to breakpoints.
(Section 60, p. 382)
BreakpointCallbackWarning: This warning is issued when an uncaught exception was raised by a breakpoint's user-defined callback.
(Section 59, p. 381)

3 Module winappdbg.crash

Crash dump support.

3.1 Classes

Crash reporting
Crash: Represents a crash, bug, or another interesting event in the debugee.
(Section 66, p. 413)
CrashDictionary: Dictionary-like persistence interface for Crash objects.
(Section 68, p. 428)
Warnings
CrashWarning: An error occurred while gathering crash data.
(Section 71, p. 440)
Deprecated classes
CrashContainer: Old crash dump persistencer using a DBM database.
(Section 67, p. 421)
CrashTable: Old crash dump persistencer using a SQLite database.
(Section 69, p. 432)
CrashTableMSSQL: Old crash dump persistencer using a Microsoft SQL Server
database.
(Section 70, p. 436)
VolatileCrashContainer: Old in-memory crash dump storage.
(Section 73, p. 444)
DummyCrashContainer: Fakes a database of volatile Crash objects, trying to
mimic part of its interface, but doesn't actually store anything.
(Section 72, p. 441)

4 Module winappdbg.debug

Debugging.

4.1 Classes

Debugging
Debug: The main debugger class.
(Section 74, p. 448)
Warnings
MixedBitsWarning: This warning is issued when mixing 32 and 64 bit processes.
(Section 75, p. 463)

5 Module winappdbg.disasm

Binary code disassembly.

5.1 Classes

Disassembler loader
Engine: Base class for disassembly engine adaptors.
(Section 80, p. 475)
Disassembler: Generic disassembler.
(Section 78, p. 470)
Disassembler engines
BeaEngine: Integration with the BeaEngine disassembler by Beatrix.
(Section 76, p. 464)
DistormEngine: Integration with the diStorm disassembler by Gil Dabah.
(Section 79, p. 472)
PyDasmEngine: Integration with PyDasm: Python bindings to libdasm.
(Section 82, p. 481)
LibdisassembleEngine: Integration with Immunity libdisassemble.
(Section 81, p. 478)
CapstoneEngine: Integration with the Capstone disassembler by Nguyen Anh
Quynh.
(Section 77, p. 467)

6 Module winappdbg.event

Event handling module.

See Also: http://apps.sourceforge.net/trac/winappdbg/wiki/Debugging

6.1 Classes

Debugging
EventHandler: Base class for debug event handlers.
(Section 89, p. 502)
EventSift: Event handler that allows you to use customized event handlers for
each process you're attached to.
(Section 90, p. 509)
Debug events
Event: Event object.
(Section 85, p. 493)
NoEvent: No event.
(Section 95, p. 534)
ExceptionEvent: Exception event.
(Section 91, p. 516)
CreateThreadEvent: Thread creation event.
(Section 84, p. 489)
CreateProcessEvent: Process creation event.
(Section 83, p. 484)
ExitThreadEvent: Thread termination event.
(Section 93, p. 527)
ExitProcessEvent: Process termination event.
(Section 92, p. 523)
LoadDLLEvent: Module load event.
(Section 94, p. 530)
UnloadDLLEvent: Module unload event.
(Section 98, p. 543)
OutputDebugStringEvent: Debug string output event.
(Section 96, p. 537)
RIPEvent: RIP event.
(Section 97, p. 540)
EventFactory: Factory of Event objects.
(Section 88, p. 500)
EventDispatcher: Implements debug event dispatching capabilities.
(Section 87, p. 497)
Warnings
EventCallbackWarning: This warning is issued when an uncaught exception was
raised by a user-defined event handler.
(Section 86, p. 496)

7 Module winappdbg.interactive

Interactive debugging console.

7.1 Classes

Debugging
ConsoleDebugger: Interactive console debugger.
(Section 100, p. 548)
Exceptions
CmdError: Exception raised when a command parsing error occurs.
(Section 99, p. 547)

8 Module winappdbg.module

Module instrumentation.

8.1 Classes

Instrumentation
Module: Interface to a DLL library loaded in the context of another process.
(Section 102, p. 565)
Warnings
DebugSymbolsWarning: This warning is issued if the support for debug symbols
isn't working properly.
(Section 101, p. 564)

9 Module winappdbg.process

Process instrumentation.

9.1 Classes

Instrumentation
Process: Interface to a process.
(Section 103, p. 573)

10 Module winappdbg.registry

Registry access.

10.1 Classes

Instrumentation
Registry: Exposes the Windows Registry as a Python container.
(Section 104, p. 631)

11 Module winappdbg.search

Process memory search.

11.1 Classes

Memory search
Pattern: Base class for search patterns.
(Section 107, p. 643)
BytePattern: Fixed byte pattern.
(Section 105, p. 634)
TextPattern: Text pattern.
(Section 110, p. 654)
RegExpPattern: Regular expression pattern.
(Section 108, p. 646)
HexPattern: Hexadecimal pattern.
(Section 106, p. 638)
Search: Static class to group the search functionality.
(Section 109, p. 650)

12 Module winappdbg.sql

SQL database storage support.

12.1 Classes

Crash reporting
CrashDAO: Data Access Object to read, write and search for Crash objects in a
database.
(Section 111, p. 658)

13 Module winappdbg.system

System settings.

13.1 Classes

Instrumentation
System: Interface to a batch of processes, plus some system wide settings.
(Section 112, p. 662)

14 Module winappdbg.textio

Functions for text input, logging or text output.

14.1 Classes

Helpers
HexInput: Static functions for user input parsing.
(Section 117, p. 704)
HexOutput: Static functions for user output parsing.
(Section 118, p. 708)
HexDump: Static functions for hexadecimal dumps.
(Section 116, p. 693)
Color: Colored console output.
(Section 113, p. 681)
Table: Text based table.
(Section 120, p. 713)
CrashDump: Static functions for crash dumps.
(Section 114, p. 684)
DebugLog: Static functions for debug logging.
(Section 115, p. 691)
Logger: Logs text to standard output and/or a text file.
(Section 119, p. 711)

15 Module winappdbg.thread

Thread instrumentation.

15.1 Classes

Instrumentation
Thread: Interface to a thread in another process.
(Section 121, p. 715)

16 Module winappdbg.util

Miscellaneous utility classes and functions.

16.1 Classes

Helpers
Regenerator: Calls a generator and iterates it.
(Section 126, p. 753)
PathOperations: Static methods for filename and pathname manipulation.
(Section 125, p. 749)
MemoryAddresses: Class to manipulate memory addresses.
(Section 124, p. 746)
DebugRegister: Class to manipulate debug registers.
(Section 123, p. 742)
16.2 Functions

Helpers
CustomAddressIterator(memory_map, condition)
Generator function that iterates through a memory map, filtering memory
region blocks by any given condition.
Parameters
memory_map: List of memory region information objects. Returned
by Process.get_memory_map.
(type=list( win32.MemoryBasicInformation ))
condition: Callback function that returns True if the memory
block should be returned, or False if it should be
filtered.
(type=function)
Return Value
Generator object to iterate memory blocks.
(type=generator of win32.MemoryBasicInformation)

DataAddressIterator(memory_map)
Generator function that iterates through a memory map, returning only those
memory blocks that contain data.
Parameters
memory_map: List of memory region information objects. Returned
by Process.get_memory_map.
(type=list( win32.MemoryBasicInformation ))
Return Value
Generator object to iterate memory blocks.
(type=generator of win32.MemoryBasicInformation)
ImageAddressIterator(memory_map)
Generator function that iterates through a memory map, returning only those
memory blocks that belong to executable images.
Parameters
memory_map: List of memory region information objects. Returned
by Process.get_memory_map.
(type=list( win32.MemoryBasicInformation ))
Return Value
Generator object to iterate memory blocks.
(type=generator of win32.MemoryBasicInformation)
MappedAddressIterator(memory_map)
Generator function that iterates through a memory map, returning only those
memory blocks that belong to memory mapped files.
Parameters
memory_map: List of memory region information objects. Returned
by Process.get_memory_map.
(type=list( win32.MemoryBasicInformation ))
Return Value
Generator object to iterate memory blocks.
(type=generator of win32.MemoryBasicInformation)

ReadableAddressIterator(memory_map)
Generator function that iterates through a memory map, returning only those
memory blocks that are readable.
Parameters
memory_map: List of memory region information objects. Returned
by Process.get_memory_map.
(type=list( win32.MemoryBasicInformation ))
Return Value
Generator object to iterate memory blocks.
(type=generator of win32.MemoryBasicInformation)
WriteableAddressIterator(memory_map)
Generator function that iterates through a memory map, returning only those
memory blocks that are writeable.
Parameters
memory_map: List of memory region information objects. Returned
by Process.get_memory_map.
(type=list( win32.MemoryBasicInformation ))
Return Value
Generator object to iterate memory blocks.
(type=generator of win32.MemoryBasicInformation)
Note: Writeable memory is always readable too.
ExecutableAddressIterator(memory_map)
Generator function that iterates through a memory map, returning only those
memory blocks that are executable.
Parameters
memory_map: List of memory region information objects. Returned
by Process.get_memory_map.
(type=list( win32.MemoryBasicInformation ))
Return Value
Generator object to iterate memory blocks.
(type=generator of win32.MemoryBasicInformation)
Note: Executable memory is always readable too.


ExecutableAndWriteableAddressIterator(memory_map)
Generator function that iterates through a memory map, returning only those memory blocks that are executable and writeable.
Parameters
memory_map: List of memory region information objects. Returned by Process.get_memory_map.
(type=list(win32.MemoryBasicInformation))
Return Value
Generator object to iterate memory blocks.
(type=generator of win32.MemoryBasicInformation)
Note: The presence of such pages makes memory corruption vulnerabilities much easier to exploit.
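As an added example (not WinAppDbg's own code), the protection tests behind the iterators above, re-implemented over a constructed memory map, with a defender-side check that lists the executable-and-writeable regions the note warns about. MemoryRegion, SAMPLE_MEMORY_MAP and the lower-case function names are assumptions standing in for win32.MemoryBasicInformation, Process.get_memory_map() and the reference's own iterators; the PAGE_* and MEM_* values are the standard winnt.h constants.

```python
# Added example, not WinAppDbg's own code: the protection tests behind the
# *AddressIterator functions, re-implemented over a constructed memory map.
# MemoryRegion is a hypothetical stand-in for win32.MemoryBasicInformation and
# SAMPLE_MEMORY_MAP for the list Process.get_memory_map() returns.
from collections import namedtuple

# Standard Win32 page-protection and region-state constants (winnt.h values).
PAGE_NOACCESS          = 0x01
PAGE_READONLY          = 0x02
PAGE_READWRITE         = 0x04
PAGE_WRITECOPY         = 0x08
PAGE_EXECUTE           = 0x10
PAGE_EXECUTE_READ      = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
PAGE_GUARD             = 0x100   # modifier: first access raises a guard-page exception
MEM_COMMIT  = 0x1000
MEM_RESERVE = 0x2000
MEM_FREE    = 0x10000
MEM_PRIVATE = 0x20000
MEM_MAPPED  = 0x40000
MEM_IMAGE   = 0x1000000

# Same field names as MEMORY_BASIC_INFORMATION, but a plain tuple, not the ctypes struct.
MemoryRegion = namedtuple("MemoryRegion", "BaseAddress RegionSize State Protect Type")

# Base protections are single bits, so a mask test covers every PAGE_* value.
_READABLE   = (PAGE_READONLY | PAGE_READWRITE | PAGE_WRITECOPY |
               PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)
_WRITEABLE  = PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
_EXECUTABLE = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

def has_content(mbi):
    """Only committed regions hold bytes; reserved and free ranges have nothing to read."""
    return mbi.State == MEM_COMMIT

def _accessible(mbi):
    # A guard page is committed, but touching it raises STATUS_GUARD_PAGE_VIOLATION,
    # so it fails every read/write/execute test below.
    return has_content(mbi) and not (mbi.Protect & PAGE_GUARD)

def is_readable(mbi):   return _accessible(mbi) and bool(mbi.Protect & _READABLE)
def is_writeable(mbi):  return _accessible(mbi) and bool(mbi.Protect & _WRITEABLE)
def is_executable(mbi): return _accessible(mbi) and bool(mbi.Protect & _EXECUTABLE)
def is_executable_and_writeable(mbi): return is_executable(mbi) and is_writeable(mbi)
def is_image(mbi):  return mbi.Type == MEM_IMAGE
def is_mapped(mbi): return mbi.Type == MEM_MAPPED

def custom_address_iterator(memory_map, condition):
    """Yield only the regions for which condition(region) is True."""
    for mbi in memory_map:
        if condition(mbi):
            yield mbi

def data_address_iterator(memory_map):       return custom_address_iterator(memory_map, has_content)
def image_address_iterator(memory_map):      return custom_address_iterator(memory_map, is_image)
def mapped_address_iterator(memory_map):     return custom_address_iterator(memory_map, is_mapped)
def readable_address_iterator(memory_map):   return custom_address_iterator(memory_map, is_readable)
def writeable_address_iterator(memory_map):  return custom_address_iterator(memory_map, is_writeable)
def executable_address_iterator(memory_map): return custom_address_iterator(memory_map, is_executable)
def executable_and_writeable_address_iterator(memory_map):
    return custom_address_iterator(memory_map, is_executable_and_writeable)

def find_rwx_regions(memory_map):
    """Defender check: (base, size) of every region that is both writeable and executable.
    Such regions bypass DEP/W^X and deserve a look unless they are a known JIT heap."""
    return [(mbi.BaseAddress, mbi.RegionSize)
            for mbi in executable_and_writeable_address_iterator(memory_map)]

# Constructed sample map (not a real process): an image, a heap, a stack guard page,
# an RWX region, a reserved range, a mapped file and a free range.
SAMPLE_MEMORY_MAP = [
    MemoryRegion(0x00400000, 0x1000,   MEM_COMMIT,  PAGE_READONLY,               MEM_IMAGE),    # PE headers
    MemoryRegion(0x00401000, 0x8000,   MEM_COMMIT,  PAGE_EXECUTE_READ,           MEM_IMAGE),    # .text
    MemoryRegion(0x00409000, 0x2000,   MEM_COMMIT,  PAGE_READWRITE,              MEM_IMAGE),    # .data
    MemoryRegion(0x00500000, 0x10000,  MEM_COMMIT,  PAGE_READWRITE,              MEM_PRIVATE),  # heap
    MemoryRegion(0x00510000, 0x1000,   MEM_COMMIT,  PAGE_READWRITE | PAGE_GUARD, MEM_PRIVATE),  # stack guard page
    MemoryRegion(0x00600000, 0x4000,   MEM_COMMIT,  PAGE_EXECUTE_READWRITE,      MEM_PRIVATE),  # RWX region
    MemoryRegion(0x00700000, 0x20000,  MEM_RESERVE, 0,                           MEM_PRIVATE),  # reserved only
    MemoryRegion(0x00800000, 0x3000,   MEM_COMMIT,  PAGE_READONLY,               MEM_MAPPED),   # mapped file
    MemoryRegion(0x00803000, 0x7FD000, MEM_FREE,    PAGE_NOACCESS,               0),            # free
]

def summarize(memory_map):
    """How many regions each iterator yields, in the order the reference lists them."""
    return {
        "data":       len(list(data_address_iterator(memory_map))),
        "image":      len(list(image_address_iterator(memory_map))),
        "mapped":     len(list(mapped_address_iterator(memory_map))),
        "readable":   len(list(readable_address_iterator(memory_map))),
        "writeable":  len(list(writeable_address_iterator(memory_map))),
        "executable": len(list(executable_address_iterator(memory_map))),
        "rwx":        len(find_rwx_regions(memory_map)),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_MEMORY_MAP), find_rwx_regions(SAMPLE_MEMORY_MAP))
```

The guard page is the edge case worth noting: it is committed (so DataAddressIterator would yield it) but none of the readable, writeable or executable filters accept it, since the first access faults.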

17 Package winappdbg.win32

Debugging API wrappers in ctypes.

17.1 Modules

advapi32: Wrapper for advapi32.dll in ctypes.
(Section 18, p. 140)
context_amd64: CONTEXT structure for amd64.
(Section 19, p. 162)
context_i386: CONTEXT structure for i386.
(Section 20, p. 165)
dbghelp: Wrapper for dbghelp.dll in ctypes.
(Section 21, p. 167)
defines: Common definitions.
(Section 22, p. 176)
gdi32: Wrapper for gdi32.dll in ctypes.
(Section 23, p. 183)
kernel32: Wrapper for kernel32.dll in ctypes.
(Section 24, p. 191)
ntdll: Wrapper for ntdll.dll in ctypes.
(Section 25, p. 233)
peb_teb: PEB and TEB structures, constants and data types.
(Section 26, p. 243)
psapi: Wrapper for psapi.dll in ctypes.
(Section 27, p. 247)
shell32: Wrapper for shell32.dll in ctypes.
(Section 28, p. 249)
shlwapi: Wrapper for shlwapi.dll in ctypes.
(Section 29, p. 254)
user32: Wrapper for user32.dll in ctypes.
(Section 30, p. 262)
version: Detect the current architecture and operating system.
(Section 31, p. 275)
wtsapi32: Wrapper for wtsapi32.dll in ctypes.
(Section 32, p. 286)
17.2 Classes

Rect: Python wrapper over the RECT class.
(Section 384, p. 1139)
LPWINDOWPLACEMENT (Section 382, p. 1135)
PGUITHREADINFO (Section 146, p. 774)
63

Classes

Package winappdbg.win32

WINDOWPLACEMENT (Section ??, p. ??)
Point: Python wrapper over the POINT class.
(Section 383, p. 1136)
WNDENUMPROC (Section 179, p. 807)
PWINDOWPLACEMENT (Section 382, p. 1135)
WindowPlacement: Python wrapper over the WINDOWPLACEMENT class.
(Section 386, p. 1143)
GUITHREADINFO (Section 381, p. 1133)
LPGUITHREADINFO (Section 146, p. 774)
ServiceStatusEntry: Service status entry returned by EnumServicesStatus.
(Section 198, p. 840)
PWTS_PROCESS_INFOW (Section 178, p. 806)
ENUM_SERVICE_STATUSA (Section 180, p. 808)
WTS_INFO_CLASS (Section 39, p. 331)
PSECURITY_IMPERSONATION_LEVEL (Section 160, p. 788)
TOKEN_INFORMATION_CLASS (Section 39, p. 331)
LPENUM_SERVICE_STATUSA (Section 129, p. 757)
PWAITCHAINCALLBACK (Section 175, p. 803)
SID_AND_ATTRIBUTES (Section 193, p. 829)
TOKEN_ELEVATION_TYPE (Section 39, p. 331)
PTOKEN_ORIGIN (Section 169, p. 797)
TOKEN_APPCONTAINER_INFORMATION (Section 201, p. 843)
LPSERVICE_STATUS (Section 138, p. 766)
TOKEN_LINKED_TOKEN (Section 202, p. 844)
LPENUM_SERVICE_STATUSW (Section 130, p. 758)
PTOKEN_ELEVATION_TYPE (Section 160, p. 788)
ServiceStatus: Wrapper for the SERVICE_STATUS structure.
(Section 197, p. 839)
SAFER_POLICY_INFO_CLASS (Section 46, p. 338)
HWCT (Section 52, p. 344)
PTOKEN_LINKED_TOKEN (Section 168, p. 796)
LPENUM_SERVICE_STATUS_PROCESSW (Section 132, p. 760)
LPENUM_SERVICE_STATUS_PROCESSA (Section 131, p. 759)
TOKEN_STATISTICS (Section 208, p. 850)
WTS_PROCESS_INFOA (Section 395, p. 1159)
WTS_PROCESS_INFOW (Section 396, p. 1161)
ThreadWaitChainSessionHandle: Thread wait chain session handle.
(Section 210, p. 853)
LUID_AND_ATTRIBUTES (Section 186, p. 818)
SaferLevelHandle: Safer level handle.
(Section 194, p. 830)
ServiceStatusProcessEntry: Service status entry returned by EnumServicesStatusEx.
(Section 200, p. 842)
PWTS_CLIENT_DISPLAY (Section 177, p. 805)

PSID_AND_ATTRIBUTES (Section 161, p. 789)
ServiceControlManagerHandle: Service Control Manager (SCM) handle.
(Section 195, p. 833)
WTS_CLIENT_DISPLAY (Section 394, p. 1157)
SERVICE_STATUS (Section 191, p. 825)
SECURITY_IMPERSONATION_LEVEL (Section 39, p. 331)
TOKEN_MANDATORY_LABEL (Section 203, p. 845)
TOKEN_OWNER (Section 205, p. 847)
ENUM_SERVICE_STATUSW (Section 181, p. 810)
SC_ENUM_TYPE (Section 39, p. 331)
WCT_OBJECT_TYPE (Section 46, p. 338)
PWAITCHAIN_NODE_INFO (Section 176, p. 804)
TOKEN_ORIGIN (Section 204, p. 846)
SERVICE_STATUS_PROCESS (Section 192, p. 827)
PTOKEN_STATISTICS (Section 173, p. 801)
PTOKEN_PRIMARY_GROUP (Section 171, p. 799)
TokenHandle: Access token handle.
(Section 211, p. 856)
TOKEN_PRIVILEGES (Section 207, p. 849)
LUID (Section 185, p. 817)
PTOKEN_USER (Section 189, p. 821)
PLUID (Section 155, p. 783)
PTOKEN_PRIVILEGES (Section 172, p. 800)
PTOKEN_APPCONTAINER_INFORMATION (Section 187, p. 819)
WAITCHAIN_NODE_INFO (Section 212, p. 859)
WCT_OBJECT_STATUS (Section 46, p. 338)
PTOKEN_TYPE (Section 160, p. 788)
PWTS_PROCESS_INFOA (Section 393, p. 1156)
PTOKEN_OWNER (Section 170, p. 798)
SC_HANDLE (Section 52, p. 344)
RegistryKeyHandle: Registry key handle.
(Section 190, p. 822)
PTOKEN_MANDATORY_LABEL (Section 188, p. 820)
SC_STATUS_TYPE (Section 39, p. 331)
WTS_CONNECTSTATE_CLASS (Section 39, p. 331)
ENUM_SERVICE_STATUS_PROCESSW (Section 183, p. 814)
ServiceStatusProcess: Wrapper for the SERVICE_STATUS_PROCESS structure.
(Section 199, p. 841)
ENUM_SERVICE_STATUS_PROCESSA (Section 182, p. 812)
SAFER_LEVEL_HANDLE (Section 52, p. 344)
TOKEN_USER (Section 209, p. 852)
TOKEN_TYPE (Section 39, p. 331)
WaitChainNodeInfo: Represents a node in the wait chain.
(Section 213, p. 861)

TOKEN_PRIMARY_GROUP (Section 206, p. 848)
LPSERVICE_STATUS_PROCESS (Section 184, p. 816)
ServiceHandle: Service handle.
(Section 196, p. 836)
SHELLEXECUTEINFO (Section 380, p. 1131)
LPSHELLEXECUTEINFO (Section 379, p. 1130)
LPMODULEINFO (Section 135, p. 763)
MODULEINFO (Section 378, p. 1128)
OSVERSIONINFOW (Section 390, p. 1150)
LPSECURITY_ATTRIBUTES (Section 137, p. 765)
OSVERSIONINFOA (Section 387, p. 1144)
RIP_INFO (Section 329, p. 1036)
THREADNAME_INFO (Section 339, p. 1054)
STARTUPINFOEXW (Section 334, p. 1044)
PCHAR_INFO (Section 143, p. 771)
FILE_INFO_BY_HANDLE_CLASS (Section 282, p. 965)
LPHEAPLIST32 (Section 295, p. 988)
STARTUPINFO (Section 332, p. 1041)
THREADENTRY32 (Section 338, p. 1052)
PSYM_ENUMSYMBOLS_CALLBACKW64 (Section 167, p. 795)
PSYM_ENUMMODULES_CALLBACK (Section 162, p. 790)
POSVERSIONINFOA (Section 157, p. 785)
POSVERSIONINFOW (Section 158, p. 786)
LPMODULEENTRY32 (Section 134, p. 762)
PGET_MODULE_BASE_ROUTINE64 (Section 145, p. 773)
MEMORY_BASIC_INFORMATION64 (Section 309, p. 1004)
IMAGEHLP_MODULEW (Section 237, p. 898)
ProcessHandle: Win32 process handle.
(Section 327, p. 1032)
OUTPUT_DEBUG_STRING_INFO (Section 312, p. 1012)
PSYM_ENUMMODULES_CALLBACKW64 (Section 163, p. 791)
PSYM_ENUMSYMBOLS_CALLBACK64 (Section 165, p. 793)
MEMORY_BASIC_INFORMATION (Section 307, p. 1000)
PFUNCTION_TABLE_ACCESS_ROUTINE64 (Section 144, p. 772)
PPROC_THREAD_ATTRIBUTE_LIST (Section 52, p. 344)
IMAGEHLP_MODULE (Section 235, p. 894)
EXCEPTION_RECORD (Section 276, p. 956)
STACKFRAME64 (Section 247, p. 913)
SnapshotHandle: Toolhelp32 snapshot handle.
(Section 337, p. 1049)
LPJIT_DEBUG_INFO64 (Section 296, p. 989)
Handle: Encapsulates Win32 handles to avoid leaking them.
(Section 287, p. 976)
PREAD_PROCESS_MEMORY_ROUTINE64 (Section 159, p. 787)

EXIT_PROCESS_DEBUG_INFO (Section 279, p. 962)
LPLDT_ENTRY (Section 232, p. 889)
PSYM_ENUMSYMBOLS_CALLBACK (Section 164, p. 792)
LPJIT_DEBUG_INFO (Section 296, p. 989)
STARTUPINFOEX (Section 333, p. 1043)
PIMAGEHLP_MODULEW64 (Section 150, p. 778)
PTRANSLATE_ADDRESS_ROUTINE64 (Section 145, p. 773)
HEAPENTRY32 (Section 285, p. 972)
SECURITY_ATTRIBUTES (Section 330, p. 1037)
JIT_DEBUG_INFO32 (Section 288, p. 979)
LPFILETIME (Section 292, p. 985)
PIMAGEHLP_MODULEW (Section 149, p. 777)
LPTHREADENTRY32 (Section 306, p. 999)
LPFLOATING_SAVE_AREA (Section 293, p. 986)
API_VERSION (Section 234, p. 892)
PROCESSENTRY32 (Section 322, p. 1024)
OVERLAPPED (Section 313, p. 1014)
ThreadHandle: Win32 thread handle.
(Section 340, p. 1056)
PKDHELP64 (Section 154, p. 782)
KDHELP64 (Section 241, p. 906)
LPSYSTEM_INFO (Section 139, p. 767)
SMALL_RECT (Section 331, p. 1039)
LPOVERLAPPED (Section 298, p. 991)
PIMAGEHLP_SYMBOLW64 (Section 152, p. 780)
PAPI_VERSION (Section 142, p. 770)
JIT_DEBUG_INFO (Section 288, p. 979)
DEBUG_EVENT (Section 274, p. 953)
LPPROCESSENTRY32 (Section 299, p. 992)
PEXCEPTION_RECORD (Section 316, p. 1018)
LPVS_FIXEDFILEINFO (Section 325, p. 1029)
UNLOAD_DLL_DEBUG_INFO (Section 341, p. 1059)
PHANDLER_ROUTINE (Section 319, p. 1021)
LPOSVERSIONINFOEXW (Section 297, p. 990)
LPOSVERSIONINFOEXA (Section 321, p. 1023)
ProcThreadAttributeList: Extended process and thread attribute support.
(Section 326, p. 1030)
EXCEPTION_RECORD32 (Section 277, p. 958)
PLDT_ENTRY (Section 232, p. 889)
IMAGEHLP_MODULE64 (Section 236, p. 896)
ADDRESS64 (Section 233, p. 890)
SYM_INFO (Section 248, p. 915)
LPPROC_THREAD_ATTRIBUTE_LIST (Section 52, p. 344)
FileHandle: Win32 file handle.

(Section 283, p. 966)
JIT_DEBUG_INFO64 (Section 288, p. 979)
IMAGEHLP_SYMBOL64 (Section 239, p. 902)
MemoryBasicInformation: Memory information object returned by VirtualQueryEx.
(Section 311, p. 1008)
SYSTEM_INFO (Section 391, p. 1152)
PSYM_ENUMSYMBOLS_CALLBACKW (Section 166, p. 794)
LPHEAPENTRY32 (Section 294, p. 987)
PIMAGEHLP_MODULE (Section 147, p. 775)
ProcessInformation: Process information object returned by CreateProcess.
(Section 328, p. 1035)
PIMAGEHLP_SYMBOL64 (Section 151, p. 779)
PCOORD (Section 315, p. 1017)
LPSYSTEMTIME (Section 305, p. 998)
EXIT_THREAD_DEBUG_INFO (Section 280, p. 963)
PIMAGEHLP_MODULE64 (Section 148, p. 776)
LPSTARTUPINFOEX (Section 302, p. 995)
LPJIT_DEBUG_INFO32 (Section 296, p. 989)
SYM_INFOW (Section 249, p. 917)
FLOATING_SAVE_AREA (Section 229, p. 884)
CREATE_THREAD_DEBUG_INFO (Section 273, p. 951)
LOAD_DLL_DEBUG_INFO (Section 289, p. 981)
PFLOATING_SAVE_AREA (Section 293, p. 986)
EXCEPTION_RECORD64 (Section 278, p. 960)
FileMappingHandle: File mapping handle.
(Section 284, p. 969)
LPSTARTUPINFOW (Section 304, p. 997)
LPADDRESS64 (Section 127, p. 755)
PEXCEPTION_RECORD64 (Section 318, p. 1020)
LPSTARTUPINFO (Section 301, p. 994)
UserModeHandle: Base class for non-kernel handles.
(Section 342, p. 1060)
HEAPLIST32 (Section 286, p. 974)
ADDRESS_MODE (Section 46, p. 338)
PSYM_INFO (Section 245, p. 911)
COORD (Section 271, p. 948)
VS_FIXEDFILEINFO (Section 343, p. 1063)
LPBY_HANDLE_FILE_INFORMATION (Section 290, p. 983)
LPCONTEXT (Section 231, p. 888)
SYSTEMTIME (Section 336, p. 1047)
LPAPI_VERSION (Section 142, p. 770)
PSYM_ENUMMODULES_CALLBACKW (Section 244, p. 910)
PCONSOLE_SCREEN_BUFFER_INFO (Section 314, p. 1016)
LDT_ENTRY (Section 230, p. 886)

POSVERSIONINFOEXA (Section 321, p. 1023)
MEMORY_BASIC_INFORMATION32 (Section 308, p. 1002)
POSVERSIONINFOEXW (Section 157, p. 785)
LPDEBUG_EVENT (Section 291, p. 984)
PVS_FIXEDFILEINFO (Section 325, p. 1029)
LPSTACKFRAME64 (Section 242, p. 908)
IMAGEHLP_SYMBOLW64 (Section 240, p. 904)
PMEMORY_BASIC_INFORMATION (Section 320, p. 1022)
EXCEPTION_DEBUG_INFO (Section 275, p. 955)
LPSTARTUPINFOEXW (Section 303, p. 996)
IMAGEHLP_MODULEW64 (Section 238, p. 900)
FILETIME (Section 281, p. 964)
CONTEXT (Section ??, p. ??)
CONSOLE_SCREEN_BUFFER_INFO (Section 270, p. 946)
PEXCEPTION_RECORD32 (Section 317, p. 1019)
BY_HANDLE_FILE_INFORMATION (Section 268, p. 943)
CHAR_INFO (Section 269, p. 945)
CREATE_PROCESS_DEBUG_INFO (Section 272, p. 949)
PROCESS_INFORMATION (Section 323, p. 1026)
PSYM_ENUMMODULES_CALLBACK64 (Section 243, p. 909)
OSVERSIONINFOEXW (Section 389, p. 1148)
MODULEENTRY32 (Section 310, p. 1006)
PCONTEXT (Section 231, p. 888)
LPOSVERSIONINFOA (Section 157, p. 785)
LPOSVERSIONINFOW (Section 158, p. 786)
LPPROCESS_INFORMATION (Section 300, p. 993)
PSMALL_RECT (Section 324, p. 1028)
STARTUPINFOW (Section 335, p. 1045)
PSYM_INFOW (Section 246, p. 912)
OSVERSIONINFOEXA (Section 388, p. 1146)
Context: Register context dictionary for the i386 architecture.
(Section 228, p. 883)
DWORD_PTR (Section 46, p. 338)
CURDIR (Section 351, p. 1076)
GuessStringType: Decorator that guesses the correct version (A or W) to call based on the types of the strings passed as parameters.
(Section 253, p. 924)
PSTR (Section 36, p. 327)
HMODULE (Section 52, p. 344)
LONG64 (Section 41, p. 333)
PTEB (Section 366, p. 1104)
LONGLONG (Section 41, p. 333)
LPHANDLE (Section 133, p. 761)
PBOOL (Section 160, p. 788)

PROCESS_BASIC_INFORMATION (Section 346, p. 1068)
SYSDBG_COMMAND (Section 46, p. 338)
HDESK (Section 52, p. 344)
RTL_ACTIVATION_CONTEXT_STACK_FRAME (Section 369, p. 1107)
PTEB_ACTIVE_FRAME (Section 367, p. 1105)
LPARAM (Section 52, p. 344)
PULONG64 (Section 174, p. 802)
SQWORD (Section 41, p. 333)
INT64 (Section 41, p. 333)
REGSAM (Section 46, p. 338)
GDI_TEB_BATCH (Section 353, p. 1078)
FILE_NAME_INFORMATION (Section 344, p. 1065)
CCHAR (Section 35, p. 326)
HENHMETAFILE (Section 52, p. 344)
PSIZE_T (Section 140, p. 768)
Wx86ThreadState (Section 377, p. 1126)
PRTL_CRITICAL_SECTION (Section 363, p. 1101)
HMETAFILE (Section 52, p. 344)
SYSDBG_MSR (Section 347, p. 1070)
PPEBLOCKROUTINE (Section 52, p. 344)
FILE_INFORMATION_CLASS (Section 46, p. 338)
LPULONG (Section 140, p. 768)
HBITMAP (Section 52, p. 344)
SSIZE_T (Section 39, p. 331)
HKEY (Section 52, p. 344)
PPEB_FREE_BLOCK (Section 52, p. 344)
DWORD64 (Section 48, p. 340)
ULONG_PTR (Section 46, p. 338)
PPVOID (Section 133, p. 761)
UINT16 (Section 50, p. 342)
PNTTIB (Section 360, p. 1097)
PFLOAT128 (Section 257, p. 929)
PRTL_USER_PROCESS_PARAMETERS (Section 365, p. 1103)
HRESULT (Section 39, p. 331)
RTL_CRITICAL_SECTION (Section 370, p. 1109)
SWORD (Section 43, p. 335)
DWORDLONG (Section 48, p. 340)
LPVOID (Section 52, p. 344)
ULONG32 (Section 46, p. 338)
LONG_PTR (Section 46, p. 338)
TCHAR (Section 35, p. 326)
HDC (Section 52, p. 344)
HPEN (Section 52, p. 344)
HMF (Section 52, p. 344)

HEMF (Section 52, p. 344)
THREAD_BASIC_INFORMATION (Section 348, p. 1071)
SIZE_T (Section 46, p. 338)
WCHAR (Section 53, p. 345)
TEB_ACTIVE_FRAME_CONTEXT (Section 376, p. 1125)
LPWORD (Section 141, p. 769)
CHAR (Section 35, p. 326)
IO_STATUS_BLOCK (Section 345, p. 1066)
NTSTATUS (Section 39, p. 331)
WORD (Section 50, p. 342)
PTEB_ACTIVE_FRAME_CONTEXT (Section 368, p. 1106)
LPSBYTE (Section 136, p. 764)
PROCESSINFOCLASS (Section 46, p. 338)
PDWORD32 (Section 140, p. 768)
HANDLE (Section 52, p. 344)
RTL_CRITICAL_SECTION_DEBUG (Section 371, p. 1111)
EXCEPTION_DISPOSITION (Section 46, p. 338)
BOOLEAN (Section 45, p. 337)
LPSTR (Section 36, p. 327)
PDWORD_PTR (Section 140, p. 768)
PEB_FREE_BLOCK (Section 358, p. 1094)
HSTR (Section 52, p. 344)
LONG32 (Section 39, p. 331)
CLIENT_ID (Section 350, p. 1075)
LPLONG (Section 160, p. 788)
DWORD (Section 46, p. 338)
LPBOOL (Section 160, p. 788)
INT32 (Section 39, p. 331)
INT8 (Section 34, p. 325)
PACCESS_MASK (Section 140, p. 768)
PWSTR (Section 54, p. 346)
FLOAT (Section 37, p. 329)
PIO_STATUS_BLOCK (Section 153, p. 781)
FLOAT128 (Section 251, p. 921)
PVOID (Section 52, p. 344)
PM128A (Section 156, p. 784)
PREGSAM (Section 140, p. 768)
HGLOBAL (Section 52, p. 344)
QWORD (Section 48, p. 340)
LPULONG32 (Section 140, p. 768)
LPSWORD (Section 255, p. 927)
ACCESS_MASK (Section 46, p. 338)
PPEB (Section 52, p. 344)
SHORT (Section 43, p. 335)

PWCHAR (Section 54, p. 346)
RTL_DRIVE_LETTER_CURDIR (Section 372, p. 1113)
TEB_ACTIVE_FRAME (Section 375, p. 1123)
RVA64 (Section 48, p. 340)
LPWSTR (Section 54, p. 346)
HRSRC (Section 52, p. 344)
NT_TIB (Section 355, p. 1082)
HBRUSH (Section 52, p. 344)
UNICODE_STRING (Section 258, p. 930)
LPULONG64 (Section 174, p. 802)
HGDIOBJ (Section 52, p. 344)
DefaultStringType: Decorator that uses the default version (A or W) to call based on the configuration of the GuessStringType decorator.
(Section 250, p. 919)
LONG (Section 39, p. 331)
PPS_POST_PROCESS_INIT_ROUTINE (Section 52, p. 344)
HINSTANCE (Section 52, p. 344)
PEB (Section 356, p. 1084)
SDWORD (Section 39, p. 331)
HPALETTE (Section 52, p. 344)
PRTL_CRITICAL_SECTION_DEBUG (Section 364, p. 1102)
PEB_32 (Section 357, p. 1089)
DWORD32 (Section 46, p. 338)
PULONG32 (Section 140, p. 768)
UINT8 (Section 45, p. 337)
BYTE (Section 45, p. 337)
UINT64 (Section 48, p. 340)
LPDWORD (Section 140, p. 768)
INT (Section 39, p. 331)
EXCEPTION_REGISTRATION_RECORD (Section 352, p. 1077)
LIST_ENTRY (Section 254, p. 926)
M128A (Section 256, p. 928)
LPDWORD64 (Section 174, p. 802)
GUID (Section 252, p. 922)
ULONG64 (Section 48, p. 340)
THREADINFOCLASS (Section 46, p. 338)
UINT (Section 46, p. 338)
PPEB_LDR_DATA (Section 361, p. 1098)
SBYTE (Section 34, p. 325)
PDWORD (Section 140, p. 768)
PROCESSOR_NUMBER (Section 362, p. 1099)
HDWP (Section 52, p. 344)
HFILE (Section 52, p. 344)
RVA (Section 46, p. 338)
HKL (Section 52, p. 344)
PEB_LDR_DATA (Section 359, p. 1095)
PHKEY (Section 133, p. 761)
PNTSTATUS (Section 160, p. 788)
HWND (Section 52, p. 344)
HTASK (Section 52, p. 344)
PLONG (Section 160, p. 788)
ULONG (Section 46, p. 338)
UINT32 (Section 46, p. 338)
PEXCEPTION_REGISTRATION_RECORD (Section 52, p. 344)
UCHAR (Section 45, p. 337)
LPDWORD32 (Section 140, p. 768)
PSID (Section 52, p. 344)
HLOCAL (Section 52, p. 344)
KAFFINITY (Section 46, p. 338)
PULONG (Section 140, p. 768)
HRGN (Section 52, p. 344)
LPBYTE (Section 128, p. 756)
ACTIVATION_CONTEXT_STACK (Section 349, p. 1073)
INT16 (Section 43, p. 335)
PEXCEPTION_DISPOSITION (Section 52, p. 344)
LDR_MODULE (Section 354, p. 1080)
TEB (Section 374, p. 1117)
WPARAM (Section 46, p. 338)
USHORT (Section 50, p. 342)
BOOL (Section 39, p. 331)
LRESULT (Section 52, p. 344)
PDWORD64 (Section 174, p. 802)
PHANDLE (Section 133, p. 761)
HWINSTA (Section 52, p. 344)
PCHAR (Section 36, p. 327)
ULONGLONG (Section 48, p. 340)
LPSDWORD (Section 160, p. 788)
ATOM (Section 50, p. 342)
RTL_USER_PROCESS_PARAMETERS (Section 373, p. 1115)
HMETAFILEPICT (Section 52, p. 344)

17.3 Functions
ShowWindowAsync(hWnd, nCmdShow=5)
SendMessageW(hWnd, Msg, wParam=0, lParam=0)


GetClientRect(hWnd)
GetWindow(hWnd, uCmd)
IsWindowEnabled(hWnd)
WaitForInputIdle(hProcess, dwMilliseconds=-1)
GetWindowLongW(hWnd, nIndex=0)
PostMessageA(hWnd, Msg, wParam=0, lParam=0)
PostMessageW(hWnd, Msg, wParam=0, lParam=0)
ScreenToClient(hWnd, lpPoint)
FindWindowExA(hwndParent=None, hwndChildAfter=None, lpClassName=None, lpWindowName=None)
FindWindowExW(hwndParent=None, hwndChildAfter=None, lpClassName=None, lpWindowName=None)
GetWindowThreadProcessId(hWnd)
MoveWindow(hWnd, X, Y, nWidth, nHeight, bRepaint=True)
GetDesktopWindow()
SendMessageA(hWnd, Msg, wParam=0, lParam=0)
MapWindowPoints(hWndFrom, hWndTo, lpPoints)
RegisterClipboardFormatA(lpString)
GetForegroundWindow()
RegisterWindowMessageW(lpString)
SetWindowLongPtrW(hWnd, nIndex, dwNewLong)

IsWindow(hWnd)
WindowFromPoint(point)
ShowWindow(hWnd, nCmdShow=5)
EnableWindow(hWnd, bEnable=True)
SetWindowPlacement(hWnd, lpwndpl)
IsZoomed(hWnd)
GetWindowPlacement(hWnd)
SetWindowLongW(hWnd, nIndex, dwNewLong)
IsIconic(hWnd)
IsChild(hWnd)
SendNotifyMessageA(hWnd, Msg, wParam=0, lParam=0)
SetLastErrorEx(dwErrCode, dwType=0)
SendNotifyMessageW(hWnd, Msg, wParam=0, lParam=0)
SendDlgItemMessageA(hDlg, nIDDlgItem, Msg, wParam=0, lParam=0)
SendDlgItemMessageW(hDlg, nIDDlgItem, Msg, wParam=0, lParam=0)
ClientToScreen(hWnd, lpPoint)
GetClassNameW(hWnd)
GetPropA(hWnd, lpString)
SetWindowLongA(hWnd, nIndex, dwNewLong)


MAKE_LPARAM(lParam)
Convert arguments to the LPARAM type. Used automatically by SendMessage, PostMessage, etc. You shouldn't need to call this function.
GetWindowLongPtrW(hWnd, nIndex=0)
SendMessageTimeoutA(hWnd, Msg, wParam=0, lParam=0, fuFlags=0, uTimeout=0)
GetAncestor(hWnd, gaFlags=1)
SendMessageTimeoutW(hWnd, Msg, wParam=0, lParam=0)
EnumChildWindows(hWndParent=None)
ChildWindowFromPoint(hWndParent, point)
GetPropW(hWnd, lpString)
EnumThreadWindows(dwThreadId)
GetWindowLongA(hWnd, nIndex=0)
SetWindowTextW(hWnd, lpString=None)
PostThreadMessageW(idThread, Msg, wParam=0, lParam=0)
SetForegroundWindow(hWnd)
PostThreadMessageA(idThread, Msg, wParam=0, lParam=0)
FindWindowW(lpClassName=None, lpWindowName=None)
GetShellWindow()
FindWindowA(lpClassName=None, lpWindowName=None)
RealChildWindowFromPoint(hWndParent, ptParentClientCoords)


RegisterClipboardFormatW(lpString)
IsWindowVisible(hWnd)
GetGUIThreadInfo(idThread)
GetWindowTextW(hWnd)
GetWindowTextA(hWnd)
SetPropA(hWnd, lpString, hData)
SetPropW(hWnd, lpString, hData)
MAKE_WPARAM(wParam)
Convert arguments to the WPARAM type. Used automatically by SendMessage, PostMessage, etc. You shouldn't need to call this function.
GetWindowRect(hWnd)
GetWindowLongPtrA(hWnd, nIndex=0)
RegisterWindowMessageA(lpString)
GetParent(hWnd)
EnumWindows()
RemovePropA(hWnd, lpString)
RemovePropW(hWnd, lpString)
SetWindowLongPtrA(hWnd, nIndex, dwNewLong)
SetWindowTextA(hWnd, lpString=None)
GetClassNameA(hWnd)


ConvertSidToStringSidW(Sid)
ConvertSidToStringSidA(Sid)
OpenServiceW(hSCManager, lpServiceName, dwDesiredAccess=983551)
CreateProcessAsUserA(hToken=None, lpApplicationName=None, lpCommandLine=None, lpProcessAttributes=None, lpThreadAttributes=None, bInheritHandles=False, dwCreationFlags=0, lpEnvironment=None, lpCurrentDirectory=None, lpStartupInfo=None)
CreateProcessAsUserW(hToken=None, lpApplicationName=None, lpCommandLine=None, lpProcessAttributes=None, lpThreadAttributes=None, bInheritHandles=False, dwCreationFlags=0, lpEnvironment=None, lpCurrentDirectory=None, lpStartupInfo=None)
EqualSid(pSid1, pSid2)
GetServiceKeyNameW(hSCManager, lpDisplayName)
GetServiceKeyNameA(hSCManager, lpDisplayName)
SaferIsExecutableFileType(szFullPath, bFromShellExecute=False)
CloseServiceHandle(hSCObject)
OpenServiceA(hSCManager, lpServiceName, dwDesiredAccess=983551)
LookupPrivilegeValueA(lpSystemName, lpName)
LookupPrivilegeValueW(lpSystemName, lpName)
RegFlushKey(hKey)
RegDeleteKeyExA(hKeySrc, lpSubKey=None, samDesired=512)
RegDeleteKeyExW(hKeySrc, lpSubKey=None, samDesired=512)
StartServiceW(hService, ServiceArgVectors=None)


EnumServicesStatusExW(hSCManager, InfoLevel=0, dwServiceType=59, dwServiceState=3, pszGroupName=None)
EnumServicesStatusExA(hSCManager, InfoLevel=0, dwServiceType=59, dwServiceState=3, pszGroupName=None)
QueryServiceStatus(hService)
DeleteService(hService)
RegDeleteTreeW(hKey, lpSubKey=None)
RegDeleteTreeA(hKey, lpSubKey=None)
IsValidSid(pSid)
GetUserNameW()
RegConnectRegistryA(lpMachineName=None, hKey=2147483650)
OpenSCManagerW(lpMachineName=None, lpDatabaseName=None, dwDesiredAccess=983103)
OpenSCManagerA(lpMachineName=None, lpDatabaseName=None, dwDesiredAccess=983103)
RegCreateKeyW(hKey=2147483650, lpSubKey=None)
WTSEnumerateProcessesW(hServer=0)
WTSEnumerateProcessesA(hServer=0)
AdjustTokenPrivileges(TokenHandle, NewState=())
GetLengthSid(pSid)
RegSetValueExW(hKey, lpValueName=None, lpData=None, dwType=None)
RegSetValueExA(hKey, lpValueName=None, lpData=None, dwType=None)


RegEnumValueW(hKey, dwIndex, bGetData=True)
RegEnumValueA(hKey, dwIndex, bGetData=True)
RegDeleteKeyA(hKeySrc, lpSubKey=None)
RegOpenCurrentUser(samDesired=983103)
RegDeleteKeyW(hKeySrc, lpSubKey=None)
RegOpenKeyA(hKey=2147483650, lpSubKey=None)
RegOpenKeyW(hKey=2147483650, lpSubKey=None)
SaferCloseLevel(hLevelHandle)
SaferComputeTokenFromLevel(LevelHandle, InAccessToken=None, dwFlags=0)
RegCloseKey(hKey)
RegDeleteKeyValueA(hKeySrc, lpSubKey=None, lpValueName=None)
RegDeleteKeyValueW(hKeySrc, lpSubKey=None, lpValueName=None)
RegCopyTreeW(hKeySrc, lpSubKey, hKeyDest)
RegCopyTreeA(hKeySrc, lpSubKey, hKeyDest)
WTSFreeMemory(pMemory)
CreateProcessWithLogonA(*argv, **argd)
CreateProcessWithLogonW(lpUsername=None, lpDomain=None, lpPassword=None, dwLogonFlags=0, lpApplicationName=None, lpCommandLine=None, dwCreationFlags=0, lpEnvironment=None, lpCurrentDirectory=None, lpStartupInfo=None)
OpenProcessToken(ProcessHandle, DesiredAccess=983551)


EnumServicesStatusA(hSCManager, dwServiceType=59, dwServiceState=3)
EnumServicesStatusW(hSCManager, dwServiceType=59, dwServiceState=3)
DuplicateTokenEx(hExistingToken, dwDesiredAccess=983551, lpTokenAttributes=None, ImpersonationLevel=2, TokenType=1)
GetUserNameA()
GetThreadWaitChain(WctHandle, Context=None, Flags=7, ThreadId=-1, NodeCount=16)
ConvertStringSidToSidW(StringSid)
RegQueryValueA(hKey, lpSubKey=None)
ConvertStringSidToSidA(StringSid)
RegQueryValueW(hKey, lpSubKey=None)
GetServiceDisplayNameW(hSCManager, lpServiceName)
GetServiceDisplayNameA(hSCManager, lpServiceName)
CloseThreadWaitChainSession(WctHandle)
OpenThreadToken(ThreadHandle, DesiredAccess, OpenAsSelf=True)
CreateProcessWithTokenA(*argv, **argd)
CreateProcessWithTokenW(hToken=None, dwLogonFlags=0, lpApplicationName=None, lpCommandLine=None, dwCreationFlags=0, lpEnvironment=None, lpCurrentDirectory=None, lpStartupInfo=None)
CreateServiceA(hSCManager, lpServiceName, lpDisplayName=None, dwDesiredAccess=983551, dwServiceType=16, dwStartType=3, dwErrorControl=1, lpBinaryPathName=None, lpLoadOrderGroup=None, lpDependencies=None, lpServiceStartName=None, lpPassword=None)

CreateServiceW(hSCManager, lpServiceName, lpDisplayName=None, dwDesiredAccess=983551, dwServiceType=16, dwStartType=3, dwErrorControl=1, lpBinaryPathName=None, lpLoadOrderGroup=None, lpDependencies=None, lpServiceStartName=None, lpPassword=None)
FreeSid(pSid)
RegEnumKeyW(hKey, dwIndex)
RegEnumKeyA(hKey, dwIndex)
RegQueryValueExA(hKey, lpValueName=None, bGetData=True)
RegQueryValueExW(hKey, lpValueName=None, bGetData=True)
StartServiceA(hService, ServiceArgVectors=None)
WTSTerminateProcess(hServer, ProcessId, ExitCode)
IsTokenRestricted(hTokenHandle)
ProcessIdToSessionId(dwProcessId)
CopySid(pSourceSid)
ControlService(hService, dwControl)
QueryServiceStatusEx(hService, InfoLevel=0)
WTSGetActiveConsoleSessionId()
SaferiIsExecutableFileType(szFullPath, bFromShellExecute=False)
RegOpenUserClassesRoot(hToken, samDesired=983103)
RegOpenKeyExW(hKey=2147483650, lpSubKey=None, samDesired=983103)


RegOpenKeyExA(hKey=2147483650, lpSubKey=None, samDesired=983103)
RegCreateKeyA(hKey=2147483650, lpSubKey=None)
RegDeleteValueW(hKeySrc, lpValueName=None)
RegDeleteValueA(hKeySrc, lpValueName=None)
OpenThreadWaitChainSession(Flags=0, callback=None)
GetTokenInformation(hTokenHandle, TokenInformationClass)
RegConnectRegistryW(lpMachineName=None, hKey=2147483650)
SaferCreateLevel(dwScopeId=2, dwLevelId=131072, OpenFlags=0)
LookupAccountSidW(lpSystemName, lpSid)
DuplicateToken(ExistingTokenHandle, ImpersonationLevel=2)
LookupAccountSidA(lpSystemName, lpSid)
RegSetValueEx(hKey, lpValueName=None, lpData=None, dwType=None)
LookupPrivilegeNameW(lpSystemName, lpLuid)
LookupPrivilegeNameA(lpSystemName, lpLuid)
CommandLineToArgvA(lpCmdLine)
CommandLineToArgvW(lpCmdLine)
ShellExecuteExA(lpExecInfo)
ShellExecuteExW(lpExecInfo)
SHGetFolderPathW(nFolder, hToken=None, dwFlags=0)


SHGetFolderPathA(nFolder, hToken=None, dwFlags=0)
ShellExecuteEx(lpExecInfo)
FindExecutableW(lpFile, lpDirectory=None)
ShellExecuteW(hwnd=None, lpOperation=None, lpFile=None, lpParameters=None, lpDirectory=None, nShowCmd=None)
FindExecutableA(lpFile, lpDirectory=None)
IsUserAnAdmin()
ShellExecuteA(hwnd=None, lpOperation=None, lpFile=None, lpParameters=None, lpDirectory=None, nShowCmd=None)
PathMakePrettyW(pszPath)
PathMakePrettyA(pszPath)
PathFindFileNameW(pszPath)
PathFindFileNameA(pszPath)
PathIsContentTypeW(pszPath, pszContentType)
PathIsContentTypeA(pszPath, pszContentType)
PathIsUNCA(pszPath)
PathCombineA(lpszDir, lpszFile)
PathCombineW(lpszDir, lpszFile)
PathRenameExtensionW(pszPath, pszExt)
PathRenameExtensionA(pszPath, pszExt)
IsOS(dwOS)

PathCanonicalizeA(lpszSrc)
PathCanonicalizeW(lpszSrc)
PathFindNextComponentW(pszPath)
PathFindNextComponentA(pszPath)
PathIsDirectoryEmptyW(pszPath)
PathIsDirectoryEmptyA(pszPath)
PathFindOnPathW(pszFile, ppszOtherDirs=None)
PathFindOnPathA(pszFile, ppszOtherDirs=None)
PathRelativePathToA(pszFrom=None, dwAttrFrom=16, pszTo=None, dwAttrTo=16)
PathIsNetworkPathW(pszPath)
PathUnExpandEnvStringsA(pszPath)
PathIsDirectoryW(pszPath)
PathFindExtensionA(pszPath)
PathFindExtensionW(pszPath)
PathIsRootA(pszPath)
PathUnExpandEnvStringsW(pszPath)
PathIsDirectoryA(pszPath)
PathAppendA(lpszPath, pszMore=None)
PathAppendW(lpszPath, pszMore=None)


PathGetArgsA(pszPath)
PathGetArgsW(pszPath)
PathRemoveExtensionA(pszPath)
PathRemoveExtensionW(pszPath)
PathIsRelativeA(pszPath)
PathIsRelativeW(pszPath)
PathIsUNCW(pszPath)
PathIsNetworkPathA(pszPath)
PathRemoveArgsW(pszPath)
PathRemoveBackslashA(pszPath)
PathIsRootW(pszPath)
PathRemoveBackslashW(pszPath)
PathAddExtensionA(lpszPath, pszExtension=None)
PathAddExtensionW(lpszPath, pszExtension=None)
PathFileExistsA(pszPath)
PathFileExistsW(pszPath)
PathRemoveFileSpecW(pszPath)
PathIsSameRootW(pszPath1, pszPath2)
PathIsSameRootA(pszPath1, pszPath2)
PathAddBackslashA(lpszPath)

PathAddBackslashW(lpszPath)
PathRelativePathToW(pszFrom=None, dwAttrFrom=16, pszTo=None, dwAttrTo=16)
PathRemoveFileSpecA(pszPath)
PathRemoveArgsA(pszPath)
EnumProcesses()
GetProcessImageFileNameW(hProcess)
GetMappedFileNameA(hProcess, lpv)
GetDeviceDriverFileNameA(ImageBase)
GetModuleInformation(hProcess, hModule, lpmodinfo=None)
GetDeviceDriverFileNameW(ImageBase)
EnumProcessModules(hProcess)
GetProcessImageFileNameA(hProcess)
GetModuleFileNameExW(hProcess, hModule=None)
GetDeviceDriverBaseNameA(ImageBase)
EnumDeviceDrivers()
EnumProcessModulesEx(hProcess, dwFilterFlag=0)
GetDeviceDriverBaseNameW(ImageBase)
GetModuleFileNameExA(hProcess, hModule=None)
GetMappedFileNameW(hProcess, lpv)


WaitForSingleObject(hHandle, dwMilliseconds=-1)
GetGuiResources(hProcess, uiFlags=0)
ReleaseMutex(hMutex)
GetProcessAffinityMask(hProcess)
SymCleanup(hProcess)
VerQueryValueW(pBlock, lpSubBlock)
SetConsoleActiveScreenBuffer(hConsoleOutput=None)
VerQueryValueA(pBlock, lpSubBlock)
SetHandleInformation(hObject, dwMask, dwFlags)
OpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId)
SetProcessPriorityBoost(hProcess, DisablePriorityBoost)
GetFileInformationByHandleEx(hFile, FileInformationClass, lpFileInformation, dwBufferSize)
StackWalk64(MachineType, hProcess, hThread, StackFrame, ContextRecord=None, ReadMemoryRoutine=None, FunctionTableAccessRoutine=None, GetModuleBaseRoutine=None, TranslateAddress=None)
VirtualAllocEx(hProcess, lpAddress=0, dwSize=4096, flAllocationType=12288, flProtect=64)
ContinueDebugEvent(dwProcessId, dwThreadId, dwContinueStatus=2147549185)
SymSetParentWindow(hwnd)
GetThreadContext(hThread, ContextFlags=None, raw=False)

GetLogicalDriveStringsA()
OpenMutexA(dwDesiredAccess=2031617, bInitialOwner=True, lpName=None)
CreateMutexA(lpMutexAttributes=None, bInitialOwner=True, lpName=None)
CreateMutexW(lpMutexAttributes=None, bInitialOwner=True, lpName=None)
SearchPathW(lpPath, lpFileName, lpExtension)
SearchPathA(lpPath, lpFileName, lpExtension)
VirtualQueryEx(hProcess, lpAddress)
GetSystemMetrics(nIndex)
VirtualProtectEx(hProcess, lpAddress, dwSize, flNewProtect=64)
CreateFileW(lpFileName, dwDesiredAccess=268435456, dwShareMode=0, lpSecurityAttributes=None, dwCreationDisposition=4, dwFlagsAndAttributes=128, hTemplateFile=None)
CreateFileA(lpFileName, dwDesiredAccess=268435456, dwShareMode=0, lpSecurityAttributes=None, dwCreationDisposition=4, dwFlagsAndAttributes=128, hTemplateFile=None)
SetLastError(dwErrCode)
VerSetConditionMask(dwlConditionMask, dwTypeBitMask, dwConditionMask)
GetThreadErrorMode()
GetProcAddressW(*argv, **argd)
GetProcAddressA(hModule, lpProcName)

SetThreadContext(hThread, lpContext)
GetVersion()
SymUnloadModule(hProcess, BaseOfDll)
GetCurrentThreadId()
GetCurrentProcessorNumber()
MapViewOfFile(hFileMappingObject, dwDesiredAccess=983103, dwFileOffsetHigh=0, dwFileOffsetLow=0, dwNumberOfBytesToMap=0)
GetModuleHandleA(lpModuleName)
SetDllDirectoryA(lpPathName=None)
Wow64RevertWow64FsRedirection(OldValue)
SetDllDirectoryW(lpPathName)
GetModuleHandleW(lpModuleName)
GetFileVersionInfoA(lptstrFilename)
GetFileVersionInfoW(lptstrFilename)
QueryFullProcessImageNameA(hProcess, dwFlags=0)
SymSetSearchPathW(hProcess, SearchPath=None)
SymSetSearchPathA(hProcess, SearchPath=None)
QueryFullProcessImageNameW(hProcess, dwFlags=0)
SetErrorMode(uMode)
GetSystemTimeAsFileTime()

SymGetModuleInfo64W(hProcess, dwAddr)
SymGetModuleInfo64A(hProcess, dwAddr)
SymSetOptions(SymOptions)
TerminateProcess(hProcess, dwExitCode=0)
FreeLibrary(hModule)
WaitForMultipleObjects(handles, bWaitAll=False, dwMilliseconds=-1)
GetConsoleCP()
SymGetOptions()
Heap32ListNext(hSnapshot, hl=None)
GetHandleInformation(hObject)
OpenFileMappingW(dwDesiredAccess, bInheritHandle, lpName)
OpenFileMappingA(dwDesiredAccess, bInheritHandle, lpName)
CheckRemoteDebuggerPresent(hProcess)
SetConsoleCP(wCodePageID)
SetConsoleWindowInfo(hConsoleOutput, bAbsolute, lpConsoleWindow)
SymEnumerateModulesA(hProcess, EnumModulesCallback, UserContext=None)
SymUnloadModule64(hProcess, BaseOfDll)
GlobalGetAtomNameW(nAtom)
SymFromNameW(hProcess, Name)

GetSystemInfo()
GlobalGetAtomNameA(nAtom)
AllocConsole()
CreateProcessA(lpApplicationName, lpCommandLine=None, lpProcessAttributes=None, lpThreadAttributes=None, bInheritHandles=False, dwCreationFlags=0, lpEnvironment=None, lpCurrentDirectory=None, lpStartupInfo=None)
CreateProcessW(lpApplicationName, lpCommandLine=None, lpProcessAttributes=None, lpThreadAttributes=None, bInheritHandles=False, dwCreationFlags=0, lpEnvironment=None, lpCurrentDirectory=None, lpStartupInfo=None)
SymGetModuleInfoA(hProcess, dwAddr)
VerifyVersionInfoA(lpVersionInfo, dwTypeMask, dwlConditionMask)
FileTimeToSystemTime(lpFileTime)
SymGetModuleInfoW(hProcess, dwAddr)
VerifyVersionInfoW(lpVersionInfo, dwTypeMask, dwlConditionMask)
SymEnumerateModules64W(hProcess, EnumModulesCallback, UserContext=None)
SymEnumerateModules64A(hProcess, EnumModulesCallback, UserContext=None)
LocalFree(hMem)
OpenThread(dwDesiredAccess, bInheritHandle, dwThreadId)
SymLoadModuleA(hProcess, hFile=None, ImageName=None, ModuleName=None, BaseOfDll=None, SizeOfDll=None)
SymLoadModuleW(*argv, **argd)

SetConsoleOutputCP(wCodePageID)
SetConsoleTextAttribute(hConsoleOutput=None, wAttributes=0)
FlushFileBuffers(hFile)
ResetEvent(hEvent)
SymEnumerateSymbols64A(hProcess, BaseOfDll, EnumSymbolsCallback, UserContext=None)
SymEnumerateSymbols64W(hProcess, BaseOfDll, EnumSymbolsCallback, UserContext=None)
GetFileInformationByHandle(hFile)
GetErrorMode()
MakeSureDirectoryPathExistsA(DirPath)
Wow64DisableWow64FsRedirection()
SymInitializeW(*argv, **argd)
GetProcessVersion(ProcessId)
GetExitCodeProcess(hProcess)
GetProcessId(hProcess)
Thread32First(hSnapshot)
GlobalFindAtomW(lpString)
GlobalFindAtomA(lpString)
SymFromAddrW(hProcess, Address)
GetLogicalDriveStringsW()

Heap32First(th32ProcessID, th32HeapID)
LoadLibraryW(pszLibrary)
LoadLibraryA(pszLibrary)
ReadProcessMemory(hProcess, lpBaseAddress, nSize)
GetConsoleScreenBufferInfo(hConsoleOutput=None)
DuplicateHandle(hSourceHandle, hSourceProcessHandle=None, hTargetProcessHandle=None, dwDesiredAccess=2031616, bInheritHandle=False, dwOptions=2)
SymGetSearchPathW(hProcess)
SymGetSymFromAddr64(hProcess, Address)
GetStdHandle(nStdHandle)
ImagehlpApiVersion()
MakeSureDirectoryPathExistsW(*argv, **argd)
LoadLibraryExA(pszLibrary, dwFlags=0)
LoadLibraryExW(pszLibrary, dwFlags=0)
CreateToolhelp32Snapshot(dwFlags=15, th32ProcessID=0)
ImagehlpApiVersionEx(MajorVersion, MinorVersion, Revision)
UpdateProcThreadAttribute(lpAttributeList, Attribute, Value, cbSize=None)
GetCurrentThread()
DeleteProcThreadAttributeList(lpAttributeList)

VerifyVersionInfo(lpVersionInfo, dwTypeMask, dwlConditionMask)
GetCurrentProcess()
FlushProcessWriteBuffers()
UnDecorateSymbolNameA(DecoratedName, Flags=0)
UnDecorateSymbolNameW(DecoratedName, Flags=0)
FlushInstructionCache(hProcess, lpBaseAddress=None, dwSize=0)
SymEnumerateSymbolsA(hProcess, BaseOfDll, EnumSymbolsCallback, UserContext=None)
GetTempFileNameW(lpPathName=None, lpPrefixString=u'TMP', uUnique=0)
GetTempFileNameA(lpPathName=None, lpPrefixString='TMP', uUnique=0)
Thread32Next(hSnapshot, te=None)
GetProcessTimes(hProcess=None)
PulseEvent(hEvent)
SymFromAddr(hProcess, Address)
UnmapViewOfFile(lpBaseAddress)
GetConsoleOutputCP()
Wow64SuspendThread(hThread)
DeviceIoControl(hDevice, dwIoControlCode, lpInBuffer, nInBufferSize, lpOutBuffer, nOutBufferSize, lpOverlapped)
SymLoadModule64W(*argv, **argd)

SymLoadModule64A(hProcess, hFile=None, ImageName=None, ModuleName=None, BaseOfDll=None, SizeOfDll=None)
SetProcessAffinityMask(hProcess, dwProcessAffinityMask)
GlobalAddAtomA(lpString)
GetThreadSelectorEntry(hThread, dwSelector)
GetVersionExW()
GetVersionExA()
Process32First(hSnapshot)
CreateEventW(lpMutexAttributes=None, bManualReset=False, bInitialState=False, lpName=None)
CreateEventA(lpMutexAttributes=None, bManualReset=False, bInitialState=False, lpName=None)
OpenMutexW(dwDesiredAccess=2031617, bInitialOwner=True, lpName=None)
Toolhelp32ReadProcessMemory(th32ProcessID, lpBaseAddress, cbRead)
Heap32Next(he)
WaitForDebugEvent(dwMilliseconds=-1)
ResumeThread(hThread)
SymEnumerateModulesW(hProcess, EnumModulesCallback, UserContext=None)
GetProcessPriorityBoost(hProcess)
WaitForMultipleObjectsEx(handles, bWaitAll=False, dwMilliseconds=-1, bAlertable=True)

CreateFileMappingW(hFile, lpAttributes=None, flProtect=64, dwMaximumSizeHigh=0, dwMaximumSizeLow=0, lpName=None)
CreateFileMappingA(hFile, lpAttributes=None, flProtect=64, dwMaximumSizeHigh=0, dwMaximumSizeLow=0, lpName=None)
GetLastError()
SymInitializeA(hProcess, UserSearchPath=None, fInvadeProcess=False)
SuspendThread(hThread)
CloseHandle(hHandle)
GetProcessHandleCount(hProcess)
GetThreadId(hThread)
OpenEventW(dwDesiredAccess=2031619, bInheritHandle=False, lpName=None)
OpenEventA(dwDesiredAccess=2031619, bInheritHandle=False, lpName=None)
SymGetSearchPathA(hProcess)
GetTempPathA()
GetTempPathW()
OutputDebugStringW(lpOutputString)
OutputDebugStringA(lpOutputString)
WriteProcessMemory(hProcess, lpBaseAddress, lpBuffer)
GetProcessDEPPolicy(hProcess)
FlushViewOfFile(lpBaseAddress, dwNumberOfBytesToFlush=0)

SetThreadErrorMode(dwNewMode)
InitializeProcThreadAttributeList(dwAttributeCount)
GlobalAddAtomW(lpString)
SetPriorityClass(hProcess, dwPriorityClass=32)
CreateRemoteThread(hProcess, lpThreadAttributes, dwStackSize, lpStartAddress, lpParameter, dwCreationFlags)
GetDllDirectoryW()
GetCurrentDirectoryW()
VirtualFreeEx(hProcess, lpAddress, dwSize=0, dwFreeType=32768)
GetCurrentDirectoryA()
RaiseIfLastError(result, func=None, arguments=())
Error checking for Win32 API calls with no error-specific return value.
Regardless of the return value, the function calls GetLastError(). If the code is not ERROR_SUCCESS then a WindowsError exception is raised.
For this to work, the user MUST call SetLastError(ERROR_SUCCESS) prior to calling the API. Otherwise an exception may be raised even on success, since most API calls don't clear the error status code.
SymEnumerateSymbolsW(hProcess, BaseOfDll, EnumSymbolsCallback, UserContext=None)
SymGetHomeDirectoryW(type)
SymSetHomeDirectoryW(hProcess, dir=None)
SymGetHomeDirectoryA(type)
SymSetHomeDirectoryA(hProcess, dir=None)

GenerateConsoleCtrlEvent(dwCtrlEvent, dwProcessGroupId )
GetDllDirectoryA()
GetNativeSystemInfo()
Heap32ListFirst(hSnapshot)
SymFromName(hProcess, Name)
GetFinalPathNameByHandleW(hFile, dwFlags=0)
GetFinalPathNameByHandleA(hFile, dwFlags=0)
GetLargePageMinimum()
DebugActiveProcessStop(dwProcessId)
IsWow64Process(hProcess)
SetConsoleCtrlHandler(HandlerRoutine=None, Add=True)
Module32First(hSnapshot)
SymRefreshModuleList(hProcess)
GetExitCodeThread(hThread)
Module32Next(hSnapshot, me=None)
DebugActiveProcess(dwProcessId)
Process32Next(hSnapshot, pe=None)
RtlPcToFileHeader(PcValue)
DebugBreakProcess(hProcess)
AttachConsole(dwProcessId=4294967295)

GlobalDeleteAtom(nAtom)
WaitForSingleObjectEx(hHandle, dwMilliseconds=-1, bAlertable=True)
SetSearchPathMode(Flags)
GetCurrentProcessId()
GetFullPathNameA(lpFileName)
SetEvent(hEvent)
QueryDosDeviceA(lpDeviceName=None)
QueryDosDeviceW(lpDeviceName)
GetFullPathNameW(lpFileName)
GetPriorityClass(hProcess)
DebugSetProcessKillOnExit(KillOnExit)
TerminateThread(hThread, dwExitCode=0)
GetProductInfo(dwOSMajorVersion, dwOSMinorVersion, dwSpMajorVersion, dwSpMinorVersion)
FreeConsole()
GetProcessIdOfThread(hThread)
Wow64EnableWow64FsRedirection(Wow64FsEnableRedirection)
This function may not work reliably when there are nested calls. Therefore,
this function has been replaced by the Wow64DisableWow64FsRedirection
and Wow64RevertWow64FsRedirection functions.
See Also:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa365744(v=vs.85).aspx

MakeWideVersion(fn)
Decorator that generates a Unicode (wide) version of an ANSI only API call.
Parameters
fn: ANSI version of the API function to call.
(type=callable)
RaiseIfNotZero(result, func=None, arguments=())
Error checking for some odd Win32 API calls.
The function is assumed to return an integer, which is zero on success. If the return value is nonzero the WindowsError exception is raised.
This is mostly useful for free()-like functions, where the return value is the pointer to the memory block on failure or a NULL pointer on success.
CsrGetProcessId()
RaiseIfNotErrorSuccess(result, func=None, arguments=())
Error checking for Win32 Registry API calls.
The function is assumed to return a Win32 error code. If the code is not ERROR_SUCCESS then a WindowsError exception is raised.
RaiseIfZero(result, func=None, arguments=())
Error checking for most Win32 API calls.
The function is assumed to return an integer, which is 0 on error. In that case the WindowsError exception is raised.
ZwQueryInformationFile(FileHandle, FileInformationClass, FileInformation, Length)
NtSystemDebugControl(Command, InputBuffer=None, InputBufferLength=None, OutputBuffer=None, OutputBufferLength=None)
NtQueryInformationProcess(ProcessHandle, ProcessInformationClass, ProcessInformationLength=None)
ZwQueryInformationThread(ThreadHandle, ThreadInformationClass, ThreadInformationLength=None)

ZwQueryInformationProcess(ProcessHandle, ProcessInformationClass, ProcessInformationLength=None)
NtQueryInformationFile(FileHandle, FileInformationClass, FileInformation, Length)
ZwSystemDebugControl(Command, InputBuffer=None, InputBufferLength=None, OutputBuffer=None, OutputBufferLength=None)
RtlNtStatusToDosError(Status)
NtQueryInformationThread(ThreadHandle, ThreadInformationClass, ThreadInformationLength=None)
MakeANSIVersion(fn)
Decorator that generates an ANSI version of a Unicode (wide) only API call.
Parameters
fn: Unicode (wide) version of the API function to call.
(type=callable)

17.4 Variables
Name = Value
WM_PRINTCLIENT = 792
WM_DEVMODECHANGE = 27
WM_GETTEXTLENGTH = 14
WM_INITMENUPOPUP = 279
CN_TRANSMIT = 2
WM_SYSCHAR = 262
SMTO_ERRORONEXIT = 32
WM_MENUCHAR = 288
WM_NOTIFYFORMAT = 85
SW_MAXIMIZE = 3
GWL_HINSTANCE = -6
WM_GETICON = 127
SMTO_NOTIMEOUTIFNOTHUNG = 8

WM_ENTERMENULOOP = 529
WPF_RESTORETOMAXIMIZED = 2
SW_SHOWNORMAL = 1
WM_PALETTEISCHANGING = 784
WM_PRINT = 791
SW_SHOWNOACTIVATE = 4
WM_SYSDEADCHAR = 263
WM_NULL = 0
WM_KEYFIRST = 256
WM_DELETEITEM = 45
WM_CLOSE = 16
WM_SYSCOMMAND = 274
WM_NCLBUTTONDOWN = 161
WM_ERASEBKGND = 20
WM_ASKCBFORMATNAME = 780
WM_NCDESTROY = 130
SW_SHOWMINIMIZED = 2
GW_ENABLEDPOPUP = 6
WM_NCMOUSEMOVE = 160
WM_MDINEXT = 548
WM_QUERYOPEN = 19
RegisterClipboardFormat = GuessStringType(RegisterClipboardFormatA, RegisterClipboa...
WM_MDIDESTROY = 545
WM_QUERYENDSESSION = 17
POINT = (no value listed)
WM_SIZECLIPBOARD = 779
WM_KEYDOWN = 256
WM_CANCELMODE = 31
WM_CONTEXTMENU = 123
GW_CHILD = 5
WM_QUERYDRAGICON = 55
WM_FONTCHANGE = 29
WM_CREATE = 1

WM_STYLECHANGED = 125
WM_MENUSELECT = 287
WM_MDIMAXIMIZE = 549
WM_COPY = 769
WM_ACTIVATE = 6
SetWindowText = GuessStringType(SetWindowTextA, SetWindowTextW)
WM_CHILDACTIVATE = 34
GWL_ID = -12
HWND_DESKTOP = 0
WM_MOUSEMOVE = 512
WM_PAINTICON = 38
WM_PAINTCLIPBOARD = 777
SMTO_BLOCK = 1
GW_HWNDFIRST = 0
GA_PARENT = 1
WM_INPUTLANGCHANGEREQUEST = 80
WM_GETHOTKEY = 51
WM_OTHERWINDOWCREATED = 66
GetWindowLongPtr = DefaultStringType(GetWindowLongA, GetWindowLongW)
WM_MDICREATE = 544
WM_DROPFILES = 563
WM_DRAWCLIPBOARD = 776
WM_NCMBUTTONDBLCLK = 169
WM_NCRBUTTONDBLCLK = 166
WM_TIMER = 275
WM_CTLCOLORSTATIC = 312
WM_SYSKEYDOWN = 260
HWND_TOP = 1
WM_MOUSEFIRST = 512
FindWindowEx = GuessStringType(FindWindowExA, FindWindowExW)
WM_NCMBUTTONDOWN = 167

LPPOINT = (no value listed)
WM_MBUTTONUP = 520
WM_COMMNOTIFY = 68
WM_MOUSELAST = 521
WM_NCACTIVATE = 134
WM_SIZE = 5
WM_GETOBJECT = 61
WA_CLICKACTIVE = 2
WM_ENABLE = 10
HWND_MESSAGE = -3
WM_CTLCOLORMSGBOX = 306
SendMessageTimeout = GuessStringType(SendMessageTimeoutA, SendMessageTimeoutW)
WM_CTLCOLORBTN = 309
WM_VKEYTOITEM = 46
WM_CTLCOLORDLG = 310
WM_CUT = 768
GWLP_USERDATA = -21
WM_NCLBUTTONDBLCLK = 163
WM_RENDERFORMAT = 773
WM_PARENTNOTIFY = 528
WM_ICONERASEBKGND = 39
WM_HELP = 83
WM_SPOOLERSTATUS = 42
WM_INITDIALOG = 272
RemoveProp = GuessStringType(RemovePropA, RemovePropW)
WM_APP = 2048
WM_LBUTTONDBLCLK = 515
GW_HWNDPREV = 3
WM_SYSCOLORCHANGE = 21
CN_RECEIVE = 1
CN_EVENT = 4
WM_MDIACTIVATE = 546
GWL_EXSTYLE = -20
WM_CHANGECBCHAIN = 781
GWL_HWNDPARENT = -8

PWR_OK = 1
WM_GETDLGCODE = 135
WM_CLEAR = 771
PWR_FAIL = -1
GWL_USERDATA = -21
SW_RESTORE = 9
WM_PENWINLAST = 911
WM_CANCELJOURNAL = 75
WM_WINDOWPOSCHANGING = 70
SW_SHOW = 5
GW_HWNDLAST = 1
SW_SHOWMAXIMIZED = 3
WM_MBUTTONDOWN = 519
WM_MOVE = 3
WM_HOTKEY = 786
WM_SETICON = 128
PostThreadMessage = GuessStringType(PostThreadMessageA, PostThreadMessageW)
WM_HSCROLLCLIPBOARD = 782
WM_RBUTTONDOWN = 516
LPRECT = (no value listed)
WM_SETHOTKEY = 50
SW_NORMAL = 1
WM_SETCURSOR = 32
WM_COMPAREITEM = 57
WM_SETREDRAW = 11
WM_PAINT = 15
WM_MDICASCADE = 551
WM_MDIREFRESHMENU = 564
WM_TCARD = 82
WM_LBUTTONUP = 514
WM_MDIGETACTIVE = 553
WM_KEYLAST = 264
WM_VSCROLL = 277
GWLP_ID = -12
SW_SHOWNA = 8
WM_MDISETMENU = 560
WA_ACTIVE = 1

SetProp = GuessStringType(SetPropA, SetPropW)
WM_DESTROY = 2
GA_ROOTOWNER = 3
GetWindowLong = DefaultStringType(GetWindowLongA, GetWindowLongW)
WM_GETFONT = 49
WM_CTLCOLORLISTBOX = 308
WM_CHARTOITEM = 47
WM_NCPAINT = 133
GW_HWNDNEXT = 2
PWR_SUSPENDRESUME = 2
WM_MDIICONARRANGE = 552
WM_ENTERIDLE = 289
WM_COMPACTING = 65
FindWindow = GuessStringType(FindWindowA, FindWindowW)
WM_CHAR = 258
GWLP_HWNDPARENT = -8
WM_DISPLAYCHANGE = 126
WM_INITMENU = 278
SW_FORCEMINIMIZE = 11
WM_ACTIVATEAPP = 28
WPF_SETMINPOSITION = 1
WM_QUIT = 18
PostMessage = GuessStringType(PostMessageA, PostMessageW)
WM_LBUTTONDOWN = 513
GA_ROOT = 2
WM_COMMAND = 273
RECT = (no value listed)
WM_NEXTDLGCTL = 40
WM_NOTIFY = 78
WM_CTLCOLOREDIT = 307
SW_MINIMIZE = 6
HWND_NOTOPMOST = -2
WM_ENDSESSION = 22
WM_NCRBUTTONUP = 165

WM_USERCHANGED = 84
PWR_SUSPENDREQUEST = 1
GWLP_EXSTYLE = -20
WM_DESTROYCLIPBOARD = 775
WM_MEASUREITEM = 44
WM_SETTEXT = 12
WM_NCRBUTTONDOWN = 164
SendMessage = GuessStringType(SendMessageA, SendMessageW)
WM_DRAWITEM = 43
WM_MDIRESTORE = 547
WM_PALETTECHANGED = 785
WM_MDITILE = 550
WM_PASTE = 770
WPF_ASYNCWINDOWPLACEMENT = 4
WM_INPUTLANGCHANGE = 81
SMTO_ABORTIFHUNG = 2
SetWindowLongPtr = DefaultStringType(SetWindowLongA, SetWindowLongW)
WM_NCMBUTTONUP = 168
SetWindowLong = DefaultStringType(SetWindowLongA, SetWindowLongW)
GW_OWNER = 4
PPOINT = (no value listed)
WM_GETMINMAXINFO = 36
WM_KILLFOCUS = 8
WM_MOUSEACTIVATE = 33
WM_QUEUESYNC = 35
WM_RENDERALLFORMATS = 774
WM_TIMECHANGE = 30
SMTO_NORMAL = 0
WM_SYSKEYUP = 261
GWLP_HINSTANCE = -6
GetClassName = GuessStringType(GetClassNameA, GetClassNameW)

SW_SHOWDEFAULT = 10
WA_INACTIVE = 0
WM_PENWINFIRST = 896
WM_NCCREATE = 129
PRECT = (no value listed)
GetWindowText = GuessStringType(GetWindowTextA, GetWindowTextW)
WM_GETTEXT = 13
WM_SETFOCUS = 7
RegisterWindowMessage = GuessStringType(RegisterWindowMessageA, RegisterWindowMes...
GetProp = GuessStringType(GetPropA, GetPropW)
WM_UNDO = 772
SendDlgItemMessage = GuessStringType(SendDlgItemMessageA, SendDlgItemMessageW)
WM_HSCROLL = 276
WM_SETTINGCHANGE = 26
WM_SYNCPA­INT = 136
WM_VSCROLLCLIPBOARD = 778
GWL_STYLE = -16
WM_WINDOWPOSCHANGED = 71
WM_WININICHANGE = 26
WM_COPYDATA = 74
HWND_BOTTOM = 1
GWLP_STYLE = -16
WM_NCHITTEST = 132
SendNotifyMessage = GuessStringType(SendNotifyMessageA, SendNotifyMessageW)
WM_USER = 1024
HWND_TOPMOST = -1
WM_MBUTTONDBLCLK = 521
WM_KEYUP = 257
WM_RBUTTONDBLCLK = 518
WM_STYLECHANGING = 124

WM_QUERYNEWPALETTE = 783
WM_DEADCHAR = 259
SW_HIDE = 0
GWL_WNDPROC = -4
WM_SHOWWINDOW = 24
GWLP_WNDPROC = -4
WM_EXITMENULOOP = 530
WM_POWER = 72
WM_CTLCOLORSCROLLBAR = 311
WM_NCCALCSIZE = 131
WM_OTHERWINDOWDESTROYED = 67
PWR_CRITICALRESUME = 3
WM_SETFONT = 48
SW_SHOWMINNOACTIVE = 7
WM_RBUTTONUP = 517
WM_NCLBUTTONUP = 162
WTSConnected = 1
SERVICES_FAILED_DATABASEW = u'ServicesFailed'
KEY_QUERY_VALUE = 1
WTSValidationInfo = 27
SE_SYSTEMTIME_NAME = 'SeSystemtimePrivilege'
WTSOEMId = 3
SC_MANAGER_ENUMERATE_SERVICE = 4
SERVICE_STOP_PENDING = 3
KEY_WOW64_32KEY = 512
LOGON_WITH_PROFILE = 1
SAFER_LEVELID_DISALLOWED = 0
SC_STATUS_PROCESS_INFO = 0
WTSUserName = 5
SidTypeDomain = 3

SERVICE_CONFIG_DESCRIPTION = 1
TokenDefaultDacl = 6
SE_LOCK_MEMORY_NAME = 'SeLockMemoryPrivilege'
LookupPrivilegeValue = GuessStringType(LookupPrivilegeValueA, LookupPrivilegeVal...
KEY_ENUMERATE_SUB_KEYS = 8
SE_CREATE_PAGEFILE_NAME = 'SeCreatePagefilePrivilege'
LOGON_NETCREDENTIALS_ONLY = 2
TokenElevationTypeLimited = 3
SC_ACTION_REBOOT = 2
SE_MACHINE_ACCOUNT_NAME = 'SeMachineAccountPrivilege'
WCTP_OPEN_ALL_FLAGS = 1
TokenUserClaimAttributes = 33
WTSIsRemoteSession = 29
REG_RESOURCE_REQUIREMENTS_LIST = 10
SERVICE_ACTIVE = 1
SERVICE_RUNS_IN_SYSTEM_PROCESS = 1
HKEY_USERS = 2147483651
TokenPrimaryGroup = 5
SERVICE_START_PENDING = 2
SERVICE_START = 16
SE_IMPERSONATE_NAME = 'SeImpersonatePrivilege'
SAFER_LEVELID_UNTRUSTED = 4096
WctStatusPidOnlyRpcss = 5
SERVICE_PAUSED = 7
SERVICE_ACCEPT_SESSIONCHANGE = 128

REG_FULL_RESOURCE_DESCRIPTOR = 9
KEY_ALL_ACCESS = 983103
SERVICE_CONTROL_POWEREVENT = 13
SERVICE_STATE_ALL = 3
SaferPolicyDefaultLevel = 3
SE_BACKUP_NAME = 'SeBackupPrivilege'
SE_AUDIT_NAME = 'SeAuditPrivilege'
SERVICES_FAILED_DATABASEA = 'ServicesFailed'
SE_PRIVILEGE_REMOVED = 4
WTSInit = 9
SidTypeWellKnownGroup = 5
SERVICE_ACCEPT_HARDWAREPROFILECHANGE = 32
SE_ENABLE_DELEGATION_NAME = 'SeEnableDelegationPrivilege'
RegDeleteValue = GuessStringType(RegDeleteValueA, RegDeleteValueW)
WTSClientName = 10
TokenPrimary = 1
CreateProcessWithLogon = DefaultStringType(CreateProcessWithLogonA, CreateProcessW...
TokenUser = 1
SaferPolicyEvaluateUserScope = 4
HKEY_CURRENT_USER = 2147483649
SidTypeAlias = 4
SE_INC_BASE_PRIORITY_NAME = 'SeIncreaseBasePriorityPrivilege'
RegCopyTree = GuessStringType(RegCopyTreeA, RegCopyTreeW)
SERVICES_ACTIVE_DATABASEW = u'ServicesActive'
REG_QWORD = 11
TokenLinkedToken = 19
WTSReset = 7
SERVICE_CONTROL_DEVICEEVENT = 11

TokenElevationType = 18
SidTypeInvalid = 7
SE_INC_WORKING_SET_NAME = 'SeIncreaseWorkingSetPrivilege'
KEY_EXECUTE = 131097
RegQueryValue = GuessStringType(RegQueryValueA, RegQueryValueW)
SERVICE_DEMAND_START = 3
SE_RELABEL_NAME = 'SeRelabelPrivilege'
MaxTokenInfoClass = 41
EnumServicesStatus = DefaultStringType(EnumServicesStatusA, EnumServicesStatusW)
SERVICE_CONTROL_NETBINDENABLE = 9
WTSClientProtocolType = 16
TokenHasRestrictions = 21
SERVICE_ACCEPT_STOP = 1
SERVICE_RECOGNIZER_DRIVER = 8
SidTypeComputer = 9
SERVICE_RUNNING = 4
WTSWorkingDirectory = 2
SE_TCB_NAME = 'SeTcbPrivilege'
SERVICE_CONTROL_NETBINDREMOVE = 8
TOKEN_ALL_ACCESS = 983551
TokenDeviceClaimAttributes = 34
GetServiceKeyName = GuessStringType(GetServiceKeyNameA, GetServiceKeyNameW)
SERVICE_NO_CHANGE = 4294967295
WTSActive = 0
KEY_CREATE_SUB_KEY = 4
SERVICE_AUTO_START = 2
TOKEN_ADJUST_GROUPS = 64

WTSIncomingFrames = 21
HKEY_CLASSES_ROOT = 2147483648
REG_SZ = 1
WCTP_GETINFO_ALL_FLAGS = 7
SERVICE_KERNEL_DRIVER = 1
SERVICE_CONTROL_SESSIONCHANGE = 14
SERVICE_CONFIG_FAILURE_ACTIONS = 2
TokenRestrictedDeviceGroups = 38
TokenUIAccess = 26
SC_MANAGER_CREATE_SERVICE = 2
TOKEN_READ = 131080
SE_TRUSTED_CREDMAN_ACCESS_NAME = 'SeTrustedCredManAccessPrivilege'
TokenVirtualizationEnabled = 24
WctMaxType = 11
WctProcessWaitType = 7
SE_CREATE_SYMBOLIC_LINK_NAME = 'SeCreateSymbolicLinkPrivilege'
WTSIncomingBytes = 19
TokenSessionId = 12
SERVICE_ACCEPT_USERMODEREBOOT = 2048
TokenSessionReference = 14
WctThreadType = 8
WTSOutgoingBytes = 20
SE_SYNC_AGENT_NAME = 'SeSyncAgentPrivilege'
SERVICE_INTERROGATE = 128
TOKEN_QUERY = 8
RegOpenKeyEx = GuessStringType(RegOpenKeyExA, RegOpenKeyExW)
WctStatusAbandoned = 8
SC_MANAGER_QUERY_LOCK_STATUS = 16

SidTypeGroup = 2
SERVICE_WIN32 = 48
RegConnectRegistry = GuessStringType(RegConnectRegistryA, RegConnectRegistryW)
TOKEN_ADJUST_SESSIONID = 256
WTSClientDisplay = 15
SERVICE_ENUMERATE_DEPENDENTS = 8
TokenStatistics = 10
RegDeleteKeyValue = GuessStringType(RegDeleteKeyValueA, RegDeleteKeyValueW)
TokenGroupsAndPrivileges = 13
WTSConnectQuery = 2
TokenGroups = 2
SERVICE_ERROR_IGNORE = 0
TokenDeviceGroups = 37
WTSClientBuildNumber = 9
CreateProcessAsUser = GuessStringType(CreateProcessAsUserA, CreateProcessAsUserW)
SE_ASSIGNPRIMARYTOKEN_NAME = 'SeAssignPrimaryTokenPrivilege'
SecurityDelegation = 3
WTSClientInfo = 23
TOKEN_ADJUST_PRIVILEGES = 32
SidTypeUnknown = 8
WctStatusPidOnly = 4
SE_CREATE_PERMANENT_NAME = 'SeCreatePermanentPrivilege'
TokenCapabilities = 30
SE_MANAGE_VOLUME_NAME = 'SeManageVolumePrivilege'
SERVICE_ACCEPT_NETBINDCHANGE = 16
SERVICE_PAUSE_PENDING = 6

WCT_OUT_OF_PROC_FLAG = 1
WctStatusBlocked = 3
SERVICE_CONTROL_PAUSE = 2
WctStatusRunning = 2
TokenIntegrityLevel = 25
SERVICE_ACCEPT_PARAMCHANGE = 8
SERVICE_ERROR_SEVERE = 2
WCT_ASYNC_OPEN_FLAG = 1
REG_EXPAND_SZ = 2
SE_SHUTDOWN_NAME = 'SeShutdownPrivilege'
OpenSCManager = GuessStringType(OpenSCManagerA, OpenSCManagerW)
WTSSessionAddressV4 = 28
SERVICE_DISABLED = 4
SE_PRIVILEGE_ENABLED = 2
SAFER_LEVELID_NORMALUSER = 131072
WTS_CURRENT_SERVER_HANDLE = 0
SC_GROUP_IDENTIFIERA = '+'
SC_GROUP_IDENTIFIERW = u'+'
SAFER_SCOPEID_USER = 2
SE_REMOTE_SHUTDOWN_NAME = 'SeRemoteShutdownPrivilege'
REG_MULTI_SZ = 7
SE_CREATE_GLOBAL_NAME = 'SeCreateGlobalPrivilege'
TokenRestrictedUserClaimAttributes = 35
TokenMandatoryPolicy = 27
REG_LINK = 6
RegQueryValueEx = GuessStringType(RegQueryValueExA, RegQueryValueExW)
SERVICE_WIN32_OWN_PROCESS = 16

SERVICE_CONTROL_STOP = 1
SE_DEBUG_NAME = 'SeDebugPrivilege'
WTSConfigInfo = 26
RegDeleteTree = GuessStringType(RegDeleteTreeA, RegDeleteTreeW)
ConvertStringSidToSid = GuessStringType(ConvertStringSidToSidA, ConvertStringSidT...
WCT_OBJNAME_LENGTH = 128
WTSEnumerateProcesses = DefaultStringType(WTSEnumerateProcessesA, WTSEnumeratePro...
TokenOwner = 4
OpenService = GuessStringType(OpenServiceA, OpenServiceW)
WctComType = 5
WTSListen = 6
SE_SYSTEM_PROFILE_NAME = 'SeSystemProfilePrivilege'
GetServiceDisplayName = GuessStringType(GetServiceDisplayNameA, GetServiceDisplay...
SERVICE_FILE_SYSTEM_DRIVER = 2
TOKEN_DUPLICATE = 2
SAFER_TOKEN_MASK = 15
TokenVirtualizationAllowed = 23
TokenSource = 7
WTSSessionId = 4
TokenAppContainerNumber = 32
SE_UNDOCK_NAME = 'SeUndockPrivilege'
RegCreateKey = GuessStringType(RegCreateKeyA, RegCreateKeyW)
KEY_NOTIFY = 16
SC_MANAGER_MODIFY_BOOT_CONFIG = 32
WTS_CURRENT_SESSION = 1

SERVICE_ERROR_CRITICAL = 3
SERVICE_CONTINUE_PENDING = 5
WTSConnectState = 8
WctStatusUnknown = 9
REG_DWORD_LITTLE_ENDIAN = 4
SE_CHANGE_NOTIFY_NAME = 'SeChangeNotifyPrivilege'
SERVICE_USER_DEFINED_CONTROL = 256
SidTypeLabel = 10
WTSIdle = 5
EnumServicesStatusEx = DefaultStringType(EnumServicesStatusExA, EnumServicesStat...
SE_SECURITY_NAME = 'SeSecurityPrivilege'
SE_PROF_SINGLE_PROCESS_NAME = 'SeProfileSingleProcessPrivilege'
SERVICE_ADAPTER = 4
TokenRestrictedDeviceClaimAttributes = 36
SERVICE_CHANGE_CONFIG = 2
REG_QWORD_LITTLE_ENDIAN = 11
SERVICE_DRIVER = 11
WCT_MAX_NODE_COUNT = 16
SaferPolicyLevelList = 1
SC_ACTION_RESTART = 1
WTSInitialProgram = 0
WTSLogonTime = 18
SAFER_TOKEN_NULL_IF_EQUAL = 1
SE_PRIVILEGE_ENABLED_BY_DEFAULT = 1
SecurityAnonymous = 0
REG_RESOURCE_LIST = 8
SE_RESTORE_NAME = 'SeRestorePrivilege'
RegEnumKey = DefaultStringType(RegEnumKeyA, RegEnumKeyW)

CreateProcessWithToken = DefaultStringType(CreateProcessWithTokenA, CreateProcessW...
RegEnumValue = DefaultStringType(RegEnumValueA, RegEnumValueW)
KEY_READ = 131097
TokenRestrictedSids = 11
SecurityIdentification = 1
SE_CREATE_TOKEN_NAME = 'SeCreateTokenPrivilege'
SE_PRIVILEGE_USED_FOR_ACCESS = 2147483648
WTSSessionInfoEx = 25
TokenImpersonationLevel = 9
SE_SYSTEM_ENVIRONMENT_NAME = 'SeSystemEnvironmentPrivilege'
SERVICE_ERROR_NORMAL = 1
HKEY_LOCAL_MACHINE = 2147483650
StartService = GuessStringType(StartServiceA, StartServiceW)
SERVICE_CONTROL_CONTINUE = 3
SERVICE_CONTROL_PARAMCHANGE = 6
WTSClientAddress = 14
KEY_WRITE = 131078
SERVICE_ACCEPT_TRIGGEREVENT = 1024
SERVICE_STOPPED = 1
SERVICE_QUERY_STATUS = 4
TokenAuditPolicy = 16
SAFER_TOKEN_WANT_FLAGS = 8
SAFER_LEVELID_CONSTRAINED = 65536
WctStatusMax = 11
SC_ACTION_RUN_COMMAND = 3

SERVICE_CONTROL_SHUTDOWN = 5
WTSApplicationName = 1
SERVICE_CONTROL_NETBINDADD = 7
WctStatusNoAccess = 1
SC_ACTION_NONE = 0
KEY_CREATE_LINK = 32
TokenAccessInformation = 22
SERVICE_PAUSE_CONTINUE = 64
SERVICE_STOP = 32
WTSClientHardwareId = 13
WTSDisconnected = 4
KEY_WOW64_64KEY = 256
SAFER_LEVELID_FULLYTRUSTED = 262144
KEY_SET_VALUE = 2
WTSClientDirectory = 11
SidTypeUser = 1
SC_MANAGER_ALL_ACCESS = 983103
SAFER_SCOPEID_MACHINE = 1
TokenType = 8
WctSendMessageType = 2
TokenIsAppContainer = 29
TokenIsRestricted = 40
WctStatusOwned = 6
WctStatusNotOwned = 7
SC_MANAGER_CONNECT = 1
WTSWinStationName = 6
RegOpenKey = GuessStringType(RegOpenKeyA, RegOpenKeyW)
TokenSandBoxInert = 15
REG_NONE = 0
SE_INCREASE_QUOTA_NAME = 'SeIncreaseQuotaPrivilege'
SAFER_LEVEL_OPEN = 1
SERVICE_ACCEPT_SHUTDOWN = 4

WTSShadow = 3
WTSDomainName = 7
WTSDown = 8
SERVICE_ALL_ACCESS = 983551
SecurityImpersonation = 2
SaferPolicyEnableTransparentEnforcement = 2
TokenElevation = 20
HKEY_CURRENT_CONFIG = 2147483653
SAFER_TOKEN_MAKE_INERT = 4
WctComActivationType = 9
WctMutexType = 3
REG_DWORD_BIG_ENDIAN = 5
SERVICE_ACCEPT_POWEREVENT = 64
TokenElevationTypeDefault = 1
REG_DWORD = 4
SE_UNSOLICITED_INPUT_NAME = 'SeUnsolicitedInputPrivilege'
TokenOrigin = 17
GetUserName = DefaultStringType(GetUserNameA, GetUserNameW)
SE_TAKE_OWNERSHIP_NAME = 'SeTakeOwnershipPrivilege'
WCT_OUT_OF_PROC_CS_FLAG = 4
SERVICE_CONTROL_HARDWAREPROFILECHANGE = 12
TOKEN_QUERY_SOURCE = 16
SaferPolicyScopeFlags = 5
WctAlpcType = 4
RegDeleteKey = GuessStringType(RegDeleteKeyA, RegDeleteKeyW)
SERVICE_ACCEPT_TIMECHANGE = 512
TokenSecurityAttributes = 39

121

REG_BINARY    Value: 3
SERVICE_ACCEPT_PAUSE_CONTINUE    Value: 2
RegDeleteKeyEx    Value: GuessStringType(RegDeleteKeyExA, RegDeleteKeyExW)
WctStatusError    Value: 10
TOKEN_IMPERSONATE    Value: 4
TOKEN_ASSIGN_PRIMARY    Value: 1
TokenPrivileges    Value: 3
SE_TIME_ZONE_NAME    Value: SeTimeZonePrivilege
TokenAppContainerSid    Value: 31
WctThreadWaitType    Value: 6
WctCriticalSectionType    Value: 1
SidTypeDeletedAccount    Value: 6
WTSIdleTime    Value: 17
SAFER_TOKEN_COMPARE_ONLY    Value: 2
SERVICE_BOOT_START    Value: 0
SERVICE_QUERY_CONFIG    Value: 1
SERVICE_ACCEPT_PRESHUTDOWN    Value: 256
SC_ENUM_PROCESS_INFO    Value: 0
CreateService    Value: GuessStringType(CreateServiceA, CreateServiceW)
TOKEN_ADJUST_DEFAULT    Value: 128
WCT_OUT_OF_PROC_COM_FLAG    Value: 2
SC_MANAGER_LOCK    Value: 8
SERVICE_INTERACTIVE_PROCESS    Value: 256
WctUnknownType    Value: 10
SERVICE_CONTROL_INTERROGATE    Value: 4
WTSSessionInfo    Value: 24
WTSClientProductId    Value: 12
SERVICE_INACTIVE    Value: 2

TokenElevationTypeFull    Value: 2
ConvertSidToStringSid    Value: DefaultStringType(ConvertSidToStringSidA, ConvertSidToStr...
LookupAccountSid    Value: GuessStringType(LookupAccountSidA, LookupAccountSidW)
HKEY_PERFORMANCE_DATA    Value: 2147483652
SERVICE_CONTROL_NETBINDDISABLE    Value: 10
TokenImpersonation    Value: 2
LookupPrivilegeName    Value: GuessStringType(LookupPrivilegeNameA, LookupPrivilegeNameW)
SERVICES_ACTIVE_DATABASEA    Value: ServicesActive
TokenLogonSid    Value: 28
SE_LOAD_DRIVER_NAME    Value: SeLoadDriverPrivilege
WTSOutgoingFrames    Value: 22
SERVICE_SYSTEM_START    Value: 1
SERVICE_WIN32_SHARE_PROCESS    Value: 32
CSIDL_RESOURCES    Value: 56
CSIDL_FONTS    Value: 20
CSIDL_PROGRAM_FILESX86    Value: 42
CSIDL_COMMON_FAVORITES    Value: 31
SEE_MASK_HOTKEY    Value: 32
CSIDL_COMMON_PICTURES    Value: 54
SEE_MASK_INVOKEIDLIST    Value: 12
SEE_MASK_WAITFORINPUTIDLE    Value: 33554432
CSIDL_FLAG_DONT_VERIFY    Value: 16384
SEE_MASK_ICON    Value: 16
CSIDL_PROGRAM_FILES    Value: 38

SEE_MASK_FLAG_NO_UI    Value: 1024
SEE_MASK_FLAG_LOG_USAGE    Value: 67108864
SEE_MASK_DEFAULT    Value: 0
CSIDL_WINDOWS    Value: 36
CSIDL_COMMON_OEM_LINKS    Value: 58
CSIDL_PROFILES    Value: 62
CSIDL_LOCAL_APPDATA    Value: 28
CSIDL_FLAG_PER_USER_INIT    Value: 2048
CSIDL_FLAG_MASK    Value: 65280
CSIDL_PERSONAL    Value: 5
CSIDL_FOLDER_MASK    Value: 255
SEE_MASK_CLASSKEY    Value: 3
SE_ERR_OOM    Value: 8
CSIDL_CDBURN_AREA    Value: 59
CSIDL_MYPICTURES    Value: 39
CSIDL_SENDTO    Value: 9
SE_ERR_DDETIMEOUT    Value: 28
CSIDL_STARTUP    Value: 7
CSIDL_ADMINTOOLS    Value: 48
SEE_MASK_CLASSNAME    Value: 1
CSIDL_COMMON_APPDATA    Value: 35
CSIDL_FLAG_CREATE    Value: 32768
CSIDL_MYDOCUMENTS    Value: 5
CSIDL_RESOURCES_LOCALIZED    Value: 57
CSIDL_COMMON_TEMPLATES    Value: 45
SEE_MASK_UNICODE    Value: 16384
CSIDL_APPDATA    Value: 26
SE_ERR_PNF    Value: 3
CSIDL_HISTORY    Value: 34
CSIDL_INTERNET    Value: 1
SEE_MASK_DOENVSUBST    Value: 512

CSIDL_PROGRAMS    Value: 2
SE_ERR_ASSOCINCOMPLETE    Value: 27
CSIDL_DESKTOPDIRECTORY    Value: 16
CSIDL_STARTMENU    Value: 11
SEE_MASK_IDLIST    Value: 4
SE_ERR_DLLNOTFOUND    Value: 32
CSIDL_FLAG_NO_ALIAS    Value: 4096
CSIDL_RECENT    Value: 8
SEE_MASK_NO_CONSOLE    Value: 32768
SE_ERR_FNF    Value: 2
CSIDL_PRINTERS    Value: 4
CSIDL_FAVORITES    Value: 6
CSIDL_PROFILE    Value: 40
CSIDL_MYVIDEO    Value: 14
SE_ERR_SHARE    Value: 26
ShellExecute    Value: GuessStringType(ShellExecuteA, ShellExecuteW)
CSIDL_COMMON_ADMINTOOLS    Value: 47
SEE_MASK_NOZONECHECKS    Value: 8388608
CSIDL_DRIVES    Value: 17
SHGFP_TYPE_DEFAULT    Value: 1
SEE_MASK_HMONITOR    Value: 2097152
SE_ERR_DDEFAIL    Value: 29
CSIDL_SYSTEM    Value: 37
CSIDL_ALTSTARTUP    Value: 29
CSIDL_CONTROLS    Value: 3
CSIDL_DESKTOP    Value: 0
CSIDL_COMMON_DOCUMENTS    Value: 46
SE_ERR_ACCESSDENIED    Value: 5
SE_ERR_NOASSOC    Value: 31
CSIDL_COMMON_DESKTOPDIRECTORY    Value: 25
SHGFP_TYPE_CURRENT    Value: 0

CSIDL_PRINTHOOD    Value: 27
CSIDL_COMPUTERSNEARME    Value: 61
CSIDL_BITBUCKET    Value: 10
SEE_MASK_ASYNCOK    Value: 1048576
CSIDL_COMMON_STARTUP    Value: 24
SEE_MASK_NOASYNC    Value: 256
CSIDL_CONNECTIONS    Value: 49
CSIDL_PROGRAM_FILES_COMMONX86    Value: 44
CSIDL_NETHOOD    Value: 19
SEE_MASK_NOCLOSEPROCESS    Value: 64
CSIDL_COMMON_VIDEO    Value: 55
SE_ERR_DDEBUSY    Value: 30
FindExecutable    Value: GuessStringType(FindExecutableA, FindExecutableW)
CommandLineToArgv    Value: GuessStringType(CommandLineToArgvA, CommandLineToArgvW)
CSIDL_COMMON_MUSIC    Value: 53
CSIDL_COOKIES    Value: 33
CSIDL_COMMON_PROGRAMS    Value: 23
CSIDL_COMMON_STARTMENU    Value: 22
CSIDL_NETWORK    Value: 18
SHGetFolderPath    Value: DefaultStringType(SHGetFolderPathA, SHGetFolderPathW)
SEE_MASK_CONNECTNETDRV    Value: 128
CSIDL_PROGRAM_FILES_COMMON    Value: 43
CSIDL_MYMUSIC    Value: 13
CSIDL_COMMON_ALTSTARTUP    Value: 30
CSIDL_SYSTEMX86    Value: 41

CSIDL_INTERNET_CACHE    Value: 32
CSIDL_TEMPLATES    Value: 21
OS_WIN95_GOLD    Value: 16
OS_TERMINALSERVER    Value: 24
PathRemoveBackslash    Value: GuessStringType(PathRemoveBackslashA, PathRemoveBackslashW)
OS_NT4ORGREATER    Value: 3
OS_WIN2000DATACENTER    Value: 11
OS_DOMAINMEMBER    Value: 28
OS_WOW6432    Value: 30
OS_WELCOMELOGONUI    Value: 27
PathUnExpandEnvStrings    Value: GuessStringType(PathUnExpandEnvStringsA, PathUnExpandEnvS...
OS_WEBSERVER    Value: 31
PathIsDirectory    Value: GuessStringType(PathIsDirectoryA, PathIsDirectoryW)
PathFindExtension    Value: GuessStringType(PathFindExtensionA, PathFindExtensionW)
PathRelativePathTo    Value: GuessStringType(PathRelativePathToA, PathRelativePathToW)
PathAddExtension    Value: GuessStringType(PathAddExtensionA, PathAddExtensionW)
OS_XPORGREATER    Value: 18
PathIsRoot    Value: GuessStringType(PathIsRootA, PathIsRootW)
PathFindNextComponent    Value: GuessStringType(PathFindNextComponentA, PathFindNextCompo...
OS_WIN2000PRO    Value: 8
OS_ANYSERVER    Value: 29
PathRemoveExtension    Value: GuessStringType(PathRemoveExtensionA, PathRemoveExtensionW)
OS_APPLIANCE    Value: 36

OS_HOME    Value: 19
PathRemoveArgs    Value: GuessStringType(PathRemoveArgsA, PathRemoveArgsW)
OS_FASTUSERSWITCHING    Value: 26
OS_PROFESSIONAL    Value: 20
OS_WIN2000TERMINAL    Value: 12
OS_TERMINALCLIENT    Value: 14
OS_TABLETPC    Value: 33
PathFileExists    Value: GuessStringType(PathFileExistsA, PathFileExistsW)
OS_PERSONALTERMINALSERVER    Value: 25
PathMakePretty    Value: GuessStringType(PathMakePrettyA, PathMakePrettyW)
OS_MEORGREATER    Value: 17
OS_SERVERADMINUI    Value: 34
OS_WIN2000ADVSERVER    Value: 10
PathIsNetworkPath    Value: GuessStringType(PathIsNetworkPathA, PathIsNetworkPathW)
OS_WIN2000ORGREATER    Value: 7
PathCombine    Value: GuessStringType(PathCombineA, PathCombineW)
OS_DATACENTER    Value: 21
PathIsSameRoot    Value: GuessStringType(PathIsSameRootA, PathIsSameRootW)
PathAddBackslash    Value: GuessStringType(PathAddBackslashA, PathAddBackslashW)
PathRenameExtension    Value: GuessStringType(PathRenameExtensionA, PathRenameExtensionW)
OS_WIN2000SERVER    Value: 9
OS_MEDIACENTER    Value: 35
PathRemoveFileSpec    Value: GuessStringType(PathRemoveFileSpecA, PathRemoveFileSpecW)
PathIsUNC    Value: GuessStringType(PathIsUNCA, PathIsUNCW)

PathIsDirectoryEmpty    Value: GuessStringType(PathIsDirectoryEmptyA, PathIsDirectoryEmp...
OS_SMALLBUSINESSSERVER    Value: 32
OS_TERMINALREMOTEADMIN    Value: 15
PathFindFileName    Value: GuessStringType(PathFindFileNameA, PathFindFileNameW)
PathCanonicalize    Value: GuessStringType(PathCanonicalizeA, PathCanonicalizeW)
OS_WIN95ORGREATER    Value: 2
PathFindOnPath    Value: GuessStringType(PathFindOnPathA, PathFindOnPathW)
PathIsContentType    Value: GuessStringType(PathIsContentTypeA, PathIsContentTypeW)
PathIsRelative    Value: GuessStringType(PathIsRelativeA, PathIsRelativeW)
OS_ADVSERVER    Value: 22
OS_WIN98_GOLD    Value: 6
OS_WIN98ORGREATER    Value: 5
OS_EMBEDDED    Value: 13
PathAppend    Value: GuessStringType(PathAppendA, PathAppendW)
OS_WINDOWS    Value: 0
PathGetArgs    Value: GuessStringType(PathGetArgsA, PathGetArgsW)
OS_SERVER    Value: 23
GetMappedFileName    Value: GuessStringType(GetMappedFileNameA, GetMappedFileNameW)
GetModuleFileNameEx    Value: GuessStringType(GetModuleFileNameExA, GetModuleFileNameExW)
GetDeviceDriverBaseName    Value: GuessStringType(GetDeviceDriverBaseNameA, GetDeviceDriver...
GetProcessImageFileName    Value: GuessStringType(GetProcessImageFileNameA, GetProcessImage...

LIST_MODULES_64BIT    Value: 2
LIST_MODULES_ALL    Value: 3
LIST_MODULES_32BIT    Value: 1
GetDeviceDriverFileName    Value: GuessStringType(GetDeviceDriverFileNameA, GetDeviceDriver...
LIST_MODULES_DEFAULT    Value: 0
SLE_ERROR    Value: 1
THREAD_BASE_PRIORITY_LOWRT    Value: 15
DBG_REPLY_LATER    Value: 1073807361
CONTEXT_FULL    Value: 65543
EXCEPTION_FLT_UNDERFLOW    Value: 3221225619
OpenFileMapping    Value: GuessStringType(OpenFileMappingA, OpenFileMappingW)
SYMOPT_FAVOR_COMPRESSED    Value: 8388608
STATUS_PENDING    Value: 259
SYMOPT_NO_IMAGE_SEARCH    Value: 131072
ARCH_AMD64    Value: amd64
OS_WINDOWS_2008_64    Value: Windows 2008 (64 bits)
VFT_DRV    Value: 3
PAGE_EXECUTE_READ    Value: 32
SEC_COMMIT    Value: 134217728
NTDDI_WIN7SP1    Value: 100729088
ProcThreadAttributeGroupAffinity    Value: 3
SM_CARETBLINKINGENABLED    Value: 8194
SM_YVIRTUALSCREEN    Value: 77
EXCEPTION_ARRAY_BOUNDS_EXCEEDED    Value: 3221225612
SymLoadModule    Value: GuessStringType(SymLoadModuleA, SymLoadModuleW)
SEMAPHORE_MODIFY_STATE    Value: 2
PAGE_WRITECOPY    Value: 8
EXCEPTION_BREAKPOINT    Value: 2147483651

SymCoff    Value: 1
STACK_SIZE_PARAM_IS_A_RESERVATION    Value: 65536
SYMOPT_NO_PUBLICS    Value: 32768
SEM_NOOPENFILEERRORBOX    Value: 2048
MAXINTATOM    Value: 49152
Wow64GetThreadContext
COMMON_LVB_LEADING_BYTE    Value: 256
OS_SEVEN    Value: Windows 7
SM_CXDLGFRAME    Value: 7
DEBUG_PROCESS    Value: 1
OS_W2K3_64    Value: Windows 2003 (64 bits)
SM_ARRANGE    Value: 56
PROCESS_ALL_ACCESS_VISTA    Value: 2097151
VFT2_DRV_DISPLAY    Value: 4
WOW64_CONTEXT_CONTROL
VER_SUITE_BACKOFFICE    Value: 4
LPXMM_SAVE_AREA32
STATUS_STACK_OVERFLOW    Value: 3221225725
MEM_4MB_PAGES    Value: 2147483648
VER_SUITE_DATACENTER    Value: 128
arch    Value: amd64
Wow64GetThreadSelectorEntry
OS_WINDOWS_2003_R2_64    Value: Windows 2003 R2 (64 bits)
GR_USEROBJECTS    Value: 1
PWOW64_FLOATING_SAVE_AREA
VOS_NT_WINDOWS32    Value: 262148
PRODUCT_MEDIUMBUSINESS_SERVER_SECURITY    Value: 31
ARCH_SHX    Value: shx
OS_WINDOWS_XP_64    Value: Windows XP (64 bits)

OS_WINDOWS_NT    Value: Windows NT
SymExport    Value: 4
THREAD_SUSPEND_RESUME    Value: 2
SM_REMOTESESSION    Value: 4096
ARCH_POWERPC    Value: ppc
COMMON_LVB_UNDERSCORE    Value: 32768
VOS__PM16    Value: 2
EXCEPTION_FLT_INEXACT_RESULT    Value: 3221225615
FILE_SHARE_READ    Value: 1
PROCESSOR_SHx_SH3    Value: 103
PROCESSOR_SHx_SH4    Value: 104
VER_LESS_EQUAL    Value: 5
INHERIT_PARENT_AFFINITY    Value: 65536
FOREGROUND_BLACK    Value: 0
PRODUCT_ENTERPRISE_SERVER    Value: 10
VER_SUITE_STORAGE_SERVER    Value: 8192
CREATE_NEW_CONSOLE    Value: 16
SYMOPT_INCLUDE_32BIT_MODULES    Value: 8192
HEAP_ZERO_MEMORY    Value: 8
FOREGROUND_RED    Value: 4
SM_CYKANJIWINDOW    Value: 18
STATUS_UNWIND_CONSOLIDATE    Value: 2147483689
SM_CYVIRTUALSCREEN    Value: 79
PROCESSOR_ARM_7TDMI    Value: 70001
PROCESSOR_INTEL_386    Value: 386
SYMOPT_FAIL_CRITICAL_ERRORS    Value: 512
SM_CYMINTRACK    Value: 35
SYMOPT_LOAD_ANYTHING    Value: 64
SM_CYMAXTRACK    Value: 60

OS_VISTA_64    Value: Windows Vista (64 bits)
OS_WINDOWS_VISTA_64    Value: Windows Vista (64 bits)
THREAD_GET_CONTEXT    Value: 8
PROCESS_NAME_NATIVE    Value: 1
LOAD_LIBRARY_AS_DATAFILE    Value: 2
STATUS_PRIVILEGED_INSTRUCTION    Value: 3221225622
MEM_RESET    Value: 524288
NTDDI_WINXPSP1    Value: 83951872
EXCEPTION_FLT_INVALID_OPERATION    Value: 3221225616
NTDDI_WINXPSP3    Value: 83952384
NTDDI_WINXPSP2    Value: 83952128
VER_SUITE_ENTERPRISE    Value: 2
AddrModeReal    Value: 2
PROCESSOR_AMD_X8664    Value: 8664
FILE_ATTRIBUTE_ARCHIVE    Value: 32
OutputDebugString    Value: GuessStringType(OutputDebugStringA, OutputDebugStringW)
VOLUME_NAME_NT    Value: 2
PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE    Value: 1
PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE    Value: 4
SM_CYDOUBLECLK    Value: 37
QueryFullProcessImageName    Value: GuessStringType(QueryFullProcessImageNameA, QueryFullProc...
UNDNAME_32_BIT_DECODE    Value: 2048
SM_CYVSCROLL    Value: 20
AddrModeFlat    Value: 3

STD_INPUT_HANDLE    Value: 4294967286
TH32CS_SNAPALL    Value: 15
CREATE_DEFAULT_ERROR_MODE    Value: 67108864
WAIT_FAILED    Value: -1
PRODUCT_ULTIMATE    Value: 1
ARCH_ARM    Value: arm
ARCH_THUMB    Value: thumb
FORMAT_MESSAGE_ALLOCATE_BUFFER    Value: 256
PROCESSOR_ARCHITECTURE_ARM    Value: 5
EXCEPTION_PRIV_INSTRUCTION    Value: 3221225622
NTDDI_VERSION    Value: 100729088
PRODUCT_HOME_PREMIUM_E    Value: 68
EXCEPTION_DATATYPE_MISALIGNMENT    Value: 2147483650
LEGACY_SAVE_AREA_LENGTH
HIGH_PRIORITY_CLASS    Value: 128
SYMOPT_ALLOW_ABSOLUTE_SYMBOLS    Value: 2048
ARCH_SPARC    Value: sparc
PRODUCT_HOME_PREMIUM    Value: 3
STATUS_FLOAT_MULTIPLE_FAULTS    Value: 3221226164
NORMAL_PRIORITY_CLASS    Value: 32
SYMOPT_IGNORE_IMAGEDIR    Value: 2097152
ARCH_AARCH32    Value: arm
SYMOPT_NO_UNQUALIFIED_LOADS    Value: 256
OS_VISTA    Value: Windows Vista
GetLogicalDriveStrings    Value: GuessStringType(GetLogicalDriveStringsA, GetLogicalDriveS...
PRODUCT_DATACENTER_SERVER    Value: 8

PWOW64_CONTEXT
MEM_MAPPED    Value: 262144
WOW64_LDT_ENTRY
ARCH_X86    Value: i386
ARCH_X64    Value: amd64
SymSetSearchPath    Value: GuessStringType(SymSetSearchPathA, SymSetSearchPathW)
TH32CS_SNAPMODULE    Value: 8
VER_GREATER_EQUAL    Value: 3
GENERIC_ALL    Value: 268435456
GetProcAddress    Value: GuessStringType(GetProcAddressA, GetProcAddressW)
STATUS_SXS_EARLY_DEACTIVATION    Value: 3222601743
MEM_PRIVATE    Value: 131072
PRODUCT_STANDARDSERVER_CORE    Value: 13
SM_CXDOUBLECLK    Value: 36
STATUS_INVALID_HANDLE    Value: 3221225480
BACKGROUND_CYAN    Value: 48
ARCH_ITANIUM    Value: ia64
THREAD_PRIORITY_TIME_CRITICAL    Value: 15
SECTION_QUERY    Value: 1
MS_VC_EXCEPTION    Value: 1080890248
PROCESS_CREATE_PROCESS    Value: 128
SM_MENUDROPALIGNMENT    Value: 40
SEC_IMAGE    Value: 16777216
VOLUME_NAME_DOS    Value: 0
PRODUCT_WEB_SERVER    Value: 17
SM_CXMENUCHECK    Value: 71
NTDDI_LONGHORN    Value: 100663296
BACKGROUND_INTENSITY    Value: 128
CREATE_IGNORE_SYSTEM_DEFAULT    Value: 2147483648
psyco

SYMOPT_NO_PROMPTS    Value: 524288
SM_MOUSEHORIZONTALWHEELPRESENT    Value: 91
SymNone    Value: 0
STATUS_NONCONTINUABLE_EXCEPTION    Value: 3221225509
Wow64ResumeThread
UnDecorateSymbolName    Value: GuessStringType(UnDecorateSymbolNameA, UnDecorateSymbolNa...
PROC_THREAD_ATTRIBUTE_NUMBER    Value: 65535
VER_SUITE_PERSONAL    Value: 512
WAIT_OBJECT_0    Value: 0
GENERIC_READ    Value: 2147483648
INITIAL_MXCSR
OpenEvent    Value: GuessStringType(OpenEventA, OpenEventW)
UNDNAME_NO_MS_THISTYPE    Value: 32
SEC_NOCACHE    Value: 268435456
LDT_ENTRY_HIGHWORD
SM_CXMIN    Value: 28
IMAGE_FILE_MACHINE_AMD64    Value: 34404
VOS__PM32    Value: 3
NTDDI_WINXP    Value: 83951616
BACKGROUND_MASK    Value: 240
SymGetModuleInfo64    Value: GuessStringType(SymGetModuleInfo64A, SymGetModuleInfo64W)
OS_XP_64    Value: Windows XP (64 bits)
PRODUCT_ENTERPRISE    Value: 4
VOS__WINDOWS32    Value: 4
OS_W2K8_64    Value: Windows 2008 (64 bits)
SymPdb    Value: 3
DBG_EXCEPTION_NOT_HANDLED    Value: 2147549185
PROCESSOR_HITACHI_SH3E    Value: 10004

SM_CXSMICON    Value: 49
MEM_IMAGE    Value: 16777216
UNDNAME_NO_MEMBER_TYPE    Value: 512
THREAD_PRIORITY_ERROR_RETURN    Value: 4294967295
PROC_THREAD_ATTRIBUTE_ADDITIVE    Value: 262144
PROCESSOR_ARCHITECTURE_AMD64    Value: 9
EXCEPTION_INVALID_HANDLE    Value: 3221225480
FOREGROUND_YELLOW    Value: 6
STATUS_SINGLE_STEP    Value: 2147483652
ContextArchMask    Value: 268369920
PROCESSOR_ARCHITECTURE_INTEL    Value: 0
PAGE_EXECUTE    Value: 16
CONTROL_C_EXIT    Value: 3221225786
ABOVE_NORMAL_PRIORITY_CLASS    Value: 32768
VFT2_DRV_COMM    Value: 10
PRODUCT_DATACENTER_SERVER_CORE_V    Value: 39
FILE_ATTRIBUTE_SYSTEM    Value: 4
VER_SUITE_TERMINAL    Value: 16
PRODUCT_STORAGE_EXPRESS_SERVER    Value: 20
VER_LESS    Value: 4
CONTEXT_CONTROL    Value: 65537
PAGE_EXECUTE_WRITECOPY    Value: 128
SM_CXSCREEN    Value: 0
CREATE_SEPARATE_WOW_VDM    Value: 2048
DBG_PRINTEXCEPTION_C    Value: 1073807366
OS_NT    Value: Windows NT
CREATE_THREAD_DEBUG_EVENT    Value: 2

VER_GREATER    Value: 2
PRODUCT_STANDARDSERVER_V    Value: 36
PROCESSOR_ARCHITECTURE_ALPHA    Value: 2
GlobalFindAtom    Value: GuessStringType(GlobalFindAtomA, GlobalFindAtomW)
CONTEXT_i386    Value: 65536
STATUS_INTEGER_OVERFLOW    Value: 3221225621
VFT_STATIC_LIB    Value: 7
CONTEXT_EXCEPTION_REQUEST
SECTION_MAP_READ    Value: 4
SECTION_MAP_EXECUTE    Value: 8
EVENT_ALL_ACCESS    Value: 2031619
VS_FF_INFOINFERRED    Value: 16
FILE_SHARE_DELETE    Value: 4
SM_CXFULLSCREEN    Value: 16
CREATE_BREAKAWAY_FROM_JOB    Value: 16777216
VS_FF_PATCHED    Value: 4
VFT2_FONT_TRUETYPE    Value: 3
CONTEXT_EXCEPTION_ACTIVE
PROCESS_QUERY_LIMITED_INFORMATION    Value: 4096
SM_CYCAPTION    Value: 4
STATUS_FLOAT_INVALID_OPERATION    Value: 3221225616
NTDDI_WIN8    Value: 100794368
NTDDI_WIN7    Value: 100728832
OS_WINDOWS_2008_R2_64    Value: Windows 2008 R2 (64 bits)
SM_CLEANBOOT    Value: 67
CreateFileMapping    Value: GuessStringType(CreateFileMappingA, CreateFileMappingW)
FILE_FLAG_SEQUENTIAL_SCAN    Value: 134217728

ProcThreadAttributeMax    Value: 8
EXCEPTION_WX86_BREAKPOINT    Value: 1073741855
SECTION_EXTEND_SIZE    Value: 16
AddrMode1632    Value: 1
THREAD_ALL_ACCESS_VISTA    Value: 2097151
PROCESS_VM_READ    Value: 16
VER_SUITE_WH_SERVER    Value: 32768
OS_WINDOWS_2003_R2    Value: Windows 2003 R2
FOREGROUND_CYAN    Value: 3
SymGetModuleInfo    Value: GuessStringType(SymGetModuleInfoA, SymGetModuleInfoW)
UNDNAME_NO_ACCESS_SPECIFIERS    Value: 128
SM_CXICONSPACING    Value: 38
SEMAPHORE_ALL_ACCESS    Value: 2031619
PROCESSOR_INTEL_486    Value: 486
ARCH_UNKNOWN    Value: unknown
MEM_RELEASE    Value: 32768
INHERIT_CALLER_PRIORITY    Value: 131072
CreateFile    Value: GuessStringType(CreateFileA, CreateFileW)
VFT2_FONT_VECTOR    Value: 2
VFT2_DRV_LANGUAGE    Value: 3
PROCESSOR_ARM820    Value: 2080
VS_FF_SPECIALBUILD    Value: 32
SM_SWAPBUTTON    Value: 23
SM_CYMINSPACING    Value: 48
SM_XVIRTUALSCREEN    Value: 76
PROCESSOR_STRONGARM    Value: 2577
VFT2_UNKNOWN    Value: 0
OS_WINDOWS_2003_64    Value: Windows 2003 (64 bits)
THREAD_PRIORITY_BELOW_NORMAL    Value: -1
PROCESSOR_ARCHITECTURE_PPC    Value: 3

PRODUCT_PROFESSIONAL    Value: 48
EXCEPTION_ACCESS_VIOLATION    Value: 3221225477
ATTACH_PARENT_PROCESS    Value: 4294967295
VER_SUITE_SINGLEUSERTS    Value: 256
EXIT_THREAD_DEBUG_EVENT    Value: 4
VOS_OS232    Value: 196608
VER_OR    Value: 7
hdSym    Value: 1
FOREGROUND_GREEN    Value: 2
SM_SHUTTINGDOWN    Value: 8192
PAGE_READWRITE    Value: 4
MAXIMUM_SUSPEND_COUNT    Value: 127
STATUS_TIMEOUT    Value: 258
MEM_TOP_DOWN    Value: 1048576
PXMM_SAVE_AREA32
SYMOPT_LOAD_LINES    Value: 16
CONTEXT_i486    Value: 65536
MUTEX_MODIFY_STATE    Value: 1
THREAD_SET_LIMITED_INFORMATION    Value: 1024
FILE_ATTRIBUTE_READONLY    Value: 1
MEM_COMMIT    Value: 4096
PROCESSOR_OPTIL    Value: 18767
STATUS_WX86_BREAKPOINT    Value: 1073741855
SM_CXMENUSIZE    Value: 54
ACCESS_VIOLATION_TYPE_WRITE    Value: 1
PAGE_EXECUTE_READWRITE    Value: 64
CTRL_SHUTDOWN_EVENT    Value: 6
bits    Value: 32

CONTEXT_MMX_REGISTERS
FORMAT_MESSAGE_FROM_SYSTEM    Value: 4096
VER_SUITE_SMALLBUSINESS_RESTRICTED    Value: 32
DUPLICATE_CLOSE_SOURCE    Value: 1
wow64    Value: True
PROCESSOR_ARCHITECTURE_SHX    Value: 4
THREAD_IMPERSONATE    Value: 256
WOW64_CONTEXT_i486
SYMOPT_IGNORE_NT_SYMPATH    Value: 4096
VOS__WINDOWS16    Value: 1
SM_CXEDGE    Value: 45
SymDia    Value: 7
OS_W2K3R2    Value: Windows 2003 R2
STATUS_FLOAT_DIVIDE_BY_ZERO    Value: 3221225614
NTDDI_WS03SP2    Value: 84017664
NTDDI_WS03SP1    Value: 84017408
PROCESS_TERMINATE    Value: 1
SM_CYMINIMIZED    Value: 58
DBG_COMMAND_EXCEPTION    Value: 1073807369
PRODUCT_SERVER_FOR_SMALLBUSINESS_V    Value: 35
PRODUCT_HOME_BASIC    Value: 2
SM_CYSCREEN    Value: 1
WOW64_FLOATING_SAVE_AREA
STATUS_POSSIBLE_DEADLOCK    Value: 3221225876
ACCESS_VIOLATION_TYPE_READ    Value: 0
ProcThreadAttributeIdealProcessor    Value: 5
EXCEPTION_INVALID_DISPOSITION    Value: 3221225510

SM_CYBORDER    Value: 6
PRODUCT_ENTERPRISE_SERVER_CORE_V    Value: 41
CREATE_UNICODE_ENVIRONMENT    Value: 1024
STATUS_IN_PAGE_ERROR    Value: 3221225478
VER_NT_DOMAIN_CONTROLLER    Value: 2
OS_W2K3R2_64    Value: Windows 2003 R2 (64 bits)
GlobalGetAtomName    Value: GuessStringType(GlobalGetAtomNameA, GlobalGetAtomNameW)
SYMOPT_FLAT_DIRECTORY    Value: 4194304
GR_GDIOBJECTS    Value: 0
THREAD_TERMINATE    Value: 1
WINVER    Value: 1537
OPEN_EXISTING    Value: 3
WOW64_CONTEXT_SEGMENTS
FILE_MAP_READ    Value: 4
VER_PLATFORM_WIN32_WINDOWS    Value: 1
GetVersionEx    Value: GuessStringType(GetVersionExA, GetVersionExW)
THREAD_QUERY_INFORMATION    Value: 64
FOREGROUND_GREY    Value: 7
UNDNAME_NO_CV_THISTYPE    Value: 64
MAX_SYM_NAME    Value: 2000
EVENT_MODIFY_STATE    Value: 2
DEBUG_EVENT_UNION
PROC_THREAD_ATTRIBUTE_EXTENDED_FLAGS    Value: 393217
SM_CXBORDER    Value: 5
NTDDI_WIN2KSP4    Value: 83887104
TH32CS_INHERIT    Value: 2147483648

NTDDI_WIN2KSP2    Value: 83886592
NTDDI_WIN2KSP3    Value: 83886848
NTDDI_WIN2KSP1    Value: 83886336
LOAD_WITH_ALTERED_SEARCH_PATH    Value: 8
PROCESS_ALL_ACCESS_NT    Value: 2035711
HEAP_NO_SERIALIZE    Value: 1
SM_MOUSEWHEELPRESENT    Value: 75
SM_CXMAXTRACK    Value: 59
STATUS_FLOAT_INEXACT_RESULT    Value: 3221225615
FILE_FLAG_DELETE_ON_CLOSE    Value: 67108864
EXCEPTION_FLT_STACK_CHECK    Value: 3221225618
PRODUCT_BUSINESS    Value: 6
LDT_ENTRY_BITS
SM_SERVERR2    Value: 89
VER_SERVICEPACKMAJOR    Value: 32
OS_SEVEN_64    Value: Windows 7 (64 bits)
WOW64_CONTEXT_ALL
SM_CYMENUSIZE    Value: 55
GENERIC_WRITE    Value: 1073741824
VFT_RESERVED    Value: 6
HEAP_GENERATE_EXCEPTIONS    Value: 4
EXCEPTION_NONCONTINUABLE_EXCEPTION    Value: 3221225509
SM_DBCSENABLED    Value: 42
PROC_THREAD_ATTRIBUTE_PARENT_PROCESS    Value: 131072
UNDNAME_NO_ALLOCATION_LANGUAGE    Value: 16
DBG_TERMINATE_PROCESS    Value: 1073807364
SM_CXPADDEDBORDER    Value: 92

SYMOPT_UNDNAME    Value: 2
FILE_FLAG_WRITE_THROUGH    Value: 2147483648
CREATE_SHARED_WOW_VDM    Value: 4096
GetDllDirectory    Value: GuessStringType(GetDllDirectoryA, GetDllDirectoryW)
EXTENDED_STARTUPINFO_PRESENT    Value: 524288
EXCEPTION_READ_FAULT    Value: 0
FILE_MAP_COPY    Value: 1
THREAD_PRIORITY_ABOVE_NORMAL    Value: 1
CREATE_FORCEDOS    Value: 8192
AddrMode1616    Value: 0
TH32CS_SNAPPROCESS    Value: 2
SM_CXMINTRACK    Value: 34
FOREGROUND_BLUE    Value: 1
DBG_APP_NOT_IDLE    Value: 3221291010
PRODUCT_DATACENTER_SERVER_V    Value: 37
PROC_THREAD_ATTRIBUTE_PREFERRED_NODE    Value: 131076
VFT_UNKNOWN    Value: 0
FILE_MAP_EXECUTE    Value: 32
SM_CXDRAG    Value: 68
EXCEPTION_GUARD_PAGE    Value: 2147483649
STATUS_FLOAT_OVERFLOW    Value: 3221225617
CTRL_LOGOFF_EVENT    Value: 5
SM_PENWINDOWS    Value: 41
VER_PLATFORM_WIN32_NT    Value: 2
SM_CYMAXIMIZED    Value: 62
VER_NT_SERVER    Value: 3
GENERIC_EXECUTE    Value: 536870912
PROCESS_DEP_ENABLE    Value: 1
hdBase    Value: 0

PROCESSOR_ARCHITECTURE_MIPS    Value: 1
DBG_UNABLE_TO_PROVIDE_HANDLE    Value: 1073807362
SM_CYVTHUMB    Value: 9
STATUS_DATATYPE_MISALIGNMENT    Value: 2147483650
ARCH_PPC    Value: ppc
CTRL_CLOSE_EVENT    Value: 2
FILE_MAP_ALL_ACCESS    Value: 983071
PRODUCT_SMALLBUSINESS_SERVER    Value: 9
CREATE_NEW    Value: 1
PRODUCT_HYPERV    Value: 42
ARCH_ARM64    Value: arm64
STATUS_CONTROL_C_EXIT    Value: 3221225786
PAGE_NOCACHE    Value: 512
SM_CYEDGE    Value: 46
VER_SUITE_COMPUTE_SERVER    Value: 16384
BELOW_NORMAL_PRIORITY_CLASS    Value: 16384
OS_WINDOWS_VISTA    Value: Windows Vista
CONTEXT_AMD64
CREATE_NEW_PROCESS_GROUP    Value: 512
UNDNAME_NO_SPECIAL_SYMS    Value: 16384
PRODUCT_STORAGE_WORKGROUP_SERVER    Value: 22
SM_CYDLGFRAME    Value: 8
STATUS_ILLEGAL_INSTRUCTION    Value: 3221225501
SYMOPT_CASE_INSENSITIVE    Value: 1
NTDDI_WS03    Value: 84017152
NTDDI_WS08    Value: 100663552
THREAD_BASE_PRIORITY_MIN    Value: -2
EXCEPTION_DEBUG_EVENT    Value: 1

SM_CXSMSIZE    Value: 52
SIZE_OF_80387_REGISTERS    Value: 80
CONTEXT_ALL    Value: 65599
VER_SUITE_BLADE    Value: 1024
VOS_OS216_PM16    Value: 131074
SM_IMMENABLED    Value: 82
STILL_ACTIVE    Value: 259
CREATE_PROCESS_DEBUG_EVENT    Value: 3
NTDDI_VISTA    Value: 100663296
PROCESSOR_PPC_620    Value: 620
DBG_NO_STATE_CHANGE    Value: 3221291009
NumSymTypes    Value: 9
PROCESS_DUP_HANDLE    Value: 64
GlobalAddAtom    Value: GuessStringType(GlobalAddAtomA, GlobalAddAtomW)
BACKGROUND_GREY    Value: 112
VFT2_DRV_KEYBOARD    Value: 2
WOW64_CS32
VOS_NT    Value: 262144
EXCEPTION_FLT_DENORMAL_OPERAND    Value: 3221225613
SM_CYFRAME    Value: 33
COMMON_LVB_REVERSE_VIDEO    Value: 16384
NTDDI_WIN2K    Value: 83886080
PROCESSOR_ALPHA_21064    Value: 21064
CreateEvent    Value: GuessStringType(CreateEventA, CreateEventW)
PRODUCT_ENTERPRISE_SERVER_CORE    Value: 14
STATUS_ARRAY_BOUNDS_EXCEEDED    Value: 3221225612
THREAD_DIRECT_IMPERSONATION    Value: 512
PRODUCT_STORAGE_ENTERPRISE_SERVER    Value: 23
ARCH_HITACHI    Value: shx

WOW64_CONTEXT_EXTENDED_REGISTERS
CONTEXT_SEGMENTS    Value: 65540
DBG_EXCEPTION_HANDLED    Value: 65537
ARCH_ALPHA64    Value: alpha64
THREAD_ALL_ACCESS_NT    Value: 2032639
OSVERSION_MASK    Value: 4294901760
SM_CXFOCUSBORDER    Value: 83
STATUS_WAIT_0    Value: 0
ProcThreadAttributeHandleList    Value: 2
EXCEPTION_INT_DIVIDE_BY_ZERO    Value: 3221225620
SymEnumerateModules    Value: GuessStringType(SymEnumerateModulesA, SymEnumerateModulesW)
ProcThreadAttributeExtendedFlags    Value: 1
SUBVERSION_MASK    Value: 255
SM_CYSMICON    Value: 50
VS_FF_PRERELEASE    Value: 2
SLE_MINORERROR    Value: 2
CONTEXT_EXTENDED_REGISTERS    Value: 65568
THREAD_SET_THREAD_TOKEN    Value: 128
SymGetSearchPath    Value: GuessStringType(SymGetSearchPathA, SymGetSearchPathW)
SM_RESERVED4    Value: 27
SM_RESERVED1    Value: 24
SM_RESERVED3    Value: 26
SM_RESERVED2    Value: 25
OS_WINDOWS_2008_R2    Value: Windows 2008 R2
BACKGROUND_MAGENTA    Value: 80
PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE    Value: 2

EXCEPTION_EXECUTE_FAULT    Value: 8
FILE_ATTRIBUTE_DEVICE    Value: 64
VFT2_DRV_SYSTEM    Value: 7
FILE_ATTRIBUTE_HIDDEN    Value: 2
ProcThreadAttributePreferredNode    Value: 4
SM_MOUSEPRESENT    Value: 19
EXCEPTION_SINGLE_STEP    Value: 2147483652
ARCH_MIPS    Value: mips
PROCESSOR_ARCHITECTURE_IA32_ON_WIN64    Value: 10
SM_CXVSCROLL    Value: 2
PROFILE_KERNEL    Value: 536870912
SM_SLOWMACHINE    Value: 73
SECTION_MAP_WRITE    Value: 2
VOS_OS232_PM32    Value: 196611
PROCESSOR_ARCHITECTURE_IA64    Value: 6
STATUS_INTEGER_DIVIDE_BY_ZERO    Value: 3221225620
PRODUCT_PROFESSIONAL_E    Value: 69
PRODUCT_PROFESSIONAL_N    Value: 49
VOS_UNKNOWN    Value: 0
DUPLICATE_SAME_ACCESS    Value: 2
STATUS_FLOAT_STACK_CHECK    Value: 3221225618
PROC_THREAD_ATTRIBUTE_HANDLE_LIST    Value: 131074
VFT2_DRV_NETWORK    Value: 6
SM_CYSMSIZE    Value: 53
STATUS_ABANDONED_WAIT_0    Value: 128
VER_MINORVERSION    Value: 1
PROCESSOR_MIPS_R4000    Value: 4000

STATUS_GUARD_PAGE_VIOLATION    Value: 2147483649
SM_CYSIZEFRAME    Value: 33
CONTEXT_SERVICE_ACTIVE
SymSym    Value: 6
VER_PLATFORMID    Value: 8
VER_NT_WORKSTATION    Value: 1
MAXIMUM_WAIT_OBJECTS    Value: 64
COMMON_LVB_GRID_HORIZONTAL    Value: 1024
ProcThreadAttributeUmsThread    Value: 6
LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE    Value: 64
TH32CS_SNAPTHREAD    Value: 4
CreateProcess    Value: GuessStringType(CreateProcessA, CreateProcessW)
SM_REMOTECONTROL    Value: 8193
PRODUCT_ENTERPRISE_N    Value: 27
PRODUCT_ENTERPRISE_E    Value: 70
CREATE_ALWAYS    Value: 2
PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY    Value: 131079
PROCESS_SET_QUOTA    Value: 256
VFT2_DRV_MOUSE    Value: 5
warnings
PROCESS_MODE_BACKGROUND_BEGIN    Value: 1048576
MakeSureDirectoryPathExists    Value: GuessStringType(MakeSureDirectoryPathExistsA, MakeSureDir...
FOREGROUND_MASK    Value: 15
COMMON_LVB_MASK    Value: 65280
STATUS_SEGMENT_NOTIFICATION    Value: 1073741829
VFT2_DRV_RESERVED    Value: 11

SEM_NOGPFAULTERRORBOX    Value: 2
SM_CXSIZE    Value: 30
OS_W7_64    Value: Windows 7 (64 bits)
STATUS_HEAP_CORRUPTION    Value: 3221226356
OS_WINDOWS_SEVEN    Value: Windows 7
MEM_RESERVE    Value: 8192
VOS_DOS    Value: 65536
PROCESS_SET_SESSIONID    Value: 4
STATUS_BREAKPOINT    Value: 2147483651
OPEN_ALWAYS    Value: 4
QueryDosDevice    Value: GuessStringType(QueryDosDeviceA, QueryDosDeviceW)
FILE_FLAG_OVERLAPPED    Value: 1073741824
UNDNAME_COMPLETE    Value: 0
PROCESSOR_PPC_604    Value: 604
PROCESSOR_PPC_601    Value: 601
PROCESSOR_PPC_603    Value: 603
SM_MIDEASTENABLED    Value: 74
CONTEXT_INTEGER    Value: 65538
FILE_SHARE_WRITE    Value: 2
UNDNAME_NO_MS_KEYWORDS    Value: 2
SYMOPT_PUBLICS_ONLY    Value: 16384
SymEnumerateModules64    Value: GuessStringType(SymEnumerateModules64A, SymEnumerateModul...
EXCEPTION_NONCONTINUABLE    Value: 1
ARCH_MSIL    Value: msil
UNDNAME_NO_ARGUMENTS    Value: 8192
SYMOPT_ALLOW_ZERO_ADDRESS    Value: 16777216
WOW64_CONTEXT_DEBUG_REGISTERS
PROC_THREAD_ATTRIBUTE_INPUT    Value: 131072
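
The PROC_THREAD_ATTRIBUTE_* keys in these tables (PARENT_PROCESS = 131072, HANDLE_LIST = 131074, GROUP_AFFINITY = 196611, PREFERRED_NODE = 131076, MITIGATION_POLICY = 131079, EXTENDED_FLAGS = 393217) are the ProcThreadAttribute* enumerators packed with PROC_THREAD_ATTRIBUTE_INPUT (0x20000), PROC_THREAD_ATTRIBUTE_ADDITIVE (0x40000) and, for thread attributes, PROC_THREAD_ATTRIBUTE_THREAD (0x10000, taken from the Windows SDK; it is not in the tables). These keys are what UpdateProcThreadAttribute takes when CreateProcess is called with EXTENDED_STARTUPINFO_PRESENT: the mitigation-policy attribute carries an OR of the PROCESS_CREATION_MITIGATION_POLICY_* flags, and the parent-process attribute is the documented way to start a process under a different parent, which is the mechanism behind parent-PID spoofing and therefore worth recognising when reviewing process-creation code. The following is an added example, not WinAppDbg code: it reproduces the SDK packing, decodes the table values back into their parts, and composes a mitigation policy. ProcThreadAttributeParentProcess = 0 and ProcThreadAttributeMitigationPolicy = 7 are SDK enumerator values assumed here.

```python
# Added example (not WinAppDbg code): pack and unpack PROC_THREAD_ATTRIBUTE_*
# keys for STARTUPINFOEX, and compose a process-creation mitigation policy.

PROC_THREAD_ATTRIBUTE_NUMBER   = 0x0000FFFF   # from the tables
PROC_THREAD_ATTRIBUTE_THREAD   = 0x00010000   # SDK: attribute applies to a thread
PROC_THREAD_ATTRIBUTE_INPUT    = 0x00020000   # from the tables
PROC_THREAD_ATTRIBUTE_ADDITIVE = 0x00040000   # from the tables

# ProcThreadAttribute* enumerators (ParentProcess and MitigationPolicy
# are SDK values assumed here; the rest are listed in the tables).
ATTRIBUTE_NAMES = {
    0: "ProcThreadAttributeParentProcess",
    1: "ProcThreadAttributeExtendedFlags",
    2: "ProcThreadAttributeHandleList",
    3: "ProcThreadAttributeGroupAffinity",
    4: "ProcThreadAttributePreferredNode",
    5: "ProcThreadAttributeIdealProcessor",
    6: "ProcThreadAttributeUmsThread",
    7: "ProcThreadAttributeMitigationPolicy",
}
ProcThreadAttributeMax = 8

# PROCESS_CREATION_MITIGATION_POLICY_* flags from the tables.
DEP_ENABLE           = 0x01
DEP_ATL_THUNK_ENABLE = 0x02
SEHOP_ENABLE         = 0x04

EXTENDED_STARTUPINFO_PRESENT = 0x00080000


def proc_thread_attribute_value(number, thread=False, input_=False, additive=False):
    """Python port of the SDK ProcThreadAttributeValue() macro."""
    if not 0 <= number < ProcThreadAttributeMax:
        raise ValueError("unknown attribute number %r" % (number,))
    value = number & PROC_THREAD_ATTRIBUTE_NUMBER
    if thread:
        value |= PROC_THREAD_ATTRIBUTE_THREAD
    if input_:
        value |= PROC_THREAD_ATTRIBUTE_INPUT
    if additive:
        value |= PROC_THREAD_ATTRIBUTE_ADDITIVE
    return value


def decode_attribute(value):
    """Split a packed attribute key back into its parts."""
    number = value & PROC_THREAD_ATTRIBUTE_NUMBER
    return {
        "name": ATTRIBUTE_NAMES.get(number, "unknown(%d)" % number),
        "thread": bool(value & PROC_THREAD_ATTRIBUTE_THREAD),
        "input": bool(value & PROC_THREAD_ATTRIBUTE_INPUT),
        "additive": bool(value & PROC_THREAD_ATTRIBUTE_ADDITIVE),
    }


def mitigation_policy(dep=True, atl_thunk=True, sehop=True):
    """Compose the DWORD passed with PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY."""
    policy = 0
    if dep:
        policy |= DEP_ENABLE
    if atl_thunk:
        policy |= DEP_ATL_THUNK_ENABLE
    if sehop:
        policy |= SEHOP_ENABLE
    return policy


# Keys exactly as the tables list them, for cross-checking the packing.
TABLE_KEYS = {
    "PROC_THREAD_ATTRIBUTE_PARENT_PROCESS":    131072,
    "PROC_THREAD_ATTRIBUTE_EXTENDED_FLAGS":    393217,
    "PROC_THREAD_ATTRIBUTE_HANDLE_LIST":       131074,
    "PROC_THREAD_ATTRIBUTE_GROUP_AFFINITY":    196611,
    "PROC_THREAD_ATTRIBUTE_PREFERRED_NODE":    131076,
    "PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY": 131079,
}

if __name__ == "__main__":
    for name, key in TABLE_KEYS.items():
        print("%-41s 0x%05X %r" % (name, key, decode_attribute(key)))
    print("mitigation policy DEP|ATL_THUNK|SEHOP = 0x%X" % mitigation_policy())
```

Decoding the table values shows the pattern directly: every key has the INPUT bit, GROUP_AFFINITY additionally carries the THREAD bit (it is a thread attribute), and EXTENDED_FLAGS is the only ADDITIVE one. When auditing a CreateProcess call that passes EXTENDED_STARTUPINFO_PRESENT, decoding the keys handed to UpdateProcThreadAttribute tells you whether the code is hardening the child (MITIGATION_POLICY) or re-parenting it (PARENT_PROCESS).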

SYMOPT_OVERWRITE    Value: 1048576
TIMER_MODIFY_STATE    Value: 2
PRODUCT_STANDARDSERVER_CORE_V    Value: 40
VER_PLATFORM_WIN32s    Value: 0
SM_CYDRAG    Value: 69
ARCH_IA64    Value: ia64
PWOW64_LDT_ENTRY
CONTEXT_EXCEPTION_REPORTING
XMM_SAVE_AREA32
THREAD_PRIORITY_NORMAL    Value: 0
THREAD_ALL_ACCESS    Value: 2097151
PRODUCT_ULTIMATE_N    Value: 28
PRODUCT_ULTIMATE_E    Value: 71
PROC_THREAD_ATTRIBUTE_GROUP_AFFINITY    Value: 196611
PROCESSOR_ARM920    Value: 2336
SM_TABLETPC    Value: 86
PROCESS_SET_INFORMATION    Value: 512
TH32CS_SNAPHEAPLIST    Value: 1
SymDeferred    Value: 5
SM_CXICON    Value: 11
SM_CMONITORS    Value: 80
DBG_RIPEXCEPTION    Value: 1073807367
PROCESS_ALL_ACCESS    Value: 2097151
DETACHED_PROCESS    Value: 8
LoadLibraryEx    Value: GuessStringType(LoadLibraryExA, LoadLibraryExW)
SM_CYMIN    Value: 29
GetTempPath    Value: GuessStringType(GetTempPathA, GetTempPathW)
PRODUCT_ENTERPRISE_SERVER_IA64    Value: 15
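
The access-mask constants in these tables (SC_MANAGER_*, SERVICE_*, PROCESS_*, THREAD_*, TOKEN_*, GENERIC_*) are bit masks, and each *_ALL_ACCESS value is the OR of the object-specific rights with STANDARD_RIGHTS_REQUIRED (0xF0000) and, for processes and threads, SYNCHRONIZE (0x100000). Two PROCESS_ALL_ACCESS values appear: the NT/2000/XP/2003 mask 0x1F0FFF (PROCESS_ALL_ACCESS_NT, 2035711) and the Vista+ mask 0x1FFFFF (PROCESS_ALL_ACCESS_VISTA, 2097151); they differ in the 0xF000 bits, and requesting the larger mask on an older system fails with ERROR_ACCESS_DENIED because those bits are not valid there, which is why winappdbg.win32 carries both. The following is an added example, not code from WinAppDbg: it decodes a mask into named rights and reports any bits no name accounts for, which is how one checks that a handle is opened with no more rights than the task needs. Rights not listed in the tables (SC_MANAGER_CREATE_SERVICE, SERVICE_START, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION, ...) are taken from the Windows SDK headers and marked SDK in the code.

```python
# Added example (not WinAppDbg code): decode Win32 access masks into the
# rights they grant. Values without a comment are the ones listed in the
# winappdbg.win32 tables; values marked SDK come from the Windows headers.

STANDARD_RIGHTS = {              # shared by every securable object (SDK)
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}
GENERIC_RIGHTS = {
    0x80000000: "GENERIC_READ",
    0x40000000: "GENERIC_WRITE",
    0x20000000: "GENERIC_EXECUTE",
    0x10000000: "GENERIC_ALL",
}
SC_MANAGER_RIGHTS = {
    0x0001: "SC_MANAGER_CONNECT",
    0x0002: "SC_MANAGER_CREATE_SERVICE",      # SDK
    0x0004: "SC_MANAGER_ENUMERATE_SERVICE",   # SDK
    0x0008: "SC_MANAGER_LOCK",
    0x0010: "SC_MANAGER_QUERY_LOCK_STATUS",   # SDK
    0x0020: "SC_MANAGER_MODIFY_BOOT_CONFIG",  # SDK
}
SERVICE_RIGHTS = {
    0x0001: "SERVICE_QUERY_CONFIG",
    0x0002: "SERVICE_CHANGE_CONFIG",          # SDK
    0x0004: "SERVICE_QUERY_STATUS",
    0x0008: "SERVICE_ENUMERATE_DEPENDENTS",   # SDK
    0x0010: "SERVICE_START",                  # SDK
    0x0020: "SERVICE_STOP",
    0x0040: "SERVICE_PAUSE_CONTINUE",
    0x0080: "SERVICE_INTERROGATE",            # SDK
    0x0100: "SERVICE_USER_DEFINED_CONTROL",   # SDK
}
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",          # SDK
    0x0004: "PROCESS_SET_SESSIONID",
    0x0008: "PROCESS_VM_OPERATION",           # SDK
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",               # SDK
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",      # SDK
    0x0800: "PROCESS_SUSPEND_RESUME",         # SDK
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION",  # SDK (Windows 10)
}
OBJECT_RIGHTS = {"scm": SC_MANAGER_RIGHTS, "service": SERVICE_RIGHTS,
                 "process": PROCESS_RIGHTS}

SC_MANAGER_ALL_ACCESS    = 983103    # 0x000F003F
SERVICE_ALL_ACCESS       = 983551    # 0x000F01FF
PROCESS_ALL_ACCESS_NT    = 2035711   # 0x001F0FFF, Windows NT4 to 2003
PROCESS_ALL_ACCESS_VISTA = 2097151   # 0x001FFFFF, Windows Vista and later


def decode_access_mask(mask, object_type):
    """Return (names of the rights set in mask, bits no table names)."""
    names, rest = [], mask
    for table in (OBJECT_RIGHTS[object_type], STANDARD_RIGHTS, GENERIC_RIGHTS):
        for bit, name in table.items():
            if rest & bit:
                names.append(name)
                rest &= ~bit
    return names, rest


def excess_rights(requested, needed, object_type):
    """Rights in `requested` that `needed` does not justify (least-privilege check)."""
    return decode_access_mask(requested & ~needed, object_type)


if __name__ == "__main__":
    for label, mask, kind in (
            ("SC_MANAGER_ALL_ACCESS", SC_MANAGER_ALL_ACCESS, "scm"),
            ("SERVICE_ALL_ACCESS", SERVICE_ALL_ACCESS, "service"),
            ("PROCESS_ALL_ACCESS_NT", PROCESS_ALL_ACCESS_NT, "process"),
            ("PROCESS_ALL_ACCESS_VISTA", PROCESS_ALL_ACCESS_VISTA, "process")):
        names, rest = decode_access_mask(mask, kind)
        print("%-24s 0x%08X  %s  unnamed=0x%X" % (label, mask, " | ".join(names), rest))
    # A tool that only reads another process's memory needs
    # PROCESS_VM_READ | PROCESS_QUERY_INFORMATION; the rest of ALL_ACCESS is excess.
    needed = 0x0010 | 0x0400
    print("excess over VM_READ|QUERY_INFORMATION:",
          excess_rights(PROCESS_ALL_ACCESS_VISTA, needed, "process"))
```

The unnamed bits reported for PROCESS_ALL_ACCESS_VISTA (0xC000) are the two reserved bits the Vista header includes without defining a right for them; they are exactly what makes that mask fail on the older systems, together with the 0x1000 and 0x2000 rights those systems do not know.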

Variables

Name
GetFinalPathNameByHandle
FILE NAME NORMALIZED
SEC FILE
DBG CONTROL C
UNLOAD DLL DEBUG EVENT
SEC LARGE PAGES
PRODUCT STARTER
EXCEPTION FLT DIVIDE BY ZERO
EXCEPTION INT OVERFLOW
THREAD PRIORITY HIGHEST
WOW64 CONTEXT FULL
SymVirtual
SYMOPT DEBUG
VER EQUAL
STATUS ACCESS VIOLATION
OS WINDOWS SEVEN 64
PAGE GUARD
EXCEPTION WRITE FAULT
DEBUG ONLY THIS PROCESS
SPVERSION MASK
ProcThreadAttributeParentProcess
SM SECURE
ARCH AARCH64
EXIT PROCESS DEBUGEVENT
CREATE PRESERVE CODE AUTHZ LEVEL
COMMON LVB TRAILING BYTE

Description
Value:
GuessStringType(GetFinalPathNameByHandleA,
GetFinalPathNa...
Value: 0
Value: 8388608
Value: 1073807365
Value: 7
Value: 2147483648
Value: 11
Value: 3221225614
Value: 3221225621
Value: 2

Value:
Value:
Value:
Value:

8
2147483648
1
3221225477

Value: Windows 7 (64 bits)


Value: 256
Value: 1
Value: 2
Value: 65280
Value: 0
Value: 44
Value: arm64
Value: 5
Value: 33554432
Value: 512

Name
THREAD PRIORITY IDLE
PROCESSOR ARCHITECTURE SPARC
WOW64 CONTEXT i386
WOW64 CONTEXT INTEGER
SYMOPT DISABLE SYMSRV AUTODETECT
EXCEPTION FLT OVERFLOW
VER PRODUCT TYPE
VerQueryValue
STD OUTPUT HANDLE
TIMER ALL ACCESS
WOW64 CONTEXT
Wow64SetThreadContext
PAGE READONLY
EXCEPTION IN PAGE ERROR
PROCESSOR ARCHITECTURE MSIL
SM CYFULLSCREEN
PRODUCT STORAGE STANDARD SERVER
MEM PHYSICAL
SM CYSIZE
SymEnumerateSymbols64
PRODUCT DATACENTER SERVER CORE
STATUS SXS INVALID DEACTIVATION
PROCESS DEP DISABLE ATL THUNK EMULATION
SM CXFRAME
CreateMutex
CONTEXT DEBUG REGISTERS

Description
Value: -15
Value: 20

Value: 33554432
Value: 3221225617
Value: 128
Value: GuessStringType(VerQueryValueA,
VerQueryValueW)
Value: 4294967285
Value: 2031619

Value: 2
Value: 3221225478
Value: 8
Value: 17
Value: 21
Value: 4194304
Value: 31
Value:
GuessStringType(SymEnumerateSymbols64A,
SymEnumerateSymbo...
Value: 12
Value: 3222601744
Value: 2

Value: 32
Value: GuessStringType(CreateMutexA,
CreateMutexW)
Value: 65552

Name
SM CXVIRTUALSCREEN
EXCEPTION STACK OVERFLOW
SM STARTER
THREAD BASE PRIORITY IDLE
UNDNAME NO THISTYPE
SM CXHSCROLL
SymSetHomeDirectory
ARCH ARM7
LOAD LIBRARY AS IMAGE RESOURCE
PROCESSOR INTEL IA64
MEM FREE
SymInitialize
PRODUCT MEDIUMBUSINESS SERVER MESSAGING
OS WINDOWS XP
ARCH T32
FILE FLAG NO BUFFERING
VOLUME NAME GUID
DBG TERMINATE THREAD
SEM FAILCRITICALERRORS
SYMOPT NO CPP
PROCESSOR ARCHITECTURE UNKNOWN
BACKGROUND RED
STATUS FLOAT UNDERFLOW
SM CMOUSEBUTTONS
PAGE NOACCESS
BACKGROUND BLUE

Description
Value: 78
Value: 3221225725
Value: 88
Value: -15
Value: 96
Value: 21
Value:
GuessStringType(SymSetHomeDirectoryA,
SymSetHomeDirectoryW)
Value: arm
Value: 32
Value: 2200
Value: 65536
Value: GuessStringType(SymInitializeA,
SymInitializeW)
Value: 32

Value: Windows XP
Value: thumb
Value: 536870912
Value: 1
Value: 1073807363
Value: 1
Value: 8
Value: 65535
Value: 64
Value: 3221225619
Value: 43
Value: 1
Value: 16

Name
TIMER QUERY STATE
CONTEXT FLOATING POINT
HEAP CREATE ENABLE EXECUTE
HANDLE FLAG INHERIT
SymCv
IMAGE FILE MACHINEI386
CREATE SUSPENDED
MEM LARGE PAGES
VFT2 DRV INSTALLABLE
MEM WRITE WATCH
FOREGROUND MAGENTA
LOAD DLL DEBUG EVENT
PROFILE SERVER
PROCESSOR ARCHITECTURE ALPHA64
VFT2 DRV SOUND
THREAD QUERY LIMITED INFORMATION
VS FF DEBUG
EXCEPTION MAXIMUM PARAMETERS
DBG CONTROL BREAK
UNDNAME NO FUNCTION RETURNS
SM CYSMCAPTION
SM SAMEDISPLAYFORMAT
SymLoadModule64
NTDDI WINNT4
THREAD PRIORITY LOWEST
VOS DOS WINDOWS32
PROCESS VM WRITE

Description
Value: 1
Value: 65544
Value: 262144
Value: 1
Value: 2
Value: 332
Value: 4
Value: 536870912
Value: 8
Value: 2097152
Value: 5
Value: 6
Value: 1073741824
Value: 7
Value: 9
Value: 2048
Value: 1
Value: 15
Value: 1073807368
Value: 4
Value: 51
Value: 81
Value: GuessStringType(SymLoadModule64A,
SymLoadModule64W)
Value: 67108864
Value: -2
Value: 65540
Value: 32

Name
SM CXMAXIMIZED
UNDNAME NO RETURN UDT MODEL
UNDNAME NO LEADING UNDERSCORES
GetCurrentDirectory
PROCESS CREATE THREAD
STATUS STACK BUFFER OVERRUN
OS XP
SM CYCURSOR
FILE FLAG RANDOM ACCESS
STATUS REG NAT CONSUMPTION
VOLUME NAME NONE
OS W2K8
OS W2K3
PROCESSOR ARM720
WOW64 CONTEXT FLOATING POINT
PROCESS VM OPERATION
SM CYFOCUSBORDER
PRODUCT STANDARDSERVER
EXCEPTION POSSIBLEDEADLOCK
PROFILE USER
VER SUITE EMBEDDEDNT
GetTempFileName
GetModuleHandle
PRODUCT HOME PREMIUM N
PAGE WRITECOMBINE

Description
Value: 61
Value: 1024
Value: 1
Value:
GuessStringType(GetCurrentDirectoryA,
GetCurrentDirectoryW)
Value: 2
Value: 3221226505
Value: Windows XP
Value: 14
Value: 268435456
Value: 3221226185
Value:
Value:
Value:
Value:

4
Windows 2008
Windows 2003
1824

Value: 8
Value: 84
Value: 7
Value: 3221225876
Value: 268435456
Value: 64
Value: GuessStringType(GetTempFileNameA,
GetTempFileNameW)
Value: GuessStringType(GetModuleHandleA,
GetModuleHandleW)
Value: 26
Value: 1024

Name
SymGetHomeDirectory
PRODUCT ENTERPRISE SERVER V
VER AND
VFT APP
VOS OS216
COMMON LVB GRID LVERTICAL
SM CYFIXEDFRAME
SM NETWORK
PRODUCT SERVER FOR SMALLBUSINESS
INITIAL FPCSR
VS FF PRIVATEBUILD
VFT DLL
ARCH IA32
PRODUCT UNLICENSED
RIP EVENT
SLE WARNING
CREATE NO WINDOW
STATUS INVALID DISPOSITION
FILE MAP WRITE
ARCH I386
OUTPUT DEBUG STRING EVENT
OS W7
ARCH ALPHA
SECTION ALL ACCESS
PROCESSOR HITACHI SH3
PROCESSOR HITACHI SH4
VFT FONT
DONT RESOLVE DLL REFERENCES
SEC RESERVE
MEM DECOMMIT
BACKGROUND YELLOW

Description
Value:
GuessStringType(SymGetHomeDirectoryA,
SymGetHomeDirectoryW)
Value: 38
Value:
Value:
Value:
Value:

6
1
131072
2048

Value: 8
Value: 63
Value: 24

Value:
Value:
Value:
Value:

8
2
i386
2882382797

Value:
Value:
Value:
Value:

9
3
134217728
3221225510

Value: 2
Value: i386
Value: 8
Value:
Value:
Value:
Value:

Windows 7
alpha
983071
10003

Value: 10005
Value: 4
Value: 1
Value: 67108864
Value: 16384
Value: 96

Name
SM CXCURSOR
SM DEBUG
SYMOPT EXACT SYMBOLS
SM CYICONSPACING
PROC THREAD ATTRIBUTE THREAD
SM CYICON
SetDllDirectory
REALTIME PRIORITY CLASS
SM CXSIZEFRAME
CTRL C EVENT
MUTEX ALL ACCESS
VER MAJORVERSION
PRODUCT BUSINESS N
SM CXMINSPACING
TRUNCATE EXISTING
SM CXHTHUMB
VER SUITE SMALLBUSINESS
IMAGE FILE MACHINEIA64
PROCESSOR MOTOROLA 821
THREAD ALERT
SYMOPT SECURE
IDLE PRIORITY CLASS
PRODUCT WEB SERVER CORE
SM CMETRICS
THREAD BASE PRIORITY MAX
VFT VXD
FILE ATTRIBUTE TEMPORARY
OS WINDOWS 2008
OS WINDOWS 2003
OS WINDOWS 2000
LOAD IGNORE CODE AUTHZ LEVEL

Description
Value: 13
Value: 22
Value: 1024
Value: 39
Value: 65536
Value: 12
Value: GuessStringType(SetDllDirectoryA,
SetDllDirectoryW)
Value: 256
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:

32
0
2031617
2
16
47
5
10
1

Value: 512
Value: 821
Value:
Value:
Value:
Value:

4
262144
64
29

Value: 93
Value: 2
Value: 5
Value: 256
Value:
Value:
Value:
Value:

Windows 2008
Windows 2003
Windows 2000
16

Name
STATUS USER APC
THREAD SET CONTEXT
STATUS FLOAT MULTIPLE TRAPS
PROCESS MODE BACKGROUND END
SM CXMINIMIZED
PRODUCT UNDEFINED
PRODUCT STARTER N
PRODUCT STARTER E
CTRL BREAK EVENT
WOW64 MAXIMUM SUPPORTED EXTENSION
FILE ATTRIBUTE NORMAL
HANDLE FLAG PROTECT FROM CLOSE
LDT ENTRY BYTES
SM CYHSCROLL
OS UNKNOWN
SM CYMENUCHECK
WRITE WATCH FLAG RESET
PROCESSOR INTEL PENTIUM
FOREGROUND INTENSITY
ACCESS VIOLATION TYPE DEP
STATUS INVALID INFO CLASS
SYMOPT DEFERRED LOADS
ProcThreadAttributeMitigationPolicy
SYMOPT AUTO PUBLICS
SM SHOWSOUNDS
PRODUCT HOME BASICE

Description
Value: 192
Value: 16
Value: 3221226165
Value: 2097152
Value: 57
Value: 0
Value: 47
Value: 66
Value: 1

Value: 128
Value: 2

Value:
Value:
Value:
Value:

3
Unknown
72
1

Value: 586
Value: 8
Value: 8
Value: 3221225475
Value: 4
Value: 7
Value: 65536
Value: 70
Value: 67

Name
SymEnumerateSymbols
PRODUCT HOME BASICN
SM CYMENU
VFT2 DRV VERSIONEDPRINTER
PRODUCT CLUSTER SERVER
ARCH ARM8
DBG CONTINUE
VOS DOS WINDOWS16
COMMON LVB GRID RVERTICAL
OS W2K8R2 64
STATUS NO MEMORY
FILE NAME OPENED
OS W2K8R2
SM MEDIACENTER
VFT2 FONT RASTER
PROCESS QUERY INFORMATION
SECTION MAP EXECUTE EXPLICIT
PRODUCT MEDIUMBUSINESS SERVER MANAGEMENT
GetFileVersionInfo
EXCEPTION ILLEGAL INSTRUCTION
OpenMutex
hdSrc
SM CXFIXEDFRAME
NTDDI VISTASP1
WOW64 SIZE OF 80387 REGISTERS
FILE ATTRIBUTE DIRECTORY

Description
Value:
GuessStringType(SymEnumerateSymbolsA,
SymEnumerateSymbolsW)
Value: 5
Value: 15
Value: 12
Value: 18
Value:
Value:
Value:
Value:

arm64
65538
65537
4096

Value:
Value:
Value:
Value:
Value:
Value:
Value:

Windows 2008 R2 (64 bits)


3221225495
8
Windows 2008 R2
87
1
1024

Value: 32
Value: 30

Value:
GuessStringType(GetFileVersionInfoA,
GetFileVersionInfoW)
Value: 3221225501
Value: GuessStringType(OpenMutexA,
OpenMutexW)
Value: 2
Value: 7
Value: 100663552

Value: 16

Name
VER SERVICEPACKMINOR
VFT2 DRV PRINTER
SearchPath
BACKGROUND BLACK
THREAD SET INFORMATION
LoadLibrary
GetFullPathName
STD ERROR HANDLE
STATUS FLOAT DENORMAL OPERAND
SYMOPT IGNORE CVREC
PROCESS SUSPEND RESUME
PROC THREAD ATTRIBUTE IDEAL PROCESSOR
UNDNAME NO THROWSIGNATURES
UNDNAME NAME ONLY
PRODUCT SERVER FOUNDATION
SEM NOALIGNMENTFAULTEXCEPT
VER SUITENAME
UNDNAME NO ALLOCATION MODEL
VER BUILDNUMBER
OS W2K
PROC THREAD ATTRIBUTE UMS THREAD
BACKGROUND GREEN
MAXIMUM SUPPORTED EXTENSION
CREATE PROTECTED PROCESS

Description
Value: 16
Value: 1
Value: GuessStringType(SearchPathA,
SearchPathW)
Value: 0
Value: 32
Value: GuessStringType(LoadLibraryA,
LoadLibraryW)
Value: GuessStringType(GetFullPathNameA,
GetFullPathNameW)
Value: 4294967284
Value: 3221225613
Value: 128
Value: 2048
Value: 196613

Value: 256
Value: 4096
Value: 33
Value: 4
Value: 64
Value: 8
Value: 4
Value: Windows 2000
Value: 196614
Value: 32
Value: 512
Value: 262144

Name
ERROR CANNOT DETECT PROCESS ABORT
STANDARD RIGHTS WRITE
ERROR PROC NOT FOUND
ExceptionContinueSearch
ERROR ENVVAR NOT FOUND
FileCompletionInformation
ProcessDebugPort
FLG HEAP VALIDATE PARAMETERS
ERROR CONTROL C EXIT
ERROR DBG REPLY LATER
ERROR CALL NOT IMPLEMENTED
SystemRangeStartInformation
ERROR INVALID PARAMETER
ANYSIZE ARRAY
ImageUsesLargePages
ERROR FILE NOT FOUND
ERROR DBG CONTROL BREAK
ERROR SERVICE NEVER STARTED
ERROR WOW ASSERTION
ProcessTimes
ERROR NOT ENOUGH MEMORY
FileFullDirectoryInformation
FLG HEAP ENABLE TAIL CHECK
ERROR DBG TERMINATE THREAD

Description
Value: 1081
Value: 131072
Value: 127
Value: 1
Value: 203
Value: 30
Value: 7
Value: 64
Value: 572
Value: 689
Value: 120
Value: 51
Value: 87
Value: 1
Value: 1
Value: 2
Value: 696
Value: 1077
Value: 670
Value: 4
Value: 8
Value: 2
Value: 16
Value: 691

Name
FLG ENABLE HANDLE TYPE TAGGING
ERROR INSUFFICIENTBUFFER
DbgSafeThunkCall
ERROR HANDLE DISK FULL
ERROR BAD LENGTH
RtlDisableUserStackWalk
ERROR SERVICE DEPENDENCY FAIL
FLG HEAP PAGE ALLOCS
ProcessAccessToken
FLG HEAP ENABLE CALL TRACING
ObjectTypeInformation
FLG POOL ENABLE TAIL CHECK
STANDARD RIGHTS REQUIRED
ThreadPriority
SystemGlobalFlag
ERROR INVALID ADDRESS
ProcessImageFileName
FLG DISABLE PAGE KERNEL STACKS
ERROR SERVICE NOT ACTIVE
SystemDebuggerInformation
FileTrackingInformation
DbgSuppressDebugMsg
ProcessUsingVEH
SystemInfo42
SystemBasicInformation
ProcessBasePriority
ThreadHideFromDebugger
ERROR PARTIAL COPY

Description
Value: 16777216
Value: 122
Value: 1
Value: 39
Value: 24
Value: 256
Value: 1068
Value: 33554432
Value: 9
Value: 1048576
Value: 2
Value: 256
Value: 983040
Value: 2
Value: 10
Value: 487
Value: 27
Value: 524288
Value: 1062
Value: 36
Value:
Value:
Value:
Value:
Value:
Value:
Value:

36
128
4
43
1
5
17

Value: 299

Name
ObjectNameInformation
SystemLockInformation
ERROR THREAD NOT IN PROCESS
ProcessVmCounters
ERROR DIR NOT EMPTY
FLG DEBUG INITIAL COMMAND
ProcessUsingFTH
FileModeInformation
ERROR NO RECOVERY PROGRAM
SysDbgWriteMsr
IsImageDynamicallyRelocated
SystemTimeAdjustmentInformation
ProcessWow64Information
ExceptionCollidedUnwind
ThreadIsIoPending
ProcessWx86Information
INFINITE
ThreadSetTlsArrayAddress
ERROR DBG EXCEPTION HANDLED
ThreadBasicInformation
ERROR MOD NOT FOUND
ThreadEnableAlignmentFaultFixup
ERROR SERVICE START HANG
SystemCreateSession
FileQuotaInformation
ERROR BUFFER OVERFLOW
ThreadTimes
FLG ENABLE DBGPRINT BUFFERING

Description
Value: 1
Value: 13
Value: 566
Value: 3
Value: 145
Value: 4
Value: 16
Value: 16
Value: 1082
Value: 17
Value: 8
Value: 29
Value: 26
Value:
Value:
Value:
Value:
Value:

3
16
19
-1
15

Value: 766
Value: 0
Value: 126
Value: 7
Value: 1070
Value: 48
Value: 32
Value: 111
Value: 1
Value: 134217728

Name
TRUE
ERROR ALREADY EXISTS
FLG EARLY CRITICALSECTION EVT
ERROR DIFFERENT SERVICE ACCOUNT
SkipPatchingUser32Forwarders
SystemSessionProcessesInformation
ExceptionNestedException
FileAllocationInformation
ProcessLdtInformation
SystemCrashDumpStateInformation
ERROR INVALID HANDLE
ERROR INVALID FUNCTION
SystemInfo10
SystemInfo13
SystemPrioritySeparationInformation
ProcessExecuteFlags
ERROR BAD THREADID ADDR
FLG ENABLE EXCEPTION LOGGING
SystemSetTimeSlipEvent
FileDirectoryInformation
MEM EXECUTE OPTION ENABLE
ERROR INVALID NAME
SystemUnloadImage
DELETE
FilePipeRemoteInformation
ProcessQuotaLimits
MAX MODULE NAME32

Description
Value: 1
Value: 183
Value: 268435456
Value: 1079
Value: 16
Value: 54
Value: 2
Value: 19
Value: 10
Value: 35
Value: 6
Value: 1
Value: 11
Value: 14
Value: 40
Value: 34
Value: 159
Value: 8388608
Value: 47
Value: 1
Value: 1
Value: 123
Value: 28
Value: 65536
Value: 25
Value: 1
Value: 255

Name
SystemObjectInformation
FileAlternateNameInformation
ProcessRaisePriority
SystemTimeZoneInformation
SystemLoadDriver
ERROR DBG CONTROLC
SystemAddVerifier
ERROR SERVICE EXISTS
SystemPagedPoolInformation
IsLegacyProcess
ThreadDescriptorTableEntry
SystemProcessorCounters
FileEaInformation
SPECIFIC RIGHTS ALL
FLG VALID BITS
FLG POOL ENABLE TAGGING
ERROR SERVICE LOGON FAILED
ERROR PROCESS ABORTED
MEM EXECUTE OPTION ATL7 THUNK EMULATION
ERROR DATABASE DOES NOT EXIST
ERROR INVALID SERVICE LOCK
ThreadZeroTlsCell
SystemMemoryUsageInformation2
ProcessEnableAlignmentFaultFixup
FileNameInformation
ProcessHandleCount
FALSE

Description
Value: 18
Value: 21
Value: 6
Value: 45
Value: 39
Value: 693
Value: 53
Value: 1073
Value: 15
Value: 4
Value: 6
Value:
Value:
Value:
Value:
Value:

9
7
65535
4194303
1024

Value: 1069
Value: 1067
Value: 4

Value: 1065
Value: 1071
Value: 10
Value: 30
Value: 17
Value: 9
Value: 20
Value: 0

Name
ProcessUsingVCH
ExceptionContinueExecution
WinFuncHook
ERROR DISK FULL
ProcessIoPortHandlers
FileMailslotQueryInformation
ERROR ELEVATION REQUIRED
FileAllInformation
SysDbgReadMsr
ERROR SERVICE DEPENDENCY DELETED
ERROR DBG RIPEXCEPTION
ERROR DBG TERMINATE PROCESS
STANDARD RIGHTS EXECUTE
ProcessWorkingSetWatch
ERROR DBG EXCEPTION NOT HANDLED
FLG DISABLE DLL VERIFICATION
READ CONTROL
SystemRegistryQuotaInformation
DbgClonedThread
FLG HEAP ENABLE FREE CHECK
ERROR DBG PRINTEXCEPTION C
ProcessPriorityBoost
FileInternalInformation
ERROR UNHANDLED EXCEPTION
FLG USER STACK TRACE DB
ProcessPriorityClass
ERROR NOT SUPPORTED

Description
Value: 8
Value: 0

Value: 112
Value: 13
Value: 26
Value: 740
Value: 18
Value: 16
Value: 1075
Value: 695
Value: 692
Value: 131072
Value: 15
Value: 688
Value: 2147483648
Value: 131072
Value: 38
Value: 64
Value: 32
Value: 694
Value: 22
Value: 6
Value: 574
Value: 4096
Value: 18
Value: 50

Name
FileDispositionInformation
ERROR BAD PATHNAME
SystemCallInformation
ERROR MORE DATA
SystemProcessorInformation
ERROR ACCESS DENIED
SystemMemoryUsageInformation1
STANDARD RIGHTS ALL
STANDARD RIGHTS READ
FileAlignmentInformation
FileInheritContentIndexInformation
SystemNonPagedPoolInformation
DbgInDebugPrint
FileLinkInformation
MAX PATH
MEM EXECUTE OPTION DISABLE
ERROR DBG CONTINUE
FileStreamInformation
FileRenameInformation
ERROR CIRCULAR DEPENDENCY
ThreadPriorityBoost
ProcessIoCounters
FileFullEaInformation
ERROR SERVICE MARKED FOR DELETE
WRITE DAC
SystemDpcInformation
FileOleInformation
SystemTimeInformation
ERROR DUPLICATE SERVICE NAME

Description
Value: 13
Value: 161
Value: 7
Value: 234
Value: 2
Value: 5
Value: 26
Value: 2031616
Value: 131072
Value: 17
Value: 37
Value: 16
Value:
Value:
Value:
Value:

2
11
260
2

Value: 767
Value: 22
Value: 10
Value: 1059
Value:
Value:
Value:
Value:

14
2
15
1072

Value:
Value:
Value:
Value:
Value:

262144
25
39
4
1078

Name
ProcessExceptionPort
ERROR FILENAME EXCED RANGE
ERROR BAD ARGUMENTS
WRITE OWNER
WinCallHook
FLG HEAP ENABLE TAGGING
FilePipeLocalInformation
FLG MAINTAIN OBJECT TYPELIST
ProcessUserModeIOPL
ERROR SERVICE CANNOT ACCEPT CTRL
FileMoveClusterInformation
INVALID HANDLE VALUE
FileMailslotSetInformation
ERROR SERVICE DOESNOT EXIST
FileStandardInformation
SystemInfo49
ERROR NO MORE FILES
ERROR SERVICE SPECIFIC ERROR
SystemInfo43
SystemInfo41
SystemInfo40
ERROR HANDLE EOF
RtlExceptionAttached
ProcessInitializing
ProcessBasicInformation
ThreadPerformanceCount
FLG SHOW LDR SNAPS
ObjectAllTypesInformation

Description
Value: 8
Value: 206
Value: 160
Value: 524288
Value: 2048
Value: 24
Value: 16384
Value: 16
Value: 1061
Value: 31
Value: 4294967295
Value: 27
Value: 1060
Value: 5
Value: 50
Value: 18
Value: 1066
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:

44
42
41
38
512
2
0
11
2

Value: 3

Name
FLG HEAP ENABLE TAG BY DLL
ProcessDefaultHardErrorMode
FileNamesInformation
ERROR CANNOT DETECT DRIVER FAILURE
DbgRanProcessInit
RtlInitialThread
FLG STOP ON HUNG GUI
ERROR PRIVILEGE NOT HELD
ERROR DBG UNABLE TO PROVIDE HANDLE
SystemCrashDumpInformation
SystemPerformanceInformation
FLG KERNEL STACK TRACE DB
SYNCHRONIZE
FLG ENABLE CLOSE EXCEPTION
ThreadQuerySetWin32StartAddress
FileObjectIdInformation
SystemPathInformation
ERROR FAILED SERVICE CONTROLLER CONNECT
ERROR NONE MAPPED
HeapTracingEnabled
FLG STOP ON EXCEPTION
RPC S SERVER UNAVAILABLE
SystemInfo20
ThreadAmILastThread
SystemProcessorStatistics
ERROR FILE EXISTS

Description
Value: 32768
Value: 12
Value: 12
Value: 1080
Value: 32
Value: 1024
Value: 8
Value: 1314
Value: 690
Value: 33
Value: 3
Value: 8192
Value: 1048576
Value: 4194304
Value: 9
Value: 35
Value: 5
Value: 1063

Value: 1332
Value: 1
Value: 1
Value: 1722
Value:
Value:
Value:
Value:

21
12
24
80

Name
SystemHandleInformation
SystemDeleteSession
SystemLookasideInformation
ERROR INVALID DRIVE
CritSecTracingEnabled
ERROR SERVICE NOT IN EXE
SystemConfigurationInformation
SystemModuleInformation
ERROR INVALID FLAGNUMBER
ProcessAffinityMask
ERROR SUCCESS
ERROR NOT SAFEBOOT SERVICE
DbgWerInShipAssertCode
FileOleDirectoryInformation
FLG POOL ENABLE FREE CHECK
DbgSkipThreadAttach
ERROR ALREADY RUNNING LKG
SystemInfo30
SystemInfo31
ERROR EXCEPTION INSERVICE
DbgHasFiberData
ERROR DEBUGGER INACTIVE
FilePipeInformation
ERROR PATH NOT FOUND
SystemPoolTagInformation
ERROR ASSERTION FAILURE
os
FLG DEBUG WINLOGON

Description
Value: 17
Value: 49
Value: 46
Value: 15
Value: 2
Value: 1083
Value: 8
Value: 12
Value: 186
Value: 21
Value: 0
Value: 1084
Value: 16
Value: 37
Value: 512
Value: 8
Value: 1074
Value: 31
Value: 32
Value: 1064
Value: 4
Value: 1284
Value: 23
Value: 3
Value: 23
Value: 668
Value: Windows 7 (64 bits)
Value: 67108864

Name
ThreadImpersonationToken
FLG ENABLE CSRDEBUG
SystemInstemulInformation
FilePositionInformation
ProcessLdtSize
FLG ENABLE KDEBUGSYMBOL LOAD
ERROR NOACCESS
FLG HEAP DISABLE COALESCING
FileNetworkOpenInformation
ERROR BOOT ALREADY ACCEPTED
FileCopyOnWriteInformation
SystemCacheInformation
FLG HEAP VALIDATE ALL
WinDllHook
FileMaximumInformation
ThreadEventPair
ProcessDebugObjectHandle
ERROR DBG COMMAND EXCEPTION
FileContentIndexInformation
NULL
ThreadBasePriority
ThreadAffinityMask
ERROR SEM TIMEOUT
SystemPagefileInformation
FileReparsePointInformation
ObjectBasicInformation
SystemProcessInformation
ThreadIdealProcessor

Description
Value: 5
Value: 131072
Value: 20
Value: 14
Value: 11
Value: 262144
Value: 998
Value: 2097152
Value: 34
Value: 1076
Value: 29
Value: 22
Value: 128

Value: 40
Value: 8
Value: 30
Value: 697
Value: 38
Value:
Value:
Value:
Value:
Value:

None
3
4
121
19

Value: 33
Value: 0
Value: 6
Value: 13

Name
FileAccessInformation
SystemExceptionInformation
SystemLoadImage
FileBasicInformation
FileEndOfFileInformation
SystemThreadSwitchInformation
FileBothDirectoryInformation
SystemVerifierInformation
IsProtectedProcess
ProcessInJob
FileCompressionInformation
WAIT TIMEOUT
ObjectHandleInformation
ERROR NO MORE ITEMS
FLG IGNORE DEBUG PRIV
ProcessPooledUsageAndLimits
MEM EXECUTE OPTION PERMANENT

Description
Value: 8
Value: 34
Value:
Value:
Value:
Value:

27
4
20
37

Value: 3
Value:
Value:
Value:
Value:

52
2
1
28

Value: 258
Value: 4
Value: 259
Value: 65536
Value: 14
Value: 8

18 Module winappdbg.win32.advapi32

Wrapper for advapi32.dll in ctypes.


18.1 Classes
LUID (Section 185, p. 817)
PLUID (Section 155, p. 783)
LUID_AND_ATTRIBUTES (Section 186, p. 818)
TOKEN_PRIVILEGES (Section 207, p. 849)
PTOKEN_PRIVILEGES (Section 172, p. 800)
TOKEN_INFORMATION_CLASS (Section 39, p. 331)
TOKEN_TYPE (Section 39, p. 331)
PTOKEN_TYPE (Section 160, p. 788)
TOKEN_ELEVATION_TYPE (Section 39, p. 331)
PTOKEN_ELEVATION_TYPE (Section 160, p. 788)
SECURITY_IMPERSONATION_LEVEL (Section 39, p. 331)
PSECURITY_IMPERSONATION_LEVEL (Section 160, p. 788)
SID_AND_ATTRIBUTES (Section 193, p. 829)
PSID_AND_ATTRIBUTES (Section 161, p. 789)
TOKEN_USER (Section 209, p. 852)
PTOKEN_USER (Section 189, p. 821)
TOKEN_MANDATORY_LABEL (Section 203, p. 845)
PTOKEN_MANDATORY_LABEL (Section 188, p. 820)
TOKEN_OWNER (Section 205, p. 847)
PTOKEN_OWNER (Section 170, p. 798)
TOKEN_PRIMARY_GROUP (Section 206, p. 848)
PTOKEN_PRIMARY_GROUP (Section 171, p. 799)
TOKEN_APPCONTAINER_INFORMATION (Section 201, p. 843)
PTOKEN_APPCONTAINER_INFORMATION (Section 187, p. 819)
TOKEN_ORIGIN (Section 204, p. 846)
PTOKEN_ORIGIN (Section 169, p. 797)
TOKEN_LINKED_TOKEN (Section 202, p. 844)
PTOKEN_LINKED_TOKEN (Section 168, p. 796)
TOKEN_STATISTICS (Section 208, p. 850)
PTOKEN_STATISTICS (Section 173, p. 801)
HWCT (Section 52, p. 344)
WCT_OBJECT_TYPE (Section 46, p. 338)
WCT_OBJECT_STATUS (Section 46, p. 338)
WAITCHAIN_NODE_INFO (Section 212, p. 859)
PWAITCHAIN_NODE_INFO (Section 176, p. 804)
WaitChainNodeInfo: Represents a node in the wait chain. (Section 213, p. 861)
ThreadWaitChainSessionHandle: Thread wait chain session handle. (Section 210, p. 853)
SAFER_LEVEL_HANDLE (Section 52, p. 344)
SAFER_POLICY_INFO_CLASS (Section 46, p. 338)
SC_HANDLE (Section 52, p. 344)
SC_STATUS_TYPE (Section 39, p. 331)
SC_ENUM_TYPE (Section 39, p. 331)
SERVICE_STATUS (Section 191, p. 825)
LPSERVICE_STATUS (Section 138, p. 766)
SERVICE_STATUS_PROCESS (Section 192, p. 827)
LPSERVICE_STATUS_PROCESS (Section 184, p. 816)
ENUM_SERVICE_STATUSA (Section 180, p. 808)
ENUM_SERVICE_STATUSW (Section 181, p. 810)
LPENUM_SERVICE_STATUSA (Section 129, p. 757)
LPENUM_SERVICE_STATUSW (Section 130, p. 758)
ENUM_SERVICE_STATUS_PROCESSA (Section 182, p. 812)
ENUM_SERVICE_STATUS_PROCESSW (Section 183, p. 814)
LPENUM_SERVICE_STATUS_PROCESSA (Section 131, p. 759)
LPENUM_SERVICE_STATUS_PROCESSW (Section 132, p. 760)
ServiceStatus: Wrapper for the SERVICE_STATUS structure. (Section 197, p. 839)
ServiceStatusProcess: Wrapper for the SERVICE_STATUS_PROCESS structure. (Section 199, p. 841)
ServiceStatusEntry: Service status entry returned by EnumServicesStatus. (Section 198, p. 840)
ServiceStatusProcessEntry: Service status entry returned by EnumServicesStatusEx. (Section 200, p. 842)
TokenHandle: Access token handle. (Section 211, p. 856)
RegistryKeyHandle: Registry key handle. (Section 190, p. 822)
SaferLevelHandle: Safer level handle. (Section 194, p. 830)
ServiceHandle: Service handle. (Section 196, p. 836)
ServiceControlManagerHandle: Service Control Manager (SCM) handle. (Section 195, p. 833)
PWAITCHAINCALLBACK (Section 175, p. 803)
18.2 Functions
GetUserNameA()
GetUserNameW()
LookupAccountSidA(lpSystemName, lpSid)
LookupAccountSidW(lpSystemName, lpSid)
ConvertSidToStringSidA(Sid)
ConvertSidToStringSidW(Sid)
ConvertStringSidToSidA(StringSid)
ConvertStringSidToSidW(StringSid)
IsValidSid(pSid)
EqualSid(pSid1, pSid2)
GetLengthSid(pSid)
CopySid(pSourceSid)
FreeSid(pSid)
OpenProcessToken(ProcessHandle, DesiredAccess=983551)
OpenThreadToken(ThreadHandle, DesiredAccess, OpenAsSelf=True)
DuplicateToken(ExistingTokenHandle, ImpersonationLevel=2)
DuplicateTokenEx(hExistingToken, dwDesiredAccess=983551, lpTokenAttributes=None, ImpersonationLevel=2, TokenType=1)
IsTokenRestricted(hTokenHandle)
LookupPrivilegeValueA(lpSystemName, lpName)
LookupPrivilegeValueW(lpSystemName, lpName)
LookupPrivilegeNameA(lpSystemName, lpLuid)
LookupPrivilegeNameW(lpSystemName, lpLuid)
AdjustTokenPrivileges(TokenHandle, NewState=())
GetTokenInformation(hTokenHandle, TokenInformationClass)
CreateProcessWithLogonW(lpUsername=None, lpDomain=None, lpPassword=None, dwLogonFlags=0, lpApplicationName=None, lpCommandLine=None, dwCreationFlags=0, lpEnvironment=None, lpCurrentDirectory=None, lpStartupInfo=None)
CreateProcessWithLogonA(*argv, **argd)
CreateProcessWithTokenW(hToken=None, dwLogonFlags=0, lpApplicationName=None, lpCommandLine=None, dwCreationFlags=0, lpEnvironment=None, lpCurrentDirectory=None, lpStartupInfo=None)
CreateProcessWithTokenA(*argv, **argd)
CreateProcessAsUserA(hToken=None, lpApplicationName=None, lpCommandLine=None, lpProcessAttributes=None, lpThreadAttributes=None, bInheritHandles=False, dwCreationFlags=0, lpEnvironment=None, lpCurrentDirectory=None, lpStartupInfo=None)
CreateProcessAsUserW(hToken=None, lpApplicationName=None, lpCommandLine=None, lpProcessAttributes=None, lpThreadAttributes=None, bInheritHandles=False, dwCreationFlags=0, lpEnvironment=None, lpCurrentDirectory=None, lpStartupInfo=None)
OpenThreadWaitChainSession(Flags=0, callback=None)
GetThreadWaitChain(WctHandle, Context=None, Flags=7, ThreadId=-1, NodeCount=16)
CloseThreadWaitChainSession(WctHandle)
SaferCreateLevel(dwScopeId=2, dwLevelId=131072, OpenFlags=0)
SaferComputeTokenFromLevel(LevelHandle, InAccessToken=None, dwFlags=0)
SaferCloseLevel(hLevelHandle)
SaferiIsExecutableFileType(szFullPath, bFromShellExecute=False)
SaferIsExecutableFileType(szFullPath, bFromShellExecute=False)
RegCloseKey(hKey)
RegConnectRegistryA(lpMachineName=None, hKey=2147483650)
RegConnectRegistryW(lpMachineName=None, hKey=2147483650)
RegCreateKeyA(hKey=2147483650, lpSubKey=None)
RegCreateKeyW(hKey=2147483650, lpSubKey=None)
RegOpenKeyA(hKey=2147483650, lpSubKey=None)
RegOpenKeyW(hKey=2147483650, lpSubKey=None)
RegOpenKeyExA(hKey=2147483650, lpSubKey=None, samDesired=983103)
RegOpenKeyExW(hKey=2147483650, lpSubKey=None, samDesired=983103)
RegOpenCurrentUser(samDesired=983103)
RegOpenUserClassesRoot(hToken, samDesired=983103)
RegQueryValueA(hKey, lpSubKey=None)
RegQueryValueW(hKey, lpSubKey=None)
RegQueryValueExA(hKey, lpValueName=None, bGetData=True)
RegQueryValueExW(hKey, lpValueName=None, bGetData=True)
RegSetValueEx(hKey, lpValueName=None, lpData=None, dwType=None)
RegSetValueExW(hKey, lpValueName=None, lpData=None, dwType=None)
RegSetValueExA(hKey, lpValueName=None, lpData=None, dwType=None)
RegEnumKeyA(hKey, dwIndex)
RegEnumKeyW(hKey, dwIndex)
RegEnumValueA(hKey, dwIndex, bGetData=True)
RegEnumValueW(hKey, dwIndex, bGetData=True)
RegDeleteValueA(hKeySrc, lpValueName=None)
RegDeleteValueW(hKeySrc, lpValueName=None)
RegDeleteKeyValueA(hKeySrc, lpSubKey=None, lpValueName=None)
RegDeleteKeyValueW(hKeySrc, lpSubKey=None, lpValueName=None)
RegDeleteKeyA(hKeySrc, lpSubKey=None)
RegDeleteKeyW(hKeySrc, lpSubKey=None)
RegDeleteKeyExA(hKeySrc, lpSubKey=None, samDesired=512)
RegDeleteKeyExW(hKeySrc, lpSubKey=None, samDesired=512)
RegCopyTreeA(hKeySrc, lpSubKey, hKeyDest)
RegCopyTreeW(hKeySrc, lpSubKey, hKeyDest)
RegDeleteTreeA(hKey, lpSubKey=None)
RegDeleteTreeW(hKey, lpSubKey=None)
RegFlushKey(hKey)
CloseServiceHandle(hSCObject)
OpenSCManagerA(lpMachineName=None, lpDatabaseName=None, dwDesiredAccess=983103)
OpenSCManagerW(lpMachineName=None, lpDatabaseName=None, dwDesiredAccess=983103)
OpenServiceA(hSCManager, lpServiceName, dwDesiredAccess=983551)
OpenServiceW(hSCManager, lpServiceName, dwDesiredAccess=983551)
CreateServiceA(hSCManager, lpServiceName, lpDisplayName=None, dwDesiredAccess=983551, dwServiceType=16, dwStartType=3, dwErrorControl=1, lpBinaryPathName=None, lpLoadOrderGroup=None, lpDependencies=None, lpServiceStartName=None, lpPassword=None)
CreateServiceW(hSCManager, lpServiceName, lpDisplayName=None, dwDesiredAccess=983551, dwServiceType=16, dwStartType=3, dwErrorControl=1, lpBinaryPathName=None, lpLoadOrderGroup=None, lpDependencies=None, lpServiceStartName=None, lpPassword=None)
DeleteService(hService)
GetServiceKeyNameA(hSCManager, lpDisplayName)
GetServiceKeyNameW(hSCManager, lpDisplayName)
GetServiceDisplayNameA(hSCManager, lpServiceName)
GetServiceDisplayNameW(hSCManager, lpServiceName)
StartServiceA(hService, ServiceArgVectors=None)
StartServiceW(hService, ServiceArgVectors=None)
ControlService(hService, dwControl)
QueryServiceStatus(hService)
QueryServiceStatusEx(hService, InfoLevel=0)
EnumServicesStatusA(hSCManager, dwServiceType=59, dwServiceState=3)
EnumServicesStatusW(hSCManager, dwServiceType=59, dwServiceState=3)
EnumServicesStatusExA(hSCManager, InfoLevel=0, dwServiceType=59, dwServiceState=3, pszGroupName=None)
EnumServicesStatusExW(hSCManager, InfoLevel=0, dwServiceType=59, dwServiceState=3, pszGroupName=None)

18.3

Variables
Name
LDT ENTRY HIGHWORD
WOW64 CS32
CONTEXT EXCEPTIONREQUEST
CONTEXT EXCEPTIONACTIVE
WOW64 CONTEXT EXTENDED REGISTERS
Wow64GetThreadContext
WOW64 CONTEXT i386
WOW64 CONTEXT INTEGER
WOW64 CONTEXT CONTROL
LPXMM SAVE AREA32
Wow64GetThreadSelectorEntry
PWOW64 FLOATING SAVE AREA
WOW64 CONTEXT
WOW64 CONTEXT FLOATING POINT

Description

continued on next page

181

Variables

Module winappdbg.win32.advapi32

Name
PXMM SAVE AREA32
context i386
CONTEXT MMX REGISTERS
CONTEXT SERVICE ACTIVE
WOW64 CONTEXT i486
WinFuncHook
WOW64 LDT ENTRY
warnings
INITIAL FPCSR
LDT ENTRY BITS
WOW64 FLOATING SAVE AREA
WOW64 MAXIMUM SUPPORTED EXTENSION
LEGACY SAVE AREA LENGTH
DEBUG EVENT UNION
LDT ENTRY BYTES
WOW64 CONTEXT SEGMENTS
PWOW64 CONTEXT
WOW64 CONTEXT DEBUG REGISTERS
WinCallHook
WOW64 CONTEXT ALL
CONTEXT EXCEPTIONREPORTING
XMM SAVE AREA32
psyco
context amd64
Wow64ResumeThread
WOW64 CONTEXT FULL
Wow64SetThreadContext
WOW64 SIZE OF 80387 REGISTERS
CONTEXT AMD64
INITIAL MXCSR

Description

PWOW64_LDT_ENTRY
WinDllHook
SE_ASSIGNPRIMARYTOKEN_NAME    Value: SeAssignPrimaryTokenPrivilege
SE_AUDIT_NAME    Value: SeAuditPrivilege
SE_BACKUP_NAME    Value: SeBackupPrivilege
SE_CHANGE_NOTIFY_NAME    Value: SeChangeNotifyPrivilege
SE_CREATE_GLOBAL_NAME    Value: SeCreateGlobalPrivilege
SE_CREATE_PAGEFILE_NAME    Value: SeCreatePagefilePrivilege
SE_CREATE_PERMANENT_NAME    Value: SeCreatePermanentPrivilege
SE_CREATE_SYMBOLIC_LINK_NAME    Value: SeCreateSymbolicLinkPrivilege
SE_CREATE_TOKEN_NAME    Value: SeCreateTokenPrivilege
SE_DEBUG_NAME    Value: SeDebugPrivilege
SE_ENABLE_DELEGATION_NAME    Value: SeEnableDelegationPrivilege
SE_IMPERSONATE_NAME    Value: SeImpersonatePrivilege
SE_INC_BASE_PRIORITY_NAME    Value: SeIncreaseBasePriorityPrivilege
SE_INCREASE_QUOTA_NAME    Value: SeIncreaseQuotaPrivilege
SE_INC_WORKING_SET_NAME    Value: SeIncreaseWorkingSetPrivilege
SE_LOAD_DRIVER_NAME    Value: SeLoadDriverPrivilege
SE_LOCK_MEMORY_NAME    Value: SeLockMemoryPrivilege
SE_MACHINE_ACCOUNT_NAME    Value: SeMachineAccountPrivilege
SE_MANAGE_VOLUME_NAME    Value: SeManageVolumePrivilege
SE_PROF_SINGLE_PROCESS_NAME    Value: SeProfileSingleProcessPrivilege
SE_RELABEL_NAME    Value: SeRelabelPrivilege
SE_REMOTE_SHUTDOWN_NAME    Value: SeRemoteShutdownPrivilege
SE_RESTORE_NAME    Value: SeRestorePrivilege
SE_SECURITY_NAME    Value: SeSecurityPrivilege
SE_SHUTDOWN_NAME    Value: SeShutdownPrivilege
SE_SYNC_AGENT_NAME    Value: SeSyncAgentPrivilege
SE_SYSTEM_ENVIRONMENT_NAME    Value: SeSystemEnvironmentPrivilege
SE_SYSTEM_PROFILE_NAME    Value: SeSystemProfilePrivilege
SE_SYSTEMTIME_NAME    Value: SeSystemtimePrivilege
SE_TAKE_OWNERSHIP_NAME    Value: SeTakeOwnershipPrivilege
SE_TCB_NAME    Value: SeTcbPrivilege
SE_TIME_ZONE_NAME    Value: SeTimeZonePrivilege
SE_TRUSTED_CREDMAN_ACCESS_NAME    Value: SeTrustedCredManAccessPrivilege
SE_UNDOCK_NAME    Value: SeUndockPrivilege
SE_UNSOLICITED_INPUT_NAME    Value: SeUnsolicitedInputPrivilege
SE_PRIVILEGE_ENABLED_BY_DEFAULT    Value: 1
SE_PRIVILEGE_ENABLED    Value: 2
SE_PRIVILEGE_REMOVED    Value: 4
SE_PRIVILEGE_USED_FOR_ACCESS    Value: 2147483648
LOGON_WITH_PROFILE    Value: 1
LOGON_NETCREDENTIALS_ONLY    Value: 2
TOKEN_ASSIGN_PRIMARY    Value: 1
TOKEN_DUPLICATE    Value: 2
TOKEN_IMPERSONATE    Value: 4
TOKEN_QUERY    Value: 8
TOKEN_QUERY_SOURCE    Value: 16
TOKEN_ADJUST_PRIVILEGES    Value: 32
TOKEN_ADJUST_GROUPS    Value: 64
TOKEN_ADJUST_DEFAULT    Value: 128
TOKEN_ADJUST_SESSIONID    Value: 256
TOKEN_READ    Value: 131080
TOKEN_ALL_ACCESS    Value: 983551
HKEY_CLASSES_ROOT    Value: 2147483648
HKEY_CURRENT_USER    Value: 2147483649
HKEY_LOCAL_MACHINE    Value: 2147483650
HKEY_USERS    Value: 2147483651
HKEY_PERFORMANCE_DATA    Value: 2147483652
HKEY_CURRENT_CONFIG    Value: 2147483653
KEY_ALL_ACCESS    Value: 983103
KEY_CREATE_LINK    Value: 32
KEY_CREATE_SUB_KEY    Value: 4
KEY_ENUMERATE_SUB_KEYS    Value: 8
KEY_EXECUTE    Value: 131097
KEY_NOTIFY    Value: 16
KEY_QUERY_VALUE    Value: 1
KEY_READ    Value: 131097
KEY_SET_VALUE    Value: 2
KEY_WOW64_32KEY    Value: 512
KEY_WOW64_64KEY    Value: 256
KEY_WRITE    Value: 131078
REG_NONE    Value: 0
REG_SZ    Value: 1
REG_EXPAND_SZ    Value: 2
REG_BINARY    Value: 3
REG_DWORD    Value: 4
REG_DWORD_LITTLE_ENDIAN    Value: 4
REG_DWORD_BIG_ENDIAN    Value: 5
REG_LINK    Value: 6
REG_MULTI_SZ    Value: 7
REG_RESOURCE_LIST    Value: 8
REG_FULL_RESOURCE_DESCRIPTOR    Value: 9
REG_RESOURCE_REQUIREMENTS_LIST    Value: 10
REG_QWORD    Value: 11
REG_QWORD_LITTLE_ENDIAN    Value: 11
TokenUser    Value: 1
TokenGroups    Value: 2
TokenPrivileges    Value: 3
TokenOwner    Value: 4
TokenPrimaryGroup    Value: 5
TokenDefaultDacl    Value: 6
TokenSource    Value: 7
TokenType    Value: 8
TokenImpersonationLevel    Value: 9
TokenStatistics    Value: 10
TokenRestrictedSids    Value: 11
TokenSessionId    Value: 12
TokenGroupsAndPrivileges    Value: 13
TokenSessionReference    Value: 14
TokenSandBoxInert    Value: 15
TokenAuditPolicy    Value: 16
TokenOrigin    Value: 17
TokenElevationType    Value: 18
TokenLinkedToken    Value: 19
TokenElevation    Value: 20
TokenHasRestrictions    Value: 21
TokenAccessInformation    Value: 22
TokenVirtualizationAllowed    Value: 23
TokenVirtualizationEnabled    Value: 24
TokenIntegrityLevel    Value: 25
TokenUIAccess    Value: 26
TokenMandatoryPolicy    Value: 27
TokenLogonSid    Value: 28
TokenIsAppContainer    Value: 29
TokenCapabilities    Value: 30
TokenAppContainerSid    Value: 31
TokenAppContainerNumber    Value: 32
TokenUserClaimAttributes    Value: 33
TokenDeviceClaimAttributes    Value: 34
TokenRestrictedUserClaimAttributes    Value: 35
TokenRestrictedDeviceClaimAttributes    Value: 36
TokenDeviceGroups    Value: 37
TokenRestrictedDeviceGroups    Value: 38
TokenSecurityAttributes    Value: 39
TokenIsRestricted    Value: 40
MaxTokenInfoClass    Value: 41
TokenPrimary    Value: 1
TokenImpersonation    Value: 2
TokenElevationTypeDefault    Value: 1
TokenElevationTypeFull    Value: 2
TokenElevationTypeLimited    Value: 3
SecurityAnonymous    Value: 0
SecurityIdentification    Value: 1
SecurityImpersonation    Value: 2
SecurityDelegation    Value: 3
SidTypeUser    Value: 1
SidTypeGroup    Value: 2
SidTypeDomain    Value: 3
SidTypeAlias    Value: 4
SidTypeWellKnownGroup    Value: 5
SidTypeDeletedAccount    Value: 6
SidTypeInvalid    Value: 7
SidTypeUnknown    Value: 8
SidTypeComputer    Value: 9
SidTypeLabel    Value: 10
WCT_MAX_NODE_COUNT    Value: 16
WCT_OBJNAME_LENGTH    Value: 128
WCT_ASYNC_OPEN_FLAG    Value: 1
WCTP_OPEN_ALL_FLAGS    Value: 1
WCT_OUT_OF_PROC_FLAG    Value: 1
WCT_OUT_OF_PROC_COM_FLAG    Value: 2
WCT_OUT_OF_PROC_CS_FLAG    Value: 4
WCTP_GETINFO_ALL_FLAGS    Value: 7
WctCriticalSectionType    Value: 1
WctSendMessageType    Value: 2
WctMutexType    Value: 3
WctAlpcType    Value: 4
WctComType    Value: 5
WctThreadWaitType    Value: 6
WctProcessWaitType    Value: 7
WctThreadType    Value: 8
WctComActivationType    Value: 9
WctUnknownType    Value: 10
WctMaxType    Value: 11
WctStatusNoAccess    Value: 1
WctStatusRunning    Value: 2
WctStatusBlocked    Value: 3
WctStatusPidOnly    Value: 4
WctStatusPidOnlyRpcss    Value: 5
WctStatusOwned    Value: 6
WctStatusNotOwned    Value: 7
WctStatusAbandoned    Value: 8
WctStatusUnknown    Value: 9
WctStatusError    Value: 10
WctStatusMax    Value: 11
SAFER_SCOPEID_MACHINE    Value: 1
SAFER_SCOPEID_USER    Value: 2
SAFER_LEVEL_OPEN    Value: 1
SAFER_LEVELID_DISALLOWED    Value: 0
SAFER_LEVELID_UNTRUSTED    Value: 4096
SAFER_LEVELID_CONSTRAINED    Value: 65536
SAFER_LEVELID_NORMALUSER    Value: 131072
SAFER_LEVELID_FULLYTRUSTED    Value: 262144
SaferPolicyLevelList    Value: 1
SaferPolicyEnableTransparentEnforcement    Value: 2
SaferPolicyDefaultLevel    Value: 3
SaferPolicyEvaluateUserScope    Value: 4
SaferPolicyScopeFlags    Value: 5
SAFER_TOKEN_NULL_IF_EQUAL    Value: 1
SAFER_TOKEN_COMPARE_ONLY    Value: 2
SAFER_TOKEN_MAKE_INERT    Value: 4
SAFER_TOKEN_WANT_FLAGS    Value: 8
SAFER_TOKEN_MASK    Value: 15
SERVICES_ACTIVE_DATABASEW    Value: u'ServicesActive'
SERVICES_FAILED_DATABASEW    Value: u'ServicesFailed'
SERVICES_ACTIVE_DATABASEA    Value: 'ServicesActive'
SERVICES_FAILED_DATABASEA    Value: 'ServicesFailed'
SC_GROUP_IDENTIFIERW    Value: u'+'
SC_GROUP_IDENTIFIERA    Value: '+'
SERVICE_NO_CHANGE    Value: 4294967295
SC_STATUS_PROCESS_INFO    Value: 0
SC_ENUM_PROCESS_INFO    Value: 0
SERVICE_ALL_ACCESS    Value: 983551
SERVICE_QUERY_CONFIG    Value: 1
SERVICE_CHANGE_CONFIG    Value: 2
SERVICE_QUERY_STATUS    Value: 4
SERVICE_ENUMERATE_DEPENDENTS    Value: 8
SERVICE_START    Value: 16
SERVICE_STOP    Value: 32
SERVICE_PAUSE_CONTINUE    Value: 64
SERVICE_INTERROGATE    Value: 128
SERVICE_USER_DEFINED_CONTROL    Value: 256
SC_MANAGER_ALL_ACCESS    Value: 983103
SC_MANAGER_CONNECT    Value: 1
SC_MANAGER_CREATE_SERVICE    Value: 2
SC_MANAGER_ENUMERATE_SERVICE    Value: 4
SC_MANAGER_LOCK    Value: 8
SC_MANAGER_QUERY_LOCK_STATUS    Value: 16
SC_MANAGER_MODIFY_BOOT_CONFIG    Value: 32
SERVICE_BOOT_START    Value: 0
SERVICE_SYSTEM_START    Value: 1
SERVICE_AUTO_START    Value: 2
SERVICE_DEMAND_START    Value: 3
SERVICE_DISABLED    Value: 4
SERVICE_ERROR_IGNORE    Value: 0
SERVICE_ERROR_NORMAL    Value: 1
SERVICE_ERROR_SEVERE    Value: 2
SERVICE_ERROR_CRITICAL    Value: 3
SERVICE_ACTIVE    Value: 1
SERVICE_INACTIVE    Value: 2
SERVICE_STATE_ALL    Value: 3
SERVICE_KERNEL_DRIVER    Value: 1
SERVICE_FILE_SYSTEM_DRIVER    Value: 2
SERVICE_ADAPTER    Value: 4
SERVICE_RECOGNIZER_DRIVER    Value: 8
SERVICE_WIN32_OWN_PROCESS    Value: 16
SERVICE_WIN32_SHARE_PROCESS    Value: 32
SERVICE_INTERACTIVE_PROCESS    Value: 256
SERVICE_DRIVER    Value: 11
SERVICE_WIN32    Value: 48
SERVICE_STOPPED    Value: 1
SERVICE_START_PENDING    Value: 2
SERVICE_STOP_PENDING    Value: 3
SERVICE_RUNNING    Value: 4
SERVICE_CONTINUE_PENDING    Value: 5
SERVICE_PAUSE_PENDING    Value: 6
SERVICE_PAUSED    Value: 7
SERVICE_RUNS_IN_SYSTEM_PROCESS    Value: 1
SERVICE_CONTROL_STOP    Value: 1
SERVICE_CONTROL_PAUSE    Value: 2
SERVICE_CONTROL_CONTINUE    Value: 3
SERVICE_CONTROL_INTERROGATE    Value: 4
SERVICE_CONTROL_SHUTDOWN    Value: 5
SERVICE_CONTROL_PARAMCHANGE    Value: 6
SERVICE_CONTROL_NETBINDADD    Value: 7
SERVICE_CONTROL_NETBINDREMOVE    Value: 8
SERVICE_CONTROL_NETBINDENABLE    Value: 9
SERVICE_CONTROL_NETBINDDISABLE    Value: 10
SERVICE_CONTROL_DEVICEEVENT    Value: 11
SERVICE_CONTROL_HARDWAREPROFILECHANGE    Value: 12
SERVICE_CONTROL_POWEREVENT    Value: 13
SERVICE_CONTROL_SESSIONCHANGE    Value: 14
SERVICE_ACCEPT_STOP    Value: 1
SERVICE_ACCEPT_PAUSE_CONTINUE    Value: 2
SERVICE_ACCEPT_SHUTDOWN    Value: 4
SERVICE_ACCEPT_PARAMCHANGE    Value: 8
SERVICE_ACCEPT_NETBINDCHANGE    Value: 16
SERVICE_ACCEPT_HARDWAREPROFILECHANGE    Value: 32
SERVICE_ACCEPT_POWEREVENT    Value: 64
SERVICE_ACCEPT_SESSIONCHANGE    Value: 128
SERVICE_ACCEPT_PRESHUTDOWN    Value: 256
SERVICE_ACCEPT_TIMECHANGE    Value: 512
SERVICE_ACCEPT_TRIGGEREVENT    Value: 1024
SERVICE_ACCEPT_USERMODEREBOOT    Value: 2048
SC_ACTION_NONE    Value: 0
SC_ACTION_RESTART    Value: 1
SC_ACTION_REBOOT    Value: 2
SC_ACTION_RUN_COMMAND    Value: 3
SERVICE_CONFIG_DESCRIPTION    Value: 1
SERVICE_CONFIG_FAILURE_ACTIONS    Value: 2
GetUserName    Value: DefaultStringType(GetUserNameA, GetUserNameW)
LookupAccountSid    Value: GuessStringType(LookupAccountSidA, LookupAccountSidW)
ConvertSidToStringSid    Value: DefaultStringType(ConvertSidToStringSidA, ConvertSidToStr...
ConvertStringSidToSid    Value: GuessStringType(ConvertStringSidToSidA, ConvertStringSidT...
LookupPrivilegeValue    Value: GuessStringType(LookupPrivilegeValueA, LookupPrivilegeVal...
LookupPrivilegeName    Value: GuessStringType(LookupPrivilegeNameA, LookupPrivilegeNameW)
CreateProcessWithLogon    Value: DefaultStringType(CreateProcessWithLogonA, CreateProcessW...
CreateProcessWithToken    Value: DefaultStringType(CreateProcessWithTokenA, CreateProcessW...
CreateProcessAsUser    Value: GuessStringType(CreateProcessAsUserA, CreateProcessAsUserW)
RegConnectRegistry    Value: GuessStringType(RegConnectRegistryA, RegConnectRegistryW)
RegCreateKey    Value: GuessStringType(RegCreateKeyA, RegCreateKeyW)
RegOpenKey    Value: GuessStringType(RegOpenKeyA, RegOpenKeyW)
RegOpenKeyEx    Value: GuessStringType(RegOpenKeyExA, RegOpenKeyExW)
RegQueryValue    Value: GuessStringType(RegQueryValueA, RegQueryValueW)
RegQueryValueEx    Value: GuessStringType(RegQueryValueExA, RegQueryValueExW)
RegEnumKey    Value: DefaultStringType(RegEnumKeyA, RegEnumKeyW)
RegEnumValue    Value: DefaultStringType(RegEnumValueA, RegEnumValueW)
RegDeleteValue    Value: GuessStringType(RegDeleteValueA, RegDeleteValueW)
RegDeleteKeyValue    Value: GuessStringType(RegDeleteKeyValueA, RegDeleteKeyValueW)
RegDeleteKey    Value: GuessStringType(RegDeleteKeyA, RegDeleteKeyW)
RegDeleteKeyEx    Value: GuessStringType(RegDeleteKeyExA, RegDeleteKeyExW)
RegCopyTree    Value: GuessStringType(RegCopyTreeA, RegCopyTreeW)
RegDeleteTree    Value: GuessStringType(RegDeleteTreeA, RegDeleteTreeW)
OpenSCManager    Value: GuessStringType(OpenSCManagerA, OpenSCManagerW)
OpenService    Value: GuessStringType(OpenServiceA, OpenServiceW)
CreateService    Value: GuessStringType(CreateServiceA, CreateServiceW)
GetServiceKeyName    Value: GuessStringType(GetServiceKeyNameA, GetServiceKeyNameW)
GetServiceDisplayName    Value: GuessStringType(GetServiceDisplayNameA, GetServiceDisplay...
StartService    Value: GuessStringType(StartServiceA, StartServiceW)
EnumServicesStatus    Value: DefaultStringType(EnumServicesStatusA, EnumServicesStatusW)
EnumServicesStatusEx    Value: DefaultStringType(EnumServicesStatusExA, EnumServicesStat...

19 Module winappdbg.win32.context_amd64

CONTEXT structure for amd64.


19.1 Classes

XMM_SAVE_AREA32 (Section 226, p. 880)
PXMM_SAVE_AREA32 (Section 222, p. 872)
LPXMM_SAVE_AREA32 (Section 222, p. 872)
CONTEXT (Section ??, p. ??)
PCONTEXT (Section 217, p. 867)
LPCONTEXT (Section 217, p. 867)
Context: Register context dictionary for the amd64 architecture. (Section 215, p. 864)
LDT_ENTRY (Section 216, p. 865)
PLDT_ENTRY (Section 218, p. 868)
LPLDT_ENTRY (Section 218, p. 868)
WOW64_FLOATING_SAVE_AREA (Section 224, p. 876)
WOW64_CONTEXT (Section 223, p. 873)
WOW64_LDT_ENTRY (Section 225, p. 878)
PWOW64_FLOATING_SAVE_AREA (Section 220, p. 870)
PWOW64_CONTEXT (Section 219, p. 869)
PWOW64_LDT_ENTRY (Section 221, p. 871)

19.2 Functions

GetThreadSelectorEntry(hThread, dwSelector)
GetThreadContext(hThread, ContextFlags=None, raw=False)
SetThreadContext(hThread, lpContext)
Wow64GetThreadSelectorEntry(hThread, dwSelector)
Wow64ResumeThread(hThread)
Wow64SuspendThread(hThread)
Wow64GetThreadContext(hThread, ContextFlags=None)
Wow64SetThreadContext(hThread, lpContext)

19.3 Variables

Name    Description
WinCallHook
WinFuncHook
WinDllHook
EXCEPTION_READ_FAULT    Value: 0
EXCEPTION_WRITE_FAULT    Value: 1
EXCEPTION_EXECUTE_FAULT    Value: 8
CONTEXT_AMD64    Value: 1048576
CONTEXT_CONTROL    Value: 1048577
CONTEXT_INTEGER    Value: 1048578
CONTEXT_SEGMENTS    Value: 1048580
CONTEXT_FLOATING_POINT    Value: 1048584
CONTEXT_DEBUG_REGISTERS    Value: 1048592
CONTEXT_MMX_REGISTERS    Value: 1048584
CONTEXT_FULL    Value: 1048587
CONTEXT_ALL    Value: 1048607
CONTEXT_EXCEPTION_ACTIVE    Value: 134217728
CONTEXT_SERVICE_ACTIVE    Value: 268435456
CONTEXT_EXCEPTION_REQUEST    Value: 1073741824
CONTEXT_EXCEPTION_REPORTING    Value: 2147483648
INITIAL_MXCSR    Value: 8064
INITIAL_FPCSR    Value: 639
LEGACY_SAVE_AREA_LENGTH    Value: 512
WOW64_CS32    Value: 35
WOW64_CONTEXT_i386    Value: 65536
WOW64_CONTEXT_i486    Value: 65536
WOW64_CONTEXT_CONTROL    Value: 65537
WOW64_CONTEXT_INTEGER    Value: 65538
WOW64_CONTEXT_SEGMENTS    Value: 65540
WOW64_CONTEXT_FLOATING_POINT    Value: 65544
WOW64_CONTEXT_DEBUG_REGISTERS    Value: 65552
WOW64_CONTEXT_EXTENDED_REGISTERS    Value: 65568
WOW64_CONTEXT_FULL    Value: 65543
WOW64_CONTEXT_ALL    Value: 65599
WOW64_SIZE_OF_80387_REGISTERS    Value: 80
WOW64_MAXIMUM_SUPPORTED_EXTENSION    Value: 512

20 Module winappdbg.win32.context_i386

CONTEXT structure for i386.


20.1 Classes

FLOATING_SAVE_AREA (Section 229, p. 884)
PFLOATING_SAVE_AREA (Section 293, p. 986)
LPFLOATING_SAVE_AREA (Section 293, p. 986)
CONTEXT (Section ??, p. ??)
PCONTEXT (Section 231, p. 888)
LPCONTEXT (Section 231, p. 888)
Context: Register context dictionary for the i386 architecture. (Section 228, p. 883)
LDT_ENTRY (Section 230, p. 886)
PLDT_ENTRY (Section 232, p. 889)
LPLDT_ENTRY (Section 232, p. 889)

20.2 Functions

GetThreadSelectorEntry(hThread, dwSelector)
GetThreadContext(hThread, ContextFlags=None, raw=False)
SetThreadContext(hThread, lpContext)

20.3 Variables

Name    Description
WinCallHook
WinFuncHook
WinDllHook
EXCEPTION_READ_FAULT    Value: 0
EXCEPTION_WRITE_FAULT    Value: 1
EXCEPTION_EXECUTE_FAULT    Value: 8
CONTEXT_i386    Value: 65536
CONTEXT_i486    Value: 65536
CONTEXT_CONTROL    Value: 65537
CONTEXT_INTEGER    Value: 65538
CONTEXT_SEGMENTS    Value: 65540
CONTEXT_FLOATING_POINT    Value: 65544
CONTEXT_DEBUG_REGISTERS    Value: 65552
CONTEXT_EXTENDED_REGISTERS    Value: 65568
CONTEXT_FULL    Value: 65543
CONTEXT_ALL    Value: 65599
SIZE_OF_80387_REGISTERS    Value: 80
MAXIMUM_SUPPORTED_EXTENSION    Value: 512

21 Module winappdbg.win32.dbghelp

Wrapper for dbghelp.dll in ctypes.


21.1 Classes

IMAGEHLP_MODULE (Section 235, p. 894)
PIMAGEHLP_MODULE (Section 147, p. 775)
IMAGEHLP_MODULE64 (Section 236, p. 896)
PIMAGEHLP_MODULE64 (Section 148, p. 776)
IMAGEHLP_MODULEW (Section 237, p. 898)
PIMAGEHLP_MODULEW (Section 149, p. 777)
IMAGEHLP_MODULEW64 (Section 238, p. 900)
PIMAGEHLP_MODULEW64 (Section 150, p. 778)
PSYM_ENUMMODULES_CALLBACK (Section 162, p. 790)
PSYM_ENUMMODULES_CALLBACKW (Section 244, p. 910)
PSYM_ENUMMODULES_CALLBACK64 (Section 243, p. 909)
PSYM_ENUMMODULES_CALLBACKW64 (Section 163, p. 791)
PSYM_ENUMSYMBOLS_CALLBACK (Section 164, p. 792)
PSYM_ENUMSYMBOLS_CALLBACKW (Section 166, p. 794)
PSYM_ENUMSYMBOLS_CALLBACK64 (Section 165, p. 793)
PSYM_ENUMSYMBOLS_CALLBACKW64 (Section 167, p. 795)
SYM_INFO (Section 248, p. 915)
PSYM_INFO (Section 245, p. 911)
SYM_INFOW (Section 249, p. 917)
PSYM_INFOW (Section 246, p. 912)
IMAGEHLP_SYMBOL64 (Section 239, p. 902)
PIMAGEHLP_SYMBOL64 (Section 151, p. 779)
IMAGEHLP_SYMBOLW64 (Section 240, p. 904)
PIMAGEHLP_SYMBOLW64 (Section 152, p. 780)
API_VERSION (Section 234, p. 892)
PAPI_VERSION (Section 142, p. 770)
LPAPI_VERSION (Section 142, p. 770)
ADDRESS_MODE (Section 46, p. 338)
ADDRESS64 (Section 233, p. 890)
LPADDRESS64 (Section 127, p. 755)
KDHELP64 (Section 241, p. 906)
PKDHELP64 (Section 154, p. 782)
STACKFRAME64 (Section 247, p. 913)
LPSTACKFRAME64 (Section 242, p. 908)
PREAD_PROCESS_MEMORY_ROUTINE64 (Section 159, p. 787)
PFUNCTION_TABLE_ACCESS_ROUTINE64 (Section 144, p. 772)
PGET_MODULE_BASE_ROUTINE64 (Section 145, p. 773)
PTRANSLATE_ADDRESS_ROUTINE64 (Section 145, p. 773)


21.2 Functions

MakeSureDirectoryPathExistsA(DirPath)
MakeSureDirectoryPathExistsW(*argv, **argd)
SymInitializeA(hProcess, UserSearchPath=None, fInvadeProcess=False)
SymInitializeW(*argv, **argd)
SymCleanup(hProcess)
SymRefreshModuleList(hProcess)
SymSetParentWindow(hwnd)
SymSetOptions(SymOptions)
SymGetOptions()
SymLoadModuleA(hProcess, hFile=None, ImageName=None, ModuleName=None, BaseOfDll=None, SizeOfDll=None)
SymLoadModuleW(*argv, **argd)
SymLoadModule64A(hProcess, hFile=None, ImageName=None, ModuleName=None, BaseOfDll=None, SizeOfDll=None)
SymLoadModule64W(*argv, **argd)
SymUnloadModule(hProcess, BaseOfDll)
SymUnloadModule64(hProcess, BaseOfDll)
SymGetModuleInfoA(hProcess, dwAddr)
SymGetModuleInfoW(hProcess, dwAddr)
SymGetModuleInfo64A(hProcess, dwAddr)
SymGetModuleInfo64W(hProcess, dwAddr)
SymEnumerateModulesA(hProcess, EnumModulesCallback, UserContext=None)
SymEnumerateModulesW(hProcess, EnumModulesCallback, UserContext=None)
SymEnumerateModules64A(hProcess, EnumModulesCallback, UserContext=None)
SymEnumerateModules64W(hProcess, EnumModulesCallback, UserContext=None)
SymEnumerateSymbolsA(hProcess, BaseOfDll, EnumSymbolsCallback, UserContext=None)
SymEnumerateSymbolsW(hProcess, BaseOfDll, EnumSymbolsCallback, UserContext=None)
SymEnumerateSymbols64A(hProcess, BaseOfDll, EnumSymbolsCallback, UserContext=None)
SymEnumerateSymbols64W(hProcess, BaseOfDll, EnumSymbolsCallback, UserContext=None)
UnDecorateSymbolNameA(DecoratedName, Flags=0)
UnDecorateSymbolNameW(DecoratedName, Flags=0)
SymGetSearchPathA(hProcess)
SymGetSearchPathW(hProcess)
SymSetSearchPathA(hProcess, SearchPath=None)
SymSetSearchPathW(hProcess, SearchPath=None)
SymGetHomeDirectoryA(type)
SymGetHomeDirectoryW(type)
SymSetHomeDirectoryA(hProcess, dir=None)
SymSetHomeDirectoryW(hProcess, dir=None)
SymFromName(hProcess, Name)
SymFromNameW(hProcess, Name)
SymFromAddr(hProcess, Address)
SymFromAddrW(hProcess, Address)
SymGetSymFromAddr64(hProcess, Address)
ImagehlpApiVersion()
ImagehlpApiVersionEx(MajorVersion, MinorVersion, Revision)
StackWalk64(MachineType, hProcess, hThread, StackFrame, ContextRecord=None, ReadMemoryRoutine=None, FunctionTableAccessRoutine=None, GetModuleBaseRoutine=None, TranslateAddress=None)

21.3 Variables

Name    Description
LDT_ENTRY_HIGHWORD
WOW64_CS32
CONTEXT_EXCEPTION_REQUEST
CONTEXT_EXCEPTION_ACTIVE
WOW64_CONTEXT_EXTENDED_REGISTERS
Wow64GetThreadContext

WOW64_CONTEXT_i386
WOW64_CONTEXT_INTEGER
WOW64_CONTEXT_CONTROL
LPXMM_SAVE_AREA32
Wow64GetThreadSelectorEntry
PWOW64_FLOATING_SAVE_AREA
WOW64_CONTEXT
WOW64_CONTEXT_FLOATING_POINT
PXMM_SAVE_AREA32
context_i386
CONTEXT_MMX_REGISTERS
CONTEXT_SERVICE_ACTIVE
WOW64_CONTEXT_i486
WinFuncHook
WOW64_LDT_ENTRY
warnings
INITIAL_FPCSR
LDT_ENTRY_BITS
WOW64_FLOATING_SAVE_AREA
WOW64_MAXIMUM_SUPPORTED_EXTENSION
LEGACY_SAVE_AREA_LENGTH
DEBUG_EVENT_UNION
LDT_ENTRY_BYTES
WOW64_CONTEXT_SEGMENTS
PWOW64_CONTEXT
WOW64_CONTEXT_DEBUG_REGISTERS
WinCallHook
WOW64_CONTEXT_ALL

CONTEXT_EXCEPTION_REPORTING
XMM_SAVE_AREA32
psyco
context_amd64
Wow64ResumeThread
WOW64_CONTEXT_FULL
Wow64SetThreadContext
WOW64_SIZE_OF_80387_REGISTERS
CONTEXT_AMD64
INITIAL_MXCSR
PWOW64_LDT_ENTRY
WinDllHook
hdBase    Value: 0
hdSym    Value: 1
hdSrc    Value: 2
UNDNAME_32_BIT_DECODE    Value: 2048
UNDNAME_COMPLETE    Value: 0
UNDNAME_NAME_ONLY    Value: 4096
UNDNAME_NO_ACCESS_SPECIFIERS    Value: 128
UNDNAME_NO_ALLOCATION_LANGUAGE    Value: 16
UNDNAME_NO_ALLOCATION_MODEL    Value: 8
UNDNAME_NO_ARGUMENTS    Value: 8192
UNDNAME_NO_CV_THISTYPE    Value: 64
UNDNAME_NO_FUNCTION_RETURNS    Value: 4
UNDNAME_NO_LEADING_UNDERSCORES    Value: 1
UNDNAME_NO_MEMBER_TYPE    Value: 512
UNDNAME_NO_MS_KEYWORDS    Value: 2
UNDNAME_NO_MS_THISTYPE    Value: 32

UNDNAME_NO_RETURN_UDT_MODEL    Value: 1024
UNDNAME_NO_SPECIAL_SYMS    Value: 16384
UNDNAME_NO_THISTYPE    Value: 96
UNDNAME_NO_THROW_SIGNATURES    Value: 256
SYMOPT_ALLOW_ABSOLUTE_SYMBOLS    Value: 2048
SYMOPT_ALLOW_ZERO_ADDRESS    Value: 16777216
SYMOPT_AUTO_PUBLICS    Value: 65536
SYMOPT_CASE_INSENSITIVE    Value: 1
SYMOPT_DEBUG    Value: 2147483648
SYMOPT_DEFERRED_LOADS    Value: 4
SYMOPT_DISABLE_SYMSRV_AUTODETECT    Value: 33554432
SYMOPT_EXACT_SYMBOLS    Value: 1024
SYMOPT_FAIL_CRITICAL_ERRORS    Value: 512
SYMOPT_FAVOR_COMPRESSED    Value: 8388608
SYMOPT_FLAT_DIRECTORY    Value: 4194304
SYMOPT_IGNORE_CVREC    Value: 128
SYMOPT_IGNORE_IMAGEDIR    Value: 2097152
SYMOPT_IGNORE_NT_SYMPATH    Value: 4096
SYMOPT_INCLUDE_32BIT_MODULES    Value: 8192
SYMOPT_LOAD_ANYTHING    Value: 64
SYMOPT_LOAD_LINES    Value: 16
SYMOPT_NO_CPP    Value: 8

SYMOPT_NO_IMAGE_SEARCH    Value: 131072
SYMOPT_NO_PROMPTS    Value: 524288
SYMOPT_NO_PUBLICS    Value: 32768
SYMOPT_NO_UNQUALIFIED_LOADS    Value: 256
SYMOPT_OVERWRITE    Value: 1048576
SYMOPT_PUBLICS_ONLY    Value: 16384
SYMOPT_SECURE    Value: 262144
SYMOPT_UNDNAME    Value: 2
SymNone    Value: 0
SymCoff    Value: 1
SymCv    Value: 2
SymPdb    Value: 3
SymExport    Value: 4
SymDeferred    Value: 5
SymSym    Value: 6
SymDia    Value: 7
SymVirtual    Value: 8
NumSymTypes    Value: 9
MakeSureDirectoryPathExists    Value: GuessStringType(MakeSureDirectoryPathExistsA, MakeSureDir...
SymInitialize    Value: GuessStringType(SymInitializeA, SymInitializeW)
SymLoadModule    Value: GuessStringType(SymLoadModuleA, SymLoadModuleW)
SymLoadModule64    Value: GuessStringType(SymLoadModule64A, SymLoadModule64W)
SymGetModuleInfo    Value: GuessStringType(SymGetModuleInfoA, SymGetModuleInfoW)
SymGetModuleInfo64    Value: GuessStringType(SymGetModuleInfo64A, SymGetModuleInfo64W)
SymEnumerateModules    Value: GuessStringType(SymEnumerateModulesA, SymEnumerateModulesW)
SymEnumerateModules64    Value: GuessStringType(SymEnumerateModules64A, SymEnumerateModul...

SymEnumerateSymbols    Value: GuessStringType(SymEnumerateSymbolsA, SymEnumerateSymbolsW)
SymEnumerateSymbols64    Value: GuessStringType(SymEnumerateSymbols64A, SymEnumerateSymbo...
UnDecorateSymbolName    Value: GuessStringType(UnDecorateSymbolNameA, UnDecorateSymbolNa...
SymGetSearchPath    Value: GuessStringType(SymGetSearchPathA, SymGetSearchPathW)
SymSetSearchPath    Value: GuessStringType(SymSetSearchPathA, SymSetSearchPathW)
SymGetHomeDirectory    Value: GuessStringType(SymGetHomeDirectoryA, SymGetHomeDirectoryW)
SymSetHomeDirectory    Value: GuessStringType(SymSetHomeDirectoryA, SymSetHomeDirectoryW)
MAX_SYM_NAME    Value: 2000
AddrMode1616    Value: 0
AddrMode1632    Value: 1
AddrModeReal    Value: 2
AddrModeFlat    Value: 3
IMAGE_FILE_MACHINE_I386    Value: 332
IMAGE_FILE_MACHINE_IA64    Value: 512
IMAGE_FILE_MACHINE_AMD64    Value: 34404

22 Module winappdbg.win32.defines

Common definitions.
22.1 Classes

WinDllHook (Section 260, p. 933)
WinFuncHook (Section 261, p. 934)
WinCallHook (Section 259, p. 932)
GuessStringType: Decorator that guesses the correct version (A or W) to call based on the types of the strings passed as parameters. (Section 253, p. 924)
DefaultStringType: Decorator that uses the default version (A or W) to call based on the configuration of the GuessStringType decorator. (Section 250, p. 919)
PSIZE_T (Section 140, p. 768)
PPVOID (Section 133, p. 761)
LPBYTE (Section 128, p. 756)
LPSBYTE (Section 136, p. 764)
LPWORD (Section 141, p. 769)
LPSWORD (Section 255, p. 927)
LPDWORD (Section 140, p. 768)
LPSDWORD (Section 160, p. 788)
LPULONG (Section 140, p. 768)
LPLONG (Section 160, p. 788)
PDWORD (Section 140, p. 768)
PDWORD_PTR (Section 140, p. 768)
PULONG (Section 140, p. 768)
PLONG (Section 160, p. 788)
PBOOL (Section 160, p. 788)
LPBOOL (Section 160, p. 788)
LPDWORD32 (Section 140, p. 768)
LPULONG32 (Section 140, p. 768)
LPDWORD64 (Section 174, p. 802)
LPULONG64 (Section 174, p. 802)
PDWORD32 (Section 140, p. 768)
PULONG32 (Section 140, p. 768)
PDWORD64 (Section 174, p. 802)
PULONG64 (Section 174, p. 802)
PHANDLE (Section 133, p. 761)
LPHANDLE (Section 133, p. 761)
PHKEY (Section 133, p. 761)
PNTSTATUS (Section 160, p. 788)
PACCESS_MASK (Section 140, p. 768)
PREGSAM (Section 140, p. 768)
FLOAT128 (Section 251, p. 921)
PFLOAT128 (Section 257, p. 929)
M128A (Section 256, p. 928)
PM128A (Section 156, p. 784)
UNICODE_STRING (Section 258, p. 930)
GUID (Section 252, p. 922)
LIST_ENTRY (Section 254, p. 926)
22.2 Functions

RaiseIfZero(result, func=None, arguments=())
Error checking for most Win32 API calls.
The function is assumed to return an integer, which is 0 on error. In that case the WindowsError exception is raised.

RaiseIfNotZero(result, func=None, arguments=())
Error checking for some odd Win32 API calls.
The function is assumed to return an integer, which is zero on success. If the return value is nonzero the WindowsError exception is raised.
This is mostly useful for free() like functions, where the return value is the pointer to the memory block on failure or a NULL pointer on success.

RaiseIfNotErrorSuccess(result, func=None, arguments=())
Error checking for Win32 Registry API calls.
The function is assumed to return a Win32 error code. If the code is not ERROR_SUCCESS then a WindowsError exception is raised.

MakeANSIVersion(fn)
Decorator that generates an ANSI version of a Unicode (wide) only API call.
Parameters
fn: Unicode (wide) version of the API function to call. (type=callable)

MakeWideVersion(fn)
Decorator that generates a Unicode (wide) version of an ANSI only API call.
Parameters
fn: ANSI version of the API function to call. (type=callable)
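The three error-checking conventions above, and the A/W dispatch that GuessStringType performs, rebuilt as an added example (not WinAppDbg's own code) so they can be exercised without Windows; FakeWin32Function, Win32Error, call_and_capture and the demo functions are constructed stand-ins for a ctypes foreign function, WindowsError and GetLastError(), and the str/bytes dispatch rule is an assumption modelled on the decorator's description.

```python
# Added example, not WinAppDbg's code: errcheck conventions of RaiseIfZero /
# RaiseIfNotZero / RaiseIfNotErrorSuccess and GuessStringType's A/W dispatch.

ERROR_SUCCESS = 0           # values taken from the defines variable table
ERROR_FILE_NOT_FOUND = 2
ERROR_ACCESS_DENIED = 5
ERROR_INVALID_HANDLE = 6


class Win32Error(OSError):
    """Stand-in for WindowsError, which only exists on Windows (as OSError)."""
    def __init__(self, winerror, funcname="<unknown>"):
        super().__init__(winerror, "%s failed, Win32 error %d" % (funcname, winerror))
        self.winerror = winerror
        self.funcname = funcname


class FakeWin32Function:
    """Simulated ctypes foreign function: returns a canned value, records a
    'last error' code, and applies errcheck(result, func, arguments) after
    every call, which is what ctypes does with a real errcheck attribute."""
    def __init__(self, name, result, last_error=ERROR_SUCCESS):
        self.__name__ = name
        self._result = result
        self.last_error = last_error
        self.errcheck = None

    def __call__(self, *args):
        result = self._result
        if self.errcheck is not None:
            return self.errcheck(result, self, args)
        return result


def _get_last_error(func):
    # Real code calls kernel32.GetLastError(); the fake records the code itself.
    return getattr(func, "last_error", ERROR_SUCCESS)


def _func_name(func):
    return getattr(func, "__name__", "<unknown>")


def RaiseIfZero(result, func=None, arguments=()):
    """Most Win32 calls return an integer that is 0 on failure."""
    if not result:
        raise Win32Error(_get_last_error(func), _func_name(func))
    return result


def RaiseIfNotZero(result, func=None, arguments=()):
    """free()-like calls: NULL on success, the unreleased pointer on failure."""
    if result:
        raise Win32Error(_get_last_error(func), _func_name(func))
    return result


def RaiseIfNotErrorSuccess(result, func=None, arguments=()):
    """Registry calls return the Win32 error code itself; only ERROR_SUCCESS passes."""
    if result != ERROR_SUCCESS:
        raise Win32Error(result, _func_name(func))
    return result


def GuessStringType(fn_ansi, fn_unicode, default_unicode=False):
    """Pick the A or W variant from the argument types. Assumed rule: any str
    argument selects W, any bytes argument selects A, otherwise the default."""
    def guess(*args, **kwargs):
        values = list(args) + list(kwargs.values())
        if any(isinstance(v, str) for v in values):
            return fn_unicode(*args, **kwargs)
        if any(isinstance(v, bytes) for v in values):
            return fn_ansi(*args, **kwargs)
        return (fn_unicode if default_unicode else fn_ansi)(*args, **kwargs)
    guess.__name__ = fn_ansi.__name__[:-1]      # "RegOpenKeyExA" -> "RegOpenKeyEx"
    return guess


def call_and_capture(func, *args):
    """Return ("ok", result) or ("error", funcname, winerror) for a checked call."""
    try:
        return ("ok", func(*args))
    except Win32Error as e:
        return ("error", e.funcname, e.winerror)


def demo_open_process_denied():
    """Constructed OpenProcess that fails: returns 0, last error ERROR_ACCESS_DENIED."""
    f = FakeWin32Function("OpenProcess", 0, ERROR_ACCESS_DENIED)
    f.errcheck = RaiseIfZero
    return call_and_capture(f, 1234)


def demo_local_free_failed():
    """Constructed LocalFree that fails: hands back the non-NULL pointer."""
    f = FakeWin32Function("LocalFree", 0x1000, ERROR_INVALID_HANDLE)
    f.errcheck = RaiseIfNotZero
    return call_and_capture(f, 0x1000)


def build_reg_open_key_ex():
    """Constructed RegOpenKeyEx pair (A succeeds, W fails), both registry-checked."""
    reg_a = FakeWin32Function("RegOpenKeyExA", ERROR_SUCCESS)
    reg_w = FakeWin32Function("RegOpenKeyExW", ERROR_FILE_NOT_FOUND)
    reg_a.errcheck = reg_w.errcheck = RaiseIfNotErrorSuccess
    return GuessStringType(reg_a, reg_w)


if __name__ == "__main__":
    print(demo_open_process_denied())
    print(demo_local_free_failed())
    RegOpenKeyEx = build_reg_open_key_ex()
    print(call_and_capture(RegOpenKeyEx, b"SOFTWARE"))   # bytes -> A variant
    print(call_and_capture(RegOpenKeyEx, "SOFTWARE"))    # str -> W variant
```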

22.3 Variables

Name    Description
revision    Value: $Id: defines.py 1299 2013-12-20 09:30:55Z qvasimodo $
WIN32_VERBOSE_MODE    Value: False
windll    Value: WinDllHook()
NULL    Value: None
INFINITE    Value: -1
TRUE    Value: 1
FALSE    Value: 0
ANYSIZE_ARRAY    Value: 1
INVALID_HANDLE_VALUE    Value: 4294967295
MAX_MODULE_NAME32    Value: 255
MAX_PATH    Value: 260
ERROR_SUCCESS    Value: 0
ERROR_INVALID_FUNCTION    Value: 1
ERROR_FILE_NOT_FOUND    Value: 2
ERROR_PATH_NOT_FOUND    Value: 3
ERROR_ACCESS_DENIED    Value: 5
ERROR_INVALID_HANDLE    Value: 6
ERROR_NOT_ENOUGH_MEMORY    Value: 8
ERROR_INVALID_DRIVE    Value: 15
ERROR_NO_MORE_FILES    Value: 18
ERROR_BAD_LENGTH    Value: 24

ERROR_HANDLE_EOF    Value: 38
ERROR_HANDLE_DISK_FULL    Value: 39
ERROR_NOT_SUPPORTED    Value: 50
ERROR_FILE_EXISTS    Value: 80
ERROR_INVALID_PARAMETER    Value: 87
ERROR_BUFFER_OVERFLOW    Value: 111
ERROR_DISK_FULL    Value: 112
ERROR_CALL_NOT_IMPLEMENTED    Value: 120
ERROR_SEM_TIMEOUT    Value: 121
ERROR_INSUFFICIENT_BUFFER    Value: 122
ERROR_INVALID_NAME    Value: 123
ERROR_MOD_NOT_FOUND    Value: 126
ERROR_PROC_NOT_FOUND    Value: 127
ERROR_DIR_NOT_EMPTY    Value: 145
ERROR_BAD_THREADID_ADDR    Value: 159
ERROR_BAD_ARGUMENTS    Value: 160
ERROR_BAD_PATHNAME    Value: 161
ERROR_ALREADY_EXISTS    Value: 183
ERROR_INVALID_FLAG_NUMBER    Value: 186
ERROR_ENVVAR_NOT_FOUND    Value: 203
ERROR_FILENAME_EXCED_RANGE    Value: 206
ERROR_MORE_DATA    Value: 234
WAIT_TIMEOUT    Value: 258
ERROR_NO_MORE_ITEMS    Value: 259

ERROR_PARTIAL_COPY    Value: 299
ERROR_INVALID_ADDRESS    Value: 487
ERROR_THREAD_NOT_IN_PROCESS    Value: 566
ERROR_CONTROL_C_EXIT    Value: 572
ERROR_UNHANDLED_EXCEPTION    Value: 574
ERROR_ASSERTION_FAILURE    Value: 668
ERROR_WOW_ASSERTION    Value: 670
ERROR_DBG_EXCEPTION_NOT_HANDLED    Value: 688
ERROR_DBG_REPLY_LATER    Value: 689
ERROR_DBG_UNABLE_TO_PROVIDE_HANDLE    Value: 690
ERROR_DBG_TERMINATE_THREAD    Value: 691
ERROR_DBG_TERMINATE_PROCESS    Value: 692
ERROR_DBG_CONTROL_C    Value: 693
ERROR_DBG_PRINTEXCEPTION_C    Value: 694
ERROR_DBG_RIPEXCEPTION    Value: 695
ERROR_DBG_CONTROL_BREAK    Value: 696
ERROR_DBG_COMMAND_EXCEPTION    Value: 697
ERROR_DBG_EXCEPTION_HANDLED    Value: 766
ERROR_DBG_CONTINUE    Value: 767
ERROR_ELEVATION_REQUIRED    Value: 740
ERROR_NOACCESS    Value: 998
ERROR_CIRCULAR_DEPENDENCY    Value: 1059

ERROR_SERVICE_DOES_NOT_EXIST    Value: 1060
ERROR_SERVICE_CANNOT_ACCEPT_CTRL    Value: 1061
ERROR_SERVICE_NOT_ACTIVE    Value: 1062
ERROR_FAILED_SERVICE_CONTROLLER_CONNECT    Value: 1063
ERROR_EXCEPTION_IN_SERVICE    Value: 1064
ERROR_DATABASE_DOES_NOT_EXIST    Value: 1065
ERROR_SERVICE_SPECIFIC_ERROR    Value: 1066
ERROR_PROCESS_ABORTED    Value: 1067
ERROR_SERVICE_DEPENDENCY_FAIL    Value: 1068
ERROR_SERVICE_LOGON_FAILED    Value: 1069
ERROR_SERVICE_START_HANG    Value: 1070
ERROR_INVALID_SERVICE_LOCK    Value: 1071
ERROR_SERVICE_MARKED_FOR_DELETE    Value: 1072
ERROR_SERVICE_EXISTS    Value: 1073
ERROR_ALREADY_RUNNING_LKG    Value: 1074
ERROR_SERVICE_DEPENDENCY_DELETED    Value: 1075
ERROR_BOOT_ALREADY_ACCEPTED    Value: 1076
ERROR_SERVICE_NEVER_STARTED    Value: 1077
ERROR_DUPLICATE_SERVICE_NAME    Value: 1078
ERROR_DIFFERENT_SERVICE_ACCOUNT    Value: 1079

ERROR_CANNOT_DETECT_DRIVER_FAILURE    Value: 1080
ERROR_CANNOT_DETECT_PROCESS_ABORT    Value: 1081
ERROR_NO_RECOVERY_PROGRAM    Value: 1082
ERROR_SERVICE_NOT_IN_EXE    Value: 1083
ERROR_NOT_SAFEBOOT_SERVICE    Value: 1084
ERROR_DEBUGGER_INACTIVE    Value: 1284
ERROR_PRIVILEGE_NOT_HELD    Value: 1314
ERROR_NONE_MAPPED    Value: 1332
RPC_S_SERVER_UNAVAILABLE    Value: 1722
DELETE    Value: 65536
READ_CONTROL    Value: 131072
WRITE_DAC    Value: 262144
WRITE_OWNER    Value: 524288
SYNCHRONIZE    Value: 1048576
STANDARD_RIGHTS_REQUIRED    Value: 983040
STANDARD_RIGHTS_READ    Value: 131072
STANDARD_RIGHTS_WRITE    Value: 131072
STANDARD_RIGHTS_EXECUTE    Value: 131072
STANDARD_RIGHTS_ALL    Value: 2031616
SPECIFIC_RIGHTS_ALL    Value: 65535
package    Value: winappdbg.win32

23 Module winappdbg.win32.gdi32

Wrapper for gdi32.dll in ctypes.


23.1 Classes

RECT (Section 267, p. 941)
PRECT (Section 266, p. 940)
LPRECT (Section 266, p. 940)
POINT (Section 264, p. 938)
PPOINT (Section 265, p. 939)
LPPOINT (Section 265, p. 939)
BITMAP (Section 262, p. 935)
PBITMAP (Section 263, p. 937)
LPBITMAP (Section 263, p. 937)

23.2 Functions

GetDC(hWnd)
GetWindowDC(hWnd)
ReleaseDC(hWnd, hDC)
SelectObject(hdc, hgdiobj)
GetStockObject(fnObject)
GetObjectType(h)
GetObject(hgdiobj, cbBuffer=None, lpvObject=None)
GetBitmapBits(hbmp)
CreateBitmapIndirect(lpbm)

23.3

Variables

217

Name                                    Description
WinCallHook
WinFuncHook
WinDllHook
OBJ_PEN                                 Value: 1
OBJ_BRUSH                               Value: 2
OBJ_DC                                  Value: 3
OBJ_METADC                              Value: 4
OBJ_PAL                                 Value: 5
OBJ_FONT                                Value: 6
OBJ_BITMAP                              Value: 7
OBJ_REGION                              Value: 8
OBJ_METAFILE                            Value: 9
OBJ_MEMDC                               Value: 10
OBJ_EXTPEN                              Value: 11
OBJ_ENHMETADC                           Value: 12
OBJ_ENHMETAFILE                         Value: 13
OBJ_COLORSPACE                          Value: 14
GDI_OBJ_LAST                            Value: 14
SRCCOPY                                 Value: 13369376
SRCPAINT                                Value: 15597702
SRCAND                                  Value: 8913094
SRCINVERT                               Value: 6684742
SRCERASE                                Value: 4457256
NOTSRCCOPY                              Value: 3342344
NOTSRCERASE                             Value: 1114278
MERGECOPY                               Value: 12583114
MERGEPAINT                              Value: 12255782
PATCOPY                                 Value: 15728673
PATPAINT                                Value: 16452105
PATINVERT                               Value: 5898313
DSTINVERT                               Value: 5570569
BLACKNESS                               Value: 66
WHITENESS                               Value: 16711778
NOMIRRORBITMAP                          Value: 2147483648
CAPTUREBLT                              Value: 1073741824
ERROR                                   Value: 0
NULLREGION                              Value: 1
SIMPLEREGION                            Value: 2
COMPLEXREGION                           Value: 3
RGN_ERROR                               Value: 0
RGN_AND                                 Value: 1
RGN_OR                                  Value: 2

Name                                    Description
RGN_XOR                                 Value: 3
RGN_DIFF                                Value: 4
RGN_COPY                                Value: 5
RGN_MIN                                 Value: 1
RGN_MAX                                 Value: 5
BLACKONWHITE                            Value: 1
WHITEONBLACK                            Value: 2
COLORONCOLOR                            Value: 3
HALFTONE                                Value: 4
MAXSTRETCHBLTMODE                       Value: 4
STRETCH_ANDSCANS                        Value: 1
STRETCH_ORSCANS                         Value: 2
STRETCH_DELETESCANS                     Value: 3
STRETCH_HALFTONE                        Value: 4
ALTERNATE                               Value: 1
WINDING                                 Value: 2
POLYFILL_LAST                           Value: 2
LAYOUT_RTL                              Value: 1
LAYOUT_BTT                              Value: 2
LAYOUT_VBH                              Value: 4
LAYOUT_ORIENTATIONMASK                  Value: 7
LAYOUT_BITMAPORIENTATIONPRESERVED       Value: 8
WHITE_BRUSH                             Value: 0
LTGRAY_BRUSH                            Value: 1
GRAY_BRUSH                              Value: 2
DKGRAY_BRUSH                            Value: 3
BLACK_BRUSH                             Value: 4
NULL_BRUSH                              Value: 5
HOLLOW_BRUSH                            Value: 5
WHITE_PEN                               Value: 6
BLACK_PEN                               Value: 7
NULL_PEN                                Value: 8
OEM_FIXED_FONT                          Value: 10
ANSI_FIXED_FONT                         Value: 11
ANSI_VAR_FONT                           Value: 12
SYSTEM_FONT                             Value: 13
DEVICE_DEFAULT_FONT                     Value: 14

Name                                    Description
DEFAULT_PALETTE                         Value: 15
SYSTEM_FIXED_FONT                       Value: 16
META_SETBKCOLOR                         Value: 513
META_SETBKMODE                          Value: 258
META_SETMAPMODE                         Value: 259
META_SETROP2                            Value: 260
META_SETRELABS                          Value: 261
META_SETPOLYFILLMODE                    Value: 262
META_SETSTRETCHBLTMODE                  Value: 263
META_SETTEXTCHAREXTRA                   Value: 264
META_SETTEXTCOLOR                       Value: 521
META_SETTEXTJUSTIFICATION               Value: 522
META_SETWINDOWORG                       Value: 523
META_SETWINDOWEXT                       Value: 524
META_SETVIEWPORTORG                     Value: 525
META_SETVIEWPORTEXT                     Value: 526
META_OFFSETWINDOWORG                    Value: 527
META_SCALEWINDOWEXT                     Value: 1040
META_OFFSETVIEWPORTORG                  Value: 529
META_SCALEVIEWPORTEXT                   Value: 1042
META_LINETO                             Value: 531
META_MOVETO                             Value: 532
META_EXCLUDECLIPRECT                    Value: 1045
META_INTERSECTCLIPRECT                  Value: 1046
META_ARC                                Value: 2071
META_ELLIPSE                            Value: 1048
META_FLOODFILL                          Value: 1049

Name                                    Description
META_PIE                                Value: 2074
META_RECTANGLE                          Value: 1051
META_ROUNDRECT                          Value: 1564
META_PATBLT                             Value: 1565
META_SAVEDC                             Value: 30
META_SETPIXEL                           Value: 1055
META_OFFSETCLIPRGN                      Value: 544
META_TEXTOUT                            Value: 1313
META_BITBLT                             Value: 2338
META_STRETCHBLT                         Value: 2851
META_POLYGON                            Value: 804
META_POLYLINE                           Value: 805
META_ESCAPE                             Value: 1574
META_RESTOREDC                          Value: 295
META_FILLREGION                         Value: 552
META_FRAMEREGION                        Value: 1065
META_INVERTREGION                       Value: 298
META_PAINTREGION                        Value: 299
META_SELECTCLIPREGION                   Value: 300
META_SELECTOBJECT                       Value: 301
META_SETTEXTALIGN                       Value: 302
META_CHORD                              Value: 2096
META_SETMAPPERFLAGS                     Value: 561
META_EXTTEXTOUT                         Value: 2610
META_SETDIBTODEV                        Value: 3379
META_SELECTPALETTE                      Value: 564
META_REALIZEPALETTE                     Value: 53
META_ANIMATEPALETTE                     Value: 1078
META_SETPALENTRIES                      Value: 55
META_POLYPOLYGON                        Value: 1336
META_RESIZEPALETTE                      Value: 313
META_DIBBITBLT                          Value: 2368
META_DIBSTRETCHBLT                      Value: 2881

Name                                    Description
META_DIBCREATEPATTERNBRUSH              Value: 322
META_STRETCHDIB                         Value: 3907
META_EXTFLOODFILL                       Value: 1352
META_SETLAYOUT                          Value: 329
META_DELETEOBJECT                       Value: 496
META_CREATEPALETTE                      Value: 247
META_CREATEPATTERNBRUSH                 Value: 505
META_CREATEPENINDIRECT                  Value: 762
META_CREATEFONTINDIRECT                 Value: 763
META_CREATEBRUSHINDIRECT                Value: 764
META_CREATEREGION                       Value: 1791
NEWFRAME                                Value: 1
ABORTDOC                                Value: 2
NEXTBAND                                Value: 3
SETCOLORTABLE                           Value: 4
GETCOLORTABLE                           Value: 5
FLUSHOUTPUT                             Value: 6
DRAFTMODE                               Value: 7
QUERYESCSUPPORT                         Value: 8
SETABORTPROC                            Value: 9
STARTDOC                                Value: 10
ENDDOC                                  Value: 11
GETPHYSPAGESIZE                         Value: 12
GETPRINTINGOFFSET                       Value: 13
GETSCALINGFACTOR                        Value: 14
MFCOMMENT                               Value: 15
GETPENWIDTH                             Value: 16
SETCOPYCOUNT                            Value: 17
SELECTPAPERSOURCE                       Value: 18
DEVICEDATA                              Value: 19
PASSTHROUGH                             Value: 19
GETTECHNOLGY                            Value: 20
GETTECHNOLOGY                           Value: 20

Name                                    Description
SETLINECAP                              Value: 21
SETLINEJOIN                             Value: 22
SETMITERLIMIT                           Value: 23
BANDINFO                                Value: 24
DRAWPATTERNRECT                         Value: 25
GETVECTORPENSIZE                        Value: 26
GETVECTORBRUSHSIZE                      Value: 27
ENABLEDUPLEX                            Value: 28
GETSETPAPERBINS                         Value: 29
GETSETPRINTORIENT                       Value: 30
ENUMPAPERBINS                           Value: 31
SETDIBSCALING                           Value: 32
EPSPRINTING                             Value: 33
ENUMPAPERMETRICS                        Value: 34
GETSETPAPERMETRICS                      Value: 35
POSTSCRIPT_DATA                         Value: 37
POSTSCRIPT_IGNORE                       Value: 38
MOUSETRAILS                             Value: 39
GETDEVICEUNITS                          Value: 42
GETEXTENDEDTEXTMETRICS                  Value: 256
GETEXTENTTABLE                          Value: 257
GETPAIRKERNTABLE                        Value: 258
GETTRACKKERNTABLE                       Value: 259
EXTTEXTOUT                              Value: 512
GETFACENAME                             Value: 513
DOWNLOADFACE                            Value: 514
ENABLERELATIVEWIDTHS                    Value: 768
ENABLEPAIRKERNING                       Value: 769
SETKERNTRACK                            Value: 770
SETALLJUSTVALUES                        Value: 771
SETCHARSET                              Value: 772
STRETCHBLT                              Value: 2048
METAFILE_DRIVER                         Value: 2049
GETSETSCREENPARAMS                      Value: 3072
QUERYDIBSUPPORT                         Value: 3073
BEGIN_PATH                              Value: 4096

Name                                    Description
CLIP_TO_PATH                            Value: 4097
END_PATH                                Value: 4098
EXT_DEVICE_CAPS                         Value: 4099
RESTORE_CTM                             Value: 4100
SAVE_CTM                                Value: 4101
SET_ARC_DIRECTION                       Value: 4102
SET_BACKGROUND_COLOR                    Value: 4103
SET_POLY_MODE                           Value: 4104
SET_SCREEN_ANGLE                        Value: 4105
SET_SPREAD                              Value: 4106
TRANSFORM_CTM                           Value: 4107
SET_CLIP_BOX                            Value: 4108
SET_BOUNDS                              Value: 4109
SET_MIRROR_MODE                         Value: 4110
OPENCHANNEL                             Value: 4110
DOWNLOADHEADER                          Value: 4111
CLOSECHANNEL                            Value: 4112
POSTSCRIPT_PASSTHROUGH                  Value: 4115
ENCAPSULATED_POSTSCRIPT                 Value: 4116
POSTSCRIPT_IDENTIFY                     Value: 4117
POSTSCRIPT_INJECTION                    Value: 4118
CHECKJPEGFORMAT                         Value: 4119
CHECKPNGFORMAT                          Value: 4120
GET_PS_FEATURESETTING                   Value: 4121
GDIPLUS_TS_QUERYVER                     Value: 4122
GDIPLUS_TS_RECORD                       Value: 4123
SPCLPASSTHROUGH2                        Value: 4568

24 Module winappdbg.win32.kernel32

Wrapper for kernel32.dll in ctypes.

24.1 Classes
SYSTEM_INFO (Section 391, p. 1152)
LPVS_FIXEDFILEINFO (Section 325, p. 1029)
OSVERSIONINFOW (Section 390, p. 1150)
OSVERSIONINFOA (Section 387, p. 1144)
POSVERSIONINFOEXA (Section 321, p. 1023)
POSVERSIONINFOEXW (Section 157, p. 785)
PVS_FIXEDFILEINFO (Section 325, p. 1029)
LPSYSTEM_INFO (Section 139, p. 767)
POSVERSIONINFOA (Section 157, p. 785)
POSVERSIONINFOW (Section 158, p. 786)
LPOSVERSIONINFOA (Section 157, p. 785)
LPOSVERSIONINFOW (Section 158, p. 786)
LPOSVERSIONINFOEXW (Section 297, p. 990)
LPOSVERSIONINFOEXA (Section 321, p. 1023)
OSVERSIONINFOEXW (Section 389, p. 1148)
OSVERSIONINFOEXA (Section 388, p. 1146)
FLOATING_SAVE_AREA (Section 229, p. 884)
PCONTEXT (Section 231, p. 888)
CONTEXT (Section ??, p. ??)
LDT_ENTRY (Section 230, p. 886)
LPCONTEXT (Section 231, p. 888)
PFLOATING_SAVE_AREA (Section 293, p. 986)
PLDT_ENTRY (Section 232, p. 889)
LPFLOATING_SAVE_AREA (Section 293, p. 986)
Context: Register context dictionary for the i386 architecture. (Section 228, p. 883)
LPLDT_ENTRY (Section 232, p. 889)
Handle: Encapsulates Win32 handles to avoid leaking them. (Section 287, p. 976)
UserModeHandle: Base class for non-kernel handles. (Section 342, p. 1060)
ProcessHandle: Win32 process handle. (Section 327, p. 1032)
ThreadHandle: Win32 thread handle. (Section 340, p. 1056)
FileHandle: Win32 file handle. (Section 283, p. 966)
FileMappingHandle: File mapping handle. (Section 284, p. 969)
SnapshotHandle: Toolhelp32 snapshot handle. (Section 337, p. 1049)
ProcessInformation: Process information object returned by CreateProcess. (Section 328, p. 1035)
MemoryBasicInformation: Memory information object returned by VirtualQueryEx. (Section 311, p. 1008)
ProcThreadAttributeList: Extended process and thread attribute support. (Section 326, p. 1030)
OVERLAPPED (Section 313, p. 1014)
LPOVERLAPPED (Section 298, p. 991)
SECURITY_ATTRIBUTES (Section 330, p. 1037)
LPSECURITY_ATTRIBUTES (Section 137, p. 765)
PPROC_THREAD_ATTRIBUTE_LIST (Section 52, p. 344)
LPPROC_THREAD_ATTRIBUTE_LIST (Section 52, p. 344)
VS_FIXEDFILEINFO (Section 343, p. 1063)
THREADNAME_INFO (Section 339, p. 1054)
MEMORY_BASIC_INFORMATION32 (Section 308, p. 1002)
MEMORY_BASIC_INFORMATION64 (Section 309, p. 1004)
MEMORY_BASIC_INFORMATION (Section 307, p. 1000)
PMEMORY_BASIC_INFORMATION (Section 320, p. 1022)
FILETIME (Section 281, p. 964)
LPFILETIME (Section 292, p. 985)
SYSTEMTIME (Section 336, p. 1047)
LPSYSTEMTIME (Section 305, p. 998)
BY_HANDLE_FILE_INFORMATION (Section 268, p. 943)
LPBY_HANDLE_FILE_INFORMATION (Section 290, p. 983)
FILE_INFO_BY_HANDLE_CLASS (Section 282, p. 965)
PROCESS_INFORMATION (Section 323, p. 1026)
LPPROCESS_INFORMATION (Section 300, p. 993)
STARTUPINFO (Section 332, p. 1041)
LPSTARTUPINFO (Section 301, p. 994)
STARTUPINFOEX (Section 333, p. 1043)
LPSTARTUPINFOEX (Section 302, p. 995)
STARTUPINFOW (Section 335, p. 1045)
LPSTARTUPINFOW (Section 304, p. 997)
STARTUPINFOEXW (Section 334, p. 1044)
LPSTARTUPINFOEXW (Section 303, p. 996)
JIT_DEBUG_INFO (Section 288, p. 979)
JIT_DEBUG_INFO32 (Section 288, p. 979)
JIT_DEBUG_INFO64 (Section 288, p. 979)
LPJIT_DEBUG_INFO (Section 296, p. 989)
LPJIT_DEBUG_INFO32 (Section 296, p. 989)
LPJIT_DEBUG_INFO64 (Section 296, p. 989)
EXCEPTION_RECORD32 (Section 277, p. 958)
PEXCEPTION_RECORD32 (Section 317, p. 1019)
EXCEPTION_RECORD64 (Section 278, p. 960)
PEXCEPTION_RECORD64 (Section 318, p. 1020)
EXCEPTION_RECORD (Section 276, p. 956)
PEXCEPTION_RECORD (Section 316, p. 1018)
EXCEPTION_DEBUG_INFO (Section 275, p. 955)
CREATE_THREAD_DEBUG_INFO (Section 273, p. 951)
CREATE_PROCESS_DEBUG_INFO (Section 272, p. 949)
EXIT_THREAD_DEBUG_INFO (Section 280, p. 963)
EXIT_PROCESS_DEBUG_INFO (Section 279, p. 962)
LOAD_DLL_DEBUG_INFO (Section 289, p. 981)
UNLOAD_DLL_DEBUG_INFO (Section 341, p. 1059)
OUTPUT_DEBUG_STRING_INFO (Section 312, p. 1012)
RIP_INFO (Section 329, p. 1036)
DEBUG_EVENT (Section 274, p. 953)
LPDEBUG_EVENT (Section 291, p. 984)
CHAR_INFO (Section 269, p. 945)
PCHAR_INFO (Section 143, p. 771)
COORD (Section 271, p. 948)
PCOORD (Section 315, p. 1017)
SMALL_RECT (Section 331, p. 1039)
PSMALL_RECT (Section 324, p. 1028)
CONSOLE_SCREEN_BUFFER_INFO (Section 270, p. 946)
PCONSOLE_SCREEN_BUFFER_INFO (Section 314, p. 1016)
THREADENTRY32 (Section 338, p. 1052)
LPTHREADENTRY32 (Section 306, p. 999)
PROCESSENTRY32 (Section 322, p. 1024)
LPPROCESSENTRY32 (Section 299, p. 992)
MODULEENTRY32 (Section 310, p. 1006)
LPMODULEENTRY32 (Section 134, p. 762)
HEAPENTRY32 (Section 285, p. 972)
LPHEAPENTRY32 (Section 294, p. 987)
HEAPLIST32 (Section 286, p. 974)
LPHEAPLIST32 (Section 295, p. 988)
PHANDLER_ROUTINE (Section 319, p. 1021)

24.2 Functions
VerQueryValueW(pBlock, lpSubBlock)
VerQueryValueA(pBlock, lpSubBlock)

GetSystemInfo()
GetCurrentThread()
VerifyVersionInfoA(lpVersionInfo, dwTypeMask, dwlConditionMask)
VerifyVersionInfo(lpVersionInfo, dwTypeMask, dwlConditionMask)
VerifyVersionInfoW(lpVersionInfo, dwTypeMask, dwlConditionMask)
GetSystemMetrics(nIndex)
GetNativeSystemInfo()
GetFileVersionInfoW(lptstrFilename)
GetLargePageMinimum()
IsWow64Process(hProcess)
VerSetConditionMask(dwlConditionMask, dwTypeBitMask, dwConditionMask)
GetCurrentProcess()
GetVersion()
GetVersionExW()
GetVersionExA()
GetFileVersionInfoA(lptstrFilename)
GetProductInfo(dwOSMajorVersion, dwOSMinorVersion, dwSpMajorVersion, dwSpMinorVersion)
RaiseIfLastError(result, func=None, arguments=())
    Error checking for Win32 API calls with no error-specific return value.
    Regardless of the return value, the function calls GetLastError(). If the code is
    not ERROR_SUCCESS then a WindowsError exception is raised.
    For this to work, the user MUST call SetLastError(ERROR_SUCCESS) prior
    to calling the API. Otherwise an exception may be raised even on success,
    since most API calls don't clear the error status code.
GetThreadContext(hThread, ContextFlags=None, raw=False)
SetThreadContext(hThread, lpContext)
GetThreadSelectorEntry(hThread, dwSelector)
GetLastError()
SetLastError(dwErrCode)
GetErrorMode()
SetErrorMode(uMode)
GetThreadErrorMode()
SetThreadErrorMode(dwNewMode)
CloseHandle(hHandle)
DuplicateHandle(hSourceHandle, hSourceProcessHandle=None, hTargetProcessHandle=None, dwDesiredAccess=2031616, bInheritHandle=False, dwOptions=2)
LocalFree(hMem)
GetStdHandle(nStdHandle)
GetConsoleCP()
GetConsoleOutputCP()
SetConsoleCP(wCodePageID)
SetConsoleOutputCP(wCodePageID)
SetConsoleActiveScreenBuffer(hConsoleOutput=None)
GetConsoleScreenBufferInfo(hConsoleOutput=None)
SetConsoleWindowInfo(hConsoleOutput, bAbsolute, lpConsoleWindow)
SetConsoleTextAttribute(hConsoleOutput=None, wAttributes=0)
AllocConsole()
AttachConsole(dwProcessId=4294967295)
FreeConsole()
GetDllDirectoryA()
GetDllDirectoryW()
SetDllDirectoryA(lpPathName=None)
SetDllDirectoryW(lpPathName)
LoadLibraryA(pszLibrary)
LoadLibraryW(pszLibrary)
LoadLibraryExA(pszLibrary, dwFlags=0)
LoadLibraryExW(pszLibrary, dwFlags=0)
GetModuleHandleA(lpModuleName)
GetModuleHandleW(lpModuleName)
GetProcAddressA(hModule, lpProcName)
GetProcAddressW(*argv, **argd)
FreeLibrary(hModule)
RtlPcToFileHeader(PcValue)
GetHandleInformation(hObject)
SetHandleInformation(hObject, dwMask, dwFlags)
QueryFullProcessImageNameA(hProcess, dwFlags=0)
QueryFullProcessImageNameW(hProcess, dwFlags=0)
GetLogicalDriveStringsA()
GetLogicalDriveStringsW()
QueryDosDeviceA(lpDeviceName=None)
QueryDosDeviceW(lpDeviceName)
MapViewOfFile(hFileMappingObject, dwDesiredAccess=983103, dwFileOffsetHigh=0, dwFileOffsetLow=0, dwNumberOfBytesToMap=0)
UnmapViewOfFile(lpBaseAddress)
OpenFileMappingA(dwDesiredAccess, bInheritHandle, lpName)
OpenFileMappingW(dwDesiredAccess, bInheritHandle, lpName)
CreateFileMappingA(hFile, lpAttributes=None, flProtect=64, dwMaximumSizeHigh=0, dwMaximumSizeLow=0, lpName=None)
CreateFileMappingW(hFile, lpAttributes=None, flProtect=64, dwMaximumSizeHigh=0, dwMaximumSizeLow=0, lpName=None)
CreateFileA(lpFileName, dwDesiredAccess=268435456, dwShareMode=0, lpSecurityAttributes=None, dwCreationDisposition=4, dwFlagsAndAttributes=128, hTemplateFile=None)
CreateFileW(lpFileName, dwDesiredAccess=268435456, dwShareMode=0, lpSecurityAttributes=None, dwCreationDisposition=4, dwFlagsAndAttributes=128, hTemplateFile=None)
FlushFileBuffers(hFile)
FlushViewOfFile(lpBaseAddress, dwNumberOfBytesToFlush=0)
SearchPathA(lpPath, lpFileName, lpExtension)
SearchPathW(lpPath, lpFileName, lpExtension)
SetSearchPathMode(Flags)
DeviceIoControl(hDevice, dwIoControlCode, lpInBuffer, nInBufferSize, lpOutBuffer, nOutBufferSize, lpOverlapped)
GetFileInformationByHandle(hFile)
GetFileInformationByHandleEx(hFile, FileInformationClass, lpFileInformation, dwBufferSize)
GetFinalPathNameByHandleA(hFile, dwFlags=0)
GetFinalPathNameByHandleW(hFile, dwFlags=0)
GetFullPathNameA(lpFileName)
GetFullPathNameW(lpFileName)
GetTempPathA()
GetTempPathW()
GetTempFileNameA(lpPathName=None, lpPrefixString='TMP', uUnique=0)
GetTempFileNameW(lpPathName=None, lpPrefixString=u'TMP', uUnique=0)
GetCurrentDirectoryA()
GetCurrentDirectoryW()
SetConsoleCtrlHandler(HandlerRoutine=None, Add=True)
GenerateConsoleCtrlEvent(dwCtrlEvent, dwProcessGroupId)
WaitForSingleObject(hHandle, dwMilliseconds=-1)
WaitForSingleObjectEx(hHandle, dwMilliseconds=-1, bAlertable=True)
WaitForMultipleObjects(handles, bWaitAll=False, dwMilliseconds=-1)
WaitForMultipleObjectsEx(handles, bWaitAll=False, dwMilliseconds=-1, bAlertable=True)
CreateMutexA(lpMutexAttributes=None, bInitialOwner=True, lpName=None)
CreateMutexW(lpMutexAttributes=None, bInitialOwner=True, lpName=None)
OpenMutexA(dwDesiredAccess=2031617, bInitialOwner=True, lpName=None)
OpenMutexW(dwDesiredAccess=2031617, bInitialOwner=True, lpName=None)
CreateEventA(lpMutexAttributes=None, bManualReset=False, bInitialState=False, lpName=None)
CreateEventW(lpMutexAttributes=None, bManualReset=False, bInitialState=False, lpName=None)
OpenEventA(dwDesiredAccess=2031619, bInheritHandle=False, lpName=None)
OpenEventW(dwDesiredAccess=2031619, bInheritHandle=False, lpName=None)
ReleaseMutex(hMutex)
SetEvent(hEvent)
ResetEvent(hEvent)
PulseEvent(hEvent)
WaitForDebugEvent(dwMilliseconds=-1)
ContinueDebugEvent(dwProcessId, dwThreadId, dwContinueStatus=2147549185)
FlushInstructionCache(hProcess, lpBaseAddress=None, dwSize=0)
DebugActiveProcess(dwProcessId)
DebugActiveProcessStop(dwProcessId)
CheckRemoteDebuggerPresent(hProcess)
DebugSetProcessKillOnExit(KillOnExit)
DebugBreakProcess(hProcess)
OutputDebugStringA(lpOutputString)
OutputDebugStringW(lpOutputString)
ReadProcessMemory(hProcess, lpBaseAddress, nSize)
WriteProcessMemory(hProcess, lpBaseAddress, lpBuffer)
VirtualAllocEx(hProcess, lpAddress=0, dwSize=4096, flAllocationType=12288, flProtect=64)
VirtualQueryEx(hProcess, lpAddress)
VirtualProtectEx(hProcess, lpAddress, dwSize, flNewProtect=64)
VirtualFreeEx(hProcess, lpAddress, dwSize=0, dwFreeType=32768)
CreateRemoteThread(hProcess, lpThreadAttributes, dwStackSize, lpStartAddress, lpParameter, dwCreationFlags)
CreateProcessA(lpApplicationName, lpCommandLine=None, lpProcessAttributes=None, lpThreadAttributes=None, bInheritHandles=False, dwCreationFlags=0, lpEnvironment=None, lpCurrentDirectory=None, lpStartupInfo=None)
CreateProcessW(lpApplicationName, lpCommandLine=None, lpProcessAttributes=None, lpThreadAttributes=None, bInheritHandles=False, dwCreationFlags=0, lpEnvironment=None, lpCurrentDirectory=None, lpStartupInfo=None)
InitializeProcThreadAttributeList(dwAttributeCount)
UpdateProcThreadAttribute(lpAttributeList, Attribute, Value, cbSize=None)
DeleteProcThreadAttributeList(lpAttributeList)
OpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId)
OpenThread(dwDesiredAccess, bInheritHandle, dwThreadId)
SuspendThread(hThread)
ResumeThread(hThread)
TerminateThread(hThread, dwExitCode=0)
TerminateProcess(hProcess, dwExitCode=0)
GetCurrentProcessId()
GetCurrentThreadId()
GetProcessId(hProcess)
GetThreadId(hThread)
GetProcessIdOfThread(hThread)
GetExitCodeProcess(hProcess)
GetExitCodeThread(hThread)
GetProcessVersion(ProcessId)
GetPriorityClass(hProcess)
SetPriorityClass(hProcess, dwPriorityClass=32)
GetProcessPriorityBoost(hProcess)
SetProcessPriorityBoost(hProcess, DisablePriorityBoost)
GetProcessAffinityMask(hProcess)
SetProcessAffinityMask(hProcess, dwProcessAffinityMask)
CreateToolhelp32Snapshot(dwFlags=15, th32ProcessID=0)
Process32First(hSnapshot)
Process32Next(hSnapshot, pe=None)
Thread32First(hSnapshot)
Thread32Next(hSnapshot, te=None)
Module32First(hSnapshot)
Module32Next(hSnapshot, me=None)
Heap32First(th32ProcessID, th32HeapID)
Heap32Next(he)
Heap32ListFirst(hSnapshot)
Heap32ListNext(hSnapshot, hl=None)
Toolhelp32ReadProcessMemory(th32ProcessID, lpBaseAddress, cbRead)
GetProcessDEPPolicy(hProcess)
GetCurrentProcessorNumber()
FlushProcessWriteBuffers()
GetGuiResources(hProcess, uiFlags=0)
GetProcessHandleCount(hProcess)
GetProcessTimes(hProcess=None)
FileTimeToSystemTime(lpFileTime)
GetSystemTimeAsFileTime()
GlobalAddAtomA(lpString)
GlobalAddAtomW(lpString)
GlobalFindAtomA(lpString)
GlobalFindAtomW(lpString)
GlobalGetAtomNameA(nAtom)
GlobalGetAtomNameW(nAtom)
GlobalDeleteAtom(nAtom)
Wow64SuspendThread(hThread)
Wow64EnableWow64FsRedirection(Wow64FsEnableRedirection)
    This function may not work reliably when there are nested calls. Therefore,
    this function has been replaced by the Wow64DisableWow64FsRedirection
    and Wow64RevertWow64FsRedirection functions.
    See Also:
    http://msdn.microsoft.com/en-us/library/windows/desktop/aa365744(v=vs.85).aspx
Wow64DisableWow64FsRedirection()
Wow64RevertWow64FsRedirection(OldValue)

24.3 Variables

Name                                    Description
SM_CXVIRTUALSCREEN                      Value: 78
SM_CXSCREEN                             Value: 0
VER_LESS                                Value: 4
VOS_DOS_WINDOWS16                       Value: 65537
SM_STARTER                              Value: 88
SM_IMMENABLED                           Value: 82
VER_SUITE_BLADE                         Value: 1024
PROCESSOR_MOTOROLA_821                  Value: 821
OS_NT                                   Value: Windows NT
OS_W7                                   Value: Windows 7
VER_GREATER                             Value: 2
PROCESSOR_PPC_620                       Value: 620
SM_CXHSCROLL                            Value: 21
PROCESSOR_ARCHITECTURE_ALPHA            Value: 2
OS_WINDOWS_2008_64                      Value: Windows 2008 (64 bits)
VFT_DRV                                 Value: 3
VOS_PM32                                Value: 3
VFT2_DRV_KEYBOARD                       Value: 2
NTDDI_WIN7SP1                           Value: 100729088
VOS_NT                                  Value: 262144

Name                                    Description
VFT2_DRV_NETWORK                        Value: 6
SM_CYFRAME                              Value: 33
PROCESSOR_INTEL_IA64                    Value: 2200
SM_CARETBLINKINGENABLED                 Value: 8194
SM_CXMINIMIZED                          Value: 57
NTDDI_WIN2K                             Value: 83886080
OS_WINDOWS_XP                           Value: Windows XP
VS_FF_INFOINFERRED                      Value: 16
PROCESSOR_ALPHA_21064                   Value: 21064
SM_CXFULLSCREEN                         Value: 16
SM_YVIRTUALSCREEN                       Value: 77
VOS_OS216                               Value: 131072
VFT2_FONT_TRUETYPE                      Value: 3
ARCH_HITACHI                            Value: shx
VOS_DOS                                 Value: 65536
PROCESSOR_ARCHITECTURE_UNKNOWN          Value: 65535
SM_CYCAPTION                            Value: 4
ARCH_ALPHA64                            Value: alpha64
NTDDI_WIN8                              Value: 100794368
NTDDI_WIN7                              Value: 100728832
OSVERSION_MASK                          Value: 4294901760
SM_CXFOCUSBORDER                        Value: 83
OS_WINDOWS_2008_R2_64                   Value: Windows 2008 R2 (64 bits)
SM_MEDIACENTER                          Value: 87
SUBVERSION_MASK                         Value: 255
SM_CMOUSEBUTTONS                        Value: 43
SM_CYSMICON                             Value: 50
OS_W2K3R2_64                            Value: Windows 2003 R2 (64 bits)
OS_SEVEN                                Value: Windows 7
SM_CXDLGFRAME                           Value: 7
OS_W2K3_64                              Value: Windows 2003 (64 bits)
SM_ARRANGE                              Value: 56
ARCH_ARM64                              Value: arm64
VS_FF_PRERELEASE                        Value: 2
VFT2_DRV_DISPLAY                        Value: 4
SM_DBCSENABLED                          Value: 42

Name                                    Description
SM_SWAPBUTTON                           Value: 23
SM_TABLETPC                             Value: 86
VER_SUITE_BACKOFFICE                    Value: 4
VFT2_DRV_INSTALLABLE                    Value: 8
VER_SUITE_WH_SERVER                     Value: 32768
PROCESSOR_ARCHITECTURE_ALPHA64          Value: 7
OS_WINDOWS_2003_R2                      Value: Windows 2003 R2
VFT2_DRV_SOUND                          Value: 9
SM_RESERVED4                            Value: 27
SM_RESERVED1                            Value: 24
SM_RESERVED3                            Value: 26
SM_RESERVED2                            Value: 25
OS_WINDOWS_2008_R2                      Value: Windows 2008 R2
VS_FF_DEBUG                             Value: 1
VFT_UNKNOWN                             Value: 0
SM_CXICONSPACING                        Value: 38
VER_SUITE_DATACENTER                    Value: 128
arch                                    Value: amd64
PROCESSOR_INTEL_486                     Value: 486
ARCH_UNKNOWN                            Value: unknown
VFT2_FONT_VECTOR                        Value: 2
SM_CYSMCAPTION                          Value: 51
SM_SAMEDISPLAYFORMAT                    Value: 81
ARCH_SHX                                Value: shx
OS_WINDOWS_XP_64                        Value: Windows XP (64 bits)
VFT2_DRV_LANGUAGE                       Value: 3
SM_CYMINIMIZED                          Value: 58
PROCESSOR_ARM820                        Value: 2080
OS_WINDOWS_NT                           Value: Windows NT
VS_FF_SPECIALBUILD                      Value: 32
SM_REMOTESESSION                        Value: 4096
ARCH_POWERPC                            Value: ppc
VOS_DOS_WINDOWS32                       Value: 65540
SM_CXMAXIMIZED                          Value: 61
PROCESSOR_SHx_SH3                       Value: 103
PROCESSOR_SHx_SH4                       Value: 104

Name                                    Description
VER_LESS_EQUAL                          Value: 5
WINVER                                  Value: 1537
VFT2_UNKNOWN                            Value: 0
OS_WINDOWS_2003_64                      Value: Windows 2003 (64 bits)
SM_MOUSEPRESENT                         Value: 19
OS_XP                                   Value: Windows XP
ARCH_MIPS                               Value: mips
PROCESSOR_ARCHITECTURE_IA32_ON_WIN64    Value: 10
SM_CYCURSOR                             Value: 14
VER_SUITE_SINGLEUSERTS                  Value: 256
SM_CYKANJIWINDOW                        Value: 18
SM_CXVSCROLL                            Value: 2
VER_OR                                  Value: 7
SM_CYVIRTUALSCREEN                      Value: 79
PROCESSOR_ARM_7TDMI                     Value: 70001
SM_SLOWMACHINE                          Value: 73
SM_CYMINTRACK                           Value: 35
OS_W2K8                                 Value: Windows 2008
SM_SHUTTINGDOWN                         Value: 8192
VOS_OS232_PM32                          Value: 196611
OS_W2K3                                 Value: Windows 2003
SM_CYMAXTRACK                           Value: 60
PROCESSOR_ARCHITECTURE_IA64             Value: 6
PROCESSOR_ARM720                        Value: 1824
VOS_UNKNOWN                             Value: 0
OS_VISTA_64                             Value: Windows Vista (64 bits)
OS_WINDOWS_VISTA_64                     Value: Windows Vista (64 bits)
SM_CYFOCUSBORDER                        Value: 84
VFT2_DRV_SYSTEM                         Value: 7
NTDDI_WINXPSP1                          Value: 83951872
NTDDI_WINXPSP3                          Value: 83952384
NTDDI_WINXPSP2                          Value: 83952128
PROCESSOR_HITACHI_SH3                   Value: 10003
PROCESSOR_OPTIL                         Value: 18767
PROCESSOR_AMD_X8664                     Value: 8664

Name                                    Description
SM_CXMENUSIZE                           Value: 54
VFT_STATIC_LIB                          Value: 7
VER_MINORVERSION                        Value: 1
bits                                    Value: 32
PROCESSOR_MIPS_R4000                    Value: 4000
VER_SUITE_SMALLBUSINESS_RESTRICTED      Value: 32
SM_CYSIZEFRAME                          Value: 33
SM_CYDOUBLECLK                          Value: 37
PROCESSOR_ARCHITECTURE_SHX              Value: 4
wow64                                   Value: True
VER_PLATFORMID                          Value: 8
VER_NT_WORKSTATION                      Value: 1
SM_CYVSCROLL                            Value: 20
VER_AND                                 Value: 6
SM_CXEDGE                               Value: 45
VFT_APP                                 Value: 1
NTDDI_WS03SP2                           Value: 84017664
NTDDI_WS03SP1                           Value: 84017408
OS_WINDOWS_2003_R2_64                   Value: Windows 2003 R2 (64 bits)
ARCH_ARM                                Value: arm
SM_REMOTECONTROL                        Value: 8193
SM_CYFIXEDFRAME                         Value: 8
SM_CXMENUCHECK                          Value: 71
SM_NETWORK                              Value: 63
PROCESSOR_ARCHITECTURE_ARM              Value: 5
VFT2_DRV_MOUSE                          Value: 5
VS_FF_PRIVATEBUILD                      Value: 8
SM_CYSCREEN                             Value: 1
VFT_DLL                                 Value: 2
ARCH_IA32                               Value: i386
SM_CYBORDER                             Value: 6
NTDDI_VERSION                           Value: 100729088
SM_CXSIZE                               Value: 30
OS_W7_64                                Value: Windows 7 (64 bits)
ARCH_SPARC                              Value: sparc

Name                                    Description
VER_NT_DOMAIN_CONTROLLER                Value: 2
ARCH_AARCH32                            Value: arm
ARCH_T32                                Value: thumb
ARCH_ALPHA                              Value: alpha
OS_VISTA                                Value: Windows Vista
VER_PLATFORM_WIN32_WINDOWS              Value: 1
SM_CLEANBOOT                            Value: 67
VOS_PM16                                Value: 2
VOS_WINDOWS16                           Value: 1
PROCESSOR_PPC_604                       Value: 604
PROCESSOR_HITACHI_SH4                   Value: 10005
PROCESSOR_PPC_601                       Value: 601
PROCESSOR_PPC_603                       Value: 603
VFT_FONT                                Value: 4
GetVersionEx                            Value: GuessStringType(GetVersionExA, GetVersionExW)
SM_MIDEASTENABLED                       Value: 74
SM_CXCURSOR                             Value: 13
SM_DEBUG                                Value: 22
SM_CYSMSIZE                             Value: 53
ARCH_X86                                Value: i386
ARCH_MSIL                               Value: msil
SM_CXBORDER                             Value: 5
SM_CYICONSPACING                        Value: 39
NTDDI_WIN2KSP2                          Value: 83886592
NTDDI_WIN2KSP3                          Value: 83886848
NTDDI_WIN2KSP1                          Value: 83886336
ARCH_X64                                Value: amd64
NTDDI_WIN2KSP4                          Value: 83887104
SM_MOUSEWHEELPRESENT                    Value: 75
VER_GREATER_EQUAL                       Value: 3
VER_PLATFORM_WIN32s                     Value: 0
SM_CYICON                               Value: 12
SM_CYDRAG                               Value: 69
SM_CYMINSPACING                         Value: 48
SM_CXMINSPACING                         Value: 47
OS_W2K3R2                               Value: Windows 2003 R2

Name                                    Description
SM_SERVERR2                             Value: 89
SM_CXHTHUMB                             Value: 10
ARCH_AARCH64                            Value: arm64
VER_SERVICEPACKMAJOR                    Value: 32
SM_CYMENUSIZE                           Value: 55
SM_CXDOUBLECLK                          Value: 36
VFT_RESERVED                            Value: 6
SM_CMETRICS                             Value: 93
ARCH_ITANIUM                            Value: ia64
PROCESSOR_STRONGARM                     Value: 2577
PROCESSOR_ARM920                        Value: 2336
VER_EQUAL                               Value: 1
VFT_VXD                                 Value: 5
VER_SUITE_EMBEDDEDNT                    Value: 64
SM_CXICON                               Value: 11
SM_CMONITORS                            Value: 80
OS_WINDOWS_2008                         Value: Windows 2008
SM_CXPADDEDBORDER                       Value: 92
OS_WINDOWS_2003                         Value: Windows 2003
OS_WINDOWS_2000                         Value: Windows 2000
VS_FF_PATCHED                           Value: 4
SM_MENUDROPALIGNMENT                    Value: 40
SM_CYMIN                                Value: 29
VER_SUITE_ENTERPRISE                    Value: 2
VOS_OS216_PM16                          Value: 131074
NTDDI_VISTA                             Value: 100663296
SM_CXSIZEFRAME                          Value: 32
NTDDI_LONGHORN                          Value: 100663296
ARCH_THUMB                              Value: thumb
OS_WINDOWS_SEVEN                        Value: Windows 7
SM_CYHSCROLL                            Value: 3
OS_UNKNOWN                              Value: Unknown
SM_CXMAXTRACK                           Value: 59
SM_CXMINTRACK                           Value: 34
SM_CYMENUCHECK                          Value: 72
SM_MOUSEHORIZONTALWHEELPRESENT          Value: 91

Name                                    Description
PROCESSOR_INTEL_PENTIUM                 Value: 586
SM_CXDRAG                               Value: 68
VER_SUITE_PERSONAL                      Value: 512
SM_PENWINDOWS                           Value: 41
VER_BUILDNUMBER                         Value: 4
OS_WINDOWS_SEVEN_64                     Value: Windows 7 (64 bits)
VER_MAJORVERSION                        Value: 2
VER_PLATFORM_WIN32_NT                   Value: 2
SM_SHOWSOUNDS                           Value: 70
SM_CYMAXIMIZED                          Value: 62
VER_NT_SERVER                           Value: 3
SM_CYMENU                               Value: 15
SM_SECURE                               Value: 44
VFT2_DRV_VERSIONEDPRINTER               Value: 12
PROCESSOR_ARCHITECTURE_MIPS             Value: 1
ARCH_ARM8                               Value: arm64
SM_CYVTHUMB                             Value: 9
SM_CXMIN                                Value: 28
ARCH_ARM7                               Value: arm
NTDDI_WINXP                             Value: 83951616
VFT2_DRV_COMM                           Value: 10
ARCH_PPC                                Value: ppc
VER_SUITE_STORAGE_SERVER                Value: 8192
OS_W2K8R2_64                            Value: Windows 2008 R2 (64 bits)
PROCESSOR_ARCHITECTURE_SPARC            Value: 20
OS_XP_64                                Value: Windows XP (64 bits)
VFT2_FONT_RASTER                        Value: 1
PROCESSOR_INTEL_386                     Value: 386
VOS_WINDOWS32                           Value: 4
OS_W2K8_64                              Value: Windows 2008 (64 bits)
VER_PRODUCT_TYPE                        Value: 128
os                                      Value: Windows 7 (64 bits)
VerQueryValue                           Value: GuessStringType(VerQueryValueA, VerQueryValueW)

Name                                    Description
GetFileVersionInfo                      Value: GuessStringType(GetFileVersionInfoA, GetFileVersionInfoW)
PROCESSOR_HITACHI_SH3E                  Value: 10004
PROCESSOR_ARCHITECTURE_PPC              Value: 3
SM_CXSMICON                             Value: 49
VOS_OS232                               Value: 196608
SM_CXFIXEDFRAME                         Value: 7
SM_CYEDGE                               Value: 46
VER_SUITE_COMPUTE_SERVER                Value: 16384
NTDDI_VISTASP1                          Value: 100663552
PROCESSOR_ARCHITECTURE_MSIL             Value: 8
OS_WINDOWS_VISTA                        Value: Windows Vista
VER_SERVICEPACKMINOR                    Value: 16
VFT2_DRV_PRINTER                        Value: 1
NTDDI_WINNT4                            Value: 67108864
ARCH_IA64                               Value: ia64
SM_CYFULLSCREEN                         Value: 17
PROCESSOR_ARCHITECTURE_AMD64            Value: 9
OS_W2K8R2                               Value: Windows 2008 R2
SM_CYDLGFRAME                           Value: 8
VOS_NT_WINDOWS32                        Value: 262148
SM_CYSIZE                               Value: 31
PROCESSOR_ARCHITECTURE_INTEL            Value: 0
OS_SEVEN_64                             Value: Windows 7 (64 bits)
NTDDI_WS03                              Value: 84017152
NTDDI_WS08                              Value: 100663552
VER_SUITENAME                           Value: 64
VER_SUITE_TERMINAL                      Value: 16
SM_XVIRTUALSCREEN                       Value: 76
SM_CXSMSIZE                             Value: 52
OS_W2K                                  Value: Windows 2000
SM_CXFRAME                              Value: 32
VFT2_DRV_RESERVED                       Value: 11
VER_SUITE_SMALLBUSINESS                 Value: 1

Name                                    Description
SPVERSION_MASK                          Value: 65280
ContextArchMask                         Value: 268369920
CONTEXT_EXCEPTIONACTIVE
WOW64_CONTEXT_CONTROL
WOW64_MAXIMUM_SUPPORTED_EXTENSION
WOW64_CONTEXT_EXTENDED_REGISTERS
Wow64ResumeThread
CONTEXT_EXCEPTIONREPORTING
WOW64_CONTEXT_FULL
ARCH_AMD64                              Value: amd64
PXMM_SAVE_AREA32
PWOW64_FLOATING_SAVE_AREA
WOW64_CS32
WOW64_CONTEXT_ALL
CONTEXT_EXCEPTIONREQUEST
Wow64GetThreadSelectorEntry
WOW64_CONTEXT_FLOATING_POINT
WOW64_CONTEXT_DEBUG_REGISTERS
WOW64_CONTEXT_INTEGER
PWOW64_CONTEXT
WOW64_CONTEXT
Wow64SetThreadContext
WOW64_SIZE_OF_80387_REGISTERS
CONTEXT_AMD64
WOW64_CONTEXT_i386
Wow64GetThreadContext
INITIAL_MXCSR
PWOW64_LDT_ENTRY

Name                                    Description
WOW64_CONTEXT_i486
XMM_SAVE_AREA32
CONTEXT_MMX_REGISTERS
LPXMM_SAVE_AREA32
LEGACY_SAVE_AREA_LENGTH
WOW64_LDT_ENTRY
INITIAL_FPCSR
CONTEXT_SERVICE_ACTIVE
WOW64_CONTEXT_SEGMENTS
WOW64_FLOATING_SAVE_AREA
CONTEXT_CONTROL                         Value: 65537
CONTEXT_DEBUG_REGISTERS                 Value: 65552
ARCH_I386                               Value: i386
LDT_ENTRY_HIGHWORD
CONTEXT_FULL                            Value: 65543
WinDllHook
EXCEPTION_WRITE_FAULT                   Value: 1
CONTEXT_SEGMENTS                        Value: 65540
CONTEXT_i486                            Value: 65536
LDT_ENTRY_BYTES
LDT_ENTRY_BITS
WinCallHook
CONTEXT_i386                            Value: 65536
WinFuncHook
CONTEXT_INTEGER                         Value: 65538
CONTEXT_EXTENDED_REGISTERS              Value: 65568
CONTEXT_FLOATING_POINT                  Value: 65544
CONTEXT_ALL                             Value: 65599
MAXIMUM_SUPPORTED_EXTENSION             Value: 512
SIZE_OF_80387_REGISTERS                 Value: 80

Variables

Name
EXCEPTION EXECUTEFAULT
EXCEPTION READ FAULT
STILL ACTIVE
WAIT FAILED
WAIT OBJECT 0
EXCEPTION NONCONTINUABLE
EXCEPTION MAXIMUM PARAMETERS
MAXIMUM WAIT OBJECTS
MAXIMUM SUSPEND COUNT
FORMAT MESSAGE ALLOCATE BUFFER
FORMAT MESSAGE FROM SYSTEM
GR GDIOBJECTS
GR USEROBJECTS
PROCESS NAME NATIVE
MAXINTATOM
STD INPUT HANDLE
STD OUTPUT HANDLE
STD ERROR HANDLE
ATTACH PARENT PROCESS
DONT RESOLVE DLL REFERENCES
LOAD LIBRARY AS DATAFILE
LOAD WITH ALTEREDSEARCH PATH
LOAD IGNORE CODE AUTHZ LEVEL
LOAD LIBRARY AS IMAGE RESOURCE
LOAD LIBRARY AS DATAFILE EXCLUSIVE
CTRL C EVENT

Module winappdbg.win32.kernel32

Description
Value: 8
Value: 0
Value:
Value:
Value:
Value:

259
-1
0
1

Value: 15
Value: 64
Value: 127
Value: 256
Value: 4096
Value: 0
Value: 1
Value: 1
Value:
Value:
Value:
Value:
Value:

49152
4294967286
4294967285
4294967284
4294967295

Value: 1
Value: 2
Value: 8
Value: 16
Value: 32
Value: 64
Value: 0
continued on next page

CTRL_BREAK_EVENT    Value: 1
CTRL_CLOSE_EVENT    Value: 2
CTRL_LOGOFF_EVENT    Value: 5
CTRL_SHUTDOWN_EVENT    Value: 6
HEAP_NO_SERIALIZE    Value: 1
HEAP_GENERATE_EXCEPTIONS    Value: 4
HEAP_ZERO_MEMORY    Value: 8
HEAP_CREATE_ENABLE_EXECUTE    Value: 262144
MUTEX_ALL_ACCESS    Value: 2031617
MUTEX_MODIFY_STATE    Value: 1
EVENT_ALL_ACCESS    Value: 2031619
EVENT_MODIFY_STATE    Value: 2
SEMAPHORE_ALL_ACCESS    Value: 2031619
SEMAPHORE_MODIFY_STATE    Value: 2
TIMER_ALL_ACCESS    Value: 2031619
TIMER_MODIFY_STATE    Value: 2
TIMER_QUERY_STATE    Value: 1
PROCESS_TERMINATE    Value: 1
PROCESS_CREATE_THREAD    Value: 2
PROCESS_SET_SESSIONID    Value: 4
PROCESS_VM_OPERATION    Value: 8
PROCESS_VM_READ    Value: 16
PROCESS_VM_WRITE    Value: 32
PROCESS_DUP_HANDLE    Value: 64
PROCESS_CREATE_PROCESS    Value: 128
PROCESS_SET_QUOTA    Value: 256
PROCESS_SET_INFORMATION    Value: 512
PROCESS_QUERY_INFORMATION    Value: 1024

PROCESS_SUSPEND_RESUME    Value: 2048
PROCESS_QUERY_LIMITED_INFORMATION    Value: 4096
THREAD_TERMINATE    Value: 1
THREAD_SUSPEND_RESUME    Value: 2
THREAD_ALERT    Value: 4
THREAD_GET_CONTEXT    Value: 8
THREAD_SET_CONTEXT    Value: 16
THREAD_SET_INFORMATION    Value: 32
THREAD_QUERY_INFORMATION    Value: 64
THREAD_SET_THREAD_TOKEN    Value: 128
THREAD_IMPERSONATE    Value: 256
THREAD_DIRECT_IMPERSONATION    Value: 512
THREAD_SET_LIMITED_INFORMATION    Value: 1024
THREAD_QUERY_LIMITED_INFORMATION    Value: 2048
PROCESS_ALL_ACCESS_NT    Value: 2035711
PROCESS_ALL_ACCESS_VISTA    Value: 2097151
THREAD_ALL_ACCESS_NT    Value: 2032639
THREAD_ALL_ACCESS_VISTA    Value: 2097151
PROCESS_ALL_ACCESS    Value: 2097151
THREAD_ALL_ACCESS    Value: 2097151
DEBUG_PROCESS    Value: 1
DEBUG_ONLY_THIS_PROCESS    Value: 2
CREATE_SUSPENDED    Value: 4
DETACHED_PROCESS    Value: 8

CREATE_NEW_CONSOLE    Value: 16
NORMAL_PRIORITY_CLASS    Value: 32
IDLE_PRIORITY_CLASS    Value: 64
HIGH_PRIORITY_CLASS    Value: 128
REALTIME_PRIORITY_CLASS    Value: 256
CREATE_NEW_PROCESS_GROUP    Value: 512
CREATE_UNICODE_ENVIRONMENT    Value: 1024
CREATE_SEPARATE_WOW_VDM    Value: 2048
CREATE_SHARED_WOW_VDM    Value: 4096
CREATE_FORCEDOS    Value: 8192
BELOW_NORMAL_PRIORITY_CLASS    Value: 16384
ABOVE_NORMAL_PRIORITY_CLASS    Value: 32768
INHERIT_PARENT_AFFINITY    Value: 65536
STACK_SIZE_PARAM_IS_A_RESERVATION    Value: 65536
INHERIT_CALLER_PRIORITY    Value: 131072
CREATE_PROTECTED_PROCESS    Value: 262144
EXTENDED_STARTUPINFO_PRESENT    Value: 524288
PROCESS_MODE_BACKGROUND_BEGIN    Value: 1048576
PROCESS_MODE_BACKGROUND_END    Value: 2097152
CREATE_BREAKAWAY_FROM_JOB    Value: 16777216
CREATE_PRESERVE_CODE_AUTHZ_LEVEL    Value: 33554432
CREATE_DEFAULT_ERROR_MODE    Value: 67108864

CREATE_NO_WINDOW    Value: 134217728
PROFILE_USER    Value: 268435456
PROFILE_KERNEL    Value: 536870912
PROFILE_SERVER    Value: 1073741824
CREATE_IGNORE_SYSTEM_DEFAULT    Value: 2147483648
THREAD_BASE_PRIORITY_LOWRT    Value: 15
THREAD_BASE_PRIORITY_MAX    Value: 2
THREAD_BASE_PRIORITY_MIN    Value: -2
THREAD_BASE_PRIORITY_IDLE    Value: -15
THREAD_PRIORITY_LOWEST    Value: -2
THREAD_PRIORITY_BELOW_NORMAL    Value: -1
THREAD_PRIORITY_NORMAL    Value: 0
THREAD_PRIORITY_HIGHEST    Value: 2
THREAD_PRIORITY_ABOVE_NORMAL    Value: 1
THREAD_PRIORITY_ERROR_RETURN    Value: 4294967295
THREAD_PRIORITY_TIME_CRITICAL    Value: 15
THREAD_PRIORITY_IDLE    Value: -15
PAGE_NOACCESS    Value: 1
PAGE_READONLY    Value: 2
PAGE_READWRITE    Value: 4
PAGE_WRITECOPY    Value: 8
PAGE_EXECUTE    Value: 16
PAGE_EXECUTE_READ    Value: 32
PAGE_EXECUTE_READWRITE    Value: 64
PAGE_EXECUTE_WRITECOPY    Value: 128
PAGE_GUARD    Value: 256
PAGE_NOCACHE    Value: 512

PAGE_WRITECOMBINE    Value: 1024
MEM_COMMIT    Value: 4096
MEM_RESERVE    Value: 8192
MEM_DECOMMIT    Value: 16384
MEM_RELEASE    Value: 32768
MEM_FREE    Value: 65536
MEM_PRIVATE    Value: 131072
MEM_MAPPED    Value: 262144
MEM_RESET    Value: 524288
MEM_TOP_DOWN    Value: 1048576
MEM_WRITE_WATCH    Value: 2097152
MEM_PHYSICAL    Value: 4194304
MEM_LARGE_PAGES    Value: 536870912
MEM_4MB_PAGES    Value: 2147483648
SEC_FILE    Value: 8388608
SEC_IMAGE    Value: 16777216
SEC_RESERVE    Value: 67108864
SEC_COMMIT    Value: 134217728
SEC_NOCACHE    Value: 268435456
SEC_LARGE_PAGES    Value: 2147483648
MEM_IMAGE    Value: 16777216
WRITE_WATCH_FLAG_RESET    Value: 1
SECTION_QUERY    Value: 1
SECTION_MAP_WRITE    Value: 2
SECTION_MAP_READ    Value: 4
SECTION_MAP_EXECUTE    Value: 8
SECTION_EXTEND_SIZE    Value: 16
SECTION_MAP_EXECUTE_EXPLICIT    Value: 32
SECTION_ALL_ACCESS    Value: 983071
FILE_MAP_COPY    Value: 1
FILE_MAP_WRITE    Value: 2
FILE_MAP_READ    Value: 4
FILE_MAP_ALL_ACCESS    Value: 983071
FILE_MAP_EXECUTE    Value: 32
GENERIC_READ    Value: 2147483648
GENERIC_WRITE    Value: 1073741824

GENERIC_EXECUTE    Value: 536870912
GENERIC_ALL    Value: 268435456
FILE_SHARE_READ    Value: 1
FILE_SHARE_WRITE    Value: 2
FILE_SHARE_DELETE    Value: 4
CREATE_NEW    Value: 1
CREATE_ALWAYS    Value: 2
OPEN_EXISTING    Value: 3
OPEN_ALWAYS    Value: 4
TRUNCATE_EXISTING    Value: 5
FILE_FLAG_WRITE_THROUGH    Value: 2147483648
FILE_FLAG_NO_BUFFERING    Value: 536870912
FILE_FLAG_RANDOM_ACCESS    Value: 268435456
FILE_FLAG_SEQUENTIAL_SCAN    Value: 134217728
FILE_FLAG_DELETE_ON_CLOSE    Value: 67108864
FILE_FLAG_OVERLAPPED    Value: 1073741824
FILE_ATTRIBUTE_READONLY    Value: 1
FILE_ATTRIBUTE_HIDDEN    Value: 2
FILE_ATTRIBUTE_SYSTEM    Value: 4
FILE_ATTRIBUTE_DIRECTORY    Value: 16
FILE_ATTRIBUTE_ARCHIVE    Value: 32
FILE_ATTRIBUTE_DEVICE    Value: 64
FILE_ATTRIBUTE_NORMAL    Value: 128
FILE_ATTRIBUTE_TEMPORARY    Value: 256
EXCEPTION_DEBUG_EVENT    Value: 1
CREATE_THREAD_DEBUG_EVENT    Value: 2

CREATE_PROCESS_DEBUG_EVENT    Value: 3
EXIT_THREAD_DEBUG_EVENT    Value: 4
EXIT_PROCESS_DEBUG_EVENT    Value: 5
LOAD_DLL_DEBUG_EVENT    Value: 6
UNLOAD_DLL_DEBUG_EVENT    Value: 7
OUTPUT_DEBUG_STRING_EVENT    Value: 8
RIP_EVENT    Value: 9
DBG_EXCEPTION_HANDLED    Value: 65537
DBG_CONTINUE    Value: 65538
DBG_REPLY_LATER    Value: 1073807361
DBG_UNABLE_TO_PROVIDE_HANDLE    Value: 1073807362
DBG_TERMINATE_THREAD    Value: 1073807363
DBG_TERMINATE_PROCESS    Value: 1073807364
DBG_PRINTEXCEPTION_C    Value: 1073807366
DBG_RIPEXCEPTION    Value: 1073807367
DBG_CONTROL_BREAK    Value: 1073807368
DBG_COMMAND_EXCEPTION    Value: 1073807369
DBG_EXCEPTION_NOT_HANDLED    Value: 2147549185
DBG_NO_STATE_CHANGE    Value: 3221291009
DBG_APP_NOT_IDLE    Value: 3221291010
STATUS_WAIT_0    Value: 0
STATUS_ABANDONED_WAIT_0    Value: 128
STATUS_USER_APC    Value: 192
STATUS_TIMEOUT    Value: 258
STATUS_PENDING    Value: 259
STATUS_SEGMENT_NOTIFICATION    Value: 1073741829

STATUS_GUARD_PAGE_VIOLATION    Value: 2147483649
STATUS_DATATYPE_MISALIGNMENT    Value: 2147483650
STATUS_BREAKPOINT    Value: 2147483651
STATUS_SINGLE_STEP    Value: 2147483652
STATUS_INVALID_INFO_CLASS    Value: 3221225475
STATUS_ACCESS_VIOLATION    Value: 3221225477
STATUS_IN_PAGE_ERROR    Value: 3221225478
STATUS_INVALID_HANDLE    Value: 3221225480
STATUS_NO_MEMORY    Value: 3221225495
STATUS_ILLEGAL_INSTRUCTION    Value: 3221225501
STATUS_NONCONTINUABLE_EXCEPTION    Value: 3221225509
STATUS_INVALID_DISPOSITION    Value: 3221225510
STATUS_ARRAY_BOUNDS_EXCEEDED    Value: 3221225612
STATUS_FLOAT_DENORMAL_OPERAND    Value: 3221225613
STATUS_FLOAT_DIVIDE_BY_ZERO    Value: 3221225614
STATUS_FLOAT_INEXACT_RESULT    Value: 3221225615
STATUS_FLOAT_INVALID_OPERATION    Value: 3221225616
STATUS_FLOAT_OVERFLOW    Value: 3221225617
STATUS_FLOAT_STACK_CHECK    Value: 3221225618
STATUS_FLOAT_UNDERFLOW    Value: 3221225619
STATUS_INTEGER_DIVIDE_BY_ZERO    Value: 3221225620
STATUS_INTEGER_OVERFLOW    Value: 3221225621

STATUS_PRIVILEGED_INSTRUCTION    Value: 3221225622
STATUS_STACK_OVERFLOW    Value: 3221225725
STATUS_CONTROL_C_EXIT    Value: 3221225786
STATUS_FLOAT_MULTIPLE_FAULTS    Value: 3221226164
STATUS_FLOAT_MULTIPLE_TRAPS    Value: 3221226165
STATUS_REG_NAT_CONSUMPTION    Value: 3221226185
STATUS_SXS_EARLY_DEACTIVATION    Value: 3222601743
STATUS_SXS_INVALID_DEACTIVATION    Value: 3222601744
STATUS_STACK_BUFFER_OVERRUN    Value: 3221226505
STATUS_WX86_BREAKPOINT    Value: 1073741855
STATUS_HEAP_CORRUPTION    Value: 3221226356
STATUS_POSSIBLE_DEADLOCK    Value: 3221225876
STATUS_UNWIND_CONSOLIDATE    Value: 2147483689
EXCEPTION_ACCESS_VIOLATION    Value: 3221225477
EXCEPTION_ARRAY_BOUNDS_EXCEEDED    Value: 3221225612
EXCEPTION_BREAKPOINT    Value: 2147483651
EXCEPTION_DATATYPE_MISALIGNMENT    Value: 2147483650
EXCEPTION_FLT_DENORMAL_OPERAND    Value: 3221225613
EXCEPTION_FLT_DIVIDE_BY_ZERO    Value: 3221225614
EXCEPTION_FLT_INEXACT_RESULT    Value: 3221225615
EXCEPTION_FLT_INVALID_OPERATION    Value: 3221225616

EXCEPTION_FLT_OVERFLOW    Value: 3221225617
EXCEPTION_FLT_STACK_CHECK    Value: 3221225618
EXCEPTION_FLT_UNDERFLOW    Value: 3221225619
EXCEPTION_ILLEGAL_INSTRUCTION    Value: 3221225501
EXCEPTION_IN_PAGE_ERROR    Value: 3221225478
EXCEPTION_INT_DIVIDE_BY_ZERO    Value: 3221225620
EXCEPTION_INT_OVERFLOW    Value: 3221225621
EXCEPTION_INVALID_DISPOSITION    Value: 3221225510
EXCEPTION_NONCONTINUABLE_EXCEPTION    Value: 3221225509
EXCEPTION_PRIV_INSTRUCTION    Value: 3221225622
EXCEPTION_SINGLE_STEP    Value: 2147483652
EXCEPTION_STACK_OVERFLOW    Value: 3221225725
EXCEPTION_GUARD_PAGE    Value: 2147483649
EXCEPTION_INVALID_HANDLE    Value: 3221225480
EXCEPTION_POSSIBLE_DEADLOCK    Value: 3221225876
EXCEPTION_WX86_BREAKPOINT    Value: 1073741855
CONTROL_C_EXIT    Value: 3221225786
DBG_CONTROL_C    Value: 1073807365
MS_VC_EXCEPTION    Value: 1080890248
ACCESS_VIOLATION_TYPE_READ    Value: 0
ACCESS_VIOLATION_TYPE_WRITE    Value: 1
ACCESS_VIOLATION_TYPE_DEP    Value: 8

SLE_ERROR    Value: 1
SLE_MINORERROR    Value: 2
SLE_WARNING    Value: 3
DUPLICATE_CLOSE_SOURCE    Value: 1
DUPLICATE_SAME_ACCESS    Value: 2
FILE_NAME_NORMALIZED    Value: 0
FILE_NAME_OPENED    Value: 8
VOLUME_NAME_DOS    Value: 0
VOLUME_NAME_GUID    Value: 1
VOLUME_NAME_NONE    Value: 4
VOLUME_NAME_NT    Value: 2
PRODUCT_BUSINESS    Value: 6
PRODUCT_BUSINESS_N    Value: 16
PRODUCT_CLUSTER_SERVER    Value: 18
PRODUCT_DATACENTER_SERVER    Value: 8
PRODUCT_DATACENTER_SERVER_CORE    Value: 12
PRODUCT_DATACENTER_SERVER_CORE_V    Value: 39
PRODUCT_DATACENTER_SERVER_V    Value: 37
PRODUCT_ENTERPRISE    Value: 4
PRODUCT_ENTERPRISE_E    Value: 70
PRODUCT_ENTERPRISE_N    Value: 27
PRODUCT_ENTERPRISE_SERVER    Value: 10
PRODUCT_ENTERPRISE_SERVER_CORE    Value: 14
PRODUCT_ENTERPRISE_SERVER_CORE_V    Value: 41
PRODUCT_ENTERPRISE_SERVER_IA64    Value: 15
PRODUCT_ENTERPRISE_SERVER_V    Value: 38

PRODUCT_HOME_BASIC    Value: 2
PRODUCT_HOME_BASIC_E    Value: 67
PRODUCT_HOME_BASIC_N    Value: 5
PRODUCT_HOME_PREMIUM    Value: 3
PRODUCT_HOME_PREMIUM_E    Value: 68
PRODUCT_HOME_PREMIUM_N    Value: 26
PRODUCT_HYPERV    Value: 42
PRODUCT_MEDIUMBUSINESS_SERVER_MANAGEMENT    Value: 30
PRODUCT_MEDIUMBUSINESS_SERVER_MESSAGING    Value: 32
PRODUCT_MEDIUMBUSINESS_SERVER_SECURITY    Value: 31
PRODUCT_PROFESSIONAL    Value: 48
PRODUCT_PROFESSIONAL_E    Value: 69
PRODUCT_PROFESSIONAL_N    Value: 49
PRODUCT_SERVER_FOR_SMALLBUSINESS    Value: 24
PRODUCT_SERVER_FOR_SMALLBUSINESS_V    Value: 35
PRODUCT_SERVER_FOUNDATION    Value: 33
PRODUCT_SMALLBUSINESS_SERVER    Value: 9
PRODUCT_STANDARD_SERVER    Value: 7
PRODUCT_STANDARD_SERVER_CORE    Value: 13
PRODUCT_STANDARD_SERVER_CORE_V    Value: 40

PRODUCT_STANDARD_SERVER_V    Value: 36
PRODUCT_STARTER    Value: 11
PRODUCT_STARTER_E    Value: 66
PRODUCT_STARTER_N    Value: 47
PRODUCT_STORAGE_ENTERPRISE_SERVER    Value: 23
PRODUCT_STORAGE_EXPRESS_SERVER    Value: 20
PRODUCT_STORAGE_STANDARD_SERVER    Value: 21
PRODUCT_STORAGE_WORKGROUP_SERVER    Value: 22
PRODUCT_UNDEFINED    Value: 0
PRODUCT_UNLICENSED    Value: 2882382797
PRODUCT_ULTIMATE    Value: 1
PRODUCT_ULTIMATE_E    Value: 71
PRODUCT_ULTIMATE_N    Value: 28
PRODUCT_WEB_SERVER    Value: 17
PRODUCT_WEB_SERVER_CORE    Value: 29
PROCESS_DEP_ENABLE    Value: 1
PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION    Value: 2
SEM_FAILCRITICALERRORS    Value: 1
SEM_NOGPFAULTERRORBOX    Value: 2
SEM_NOALIGNMENTFAULTEXCEPT    Value: 4
SEM_NOOPENFILEERRORBOX    Value: 2048
HANDLE_FLAG_INHERIT    Value: 1
HANDLE_FLAG_PROTECT_FROM_CLOSE    Value: 2

PROC_THREAD_ATTRIBUTE_NUMBER    Value: 65535
PROC_THREAD_ATTRIBUTE_THREAD    Value: 65536
PROC_THREAD_ATTRIBUTE_INPUT    Value: 131072
PROC_THREAD_ATTRIBUTE_ADDITIVE    Value: 262144
ProcThreadAttributeParentProcess    Value: 0
ProcThreadAttributeExtendedFlags    Value: 1
ProcThreadAttributeHandleList    Value: 2
ProcThreadAttributeGroupAffinity    Value: 3
ProcThreadAttributePreferredNode    Value: 4
ProcThreadAttributeIdealProcessor    Value: 5
ProcThreadAttributeUmsThread    Value: 6
ProcThreadAttributeMitigationPolicy    Value: 7
ProcThreadAttributeMax    Value: 8
PROC_THREAD_ATTRIBUTE_PARENT_PROCESS    Value: 131072
PROC_THREAD_ATTRIBUTE_EXTENDED_FLAGS    Value: 393217
PROC_THREAD_ATTRIBUTE_HANDLE_LIST    Value: 131074
PROC_THREAD_ATTRIBUTE_GROUP_AFFINITY    Value: 196611
PROC_THREAD_ATTRIBUTE_PREFERRED_NODE    Value: 131076
PROC_THREAD_ATTRIBUTE_IDEAL_PROCESSOR    Value: 196613

PROC_THREAD_ATTRIBUTE_UMS_THREAD    Value: 196614
PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY    Value: 131079
PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE    Value: 1
PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE    Value: 2
PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE    Value: 4
FOREGROUND_MASK    Value: 15
BACKGROUND_MASK    Value: 240
COMMON_LVB_MASK    Value: 65280
FOREGROUND_BLACK    Value: 0
FOREGROUND_BLUE    Value: 1
FOREGROUND_GREEN    Value: 2
FOREGROUND_CYAN    Value: 3
FOREGROUND_RED    Value: 4
FOREGROUND_MAGENTA    Value: 5
FOREGROUND_YELLOW    Value: 6
FOREGROUND_GREY    Value: 7
FOREGROUND_INTENSITY    Value: 8
BACKGROUND_BLACK    Value: 0
BACKGROUND_BLUE    Value: 16
BACKGROUND_GREEN    Value: 32
BACKGROUND_CYAN    Value: 48
BACKGROUND_RED    Value: 64
BACKGROUND_MAGENTA    Value: 80
BACKGROUND_YELLOW    Value: 96
BACKGROUND_GREY    Value: 112
BACKGROUND_INTENSITY    Value: 128

COMMON_LVB_LEADING_BYTE    Value: 256
COMMON_LVB_TRAILING_BYTE    Value: 512
COMMON_LVB_GRID_HORIZONTAL    Value: 1024
COMMON_LVB_GRID_LVERTICAL    Value: 2048
COMMON_LVB_GRID_RVERTICAL    Value: 4096
COMMON_LVB_REVERSE_VIDEO    Value: 16384
COMMON_LVB_UNDERSCORE    Value: 32768
TH32CS_SNAPHEAPLIST    Value: 1
TH32CS_SNAPPROCESS    Value: 2
TH32CS_SNAPTHREAD    Value: 4
TH32CS_SNAPMODULE    Value: 8
TH32CS_INHERIT    Value: 2147483648
TH32CS_SNAPALL    Value: 15
GetDllDirectory    Value: GuessStringType(GetDllDirectoryA, GetDllDirectoryW)
SetDllDirectory    Value: GuessStringType(SetDllDirectoryA, SetDllDirectoryW)
LoadLibrary    Value: GuessStringType(LoadLibraryA, LoadLibraryW)
LoadLibraryEx    Value: GuessStringType(LoadLibraryExA, LoadLibraryExW)
GetModuleHandle    Value: GuessStringType(GetModuleHandleA, GetModuleHandleW)
GetProcAddress    Value: GuessStringType(GetProcAddressA, GetProcAddressW)
QueryFullProcessImageName    Value: GuessStringType(QueryFullProcessImageNameA, QueryFullProc...
GetLogicalDriveStrings    Value: GuessStringType(GetLogicalDriveStringsA, GetLogicalDriveS...
QueryDosDevice    Value: GuessStringType(QueryDosDeviceA, QueryDosDeviceW)
OpenFileMapping    Value: GuessStringType(OpenFileMappingA, OpenFileMappingW)

CreateFileMapping    Value: GuessStringType(CreateFileMappingA, CreateFileMappingW)
CreateFile    Value: GuessStringType(CreateFileA, CreateFileW)
SearchPath    Value: GuessStringType(SearchPathA, SearchPathW)
GetFinalPathNameByHandle    Value: GuessStringType(GetFinalPathNameByHandleA, GetFinalPathNa...
GetFullPathName    Value: GuessStringType(GetFullPathNameA, GetFullPathNameW)
GetTempPath    Value: GuessStringType(GetTempPathA, GetTempPathW)
GetTempFileName    Value: GuessStringType(GetTempFileNameA, GetTempFileNameW)
GetCurrentDirectory    Value: GuessStringType(GetCurrentDirectoryA, GetCurrentDirectoryW)
CreateMutex    Value: GuessStringType(CreateMutexA, CreateMutexW)
OpenMutex    Value: GuessStringType(OpenMutexA, OpenMutexW)
CreateEvent    Value: GuessStringType(CreateEventA, CreateEventW)
OpenEvent    Value: GuessStringType(OpenEventA, OpenEventW)
OutputDebugString    Value: GuessStringType(OutputDebugStringA, OutputDebugStringW)
CreateProcess    Value: GuessStringType(CreateProcessA, CreateProcessW)
GlobalAddAtom    Value: GuessStringType(GlobalAddAtomA, GlobalAddAtomW)
GlobalFindAtom    Value: GuessStringType(GlobalFindAtomA, GlobalFindAtomW)
GlobalGetAtomName    Value: GuessStringType(GlobalGetAtomNameA, GlobalGetAtomNameW)
psyco

25 Module winappdbg.win32.ntdll

Wrapper for ntdll.dll in ctypes.

25.1 Classes

CURDIR (Section 351, p. 1076)
PTEB (Section 366, p. 1104)
PEXCEPTION_REGISTRATION_RECORD (Section 52, p. 344)
RTL_ACTIVATION_CONTEXT_STACK_FRAME (Section 369, p. 1107)
PTEB_ACTIVE_FRAME (Section 367, p. 1105)
GDI_TEB_BATCH (Section 353, p. 1078)
Wx86ThreadState (Section 377, p. 1126)
PRTL_CRITICAL_SECTION (Section 363, p. 1101)
PPEBLOCKROUTINE (Section 52, p. 344)
PNTTIB (Section 360, p. 1097)
PPEB_FREE_BLOCK (Section 52, p. 344)
PRTL_USER_PROCESS_PARAMETERS (Section 365, p. 1103)
RTL_CRITICAL_SECTION (Section 370, p. 1109)
EXCEPTION_DISPOSITION (Section 46, p. 338)
TEB_ACTIVE_FRAME_CONTEXT (Section 376, p. 1125)
PTEB_ACTIVE_FRAME_CONTEXT (Section 368, p. 1106)
PEB_FREE_BLOCK (Section 358, p. 1094)
CLIENT_ID (Section 350, p. 1075)
RTL_CRITICAL_SECTION_DEBUG (Section 371, p. 1111)
PPEB (Section 52, p. 344)
RTL_DRIVE_LETTER_CURDIR (Section 372, p. 1113)
TEB_ACTIVE_FRAME (Section 375, p. 1123)
NT_TIB (Section 355, p. 1082)
PPS_POST_PROCESS_INIT_ROUTINE (Section 52, p. 344)
PEB (Section 356, p. 1084)
PRTL_CRITICAL_SECTION_DEBUG (Section 364, p. 1102)
PEB_32 (Section 357, p. 1089)
EXCEPTION_REGISTRATION_RECORD (Section 352, p. 1077)
PPEB_LDR_DATA (Section 361, p. 1098)
PROCESSOR_NUMBER (Section 362, p. 1099)
PEB_LDR_DATA (Section 359, p. 1095)
ACTIVATION_CONTEXT_STACK (Section 349, p. 1073)
PEXCEPTION_DISPOSITION (Section 52, p. 344)
LDR_MODULE (Section 354, p. 1080)
TEB (Section 374, p. 1117)
RTL_USER_PROCESS_PARAMETERS (Section 373, p. 1115)
SYSDBG_COMMAND (Section 46, p. 338)
PROCESSINFOCLASS (Section 46, p. 338)
THREADINFOCLASS (Section 46, p. 338)
FILE_INFORMATION_CLASS (Section 46, p. 338)
PROCESS_BASIC_INFORMATION (Section 346, p. 1068)
THREAD_BASIC_INFORMATION (Section 348, p. 1071)
FILE_NAME_INFORMATION (Section 344, p. 1065)
SYSDBG_MSR (Section 347, p. 1070)
IO_STATUS_BLOCK (Section 345, p. 1066)
PIO_STATUS_BLOCK (Section 153, p. 781)

25.2 Functions

RtlNtStatusToDosError(Status)
NtSystemDebugControl(Command, InputBuffer=None, InputBufferLength=None, OutputBuffer=None, OutputBufferLength=None)
ZwSystemDebugControl(Command, InputBuffer=None, InputBufferLength=None, OutputBuffer=None, OutputBufferLength=None)
NtQueryInformationProcess(ProcessHandle, ProcessInformationClass, ProcessInformationLength=None)
ZwQueryInformationProcess(ProcessHandle, ProcessInformationClass, ProcessInformationLength=None)
NtQueryInformationThread(ThreadHandle, ThreadInformationClass, ThreadInformationLength=None)
ZwQueryInformationThread(ThreadHandle, ThreadInformationClass, ThreadInformationLength=None)
NtQueryInformationFile(FileHandle, FileInformationClass, FileInformation, Length)
ZwQueryInformationFile(FileHandle, FileInformationClass, FileInformation, Length)
CsrGetProcessId()

25.3 Variables

Name    Description
FLG_HEAP_VALIDATE_PARAMETERS    Value: 64
ImageUsesLargePages    Value: 1
FLG_HEAP_ENABLE_TAIL_CHECK    Value: 16
FLG_ENABLE_HANDLE_TYPE_TAGGING    Value: 16777216
DbgSafeThunkCall    Value: 1
RtlDisableUserStackWalk    Value: 256
FLG_HEAP_PAGE_ALLOCS    Value: 33554432
FLG_HEAP_ENABLE_CALL_TRACING    Value: 1048576
FLG_POOL_ENABLE_TAIL_CHECK    Value: 256
FLG_DISABLE_PAGE_KERNEL_STACKS    Value: 524288
DbgSuppressDebugMsg    Value: 128
ProcessUsingVEH    Value: 4
FLG_DEBUG_INITIAL_COMMAND    Value: 4
ProcessUsingFTH    Value: 16
IsImageDynamicallyRelocated    Value: 8
FLG_ENABLE_DBGPRINT_BUFFERING    Value: 134217728
DbgWerInShipAssertCode    Value: 16
FLG_EARLY_CRITICAL_SECTION_EVT    Value: 268435456
FLG_ENABLE_EXCEPTION_LOGGING    Value: 8388608
IsLegacyProcess    Value: 4
FLG_VALID_BITS    Value: 4194303
FLG_POOL_ENABLE_TAGGING    Value: 1024
ProcessUsingVCH    Value: 8
WinFuncHook
FLG_DISABLE_DLL_VERIFICATION    Value: 2147483648
DbgClonedThread    Value: 64

FLG_HEAP_ENABLE_FREE_CHECK    Value: 32
FLG_USER_STACK_TRACE_DB    Value: 4096
DbgInDebugPrint    Value: 2
WinCallHook
FLG_HEAP_ENABLE_TAGGING    Value: 2048
FLG_MAINTAIN_OBJECT_TYPELIST    Value: 16384
RtlExceptionAttached    Value: 512
ProcessInitializing    Value: 2
FLG_SHOW_LDR_SNAPS    Value: 2
FLG_HEAP_ENABLE_TAG_BY_DLL    Value: 32768
DbgRanProcessInit    Value: 32
RtlInitialThread    Value: 1024
FLG_STOP_ON_HUNG_GUI    Value: 8
FLG_KERNEL_STACK_TRACE_DB    Value: 8192
FLG_ENABLE_CLOSE_EXCEPTION    Value: 4194304
HeapTracingEnabled    Value: 1
FLG_STOP_ON_EXCEPTION    Value: 1
CritSecTracingEnabled    Value: 2
FLG_POOL_ENABLE_FREE_CHECK    Value: 512
SkipPatchingUser32Forwarders    Value: 16
DbgSkipThreadAttach    Value: 8
DbgHasFiberData    Value: 4
os
FLG_DEBUG_WINLOGON    Value: 67108864
FLG_ENABLE_CSRDEBUG    Value: 131072
FLG_ENABLE_KDEBUG_SYMBOL_LOAD    Value: 262144
FLG_HEAP_DISABLE_COALESCING    Value: 2097152

FLG_HEAP_VALIDATE_ALL    Value: 128
WinDllHook
IsProtectedProcess    Value: 2
ProcessInJob    Value: 1
FLG_IGNORE_DEBUG_PRIV    Value: 65536
MEM_EXECUTE_OPTION_ENABLE    Value: 1
MEM_EXECUTE_OPTION_DISABLE    Value: 2
MEM_EXECUTE_OPTION_ATL7_THUNK_EMULATION    Value: 4
MEM_EXECUTE_OPTION_PERMANENT    Value: 8
SystemBasicInformation    Value: 1
SystemProcessorInformation    Value: 2
SystemPerformanceInformation    Value: 3
SystemTimeInformation    Value: 4
SystemPathInformation    Value: 5
SystemProcessInformation    Value: 6
SystemCallInformation    Value: 7
SystemConfigurationInformation    Value: 8
SystemProcessorCounters    Value: 9
SystemGlobalFlag    Value: 10
SystemInfo10    Value: 11
SystemModuleInformation    Value: 12
SystemLockInformation    Value: 13
SystemInfo13    Value: 14
SystemPagedPoolInformation    Value: 15
SystemNonPagedPoolInformation    Value: 16
SystemHandleInformation    Value: 17
SystemObjectInformation    Value: 18
SystemPagefileInformation    Value: 19

SystemInstemulInformation    Value: 20
SystemInfo20    Value: 21
SystemCacheInformation    Value: 22
SystemPoolTagInformation    Value: 23
SystemProcessorStatistics    Value: 24
SystemDpcInformation    Value: 25
SystemMemoryUsageInformation1    Value: 26
SystemLoadImage    Value: 27
SystemUnloadImage    Value: 28
SystemTimeAdjustmentInformation    Value: 29
SystemMemoryUsageInformation2    Value: 30
SystemInfo30    Value: 31
SystemInfo31    Value: 32
SystemCrashDumpInformation    Value: 33
SystemExceptionInformation    Value: 34
SystemCrashDumpStateInformation    Value: 35
SystemDebuggerInformation    Value: 36
SystemThreadSwitchInformation    Value: 37
SystemRegistryQuotaInformation    Value: 38
SystemLoadDriver    Value: 39
SystemPrioritySeparationInformation    Value: 40
SystemInfo40    Value: 41
SystemInfo41    Value: 42
SystemInfo42    Value: 43
SystemInfo43    Value: 44
SystemTimeZoneInformation    Value: 45
SystemLookasideInformation    Value: 46
SystemSetTimeSlipEvent    Value: 47

SystemCreateSession    Value: 48
SystemDeleteSession    Value: 49
SystemInfo49    Value: 50
SystemRangeStartInformation    Value: 51
SystemVerifierInformation    Value: 52
SystemAddVerifier    Value: 53
SystemSessionProcessesInformation    Value: 54
ProcessBasicInformation    Value: 0
ProcessQuotaLimits    Value: 1
ProcessIoCounters    Value: 2
ProcessVmCounters    Value: 3
ProcessTimes    Value: 4
ProcessBasePriority    Value: 5
ProcessRaisePriority    Value: 6
ProcessDebugPort    Value: 7
ProcessExceptionPort    Value: 8
ProcessAccessToken    Value: 9
ProcessLdtInformation    Value: 10
ProcessLdtSize    Value: 11
ProcessDefaultHardErrorMode    Value: 12
ProcessIoPortHandlers    Value: 13
ProcessPooledUsageAndLimits    Value: 14
ProcessWorkingSetWatch    Value: 15
ProcessUserModeIOPL    Value: 16
ProcessEnableAlignmentFaultFixup    Value: 17
ProcessPriorityClass    Value: 18
ProcessWx86Information    Value: 19
ProcessHandleCount    Value: 20
ProcessAffinityMask    Value: 21
ProcessPriorityBoost    Value: 22
ProcessWow64Information    Value: 26
ProcessImageFileName    Value: 27
ProcessDebugObjectHandle    Value: 30
ProcessExecuteFlags    Value: 34
ThreadBasicInformation    Value: 0

ThreadTimes    Value: 1
ThreadPriority    Value: 2
ThreadBasePriority    Value: 3
ThreadAffinityMask    Value: 4
ThreadImpersonationToken    Value: 5
ThreadDescriptorTableEntry    Value: 6
ThreadEnableAlignmentFaultFixup    Value: 7
ThreadEventPair    Value: 8
ThreadQuerySetWin32StartAddress    Value: 9
ThreadZeroTlsCell    Value: 10
ThreadPerformanceCount    Value: 11
ThreadAmILastThread    Value: 12
ThreadIdealProcessor    Value: 13
ThreadPriorityBoost    Value: 14
ThreadSetTlsArrayAddress    Value: 15
ThreadIsIoPending    Value: 16
ThreadHideFromDebugger    Value: 17
ObjectBasicInformation    Value: 0
ObjectNameInformation    Value: 1
ObjectTypeInformation    Value: 2
ObjectAllTypesInformation    Value: 3
ObjectHandleInformation    Value: 4
FileDirectoryInformation    Value: 1
FileFullDirectoryInformation    Value: 2
FileBothDirectoryInformation    Value: 3
FileBasicInformation    Value: 4
FileStandardInformation    Value: 5
FileInternalInformation    Value: 6
FileEaInformation    Value: 7
FileAccessInformation    Value: 8
FileNameInformation    Value: 9
FileRenameInformation    Value: 10
FileLinkInformation    Value: 11

FileNamesInformation    Value: 12
FileDispositionInformation    Value: 13
FilePositionInformation    Value: 14
FileFullEaInformation    Value: 15
FileModeInformation    Value: 16
FileAlignmentInformation    Value: 17
FileAllInformation    Value: 18
FileAllocationInformation    Value: 19
FileEndOfFileInformation    Value: 20
FileAlternateNameInformation    Value: 21
FileStreamInformation    Value: 22
FilePipeInformation    Value: 23
FilePipeLocalInformation    Value: 24
FilePipeRemoteInformation    Value: 25
FileMailslotQueryInformation    Value: 26
FileMailslotSetInformation    Value: 27
FileCompressionInformation    Value: 28
FileCopyOnWriteInformation    Value: 29
FileCompletionInformation    Value: 30
FileMoveClusterInformation    Value: 31
FileQuotaInformation    Value: 32
FileReparsePointInformation    Value: 33
FileNetworkOpenInformation    Value: 34
FileObjectIdInformation    Value: 35
FileTrackingInformation    Value: 36
FileOleDirectoryInformation    Value: 37
FileContentIndexInformation    Value: 38
FileInheritContentIndexInformation    Value: 37

FileOleInformation    Value: 39
FileMaximumInformation    Value: 40
ExceptionContinueExecution    Value: 0
ExceptionContinueSearch    Value: 1
ExceptionNestedException    Value: 2
ExceptionCollidedUnwind    Value: 3
SysDbgReadMsr    Value: 16
SysDbgWriteMsr    Value: 17

26 Module winappdbg.win32.peb_teb

PEB and TEB structures, constants and data types.

26.1 Classes

CLIENT_ID (Section 350, p. 1075)
RTL_USER_PROCESS_PARAMETERS (Section 373, p. 1115)
PPS_POST_PROCESS_INIT_ROUTINE (Section 52, p. 344)
LDR_MODULE (Section 354, p. 1080)
PEB_LDR_DATA (Section 359, p. 1095)
PEB_FREE_BLOCK (Section 358, p. 1094)
PPEB_FREE_BLOCK (Section 52, p. 344)
RTL_DRIVE_LETTER_CURDIR (Section 372, p. 1113)
CURDIR (Section 351, p. 1076)
RTL_CRITICAL_SECTION (Section 370, p. 1109)
RTL_CRITICAL_SECTION_DEBUG (Section 371, p. 1111)
PRTL_CRITICAL_SECTION (Section 363, p. 1101)
PRTL_CRITICAL_SECTION_DEBUG (Section 364, p. 1102)
PPEB_LDR_DATA (Section 361, p. 1098)
PRTL_USER_PROCESS_PARAMETERS (Section 365, p. 1103)
PPEBLOCKROUTINE (Section 52, p. 344)
PEB (Section 356, p. 1084)
PEB_32 (Section 357, p. 1089)
Wx86ThreadState (Section 377, p. 1126)
RTL_ACTIVATION_CONTEXT_STACK_FRAME (Section 369, p. 1107)
ACTIVATION_CONTEXT_STACK (Section 349, p. 1073)
PROCESSOR_NUMBER (Section 362, p. 1099)
NT_TIB (Section 355, p. 1082)
PNTTIB (Section 360, p. 1097)
EXCEPTION_REGISTRATION_RECORD (Section 352, p. 1077)
EXCEPTION_DISPOSITION (Section 46, p. 338)
PEXCEPTION_DISPOSITION (Section 52, p. 344)
PEXCEPTION_REGISTRATION_RECORD (Section 52, p. 344)
PPEB (Section 52, p. 344)
GDI_TEB_BATCH (Section 353, p. 1078)
TEB_ACTIVE_FRAME_CONTEXT (Section 376, p. 1125)
PTEB_ACTIVE_FRAME_CONTEXT (Section 368, p. 1106)
TEB_ACTIVE_FRAME (Section 375, p. 1123)
PTEB_ACTIVE_FRAME (Section 367, p. 1105)
TEB (Section 374, p. 1117)
PTEB (Section 366, p. 1104)

26.2 Variables

Name    Description
WinCallHook
WinFuncHook
WinDllHook
ImageUsesLargePages    Value: 1
IsProtectedProcess    Value: 2
IsLegacyProcess    Value: 4
IsImageDynamicallyRelocated    Value: 8
SkipPatchingUser32Forwarders    Value: 16
ProcessInJob    Value: 1
ProcessInitializing    Value: 2
ProcessUsingVEH    Value: 4
ProcessUsingVCH    Value: 8
ProcessUsingFTH    Value: 16
HeapTracingEnabled    Value: 1
CritSecTracingEnabled    Value: 2
FLG_VALID_BITS    Value: 4194303
FLG_STOP_ON_EXCEPTION    Value: 1
FLG_SHOW_LDR_SNAPS    Value: 2
FLG_DEBUG_INITIAL_COMMAND    Value: 4
FLG_STOP_ON_HUNG_GUI    Value: 8
FLG_HEAP_ENABLE_TAIL_CHECK    Value: 16
FLG_HEAP_ENABLE_FREE_CHECK    Value: 32
FLG_HEAP_VALIDATE_PARAMETERS    Value: 64
FLG_HEAP_VALIDATE_ALL    Value: 128
FLG_POOL_ENABLE_TAIL_CHECK    Value: 256
FLG_POOL_ENABLE_FREE_CHECK    Value: 512
FLG_POOL_ENABLE_TAGGING    Value: 1024

FLG_HEAP_ENABLE_TAGGING    Value: 2048
FLG_USER_STACK_TRACE_DB    Value: 4096
FLG_KERNEL_STACK_TRACE_DB    Value: 8192
FLG_MAINTAIN_OBJECT_TYPELIST    Value: 16384
FLG_HEAP_ENABLE_TAG_BY_DLL    Value: 32768
FLG_IGNORE_DEBUG_PRIV    Value: 65536
FLG_ENABLE_CSRDEBUG    Value: 131072
FLG_ENABLE_KDEBUG_SYMBOL_LOAD    Value: 262144
FLG_DISABLE_PAGE_KERNEL_STACKS    Value: 524288
FLG_HEAP_ENABLE_CALL_TRACING    Value: 1048576
FLG_HEAP_DISABLE_COALESCING    Value: 2097152
FLG_ENABLE_CLOSE_EXCEPTION    Value: 4194304
FLG_ENABLE_EXCEPTION_LOGGING    Value: 8388608
FLG_ENABLE_HANDLE_TYPE_TAGGING    Value: 16777216
FLG_HEAP_PAGE_ALLOCS    Value: 33554432
FLG_DEBUG_WINLOGON    Value: 67108864
FLG_ENABLE_DBGPRINT_BUFFERING    Value: 134217728
FLG_EARLY_CRITICAL_SECTION_EVT    Value: 268435456
FLG_DISABLE_DLL_VERIFICATION    Value: 2147483648
DbgSafeThunkCall    Value: 1
DbgInDebugPrint    Value: 2
DbgHasFiberData    Value: 4
DbgSkipThreadAttach    Value: 8

DbgWerInShipAssertCode    Value: 16
DbgRanProcessInit    Value: 32
DbgClonedThread    Value: 64
DbgSuppressDebugMsg    Value: 128
RtlDisableUserStackWalk    Value: 256
RtlExceptionAttached    Value: 512
RtlInitialThread    Value: 1024

27 Module winappdbg.win32.psapi

Wrapper for psapi.dll in ctypes.

27.1 Classes

MODULEINFO (Section 378, p. 1128)
LPMODULEINFO (Section 135, p. 763)

27.2 Functions

EnumDeviceDrivers()
EnumProcesses()
EnumProcessModules(hProcess)
EnumProcessModulesEx(hProcess, dwFilterFlag=0)
GetDeviceDriverBaseNameA(ImageBase)
GetDeviceDriverBaseNameW(ImageBase)
GetDeviceDriverFileNameA(ImageBase)
GetDeviceDriverFileNameW(ImageBase)
GetMappedFileNameA(hProcess, lpv)
GetMappedFileNameW(hProcess, lpv)
GetModuleFileNameExA(hProcess, hModule=None)
GetModuleFileNameExW(hProcess, hModule=None)
GetModuleInformation(hProcess, hModule, lpmodinfo=None)
GetProcessImageFileNameA(hProcess)
GetProcessImageFileNameW(hProcess)

27.3 Variables

Name    Description
WinCallHook
WinFuncHook
WinDllHook
LIST_MODULES_DEFAULT    Value: 0
LIST_MODULES_32BIT    Value: 1
LIST_MODULES_64BIT    Value: 2
LIST_MODULES_ALL    Value: 3
GetDeviceDriverBaseName    Value: GuessStringType(GetDeviceDriverBaseNameA, GetDeviceDriver...
GetDeviceDriverFileName    Value: GuessStringType(GetDeviceDriverFileNameA, GetDeviceDriver...
GetMappedFileName    Value: GuessStringType(GetMappedFileNameA, GetMappedFileNameW)
GetModuleFileNameEx    Value: GuessStringType(GetModuleFileNameExA, GetModuleFileNameExW)
GetProcessImageFileName    Value: GuessStringType(GetProcessImageFileNameA, GetProcessImage...

282

28 Module winappdbg.win32.shell32

Wrapper for shell32.dll in ctypes.

28.1 Classes

SHELLEXECUTEINFO (Section 380, p. 1131)
LPSHELLEXECUTEINFO (Section 379, p. 1130)

28.2 Functions

CommandLineToArgvW(lpCmdLine)
CommandLineToArgvA(lpCmdLine)
ShellExecuteA(hwnd=None, lpOperation=None, lpFile=None, lpParameters=None, lpDirectory=None, nShowCmd=None)
ShellExecuteW(hwnd=None, lpOperation=None, lpFile=None, lpParameters=None, lpDirectory=None, nShowCmd=None)
ShellExecuteEx(lpExecInfo)
ShellExecuteExA(lpExecInfo)
ShellExecuteExW(lpExecInfo)
FindExecutableA(lpFile, lpDirectory=None)
FindExecutableW(lpFile, lpDirectory=None)
SHGetFolderPathA(nFolder, hToken=None, dwFlags=0)
SHGetFolderPathW(nFolder, hToken=None, dwFlags=0)
IsUserAnAdmin()

28.3 Variables

Name                                Description
WinCallHook
WinFuncHook
WinDllHook
SEE_MASK_DEFAULT                    Value: 0
SEE_MASK_CLASSNAME                  Value: 1
SEE_MASK_CLASSKEY                   Value: 3
SEE_MASK_IDLIST                     Value: 4
SEE_MASK_INVOKEIDLIST               Value: 12
SEE_MASK_ICON                       Value: 16
SEE_MASK_HOTKEY                     Value: 32
SEE_MASK_NOCLOSEPROCESS             Value: 64
SEE_MASK_CONNECTNETDRV              Value: 128
SEE_MASK_NOASYNC                    Value: 256
SEE_MASK_DOENVSUBST                 Value: 512
SEE_MASK_FLAG_NO_UI                 Value: 1024
SEE_MASK_UNICODE                    Value: 16384
SEE_MASK_NO_CONSOLE                 Value: 32768
SEE_MASK_ASYNCOK                    Value: 1048576
SEE_MASK_HMONITOR                   Value: 2097152
SEE_MASK_NOZONECHECKS               Value: 8388608
SEE_MASK_WAITFORINPUTIDLE           Value: 33554432
SEE_MASK_FLAG_LOG_USAGE             Value: 67108864
SE_ERR_FNF                          Value: 2
SE_ERR_PNF                          Value: 3
SE_ERR_ACCESSDENIED                 Value: 5
SE_ERR_OOM                          Value: 8
SE_ERR_DLLNOTFOUND                  Value: 32
SE_ERR_SHARE                        Value: 26
SE_ERR_ASSOCINCOMPLETE              Value: 27
SE_ERR_DDETIMEOUT                   Value: 28
SE_ERR_DDEFAIL                      Value: 29
SE_ERR_DDEBUSY                      Value: 30
SE_ERR_NOASSOC                      Value: 31
SHGFP_TYPE_CURRENT                  Value: 0
SHGFP_TYPE_DEFAULT                  Value: 1
CSIDL_DESKTOP                       Value: 0
CSIDL_INTERNET                      Value: 1
CSIDL_PROGRAMS                      Value: 2
CSIDL_CONTROLS                      Value: 3
CSIDL_PRINTERS                      Value: 4
CSIDL_PERSONAL                      Value: 5
CSIDL_FAVORITES                     Value: 6
CSIDL_STARTUP                       Value: 7
CSIDL_RECENT                        Value: 8
CSIDL_SENDTO                        Value: 9
CSIDL_BITBUCKET                     Value: 10
CSIDL_STARTMENU                     Value: 11
CSIDL_MYDOCUMENTS                   Value: 5
CSIDL_MYMUSIC                       Value: 13
CSIDL_MYVIDEO                       Value: 14
CSIDL_DESKTOPDIRECTORY              Value: 16
CSIDL_DRIVES                        Value: 17
CSIDL_NETWORK                       Value: 18
CSIDL_NETHOOD                       Value: 19
CSIDL_FONTS                         Value: 20
CSIDL_TEMPLATES                     Value: 21
CSIDL_COMMON_STARTMENU              Value: 22
CSIDL_COMMON_PROGRAMS               Value: 23
CSIDL_COMMON_STARTUP                Value: 24
CSIDL_COMMON_DESKTOPDIRECTORY       Value: 25
CSIDL_APPDATA                       Value: 26
CSIDL_PRINTHOOD                     Value: 27
CSIDL_LOCAL_APPDATA                 Value: 28
CSIDL_ALTSTARTUP                    Value: 29
CSIDL_COMMON_ALTSTARTUP             Value: 30
CSIDL_COMMON_FAVORITES              Value: 31
CSIDL_INTERNET_CACHE                Value: 32
CSIDL_COOKIES                       Value: 33
CSIDL_HISTORY                       Value: 34
CSIDL_COMMON_APPDATA                Value: 35
CSIDL_WINDOWS                       Value: 36
CSIDL_SYSTEM                        Value: 37
CSIDL_PROGRAM_FILES                 Value: 38
CSIDL_MYPICTURES                    Value: 39
CSIDL_PROFILE                       Value: 40
CSIDL_SYSTEMX86                     Value: 41
CSIDL_PROGRAM_FILESX86              Value: 42
CSIDL_PROGRAM_FILES_COMMON          Value: 43
CSIDL_PROGRAM_FILES_COMMONX86       Value: 44
CSIDL_COMMON_TEMPLATES              Value: 45
CSIDL_COMMON_DOCUMENTS              Value: 46
CSIDL_COMMON_ADMINTOOLS             Value: 47
CSIDL_ADMINTOOLS                    Value: 48
CSIDL_CONNECTIONS                   Value: 49
CSIDL_COMMON_MUSIC                  Value: 53
CSIDL_COMMON_PICTURES               Value: 54
CSIDL_COMMON_VIDEO                  Value: 55
CSIDL_RESOURCES                     Value: 56
CSIDL_RESOURCES_LOCALIZED           Value: 57
CSIDL_COMMON_OEM_LINKS              Value: 58
CSIDL_CDBURN_AREA                   Value: 59
CSIDL_COMPUTERSNEARME               Value: 61
CSIDL_PROFILES                      Value: 62
CSIDL_FOLDER_MASK                   Value: 255
CSIDL_FLAG_PER_USER_INIT            Value: 2048
CSIDL_FLAG_NO_ALIAS                 Value: 4096
CSIDL_FLAG_DONT_VERIFY              Value: 16384
CSIDL_FLAG_CREATE                   Value: 32768
CSIDL_FLAG_MASK                     Value: 65280
CommandLineToArgv                   Value: GuessStringType(CommandLineToArgvA, CommandLineToArgvW)
ShellExecute                        Value: GuessStringType(ShellExecuteA, ShellExecuteW)
FindExecutable                      Value: GuessStringType(FindExecutableA, FindExecutableW)
SHGetFolderPath                     Value: DefaultStringType(SHGetFolderPathA, SHGetFolderPathW)

29 Module winappdbg.win32.shlwapi

Wrapper for shlwapi.dll in ctypes.

29.1 Functions

IsOS(dwOS)
PathAddBackslashA(lpszPath)
PathAddBackslashW(lpszPath)
PathAddExtensionA(lpszPath, pszExtension=None)
PathAddExtensionW(lpszPath, pszExtension=None)
PathAppendA(lpszPath, pszMore=None)
PathAppendW(lpszPath, pszMore=None)
PathCombineA(lpszDir, lpszFile)
PathCombineW(lpszDir, lpszFile)
PathCanonicalizeA(lpszSrc)
PathCanonicalizeW(lpszSrc)
PathRelativePathToA(pszFrom=None, dwAttrFrom=16, pszTo=None, dwAttrTo=16)
PathRelativePathToW(pszFrom=None, dwAttrFrom=16, pszTo=None, dwAttrTo=16)
PathFileExistsA(pszPath)
PathFileExistsW(pszPath)
PathFindExtensionA(pszPath)
PathFindExtensionW(pszPath)
PathFindFileNameA(pszPath)
PathFindFileNameW(pszPath)
PathFindNextComponentA(pszPath)
PathFindNextComponentW(pszPath)
PathFindOnPathA(pszFile, ppszOtherDirs=None)
PathFindOnPathW(pszFile, ppszOtherDirs=None)
PathGetArgsA(pszPath)
PathGetArgsW(pszPath)
PathIsContentTypeA(pszPath, pszContentType)
PathIsContentTypeW(pszPath, pszContentType)
PathIsDirectoryA(pszPath)
PathIsDirectoryW(pszPath)
PathIsDirectoryEmptyA(pszPath)
PathIsDirectoryEmptyW(pszPath)
PathIsNetworkPathA(pszPath)
PathIsNetworkPathW(pszPath)
PathIsRelativeA(pszPath)
PathIsRelativeW(pszPath)
PathIsRootA(pszPath)
PathIsRootW(pszPath)
PathIsSameRootA(pszPath1, pszPath2)
PathIsSameRootW(pszPath1, pszPath2)
PathIsUNCA(pszPath)
PathIsUNCW(pszPath)
PathMakePrettyA(pszPath)
PathMakePrettyW(pszPath)
PathRemoveArgsA(pszPath)
PathRemoveArgsW(pszPath)
PathRemoveBackslashA(pszPath)
PathRemoveBackslashW(pszPath)
PathRemoveExtensionA(pszPath)
PathRemoveExtensionW(pszPath)
PathRemoveFileSpecA(pszPath)
PathRemoveFileSpecW(pszPath)
PathRenameExtensionA(pszPath, pszExt)
PathRenameExtensionW(pszPath, pszExt)
PathUnExpandEnvStringsA(pszPath)
PathUnExpandEnvStringsW(pszPath)

29.2 Variables

Name                                Description
LDT_ENTRY_HIGHWORD
WOW64_CS32
CONTEXT_EXCEPTIONREQUEST
CONTEXT_EXCEPTIONACTIVE
WOW64_CONTEXT_EXTENDED_REGISTERS
Wow64GetThreadContext
WOW64_CONTEXT_i386
WOW64_CONTEXT_INTEGER
WOW64_CONTEXT_CONTROL
LPXMM_SAVE_AREA32
Wow64GetThreadSelectorEntry
PWOW64_FLOATING_SAVE_AREA
WOW64_CONTEXT
WOW64_CONTEXT_FLOATING_POINT
PXMM_SAVE_AREA32
context_i386
CONTEXT_MMX_REGISTERS
CONTEXT_SERVICE_ACTIVE
WOW64_CONTEXT_i486
WinFuncHook
WOW64_LDT_ENTRY
warnings
INITIAL_FPCSR
LDT_ENTRY_BITS
WOW64_FLOATING_SAVE_AREA
WOW64_MAXIMUM_SUPPORTED_EXTENSION
LEGACY_SAVE_AREA_LENGTH
DEBUG_EVENT_UNION
LDT_ENTRY_BYTES
WOW64_CONTEXT_SEGMENTS
PWOW64_CONTEXT
WOW64_CONTEXT_DEBUG_REGISTERS
WinCallHook
WOW64_CONTEXT_ALL
CONTEXT_EXCEPTIONREPORTING
XMM_SAVE_AREA32
psyco
context_amd64
Wow64ResumeThread
WOW64_CONTEXT_FULL
Wow64SetThreadContext
WOW64_SIZE_OF_80387_REGISTERS
CONTEXT_AMD64
INITIAL_MXCSR
PWOW64_LDT_ENTRY
WinDllHook
OS_WINDOWS                          Value: 0
OS_WIN95ORGREATER                   Value: 2
OS_NT4ORGREATER                     Value: 3
OS_WIN98ORGREATER                   Value: 5
OS_WIN98_GOLD                       Value: 6
OS_WIN2000ORGREATER                 Value: 7
OS_WIN2000PRO                       Value: 8
OS_WIN2000SERVER                    Value: 9
OS_WIN2000ADVSERVER                 Value: 10
OS_WIN2000DATACENTER                Value: 11
OS_WIN2000TERMINAL                  Value: 12
OS_EMBEDDED                         Value: 13
OS_TERMINALCLIENT                   Value: 14
OS_TERMINALREMOTEADMIN              Value: 15
OS_WIN95_GOLD                       Value: 16
OS_MEORGREATER                      Value: 17
OS_XPORGREATER                      Value: 18
OS_HOME                             Value: 19
OS_PROFESSIONAL                     Value: 20
OS_DATACENTER                       Value: 21
OS_ADVSERVER                        Value: 22
OS_SERVER                           Value: 23
OS_TERMINALSERVER                   Value: 24
OS_PERSONALTERMINALSERVER           Value: 25
OS_FASTUSERSWITCHING                Value: 26
OS_WELCOMELOGONUI                   Value: 27
OS_DOMAINMEMBER                     Value: 28
OS_ANYSERVER                        Value: 29
OS_WOW6432                          Value: 30
OS_WEBSERVER                        Value: 31
OS_SMALLBUSINESSSERVER              Value: 32
OS_TABLETPC                         Value: 33
OS_SERVERADMINUI                    Value: 34
OS_MEDIACENTER                      Value: 35
OS_APPLIANCE                        Value: 36
PathAddBackslash                    Value: GuessStringType(PathAddBackslashA, PathAddBackslashW)
PathAddExtension                    Value: GuessStringType(PathAddExtensionA, PathAddExtensionW)
PathAppend                          Value: GuessStringType(PathAppendA, PathAppendW)
PathCombine                         Value: GuessStringType(PathCombineA, PathCombineW)
PathCanonicalize                    Value: GuessStringType(PathCanonicalizeA, PathCanonicalizeW)
PathRelativePathTo                  Value: GuessStringType(PathRelativePathToA, PathRelativePathToW)
PathFileExists                      Value: GuessStringType(PathFileExistsA, PathFileExistsW)
PathFindExtension                   Value: GuessStringType(PathFindExtensionA, PathFindExtensionW)
PathFindFileName                    Value: GuessStringType(PathFindFileNameA, PathFindFileNameW)
PathFindNextComponent               Value: GuessStringType(PathFindNextComponentA, PathFindNextCompo...)
PathFindOnPath                      Value: GuessStringType(PathFindOnPathA, PathFindOnPathW)
PathGetArgs                         Value: GuessStringType(PathGetArgsA, PathGetArgsW)
PathIsContentType                   Value: GuessStringType(PathIsContentTypeA, PathIsContentTypeW)
PathIsDirectory                     Value: GuessStringType(PathIsDirectoryA, PathIsDirectoryW)
PathIsDirectoryEmpty                Value: GuessStringType(PathIsDirectoryEmptyA, PathIsDirectoryEmp...)
PathIsNetworkPath                   Value: GuessStringType(PathIsNetworkPathA, PathIsNetworkPathW)
PathIsRelative                      Value: GuessStringType(PathIsRelativeA, PathIsRelativeW)
PathIsRoot                          Value: GuessStringType(PathIsRootA, PathIsRootW)
PathIsSameRoot                      Value: GuessStringType(PathIsSameRootA, PathIsSameRootW)
PathIsUNC                           Value: GuessStringType(PathIsUNCA, PathIsUNCW)
PathMakePretty                      Value: GuessStringType(PathMakePrettyA, PathMakePrettyW)
PathRemoveArgs                      Value: GuessStringType(PathRemoveArgsA, PathRemoveArgsW)
PathRemoveBackslash                 Value: GuessStringType(PathRemoveBackslashA, PathRemoveBackslashW)
PathRemoveExtension                 Value: GuessStringType(PathRemoveExtensionA, PathRemoveExtensionW)
PathRemoveFileSpec                  Value: GuessStringType(PathRemoveFileSpecA, PathRemoveFileSpecW)
PathRenameExtension                 Value: GuessStringType(PathRenameExtensionA, PathRenameExtensionW)
PathUnExpandEnvStrings              Value: GuessStringType(PathUnExpandEnvStringsA, PathUnExpandEnvS...)

30 Module winappdbg.win32.user32

Wrapper for user32.dll in ctypes.

30.1 Classes

WNDENUMPROC (Section 179, p. 807)
WINDOWPLACEMENT (Section ??, p. ??)
PWINDOWPLACEMENT (Section 382, p. 1135)
LPWINDOWPLACEMENT (Section 382, p. 1135)
GUITHREADINFO (Section 381, p. 1133)
PGUITHREADINFO (Section 146, p. 774)
LPGUITHREADINFO (Section 146, p. 774)
Point: Python wrapper over the POINT class. (Section 383, p. 1136)
Rect: Python wrapper over the RECT class. (Section 384, p. 1139)
WindowPlacement: Python wrapper over the WINDOWPLACEMENT class. (Section 386, p. 1143)

30.2 Functions

MAKE_WPARAM(wParam)
    Convert arguments to the WPARAM type. Used automatically by SendMessage, PostMessage, etc. You shouldn't need to call this function.
MAKE_LPARAM(lParam)
    Convert arguments to the LPARAM type. Used automatically by SendMessage, PostMessage, etc. You shouldn't need to call this function.
SetLastErrorEx(dwErrCode, dwType=0)
FindWindowA(lpClassName=None, lpWindowName=None)
FindWindowW(lpClassName=None, lpWindowName=None)
FindWindowExA(hwndParent=None, hwndChildAfter=None, lpClassName=None, lpWindowName=None)
FindWindowExW(hwndParent=None, hwndChildAfter=None, lpClassName=None, lpWindowName=None)
GetClassNameA(hWnd)
GetClassNameW(hWnd)
GetWindowTextA(hWnd)
GetWindowTextW(hWnd)
SetWindowTextA(hWnd, lpString=None)
SetWindowTextW(hWnd, lpString=None)
GetWindowLongA(hWnd, nIndex=0)
GetWindowLongW(hWnd, nIndex=0)
GetWindowLongPtrA(hWnd, nIndex=0)
GetWindowLongPtrW(hWnd, nIndex=0)
SetWindowLongA(hWnd, nIndex, dwNewLong)
SetWindowLongW(hWnd, nIndex, dwNewLong)
SetWindowLongPtrA(hWnd, nIndex, dwNewLong)
SetWindowLongPtrW(hWnd, nIndex, dwNewLong)
GetShellWindow()
GetWindowThreadProcessId(hWnd)
GetWindow(hWnd, uCmd)
GetParent(hWnd)
GetAncestor(hWnd, gaFlags=1)
EnableWindow(hWnd, bEnable=True)
ShowWindow(hWnd, nCmdShow=5)
ShowWindowAsync(hWnd, nCmdShow=5)
GetDesktopWindow()
GetForegroundWindow()
IsWindow(hWnd)
IsWindowVisible(hWnd)
IsWindowEnabled(hWnd)
IsZoomed(hWnd)
IsIconic(hWnd)
IsChild(hWnd)
WindowFromPoint(point)
ChildWindowFromPoint(hWndParent, point)
RealChildWindowFromPoint(hWndParent, ptParentClientCoords)
ScreenToClient(hWnd, lpPoint)
ClientToScreen(hWnd, lpPoint)
MapWindowPoints(hWndFrom, hWndTo, lpPoints)
SetForegroundWindow(hWnd)
GetWindowPlacement(hWnd)
SetWindowPlacement(hWnd, lpwndpl)
GetWindowRect(hWnd)
GetClientRect(hWnd)
MoveWindow(hWnd, X, Y, nWidth, nHeight, bRepaint=True)
GetGUIThreadInfo(idThread)
EnumWindows()
EnumThreadWindows(dwThreadId)
EnumChildWindows(hWndParent=None)
SendMessageA(hWnd, Msg, wParam=0, lParam=0)
SendMessageW(hWnd, Msg, wParam=0, lParam=0)
PostMessageA(hWnd, Msg, wParam=0, lParam=0)
PostMessageW(hWnd, Msg, wParam=0, lParam=0)
PostThreadMessageA(idThread, Msg, wParam=0, lParam=0)
PostThreadMessageW(idThread, Msg, wParam=0, lParam=0)
SendMessageTimeoutA(hWnd, Msg, wParam=0, lParam=0, fuFlags=0, uTimeout=0)
SendMessageTimeoutW(hWnd, Msg, wParam=0, lParam=0)
SendNotifyMessageA(hWnd, Msg, wParam=0, lParam=0)
SendNotifyMessageW(hWnd, Msg, wParam=0, lParam=0)
SendDlgItemMessageA(hDlg, nIDDlgItem, Msg, wParam=0, lParam=0)
SendDlgItemMessageW(hDlg, nIDDlgItem, Msg, wParam=0, lParam=0)
WaitForInputIdle(hProcess, dwMilliseconds=-1)
RegisterWindowMessageA(lpString)
RegisterWindowMessageW(lpString)
RegisterClipboardFormatA(lpString)
RegisterClipboardFormatW(lpString)
GetPropA(hWnd, lpString)
GetPropW(hWnd, lpString)
SetPropA(hWnd, lpString, hData)
SetPropW(hWnd, lpString, hData)
RemovePropA(hWnd, lpString)
RemovePropW(hWnd, lpString)

30.3 Variables

Name                                Description
WinCallHook
WinFuncHook
WinDllHook
HWND_DESKTOP                        Value: 0
HWND_TOP                            Value: 1
HWND_BOTTOM                         Value: 1
HWND_TOPMOST                        Value: -1
HWND_NOTOPMOST                      Value: -2
HWND_MESSAGE                        Value: -3
GWL_WNDPROC                         Value: -4
GWL_HINSTANCE                       Value: -6
GWL_HWNDPARENT                      Value: -8
GWL_ID                              Value: -12
GWL_STYLE                           Value: -16
GWL_EXSTYLE                         Value: -20
GWL_USERDATA                        Value: -21
GWLP_WNDPROC                        Value: -4
GWLP_HINSTANCE                      Value: -6
GWLP_HWNDPARENT                     Value: -8
GWLP_STYLE                          Value: -16
GWLP_EXSTYLE                        Value: -20
GWLP_USERDATA                       Value: -21
GWLP_ID                             Value: -12
SW_HIDE                             Value: 0
SW_SHOWNORMAL                       Value: 1
SW_NORMAL                           Value: 1
SW_SHOWMINIMIZED                    Value: 2
SW_SHOWMAXIMIZED                    Value: 3
SW_MAXIMIZE                         Value: 3
SW_SHOWNOACTIVATE                   Value: 4
SW_SHOW                             Value: 5
SW_MINIMIZE                         Value: 6
SW_SHOWMINNOACTIVE                  Value: 7
SW_SHOWNA                           Value: 8
SW_RESTORE                          Value: 9
SW_SHOWDEFAULT                      Value: 10
SW_FORCEMINIMIZE                    Value: 11
SMTO_NORMAL                         Value: 0
SMTO_BLOCK                          Value: 1
SMTO_ABORTIFHUNG                    Value: 2
SMTO_NOTIMEOUTIFNOTHUNG             Value: 8
SMTO_ERRORONEXIT                    Value: 32
WPF_SETMINPOSITION                  Value: 1
WPF_RESTORETOMAXIMIZED              Value: 2
WPF_ASYNCWINDOWPLACEMENT            Value: 4
GA_PARENT                           Value: 1
GA_ROOT                             Value: 2
GA_ROOTOWNER                        Value: 3
GW_HWNDFIRST                        Value: 0
GW_HWNDLAST                         Value: 1
GW_HWNDNEXT                         Value: 2
GW_HWNDPREV                         Value: 3
GW_OWNER                            Value: 4
GW_CHILD                            Value: 5
GW_ENABLEDPOPUP                     Value: 6
WM_USER                             Value: 1024
WM_APP                              Value: 2048
WM_NULL                             Value: 0
WM_CREATE                           Value: 1
WM_DESTROY                          Value: 2
WM_MOVE                             Value: 3
WM_SIZE                             Value: 5
WM_ACTIVATE                         Value: 6
WA_INACTIVE                         Value: 0
WA_ACTIVE                           Value: 1
WA_CLICKACTIVE                      Value: 2
WM_SETFOCUS                         Value: 7
WM_KILLFOCUS                        Value: 8
WM_ENABLE                           Value: 10
WM_SETREDRAW                        Value: 11
WM_SETTEXT                          Value: 12
WM_GETTEXT                          Value: 13
WM_GETTEXTLENGTH                    Value: 14
WM_PAINT                            Value: 15
WM_CLOSE                            Value: 16
WM_QUERYENDSESSION                  Value: 17
WM_QUIT                             Value: 18
WM_QUERYOPEN                        Value: 19
WM_ERASEBKGND                       Value: 20
WM_SYSCOLORCHANGE                   Value: 21
WM_ENDSESSION                       Value: 22
WM_SHOWWINDOW                       Value: 24
WM_WININICHANGE                     Value: 26
WM_SETTINGCHANGE                    Value: 26
WM_DEVMODECHANGE                    Value: 27
WM_ACTIVATEAPP                      Value: 28
WM_FONTCHANGE                       Value: 29
WM_TIMECHANGE                       Value: 30
WM_CANCELMODE                       Value: 31
WM_SETCURSOR                        Value: 32
WM_MOUSEACTIVATE                    Value: 33
WM_CHILDACTIVATE                    Value: 34
WM_QUEUESYNC                        Value: 35
WM_GETMINMAXINFO                    Value: 36
WM_PAINTICON                        Value: 38
WM_ICONERASEBKGND                   Value: 39
WM_NEXTDLGCTL                       Value: 40
WM_SPOOLERSTATUS                    Value: 42
WM_DRAWITEM                         Value: 43
WM_MEASUREITEM                      Value: 44
WM_DELETEITEM                       Value: 45
WM_VKEYTOITEM                       Value: 46
WM_CHARTOITEM                       Value: 47
WM_SETFONT                          Value: 48
WM_GETFONT                          Value: 49
WM_SETHOTKEY                        Value: 50
WM_GETHOTKEY                        Value: 51
WM_QUERYDRAGICON                    Value: 55
WM_COMPAREITEM                      Value: 57
WM_GETOBJECT                        Value: 61
WM_COMPACTING                       Value: 65
WM_OTHERWINDOWCREATED               Value: 66
WM_OTHERWINDOWDESTROYED             Value: 67
WM_COMMNOTIFY                       Value: 68
CN_RECEIVE                          Value: 1
CN_TRANSMIT                         Value: 2
CN_EVENT                            Value: 4
WM_WINDOWPOSCHANGING                Value: 70
WM_WINDOWPOSCHANGED                 Value: 71
WM_POWER                            Value: 72
PWR_OK                              Value: 1
PWR_FAIL                            Value: -1
PWR_SUSPENDREQUEST                  Value: 1
PWR_SUSPENDRESUME                   Value: 2
PWR_CRITICALRESUME                  Value: 3
WM_COPYDATA                         Value: 74
WM_CANCELJOURNAL                    Value: 75
WM_NOTIFY                           Value: 78
WM_INPUTLANGCHANGEREQUEST           Value: 80
WM_INPUTLANGCHANGE                  Value: 81
WM_TCARD                            Value: 82
WM_HELP                             Value: 83
WM_USERCHANGED                      Value: 84
WM_NOTIFYFORMAT                     Value: 85
WM_CONTEXTMENU                      Value: 123
WM_STYLECHANGING                    Value: 124
WM_STYLECHANGED                     Value: 125
WM_DISPLAYCHANGE                    Value: 126
WM_GETICON                          Value: 127
WM_SETICON                          Value: 128
WM_NCCREATE                         Value: 129
WM_NCDESTROY                        Value: 130
WM_NCCALCSIZE                       Value: 131
WM_NCHITTEST                        Value: 132
WM_NCPAINT                          Value: 133
WM_NCACTIVATE                       Value: 134
WM_GETDLGCODE                       Value: 135
WM_SYNCPAINT                        Value: 136
WM_NCMOUSEMOVE                      Value: 160
WM_NCLBUTTONDOWN                    Value: 161
WM_NCLBUTTONUP                      Value: 162
WM_NCLBUTTONDBLCLK                  Value: 163
WM_NCRBUTTONDOWN                    Value: 164
WM_NCRBUTTONUP                      Value: 165
WM_NCRBUTTONDBLCLK                  Value: 166
WM_NCMBUTTONDOWN                    Value: 167
WM_NCMBUTTONUP                      Value: 168
WM_NCMBUTTONDBLCLK                  Value: 169
WM_KEYFIRST                         Value: 256
WM_KEYDOWN                          Value: 256
WM_KEYUP                            Value: 257
WM_CHAR                             Value: 258
WM_DEADCHAR                         Value: 259
WM_SYSKEYDOWN                       Value: 260
WM_SYSKEYUP                         Value: 261
WM_SYSCHAR                          Value: 262
WM_SYSDEADCHAR                      Value: 263
WM_KEYLAST                          Value: 264
WM_INITDIALOG                       Value: 272
WM_COMMAND                          Value: 273
WM_SYSCOMMAND                       Value: 274
WM_TIMER                            Value: 275
WM_HSCROLL                          Value: 276
WM_VSCROLL                          Value: 277
WM_INITMENU                         Value: 278
WM_INITMENUPOPUP                    Value: 279
WM_MENUSELECT                       Value: 287
WM_MENUCHAR                         Value: 288
WM_ENTERIDLE                        Value: 289
WM_CTLCOLORMSGBOX                   Value: 306
WM_CTLCOLOREDIT                     Value: 307
WM_CTLCOLORLISTBOX                  Value: 308
WM_CTLCOLORBTN                      Value: 309
WM_CTLCOLORDLG                      Value: 310
WM_CTLCOLORSCROLLBAR                Value: 311
WM_CTLCOLORSTATIC                   Value: 312
WM_MOUSEFIRST                       Value: 512
WM_MOUSEMOVE                        Value: 512
WM_LBUTTONDOWN                      Value: 513
WM_LBUTTONUP                        Value: 514
WM_LBUTTONDBLCLK                    Value: 515
WM_RBUTTONDOWN                      Value: 516
WM_RBUTTONUP                        Value: 517
WM_RBUTTONDBLCLK                    Value: 518
WM_MBUTTONDOWN                      Value: 519
WM_MBUTTONUP                        Value: 520
WM_MBUTTONDBLCLK                    Value: 521
WM_MOUSELAST                        Value: 521
WM_PARENTNOTIFY                     Value: 528
WM_ENTERMENULOOP                    Value: 529
WM_EXITMENULOOP                     Value: 530
WM_MDICREATE                        Value: 544
WM_MDIDESTROY                       Value: 545
WM_MDIACTIVATE                      Value: 546
WM_MDIRESTORE                       Value: 547
WM_MDINEXT                          Value: 548
WM_MDIMAXIMIZE                      Value: 549
WM_MDITILE                          Value: 550
WM_MDICASCADE                       Value: 551
WM_MDIICONARRANGE                   Value: 552
WM_MDIGETACTIVE                     Value: 553
WM_MDISETMENU                       Value: 560
WM_DROPFILES                        Value: 563
WM_MDIREFRESHMENU                   Value: 564
WM_CUT                              Value: 768
WM_COPY                             Value: 769
WM_PASTE                            Value: 770
WM_CLEAR                            Value: 771
WM_UNDO                             Value: 772
WM_RENDERFORMAT                     Value: 773
WM_RENDERALLFORMATS                 Value: 774
WM_DESTROYCLIPBOARD                 Value: 775
WM_DRAWCLIPBOARD                    Value: 776
WM_PAINTCLIPBOARD                   Value: 777
WM_VSCROLLCLIPBOARD                 Value: 778
WM_SIZECLIPBOARD                    Value: 779
WM_ASKCBFORMATNAME                  Value: 780
WM_CHANGECBCHAIN                    Value: 781
WM_HSCROLLCLIPBOARD                 Value: 782
WM_QUERYNEWPALETTE                  Value: 783
WM_PALETTEISCHANGING                Value: 784
WM_PALETTECHANGED                   Value: 785
WM_HOTKEY                           Value: 786
WM_PRINT                            Value: 791
WM_PRINTCLIENT                      Value: 792
WM_PENWINFIRST                      Value: 896
WM_PENWINLAST                       Value: 911
FindWindow                          Value: GuessStringType(FindWindowA, FindWindowW)
FindWindowEx                        Value: GuessStringType(FindWindowExA, FindWindowExW)
GetClassName                        Value: GuessStringType(GetClassNameA, GetClassNameW)
GetWindowText                       Value: GuessStringType(GetWindowTextA, GetWindowTextW)
SetWindowText                       Value: GuessStringType(SetWindowTextA, SetWindowTextW)
GetWindowLong                       Value: DefaultStringType(GetWindowLongA, GetWindowLongW)
GetWindowLongPtr                    Value: DefaultStringType(GetWindowLongA, GetWindowLongW)
SetWindowLong                       Value: DefaultStringType(SetWindowLongA, SetWindowLongW)
SetWindowLongPtr                    Value: DefaultStringType(SetWindowLongA, SetWindowLongW)
SendMessage                         Value: GuessStringType(SendMessageA, SendMessageW)
PostMessage                         Value: GuessStringType(PostMessageA, PostMessageW)
PostThreadMessage                   Value: GuessStringType(PostThreadMessageA, PostThreadMessageW)
SendMessageTimeout                  Value: GuessStringType(SendMessageTimeoutA, SendMessageTimeoutW)
SendNotifyMessage                   Value: GuessStringType(SendNotifyMessageA, SendNotifyMessageW)
SendDlgItemMessage                  Value: GuessStringType(SendDlgItemMessageA, SendDlgItemMessageW)
RegisterWindowMessage               Value: GuessStringType(RegisterWindowMessageA, RegisterWindowMes...)
RegisterClipboardFormat             Value: GuessStringType(RegisterClipboardFormatA, RegisterClipboa...)
GetProp                             Value: GuessStringType(GetPropA, GetPropW)
SetProp                             Value: GuessStringType(SetPropA, SetPropW)
RemoveProp                          Value: GuessStringType(RemovePropA, RemovePropW)

Module winappdbg.win32.version

31

Module winappdbg.win32.version

Detect the current architecture and operating system.


Some functions here are really from kernel32.dll, others from version.dll.
31.1

31.2

Classes
OSVERSIONINFOA (Section 387, p. 1144)
OSVERSIONINFOW (Section 390, p. 1150)
OSVERSIONINFOEXA (Section 388, p. 1146)
OSVERSIONINFOEXW (Section 389, p. 1148)
LPOSVERSIONINFOA (Section 157, p. 785)
LPOSVERSIONINFOW (Section 158, p. 786)
LPOSVERSIONINFOEXA (Section 321, p. 1023)
LPOSVERSIONINFOEXW (Section 297, p. 990)
POSVERSIONINFOA (Section 157, p. 785)
POSVERSIONINFOW (Section 158, p. 786)
POSVERSIONINFOEXA (Section 321, p. 1023)
POSVERSIONINFOEXW (Section 157, p. 785)
SYSTEM INFO (Section 391, p. 1152)
LPSYSTEM INFO (Section 139, p. 767)
VS FIXEDFILEINFO (Section 392, p. 1154)
PVS FIXEDFILEINFO (Section 325, p. 1029)
LPVS FIXEDFILEINFO (Section 325, p. 1029)
Functions
GetSystemInfo()
GetNativeSystemInfo()
GetSystemMetrics(nIndex )
GetLargePageMinimum()
GetCurrentProcess()
GetCurrentThread()
IsWow64Process(hProcess)
309

Variables

Module winappdbg.win32.version

GetVersion()
GetVersionExA()
GetVersionExW()
GetProductInfo(dwOSMajorVersion, dwOSMinorVersion,
dwSpMajorVersion, dwSpMinorVersion)
VerifyVersionInfo(lpVersionInfo, dwTypeMask, dwlConditionMask )
VerifyVersionInfoA(lpVersionInfo, dwTypeMask, dwlConditionMask )
VerifyVersionInfoW(lpVersionInfo, dwTypeMask, dwlConditionMask )
VerSetConditionMask(dwlConditionMask, dwTypeBitMask,
dwConditionMask )
GetFileVersionInfoA(lptstrFilename)
GetFileVersionInfoW(lptstrFilename)
VerQueryValueA(pBlock, lpSubBlock )
VerQueryValueW(pBlock, lpSubBlock )

31.3

Variables
Name
WinCallHook
WinFuncHook
WinDllHook
NTDDI WIN8
NTDDI WIN7SP1
NTDDI WIN7
NTDDI WS08
NTDDI VISTASP1
NTDDI VISTA
NTDDI LONGHORN
NTDDI WS03SP2

Description

Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:

100794368
100729088
100728832
100663552
100663552
100663296
100663296
84017664
continued on next page

310

Variables

Name
NTDDI WS03SP1
NTDDI WS03
NTDDI WINXPSP3
NTDDI WINXPSP2
NTDDI WINXPSP1
NTDDI WINXP
NTDDI WIN2KSP4
NTDDI WIN2KSP3
NTDDI WIN2KSP2
NTDDI WIN2KSP1
NTDDI WIN2K
NTDDI WINNT4
OSVERSION MASK
SPVERSION MASK
SUBVERSION MASK
VER PLATFORM WIN32s
VER PLATFORM WIN32 WINDOWS
VER PLATFORM WIN32 NT
VER SUITE BACKOFFICE
VER SUITE BLADE
VER SUITE COMPUTE SERVER
VER SUITE DATACENTER
VER SUITE ENTERPRISE
VER SUITE EMBEDDEDNT
VER SUITE PERSONAL
VER SUITE SINGLEUSERTS
VER SUITE SMALLBUSINESS
VER SUITE SMALLBUSINESS RESTRICTED
VER SUITE STORAGE SERVER
VER SUITE TERMINAL

Module winappdbg.win32.version

Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:

Description
84017408
84017152
83952384
83952128
83951872
83951616
83887104
83886848
83886592
83886336
83886080
67108864
4294901760
65280
255
0

Value: 1
Value: 2
Value: 4
Value: 1024
Value: 16384
Value: 128
Value: 2
Value: 64
Value: 512
Value: 256
Value: 1
Value: 32
Value: 8192
Value: 16
continued on next page

311

Variables

Name
VER SUITE WH SERVER
VER NT DOMAIN CONTROLLER
VER NT SERVER
VER NT WORKSTATION
VER BUILDNUMBER
VER MAJORVERSION
VER MINORVERSION
VER PLATFORMID
VER PRODUCT TYPE
VER SERVICEPACKMAJOR
VER SERVICEPACKMINOR
VER SUITENAME
VER EQUAL
VER GREATER
VER GREATER EQUAL
VER LESS
VER LESS EQUAL
VER AND
VER OR
SM CXSCREEN
SM CYSCREEN
SM CXVSCROLL
SM CYHSCROLL
SM CYCAPTION
SM CXBORDER
SM CYBORDER
SM CXDLGFRAME
SM CYDLGFRAME
SM CYVTHUMB
SM CXHTHUMB
SM CXICON
SM CYICON
SM CXCURSOR
SM CYCURSOR
SM CYMENU
SM CXFULLSCREEN
SM CYFULLSCREEN

Module winappdbg.win32.version

Description
Value: 32768
Value: 2
Value: 3
Value: 1
Value:
Value:
Value:
Value:
Value:
Value:

4
2
1
8
128
32

Value: 16
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:

64
1
2
3
4
5
6
7
0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
continued on next page

312

Variables

Name
SM CYKANJIWINDOW
SM MOUSEPRESENT
SM CYVSCROLL
SM CXHSCROLL
SM DEBUG
SM SWAPBUTTON
SM RESERVED1
SM RESERVED2
SM RESERVED3
SM RESERVED4
SM CXMIN
SM CYMIN
SM CXSIZE
SM CYSIZE
SM CXFRAME
SM CYFRAME
SM CXMINTRACK
SM CYMINTRACK
SM CXDOUBLECLK
SM CYDOUBLECLK
SM CXICONSPACING
SM CYICONSPACING
SM MENUDROPALIGNMENT
SM PENWINDOWS
SM DBCSENABLED
SM CMOUSEBUTTONS
SM CXFIXEDFRAME
SM CYFIXEDFRAME
SM CXSIZEFRAME
SM CYSIZEFRAME
SM SECURE
SM CXEDGE
SM CYEDGE
SM CXMINSPACING
SM CYMINSPACING
SM CXSMICON
SM CYSMICON
SM CYSMCAPTION
SM CXSMSIZE
SM CYSMSIZE
SM CXMENUSIZE

Module winappdbg.win32.version

Description
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:

18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40

Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:

41
42
43
7
8
32
33
44
45
46
47
48
49
50
51
52
53
54
continued on next page

313

Variables

Name
SM CYMENUSIZE
SM ARRANGE
SM CXMINIMIZED
SM CYMINIMIZED
SM CXMAXTRACK
SM CYMAXTRACK
SM CXMAXIMIZED
SM CYMAXIMIZED
SM NETWORK
SM CLEANBOOT
SM CXDRAG
SM CYDRAG
SM SHOWSOUNDS
SM CXMENUCHECK
SM CYMENUCHECK
SM SLOWMACHINE
SM MIDEASTENABLED
SM MOUSEWHEELPRESENT
SM XVIRTUALSCREEN
SM YVIRTUALSCREEN
SM CXVIRTUALSCREEN
SM CYVIRTUALSCREEN
SM CMONITORS
SM SAMEDISPLAYFORMAT
SM IMMENABLED
SM CXFOCUSBORDER
SM CYFOCUSBORDER
SM TABLETPC
SM MEDIACENTER
SM STARTER
SM SERVERR2
SM MOUSEHORIZONTALWHEELPRESENT
SM CXPADDEDBORDER
SM CMETRICS
SM REMOTESESSION
SM SHUTTINGDOWN

Module winappdbg.win32.version

Description
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:

55
56
57
58
59
60
61
62
63
67
68
69
70
71
72
73
74
75

Value: 76
Value: 77
Value: 78
Value: 79
Value: 80
Value: 81
Value:
Value:
Value:
Value:
Value:
Value:
Value:
Value:

82
83
84
86
87
88
89
91

Value: 92
Value: 93
Value: 4096
Value: 8192
continued on next page

314

Variables

Name
SM REMOTECONTROL
SM CARETBLINKINGENABLED
PROCESSOR ARCHITECTURE UNKNOWN
PROCESSOR ARCHITECTURE INTEL
PROCESSOR ARCHITECTURE MIPS
PROCESSOR ARCHITECTURE ALPHA
PROCESSOR ARCHITECTURE PPC
PROCESSOR ARCHITECTURE SHX
PROCESSOR ARCHITECTURE ARM
PROCESSOR ARCHITECTURE IA64
PROCESSOR ARCHITECTURE ALPHA64
PROCESSOR ARCHITECTURE MSIL
PROCESSOR ARCHITECTURE AMD64
PROCESSOR ARCHITECTURE IA32 ON WIN64
PROCESSOR ARCHITECTURE SPARC
PROCESSOR INTEL 386
PROCESSOR INTEL 486
PROCESSOR INTEL PENTIUM
PROCESSOR INTEL IA64
PROCESSOR AMD X8664
PROCESSOR MIPS R4000
PROCESSOR ALPHA 21064
PROCESSOR PPC 601

Module winappdbg.win32.version

Description
Value: 8193
Value: 8194
Value: 65535
Value: 0
Value: 1
Value: 2
Value: 3
Value: 4
Value: 5
Value: 6
Value: 7
Value: 8
Value: 9
Value: 10
Value: 20
Value: 386
Value: 486
Value: 586
Value: 2200
Value: 8664
Value: 4000
Value: 21064
Value: 601
continued on next page

315

Variables

Module winappdbg.win32.version

Name
PROCESSOR PPC 603
PROCESSOR PPC 604
PROCESSOR PPC 620
PROCESSOR HITACHI SH3
PROCESSOR HITACHI SH3E
PROCESSOR HITACHI SH4
PROCESSOR MOTOROLA 821
PROCESSOR SHx SH3
PROCESSOR SHx SH4
PROCESSOR STRONGARM
PROCESSOR ARM720
PROCESSOR ARM820
PROCESSOR ARM920
PROCESSOR ARM 7TDMI
PROCESSOR OPTIL
GetVersionEx
ARCH
ARCH
ARCH
ARCH
ARCH
ARCH
ARCH
ARCH
ARCH
ARCH
ARCH
ARCH
ARCH
ARCH
ARCH
ARCH
ARCH
ARCH
ARCH

UNKNOWN
I386
MIPS
ALPHA
PPC
SHX
ARM
ARM64
THUMB
IA64
ALPHA64
MSIL
AMD64
SPARC
IA32
X86
X64
ARM7
ARM8

Description
Value:
Value:
Value:
Value:

603
604
620
10003

Value: 10004
Value: 10005
Value: 821
Value: 103
Value: 104
Value: 2577
Value:
Value:
Value:
Value:

1824
2080
2336
70001

Value: 18767
Value: GuessStringType(GetVersionExA,
GetVersionExW)
Value: unknown
Value: i386
Value: mips
Value: alpha
Value: ppc
Value: shx
Value: arm
Value: arm64
Value: thumb
Value: ia64
Value: alpha64
Value: msil
Value: amd64
Value: sparc
Value: i386
Value: i386
Value: amd64
Value: arm
Value: arm64
continued on next page

316

Name                          Description
ARCH_T32                      Value: thumb
ARCH_AARCH32                  Value: arm
ARCH_AARCH64                  Value: arm64
ARCH_POWERPC                  Value: ppc
ARCH_HITACHI                  Value: shx
ARCH_ITANIUM                  Value: ia64
OS_UNKNOWN                    Value: Unknown
OS_NT                         Value: Windows NT
OS_W2K                        Value: Windows 2000
OS_XP                         Value: Windows XP
OS_XP_64                      Value: Windows XP (64 bits)
OS_W2K3                       Value: Windows 2003
OS_W2K3_64                    Value: Windows 2003 (64 bits)
OS_W2K3R2                     Value: Windows 2003 R2
OS_W2K3R2_64                  Value: Windows 2003 R2 (64 bits)
OS_W2K8                       Value: Windows 2008
OS_W2K8_64                    Value: Windows 2008 (64 bits)
OS_W2K8R2                     Value: Windows 2008 R2
OS_W2K8R2_64                  Value: Windows 2008 R2 (64 bits)
OS_VISTA                      Value: Windows Vista
OS_VISTA_64                   Value: Windows Vista (64 bits)
OS_W7                         Value: Windows 7
OS_W7_64                      Value: Windows 7 (64 bits)
OS_SEVEN                      Value: Windows 7
OS_SEVEN_64                   Value: Windows 7 (64 bits)
OS_WINDOWS_NT                 Value: Windows NT
OS_WINDOWS_2000               Value: Windows 2000
OS_WINDOWS_XP                 Value: Windows XP
OS_WINDOWS_XP_64              Value: Windows XP (64 bits)
OS_WINDOWS_2003               Value: Windows 2003
OS_WINDOWS_2003_64            Value: Windows 2003 (64 bits)
OS_WINDOWS_2003_R2            Value: Windows 2003 R2
OS_WINDOWS_2003_R2_64         Value: Windows 2003 R2 (64 bits)
OS_WINDOWS_2008               Value: Windows 2008
OS_WINDOWS_2008_64            Value: Windows 2008 (64 bits)
OS_WINDOWS_2008_R2            Value: Windows 2008 R2
OS_WINDOWS_2008_R2_64         Value: Windows 2008 R2 (64 bits)
OS_WINDOWS_VISTA              Value: Windows Vista
OS_WINDOWS_VISTA_64           Value: Windows Vista (64 bits)

Name                          Description
OS_WINDOWS_SEVEN              Value: Windows 7
OS_WINDOWS_SEVEN_64           Value: Windows 7 (64 bits)
bits                          Value: 32
arch                          Value: amd64
wow64                         Value: True
os                            Value: Windows 7 (64 bits)
NTDDI_VERSION                 Value: 100729088
WINVER                        Value: 1537
VS_FF_DEBUG                   Value: 1
VS_FF_PRERELEASE              Value: 2
VS_FF_PATCHED                 Value: 4
VS_FF_PRIVATEBUILD            Value: 8
VS_FF_INFOINFERRED            Value: 16
VS_FF_SPECIALBUILD            Value: 32
VOS_UNKNOWN                   Value: 0
VOS_WINDOWS16                 Value: 1
VOS_PM16                      Value: 2
VOS_PM32                      Value: 3
VOS_WINDOWS32                 Value: 4
VOS_DOS                       Value: 65536
VOS_OS216                     Value: 131072
VOS_OS232                     Value: 196608
VOS_NT                        Value: 262144
VOS_DOS_WINDOWS16             Value: 65537
VOS_DOS_WINDOWS32             Value: 65540
VOS_NT_WINDOWS32              Value: 262148
VOS_OS216_PM16                Value: 131074
VOS_OS232_PM32                Value: 196611
VFT_UNKNOWN                   Value: 0
VFT_APP                       Value: 1
VFT_DLL                       Value: 2
VFT_DRV                       Value: 3
VFT_FONT                      Value: 4
VFT_VXD                       Value: 5
VFT_RESERVED                  Value: 6
VFT_STATIC_LIB                Value: 7
VFT2_UNKNOWN                  Value: 0
VFT2_DRV_PRINTER              Value: 1
VFT2_DRV_KEYBOARD             Value: 2
VFT2_DRV_LANGUAGE             Value: 3
VFT2_DRV_DISPLAY              Value: 4

Name                          Description
VFT2_DRV_MOUSE                Value: 5
VFT2_DRV_NETWORK              Value: 6
VFT2_DRV_SYSTEM               Value: 7
VFT2_DRV_INSTALLABLE          Value: 8
VFT2_DRV_SOUND                Value: 9
VFT2_DRV_COMM                 Value: 10
VFT2_DRV_RESERVED             Value: 11
VFT2_DRV_VERSIONEDPRINTER     Value: 12
VFT2_FONT_RASTER              Value: 1
VFT2_FONT_VECTOR              Value: 2
VFT2_FONT_TRUETYPE            Value: 3
GetFileVersionInfo            Value: GuessStringType(GetFileVersionInfoA, GetFileVersionInfoW)
VerQueryValue                 Value: GuessStringType(VerQueryValueA, VerQueryValueW)

32 Module winappdbg.win32.wtsapi32

Wrapper for wtsapi32.dll in ctypes.

32.1 Classes

WTS_PROCESS_INFOA (Section 395, p. 1159)
PWTS_PROCESS_INFOA (Section 393, p. 1156)
WTS_PROCESS_INFOW (Section 396, p. 1161)
PWTS_PROCESS_INFOW (Section 178, p. 806)
WTS_INFO_CLASS (Section 39, p. 331)
WTS_CONNECTSTATE_CLASS (Section 39, p. 331)
WTS_CLIENT_DISPLAY (Section 394, p. 1157)
PWTS_CLIENT_DISPLAY (Section 177, p. 805)

32.2 Functions

WTSFreeMemory(pMemory)
WTSEnumerateProcessesA(hServer=0)
WTSEnumerateProcessesW(hServer=0)
WTSTerminateProcess(hServer, ProcessId, ExitCode)
ProcessIdToSessionId(dwProcessId)
WTSGetActiveConsoleSessionId()
32.3 Variables

Name (the Description column is empty for every entry in this group):
SLE_ERROR, THREAD_BASE_PRIORITY_LOWRT, WaitForSingleObject, DBG_REPLY_LATER, GetGuiResources, CONTEXT_FULL,
EXCEPTION_FLT_UNDERFLOW, OpenFileMapping, ReleaseMutex, STATUS_PENDING, ARCH_AMD64, OS_WINDOWS_2008_64,
GetProcessAffinityMask, VFT_DRV, FreeConsole, PAGE_EXECUTE_READ, SEC_COMMIT, NTDDI_WIN7SP1, VerQueryValueW,
SetConsoleActiveScreenBuffer, VerQueryValueA, ProcThreadAttributeGroupAffinity, OSVERSIONINFOW,
LPSECURITY_ATTRIBUTES, OSVERSIONINFOA, EXCEPTION_ARRAY_BOUNDS_EXCEEDED, VOS_OS216, SEMAPHORE_MODIFY_STATE,
SetHandleInformation, PAGE_WRITECOPY, RIP_INFO, EXCEPTION_BREAKPOINT, STACK_SIZE_PARAM_IS_A_RESERVATION,
SEM_NOOPENFILEERRORBOX, OpenProcess, SetProcessPriorityBoost, MAXINTATOM, Wow64GetThreadContext,
COMMON_LVB_LEADING_BYTE,
OS_SEVEN, SM_CXDLGFRAME, DEBUG_PROCESS, OS_W2K3_64, GetFileInformationByHandleEx, SM_ARRANGE, THREADNAME_INFO,
STARTUPINFOEXW, PROCESS_ALL_ACCESS_VISTA, VFT2_DRV_DISPLAY, WOW64_CONTEXT_CONTROL, VirtualAllocEx,
VER_SUITE_BACKOFFICE, LPXMM_SAVE_AREA32, STATUS_STACK_OVERFLOW, ContinueDebugEvent, MEM_4MB_PAGES, PCHAR_INFO,
VER_SUITE_DATACENTER, arch, Wow64GetThreadSelectorEntry, MS_VC_EXCEPTION, OS_WINDOWS_2003_R2_64, GR_USEROBJECTS,
FILE_INFO_BY_HANDLE_CLASS, PWOW64_FLOATING_SAVE_AREA, VOS_NT_WINDOWS32, PRODUCT_MEDIUMBUSINESS_SERVER_SECURITY,
ARCH_SHX, OS_WINDOWS_XP_64,
OS_WINDOWS_NT, THREAD_SUSPEND_RESUME, TH32CS_INHERIT, ARCH_POWERPC, COMMON_LVB_UNDERSCORE, GetThreadContext,
VOS_PM16, EXCEPTION_FLT_INEXACT_RESULT, FILE_SHARE_READ, PROCESSOR_SHx_SH3, PROCESSOR_SHx_SH4, VER_LESS_EQUAL,
INHERIT_PARENT_AFFINITY, FOREGROUND_BLACK, PRODUCT_ENTERPRISE_SERVER, GetLogicalDriveStringsA,
VER_SUITE_STORAGE_SERVER, GetLogicalDriveStringsW, CREATE_NEW_CONSOLE, HEAP_ZERO_MEMORY, FOREGROUND_RED, OpenMutexA,
SM_CYKANJIWINDOW, STATUS_UNWIND_CONSOLIDATE, SM_CYVIRTUALSCREEN, PROCESSOR_ARM_7TDMI, PROCESSOR_INTEL_386,
SM_CYMINTRACK, SM_CYMAXTRACK, CreateMutexA, STARTUPINFO, CreateMutexW,
SetDllDirectoryA, OS_VISTA_64, OS_WINDOWS_VISTA_64, THREAD_GET_CONTEXT, SearchPathW, PROCESS_NAME_NATIVE, SearchPathA,
VirtualQueryEx, LOAD_LIBRARY_AS_DATAFILE, THREADENTRY32, STATUS_PRIVILEGED_INSTRUCTION, VFT2_DRV_SYSTEM,
NTDDI_WINXPSP1, EXCEPTION_FLT_INVALID_OPERATION, NTDDI_WINXPSP3, NTDDI_WINXPSP2, SetDllDirectoryW,
PROCESSOR_AMD_X8664, GetSystemMetrics, FILE_ATTRIBUTE_ARCHIVE, OutputDebugString, VOLUME_NAME_NT, VirtualProtectEx,
PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE, PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE, SM_CYDOUBLECLK,
QueryFullProcessImageName, CreateFileW, SM_CYVSCROLL,
CreateFileA, STD_INPUT_HANDLE, TH32CS_SNAPALL, POSVERSIONINFOA, CREATE_DEFAULT_ERROR_MODE, WAIT_FAILED,
PRODUCT_ULTIMATE, POSVERSIONINFOW, ARCH_ARM, ARCH_THUMB, SM_CXMENUCHECK, FORMAT_MESSAGE_ALLOCATE_BUFFER,
PROCESSOR_ARCHITECTURE_ARM, LPMODULEENTRY32, EXCEPTION_PRIV_INSTRUCTION, NTDDI_VERSION, GetProcessDEPPolicy,
EXCEPTION_DATATYPE_MISALIGNMENT, LEGACY_SAVE_AREA_LENGTH, HIGH_PRIORITY_CLASS, ARCH_SPARC, PRODUCT_HOME_PREMIUM,
STATUS_FLOAT_MULTIPLE_FAULTS, NORMAL_PRIORITY_CLASS, MEMORY_BASIC_INFORMATION64, ARCH_AARCH32, SEC_FILE, OS_VISTA,
GetLogicalDriveStrings, PRODUCT_DATACENTER_SERVER,
SetLastError, PWOW64_CONTEXT, MEM_MAPPED, WOW64_LDT_ENTRY, VerSetConditionMask, GetThreadErrorMode, ARCH_X86,
ProcessHandle, GetProcAddressW, GetProcAddressA, ARCH_X64, SetThreadContext, GetVersion, GetCurrentThreadId,
TH32CS_SNAPMODULE, VER_GREATER_EQUAL, OUTPUT_DEBUG_STRING_INFO, GENERIC_ALL, WinCallHook, GetProcAddress,
STATUS_SXS_EARLY_DEACTIVATION, GetCurrentProcessorNumber, MEM_PRIVATE, PRODUCT_STANDARD_SERVER_CORE, SM_CXDOUBLECLK,
STATUS_INVALID_HANDLE, BACKGROUND_CYAN, ARCH_ITANIUM, THREAD_PRIORITY_TIME_CRITICAL, SECTION_QUERY,
VER_SUITE_EMBEDDEDNT, PROCESS_CREATE_PROCESS, MEMORY_BASIC_INFORMATION,
SM_MENUDROPALIGNMENT, MapViewOfFile, PPROC_THREAD_ATTRIBUTE_LIST, GetModuleHandleA, SEC_IMAGE,
Wow64RevertWow64FsRedirection, VER_SUITE_ENTERPRISE, VOLUME_NAME_DOS, GetModuleHandleW, GetFileVersionInfoA,
PRODUCT_WEB_SERVER, GetFileVersionInfoW, NTDDI_LONGHORN, BACKGROUND_INTENSITY, QueryFullProcessImageNameA,
CREATE_IGNORE_SYSTEM_DEFAULT, psyco, EXCEPTION_RECORD, QueryFullProcessImageNameW, SM_MOUSEHORIZONTALWHEELPRESENT,
SetErrorMode, STATUS_NONCONTINUABLE_EXCEPTION, Wow64ResumeThread, GetSystemTimeAsFileTime,
PROC_THREAD_ATTRIBUTE_NUMBER, VER_SUITE_PERSONAL, SnapshotHandle, WAIT_OBJECT_0, GENERIC_READ,
INITIAL_MXCSR, OpenEvent, SEC_NOCACHE, LDT_ENTRY_HIGHWORD, SM_CXMIN, VOS_PM32, NTDDI_WINXP, BACKGROUND_MASK, OS_XP_64,
PRODUCT_ENTERPRISE, TerminateProcess, VOS_WINDOWS32, OS_W2K8_64, LPJIT_DEBUG_INFO64, DBG_EXCEPTION_NOT_HANDLED,
FreeLibrary, PROCESSOR_HITACHI_SH3E, SM_CXSMICON, MEM_IMAGE, PRODUCT_HOME_PREMIUM_E, THREAD_QUERY_LIMITED_INFORMATION,
PROC_THREAD_ATTRIBUTE_ADDITIVE, PROCESSOR_ARCHITECTURE_AMD64, EXCEPTION_INVALID_HANDLE, WaitForMultipleObjects,
FOREGROUND_YELLOW, THREAD_TERMINATE, ContextArchMask, PROCESSOR_ARCHITECTURE_INTEL, PAGE_EXECUTE, OS_SEVEN_64,
CONTROL_C_EXIT, Handle, ABOVE_NORMAL_PRIORITY_CLASS, Heap32ListNext, VFT2_DRV_COMM, EXIT_PROCESS_DEBUG_INFO,
PRODUCT_DATACENTER_SERVER_CORE_V, LPLDT_ENTRY, FILE_ATTRIBUTE_SYSTEM, VER_SUITE_TERMINAL,
PRODUCT_STORAGE_EXPRESS_SERVER, VER_LESS, CONTEXT_CONTROL, PAGE_EXECUTE_WRITECOPY, SM_CXSCREEN, GetHandleInformation,
CREATE_SEPARATE_WOW_VDM, DBG_PRINTEXCEPTION_C, OpenFileMappingW, OpenFileMappingA, OS_NT, CREATE_THREAD_DEBUG_EVENT,
VER_GREATER, PRODUCT_STANDARD_SERVER_V, CheckRemoteDebuggerPresent, PROCESSOR_ARCHITECTURE_ALPHA, GlobalFindAtom,
CONTEXT_i386, STATUS_INTEGER_OVERFLOW,
SetConsoleCP, CreateFileMapping, VFT_STATIC_LIB, CONTEXT_EXCEPTION_REQUEST, LPJIT_DEBUG_INFO, SECTION_MAP_READ,
SECTION_MAP_EXECUTE, EVENT_ALL_ACCESS, STARTUPINFOEX, VS_FF_INFOINFERRED, FILE_SHARE_DELETE, SM_CXFULLSCREEN,
CREATE_BREAKAWAY_FROM_JOB, VS_FF_PATCHED, VFT2_FONT_TRUETYPE, CONTEXT_EXCEPTION_ACTIVE,
PROCESS_QUERY_LIMITED_INFORMATION, SM_CYCAPTION, STATUS_FLOAT_INVALID_OPERATION, NTDDI_WIN8, NTDDI_WIN7, HEAPENTRY32,
SECURITY_ATTRIBUTES, JIT_DEBUG_INFO32, OS_WINDOWS_2008_R2_64, SM_CLEANBOOT, FILE_FLAG_SEQUENTIAL_SCAN, LPFILETIME,
ProcThreadAttributeMax, EXCEPTION_WX86_BREAKPOINT, GlobalGetAtomNameW,
SECTION_EXTEND_SIZE, GetSystemInfo, GlobalGetAtomNameA, THREAD_ALL_ACCESS_VISTA, PROCESS_VM_READ, VER_SUITE_WH_SERVER,
OS_WINDOWS_2003_R2, LPTHREADENTRY32, FOREGROUND_CYAN, LPFLOATING_SAVE_AREA, SM_CXICONSPACING, SEMAPHORE_ALL_ACCESS,
PROCESSOR_INTEL_486, ARCH_UNKNOWN, MEM_RELEASE, AllocConsole, CreateProcessA, INHERIT_CALLER_PRIORITY, CreateFile,
CreateProcessW, VFT2_FONT_VECTOR, VerifyVersionInfoA, FileTimeToSystemTime, VFT2_DRV_LANGUAGE, PROCESSOR_ARM820,
VS_FF_SPECIALBUILD, SM_CXCURSOR, VerifyVersionInfoW, SM_CYMINSPACING, SM_XVIRTUALSCREEN, PROCESSOR_STRONGARM,
VFT2_UNKNOWN, OS_WINDOWS_2003_64, LocalFree, PROCESSENTRY32,
THREAD_PRIORITY_BELOW_NORMAL, WOW64_CONTEXT, PRODUCT_PROFESSIONAL, EXCEPTION_ACCESS_VIOLATION, ATTACH_PARENT_PROCESS,
OpenThread, VER_SUITE_SINGLEUSERTS, EXIT_THREAD_DEBUG_EVENT, SetConsoleOutputCP, PAGE_READONLY, VER_OR,
FOREGROUND_GREEN, SM_SHUTTINGDOWN, PAGE_READWRITE, MAXIMUM_SUSPEND_COUNT, STATUS_TIMEOUT, MEM_TOP_DOWN,
SM_YVIRTUALSCREEN, PXMM_SAVE_AREA32, CONTEXT_i486, MUTEX_MODIFY_STATE, OVERLAPPED, THREAD_SET_LIMITED_INFORMATION,
FILE_ATTRIBUTE_READONLY, ThreadHandle, MEM_COMMIT, SetConsoleTextAttribute, FlushFileBuffers, PROCESSOR_OPTIL,
STATUS_WX86_BREAKPOINT, SM_CXMENUSIZE,
ACCESS_VIOLATION_TYPE_WRITE, PAGE_EXECUTE_READWRITE, LPSYSTEM_INFO, CTRL_SHUTDOWN_EVENT, bits, CONTEXT_MMX_REGISTERS,
FORMAT_MESSAGE_FROM_SYSTEM, VER_SUITE_SMALLBUSINESS_RESTRICTED, DUPLICATE_CLOSE_SOURCE, ResetEvent, wow64,
PROCESSOR_ARCHITECTURE_SHX, THREAD_IMPERSONATE, WOW64_CONTEXT_i486, VOS_WINDOWS16, SMALL_RECT, WinFuncHook, SM_CXEDGE,
OS_W2K3R2, STATUS_FLOAT_DIVIDE_BY_ZERO, NTDDI_WS03SP2, NTDDI_WS03SP1, PROCESS_TERMINATE, SM_CYFULLSCREEN, LPOVERLAPPED,
DBG_COMMAND_EXCEPTION, PRODUCT_SERVER_FOR_SMALLBUSINESS_V, PRODUCT_HOME_BASIC, SM_CYSCREEN,
WOW64_FLOATING_SAVE_AREA, STATUS_POSSIBLE_DEADLOCK, ACCESS_VIOLATION_TYPE_READ, ProcThreadAttributeIdealProcessor,
EXCEPTION_INVALID_DISPOSITION, SM_CYBORDER, PRODUCT_ENTERPRISE_SERVER_CORE_V, CREATE_UNICODE_ENVIRONMENT,
STATUS_IN_PAGE_ERROR, VER_NT_DOMAIN_CONTROLLER, GetFileInformationByHandle, OS_W2K3R2_64, GlobalGetAtomName,
GR_GDIOBJECTS, STATUS_SINGLE_STEP, WINVER, OPEN_EXISTING, WOW64_CONTEXT_SEGMENTS, FILE_MAP_READ,
VER_PLATFORM_WIN32_WINDOWS, GetVersionEx, THREAD_QUERY_INFORMATION, FOREGROUND_GREY, EVENT_MODIFY_STATE,
DEBUG_EVENT_UNION, JIT_DEBUG_INFO,
PROC_THREAD_ATTRIBUTE_EXTENDED_FLAGS, SM_CXBORDER, NTDDI_WIN2KSP4, SM_REMOTESESSION, NTDDI_WIN2KSP2, NTDDI_WIN2KSP3,
NTDDI_WIN2KSP1, LOAD_WITH_ALTERED_SEARCH_PATH, PROCESS_ALL_ACCESS_NT, HEAP_NO_SERIALIZE, SM_MOUSEWHEELPRESENT,
SM_CXMAXTRACK, GetErrorMode, STATUS_FLOAT_INEXACT_RESULT, FILE_FLAG_DELETE_ON_CLOSE, EXCEPTION_FLT_STACK_CHECK,
PRODUCT_BUSINESS, LDT_ENTRY_BITS, SM_SERVERR2, DEBUG_EVENT, VER_SERVICEPACKMAJOR, GetConsoleCP, WOW64_CONTEXT_ALL,
SM_CYMENUSIZE, GENERIC_WRITE, VFT_RESERVED, HEAP_GENERATE_EXCEPTIONS, EXCEPTION_NONCONTINUABLE_EXCEPTION,
SM_DBCSENABLED,
PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, DBG_TERMINATE_PROCESS, Wow64DisableWow64FsRedirection, SM_CXPADDEDBORDER,
FILE_FLAG_WRITE_THROUGH, CREATE_SHARED_WOW_VDM, GetDllDirectory, SM_CYSMSIZE, EXCEPTION_READ_FAULT, FILE_MAP_COPY,
GetProcessVersion, THREAD_PRIORITY_ABOVE_NORMAL, CREATE_FORCEDOS, LPPROCESSENTRY32, TH32CS_SNAPPROCESS, SM_CXMINTRACK,
GetExitCodeProcess, GetProcessId, FOREGROUND_BLUE, DBG_APP_NOT_IDLE, PRODUCT_DATACENTER_SERVER_V,
PROC_THREAD_ATTRIBUTE_PREFERRED_NODE, VFT_UNKNOWN, FILE_MAP_EXECUTE, Thread32First, SM_CXDRAG, EXCEPTION_GUARD_PAGE,
STATUS_FLOAT_OVERFLOW,
CTRL_LOGOFF_EVENT, SM_PENWINDOWS, PEXCEPTION_RECORD, GlobalFindAtomW, VER_PLATFORM_WIN32_NT, GlobalFindAtomA,
SM_CYMAXIMIZED, VER_NT_SERVER, GENERIC_EXECUTE, PROCESS_DEP_ENABLE, LPHEAPLIST32, Heap32First,
PROCESSOR_ARCHITECTURE_MIPS, Process32Next, SM_CYVTHUMB, STATUS_DATATYPE_MISALIGNMENT, LPVS_FIXEDFILEINFO, ARCH_PPC,
MEM_FREE, CTRL_CLOSE_EVENT, FILE_MAP_ALL_ACCESS, PRODUCT_SMALLBUSINESS_SERVER, CREATE_NEW, UNLOAD_DLL_DEBUG_INFO,
ARCH_ARM64, os, PHANDLER_ROUTINE, LoadLibraryW, STATUS_CONTROL_C_EXIT, PAGE_NOCACHE, LoadLibraryA, SM_CYEDGE,
VER_SUITE_COMPUTE_SERVER,
BELOW_NORMAL_PRIORITY_CLASS, OS_WINDOWS_VISTA, CONTEXT_AMD64, LPOSVERSIONINFOEXW, ReadProcessMemory,
GetConsoleScreenBufferInfo, LPOSVERSIONINFOEXA, CREATE_NEW_PROCESS_GROUP, ProcThreadAttributeList,
PRODUCT_STORAGE_WORKGROUP_SERVER, EXCEPTION_RECORD32, SM_CYDLGFRAME, DuplicateHandle, PLDT_ENTRY, WinDllHook,
STATUS_ILLEGAL_INSTRUCTION, NTDDI_WS03, EXTENDED_STARTUPINFO_PRESENT, NTDDI_WS08, LPPROC_THREAD_ATTRIBUTE_LIST,
THREAD_BASE_PRIORITY_MIN, EXCEPTION_DEBUG_EVENT, SM_CXSMSIZE, SIZE_OF_80387_REGISTERS, CONTEXT_ALL, FileHandle,
JIT_DEBUG_INFO64, GetStdHandle, VER_SUITE_BLADE,
VOS_OS216_PM16, SM_IMMENABLED, STILL_ACTIVE, MemoryBasicInformation, SYSTEM_INFO, CREATE_PROCESS_DEBUG_EVENT,
NTDDI_VISTA, PROCESSOR_PPC_620, LPHEAPENTRY32, DBG_NO_STATE_CHANGE, PROCESS_DUP_HANDLE, GlobalAddAtom, BACKGROUND_GREY,
VFT2_DRV_KEYBOARD, WOW64_CS32, VOS_NT, EXCEPTION_FLT_DENORMAL_OPERAND, LoadLibraryExA, SM_CYFRAME,
COMMON_LVB_REVERSE_VIDEO, NTDDI_WIN2K, LoadLibraryExW, PROCESSOR_ALPHA_21064, CreateEvent,
PRODUCT_ENTERPRISE_SERVER_CORE, STATUS_ARRAY_BOUNDS_EXCEEDED, THREAD_DIRECT_IMPERSONATION,
PRODUCT_STORAGE_ENTERPRISE_SERVER, ARCH_HITACHI, CreateToolhelp32Snapshot, WOW64_CONTEXT_EXTENDED_REGISTERS,
CONTEXT_SEGMENTS, DBG_EXCEPTION_HANDLED, ARCH_ALPHA64, THREAD_ALL_ACCESS_NT, OSVERSION_MASK, SM_CXFOCUSBORDER,
ProcessInformation, STATUS_WAIT_0, ProcThreadAttributeHandleList, EXCEPTION_INT_DIVIDE_BY_ZERO,
ProcThreadAttributeExtendedFlags, SUBVERSION_MASK, SM_CYSMICON, VS_FF_PRERELEASE, UpdateProcThreadAttribute,
SLE_MINORERROR, CONTEXT_EXTENDED_REGISTERS, PCOORD, THREAD_SET_THREAD_TOKEN, LPSYSTEMTIME, GetCurrentThread,
SM_RESERVED4, SM_RESERVED1, SM_RESERVED3, SM_RESERVED2, OS_WINDOWS_2008_R2, BACKGROUND_MAGENTA,
PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE, EXIT_THREAD_DEBUG_INFO,
EXCEPTION_EXECUTE_FAULT, DeleteProcThreadAttributeList, FILE_ATTRIBUTE_DEVICE, VerifyVersionInfo, LPSTARTUPINFOEX,
GetCurrentProcess, MEM_RESET, FlushProcessWriteBuffers, FILE_ATTRIBUTE_HIDDEN, LPJIT_DEBUG_INFO32,
ProcThreadAttributePreferredNode, FLOATING_SAVE_AREA, SM_MOUSEPRESENT, EXCEPTION_SINGLE_STEP, ARCH_MIPS,
PROCESSOR_ARCHITECTURE_IA32_ON_WIN64, CREATE_THREAD_DEBUG_INFO, SM_CXVSCROLL, PROFILE_KERNEL, SM_SLOWMACHINE,
SECTION_MAP_WRITE, LOAD_DLL_DEBUG_INFO, VOS_OS232_PM32, FlushInstructionCache, PROCESSOR_ARCHITECTURE_IA64,
STATUS_INTEGER_DIVIDE_BY_ZERO, PRODUCT_PROFESSIONAL_E, PRODUCT_PROFESSIONAL_N,
VOS_UNKNOWN, DUPLICATE_SAME_ACCESS, STATUS_FLOAT_STACK_CHECK, PROC_THREAD_ATTRIBUTE_HANDLE_LIST, VFT2_DRV_NETWORK,
PFLOATING_SAVE_AREA, STATUS_ABANDONED_WAIT_0, VER_MINORVERSION, GetTempFileNameW, PROCESSOR_MIPS_R4000,
STATUS_GUARD_PAGE_VIOLATION, SM_CYSIZEFRAME, EXCEPTION_RECORD64, CONTEXT_SERVICE_ACTIVE, Thread32Next, VER_PLATFORMID,
VER_NT_WORKSTATION, MAXIMUM_WAIT_OBJECTS, COMMON_LVB_GRID_HORIZONTAL, ProcThreadAttributeUmsThread,
LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE, GetProcessTimes, TH32CS_SNAPTHREAD, FileMappingHandle, CreateProcess,
SM_REMOTECONTROL, PRODUCT_ENTERPRISE_N,
PRODUCT_ENTERPRISE_E, CREATE_ALWAYS, PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, THREAD_PRIORITY_ERROR_RETURN,
PROCESS_SET_QUOTA, VFT2_DRV_MOUSE, warnings, PROCESS_MODE_BACKGROUND_BEGIN, PulseEvent, FOREGROUND_MASK,
UnmapViewOfFile, COMMON_LVB_MASK, STATUS_SEGMENT_NOTIFICATION, VFT2_DRV_RESERVED, SEM_NOGPFAULTERRORBOX, SM_CXSIZE,
LPSTARTUPINFOW, GetTempFileNameA, GetConsoleOutputCP, OS_W7_64, STATUS_HEAP_CORRUPTION, Wow64SuspendThread,
OS_WINDOWS_SEVEN, MEM_RESERVE, VOS_DOS, PROCESS_SET_SESSIONID, STATUS_BREAKPOINT, OPEN_ALWAYS, QueryDosDevice,
FILE_FLAG_OVERLAPPED, PROCESSOR_PPC_604, DeviceIoControl,
PROCESSOR_PPC_601, PROCESSOR_PPC_603, SM_MIDEASTENABLED, CONTEXT_INTEGER, FILE_SHARE_WRITE, SetProcessAffinityMask,
EXCEPTION_NONCONTINUABLE, PEXCEPTION_RECORD64, ARCH_MSIL, LPSTARTUPINFO, WOW64_CONTEXT_DEBUG_REGISTERS, GlobalAddAtomA,
GetThreadSelectorEntry, PROC_THREAD_ATTRIBUTE_INPUT, TIMER_MODIFY_STATE, PRODUCT_STANDARD_SERVER_CORE_V, GetVersionExW,
VER_PLATFORM_WIN32s, GetVersionExA, SM_CYDRAG, Process32First, UserModeHandle, ARCH_IA64, PWOW64_LDT_ENTRY,
CONTEXT_EXCEPTION_REPORTING, XMM_SAVE_AREA32, HEAPLIST32, THREAD_PRIORITY_NORMAL, CreateEventW, THREAD_ALL_ACCESS,
CreateEventA, PRODUCT_ULTIMATE_N,
PRODUCT_ULTIMATE_E, PROC_THREAD_ATTRIBUTE_GROUP_AFFINITY, PROCESSOR_ARM920, SM_TABLETPC, PROCESS_SET_INFORMATION,
TH32CS_SNAPHEAPLIST, SM_CXICON, SM_CMONITORS, DBG_RIPEXCEPTION, PROCESS_ALL_ACCESS, DETACHED_PROCESS, LoadLibraryEx,
SM_CYMIN, GetTempPath, COORD, OpenMutexW, PRODUCT_ENTERPRISE_SERVER_IA64, GetFinalPathNameByHandle,
FILE_NAME_NORMALIZED, Toolhelp32ReadProcessMemory, DBG_CONTROL_C, UNLOAD_DLL_DEBUG_EVENT, SEC_LARGE_PAGES,
PRODUCT_STARTER, Heap32Next, EXCEPTION_FLT_DIVIDE_BY_ZERO, EXCEPTION_INT_OVERFLOW, THREAD_PRIORITY_HIGHEST,
WOW64_CONTEXT_FULL,
WaitForDebugEvent, ResumeThread, VS_FIXEDFILEINFO, VER_EQUAL, STATUS_ACCESS_VIOLATION, OS_WINDOWS_SEVEN_64,
LPBY_HANDLE_FILE_INFORMATION, PAGE_GUARD, EXCEPTION_WRITE_FAULT, DEBUG_ONLY_THIS_PROCESS,
ProcThreadAttributeParentProcess, SM_SECURE, EXIT_PROCESS_DEBUG_EVENT, CREATE_PRESERVE_CODE_AUTHZ_LEVEL, SearchPath,
COMMON_LVB_TRAILING_BYTE, THREAD_PRIORITY_IDLE, GetProcessPriorityBoost, PROCESSOR_ARCHITECTURE_SPARC,
WOW64_CONTEXT_i386, WaitForMultipleObjectsEx, WOW64_CONTEXT_INTEGER, EXCEPTION_FLT_OVERFLOW, VER_PRODUCT_TYPE,
LPCONTEXT, VerQueryValue, STD_OUTPUT_HANDLE, SYSTEMTIME,
TIMER_ALL_ACCESS, PROCESSOR_ARCHITECTURE_PPC, Wow64SetThreadContext, VOS_OS232, EXCEPTION_IN_PAGE_ERROR,
PROCESSOR_ARCHITECTURE_MSIL, CreateFileMappingW, SM_CYMINIMIZED, PRODUCT_STORAGE_STANDARD_SERVER, CreateFileMappingA,
MEM_PHYSICAL, SM_CYSIZE, PRODUCT_DATACENTER_SERVER_CORE, GetLastError, STATUS_SXS_INVALID_DEACTIVATION, SuspendThread,
PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION, SM_CXFRAME, CreateMutex, CloseHandle, GetProcessHandleCount, GetThreadId,
CONTEXT_DEBUG_REGISTERS, OpenEventW, OpenEventA, SM_CXVIRTUALSCREEN, EXCEPTION_STACK_OVERFLOW, SM_STARTER,
THREAD_BASE_PRIORITY_IDLE, GetTempPathA,
SM_CXHSCROLL, GetTempPathW, LOAD_LIBRARY_AS_IMAGE_RESOURCE, OutputDebugStringW, OutputDebugStringA, WriteProcessMemory,
FlushViewOfFile, PROCESSOR_INTEL_IA64, SetThreadErrorMode, SM_CXMINIMIZED, InitializeProcThreadAttributeList,
PRODUCT_MEDIUMBUSINESS_SERVER_MESSAGING, OS_WINDOWS_XP, ARCH_T32, FILE_FLAG_NO_BUFFERING, VOLUME_NAME_GUID,
PCONSOLE_SCREEN_BUFFER_INFO, GlobalAddAtomW, DBG_TERMINATE_THREAD, SEM_FAILCRITICALERRORS, LDT_ENTRY, SetPriorityClass,
PROCESSOR_ARCHITECTURE_UNKNOWN, PRODUCT_HYPERV, BACKGROUND_RED, CreateRemoteThread, POSVERSIONINFOEXA,
STATUS_FLOAT_UNDERFLOW, MEMORY_BASIC_INFORMATION32, POSVERSIONINFOEXW,
LPDEBUG_EVENT, GetDllDirectoryW, SM_CMOUSEBUTTONS, PAGE_NOACCESS, BACKGROUND_BLUE, TIMER_QUERY_STATE,
CONTEXT_FLOATING_POINT, HEAP_CREATE_ENABLE_EXECUTE, HANDLE_FLAG_INHERIT, CREATE_SUSPENDED, MEM_LARGE_PAGES,
PVS_FIXEDFILEINFO, VFT2_DRV_INSTALLABLE, MEM_WRITE_WATCH, FOREGROUND_MAGENTA, GetCurrentDirectoryW, VirtualFreeEx,
LOAD_DLL_DEBUG_EVENT, PROFILE_SERVER, GetCurrentDirectoryA, PROCESSOR_ARCHITECTURE_ALPHA64, VFT2_DRV_SOUND, VS_FF_DEBUG,
EXCEPTION_MAXIMUM_PARAMETERS, DBG_CONTROL_BREAK, PMEMORY_BASIC_INFORMATION, SM_CYSMCAPTION, SM_SAMEDISPLAYFORMAT,
THREAD_PRIORITY_LOWEST, EXCEPTION_DEBUG_INFO,
VOS_DOS_WINDOWS32, PROCESS_VM_WRITE, SM_CXMAXIMIZED, GetCurrentDirectory, PROCESS_CREATE_THREAD,
STATUS_STACK_BUFFER_OVERRUN, OS_XP, SM_CARETBLINKINGENABLED, LPSTARTUPINFOEXW, RaiseIfLastError, SM_CYCURSOR, FILETIME,
CONTEXT, FILE_FLAG_RANDOM_ACCESS, STATUS_REG_NAT_CONSUMPTION, VOLUME_NAME_NONE, OS_W2K8, OS_W2K3, PROCESSOR_ARM720,
WOW64_CONTEXT_FLOATING_POINT, PROCESS_VM_OPERATION, context_i386, SM_CYFOCUSBORDER, CONSOLE_SCREEN_BUFFER_INFO,
PRODUCT_STANDARD_SERVER, GenerateConsoleCtrlEvent, PEXCEPTION_RECORD32, EXCEPTION_POSSIBLE_DEADLOCK, PROFILE_USER,
GetTempFileName,
GetModuleHandle, PRODUCT_HOME_PREMIUM_N, PAGE_WRITECOMBINE, PRODUCT_ENTERPRISE_SERVER_V, GetDllDirectoryA,
BY_HANDLE_FILE_INFORMATION, VER_AND, GetNativeSystemInfo, VFT_APP, Heap32ListFirst, COMMON_LVB_GRID_LVERTICAL,
GetFinalPathNameByHandleW, SM_CYFIXEDFRAME, SM_NETWORK, GetFinalPathNameByHandleA, PRODUCT_SERVER_FOR_SMALLBUSINESS,
INITIAL_FPCSR, VS_FF_PRIVATEBUILD, VFT_DLL, ARCH_IA32, PRODUCT_UNLICENSED, RIP_EVENT, GetLargePageMinimum, SLE_WARNING,
CREATE_NO_WINDOW, STATUS_INVALID_DISPOSITION, CHAR_INFO, FILE_MAP_WRITE, DebugActiveProcessStop,
CREATE_PROCESS_DEBUG_INFO, ARCH_I386,
OUTPUT_DEBUG_STRING_EVENT, OS_W7, ARCH_ALPHA, IsWow64Process, SECTION_ALL_ACCESS, PROCESSOR_HITACHI_SH3,
PROCESSOR_HITACHI_SH4, VFT_FONT, DONT_RESOLVE_DLL_REFERENCES, SEC_RESERVE, MEM_DECOMMIT, BACKGROUND_YELLOW,
SM_SWAPBUTTON, SM_DEBUG, SetConsoleCtrlHandler, PROCESS_INFORMATION, Module32First, SM_CYICONSPACING, GetExitCodeThread,
PROC_THREAD_ATTRIBUTE_THREAD, Module32Next, SM_CYICON, SetDllDirectory, DebugActiveProcess, REALTIME_PRIORITY_CLASS,
SM_CXSIZEFRAME, CTRL_C_EVENT, MUTEX_ALL_ACCESS, VER_MAJORVERSION, DBG_UNABLE_TO_PROVIDE_HANDLE, RtlPcToFileHeader,
PRODUCT_BUSINESS_N, SM_CXMINSPACING,
TRUNCATE_EXISTING, SM_CXHTHUMB, DebugBreakProcess, ARCH_AARCH64, VER_SUITE_SMALLBUSINESS, PROCESSOR_MOTOROLA_821,
THREAD_ALERT, IDLE_PRIORITY_CLASS, PRODUCT_WEB_SERVER_CORE, SM_CMETRICS, AttachConsole, GlobalDeleteAtom,
THREAD_BASE_PRIORITY_MAX, WaitForSingleObjectEx, VFT_VXD, MODULEENTRY32, FILE_ATTRIBUTE_TEMPORARY, OS_WINDOWS_2008,
OS_WINDOWS_2003, OS_WINDOWS_2000, LOAD_IGNORE_CODE_AUTHZ_LEVEL, STATUS_USER_APC, SetSearchPathMode, THREAD_SET_CONTEXT,
STATUS_FLOAT_MULTIPLE_TRAPS, PROCESS_MODE_BACKGROUND_END, PRODUCT_UNDEFINED, PRODUCT_STARTER_N, PRODUCT_STARTER_E,
CTRL_BREAK_EVENT, WOW64_MAXIMUM_SUPPORTED_EXTENSION,
FILE_ATTRIBUTE_NORMAL, HANDLE_FLAG_PROTECT_FROM_CLOSE, SM_CYHSCROLL, OS_UNKNOWN, SM_CYMENUCHECK, WRITE_WATCH_FLAG_RESET,
context_amd64, PROCESSOR_INTEL_PENTIUM, FOREGROUND_INTENSITY, ACCESS_VIOLATION_TYPE_DEP, STATUS_INVALID_INFO_CLASS,
DBG_CONTINUE, GetCurrentProcessId, GetFullPathNameA, SetEvent, QueryDosDeviceA, PCONTEXT, LPOSVERSIONINFOA,
QueryDosDeviceW, GetFullPathNameW, LPOSVERSIONINFOW, ProcThreadAttributeMitigationPolicy, SM_SHOWSOUNDS,
PRODUCT_HOME_BASIC_E, PRODUCT_HOME_BASIC_N, LPPROCESS_INFORMATION, GetPriorityClass, SM_CYMENU,
VFT2_DRV_VERSIONEDPRINTER, PRODUCT_CLUSTER_SERVER,
ARCH_ARM8, ARCH_ARM7, VOS_DOS_WINDOWS16, COMMON_LVB_GRID_RVERTICAL, DebugSetProcessKillOnExit, OS_W2K8R2_64,
STATUS_NO_MEMORY, FILE_NAME_OPENED, OS_W2K8R2, SM_MEDIACENTER, VFT2_FONT_RASTER, PROCESS_QUERY_INFORMATION,
SECTION_MAP_EXECUTE_EXPLICIT, PSMALL_RECT, SetConsoleWindowInfo, PRODUCT_MEDIUMBUSINESS_SERVER_MANAGEMENT,
GetFileVersionInfo, EXCEPTION_ILLEGAL_INSTRUCTION, TerminateThread, OpenMutex, SM_CXFIXEDFRAME, NTDDI_VISTASP1,
LDT_ENTRY_BYTES, WOW64_SIZE_OF_80387_REGISTERS, FILE_ATTRIBUTE_DIRECTORY, VER_SERVICEPACKMINOR, VFT2_DRV_PRINTER,
NTDDI_WINNT4, BACKGROUND_BLACK, THREAD_SET_INFORMATION, STARTUPINFOW,
LoadLibrary, GetFullPathName, GetProductInfo, STD_ERROR_HANDLE, STATUS_FLOAT_DENORMAL_OPERAND, PROCESS_SUSPEND_RESUME,
PROC_THREAD_ATTRIBUTE_IDEAL_PROCESSOR, OSVERSIONINFOEXW, GetProcessIdOfThread, OSVERSIONINFOEXA,
PRODUCT_SERVER_FOUNDATION, SEM_NOALIGNMENTFAULTEXCEPT, VER_SUITENAME, Wow64EnableWow64FsRedirection,
MAXIMUM_SUPPORTED_EXTENSION, VER_BUILDNUMBER, OS_W2K, PROC_THREAD_ATTRIBUTE_UMS_THREAD, Context, BACKGROUND_GREEN,
SPVERSION_MASK, CREATE_PROTECTED_PROCESS

Name                          Description
WTS_CURRENT_SERVER_HANDLE     Value: 0
WTS_CURRENT_SESSION           Value: 1
WTSInitialProgram             Value: 0
WTSApplicationName            Value: 1
WTSWorkingDirectory           Value: 2
WTSOEMId                      Value: 3
WTSSessionId                  Value: 4
WTSUserName                   Value: 5

Name                          Description
WTSWinStationName             Value: 6
WTSDomainName                 Value: 7
WTSConnectState               Value: 8
WTSClientBuildNumber          Value: 9
WTSClientName                 Value: 10
WTSClientDirectory            Value: 11
WTSClientProductId            Value: 12
WTSClientHardwareId           Value: 13
WTSClientAddress              Value: 14
WTSClientDisplay              Value: 15
WTSClientProtocolType         Value: 16
WTSIdleTime                   Value: 17
WTSLogonTime                  Value: 18
WTSIncomingBytes              Value: 19
WTSOutgoingBytes              Value: 20
WTSIncomingFrames             Value: 21
WTSOutgoingFrames             Value: 22
WTSClientInfo                 Value: 23
WTSSessionInfo                Value: 24
WTSSessionInfoEx              Value: 25
WTSConfigInfo                 Value: 26
WTSValidationInfo             Value: 27
WTSSessionAddressV4           Value: 28
WTSIsRemoteSession            Value: 29
WTSActive                     Value: 0
WTSConnected                  Value: 1
WTSConnectQuery               Value: 2
WTSShadow                     Value: 3
WTSDisconnected               Value: 4
WTSIdle                       Value: 5
WTSListen                     Value: 6
WTSReset                      Value: 7
WTSDown                       Value: 8
WTSInit                       Value: 9
WTSEnumerateProcesses         Value: DefaultStringType(WTSEnumerateProcessesA, WTSEnumeratePro...

33 Module winappdbg.window

Window instrumentation.

33.1 Classes

Instrumentation
  Window: Interface to an open window in the current desktop. (Section 397, p. 1163)

34 Class ctypes.c_byte

object
  ??._CData
    ctypes._SimpleCData
      ctypes.c_byte

34.1 Methods

Inherited from ctypes._SimpleCData: __ctypes_from_outparam__(), __init__(), __new__(), __nonzero__(), __repr__()
Inherited from ??._CData: __hash__(), __reduce__(), __setstate__()
Inherited from object: __delattr__(), __format__(), __getattribute__(), __reduce_ex__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()

34.2 Properties

Name                          Description
Inherited from ctypes._SimpleCData: value
Inherited from ??._CData: _b_base_, _b_needsfree_
Inherited from object: __class__

34.3 Class Variables

Name                          Description
_type_                        Value: b

35 Class ctypes.c_char

object
  ??._CData
    ctypes._SimpleCData
      ctypes.c_char

35.1 Methods

Inherited from ctypes._SimpleCData: __ctypes_from_outparam__(), __init__(), __new__(), __nonzero__(), __repr__()
Inherited from ??._CData: __hash__(), __reduce__(), __setstate__()
Inherited from object: __delattr__(), __format__(), __getattribute__(), __reduce_ex__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()

35.2 Properties

Name                          Description
Inherited from ctypes._SimpleCData: value
Inherited from ??._CData: _b_base_, _b_needsfree_
Inherited from object: __class__

35.3 Class Variables

Name                          Description
_type_                        Value: c

36 Class ctypes.c_char_p

object
  ??._CData
    ctypes._SimpleCData
      ctypes.c_char_p

36.1 Methods

__repr__(self)
    repr(x)
    Overrides: object.__repr__ (inherited documentation)

from_param(...)

Inherited from ctypes._SimpleCData: __ctypes_from_outparam__(), __init__(), __new__(), __nonzero__()
Inherited from ??._CData: __hash__(), __reduce__(), __setstate__()
Inherited from object: __delattr__(), __format__(), __getattribute__(), __reduce_ex__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()

36.2 Properties

Name                          Description
Inherited from ctypes._SimpleCData: value
Inherited from ??._CData: _b_base_, _b_needsfree_
Inherited from object: __class__

36.3 Class Variables

Name                          Description
_type_                        Value: z

37 Class ctypes.c_float

object
  ??._CData
    ctypes._SimpleCData
      ctypes.c_float

37.1 Methods

Inherited from ctypes._SimpleCData: __ctypes_from_outparam__(), __init__(), __new__(), __nonzero__(), __repr__()
Inherited from ??._CData: __hash__(), __reduce__(), __setstate__()
Inherited from object: __delattr__(), __format__(), __getattribute__(), __reduce_ex__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()

37.2 Properties

Name                          Description
Inherited from ctypes._SimpleCData: value
Inherited from ??._CData: _b_base_, _b_needsfree_
Inherited from object: __class__

37.3 Class Variables

Name                          Description
_type_                        Value: f

38 Class ctypes.c_float.__ctype_be__

object
  ??._CData
    ctypes._SimpleCData
      ctypes.c_float.__ctype_be__

38.1 Methods

Inherited from ctypes._SimpleCData: __ctypes_from_outparam__(), __init__(), __new__(), __nonzero__(), __repr__()
Inherited from ??._CData: __hash__(), __reduce__(), __setstate__()
Inherited from object: __delattr__(), __format__(), __getattribute__(), __reduce_ex__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()

38.2 Properties

Name                          Description
Inherited from ctypes._SimpleCData: value
Inherited from ??._CData: _b_base_, _b_needsfree_
Inherited from object: __class__

38.3 Class Variables

Name                          Description
_type_                        Value: f

Class Variables

39

Class ctypes.c long

Class ctypes.c long

object
??. CData
ctypes. SimpleCData
ctypes.c long
39.1

Methods

Inherited from ctypes. SimpleCData


ctypes from outparam (),

init (),

new (),

nonzero (),

repr ()

Inherited from ??. CData


hash (),

reduce (),

setstate ()

Inherited from object


delattr (), format (), getattribute (), reduce ex (), setattr (), sizeof (),
str (), subclasshook ()
39.2

Properties
Inherited
value
Inherited
b base ,
Inherited
class

39.3

Name
from ctypes. SimpleCData

Description

from ??. CData


b needsfree
from object

Class Variables
Name
type

Description
Value: l

40 Class ctypes.c_long.__ctype_be__

object
  _ctypes._CData
    ctypes._SimpleCData
      ctypes.c_long.__ctype_be__

40.1 Methods

Inherited from ctypes._SimpleCData: __ctypes_from_outparam__(), __init__(), __new__(), __nonzero__(), __repr__()
Inherited from _ctypes._CData: __hash__(), __reduce__(), __setstate__()
Inherited from object: __delattr__(), __format__(), __getattribute__(), __reduce_ex__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()

40.2 Properties

Inherited from ctypes._SimpleCData: value
Inherited from _ctypes._CData: _b_base_, _b_needsfree_
Inherited from object: __class__

40.3 Class Variables

Name            Description
_type_          Value: 'l'

41 Class ctypes.c_longlong

object
  _ctypes._CData
    ctypes._SimpleCData
      ctypes.c_longlong

41.1 Methods

Inherited from ctypes._SimpleCData: __ctypes_from_outparam__(), __init__(), __new__(), __nonzero__(), __repr__()
Inherited from _ctypes._CData: __hash__(), __reduce__(), __setstate__()
Inherited from object: __delattr__(), __format__(), __getattribute__(), __reduce_ex__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()

41.2 Properties

Inherited from ctypes._SimpleCData: value
Inherited from _ctypes._CData: _b_base_, _b_needsfree_
Inherited from object: __class__

41.3 Class Variables

Name            Description
_type_          Value: 'q'

42 Class ctypes.c_longlong.__ctype_be__

object
  _ctypes._CData
    ctypes._SimpleCData
      ctypes.c_longlong.__ctype_be__

42.1 Methods

Inherited from ctypes._SimpleCData: __ctypes_from_outparam__(), __init__(), __new__(), __nonzero__(), __repr__()
Inherited from _ctypes._CData: __hash__(), __reduce__(), __setstate__()
Inherited from object: __delattr__(), __format__(), __getattribute__(), __reduce_ex__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()

42.2 Properties

Inherited from ctypes._SimpleCData: value
Inherited from _ctypes._CData: _b_base_, _b_needsfree_
Inherited from object: __class__

42.3 Class Variables

Name            Description
_type_          Value: 'q'

43 Class ctypes.c_short

object
  _ctypes._CData
    ctypes._SimpleCData
      ctypes.c_short

43.1 Methods

Inherited from ctypes._SimpleCData: __ctypes_from_outparam__(), __init__(), __new__(), __nonzero__(), __repr__()
Inherited from _ctypes._CData: __hash__(), __reduce__(), __setstate__()
Inherited from object: __delattr__(), __format__(), __getattribute__(), __reduce_ex__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()

43.2 Properties

Inherited from ctypes._SimpleCData: value
Inherited from _ctypes._CData: _b_base_, _b_needsfree_
Inherited from object: __class__

43.3 Class Variables

Name            Description
_type_          Value: 'h'

44 Class ctypes.c_short.__ctype_be__

object
  _ctypes._CData
    ctypes._SimpleCData
      ctypes.c_short.__ctype_be__

44.1 Methods

Inherited from ctypes._SimpleCData: __ctypes_from_outparam__(), __init__(), __new__(), __nonzero__(), __repr__()
Inherited from _ctypes._CData: __hash__(), __reduce__(), __setstate__()
Inherited from object: __delattr__(), __format__(), __getattribute__(), __reduce_ex__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()

44.2 Properties

Inherited from ctypes._SimpleCData: value
Inherited from _ctypes._CData: _b_base_, _b_needsfree_
Inherited from object: __class__

44.3 Class Variables

Name            Description
_type_          Value: 'h'

45 Class ctypes.c_ubyte

object
  _ctypes._CData
    ctypes._SimpleCData
      ctypes.c_ubyte

45.1 Methods

Inherited from ctypes._SimpleCData: __ctypes_from_outparam__(), __init__(), __new__(), __nonzero__(), __repr__()
Inherited from _ctypes._CData: __hash__(), __reduce__(), __setstate__()
Inherited from object: __delattr__(), __format__(), __getattribute__(), __reduce_ex__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()

45.2 Properties

Inherited from ctypes._SimpleCData: value
Inherited from _ctypes._CData: _b_base_, _b_needsfree_
Inherited from object: __class__

45.3 Class Variables

Name            Description
_type_          Value: 'B'

46 Class ctypes.c_ulong

object
  _ctypes._CData
    ctypes._SimpleCData
      ctypes.c_ulong

46.1 Methods

Inherited from ctypes._SimpleCData: __ctypes_from_outparam__(), __init__(), __new__(), __nonzero__(), __repr__()
Inherited from _ctypes._CData: __hash__(), __reduce__(), __setstate__()
Inherited from object: __delattr__(), __format__(), __getattribute__(), __reduce_ex__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()

46.2 Properties

Inherited from ctypes._SimpleCData: value
Inherited from _ctypes._CData: _b_base_, _b_needsfree_
Inherited from object: __class__

46.3 Class Variables

Name            Description
_type_          Value: 'L'

47 Class ctypes.c_ulong.__ctype_be__

object
  _ctypes._CData
    ctypes._SimpleCData
      ctypes.c_ulong.__ctype_be__

47.1 Methods

Inherited from ctypes._SimpleCData: __ctypes_from_outparam__(), __init__(), __new__(), __nonzero__(), __repr__()
Inherited from _ctypes._CData: __hash__(), __reduce__(), __setstate__()
Inherited from object: __delattr__(), __format__(), __getattribute__(), __reduce_ex__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()

47.2 Properties

Inherited from ctypes._SimpleCData: value
Inherited from _ctypes._CData: _b_base_, _b_needsfree_
Inherited from object: __class__

47.3 Class Variables

Name            Description
_type_          Value: 'L'

48 Class ctypes.c_ulonglong

object
  _ctypes._CData
    ctypes._SimpleCData
      ctypes.c_ulonglong

48.1 Methods

Inherited from ctypes._SimpleCData: __ctypes_from_outparam__(), __init__(), __new__(), __nonzero__(), __repr__()
Inherited from _ctypes._CData: __hash__(), __reduce__(), __setstate__()
Inherited from object: __delattr__(), __format__(), __getattribute__(), __reduce_ex__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()

48.2 Properties

Inherited from ctypes._SimpleCData: value
Inherited from _ctypes._CData: _b_base_, _b_needsfree_
Inherited from object: __class__

48.3 Class Variables

Name            Description
_type_          Value: 'Q'

49 Class ctypes.c_ulonglong.__ctype_be__

object
  _ctypes._CData
    ctypes._SimpleCData
      ctypes.c_ulonglong.__ctype_be__

49.1 Methods

Inherited from ctypes._SimpleCData: __ctypes_from_outparam__(), __init__(), __new__(), __nonzero__(), __repr__()
Inherited from _ctypes._CData: __hash__(), __reduce__(), __setstate__()
Inherited from object: __delattr__(), __format__(), __getattribute__(), __reduce_ex__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()

49.2 Properties

Inherited from ctypes._SimpleCData: value
Inherited from _ctypes._CData: _b_base_, _b_needsfree_
Inherited from object: __class__

49.3 Class Variables

Name            Description
_type_          Value: 'Q'

50 Class ctypes.c_ushort

object
  _ctypes._CData
    ctypes._SimpleCData
      ctypes.c_ushort

50.1 Methods

Inherited from ctypes._SimpleCData: __ctypes_from_outparam__(), __init__(), __new__(), __nonzero__(), __repr__()
Inherited from _ctypes._CData: __hash__(), __reduce__(), __setstate__()
Inherited from object: __delattr__(), __format__(), __getattribute__(), __reduce_ex__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()

50.2 Properties

Inherited from ctypes._SimpleCData: value
Inherited from _ctypes._CData: _b_base_, _b_needsfree_
Inherited from object: __class__

50.3 Class Variables

Name            Description
_type_          Value: 'H'

51 Class ctypes.c_ushort.__ctype_be__

object
  _ctypes._CData
    ctypes._SimpleCData
      ctypes.c_ushort.__ctype_be__

51.1 Methods

Inherited from ctypes._SimpleCData: __ctypes_from_outparam__(), __init__(), __new__(), __nonzero__(), __repr__()
Inherited from _ctypes._CData: __hash__(), __reduce__(), __setstate__()
Inherited from object: __delattr__(), __format__(), __getattribute__(), __reduce_ex__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()

51.2 Properties

Inherited from ctypes._SimpleCData: value
Inherited from _ctypes._CData: _b_base_, _b_needsfree_
Inherited from object: __class__

51.3 Class Variables

Name            Description
_type_          Value: 'H'

52 Class ctypes.c_void_p

object
  _ctypes._CData
    ctypes._SimpleCData
      ctypes.c_void_p

52.1 Methods

from_param(...)

Inherited from ctypes._SimpleCData: __ctypes_from_outparam__(), __init__(), __new__(), __nonzero__(), __repr__()
Inherited from _ctypes._CData: __hash__(), __reduce__(), __setstate__()
Inherited from object: __delattr__(), __format__(), __getattribute__(), __reduce_ex__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()

52.2 Properties

Inherited from ctypes._SimpleCData: value
Inherited from _ctypes._CData: _b_base_, _b_needsfree_
Inherited from object: __class__

52.3 Class Variables

Name            Description
_type_          Value: 'P'

53 Class ctypes.c_wchar

object
  _ctypes._CData
    ctypes._SimpleCData
      ctypes.c_wchar

53.1 Methods

Inherited from ctypes._SimpleCData: __ctypes_from_outparam__(), __init__(), __new__(), __nonzero__(), __repr__()
Inherited from _ctypes._CData: __hash__(), __reduce__(), __setstate__()
Inherited from object: __delattr__(), __format__(), __getattribute__(), __reduce_ex__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()

53.2 Properties

Inherited from ctypes._SimpleCData: value
Inherited from _ctypes._CData: _b_base_, _b_needsfree_
Inherited from object: __class__

53.3 Class Variables

Name            Description
_type_          Value: 'u'

54 Class ctypes.c_wchar_p

object
  _ctypes._CData
    ctypes._SimpleCData
      ctypes.c_wchar_p

54.1 Methods

from_param(...)

Inherited from ctypes._SimpleCData: __ctypes_from_outparam__(), __init__(), __new__(), __nonzero__(), __repr__()
Inherited from _ctypes._CData: __hash__(), __reduce__(), __setstate__()
Inherited from object: __delattr__(), __format__(), __getattribute__(), __reduce_ex__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()

54.2 Properties

Inherited from ctypes._SimpleCData: value
Inherited from _ctypes._CData: _b_base_, _b_needsfree_
Inherited from object: __class__

54.3 Class Variables

Name            Description
_type_          Value: 'Z'

55 Class str

object
  basestring
    str

str(object='') -> string

Return a nice string representation of the object. If the argument is a string, the return value is the same object.

55.1 Methods

__add__(x, y)
    x+y

__contains__(x, y)
    y in x

__eq__(x, y)
    x==y

__format__(S, format_spec)
    Return a formatted version of S as described by format_spec.
    Return Value: string
    Overrides: object.__format__

__ge__(x, y)
    x>=y

__getattribute__(...)
    x.__getattribute__('name') <==> x.name
    Overrides: object.__getattribute__

__getitem__(x, y)
    x[y]

__getnewargs__(...)

__getslice__(x, i, j)
    x[i:j]
    Use of negative indices is not supported.

__gt__(x, y)
    x>y

__hash__(x)
    hash(x)
    Overrides: object.__hash__

__le__(x, y)
    x<=y

__len__(x)
    len(x)

__lt__(x, y)
    x<y

__mod__(x, y)
    x%y

__mul__(x, n)
    x*n

__ne__(x, y)
    x!=y

__new__(T, S, ...)
    Return Value: a new object with type S, a subtype of T
    Overrides: object.__new__

__repr__(x)
    repr(x)
    Overrides: object.__repr__

__rmod__(x, y)
    y%x

__rmul__(x, n)
    n*x

__sizeof__(S)
    size of object in memory, in bytes
    Return Value: size of S in memory, in bytes
    Overrides: object.__sizeof__

__str__(x)
    str(x)
    Overrides: object.__str__

capitalize(S)
    Return a copy of the string S with only its first character capitalized.
    Return Value: string

center(S, width, fillchar=...)
    Return S centered in a string of length width. Padding is done using the specified fill character (default is a space).
    Return Value: string

count(S, sub, start=..., end=...)
    Return the number of non-overlapping occurrences of substring sub in string S[start:end]. Optional arguments start and end are interpreted as in slice notation.
    Return Value: int

decode(S, encoding=..., errors=...)
    Decodes S using the codec registered for encoding. encoding defaults to the default encoding. errors may be given to set a different error handling scheme. Default is 'strict' meaning that encoding errors raise a UnicodeDecodeError. Other possible values are 'ignore' and 'replace' as well as any other name registered with codecs.register_error that is able to handle UnicodeDecodeErrors.
    Return Value: object

encode(S, encoding=..., errors=...)
    Encodes S using the codec registered for encoding. encoding defaults to the default encoding. errors may be given to set a different error handling scheme. Default is 'strict' meaning that encoding errors raise a UnicodeEncodeError. Other possible values are 'ignore', 'replace' and 'xmlcharrefreplace' as well as any other name registered with codecs.register_error that is able to handle UnicodeEncodeErrors.
    Return Value: object

endswith(S, suffix, start=..., end=...)
    Return True if S ends with the specified suffix, False otherwise. With optional start, test S beginning at that position. With optional end, stop comparing S at that position. suffix can also be a tuple of strings to try.
    Return Value: bool

expandtabs(S, tabsize=...)
    Return a copy of S where all tab characters are expanded using spaces. If tabsize is not given, a tab size of 8 characters is assumed.
    Return Value: string

find(S, sub, start=..., end=...)
    Return the lowest index in S where substring sub is found, such that sub is contained within S[start:end]. Optional arguments start and end are interpreted as in slice notation.
    Return -1 on failure.
    Return Value: int

format(S, *args, **kwargs)
    Return a formatted version of S, using substitutions from args and kwargs. The substitutions are identified by braces ('{' and '}').
    Return Value: string

index(S, sub, start=..., end=...)
    Like S.find() but raise ValueError when the substring is not found.
    Return Value: int

isalnum(S)
    Return True if all characters in S are alphanumeric and there is at least one character in S, False otherwise.
    Return Value: bool

isalpha(S)
    Return True if all characters in S are alphabetic and there is at least one character in S, False otherwise.
    Return Value: bool

isdigit(S)
    Return True if all characters in S are digits and there is at least one character in S, False otherwise.
    Return Value: bool

islower(S)
    Return True if all cased characters in S are lowercase and there is at least one cased character in S, False otherwise.
    Return Value: bool

isspace(S)
    Return True if all characters in S are whitespace and there is at least one character in S, False otherwise.
    Return Value: bool

istitle(S)
    Return True if S is a titlecased string and there is at least one character in S, i.e. uppercase characters may only follow uncased characters and lowercase characters only cased ones. Return False otherwise.
    Return Value: bool

isupper(S)
    Return True if all cased characters in S are uppercase and there is at least one cased character in S, False otherwise.
    Return Value: bool

join(S, iterable)
    Return a string which is the concatenation of the strings in the iterable. The separator between elements is S.
    Return Value: string

ljust(S, width, fillchar=...)
    Return S left-justified in a string of length width. Padding is done using the specified fill character (default is a space).
    Return Value: string

lower(S)
    Return a copy of the string S converted to lowercase.
    Return Value: string

lstrip(S, chars=...)
    Return a copy of the string S with leading whitespace removed. If chars is given and not None, remove characters in chars instead. If chars is unicode, S will be converted to unicode before stripping.
    Return Value: string or unicode

partition(S, sep)
    Search for the separator sep in S, and return the part before it, the separator itself, and the part after it. If the separator is not found, return S and two empty strings.
    Return Value: (head, sep, tail)

replace(S, old, new, count=...)
    Return a copy of string S with all occurrences of substring old replaced by new. If the optional argument count is given, only the first count occurrences are replaced.
    Return Value: string

rfind(S, sub, start=..., end=...)
    Return the highest index in S where substring sub is found, such that sub is contained within S[start:end]. Optional arguments start and end are interpreted as in slice notation.
    Return -1 on failure.
    Return Value: int

rindex(S, sub, start=..., end=...)
    Like S.rfind() but raise ValueError when the substring is not found.
    Return Value: int

rjust(S, width, fillchar=...)
    Return S right-justified in a string of length width. Padding is done using the specified fill character (default is a space).
    Return Value: string

rpartition(S, sep)
    Search for the separator sep in S, starting at the end of S, and return the part before it, the separator itself, and the part after it. If the separator is not found, return two empty strings and S.
    Return Value: (head, sep, tail)

rsplit(S, sep=..., maxsplit=...)
    Return a list of the words in the string S, using sep as the delimiter string, starting at the end of the string and working to the front. If maxsplit is given, at most maxsplit splits are done. If sep is not specified or is None, any whitespace string is a separator.
    Return Value: list of strings

rstrip(S, chars=...)
    Return a copy of the string S with trailing whitespace removed. If chars is given and not None, remove characters in chars instead. If chars is unicode, S will be converted to unicode before stripping.
    Return Value: string or unicode

split(S, sep=..., maxsplit=...)
    Return a list of the words in the string S, using sep as the delimiter string. If maxsplit is given, at most maxsplit splits are done. If sep is not specified or is None, any whitespace string is a separator and empty strings are removed from the result.
    Return Value: list of strings

splitlines(S, keepends=False)
    Return a list of the lines in S, breaking at line boundaries. Line breaks are not included in the resulting list unless keepends is given and true.
    Return Value: list of strings

startswith(S, prefix, start=..., end=...)
    Return True if S starts with the specified prefix, False otherwise. With optional start, test S beginning at that position. With optional end, stop comparing S at that position. prefix can also be a tuple of strings to try.
    Return Value: bool

strip(S, chars=...)
    Return a copy of the string S with leading and trailing whitespace removed. If chars is given and not None, remove characters in chars instead. If chars is unicode, S will be converted to unicode before stripping.
    Return Value: string or unicode

swapcase(S)
    Return a copy of the string S with uppercase characters converted to lowercase and vice versa.
    Return Value: string

title(S)
    Return a titlecased version of S, i.e. words start with uppercase characters, all remaining cased characters have lowercase.
    Return Value: string

translate(S, table, deletechars=...)
    Return a copy of the string S, where all characters occurring in the optional argument deletechars are removed, and the remaining characters have been mapped through the given translation table, which must be a string of length 256 or None. If the table argument is None, no translation is applied and the operation simply removes the characters in deletechars.
    Return Value: string

upper(S)
    Return a copy of the string S converted to uppercase.
    Return Value: string

zfill(S, width)
    Pad a numeric string S with zeros on the left, to fill a field of the specified width. The string S is never truncated.
    Return Value: string

Inherited from object: __delattr__(), __init__(), __reduce__(), __reduce_ex__(), __setattr__(), __subclasshook__()

55.2 Properties

Inherited from object: __class__

56 Class unicode

object
  basestring
    unicode

unicode(object='') -> unicode object
unicode(string[, encoding[, errors]]) -> unicode object

Create a new Unicode object from the given encoded string. encoding defaults to the current default string encoding. errors can be 'strict', 'replace' or 'ignore' and defaults to 'strict'.

56.1 Methods

__add__(x, y)
    x+y

__contains__(x, y)
    y in x

__eq__(x, y)
    x==y

__format__(S, format_spec)
    Return a formatted version of S as described by format_spec.
    Return Value: unicode
    Overrides: object.__format__

__ge__(x, y)
    x>=y

__getattribute__(...)
    x.__getattribute__('name') <==> x.name
    Overrides: object.__getattribute__

__getitem__(x, y)
    x[y]

__getnewargs__(...)

__getslice__(x, i, j)
    x[i:j]
    Use of negative indices is not supported.

__gt__(x, y)
    x>y

__hash__(x)
    hash(x)
    Overrides: object.__hash__

__le__(x, y)
    x<=y

__len__(x)
    len(x)

__lt__(x, y)
    x<y

__mod__(x, y)
    x%y

__mul__(x, n)
    x*n

__ne__(x, y)
    x!=y

__new__(T, S, ...)
    Return Value: a new object with type S, a subtype of T
    Overrides: object.__new__

__repr__(x)
    repr(x)
    Overrides: object.__repr__

__rmod__(x, y)
    y%x

__rmul__(x, n)
    n*x

__sizeof__(S)
    size of object in memory, in bytes
    Return Value: size of S in memory, in bytes
    Overrides: object.__sizeof__

__str__(x)
    str(x)
    Overrides: object.__str__

capitalize(S)
    Return a capitalized version of S, i.e. make the first character have upper case and the rest lower case.
    Return Value: unicode

center(S, width, fillchar=...)
    Return S centered in a Unicode string of length width. Padding is done using the specified fill character (default is a space).
    Return Value: unicode

count(S, sub, start=..., end=...)
    Return the number of non-overlapping occurrences of substring sub in Unicode string S[start:end]. Optional arguments start and end are interpreted as in slice notation.
    Return Value: int

decode(S, encoding=..., errors=...)
    Decodes S using the codec registered for encoding. encoding defaults to the default encoding. errors may be given to set a different error handling scheme. Default is 'strict' meaning that encoding errors raise a UnicodeDecodeError. Other possible values are 'ignore' and 'replace' as well as any other name registered with codecs.register_error that is able to handle UnicodeDecodeErrors.
    Return Value: string or unicode

encode(S, encoding=..., errors=...)
    Encodes S using the codec registered for encoding. encoding defaults to the default encoding. errors may be given to set a different error handling scheme. Default is 'strict' meaning that encoding errors raise a UnicodeEncodeError. Other possible values are 'ignore', 'replace' and 'xmlcharrefreplace' as well as any other name registered with codecs.register_error that can handle UnicodeEncodeErrors.
    Return Value: string or unicode

endswith(S, suffix, start=..., end=...)
    Return True if S ends with the specified suffix, False otherwise. With optional start, test S beginning at that position. With optional end, stop comparing S at that position. suffix can also be a tuple of strings to try.
    Return Value: bool

expandtabs(S, tabsize=...)
    Return a copy of S where all tab characters are expanded using spaces. If tabsize is not given, a tab size of 8 characters is assumed.
    Return Value: unicode

find(S, sub, start=..., end=...)
    Return the lowest index in S where substring sub is found, such that sub is contained within S[start:end]. Optional arguments start and end are interpreted as in slice notation.
    Return -1 on failure.
    Return Value: int

format(S, *args, **kwargs)
    Return a formatted version of S, using substitutions from args and kwargs. The substitutions are identified by braces ('{' and '}').
    Return Value: unicode

index(S, sub, start=..., end=...)
    Like S.find() but raise ValueError when the substring is not found.
    Return Value: int

isalnum(S)
    Return True if all characters in S are alphanumeric and there is at least one character in S, False otherwise.
    Return Value: bool

isalpha(S)
    Return True if all characters in S are alphabetic and there is at least one character in S, False otherwise.
    Return Value: bool

isdecimal(S)
    Return True if there are only decimal characters in S, False otherwise.
    Return Value: bool

isdigit(S)
    Return True if all characters in S are digits and there is at least one character in S, False otherwise.
    Return Value: bool

islower(S)
    Return True if all cased characters in S are lowercase and there is at least one cased character in S, False otherwise.
    Return Value: bool

isnumeric(S)
    Return True if there are only numeric characters in S, False otherwise.
    Return Value: bool

isspace(S)
    Return True if all characters in S are whitespace and there is at least one character in S, False otherwise.
    Return Value: bool

istitle(S)
    Return True if S is a titlecased string and there is at least one character in S, i.e. upper- and titlecase characters may only follow uncased characters and lowercase characters only cased ones. Return False otherwise.
    Return Value: bool

isupper(S)
    Return True if all cased characters in S are uppercase and there is at least one cased character in S, False otherwise.
    Return Value: bool

join(S, iterable)
    Return a string which is the concatenation of the strings in the iterable. The separator between elements is S.
    Return Value: unicode

ljust(S, width, fillchar=...)
    Return S left-justified in a Unicode string of length width. Padding is done using the specified fill character (default is a space).
    Return Value: int

lower(S)
    Return a copy of the string S converted to lowercase.
    Return Value: unicode

lstrip(S, chars=...)
    Return a copy of the string S with leading whitespace removed. If chars is given and not None, remove characters in chars instead. If chars is a str, it will be converted to unicode before stripping.
    Return Value: unicode

partition(S, sep)
    Search for the separator sep in S, and return the part before it, the separator itself, and the part after it. If the separator is not found, return S and two empty strings.
    Return Value: (head, sep, tail)

replace(S, old, new, count=...)
    Return a copy of S with all occurrences of substring old replaced by new. If the optional argument count is given, only the first count occurrences are replaced.
    Return Value: unicode

rfind(S, sub, start=..., end=...)
    Return the highest index in S where substring sub is found, such that sub is contained within S[start:end]. Optional arguments start and end are interpreted as in slice notation.
    Return -1 on failure.
    Return Value: int

rindex(S, sub, start=..., end=...)
    Like S.rfind() but raise ValueError when the substring is not found.
    Return Value: int

rjust(S, width, fillchar=...)
    Return S right-justified in a Unicode string of length width. Padding is done using the specified fill character (default is a space).
    Return Value: unicode

rpartition(S, sep)
    Search for the separator sep in S, starting at the end of S, and return the part before it, the separator itself, and the part after it. If the separator is not found, return two empty strings and S.
    Return Value: (head, sep, tail)

rsplit(S, sep=..., maxsplit=...)
    Return a list of the words in S, using sep as the delimiter string, starting at the end of the string and working to the front. If maxsplit is given, at most maxsplit splits are done. If sep is not specified, any whitespace string is a separator.
    Return Value: list of strings

rstrip(S, chars=...)
    Return a copy of the string S with trailing whitespace removed. If chars is given and not None, remove characters in chars instead. If chars is a str, it will be converted to unicode before stripping.
    Return Value: unicode

split(S, sep=..., maxsplit=...)
    Return a list of the words in S, using sep as the delimiter string. If maxsplit is given, at most maxsplit splits are done. If sep is not specified or is None, any whitespace string is a separator and empty strings are removed from the result.
    Return Value: list of strings

splitlines(S, keepends=False)
    Return a list of the lines in S, breaking at line boundaries. Line breaks are not included in the resulting list unless keepends is given and true.
    Return Value: list of strings

startswith(S, prefix, start=..., end=...)
    Return True if S starts with the specified prefix, False otherwise. With optional start, test S beginning at that position. With optional end, stop comparing S at that position. prefix can also be a tuple of strings to try.
    Return Value: bool

strip(S, chars=...)
    Return a copy of the string S with leading and trailing whitespace removed. If chars is given and not None, remove characters in chars instead. If chars is a str, it will be converted to unicode before stripping.
    Return Value: unicode

swapcase(S)
    Return a copy of S with uppercase characters converted to lowercase and vice versa.
    Return Value: unicode

title(S)
    Return a titlecased version of S, i.e. words start with title case characters, all remaining cased characters have lower case.
    Return Value: unicode

translate(S, table)
    Return a copy of the string S, where all characters have been mapped through the given translation table, which must be a mapping of Unicode ordinals to Unicode ordinals, Unicode strings or None. Unmapped characters are left untouched. Characters mapped to None are deleted.
    Return Value: unicode

upper(S)
    Return a copy of S converted to uppercase.
    Return Value: unicode

zfill(S, width)
    Pad a numeric string S with zeros on the left, to fill a field of the specified width. The string S is never truncated.
    Return Value: unicode

Inherited from object: __delattr__(), __init__(), __reduce__(), __reduce_ex__(), __setattr__(), __subclasshook__()

56.2 Properties

Inherited from object: __class__

401

Class winappdbg.breakpoint.ApiHook

57

Class winappdbg.breakpoint.ApiHook

object
winappdbg.breakpoint.ApiHook
Used by EventHandler.
This class acts as an action callback for code breakpoints set at the beginning of a function.
It automatically retrieves the parameters from the stack, sets a breakpoint at the return
address and retrieves the return value from the function call.
See Also: EventHandler.apiHooks

402

Class winappdbg.breakpoint.ApiHook

403

Methods

57.1

Class winappdbg.breakpoint.ApiHook

Methods
init (self, eventHandler, modName, procName, paramCount=None,
signature=None)
x. init (...) initializes x; see help(type(x)) for signature
Parameters
eventHandler: Event handler instance. This is where the hook
callbacks are to be defined (see below).
(type=EventHandler)
modName:

Module name.
(type=str)

procName:

Procedure name. The pre and post callbacks will be


deduced from it.
For example, if the procedure is LoadLibraryEx
the callback routines will be pre LoadLibraryEx
and post LoadLibraryEx.
The signature for the callbacks should be something
like this:

def pre LoadLibraryEx(self, event, ra, lpFilename, hFile, dwFla


# return address
ra = params[0]
# function arguments start from here...
szFilename = event.get process().peek string(lpFilename)
# (...)
def post LoadLibraryEx(self, event, return value):
# (...)
Note that all pointer types are treated like void
pointers, so your callback wont get the string or
structure pointed to by it, but the remote memory
address instead. This is so to prevent the ctypes
library from being too helpful and trying to
dereference the pointer. To get the actual data being
pointed to, use one of the Process.read methods.
(type=str)
paramCount:

(Optional) Number of parameters for the preCB


callback, not counting the return address.
404 from the stack and assumed to
Parameters are read
be DWORDs in 32 bits and QWORDs in 64.
This is a faster way to pull stack parameters in 32
bits, but in 64 bits (or with some odd APIs in 32

Properties

Class winappdbg.breakpoint.ApiHook

call (self, event)


Handles the breakpoint event on entry of the function.
Parameters
event: Breakpoint hit event.
(type=ExceptionEvent)
Raises
WindowsError An error occured.
hook(self, debug, pid)
Installs the API hook on a given process and module.
Parameters
debug: Debug object.
(type=Debug)
pid: Process ID.
(type=int)
Warning: Do not call from an API hook callback.

unhook(self, debug, pid)
Removes the API hook from the given process and module.
Parameters
debug: Debug object.
(type=Debug)
pid: Process ID.
(type=int)
Warning: Do not call from an API hook callback.


Inherited from object
__delattr__(), __format__(), __getattribute__(), __hash__(), __new__(), __reduce__(), __reduce_ex__(), __repr__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()
57.2 Properties
Inherited from object: __class__

57.3 Instance Variables
modName
procName

58 Class winappdbg.breakpoint.Breakpoint

object
  winappdbg.breakpoint.Breakpoint

Known Subclasses: winappdbg.breakpoint.CodeBreakpoint, winappdbg.breakpoint.HardwareBreakpoint, winappdbg.breakpoint.PageBreakpoint
Base class for breakpoints. Here's the breakpoint's state machine. [state machine diagram not reproduced; the transitions are listed with the state machine methods below]
See Also: CodeBreakpoint, PageBreakpoint, HardwareBreakpoint

58.1 Methods
__init__(self, address, size=1, condition=True, action=None)
Breakpoint object.
Parameters
address: Memory address for breakpoint.
(type=int)
size: Size of breakpoint in bytes (defaults to 1).
(type=int)
condition: (Optional) Condition callback function.
The callback signature is:

    def condition_callback(event):
        return True     # returns True or False

Where event is an Event object, and the return value is a boolean (True to dispatch the event, False otherwise).
(type=function)
action: (Optional) Action callback function. If specified, the event is handled by this callback instead of being dispatched normally.
The callback signature is:

    def action_callback(event):
        pass            # no return value

Where event is an Event object.
(type=function)
Overrides: object.__init__


__repr__(self)
repr(x)
Overrides: object.__repr__ (inherited documentation)

Inherited from object
__delattr__(), __format__(), __getattribute__(), __hash__(), __new__(), __reduce__(), __reduce_ex__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()

State machine
is_disabled(self)
Return Value
True if the breakpoint is in DISABLED state.
(type=bool)
is_enabled(self)
Return Value
True if the breakpoint is in ENABLED state.
(type=bool)
is_one_shot(self)
Return Value
True if the breakpoint is in ONESHOT state.
(type=bool)
is_running(self)
Return Value
True if the breakpoint is in RUNNING state.
(type=bool)
get_state(self)
Return Value
The current state of the breakpoint (DISABLED, ENABLED, ONESHOT, RUNNING).
(type=int)
get_state_name(self)
Return Value
The name of the current state of the breakpoint.
(type=str)


disable(self, aProcess, aThread)
Transition to DISABLED state.
When hit: OneShot -> Disabled
Forced by user: Enabled, OneShot, Running -> Disabled
Transition from running state may require special handling by the breakpoint implementation class.
Parameters
aProcess: Process object.
(type=Process)
aThread: Thread object.
(type=Thread)
enable(self, aProcess, aThread)
Transition to ENABLED state.
When hit: Running -> Enabled
Forced by user: Disabled, Running -> Enabled
Transition from running state may require special handling by the breakpoint implementation class.
Parameters
aProcess: Process object.
(type=Process)
aThread: Thread object.
(type=Thread)
one_shot(self, aProcess, aThread)
Transition to ONESHOT state.
Forced by user: Disabled -> OneShot
Parameters
aProcess: Process object.
(type=Process)
aThread: Thread object.
(type=Thread)


running(self, aProcess, aThread)
Transition to RUNNING state.
When hit: Enabled -> Running
Parameters
aProcess: Process object.
(type=Process)
aThread: Thread object.
(type=Thread)
hit(self, event)
Notify a breakpoint that it's been hit.
This triggers the corresponding state transition and sets the breakpoint property of the given Event object.
Parameters
event: Debug event to handle (depends on the breakpoint type).
(type=Event)
Raises
AssertionError: Disabled breakpoints can't be hit.
See Also: disable, enable, one_shot, running
Information
is_here(self, address)
Return Value
True if the address is within the range of the breakpoint.
(type=bool)
get_address(self)
Return Value
The target memory address for the breakpoint.
(type=int)


get_size(self)
Return Value
The size in bytes of the breakpoint.
(type=int)
get_span(self)
Return Value
Starting and ending address of the memory range covered by the breakpoint.
(type=tuple( int, int ))
Conditional breakpoints
is_conditional(self)
Return Value
True if the breakpoint has a condition callback defined.
(type=bool)
See Also: __init__
is_unconditional(self)
Return Value
True if the breakpoint doesn't have a condition callback defined.
(type=bool)
get_condition(self)
Return Value
Returns the condition callback for conditional breakpoints. Returns True for unconditional breakpoints.
(type=bool, function)
set_condition(self, condition=True)
Sets a new condition callback for the breakpoint.
Parameters
condition: (Optional) Condition callback function.
(type=function)
See Also: __init__
412

Methods

Class winappdbg.breakpoint.Breakpoint

eval_condition(self, event)
Evaluates the breakpoint condition, if any was set.
Parameters
event: Debug event triggered by the breakpoint.
(type=Event)
Return Value
True to dispatch the event, False otherwise.
(type=bool)
Automatic breakpoints
is_automatic(self)
Return Value
True if the breakpoint has an action callback defined.
(type=bool)
is_interactive(self)
Return Value
True if the breakpoint doesn't have an action callback defined.
(type=bool)
get_action(self)
Return Value
Returns the action callback for automatic breakpoints. Returns None for interactive breakpoints.
(type=bool, function)
set_action(self, action=None)
Sets a new action callback for the breakpoint.
Parameters
action: (Optional) Action callback function.
(type=function)


run_action(self, event)
Executes the breakpoint action callback, if any was set.
Parameters
event: Debug event triggered by the breakpoint.
(type=Event)

58.2 Properties
Inherited from object: __class__

58.3 Class Variables
typeName: User friendly breakpoint type string.
  Value: 'breakpoint' (type=str)
stateNames: User-friendly names for each breakpoint state.
  Value: {0: 'disabled', 1: 'enabled', 2: 'one shot', 3: 'running'} (type=dict { int : str })
Breakpoint states
DISABLED: Disabled -> Enabled, OneShot
  Value: 0 (type=int)
ENABLED: Enabled -> Running, Disabled
  Value: 1 (type=int)
ONESHOT: OneShot -> Disabled
  Value: 2 (type=int)
RUNNING: Running -> Enabled, Disabled
  Value: 3 (type=int)
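As an added illustration (not code from WinAppDbg or its documentation), the state machine and the condition/action contract documented for this class, modelled in pure Python so the transitions can be exercised without a debuggee; ModelBreakpoint, FakeEvent and dispatch are names assumed for this example only:

```python
# Added example, not WinAppDbg's own code: a pure-Python model of the
# Breakpoint state machine and callback contract from section 58.
# ModelBreakpoint, FakeEvent and dispatch() are this example's own names.

DISABLED, ENABLED, ONESHOT, RUNNING = 0, 1, 2, 3
stateNames = {0: 'disabled', 1: 'enabled', 2: 'one shot', 3: 'running'}

# "Forced by user" transitions: which states each method may be called from.
_FORCED = {
    'disable':  {ENABLED, ONESHOT, RUNNING},
    'enable':   {DISABLED, RUNNING},
    'one_shot': {DISABLED},
}
# "When hit" transitions: Enabled -> Running, OneShot -> Disabled.
_ON_HIT = {ENABLED: RUNNING, ONESHOT: DISABLED}


class FakeEvent:
    """Stand-in for winappdbg Event, carrying only what the callbacks read."""
    def __init__(self, address, tid):
        self.address = address
        self.tid = tid
        self.breakpoint = None      # hit() fills this in, like Event.breakpoint


class ModelBreakpoint:
    typeName = 'breakpoint'

    def __init__(self, address, size=1, condition=True, action=None):
        self.__address, self.__size = address, size
        self.__state = DISABLED
        self.set_condition(condition)
        self.set_action(action)

    # Information
    def get_address(self): return self.__address
    def get_size(self): return self.__size
    def get_span(self): return (self.__address, self.__address + self.__size)
    def is_here(self, address): return self.__address <= address < self.__address + self.__size
    def get_state(self): return self.__state
    def get_state_name(self): return stateNames[self.__state]
    def is_disabled(self): return self.__state == DISABLED
    def is_enabled(self): return self.__state == ENABLED
    def is_one_shot(self): return self.__state == ONESHOT
    def is_running(self): return self.__state == RUNNING

    # State machine
    def _force(self, method, new_state):
        if self.__state not in _FORCED[method]:
            raise AssertionError('cannot %s() a %s breakpoint' % (method, self.get_state_name()))
        self.__state = new_state

    def disable(self): self._force('disable', DISABLED)
    def enable(self): self._force('enable', ENABLED)
    def one_shot(self): self._force('one_shot', ONESHOT)

    def hit(self, event):
        """Apply the "when hit" transition and tag the event with this breakpoint."""
        if self.__state not in _ON_HIT:
            raise AssertionError("Disabled breakpoints can't be hit")
        event.breakpoint = self
        self.__state = _ON_HIT[self.__state]

    # Conditional breakpoints: the condition is True (unconditional) or a callable
    def set_condition(self, condition=True):
        self.__condition = True if condition is None else condition
    def get_condition(self): return self.__condition
    def is_conditional(self): return self.__condition is not True
    def is_unconditional(self): return self.__condition is True
    def eval_condition(self, event):
        return True if self.__condition is True else bool(self.__condition(event))

    # Automatic breakpoints: an action callback replaces normal event dispatch
    def set_action(self, action=None): self.__action = action
    def get_action(self): return self.__action
    def is_automatic(self): return self.__action is not None
    def is_interactive(self): return self.__action is None
    def run_action(self, event):
        if self.__action is not None:
            self.__action(event)


def dispatch(bp, event):
    """How a debug loop drives the model: hit, then the condition, then either
    the action (automatic) or normal dispatch (interactive). Afterwards a
    Running breakpoint is re-enabled, which is the Running -> Enabled edge.
    Returns 'action', 'dispatch' or 'ignored'."""
    bp.hit(event)
    result = 'ignored'
    if bp.eval_condition(event):
        if bp.is_automatic():
            bp.run_action(event)
            result = 'action'
        else:
            result = 'dispatch'
    if bp.is_running():
        bp.enable()
    return result
```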

59 Class winappdbg.breakpoint.BreakpointCallbackWarning

object
exceptions.BaseException
exceptions.Exception
exceptions.Warning
exceptions.RuntimeWarning
winappdbg.breakpoint.BreakpointCallbackWarning
This warning is issued when an uncaught exception was raised by a breakpoint's user-defined callback.
59.1 Methods
Inherited from exceptions.RuntimeWarning
__init__(), __new__()
Inherited from exceptions.BaseException
__delattr__(), __getattribute__(), __getitem__(), __getslice__(), __reduce__(), __repr__(), __setattr__(), __setstate__(), __str__(), __unicode__()
Inherited from object
__format__(), __hash__(), __reduce_ex__(), __sizeof__(), __subclasshook__()

59.2 Properties
Inherited from exceptions.BaseException: args, message
Inherited from object: __class__

60 Class winappdbg.breakpoint.BreakpointWarning

object
exceptions.BaseException
exceptions.Exception
exceptions.Warning
exceptions.UserWarning
winappdbg.breakpoint.BreakpointWarning
This warning is issued when a non-fatal error occurs that's related to breakpoints.
60.1 Methods
Inherited from exceptions.UserWarning
__init__(), __new__()
Inherited from exceptions.BaseException
__delattr__(), __getattribute__(), __getitem__(), __getslice__(), __reduce__(), __repr__(), __setattr__(), __setstate__(), __str__(), __unicode__()
Inherited from object
__format__(), __hash__(), __reduce_ex__(), __sizeof__(), __subclasshook__()

60.2 Properties
Inherited from exceptions.BaseException: args, message
Inherited from object: __class__


61 Class winappdbg.breakpoint.BufferWatch

object
winappdbg.breakpoint.BufferWatch
Returned by Debug.watch_buffer.
This object uniquely references a buffer being watched, even if there are multiple watches
set on the exact memory region.
61.1 Methods
__init__(self, pid, start, end, action=None, oneshot=False)
x.__init__(...) initializes x; see help(type(x)) for signature
Overrides: object.__init__ (inherited documentation)
match(self, address)
Determine if the given memory address lies within the watched buffer.
Return Value
True if the given memory address lies within the watched buffer, False otherwise.
(type=bool)
Inherited from object
__delattr__(), __format__(), __getattribute__(), __hash__(), __new__(), __reduce__(), __reduce_ex__(), __repr__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()

61.2 Properties
Inherited from object: __class__

61.3 Instance Variables
pid
start
end
action
oneshot


62 Class winappdbg.breakpoint.CodeBreakpoint

object
  winappdbg.breakpoint.Breakpoint
    winappdbg.breakpoint.CodeBreakpoint

Code execution breakpoints (using an int3 opcode).
See Also: Debug.break_at

62.1 Methods
__init__(self, address, condition=True, action=None)
Code breakpoint object.
Parameters
address: Memory address for breakpoint.
(type=int)
condition: (Optional) Condition callback function.
(type=function)
action: (Optional) Action callback function.
(type=function)
Overrides: object.__init__
See Also: Breakpoint.__init__
__repr__(self)
repr(x)
Overrides: object.__repr__ (inherited documentation)
Inherited from object
__delattr__(), __format__(), __getattribute__(), __hash__(), __new__(), __reduce__(), __reduce_ex__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()
State machine

disable(self, aProcess, aThread)
Transition to DISABLED state.
When hit: OneShot -> Disabled
Forced by user: Enabled, OneShot, Running -> Disabled
Transition from running state may require special handling by the breakpoint implementation class.
Parameters
aProcess: Process object.
aThread: Thread object.
Overrides: winappdbg.breakpoint.Breakpoint.disable (inherited documentation)
enable(self, aProcess, aThread)
Transition to ENABLED state.
When hit: Running -> Enabled
Forced by user: Disabled, Running -> Enabled
Transition from running state may require special handling by the breakpoint implementation class.
Parameters
aProcess: Process object.
aThread: Thread object.
Overrides: winappdbg.breakpoint.Breakpoint.enable (inherited documentation)
one_shot(self, aProcess, aThread)
Transition to ONESHOT state.
Forced by user: Disabled -> OneShot
Parameters
aProcess: Process object.
aThread: Thread object.
Overrides: winappdbg.breakpoint.Breakpoint.one_shot (inherited documentation)


running(self, aProcess, aThread)
Transition to RUNNING state.
When hit: Enabled -> Running
Parameters
aProcess: Process object.
aThread: Thread object.
Overrides: winappdbg.breakpoint.Breakpoint.running (inherited documentation)
get_state(self)
Return Value
The current state of the breakpoint (DISABLED, ENABLED, ONESHOT, RUNNING).
(type=int)
get_state_name(self)
Return Value
The name of the current state of the breakpoint.
(type=str)
hit(self, event)
Notify a breakpoint that it's been hit.
This triggers the corresponding state transition and sets the breakpoint property of the given Event object.
Parameters
event: Debug event to handle (depends on the breakpoint type).
(type=Event)
Raises
AssertionError: Disabled breakpoints can't be hit.
See Also: disable, enable, one_shot, running
is_disabled(self)
Return Value
True if the breakpoint is in DISABLED state.
(type=bool)

is_enabled(self)
Return Value
True if the breakpoint is in ENABLED state.
(type=bool)
is_one_shot(self)
Return Value
True if the breakpoint is in ONESHOT state.
(type=bool)
is_running(self)
Return Value
True if the breakpoint is in RUNNING state.
(type=bool)
Information
get_address(self)
Return Value
The target memory address for the breakpoint.
(type=int)
get_size(self)
Return Value
The size in bytes of the breakpoint.
(type=int)
get_span(self)
Return Value
Starting and ending address of the memory range covered by the breakpoint.
(type=tuple( int, int ))
is_here(self, address)
Return Value
True if the address is within the range of the breakpoint.
(type=bool)

Conditional breakpoints
eval_condition(self, event)
Evaluates the breakpoint condition, if any was set.
Parameters
event: Debug event triggered by the breakpoint.
(type=Event)
Return Value
True to dispatch the event, False otherwise.
(type=bool)
get_condition(self)
Return Value
Returns the condition callback for conditional breakpoints. Returns True for unconditional breakpoints.
(type=bool, function)
is_conditional(self)
Return Value
True if the breakpoint has a condition callback defined.
(type=bool)
See Also: __init__
is_unconditional(self)
Return Value
True if the breakpoint doesn't have a condition callback defined.
(type=bool)
set_condition(self, condition=True)
Sets a new condition callback for the breakpoint.
Parameters
condition: (Optional) Condition callback function.
(type=function)
See Also: __init__
Automatic breakpoints

get_action(self)
Return Value
Returns the action callback for automatic breakpoints. Returns None for interactive breakpoints.
(type=bool, function)
is_automatic(self)
Return Value
True if the breakpoint has an action callback defined.
(type=bool)
is_interactive(self)
Return Value
True if the breakpoint doesn't have an action callback defined.
(type=bool)
run_action(self, event)
Executes the breakpoint action callback, if any was set.
Parameters
event: Debug event triggered by the breakpoint.
(type=Event)
set_action(self, action=None)
Sets a new action callback for the breakpoint.
Parameters
action: (Optional) Action callback function.
(type=function)

62.2 Properties
Inherited from object: __class__

62.3 Class Variables
typeName: User friendly breakpoint type string.
  Value: 'code breakpoint' (type=str)
bpInstruction: Breakpoint instruction for the current processor.
  Value: '\xcc' (type=str)
stateNames: User-friendly names for each breakpoint state.
  Value: {0: 'disabled', 1: 'enabled', 2: 'one shot', 3: 'running'} (type=dict { int : str })
Breakpoint states
DISABLED: Disabled -> Enabled, OneShot
  Value: 0 (type=int)
ENABLED: Enabled -> Running, Disabled
  Value: 1 (type=int)
ONESHOT: OneShot -> Disabled
  Value: 2 (type=int)
RUNNING: Running -> Enabled, Disabled
  Value: 3 (type=int)

63 Class winappdbg.breakpoint.HardwareBreakpoint

object
  winappdbg.breakpoint.Breakpoint
    winappdbg.breakpoint.HardwareBreakpoint

Hardware breakpoint (using debug registers).
See Also: Debug.watch_variable

63.1 Methods
__init__(self, address, triggerFlag=3, sizeFlag=3, condition=True, action=None)
Hardware breakpoint object.
Parameters
address: Memory address for breakpoint.
(type=int)
triggerFlag: Trigger of breakpoint. Must be one of the following:
  BREAK_ON_EXECUTION: Break on code execution.
  BREAK_ON_WRITE: Break on memory write.
  BREAK_ON_ACCESS: Break on memory read or write.
(type=int)
sizeFlag: Size of breakpoint. Must be one of the following:
  WATCH_BYTE: One (1) byte in size.
  WATCH_WORD: Two (2) bytes in size.
  WATCH_DWORD: Four (4) bytes in size.
  WATCH_QWORD: Eight (8) bytes in size.
(type=int)
condition: (Optional) Condition callback function.
(type=function)
action: (Optional) Action callback function.
(type=function)
Overrides: object.__init__
See Also: Breakpoint.__init__

__repr__(self)
repr(x)
Overrides: object.__repr__ (inherited documentation)
Inherited from object
__delattr__(), __format__(), __getattribute__(), __hash__(), __new__(), __reduce__(), __reduce_ex__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()
Information
get_slot(self)
Return Value
The debug register number used by this breakpoint, or None if the breakpoint is not active.
(type=int)
get_trigger(self)
Return Value
The breakpoint trigger flag.
(type=int)
See Also: validTriggers
get_watch(self)
Return Value
The breakpoint watch flag.
(type=int)
See Also: validWatchSizes
get_address(self)
Return Value
The target memory address for the breakpoint.
(type=int)
get_size(self)
Return Value
The size in bytes of the breakpoint.
(type=int)

get_span(self)
Return Value
Starting and ending address of the memory range covered by the breakpoint.
(type=tuple( int, int ))
is_here(self, address)
Return Value
True if the address is within the range of the breakpoint.
(type=bool)
State machine
disable(self, aProcess, aThread)
Transition to DISABLED state.
When hit: OneShot -> Disabled
Forced by user: Enabled, OneShot, Running -> Disabled
Transition from running state may require special handling by the breakpoint implementation class.
Parameters
aProcess: Process object.
aThread: Thread object.
Overrides: winappdbg.breakpoint.Breakpoint.disable (inherited documentation)
enable(self, aProcess, aThread)
Transition to ENABLED state.
When hit: Running -> Enabled
Forced by user: Disabled, Running -> Enabled
Transition from running state may require special handling by the breakpoint implementation class.
Parameters
aProcess: Process object.
aThread: Thread object.
Overrides: winappdbg.breakpoint.Breakpoint.enable (inherited documentation)

one_shot(self, aProcess, aThread)
Transition to ONESHOT state.
Forced by user: Disabled -> OneShot
Parameters
aProcess: Process object.
aThread: Thread object.
Overrides: winappdbg.breakpoint.Breakpoint.one_shot (inherited documentation)
running(self, aProcess, aThread)
Transition to RUNNING state.
When hit: Enabled -> Running
Parameters
aProcess: Process object.
aThread: Thread object.
Overrides: winappdbg.breakpoint.Breakpoint.running (inherited documentation)
get_state(self)
Return Value
The current state of the breakpoint (DISABLED, ENABLED, ONESHOT, RUNNING).
(type=int)
get_state_name(self)
Return Value
The name of the current state of the breakpoint.
(type=str)


hit(self, event)
Notify a breakpoint that it's been hit.
This triggers the corresponding state transition and sets the breakpoint property of the given Event object.
Parameters
event: Debug event to handle (depends on the breakpoint type).
(type=Event)
Raises
AssertionError: Disabled breakpoints can't be hit.
See Also: disable, enable, one_shot, running
is_disabled(self)
Return Value
True if the breakpoint is in DISABLED state.
(type=bool)
is_enabled(self)
Return Value
True if the breakpoint is in ENABLED state.
(type=bool)
is_one_shot(self)
Return Value
True if the breakpoint is in ONESHOT state.
(type=bool)
is_running(self)
Return Value
True if the breakpoint is in RUNNING state.
(type=bool)
Conditional breakpoints

eval_condition(self, event)
Evaluates the breakpoint condition, if any was set.
Parameters
event: Debug event triggered by the breakpoint.
(type=Event)
Return Value
True to dispatch the event, False otherwise.
(type=bool)
get_condition(self)
Return Value
Returns the condition callback for conditional breakpoints. Returns True for unconditional breakpoints.
(type=bool, function)
is_conditional(self)
Return Value
True if the breakpoint has a condition callback defined.
(type=bool)
See Also: __init__
is_unconditional(self)
Return Value
True if the breakpoint doesn't have a condition callback defined.
(type=bool)
set_condition(self, condition=True)
Sets a new condition callback for the breakpoint.
Parameters
condition: (Optional) Condition callback function.
(type=function)
See Also: __init__
Automatic breakpoints

get_action(self)
Return Value
Returns the action callback for automatic breakpoints. Returns None for interactive breakpoints.
(type=bool, function)
is_automatic(self)
Return Value
True if the breakpoint has an action callback defined.
(type=bool)
is_interactive(self)
Return Value
True if the breakpoint doesn't have an action callback defined.
(type=bool)
run_action(self, event)
Executes the breakpoint action callback, if any was set.
Parameters
event: Debug event triggered by the breakpoint.
(type=Event)
set_action(self, action=None)
Sets a new action callback for the breakpoint.
Parameters
action: (Optional) Action callback function.
(type=function)

63.2 Properties
Inherited from object: __class__

63.3 Class Variables
typeName: User friendly breakpoint type string.
  Value: 'hardware breakpoint' (type=str)
validTriggers: Valid trigger flag values.
  Value: (0, 1, 3) (type=tuple)
validWatchSizes: Valid watch flag values.
  Value: (0, 1, 3, 2) (type=tuple)
stateNames: User-friendly names for each breakpoint state.
  Value: {0: 'disabled', 1: 'enabled', 2: 'one shot', 3: 'running'} (type=dict { int : str })
Trigger flags
BREAK_ON_EXECUTION: Break on execution.
  Value: 0 (type=int)
BREAK_ON_WRITE: Break on write.
  Value: 1 (type=int)
BREAK_ON_ACCESS: Break on read or write.
  Value: 3 (type=int)
Watch size flags
WATCH_BYTE: Watch a byte.
  Value: 0 (type=int)
WATCH_WORD: Watch a word (2 bytes).
  Value: 1 (type=int)
WATCH_DWORD: Watch a double word (4 bytes).
  Value: 3 (type=int)
WATCH_QWORD: Watch one quad word (8 bytes).
  Value: 2 (type=int)
Breakpoint states
DISABLED: Disabled -> Enabled, OneShot
  Value: 0 (type=int)
ENABLED: Enabled -> Running, Disabled
  Value: 1 (type=int)
ONESHOT: OneShot -> Disabled
  Value: 2 (type=int)
RUNNING: Running -> Enabled, Disabled
  Value: 3 (type=int)
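As an added example, not WinAppDbg's own code: how the trigger and watch flags above are validated, turned into a byte size and programmed into one thread's debug registers. The DR7 bit layout used here is the x86 architecture's (the reference only states the flag values), and ModelHardwareBreakpoint and DebugRegisters are names assumed for this example.

```python
# Added example, not WinAppDbg's own code: models how a HardwareBreakpoint's
# trigger and watch flags (section 63.3) are validated, sized and programmed
# into one thread's DR0-DR3/DR7. The bit positions are the x86 DR7 layout
# (local enable Ln at bit 2n, R/Wn at bits 16+4n, LENn at bits 18+4n), which
# the reference does not spell out; ModelHardwareBreakpoint/DebugRegisters
# are this example's own names.

BREAK_ON_EXECUTION, BREAK_ON_WRITE, BREAK_ON_ACCESS = 0, 1, 3
WATCH_BYTE, WATCH_WORD, WATCH_DWORD, WATCH_QWORD = 0, 1, 3, 2
validTriggers = (BREAK_ON_EXECUTION, BREAK_ON_WRITE, BREAK_ON_ACCESS)
validWatchSizes = (WATCH_BYTE, WATCH_WORD, WATCH_DWORD, WATCH_QWORD)

# The LEN field is not monotonic (0b10 means 8 bytes), which is why
# validWatchSizes reads (0, 1, 3, 2) and not (0, 1, 2, 3).
WATCH_TO_BYTES = {WATCH_BYTE: 1, WATCH_WORD: 2, WATCH_DWORD: 4, WATCH_QWORD: 8}


class ModelHardwareBreakpoint:
    typeName = 'hardware breakpoint'

    def __init__(self, address, triggerFlag=BREAK_ON_ACCESS, sizeFlag=WATCH_DWORD):
        if triggerFlag not in validTriggers:
            raise ValueError('Invalid trigger flag: %r' % triggerFlag)
        if sizeFlag not in validWatchSizes:
            raise ValueError('Invalid watch flag: %r' % sizeFlag)
        if triggerFlag == BREAK_ON_EXECUTION and sizeFlag != WATCH_BYTE:
            raise ValueError('Execution breakpoints must use WATCH_BYTE')  # x86 rule: LEN=00
        size = WATCH_TO_BYTES[sizeFlag]
        if address % size:   # x86 data breakpoints must be aligned to their length
            raise ValueError('Address %#x is not aligned to %d bytes' % (address, size))
        self.__address, self.__trigger, self.__watch = address, triggerFlag, sizeFlag
        self.__slot = None   # get_slot() is None while the breakpoint is not active

    def get_address(self): return self.__address
    def get_trigger(self): return self.__trigger
    def get_watch(self): return self.__watch
    def get_slot(self): return self.__slot
    def get_size(self): return WATCH_TO_BYTES[self.__watch]
    def get_span(self): return (self.__address, self.__address + self.get_size())
    def is_here(self, address): return self.__address <= address < self.get_span()[1]
    def set_slot(self, slot): self.__slot = slot   # called by DebugRegisters below


class DebugRegisters:
    """DR0-DR3 address slots plus the DR7 control word of one thread context."""
    def __init__(self):
        self.dr = [None, None, None, None]
        self.dr7 = 0

    def enable(self, bp):
        """Take a free slot, program DRn and the slot's DR7 fields; return the slot."""
        if None not in self.dr:
            raise RuntimeError('No free debug registers (4 hard breakpoints max)')
        slot = self.dr.index(None)
        self.dr[slot] = bp.get_address()
        self.dr7 &= ~(0b1111 << (16 + 4 * slot))        # clear R/Wn and LENn
        self.dr7 |= bp.get_trigger() << (16 + 4 * slot)  # R/Wn: 00 exec, 01 write, 11 r/w
        self.dr7 |= bp.get_watch() << (18 + 4 * slot)    # LENn: 00=1, 01=2, 11=4, 10=8 bytes
        self.dr7 |= 1 << (2 * slot)                      # Ln: local enable
        bp.set_slot(slot)
        return slot

    def disable(self, bp):
        """Release the slot; the breakpoint reports get_slot() is None again."""
        slot = bp.get_slot()
        if slot is None:
            return
        self.dr[slot] = None
        self.dr7 &= ~((1 << (2 * slot)) | (0b1111 << (16 + 4 * slot)))
        bp.set_slot(None)

    def which_hit(self, dr6):
        """Decode the B0-B3 bits of DR6 after a debug trap into the slots that fired."""
        return [n for n in range(4) if dr6 & (1 << n)]
```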

64 Class winappdbg.breakpoint.Hook

object
  winappdbg.breakpoint.Hook

Known Subclasses: winappdbg.breakpoint._Hook_amd64, winappdbg.breakpoint._Hook_i386
Factory class to produce hook objects. Used by Debug.hook function and Debug.stalk function.
When you try to instance this class, one of the architecture specific implementations is returned instead.
Instances act as an action callback for code breakpoints set at the beginning of a function. It automatically retrieves the parameters from the stack, sets a breakpoint at the return address and retrieves the return value from the function call.
See Also: _Hook_i386, _Hook_amd64

64.1 Methods
__new__(cls, *argv, **argd)
Return Value
a new object with type S, a subtype of T
Overrides: object.__new__ (inherited documentation)


__init__(self, preCB=None, postCB=None, paramCount=None, signature=None, arch=None)
x.__init__(...) initializes x; see help(type(x)) for signature
Parameters
preCB: (Optional) Callback triggered on function entry.
The signature for the callback should be something like this:

    def pre_LoadLibraryEx(event, ra, lpFilename, hFile, dwFlags):
        # ra is the return address; the function arguments start from here...
        szFilename = event.get_process().peek_string(lpFilename)
        # (...)

Note that all pointer types are treated like void pointers, so your callback won't get the string or structure pointed to by it, but the remote memory address instead. This is so to prevent the ctypes library from being too helpful and trying to dereference the pointer. To get the actual data being pointed to, use one of the Process.read methods.
(type=function)
postCB: (Optional) Callback triggered on function exit.
The signature for the callback should be something like this:

    def post_LoadLibraryEx(event, return_value):
        # (...)
        pass

(type=function)
paramCount: (Optional) Number of parameters for the preCB callback, not counting the return address. Parameters are read from the stack and assumed to be DWORDs in 32 bits and QWORDs in 64.
This is a faster way to pull stack parameters in 32 bits, but in 64 bits (or with some odd APIs in 32 bits) it won't be useful, since not all arguments to the hooked function will be of the same size.
For a more reliable and cross-platform way of hooking use the signature argument instead.
(type=int)
signature: (Optional) Tuple of ctypes data types that constitute the hooked function signature. When the function is

Methods

Class winappdbg.breakpoint.Hook

__call__(self, event)
Handles the breakpoint event on entry of the function.
Parameters
event: Breakpoint hit event.
(type=ExceptionEvent)
Raises
WindowsError: An error occurred.
get_params(self, tid)
Returns the parameters found in the stack when the hooked function was last called by this thread.
Parameters
tid: Thread global ID.
(type=int)
Return Value
Tuple of arguments.
(type=tuple( arg, arg, arg... ))
get_params_stack(self, tid)
Returns the parameters found in the stack each time the hooked function was called by this thread and hasn't returned yet.
Parameters
tid: Thread global ID.
(type=int)
Return Value
List of argument tuples.
(type=list of tuple( arg, arg, arg... ))
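As an added example, not the project's code: the Hook contract described for __init__, __call__, get_params and get_params_stack (and the same paramCount-versus-signature trade-off noted for ApiHook in 57.1), modelled for 32-bit stack-passed arguments over constructed sample memory. ModelHook, FakeProcess, FakeEvent and make_sample are names assumed for this example; the SetFilePointerEx frame shows why a 64-bit argument defeats the paramCount approach.

```python
# Added example, not WinAppDbg's own code: a model of the Hook contract from
# section 64.1 for the 32-bit case, where the arguments sit on the stack right
# after the return address. FakeProcess/FakeEvent stand in for Process/Event.
import ctypes
import struct
from collections import defaultdict


class FakeProcess:
    """Flat little-endian memory image starting at `base` (constructed sample memory)."""
    def __init__(self, base, image):
        self.base, self.image = base, bytes(image)

    def read(self, address, size):     # Process.read raises WindowsError on bad reads
        off = address - self.base
        if off < 0 or off + size > len(self.image):
            raise OSError('invalid read at %#x' % address)
        return self.image[off:off + size]

    def peek_string(self, address):
        """Like Process.peek_string: NUL-terminated ANSI string, '' on a bad address."""
        off = address - self.base
        if not 0 <= off < len(self.image):
            return ''
        end = self.image.find(b'\x00', off)
        return self.image[off:end if end >= 0 else None].decode('latin-1')


class FakeEvent:
    """The breakpoint-hit event: which process, which thread, and that thread's esp."""
    def __init__(self, process, tid, sp): self.process, self.tid, self.sp = process, tid, sp
    def get_process(self): return self.process
    def get_tid(self): return self.tid
    def get_sp(self): return self.sp


class ModelHook:
    """Entry handler for a 32-bit stdcall/cdecl function: [esp] is the return address."""
    def __init__(self, preCB=None, postCB=None, paramCount=None, signature=None):
        if (paramCount is None) == (signature is None):
            raise ValueError('give exactly one of paramCount or signature')
        self.__preCB, self.__postCB = preCB, postCB
        self.__paramCount, self.__signature = paramCount, signature
        self.__paramStack = defaultdict(list)  # tid -> params of calls not yet returned

    def _read_params(self, event):
        process, sp = event.get_process(), event.get_sp()
        ra = struct.unpack('<I', process.read(sp, 4))[0]
        if self.__signature is None:
            # paramCount path: every argument is assumed to be one DWORD
            raw = process.read(sp + 4, 4 * self.__paramCount)
            return ra, struct.unpack('<%dI' % self.__paramCount, raw)
        # signature path: each argument occupies sizeof(its ctypes type) bytes.
        # Pointers come back as plain integers; nothing is dereferenced.
        params, addr = [], sp + 4
        for ctype in self.__signature:
            size = ctypes.sizeof(ctype)
            params.append(int.from_bytes(process.read(addr, size), 'little'))
            addr += size
        return ra, tuple(params)

    def __call__(self, event):
        """Function entry: read ra and params, push them for this thread, run preCB.
        Returns ra, where a real Hook would set the one-shot return breakpoint."""
        ra, params = self._read_params(event)
        self.__paramStack[event.get_tid()].append(params)
        if self.__preCB is not None:
            self.__preCB(event, ra, *params)
        return ra

    def on_return(self, event, return_value):
        """Function exit: pop this call's params and run postCB(event, return_value)."""
        self.__paramStack[event.get_tid()].pop()
        if self.__postCB is not None:
            self.__postCB(event, return_value)

    def get_params(self, tid):
        stack = self.__paramStack[tid]
        if not stack:
            raise IndexError('Hooked function called from thread %d already returned' % tid)
        return stack[-1]

    def get_params_stack(self, tid):
        return list(self.__paramStack[tid])


def make_sample(base, fmt, *values, data=b''):
    """Constructed sample: `data` (e.g. a string) at `base`, a stack frame packed
    with struct format `fmt` at base + 0x100, and an event for thread 0x1a4 there."""
    image = bytearray(0x100 + struct.calcsize(fmt))
    image[:len(data)] = data
    struct.pack_into(fmt, image, 0x100, *values)
    return FakeEvent(FakeProcess(base, image), 0x1a4, base + 0x100)


# 32-bit stack layouts of LoadLibraryExA and SetFilePointerEx (ra first):
LOADLIBRARYEX_FMT = '<IIII'       # ra, lpFileName, hFile, dwFlags
SETFILEPOINTEREX_FMT = '<IIqII'   # ra, hFile, 64-bit LARGE_INTEGER, lpNew, dwMoveMethod
SETFILEPOINTEREX_SIG = (ctypes.c_uint32, ctypes.c_int64, ctypes.c_uint32, ctypes.c_uint32)
```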


hook(self, debug, pid, address)
Installs the function hook at a given process and address.
Parameters
debug: Debug object.
(type=Debug)
pid: Process ID.
(type=int)
address: Function address.
(type=int)
See Also: unhook
Warning: Do not call from a function hook callback.
unhook(self, debug, pid, address)
Removes the function hook at a given process and address.
Parameters
debug: Debug object.
(type=Debug)
pid: Process ID.
(type=int)
address: Function address.
(type=int)
See Also: hook
Warning: Do not call from a function hook callback.
Inherited from object
__delattr__(), __format__(), __getattribute__(), __hash__(), __reduce__(), __reduce_ex__(), __repr__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()
64.2 Properties
Inherited from object: __class__

64.3 Class Variables
useHardwareBreakpoints: True to try to use hardware breakpoints, False otherwise.
  Value: False (type=bool)

65 Class winappdbg.breakpoint.PageBreakpoint

object
  winappdbg.breakpoint.Breakpoint
    winappdbg.breakpoint.PageBreakpoint

Page access breakpoint (using guard pages).
See Also: Debug.watch_buffer

65.1 Methods
__init__(self, address, pages=1, condition=True, action=None)
Page breakpoint object.
Parameters
address: Memory address for breakpoint.
(type=int)
pages: Size of breakpoint in pages.
(type=int)
condition: (Optional) Condition callback function.
(type=function)
action: (Optional) Action callback function.
(type=function)
Overrides: object.__init__
See Also: Breakpoint.__init__
__repr__(self)
repr(x)
Overrides: object.__repr__ (inherited documentation)
Inherited from object
__delattr__(), __format__(), __getattribute__(), __hash__(), __new__(), __reduce__(), __reduce_ex__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()


Information
get_size_in_pages(self)
Return Value
The size in pages of the breakpoint.
(type=int)
get_address(self)
Return Value
The target memory address for the breakpoint.
(type=int)
get_size(self)
Return Value
The size in bytes of the breakpoint.
(type=int)
get_span(self)
Return Value
Starting and ending address of the memory range covered by the breakpoint.
(type=tuple( int, int ))
is_here(self, address)
Return Value
True if the address is within the range of the breakpoint.
(type=bool)
State machine

disable(self, aProcess, aThread)
Transition to DISABLED state.
When hit: OneShot -> Disabled
Forced by user: Enabled, OneShot, Running -> Disabled
Transition from running state may require special handling by the breakpoint implementation class.
Parameters
aProcess: Process object.
aThread: Thread object.
Overrides: winappdbg.breakpoint.Breakpoint.disable (inherited documentation)
enable(self, aProcess, aThread)
Transition to ENABLED state.
When hit: Running -> Enabled
Forced by user: Disabled, Running -> Enabled
Transition from running state may require special handling by the breakpoint implementation class.
Parameters
aProcess: Process object.
aThread: Thread object.
Overrides: winappdbg.breakpoint.Breakpoint.enable (inherited documentation)
one_shot(self, aProcess, aThread)
Transition to ONESHOT state.
Forced by user: Disabled -> OneShot
Parameters
aProcess: Process object.
aThread: Thread object.
Overrides: winappdbg.breakpoint.Breakpoint.one_shot (inherited documentation)


running(self, aProcess, aThread)
Transition to RUNNING state.
When hit: Enabled -> Running
Parameters
aProcess: Process object.
aThread: Thread object.
Overrides: winappdbg.breakpoint.Breakpoint.running (inherited documentation)
get_state(self)
Return Value
The current state of the breakpoint (DISABLED, ENABLED, ONESHOT, RUNNING).
(type=int)
get_state_name(self)
Return Value
The name of the current state of the breakpoint.
(type=str)
hit(self, event)
Notify a breakpoint that it's been hit.
This triggers the corresponding state transition and sets the breakpoint property of the given Event object.
Parameters
event: Debug event to handle (depends on the breakpoint type).
(type=Event)
Raises
AssertionError: Disabled breakpoints can't be hit.
See Also: disable, enable, one_shot, running
is_disabled(self)
Return Value
True if the breakpoint is in DISABLED state.
(type=bool)

is_enabled(self)
Return Value
True if the breakpoint is in ENABLED state.
(type=bool)
is_one_shot(self)
Return Value
True if the breakpoint is in ONESHOT state.
(type=bool)
is_running(self)
Return Value
True if the breakpoint is in RUNNING state.
(type=bool)
Conditional breakpoints
eval_condition(self, event)
Evaluates the breakpoint condition, if any was set.
Parameters
event: Debug event triggered by the breakpoint.
(type=Event)
Return Value
True to dispatch the event, False otherwise.
(type=bool)
get_condition(self)
Return Value
Returns the condition callback for conditional breakpoints. Returns True for unconditional breakpoints.
(type=bool, function)
is_conditional(self)
Return Value
True if the breakpoint has a condition callback defined.
(type=bool)
See Also: __init__

is_unconditional(self)
Return Value
True if the breakpoint doesn't have a condition callback defined.
(type=bool)
set_condition(self, condition=True)
Sets a new condition callback for the breakpoint.
Parameters
condition: (Optional) Condition callback function.
(type=function)
See Also: __init__
Automatic breakpoints
get_action(self)
Return Value
Returns the action callback for automatic breakpoints. Returns None for interactive breakpoints.
(type=bool, function)
is_automatic(self)
Return Value
True if the breakpoint has an action callback defined.
(type=bool)
is_interactive(self)
Return Value
True if the breakpoint doesn't have an action callback defined.
(type=bool)
run_action(self, event)
Executes the breakpoint action callback, if any was set.
Parameters
event: Debug event triggered by the breakpoint.
(type=Event)

445

Class Variables

Class winappdbg.breakpoint.PageBreakpoint

set action(self, action=None)


Sets a new action callback for the breakpoint.
Parameters
action: (Optional) Action callback function.
(type=function)

65.2

Properties
Name
Inherited from object
class

65.3

Description

Class Variables
Name
typeName
stateNames

Breakpoint states
DISABLED
ENABLED
ONESHOT
RUNNING

Description
User friendly breakpoint type string.
Value: page breakpoint (type=str)
User-friendly names for each breakpoint state.
Value: {0: disabled, 1: enabled,
2: one shot, 3: running} (type=dict
{ int str })
Disabled Enabled, OneShot
Value: 0 (type=int)
Enabled Running, Disabled
Value: 1 (type=int)
OneShot Disabled
Value: 2 (type=int)
Running Enabled, Disabled
Value: 3 (type=int)

446
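A model of the breakpoint state machine, hit() transitions and condition/action callbacks documented above, written as an added example rather than WinAppDbg's own Breakpoint code; FakeEvent and dispatch() are constructed stand-ins for the debugger's event object and its breakpoint notification path.

```python
"""Model of the documented breakpoint state machine and callback rules.
Added example: not WinAppDbg's own Breakpoint class, only the behaviour the
reference describes (states, transitions, hit(), conditions, actions)."""


class BreakpointStateModel(object):
    DISABLED, ENABLED, ONESHOT, RUNNING = 0, 1, 2, 3
    stateNames = {0: "disabled", 1: "enabled", 2: "one shot", 3: "running"}
    # Legal transitions, straight from the documented Class Variables table.
    _transitions = {
        DISABLED: (ENABLED, ONESHOT),
        ENABLED: (RUNNING, DISABLED),
        ONESHOT: (DISABLED,),
        RUNNING: (ENABLED, DISABLED),
    }

    def __init__(self, condition=True, action=None):
        self._state = self.DISABLED
        self.set_condition(condition)
        self.set_action(action)

    # --- state machine ---
    def get_state(self):
        return self._state

    def _move(self, new_state):
        if new_state not in self._transitions[self._state]:
            raise AssertionError("illegal transition %s -> %s" % (
                self.stateNames[self._state], self.stateNames[new_state]))
        self._state = new_state

    def enable(self):    self._move(self.ENABLED)
    def disable(self):   self._move(self.DISABLED)
    def one_shot(self):  self._move(self.ONESHOT)
    def running(self):   self._move(self.RUNNING)

    def is_disabled(self): return self._state == self.DISABLED
    def is_enabled(self):  return self._state == self.ENABLED
    def is_one_shot(self): return self._state == self.ONESHOT
    def is_running(self):  return self._state == self.RUNNING

    def hit(self, event):
        """Notify the breakpoint it was hit: ENABLED -> RUNNING (stepping past
        it), RUNNING -> ENABLED, ONESHOT -> DISABLED. Disabled ones can't be hit."""
        if self.is_disabled():
            raise AssertionError("disabled breakpoints can't be hit")
        event.breakpoint = self
        if self.is_one_shot():
            self.disable()
        elif self.is_running():
            self.enable()
        else:
            self.running()

    # --- conditional breakpoints ---
    def set_condition(self, condition=True):
        # Anything that is not callable means "unconditional", stored as True.
        self._condition = condition if callable(condition) else True
    def get_condition(self):    return self._condition
    def is_conditional(self):   return self._condition is not True
    def is_unconditional(self): return not self.is_conditional()
    def eval_condition(self, event):
        """True to dispatch the event, False to swallow it."""
        return True if self.is_unconditional() else bool(self._condition(event))

    # --- automatic breakpoints ---
    def set_action(self, action=None):
        self._action = action
    def get_action(self):     return self._action
    def is_automatic(self):   return self._action is not None
    def is_interactive(self): return not self.is_automatic()
    def run_action(self, event):
        if self.is_automatic():
            self._action(event)


class FakeEvent(object):
    """Constructed stand-in for winappdbg.event.Event with just what the model reads."""
    def __init__(self, pc, data_len):
        self.pc = pc
        self.data_len = data_len
        self.breakpoint = None


def dispatch(bp, event):
    """How a debugger would use the pieces together: transition the state, gate
    on the condition, run the action, and report whether the user's event
    handler should still see the event (only for interactive breakpoints)."""
    bp.hit(event)
    if not bp.eval_condition(event):
        return False
    bp.run_action(event)
    return bp.is_interactive()
```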

66 Class winappdbg.crash.Crash
object
winappdbg.crash.Crash
Represents a crash, bug, or another interesting event in the debugee.
66.1 Methods
__init__(self, event)
x.__init__(...) initializes x; see help(type(x)) for signature
Parameters
event: Event object for crash.
(type=Event)
Overrides: object.__init__
__str__(self)
str(x)
Overrides: object.__str__ (inherited documentation)
key(self)
Alias of signature. Deprecated since WinAppDbg 1.5.
Inherited from object
__delattr__(), __format__(), __getattribute__(), __hash__(), __new__(), __reduce__(), __reduce_ex__(),
__repr__(), __setattr__(), __sizeof__(), __subclasshook__()
Report
isExploitable(self)
Guess how likely it is that the bug causing the crash can be leveraged into an
exploitable vulnerability.
Return Value
The first element of the tuple is the result of the analysis, being one
of the following:
Not an exception
Not exploitable
Not likely exploitable
Unknown
Probably exploitable
Exploitable
The second element of the tuple is a code to identify the matched
heuristic rule.
The third element of the tuple is a description string of the reason
behind the result.
(type=tuple( str, str, str ))
Note: Don't take this as an equivalent of a real exploitability analysis, which
can only be done by a human being! This is only a guideline, useful for
example to sort crashes, placing the most interesting ones at the top.
See Also: The heuristics are similar to those of the !exploitable extension
for WinDBG, which can be downloaded from here:
http://www.codeplex.com/msecdbg
briefReport(self)
Return Value
Short description of the event.
(type=str)
fullReport(self, bShowNotes=True)
Parameters
bShowNotes: True to show the user notes, False otherwise.
(type=bool)
Return Value
Long description of the event.
(type=str)
environmentReport(self)
Return Value
The process environment variables, merged and formatted for a
report.
(type=str)
notesReport(self)
Return Value
All notes, merged and formatted for a report.
(type=str)
Notes
addNote(self, msg)
Add a note to the crash event.
Parameters
msg: Note text.
(type=str)
clearNotes(self)
Clear the notes of this crash event.
getNotes(self)
Get the list of notes of this crash event.
Return Value
List of notes.
(type=list( str ))
iterNotes(self)
Iterate the notes of this crash event.
Return Value
Iterator of the list of notes.
(type=listiterator)
hasNotes(self)
Return Value
True if there are notes for this crash event.
(type=bool)
Miscellaneous
fetch_extra_data(self, event, takeMemorySnapshot=0)
Fetch extra data from the Event object.
Parameters
event: Event object for crash.
(type=Event)
takeMemorySnapshot: Memory snapshot behavior:
0 to take no memory information (default).
1 to take only the memory map. See Process.get_memory_map.
2 to take a full memory snapshot. See Process.take_memory_snapshot.
3 to take a live memory snapshot. See Process.generate_memory_snapshot.
(type=int)
Note: Since this method may take a little longer to run, it's best to call it
only after you've determined the crash is interesting and you want to save it.
66.2 Properties
Inherited from object
__class__
Basic information
pc: Value of the program counter register.
(type=int)
sp: Value of the stack pointer register.
(type=int)
fp: Value of the frame pointer register.
(type=int)
66.3 Instance Variables
Basic information
signature
arch: Processor architecture.
(type=str)
bits: 32 or 64 bits.
(type=int)
eventCode: Event code as defined by the Win32 API.
(type=int)
eventName: Event code user-friendly name.
(type=str)
labelPC: Label pointing to the program counter.
None or invalid if unapplicable or unable to retrieve.
(type=None or str)
os: Operating system version.
May indicate a 64 bit version even if arch and bits indicate 32 bits. This
means the crash occurred inside a WOW64 process.
(type=str)
pid: Process global ID.
(type=int)
registers: Dictionary mapping register names to their values.
(type=dict( str -> int ))
tid: Thread global ID.
(type=int)
timeStamp: Timestamp as returned by time.time().
(type=float)
Optional information
debugString: Debug string sent by the debugee.
None if unapplicable or unable to retrieve.
(type=None or str)
exceptionAddress: Memory address where the exception occurred.
None if unapplicable or unable to retrieve.
(type=None or int)
exceptionCode: Exception code as defined by the Win32 API.
None if unapplicable or unable to retrieve.
(type=None or int)
exceptionDescription: Exception description.
None if unapplicable or unable to retrieve.
(type=None or str)
exceptionLabel: Label pointing to the exception address.
None or invalid if unapplicable or unable to retrieve.
(type=None or str)
exceptionName: Exception code user-friendly name.
None if unapplicable or unable to retrieve.
(type=None or str)
faultAddress: Access violation memory address. Only applicable to memory faults.
None if unapplicable or unable to retrieve.
(type=None or int)
faultLabel: Label pointing to the access violation memory address. Only
applicable to memory faults.
None if unapplicable or unable to retrieve.
(type=None or str)
faultType: Access violation type. Only applicable to memory faults. Should be
one of the following constants:
win32.ACCESS_VIOLATION_TYPE_READ
win32.ACCESS_VIOLATION_TYPE_WRITE
win32.ACCESS_VIOLATION_TYPE_DEP
None if unapplicable or unable to retrieve.
(type=None or int)
firstChance: True for first chance exceptions, False for second chance.
None if unapplicable or unable to retrieve.
(type=None or bool)
isOurBreakpoint: True for breakpoints defined by the Debug class, False otherwise.
None if unapplicable.
(type=bool)
isSystemBreakpoint: True for known system-defined breakpoints, False otherwise.
None if unapplicable.
(type=bool)
lpBaseOfDll: Base of module where the program counter points to.
None if unapplicable or unable to retrieve.
(type=None or int)
modFileName: File name of module where the program counter points to.
None or invalid if unapplicable or unable to retrieve.
(type=None or str)
stackTrace: Stack trace of the current thread as a tuple of ( frame pointer,
return address, module filename ).
None or empty if unapplicable or unable to retrieve.
(type=None or tuple of tuple( int, int, str ))
stackTraceLabels: Tuple of labels pointing to the return addresses in the stack trace.
None or empty if unapplicable or unable to retrieve.
(type=None or tuple( str... ))
stackTracePC: Tuple of return addresses in the stack trace.
None or empty if unapplicable or unable to retrieve.
(type=None or tuple( int... ))
stackTracePretty: Stack trace of the current thread as a tuple of ( frame pointer,
return location ).
None or empty if unapplicable or unable to retrieve.
(type=None or tuple of tuple( int, str ))
Extra information
commandLine: Command line for the target process.
None if unapplicable or unable to retrieve.
(type=None or str)
environment: Environment variables for the target process.
None if unapplicable or unable to retrieve.
(type=None or dict( str -> str ))
environmentData: Environment data for the target process.
None if unapplicable or unable to retrieve.
(type=None or list of str)
faultCode: Data pointed to by the program counter.
None or empty if unapplicable or unable to retrieve.
(type=None or str)
faultDisasm: Disassembly around the program counter.
None or empty if unapplicable or unable to retrieve.
(type=None or tuple of tuple( long, int, str, str ))
faultMem: Data pointed to by the exception address.
None or empty if unapplicable or unable to retrieve.
(type=None or str)
faultPeek: Dictionary mapping guessed pointers at faultMem to the data they point to.
None or empty if unapplicable or unable to retrieve.
(type=None or dict( int -> str ))
memoryMap: Memory snapshot of the program. May contain the actual data from the
entire process memory if requested. See fetch_extra_data for more details.
None or empty if unapplicable or unable to retrieve.
(type=None or list of win32.MemoryBasicInformation objects.)
registersPeek: Dictionary mapping register names to the data they point to.
None if unapplicable or unable to retrieve.
(type=None or dict( str -> str ))
stackFrame: Data pointed to by the stack pointer.
None or empty if unapplicable or unable to retrieve.
(type=None or str)
stackPeek: Dictionary mapping stack offsets to the data they point to.
None or empty if unapplicable or unable to retrieve.
(type=None or dict( int -> str ))
stackRange: Stack beginning and end pointers, in memory addresses order.
None if unapplicable or unable to retrieve.
(type=tuple( int, int ))
Notes
notes: List of strings, each string is a note.
(type=list( str ))

67 Class winappdbg.crash.CrashContainer
object
winappdbg.crash.CrashContainer
Old crash dump persistencer using a DBM database. Doesn't support duplicate crashes.
Warning: DBM database support is provided for backwards compatibility with older
versions of WinAppDbg. New applications should not use this class. Also, DBM databases
in Python suffer from multiple problems that can easily be avoided by switching to a SQL
database.
See Also: If you really must use a DBM database, try the standard shelve module instead:
http://docs.python.org/library/shelve.html
67.1 Methods
__init__(self, filename=None, allowRepeatedKeys=False)
x.__init__(...) initializes x; see help(type(x)) for signature
Parameters
filename: (Optional) File name for crash database. If no filename is specified,
the container is volatile. Volatile containers are stored only in memory and
destroyed when they go out of scope.
(type=str)
allowRepeatedKeys: Currently not supported, always use False.
(type=bool)
Overrides: object.__init__
remove_key(self, key)
Removes the given key from the set of known keys.
Parameters
key: Key to remove.
(type=Crash key.)
marshall_key(self, key)
Marshalls a Crash key to be used in the database.
Parameters
key: Key to convert.
(type=Crash key.)
Return Value
Converted key.
(type=str or buffer)
See Also: __init__
unmarshall_key(self, key)
Unmarshalls a Crash key read from the database.
Parameters
key: Key to convert.
(type=str or buffer)
Return Value
Converted key.
(type=Crash key.)
marshall_value(self, value, storeMemoryMap=False)
Marshalls a Crash object to be used in the database. By default the
memoryMap member is NOT stored here.
Parameters
value: Object to convert.
(type=Crash)
storeMemoryMap: True to store the memory map, False otherwise.
(type=bool)
Return Value
Converted object.
(type=str)
Warning: Setting the storeMemoryMap argument to True can lead to a severe
performance penalty!
unmarshall_value(self, value)
Unmarshalls a Crash object read from the database.
Parameters
value: Object to convert.
(type=str)
Return Value
Converted object.
(type=Crash)
__len__(self)
Return Value
Count of known keys.
(type=int)
__bool__(self)
Return Value
False if there are no known keys.
(type=bool)
__contains__(self, crash)
Parameters
crash: Crash object.
(type=Crash)
Return Value
True if a Crash object with the same key is in the container.
(type=bool)
has_key(self, key)
Parameters
key: Key to find.
(type=Crash key.)
Return Value
True if the key is present in the set of known keys.
(type=bool)
iterkeys(self)
Return Value
Iterator of known Crash keys.
(type=iterator)
__del__(self)
Class destructor. Closes the database when this object is destroyed.
__iter__(self)
Return Value
Iterator of the contained Crash objects.
(type=iterator)
See Also: itervalues
itervalues(self)
Return Value
Iterator of the contained Crash objects.
(type=iterator)
Warning: A copy of each object is returned, so any changes made to them
will be lost.
To preserve changes do the following:
1. Keep a reference to the object.
2. Delete the object from the set.
3. Modify the object and add it again.
add(self, crash)
Adds a new crash to the container. If the crash appears to be already known,
it's ignored.
Parameters
crash: Crash object to add.
(type=Crash)
See Also: Crash.key
__delitem__(self, key)
Removes a crash from the container.
Parameters
key: Key of the crash to remove.
(type=Crash unique key.)
remove(self, crash)
Removes a crash from the container.
Parameters
crash: Crash object to remove.
(type=Crash)
get(self, key)
Retrieves a crash from the container.
Parameters
key: Key of the crash to get.
(type=Crash unique key.)
Return Value
Crash matching the given key.
(type=Crash object.)
See Also: iterkeys
Warning: A copy of each object is returned, so any changes made to them
will be lost.
To preserve changes do the following:
1. Keep a reference to the object.
2. Delete the object from the set.
3. Modify the object and add it again.
__getitem__(self, key)
Retrieves a crash from the container.
Parameters
key: Key of the crash to get.
(type=Crash unique key.)
Return Value
Crash matching the given key.
(type=Crash object.)
See Also: iterkeys
Warning: A copy of each object is returned, so any changes made to them
will be lost.
To preserve changes do the following:
1. Keep a reference to the object.
2. Delete the object from the set.
3. Modify the object and add it again.
Inherited from object
__delattr__(), __format__(), __getattribute__(), __hash__(), __new__(), __reduce__(), __reduce_ex__(),
__repr__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()
67.2 Properties
Inherited from object
__class__
67.3 Class Variables
Marshalling configuration
optimizeKeys: Ignored by the current implementation.
Up to WinAppDbg 1.4 this setting caused the database keys to be optimized
when pickled with the standard pickle module. But with a DBM database
backend that causes inconsistencies, since the same key can be serialized
into multiple optimized pickles, thus losing uniqueness.
Value: False (type=bool)
optimizeValues: True to optimize the marshalling of values, False otherwise.
Only used with the pickle module, ignored when using the more secure
cerealizer module.
Value: True (type=bool)
compressKeys: True to compress keys when marshalling, False to leave them
uncompressed.
Value: False (type=bool)
compressValues: True to compress values when marshalling, False to leave
them uncompressed.
Value: True (type=bool)
escapeKeys: True to escape keys when marshalling, False to leave them
unescaped.
Value: False (type=bool)
escapeValues: True to escape values when marshalling, False to leave them
unescaped.
Value: False (type=bool)
binaryKeys: True to marshall keys to binary format (the Python buffer type),
False to use text marshalled keys (str type).
Value: False (type=bool)
binaryValues: True to marshall values to binary format (the Python buffer
type), False to use text marshalled values (str type).
Value: False (type=bool)
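The uniqueness problem behind the optimizeKeys note, reproduced with the standard pickle module, next to a deterministic key marshaller that honours the documented compressKeys / escapeKeys / binaryKeys switches. This is an added example, not CrashContainer's own marshalling code; the sample key tuples are constructed.

```python
"""Key marshalling for a crash store. Added example, not the CrashContainer
implementation: it shows why equal keys can pickle differently and a
canonical-JSON alternative wired to the documented marshalling switches."""
import base64
import json
import pickle
import zlib


def same_key_two_pickles():
    """Two equal keys pickle to different byte strings: one holds a shared
    string object (pickled once, then referenced from the memo), the other
    two distinct but equal strings. A DBM store keyed on the raw pickle would
    therefore file one crash signature under two keys."""
    shared = "".join(["a"] * 10)                  # one object, referenced twice
    key_shared = (shared, shared)
    key_distinct = ("".join(["a"] * 10), "".join(["a"] * 10))
    assert key_shared == key_distinct             # equal as values...
    return pickle.dumps(key_shared) != pickle.dumps(key_distinct)   # ...not as bytes


def _tuplify(obj):
    """json.loads() hands back lists; Crash keys are tuples, so rebuild them."""
    if isinstance(obj, list):
        return tuple(_tuplify(x) for x in obj)
    return obj


def marshall_key(key, compressKeys=False, escapeKeys=False, binaryKeys=False):
    """Canonical JSON (sorted keys, no whitespace) so equal keys always marshal
    to the same bytes. Unlike unpickling, loading it back can never execute
    code, which matters when the database file itself is untrusted input."""
    data = json.dumps(key, sort_keys=True, separators=(",", ":")).encode("utf-8")
    if compressKeys:
        data = zlib.compress(data)
    if escapeKeys:
        data = base64.b64encode(data)             # printable form for text backends
    if binaryKeys:
        return data
    return data.decode("latin-1")                 # lossless bytes -> str mapping


def unmarshall_key(stored, compressKeys=False, escapeKeys=False, binaryKeys=False):
    """Inverse of marshall_key(), called with the same switches."""
    data = stored if binaryKeys else stored.encode("latin-1")
    if escapeKeys:
        data = base64.b64decode(data)
    if compressKeys:
        data = zlib.decompress(data)
    return _tuplify(json.loads(data.decode("utf-8")))


def same_key_one_marshalled_form():
    """The two equal keys from same_key_two_pickles() marshal identically here."""
    shared = "".join(["a"] * 10)
    key_shared = (shared, shared)
    key_distinct = ("".join(["a"] * 10), "".join(["a"] * 10))
    return marshall_key(key_shared) == marshall_key(key_distinct)
```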

68 Class winappdbg.crash.CrashDictionary
object
winappdbg.crash.CrashDictionary
Known Subclasses: winappdbg.crash.CrashTable, winappdbg.crash.CrashTableMSSQL
Dictionary-like persistence interface for Crash objects.
Currently the only implementation is through sql.CrashDAO.
68.1 Methods
__init__(self, url, creator=None, allowRepeatedKeys=True)
x.__init__(...) initializes x; see help(type(x)) for signature
Parameters
url: Connection URL of the crash database. See sql.CrashDAO.__init__ for
more details.
(type=str)
creator: (Optional) Callback function that creates the SQL database connection.
Normally it's not necessary to use this argument. However in some odd cases
you may need to customize the database connection, for example when using
the integrated authentication in MSSQL.
(type=callable)
allowRepeatedKeys: If True all Crash objects are stored.
If False any Crash object with the same signature as a previously existing
object will be ignored.
(type=bool)
Overrides: object.__init__
add(self, crash)
Adds a new crash to the container.
Parameters
crash: Crash object to add.
(type=Crash)
Note: When the allowRepeatedKeys parameter of the constructor is set to
False, duplicated crashes are ignored.
See Also: Crash.key
get(self, key)
Retrieves a crash from the container.
Parameters
key: Heuristic signature of the crash to get.
(type=Crash signature.)
Return Value
Crash matching the given signature. If more than one is found,
retrieve the newest one.
(type=Crash object.)
See Also: iterkeys
Warning: A copy of each object is returned, so any changes made to them
will be lost.
To preserve changes do the following:
1. Keep a reference to the object.
2. Delete the object from the set.
3. Modify the object and add it again.
__iter__(self)
Return Value
Iterator of the contained Crash objects.
(type=iterator)
itervalues(self)
Return Value
Iterator of the contained Crash objects.
(type=iterator)
iterkeys(self)
Return Value
Iterator of the contained Crash heuristic signatures.
(type=iterator)
__contains__(self, crash)
Parameters
crash: Crash object.
(type=Crash)
Return Value
True if the Crash object is in the container.
(type=bool)
has_key(self, key)
Parameters
key: Heuristic signature of the crash to get.
(type=Crash signature.)
Return Value
True if a matching Crash object is in the container.
(type=bool)
__len__(self)
Return Value
Count of Crash elements in the container.
(type=int)
__bool__(self)
Return Value
False if the container is empty.
(type=bool)
Inherited from object
__delattr__(), __format__(), __getattribute__(), __hash__(), __new__(), __reduce__(), __reduce_ex__(),
__repr__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()
68.2 Properties
Inherited from object
__class__

69 Class winappdbg.crash.CrashTable
object
winappdbg.crash.CrashDictionary
winappdbg.crash.CrashTable
Known Subclasses: winappdbg.crash.VolatileCrashContainer
Old crash dump persistencer using a SQLite database.
Warning: Superseded by CrashDictionary since WinAppDbg 1.5. New applications
should not use this class.
69.1 Methods
__init__(self, location=None, allowRepeatedKeys=True)
x.__init__(...) initializes x; see help(type(x)) for signature
Parameters
location: (Optional) Location of the crash database. If the location is a
filename, it's an SQLite database file.
If no location is specified, the container is volatile. Volatile containers
are stored only in memory and destroyed when they go out of scope.
(type=str)
allowRepeatedKeys: If True all Crash objects are stored.
If False any Crash object with the same signature as a previously existing
object will be ignored.
(type=bool)
Overrides: object.__init__
__bool__(self)
Return Value
False if the container is empty.
(type=bool)
__contains__(self, crash)
Parameters
crash: Crash object.
(type=Crash)
Return Value
True if the Crash object is in the container.
(type=bool)
__iter__(self)
Return Value
Iterator of the contained Crash objects.
(type=iterator)
__len__(self)
Return Value
Count of Crash elements in the container.
(type=int)
add(self, crash)
Adds a new crash to the container.
Parameters
crash: Crash object to add.
(type=Crash)
Note: When the allowRepeatedKeys parameter of the constructor is set to
False, duplicated crashes are ignored.
See Also: Crash.key
get(self, key)
Retrieves a crash from the container.
Parameters
key: Heuristic signature of the crash to get.
(type=Crash signature.)
Return Value
Crash matching the given signature. If more than one is found,
retrieve the newest one.
(type=Crash object.)
See Also: iterkeys
Warning: A copy of each object is returned, so any changes made to them
will be lost.
To preserve changes do the following:
1. Keep a reference to the object.
2. Delete the object from the set.
3. Modify the object and add it again.
has_key(self, key)
Parameters
key: Heuristic signature of the crash to get.
(type=Crash signature.)
Return Value
True if a matching Crash object is in the container.
(type=bool)
iterkeys(self)
Return Value
Iterator of the contained Crash heuristic signatures.
(type=iterator)
itervalues(self)
Return Value
Iterator of the contained Crash objects.
(type=iterator)
Inherited from object
__delattr__(), __format__(), __getattribute__(), __hash__(), __new__(), __reduce__(), __reduce_ex__(),
__repr__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()
69.2 Properties
Inherited from object
__class__

70 Class winappdbg.crash.CrashTableMSSQL
object
winappdbg.crash.CrashDictionary
winappdbg.crash.CrashTableMSSQL
Old crash dump persistencer using a Microsoft SQL Server database.
Warning: Superseded by CrashDictionary since WinAppDbg 1.5. New applications
should not use this class.
70.1 Methods
__init__(self, location=None, allowRepeatedKeys=True)
x.__init__(...) initializes x; see help(type(x)) for signature
Parameters
location: Location of the crash database. It must be an ODBC connection string.
(type=str)
allowRepeatedKeys: If True all Crash objects are stored.
If False any Crash object with the same signature as a previously existing
object will be ignored.
(type=bool)
Overrides: object.__init__
__bool__(self)
Return Value
False if the container is empty.
(type=bool)
__contains__(self, crash)
Parameters
crash: Crash object.
(type=Crash)
Return Value
True if the Crash object is in the container.
(type=bool)
__iter__(self)
Return Value
Iterator of the contained Crash objects.
(type=iterator)
__len__(self)
Return Value
Count of Crash elements in the container.
(type=int)
add(self, crash)
Adds a new crash to the container.
Parameters
crash: Crash object to add.
(type=Crash)
Note: When the allowRepeatedKeys parameter of the constructor is set to
False, duplicated crashes are ignored.
See Also: Crash.key
get(self, key)
Retrieves a crash from the container.
Parameters
key: Heuristic signature of the crash to get.
(type=Crash signature.)
Return Value
Crash matching the given signature. If more than one is found,
retrieve the newest one.
(type=Crash object.)
See Also: iterkeys
Warning: A copy of each object is returned, so any changes made to them
will be lost.
To preserve changes do the following:
1. Keep a reference to the object.
2. Delete the object from the set.
3. Modify the object and add it again.
has_key(self, key)
Parameters
key: Heuristic signature of the crash to get.
(type=Crash signature.)
Return Value
True if a matching Crash object is in the container.
(type=bool)
iterkeys(self)
Return Value
Iterator of the contained Crash heuristic signatures.
(type=iterator)
itervalues(self)
Return Value
Iterator of the contained Crash objects.
(type=iterator)
Inherited from object
__delattr__(), __format__(), __getattribute__(), __hash__(), __new__(), __reduce__(), __reduce_ex__(),
__repr__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()
70.2 Properties
Inherited from object
__class__

71 Class winappdbg.crash.CrashWarning
object
exceptions.BaseException
exceptions.Exception
exceptions.Warning
winappdbg.crash.CrashWarning
An error occurred while gathering crash data. Some data may be incomplete or missing.
71.1 Methods
Inherited from exceptions.Warning
__init__(), __new__()
Inherited from exceptions.BaseException
__delattr__(), __getattribute__(), __getitem__(), __getslice__(), __reduce__(),
__setattr__(), __setstate__(), __str__(), __unicode__()
Inherited from object
__format__(), __hash__(), __reduce_ex__(), __repr__(), __sizeof__(), __subclasshook__()
71.2 Properties
Inherited from exceptions.BaseException
args, message
Inherited from object
__class__

72 Class winappdbg.crash.DummyCrashContainer
object
winappdbg.crash.DummyCrashContainer
Fakes a database of volatile Crash objects, trying to mimic part of its interface, but doesn't
actually store anything.
Normally applications don't need to use this.
See Also: CrashDictionary
72.1 Methods
__init__(self, allowRepeatedKeys=True)
Fake containers don't store Crash objects, but they implement the interface
properly.
Parameters
allowRepeatedKeys: Mimics the duplicate filter behavior found in
real containers.
(type=bool)
Overrides: object.__init__
__contains__(self, crash)
Parameters
crash: Crash object.
(type=Crash)
Return Value
True if the Crash object is in the container.
(type=bool)
__len__(self)
Return Value
Count of Crash elements in the container.
(type=int)
__bool__(self)
Return Value
False if the container is empty.
(type=bool)
add(self, crash)
Adds a new crash to the container.
Parameters
crash: Crash object to add.
(type=Crash)
Note: When the allowRepeatedKeys parameter of the constructor is set to
False, duplicated crashes are ignored.
See Also: Crash.key
get(self, key)
This method is not supported.
has_key(self, key)
Parameters
key: Heuristic signature of the crash to get.
(type=Crash signature.)
Return Value
True if a matching Crash object is in the container.
(type=bool)
iterkeys(self)
Return Value
Iterator of the contained Crash object keys.
(type=iterator)
See Also: get
Warning: A copy of each object is returned, so any changes made to them
will be lost.
To preserve changes do the following:
1. Keep a reference to the object.
2. Delete the object from the set.
3. Modify the object and add it again.
Inherited from object
__delattr__(), __format__(), __getattribute__(), __hash__(), __new__(), __reduce__(), __reduce_ex__(),
__repr__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()
72.2 Properties
Inherited from object
__class__

73 Class winappdbg.crash.VolatileCrashContainer
object
winappdbg.crash.CrashDictionary
winappdbg.crash.CrashTable
winappdbg.crash.VolatileCrashContainer
Old in-memory crash dump storage.
Warning: Superseded by CrashDictionary since WinAppDbg 1.5. New applications
should not use this class.
73.1 Methods
__init__(self, allowRepeatedKeys=True)
Volatile containers are stored only in memory and destroyed when they go out
of scope.
Parameters
allowRepeatedKeys: If True all Crash objects are stored.
If False any Crash object with the same key as a previously existing object
will be ignored.
(type=bool)
Overrides: object.__init__
__bool__(self)
Return Value
False if the container is empty.
(type=bool)
__contains__(self, crash)
Parameters
crash: Crash object.
(type=Crash)
Return Value
True if the Crash object is in the container.
(type=bool)
__iter__(self)
Return Value
Iterator of the contained Crash objects.
(type=iterator)
__len__(self)
Return Value
Count of Crash elements in the container.
(type=int)
add(self, crash)
Adds a new crash to the container.
Parameters
crash: Crash object to add.
(type=Crash)
Note: When the allowRepeatedKeys parameter of the constructor is set to
False, duplicated crashes are ignored.
See Also: Crash.key
get(self, key)
Retrieves a crash from the container.
Parameters
key: Heuristic signature of the crash to get.
(type=Crash signature.)
Return Value
Crash matching the given signature. If more than one is found,
retrieve the newest one.
(type=Crash object.)
See Also: iterkeys
Warning: A copy of each object is returned, so any changes made to them
will be lost.
To preserve changes do the following:
1. Keep a reference to the object.
2. Delete the object from the set.
3. Modify the object and add it again.
has_key(self, key)
Parameters
key: Heuristic signature of the crash to get.
(type=Crash signature.)
Return Value
True if a matching Crash object is in the container.
(type=bool)
iterkeys(self)
Return Value
Iterator of the contained Crash heuristic signatures.
(type=iterator)
itervalues(self)
Return Value
Iterator of the contained Crash objects.
(type=iterator)
Inherited from object
__delattr__(), __format__(), __getattribute__(), __hash__(), __new__(), __reduce__(), __reduce_ex__(),
__repr__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()
73.2 Properties
Inherited from object
__class__

Class winappdbg.debug.Debug

74

Class winappdbg.debug.Debug

object
winappdbg.event.EventDispatcher
object
winappdbg.breakpoint. BreakpointContainer
winappdbg.debug.Debug
The main debugger class.

482

Methods

74.1

Class winappdbg.debug.Debug

Methods
init (self, eventHandler =None, bKillOnExit=False, bHostileCode=False)
Debugger object.
Parameters
eventHandler: (Optional, recommended) Custom event handler
object.
(type=EventHandler)
bKillOnExit: (Optional) Kill on exit mode. If True debugged
processes are killed when the debugger is stopped. If
False when the debugger stops it detaches from all
debugged processes and leaves them running
(default).
(type=bool)
bHostileCode: (Optional) Hostile code mode. Set to True to take
some basic precautions against anti-debug tricks.
Disabled by default.
(type=bool)
Raises
WindowsError Raises an exception on error.
Overrides: object. init
Warning: When hostile mode is enabled, some things may not work as
expected! This is because the anti-anti debug tricks may disrupt the behavior
of the Win32 debugging APIs or WinAppDbg itself.
Note: The eventHandler parameter may be any callable Python object (for
example a function, or an instance method). However youll probably find it
more convenient to use an instance of a subclass of EventHandler here.
enter (self )
Compatibility with the with Python statement.
exit (self, type, value, traceback )
Compatibility with the with Python statement.

483

Methods

Class winappdbg.debug.Debug

len (self )
Return Value
Number of processes being debugged.
(type=int)
Inherited from object
delattr (), format (), getattribute (), hash (), new (), reduce (), reduce ex (),
repr (), setattr (), sizeof (), str (), subclasshook ()
Debugging
attach(self, dwProcessId )
Attaches to an existing process for debugging.
Parameters
dwProcessId: Global ID of a process to attach to.
(type=int)
Return Value
A new Process object. Normally you don't need to use it now; it's
best to interact with the process from the event handler.
(type=Process)
Raises
WindowsError Raises an exception on error. Depending on the
circumstances, the debugger may or may not have attached to
the target process.
See Also: detach, execv, execl

execv(self, argv, **kwargs)
Starts a new process for debugging.
This method uses a list of arguments. To use a command line string instead,
use execl.
Parameters
argv: List of command line arguments to pass to the debugee. The first
    element must be the debugee executable filename.
    (type=list( str... ))
bBreakOnEntryPoint: True to automatically set a breakpoint at the program
    entry point.
    (type=bool)
bConsole: True to inherit the console of the debugger. Defaults to False.
    (type=bool)
bFollow: True to automatically attach to child processes. Defaults to False.
    (type=bool)
bInheritHandles: True if the new process should inherit its parent process
    handles. Defaults to False.
    (type=bool)
bSuspended: True to suspend the main thread before any code is executed in
    the debugee. Defaults to False.
    (type=bool)
dwParentProcessId: None or 0 if the debugger process should be the parent
    process (default), or a process ID to forcefully set as the debugee's
    parent (only available for Windows Vista and above). In hostile mode,
    the default is not the debugger process but the process ID for
    explorer.exe.
    (type=int or None)
iTrustLevel: Trust level. Must be one of the following values:
    0: No trust. May not access certain resources, such as cryptographic
       keys and credentials. Only available since Windows XP and 2003,
       desktop editions. This is the default in hostile mode.
    1: Normal trust. Run with the same privileges as a normal user, that
       is, one that doesn't have the Administrator or Power User user
       rights. Only available

execl(self, lpCmdLine, **kwargs)
Starts a new process for debugging.
This method uses a command line string. To use a list of arguments instead,
use execv.
Parameters
lpCmdLine: Command line string to execute. The first token must be the
    debugee executable filename. Tokens with spaces must be enclosed in
    double quotes. Tokens including double quote characters must be
    escaped with a backslash.
    (type=str)
bBreakOnEntryPoint: True to automatically set a breakpoint at the program
    entry point. Defaults to False.
    (type=bool)
bConsole: True to inherit the console of the debugger. Defaults to False.
    (type=bool)
bFollow: True to automatically attach to child processes. Defaults to False.
    (type=bool)
bInheritHandles: True if the new process should inherit its parent process
    handles. Defaults to False.
    (type=bool)
bSuspended: True to suspend the main thread before any code is executed in
    the debugee. Defaults to False.
    (type=bool)
dwParentProcessId: None or 0 if the debugger process should be the parent
    process (default), or a process ID to forcefully set as the debugee's
    parent (only available for Windows Vista and above). In hostile mode,
    the default is not the debugger process but the process ID for
    explorer.exe.
    (type=int or None)
iTrustLevel: Trust level. Must be one of the following values:
    0: No trust. May not access certain resources, such as cryptographic
       keys and credentials. Only available since Windows XP and 2003,
       desktop editions. This is the default in hostile mode.
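The difference between execv and execl matters most when one of the arguments is attacker-influenced (a file name taken from a fuzzer queue, a crash sample, a path read from a web form). The following is an added example, not WinAppDbg code: it applies the two lpCmdLine quoting rules stated above to show how a debugee re-tokenizes a command line built by string formatting, and uses the standard library's subprocess.list2cmdline (Python's implementation of the Microsoft C runtime quoting convention) to show the string execv-style argument lists would turn into. split_cmdline, join_cmdline, unsafe_cmdline and safe_argv are names chosen for this example; split_cmdline models only the two rules the page states, not the full MSVCRT backslash-run rules.

```python
# Added example, not WinAppDbg code: why execv(argv) is the safer API when an
# argument is attacker-influenced. Runs on any platform; nothing here touches
# the Win32 debug API.
import subprocess


def split_cmdline(lpCmdLine):
    """Tokenize a command line with only the two rules the execl documentation
    states: tokens containing spaces are enclosed in double quotes, and a
    literal double quote is escaped with a backslash.

    Deliberately does not model the MSVCRT rules for runs of backslashes;
    it is enough to show how a debugee ends up seeing lpCmdLine."""
    tokens, current, in_quotes, have_token = [], [], False, False
    i = 0
    while i < len(lpCmdLine):
        c = lpCmdLine[i]
        if c == "\\" and lpCmdLine[i + 1:i + 2] == '"':
            current.append('"')          # escaped quote: a literal character
            have_token = True
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes    # quotes delimit and are not kept
            have_token = True
        elif c == " " and not in_quotes:
            if have_token:
                tokens.append("".join(current))
                current, have_token = [], False
        else:
            current.append(c)
            have_token = True
        i += 1
    if have_token:
        tokens.append("".join(current))
    return tokens


def join_cmdline(argv):
    """MSVCRT-style quoting of an argument list (stdlib implementation):
    double quotes around tokens with spaces, backslash before a quote."""
    return subprocess.list2cmdline(argv)


def unsafe_cmdline(exe, untrusted_path):
    """Vulnerable pattern: building lpCmdLine for execl by string formatting.
    Whatever untrusted_path contains is re-parsed by the debugee as arguments."""
    return "%s %s" % (exe, untrusted_path)


def safe_argv(exe, untrusted_path):
    """Pattern for execv: the value stays a single argv element no matter
    what characters it contains."""
    return [exe, untrusted_path]


def argv_seen_by_debugee(argv):
    """The argument vector a debugee recovers after the list is quoted into a
    command line and tokenized again."""
    return split_cmdline(join_cmdline(argv))


if __name__ == "__main__":
    evil = "C:\\in.txt --config attacker.cfg"   # constructed untrusted input
    print(split_cmdline(unsafe_cmdline("target.exe", evil)))   # 4 tokens: injected option
    print(argv_seen_by_debugee(safe_argv("target.exe", evil)))  # 2 tokens: path stays one argument
```

The injected `--config` survives only in the string-built variant; with a list the whole value stays one argv element. When a command line string is unavoidable, build it with join_cmdline rather than by concatenation.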

add_existing_session(self, dwProcessId, bStarted=False)
Use this method only when for some reason the debugger's been attached to
the target outside of WinAppDbg (for example when integrating with other
tools).
You don't normally need to call this method. Most users should call attach,
execv or execl instead.
Parameters
dwProcessId: Global process ID.
    (type=int)
bStarted: True if the process was started by the debugger, or False if the
    process was attached to instead.
    (type=bool)
Raises
WindowsError The target process does not exist, or is not attached to
the debugger anymore.

kill(self, dwProcessId, bIgnoreExceptions=False)
Kills a process currently being debugged.
Parameters
dwProcessId: Global ID of a process to kill.
    (type=int)
bIgnoreExceptions: True to ignore any exceptions that may be raised when
    killing the process.
    (type=bool)
Raises
WindowsError Raises an exception on error, unless
bIgnoreExceptions is True.
See Also: detach

kill_all(self, bIgnoreExceptions=False)
Kills all processes currently being debugged.
Parameters
bIgnoreExceptions: True to ignore any exceptions that may be
raised when killing each process. False to
stop and raise an exception when
encountering an error.
(type=bool)
Raises
WindowsError Raises an exception on error, unless
bIgnoreExceptions is True.

detach(self, dwProcessId, bIgnoreExceptions=False)
Detaches from a process currently being debugged.
Parameters
dwProcessId: Global ID of a process to detach from.
    (type=int)
bIgnoreExceptions: True to ignore any exceptions that may be raised when
    detaching. False to stop and raise an exception when encountering an
    error.
    (type=bool)
Raises
WindowsError Raises an exception on error, unless
bIgnoreExceptions is True.
Note: On Windows 2000 and below the process is killed.
See Also: attach, detach_from_all

detach_from_all(self, bIgnoreExceptions=False)
Detaches from all processes currently being debugged.
Parameters
bIgnoreExceptions: True to ignore any exceptions that may be
raised when detaching.
(type=bool)
Raises
WindowsError Raises an exception on error, unless
bIgnoreExceptions is True.
Note: To better handle the last debugging event, call stop instead.

get_debugee_count(self)


Return Value
Number of processes being debugged.
(type=int)
get_debugee_pids(self)
Return Value
Global IDs of processes being debugged.
(type=list( int... ))
is_debugee(self, dwProcessId)
Determine if the debugger is debugging the given process.
Parameters
dwProcessId: Process global ID.
(type=int)
Return Value
True if the given process is being debugged by this Debug instance.
(type=bool)
See Also: is_debugee_attached, is_debugee_started

is_debugee_started(self, dwProcessId)
Determine if the given process was started by the debugger.
Parameters
dwProcessId: Process global ID.
(type=int)
Return Value
True if the given process was started for debugging by this Debug
instance.
(type=bool)
See Also: is_debugee, is_debugee_attached

is_debugee_attached(self, dwProcessId)


Determine if the debugger is attached to the given process.
Parameters
dwProcessId: Process global ID.
(type=int)
Return Value
True if the given process is attached to this Debug instance.
(type=bool)
See Also: is_debugee, is_debugee_started

in_hostile_mode(self)
Determine if we're in hostile mode (anti-anti-debug).
Return Value
True if this Debug instance was started in hostile mode, False
otherwise.
(type=bool)

interactive(self, bConfirmQuit=True, bShowBanner=True)
Start an interactive debugging session.
Parameters
bConfirmQuit: Set to True to ask the user for confirmation before
closing the session, False otherwise.
(type=bool)
bShowBanner: Set to True to show a banner before entering the
session and after leaving it, False otherwise.
(type=bool)
Warning: This will temporarily disable the user-defined event handler!
This method returns when the user closes the session.
Debugging loop

wait(self, dwMilliseconds=None)
Waits for the next debug event.
Parameters
dwMilliseconds: (Optional) Timeout in milliseconds. Use
INFINITE or None for no timeout.
(type=int)
Return Value
An event that occurred in one of the debugees.
(type=Event)
Raises
WindowsError Raises an exception on error. If no target processes
are left to debug, the error code is
win32.ERROR_INVALID_HANDLE.
See Also: cont, dispatch, loop
dispatch(self, event=None)
Calls the debug event notify callbacks.
Parameters
event: (Optional) Event object returned by wait.
(type=Event)
Raises
WindowsError Raises an exception on error.
Overrides: winappdbg.event.EventDispatcher.dispatch
See Also: cont, loop, wait
cont(self, event=None)
Resumes execution after processing a debug event.
Parameters
event: (Optional) Event object returned by wait.
(type=Event)
Raises
WindowsError Raises an exception on error.
See Also: dispatch(), loop(), wait()

stop(self, bIgnoreExceptions=True)
Stops debugging all processes.
If the kill on exit mode is on, debugged processes are killed when the debugger
is stopped. Otherwise when the debugger stops it detaches from all debugged
processes and leaves them running (default). For more details see: __init__
Parameters
bIgnoreExceptions: True to ignore any exceptions that may be
raised when detaching.
(type=bool)
Note: This method is better than detach_from_all because it can gracefully
handle the last debugging event before detaching.

next(self)
Handles the next debug event.
Raises
WindowsError Raises an exception on error.
If the wait operation causes an error, debugging is stopped
(meaning all debugees are either killed or detached from).
If the event dispatching causes an error, the event is still
continued before returning. This may happen, for example, if
the event handler raises an exception nobody catches.
See Also: cont, dispatch, wait, stop

loop(self)
Simple debugging loop.
This debugging loop is meant to be useful for most simple scripts. It iterates
as long as there is at least one debugee, or an exception is raised. Multiple
calls are allowed.
This is a trivial example script:

    import sys
    from winappdbg import Debug

    debug = Debug()
    try:
        debug.execv(sys.argv[1:])
        debug.loop()
    finally:
        debug.stop()

Raises
WindowsError Raises an exception on error.
If the wait operation causes an error, debugging is stopped
(meaning all debugees are either killed or detached from).
If the event dispatching causes an error, the event is still
continued before returning. This may happen, for example, if
the event handler raises an exception nobody catches.
See Also: next, stop, http://msdn.microsoft.com/en-us/library/ms681675(VS.85).aspx

Debugging events

get_event_handler(self)
Get the event handler.
Return Value
Current event handler object, or None.
(type=EventHandler)
See Also: set_event_handler

get_handler_method(eventHandler, event, fallback=None)


Retrieves the appropriate callback method from an EventHandler instance for
the given Event object.
Parameters
eventHandler: Event handler object whose methods we are examining.
    (type=EventHandler)
event: Debugging event to be handled.
    (type=Event)
fallback: (Optional) If no suitable method is found in the EventHandler
    instance, return this value.
    (type=callable)
Return Value
Bound method that will handle the debugging event. Returns None
if no such method is defined.
(type=callable)

set_event_handler(self, eventHandler)
Set the event handler.
Parameters
eventHandler: New event handler object, or None.
(type=EventHandler)
Return Value
Previous event handler object, or None.
(type=EventHandler)
Raises
TypeError The event handler is of an incorrect type.
Warning: This is normally not needed. Use with care!
Note: The eventHandler parameter may be any callable Python object (for
example a function, or an instance method). However you'll probably find it
more convenient to use an instance of a subclass of EventHandler here.
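The contract spelled out for next, loop and get_handler_method above (a failing wait stops debugging; an event is always continued even when the handler raises; the handler method is looked up by the event's eventMethod name with a fallback) is easy to get wrong in a hand-rolled loop. The following added example, which is not WinAppDbg code, models that contract with constructed stand-ins so it runs without Windows: FakeEvent, FakeDebug, Handler and run_session are this example's names, and the get_handler_method here implements only the documented name lookup and fallback, not the library's full resolution order. In a real session winappdbg.Debug and the Event objects returned by wait() take their place.

```python
# Added example, not WinAppDbg code: a self-contained model of the
# wait / dispatch / cont contract documented for Debug.next and Debug.loop,
# and of the lookup rule documented for get_handler_method.


class FakeEvent(object):
    """Stand-in for winappdbg.event.Event. Real event classes carry a class
    attribute eventMethod (e.g. 'create_process', 'exception') naming the
    EventHandler method to call; that is all the lookup needs."""

    def __init__(self, eventMethod, pid=4242):
        self.eventMethod = eventMethod
        self.pid = pid
        self.continued = False   # set once cont() has been called for this event


def get_handler_method(eventHandler, event, fallback=None):
    """Documented rule only: the handler method named by event.eventMethod if
    it exists, else the handler itself if it is a plain callable (the page
    allows any callable as a handler), else fallback."""
    if eventHandler is None:
        return fallback
    method = getattr(eventHandler, event.eventMethod, None)
    if method is not None and callable(method):
        return method
    if callable(eventHandler):
        return eventHandler
    return fallback


class FakeDebug(object):
    """Stand-in for winappdbg.debug.Debug driven by a scripted event queue
    instead of WaitForDebugEvent. Only the debugging-loop methods documented
    on this page are modelled."""

    def __init__(self, scripted_events, eventHandler=None):
        self._queue = list(scripted_events)
        self._handler = eventHandler
        self.stopped = False
        self.continued_log = []

    def wait(self, dwMilliseconds=None):
        # Documented: with no debugees left, wait() fails with
        # ERROR_INVALID_HANDLE. Modelled as OSError (WindowsError's base).
        if not self._queue:
            raise OSError("ERROR_INVALID_HANDLE: no target processes left")
        return self._queue.pop(0)

    def dispatch(self, event):
        method = get_handler_method(self._handler, event)
        if method is not None:
            method(event)

    def cont(self, event):
        event.continued = True
        self.continued_log.append(event.eventMethod)

    def stop(self, bIgnoreExceptions=True):
        self.stopped = True      # real Debug: kill or detach every debugee

    def next(self):
        try:
            event = self.wait()
        except Exception:
            self.stop()          # documented: a failing wait stops debugging
            raise
        try:
            self.dispatch(event)
        finally:
            self.cont(event)     # documented: the event is continued even if
                                 # the handler raised; the error then propagates

    def loop(self):
        while self._queue:       # real loop: while at least one debugee remains
            self.next()


class Handler(object):
    """Constructed handler with one method per eventMethod it cares about,
    like an EventHandler subclass. exception() has a deliberate bug so the
    continue-before-raise guarantee is visible."""

    def __init__(self):
        self.seen = []

    def create_process(self, event):
        self.seen.append(("create_process", event.pid))

    def exception(self, event):
        self.seen.append(("exception", event.pid))
        raise RuntimeError("bug in handler")


def run_session(events, handler):
    """Drive a scripted session the way the trivial loop() script does: loop
    inside try/finally so stop() always runs. Returns the debugger and the
    error message that escaped the loop, if any."""
    dbg = FakeDebug(events, handler)
    error = None
    try:
        dbg.loop()
    except RuntimeError as exc:
        error = str(exc)
    finally:
        dbg.stop()
    return dbg, error
```

Running run_session with a create_process, an exception and an exit_process event shows the property worth keeping in any custom loop: the exception event is continued before the handler's error escapes, the third event is never fetched, and stop() still runs because the caller used try/finally.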
Breakpoints
Inherited from winappdbg.breakpoint._BreakpointContainer
break_at(), break_on_error(), dont_break_at(), dont_break_on_error(), dont_hook_function(),
dont_watch_buffer(), dont_watch_variable(), hook_function(), unhook_function(), watch_buffer(),
watch_variable()

Stalking
Inherited from winappdbg.breakpoint._BreakpointContainer
dont_stalk_at(), dont_stalk_buffer(), dont_stalk_function(), dont_stalk_variable(), stalk_at(),
stalk_buffer(), stalk_function(), stalk_variable()

Tracing
Inherited from winappdbg.breakpoint._BreakpointContainer
get_traced_tids(), is_tracing(), start_tracing(), start_tracing_all(), start_tracing_process(),
stop_tracing(), stop_tracing_all(), stop_tracing_process()

Symbols
Inherited from winappdbg.breakpoint._BreakpointContainer
resolve_exported_function(), resolve_label()

Advanced breakpoint use
Inherited from winappdbg.breakpoint._BreakpointContainer
define_code_breakpoint(), define_hardware_breakpoint(), define_page_breakpoint(),
disable_code_breakpoint(), disable_hardware_breakpoint(), disable_page_breakpoint(),
enable_code_breakpoint(), enable_hardware_breakpoint(), enable_one_shot_code_breakpoint(),
enable_one_shot_hardware_breakpoint(), enable_one_shot_page_breakpoint(), enable_page_breakpoint(),
erase_code_breakpoint(), erase_hardware_breakpoint(), erase_page_breakpoint(), get_code_breakpoint(),
get_hardware_breakpoint(), get_page_breakpoint(), has_code_breakpoint(), has_hardware_breakpoint(),
has_page_breakpoint()

Listing breakpoints
Inherited from winappdbg.breakpoint._BreakpointContainer
get_all_breakpoints(), get_all_code_breakpoints(), get_all_deferred_code_breakpoints(),
get_all_hardware_breakpoints(), get_all_page_breakpoints(), get_process_breakpoints(),
get_process_code_breakpoints(), get_process_deferred_code_breakpoints(), get_process_hardware_breakpoints(),
get_process_page_breakpoints(), get_thread_hardware_breakpoints()

Batch operations on breakpoints
Inherited from winappdbg.breakpoint._BreakpointContainer
disable_all_breakpoints(), disable_process_breakpoints(), enable_all_breakpoints(),
enable_one_shot_all_breakpoints(), enable_one_shot_process_breakpoints(), enable_process_breakpoints(),
erase_all_breakpoints(), erase_process_breakpoints()

74.2 Properties

Inherited from object
__class__

74.3 Class Variables

Breakpoint types
Inherited from winappdbg.breakpoint._BreakpointContainer
BP_TYPE_ANY, BP_TYPE_CODE, BP_TYPE_HARDWARE, BP_TYPE_PAGE

Breakpoint states
Inherited from winappdbg.breakpoint._BreakpointContainer
BP_STATE_DISABLED, BP_STATE_ENABLED, BP_STATE_ONESHOT, BP_STATE_RUNNING

Memory breakpoint trigger flags
Inherited from winappdbg.breakpoint._BreakpointContainer
BP_BREAK_ON_ACCESS, BP_BREAK_ON_EXECUTION, BP_BREAK_ON_WRITE

Memory breakpoint size flags
Inherited from winappdbg.breakpoint._BreakpointContainer
BP_WATCH_BYTE, BP_WATCH_DWORD, BP_WATCH_QWORD, BP_WATCH_WORD

74.4 Instance Variables

system: A System snapshot that is automatically updated for processes being
    debugged. Processes not being debugged in this snapshot may be outdated.
    (type=System)

75 Class winappdbg.debug.MixedBitsWarning

object
  exceptions.BaseException
    exceptions.Exception
      exceptions.Warning
        exceptions.RuntimeWarning
          winappdbg.debug.MixedBitsWarning

This warning is issued when mixing 32 and 64 bit processes.

75.1 Methods

Inherited from exceptions.RuntimeWarning
__init__(), __new__()
Inherited from exceptions.BaseException
__delattr__(), __getattribute__(), __getitem__(), __getslice__(), __reduce__(), __repr__(),
__setattr__(), __setstate__(), __str__(), __unicode__()
Inherited from object
__format__(), __hash__(), __reduce_ex__(), __sizeof__(), __subclasshook__()

75.2 Properties

Inherited from exceptions.BaseException
args, message
Inherited from object
__class__
76 Class winappdbg.disasm.BeaEngine

object
  winappdbg.disasm.Engine
    winappdbg.disasm.BeaEngine

Integration with the BeaEngine disassembler by Beatrix.
See Also: https://sourceforge.net/projects/winappdbg/files/additional%20packages/BeaEngine/

76.1 Methods

decode(self, address, code)
Parameters
address: Memory address where the code was read from.
code: Machine code to disassemble.
Return Value
List of tuples. Each tuple represents an assembly instruction and contains:
    - Memory address of instruction.
    - Size of instruction in bytes.
    - Disassembly line of instruction.
    - Hexadecimal dump of instruction.
(type=list of tuple( long, int, str, str ))
Raises
NotImplementedError This disassembler could not be loaded. This
may be due to missing dependencies.
Overrides: winappdbg.disasm.Engine.decode (inherited documentation)

__init__(self, arch=None)
x.__init__(...) initializes x; see help(type(x)) for signature
Parameters
arch: Name of the processor architecture. If not provided the
current processor architecture is assumed. For more details
see win32.version._get_arch.
(type=str)
Raises
NotImplementedError This disassembler doesn't support the
requested processor architecture.
Overrides: object.__init__
Inherited from object
__delattr__(), __format__(), __getattribute__(), __hash__(), __new__(), __reduce__(), __reduce_ex__(),
__repr__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()

76.2 Properties

Inherited from object
__class__

76.3 Class Variables

name: Engine name to use with the Disassembler class.
    Value: 'BeaEngine' (type=str)
desc: User friendly name of the disassembler engine.
    Value: 'BeaEngine disassembler by Beatrix' (type=str)
url: Download URL.
    Value: 'https://sourceforge.net/projects/winappdbg/files/additional%20packages/BeaEngine/' (type=str)
supported: Set of supported processor architectures. For more details see
    win32.version._get_arch.
    Value: set(['amd64', 'i386']) (type=set(str))

76.4 Instance Variables

arch: Name of the processor architecture.
    (type=str)

77 Class winappdbg.disasm.CapstoneEngine

object
  winappdbg.disasm.Engine
    winappdbg.disasm.CapstoneEngine

Integration with the Capstone disassembler by Nguyen Anh Quynh.
See Also: http://www.capstone-engine.org/

77.1 Methods

decode(self, address, code)
Parameters
address: Memory address where the code was read from.
code: Machine code to disassemble.
Return Value
List of tuples. Each tuple represents an assembly instruction and contains:
    - Memory address of instruction.
    - Size of instruction in bytes.
    - Disassembly line of instruction.
    - Hexadecimal dump of instruction.
(type=list of tuple( long, int, str, str ))
Raises
NotImplementedError This disassembler could not be loaded. This
may be due to missing dependencies.
Overrides: winappdbg.disasm.Engine.decode (inherited documentation)

__init__(self, arch=None)
x.__init__(...) initializes x; see help(type(x)) for signature
Parameters
arch: Name of the processor architecture. If not provided the
current processor architecture is assumed. For more details
see win32.version._get_arch.
(type=str)
Raises
NotImplementedError This disassembler doesn't support the
requested processor architecture.
Overrides: object.__init__
Inherited from object
__delattr__(), __format__(), __getattribute__(), __hash__(), __new__(), __reduce__(), __reduce_ex__(),
__repr__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()

77.2 Properties

Inherited from object
__class__

77.3 Class Variables

name: Engine name to use with the Disassembler class.
    Value: 'Capstone' (type=str)
desc: User friendly name of the disassembler engine.
    Value: 'Capstone disassembler by Nguyen Anh Quynh' (type=str)
url: Download URL.
    Value: 'http://www.capstone-engine.org/' (type=str)
supported: Set of supported processor architectures. For more details see
    win32.version._get_arch.
    Value: set(['amd64', 'arm', 'arm64', 'i386', 'thumb']) (type=set(str))

77.4 Instance Variables

arch: Name of the processor architecture.
    (type=str)
503

Class winappdbg.disasm.Disassembler

78

Class winappdbg.disasm.Disassembler

object
winappdbg.disasm.Disassembler
Generic disassembler. Uses a set of adapters to decide which library to load for which
supported platform.
78.1

Methods
new (cls, arch=None, engine=None)
Factory class. You cant really instance a Disassembler object, instead one of
the adapter Engine subclasses is returned.
Parameters
arch: (Optional) Name of the processor architecture. If not
provided the current processor architecture is assumed. For
more details see win32.version. get arch.
(type=str)
engine: (Optional) Name of the disassembler engine. If not
provided a compatible one is loaded automatically. See:
Engine.name
(type=str)
Return Value
a new object with type S, a subtype of T
Raises
NotImplementedError No compatible disassembler was found that
could decode machine code for the requested architecture. This
may be due to missing dependencies.
ValueError An unknown engine name was supplied.
Overrides: object. new

Inherited from object


delattr (), format (), getattribute (), hash (), init (), reduce (), reduce ex (),
repr (), setattr (), sizeof (), str (), subclasshook ()
78.2

Properties

504

Class Variables

Class winappdbg.disasm.Disassembler

Name
Inherited from object
class

78.3

Description

Class Variables
Name
engines

Description
Set of supported engines. If you implement
your own adapter you can add its class here to
make it available to Disassembler. Supported
disassemblers are:
diStorm - diStorm disassembler by Gil
Dabah
(https://code.google.com/p/distorm3 )
BeaEngine - BeaEngine disassembler by
Beatrix
(https://sourceforge.net/projects/winappdbg/files/additional%20pa
Capstone - Capstone disassembler by
Nguyen Anh Quynh
(http://www.capstone-engine.org/ )
Libdisassemble - Immunity libdisassemble
(http://www.immunitysec.com/resources-freesoftware.shtml)
PyDasm - PyDasm: Python bindings to
libdasm
(https://code.google.com/p/libdasm/ )
Value: (<class
winappdbg.disasm.DistormEngine>,
<class winapp... (type=tuple( Engine ))

505

79 Class winappdbg.disasm.DistormEngine

object
  winappdbg.disasm.Engine
    winappdbg.disasm.DistormEngine

Integration with the diStorm disassembler by Gil Dabah.
See Also: https://code.google.com/p/distorm3

79.1 Methods

decode(self, address, code)
Parameters
address: Memory address where the code was read from.
code: Machine code to disassemble.
Return Value
List of tuples. Each tuple represents an assembly instruction and contains:
    - Memory address of instruction.
    - Size of instruction in bytes.
    - Disassembly line of instruction.
    - Hexadecimal dump of instruction.
(type=list of tuple( long, int, str, str ))
Raises
NotImplementedError This disassembler could not be loaded. This
may be due to missing dependencies.
Overrides: winappdbg.disasm.Engine.decode (inherited documentation)

__init__(self, arch=None)
x.__init__(...) initializes x; see help(type(x)) for signature
Parameters
arch: Name of the processor architecture. If not provided the
current processor architecture is assumed. For more details
see win32.version._get_arch.
(type=str)
Raises
NotImplementedError This disassembler doesn't support the
requested processor architecture.
Overrides: object.__init__
Inherited from object
__delattr__(), __format__(), __getattribute__(), __hash__(), __new__(), __reduce__(), __reduce_ex__(),
__repr__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()

79.2 Properties

Inherited from object
__class__

79.3 Class Variables

name: Engine name to use with the Disassembler class.
    Value: 'diStorm' (type=str)
desc: User friendly name of the disassembler engine.
    Value: 'diStorm disassembler by Gil Dabah' (type=str)
url: Download URL.
    Value: 'https://code.google.com/p/distorm3' (type=str)
supported: Set of supported processor architectures. For more details see
    win32.version._get_arch.
    Value: set(['amd64', 'i386']) (type=set(str))

79.4 Instance Variables

arch: Name of the processor architecture.
    (type=str)

80 Class winappdbg.disasm.Engine

object
  winappdbg.disasm.Engine

Known Subclasses: winappdbg.disasm.BeaEngine, winappdbg.disasm.DistormEngine, winappdbg.disasm.PyDasmEngine, winappdbg.disasm.CapstoneEngine, winappdbg.disasm.LibdisassembleEngine

Base class for disassembly engine adaptors.

80.1 Methods

__init__(self, arch=None)
x.__init__(...) initializes x; see help(type(x)) for signature
Parameters
arch: Name of the processor architecture. If not provided the
current processor architecture is assumed. For more details
see win32.version._get_arch.
(type=str)
Raises
NotImplementedError This disassembler doesn't support the
requested processor architecture.
Overrides: object.__init__

decode(self, address, code)
Parameters
address: Memory address where the code was read from.
    (type=int)
code: Machine code to disassemble.
    (type=str)
Return Value
List of tuples. Each tuple represents an assembly instruction and contains:
    - Memory address of instruction.
    - Size of instruction in bytes.
    - Disassembly line of instruction.
    - Hexadecimal dump of instruction.
(type=list of tuple( long, int, str, str ))
Raises
NotImplementedError This disassembler could not be loaded. This
may be due to missing dependencies.
Inherited from object
__delattr__(), __format__(), __getattribute__(), __hash__(), __new__(), __reduce__(), __reduce_ex__(),
__repr__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()

80.2 Properties

Inherited from object
__class__

80.3 Class Variables

name: Engine name to use with the Disassembler class.
    Value: '<insert engine name here>' (type=str)
desc: User friendly name of the disassembler engine.
    Value: '<insert engine description here>' (type=str)
url: Download URL.
    Value: '<insert download url here>' (type=str)
supported: Set of supported processor architectures. For more details see
    win32.version._get_arch.
    Value: set([]) (type=set(str))

80.4 Instance Variables

arch: Name of the processor architecture.
    (type=str)
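Writing an adapter for the Engine interface above, and wiring it into a factory that behaves like the documented Disassembler.__new__ (choose by engine name and supported architecture, ValueError for an unknown engine name, NotImplementedError when nothing can decode the architecture), is the point of the engines class variable. The following added example is not WinAppDbg code: it is a hand-written table decoder for a handful of 32-bit x86 opcodes that returns the documented (address, size, disassembly, hexdump) tuples, with a factory and a small scan for int3 bytes built on top. Engine, TinyX86Engine, Disassembler and find_software_breakpoints are this example's names; the assumption that the default architecture is i386 stands in for the library's call to win32.version._get_arch.

```python
# Added example, not WinAppDbg code: a minimal Engine adapter emitting the
# documented (address, size, disassembly, hexdump) tuples, and a factory
# modelled on the documented behaviour of Disassembler.__new__.
import struct


def hexdump(chunk):
    """Contiguous lowercase hex of a byte sequence, e.g. '8bec'."""
    return "".join("%02x" % b for b in chunk)


class Engine(object):
    """Adapter interface as documented: class attributes name/desc/url/
    supported, an arch instance attribute, and decode()."""
    name = "<insert engine name here>"
    desc = "<insert engine description here>"
    url = "<insert download url here>"
    supported = set()

    def __init__(self, arch=None):
        if arch is None:
            arch = "i386"   # assumption: the library asks win32.version._get_arch() here
        if arch not in self.supported:
            raise NotImplementedError("%s cannot decode %s" % (self.name, arch))
        self.arch = arch

    def decode(self, address, code):
        raise NotImplementedError


class TinyX86Engine(Engine):
    """Table-driven decoder for a few x86 opcodes, enough to exercise the
    interface. Unknown bytes come out as 'db 0x..' of size 1 so the output
    always covers the whole buffer, as the real engines' output does."""
    name = "TinyX86"
    desc = "Minimal table decoder (example adapter)"
    url = "n/a"
    supported = set(["i386"])

    ONE_BYTE = {0x90: "nop", 0xCC: "int3", 0xC3: "ret", 0x55: "push ebp",
                0x5D: "pop ebp", 0xC9: "leave"}
    TWO_BYTE = {"8bec": "mov ebp, esp", "33c0": "xor eax, eax", "31c0": "xor eax, eax"}

    def decode(self, address, code):
        data = bytearray(code)          # integer indexing on Python 2 and 3
        result = []
        offset = 0
        while offset < len(data):
            ip = address + offset
            op = data[offset]
            size, text = 1, "db 0x%02x" % op            # default: undecodable byte
            if op in self.ONE_BYTE:
                text = self.ONE_BYTE[op]
            elif op == 0xB8 and offset + 5 <= len(data):   # mov eax, imm32
                size = 5
                text = "mov eax, 0x%x" % struct.unpack_from("<I", data, offset + 1)[0]
            elif op == 0xE8 and offset + 5 <= len(data):   # call rel32
                size = 5
                rel = struct.unpack_from("<i", data, offset + 1)[0]
                text = "call 0x%x" % ((ip + size + rel) & 0xFFFFFFFF)
            elif op == 0xEB and offset + 2 <= len(data):   # jmp short rel8
                size = 2
                rel = struct.unpack_from("<b", data, offset + 1)[0]
                text = "jmp short 0x%x" % ((ip + size + rel) & 0xFFFFFFFF)
            else:
                pair = hexdump(data[offset:offset + 2])
                if pair in self.TWO_BYTE:
                    size, text = 2, self.TWO_BYTE[pair]
            result.append((ip, size, text, hexdump(data[offset:offset + size])))
            offset += size
        return result


class Disassembler(object):
    """Factory modelled on the documented Disassembler.__new__: returns an
    Engine adapter instance, never a Disassembler."""
    engines = (TinyX86Engine,)      # add further adapter classes here

    def __new__(cls, arch=None, engine=None):
        if arch is None:
            arch = "i386"           # assumption, see Engine.__init__
        if engine is not None:
            candidates = [e for e in cls.engines if e.name.lower() == engine.lower()]
            if not candidates:
                raise ValueError("Unknown disassembler engine: %s" % engine)
        else:
            candidates = list(cls.engines)
        for klass in candidates:
            if arch in klass.supported:
                try:
                    return klass(arch)
                except NotImplementedError:
                    continue        # e.g. the backing library is not installed
        raise NotImplementedError("No disassembler available for %s" % arch)


def find_software_breakpoints(dis, address, code):
    """Addresses of int3 instructions in a code buffer: the same scan a
    self-checking binary runs to spot planted software breakpoints."""
    return [ip for (ip, size, text, dump) in dis.decode(address, code) if text == "int3"]


if __name__ == "__main__":
    dis = Disassembler("i386", "TinyX86")
    sample = b"\x55\x8b\xec\xcc\xe8\x05\x00\x00\x00\x90\xeb\xfe\xc3\x0f"   # constructed bytes
    for ip, size, text, dump in dis.decode(0x401000, sample):
        print("%08x  %-12s %s" % (ip, dump, text))
```

A real adapter would hand the buffer to its library and reshape that library's objects into the same tuples; the size field is what lets callers such as a code-page scan walk the buffer without re-decoding.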

81 Class winappdbg.disasm.LibdisassembleEngine

object
  winappdbg.disasm.Engine
    winappdbg.disasm.LibdisassembleEngine

Integration with Immunity libdisassemble.
See Also: http://www.immunitysec.com/resources-freesoftware.shtml

81.1 Methods

decode(self, address, code)
Parameters
address: Memory address where the code was read from.
code: Machine code to disassemble.
Return Value
List of tuples. Each tuple represents an assembly instruction and contains:
    - Memory address of instruction.
    - Size of instruction in bytes.
    - Disassembly line of instruction.
    - Hexadecimal dump of instruction.
(type=list of tuple( long, int, str, str ))
Raises
NotImplementedError This disassembler could not be loaded. This
may be due to missing dependencies.
Overrides: winappdbg.disasm.Engine.decode (inherited documentation)

__init__(self, arch=None)
x.__init__(...) initializes x; see help(type(x)) for signature
Parameters
arch: Name of the processor architecture. If not provided the
current processor architecture is assumed. For more details
see win32.version._get_arch.
(type=str)
Raises
NotImplementedError This disassembler doesn't support the
requested processor architecture.
Overrides: object.__init__
Inherited from object
__delattr__(), __format__(), __getattribute__(), __hash__(), __new__(), __reduce__(), __reduce_ex__(),
__repr__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()

81.2 Properties

Inherited from object
__class__

81.3 Class Variables

name: Engine name to use with the Disassembler class.
    Value: 'Libdisassemble' (type=str)
desc: User friendly name of the disassembler engine.
    Value: 'Immunity libdisassemble' (type=str)
url: Download URL.
    Value: 'http://www.immunitysec.com/resources-freesoftware.shtml' (type=str)
supported: Set of supported processor architectures. For more details see
    win32.version._get_arch.
    Value: set(['i386']) (type=set(str))

81.4 Instance Variables

arch: Name of the processor architecture.
    (type=str)

82 Class winappdbg.disasm.PyDasmEngine

object
  winappdbg.disasm.Engine
    winappdbg.disasm.PyDasmEngine

Integration with PyDasm: Python bindings to libdasm.
See Also: https://code.google.com/p/libdasm/

82.1 Methods

decode(self, address, code)
Parameters
address: Memory address where the code was read from.
code: Machine code to disassemble.
Return Value
List of tuples. Each tuple represents an assembly instruction and contains:
    - Memory address of instruction.
    - Size of instruction in bytes.
    - Disassembly line of instruction.
    - Hexadecimal dump of instruction.
(type=list of tuple( long, int, str, str ))
Raises
NotImplementedError This disassembler could not be loaded. This
may be due to missing dependencies.
Overrides: winappdbg.disasm.Engine.decode (inherited documentation)

__init__(self, arch=None)
x.__init__(...) initializes x; see help(type(x)) for signature
Parameters
arch: Name of the processor architecture. If not provided the
current processor architecture is assumed. For more details
see win32.version._get_arch.
(type=str)
Raises
NotImplementedError This disassembler doesn't support the
requested processor architecture.
Overrides: object.__init__
Inherited from object
__delattr__(), __format__(), __getattribute__(), __hash__(), __new__(), __reduce__(), __reduce_ex__(),
__repr__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()

82.2 Properties

Inherited from object
__class__

82.3 Class Variables

name: Engine name to use with the Disassembler class.
    Value: 'PyDasm' (type=str)
desc: User friendly name of the disassembler engine.
    Value: 'PyDasm: Python bindings to libdasm' (type=str)
url: Download URL.
    Value: 'https://code.google.com/p/libdasm/' (type=str)
supported: Set of supported processor architectures. For more details see
    win32.version._get_arch.
    Value: set(['i386']) (type=set(str))

82.4 Instance Variables

arch: Name of the processor architecture.
    (type=str)

83 Class winappdbg.event.CreateProcessEvent

object
  winappdbg.event.Event
    winappdbg.event.CreateProcessEvent

Process creation event.

83.1 Methods

get_file_handle(self)
Return Value
File handle to the main module, received from the system. Returns
None if the handle is not available.
(type=FileHandle or None)

get_process_handle(self)
Return Value
Process handle received from the system. Returns None if the handle
is not available.
(type=ProcessHandle or None)

get_thread_handle(self)
Return Value
Thread handle received from the system. Returns None if the handle
is not available.
(type=ThreadHandle or None)

get_start_address(self)
Return Value
Pointer to the first instruction to execute in this process.
Returns NULL when the debugger attaches to a process.
See http://msdn.microsoft.com/en-us/library/ms679295(VS.85).aspx
(type=int)

get_image_base(self)
Return Value
Base address of the main module.
(type=int)
Warning: This value is taken from the PE file and may be incorrect because
of ASLR!

get_teb(self)
Return Value
Pointer to the TEB.
(type=int)

get_debug_info(self)
Return Value
Debugging information.
(type=str)

get_filename(self)
Return Value
This method does its best to retrieve the filename to the main
module of the process. However, sometimes that's not possible, and
None is returned instead.
(type=str or None)

get_module_base(self)
Return Value
Base address of the main module.
(type=int)

get_module(self)
Return Value
Main module of the process.
(type=Module)
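The ASLR warning on get_image_base above is worth making concrete: the PE optional header records the preferred ImageBase, while the loader reports where the module actually landed, and any absolute address computed from the header is off by the difference whenever the image was relocated. The following is an added example, not WinAppDbg code, that parses the relevant header fields (ImageBase, AddressOfEntryPoint and the DYNAMIC_BASE / HIGH_ENTROPY_VA flags in DllCharacteristics) and computes the relocation delta against a runtime base. In a live session the runtime base would come from get_module_base(); here it is passed in as a number, and the header bytes are constructed by build_sample_pe so the example runs without a Windows binary. pe_header_info, relocation_delta, entry_point_va and build_sample_pe are this example's names.

```python
# Added example, not WinAppDbg code: compare the PE header's preferred
# ImageBase with the base the loader actually used, to see whether header-
# derived addresses (such as a naive get_image_base) can be trusted.
import struct

IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040


def pe_header_info(image):
    """Parse the fields needed to reason about ASLR from the start of a PE
    file or the first page of a mapped image. Offsets follow the PE/COFF
    specification: e_lfanew at 0x3C, the 'PE\\0\\0' signature, a 20-byte COFF
    header, then the optional header whose Magic selects PE32 or PE32+."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    machine = struct.unpack_from("<H", image, coff)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        image_base = struct.unpack_from("<I", image, opt + 28)[0]   # after BaseOfData
    elif magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        image_base = struct.unpack_from("<Q", image, opt + 24)[0]   # PE32+ has no BaseOfData
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]        # same offset in both layouts
    return {
        "machine": machine,
        "pe32plus": magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC,
        "image_base": image_base,
        "entry_rva": entry_rva,
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "high_entropy": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
    }


def relocation_delta(header_info, actual_base):
    """How far the loader moved the module from its preferred base. Non-zero
    means absolute addresses taken from the header are wrong by this amount."""
    return actual_base - header_info["image_base"]


def entry_point_va(header_info, actual_base):
    """Runtime address of the entry point, computed from the real base, not
    from the header's ImageBase."""
    return actual_base + header_info["entry_rva"]


def build_sample_pe(image_base=0x400000, entry_rva=0x1000, dll_chars=0x8140, pe32plus=False):
    """Constructed minimal header for the example: DOS stub, PE signature,
    COFF header and an optional header with only the parsed fields set."""
    e_lfanew = 0x40
    opt_size = 0xF0 if pe32plus else 0xE0
    buf = bytearray(e_lfanew + 4 + 20 + opt_size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    coff = e_lfanew + 4
    struct.pack_into("<H", buf, coff, 0x8664 if pe32plus else 0x14C)   # Machine
    struct.pack_into("<H", buf, coff + 16, opt_size)                   # SizeOfOptionalHeader
    opt = coff + 20
    if pe32plus:
        struct.pack_into("<H", buf, opt, IMAGE_NT_OPTIONAL_HDR64_MAGIC)
        struct.pack_into("<Q", buf, opt + 24, image_base)
    else:
        struct.pack_into("<H", buf, opt, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
        struct.pack_into("<I", buf, opt + 28, image_base)
    struct.pack_into("<I", buf, opt + 16, entry_rva)
    struct.pack_into("<H", buf, opt + 70, dll_chars)
    return bytes(buf)


if __name__ == "__main__":
    info = pe_header_info(build_sample_pe())
    runtime_base = 0xB10000      # constructed: what get_module_base() might report
    print("preferred 0x%x, actual 0x%x, delta 0x%x, ASLR=%s" % (
        info["image_base"], runtime_base, relocation_delta(info, runtime_base), info["aslr"]))
```

The practical rule this encodes: resolve addresses from get_module_base() (or the module object) plus an RVA, and treat the header's ImageBase as a hint only; a non-zero relocation_delta on an image without DYNAMIC_BASE is itself suspicious, since the loader only moves such an image when the preferred range is already occupied.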

519

Methods

Class winappdbg.event.CreateProcessEvent

init (self, debug, raw )


x. init (...) initializes x; see help(type(x)) for signature
Parameters
debug: Debug object that received the event.
(type=Debug)
raw:

Raw DEBUG EVENT structure as used by the Win32 API.


(type=DEBUG EVENT)

Overrides: object. init


get event code(self )
Return Value
Debug event code as defined in the Win32 API.
(type=int)
get event description(self )
Return Value
User-friendly description of the event.
(type=str)
get event name(self )
Return Value
User-friendly name of the event.
(type=str)
get pid(self )
Return Value
Process global ID where the event occured.
(type=int)
See Also: get process
get process(self )
Return Value
Process where the event occured.
(type=Process)
See Also: get pid

520

Instance Variables

Class winappdbg.event.CreateProcessEvent

get thread(self )
Return Value
Thread where the event occured.
(type=Thread)
See Also: get tid
get tid(self )
Return Value
Thread global ID where the event occured.
(type=int)
See Also: get thread
Inherited from object
delattr (), format (), getattribute (), hash (), new (), reduce (), reduce ex (),
repr (), setattr (), sizeof (), str (), subclasshook ()
83.2

Properties
Name
Inherited from object
class

83.3

Class Variables
Name
eventMethod
eventName
eventDescription

83.4

Description

Description
Method name to call when using EventHandler
subclasses. Used internally.
Value: create process (type=str)
User-friendly name of the event.
Value: Process creation event (type=str)
User-friendly description of the event.
Value: A new process has started.
(type=str)

Instance Variables

521

Instance Variables

Name
continueStatus
debug
raw

Class winappdbg.event.CreateProcessEvent

Description
Continue status to pass to
win32.ContinueDebugEvent.
(type=int)
Debug object that received the event.
(type=Debug)
Raw DEBUG EVENT structure as used by the
Win32 API.
(type=DEBUG EVENT)

522

84 Class winappdbg.event.CreateThreadEvent

object
  winappdbg.event.Event
    winappdbg.event.CreateThreadEvent

Thread creation event.

84.1 Methods

get_thread_handle(self)
    Return Value
        Thread handle received from the system. Returns None if the handle is not available.
        (type=ThreadHandle)

get_teb(self)
    Return Value
        Pointer to the TEB.
        (type=int)

get_start_address(self)
    Return Value
        Pointer to the first instruction to execute in this thread. Returns NULL when the debugger
        attached to a process and the thread already existed.
        See http://msdn.microsoft.com/en-us/library/ms679295(VS.85).aspx
        (type=int)

__init__(self, debug, raw)
    x.__init__(...) initializes x; see help(type(x)) for signature
    Parameters
        debug: Debug object that received the event.
            (type=Debug)
        raw: Raw DEBUG_EVENT structure as used by the Win32 API.
            (type=DEBUG_EVENT)
    Overrides: object.__init__

get_event_code(self)
    Return Value
        Debug event code as defined in the Win32 API.
        (type=int)

get_event_description(self)
    Return Value
        User-friendly description of the event.
        (type=str)

get_event_name(self)
    Return Value
        User-friendly name of the event.
        (type=str)

get_pid(self)
    Return Value
        Process global ID where the event occurred.
        (type=int)
    See Also: get_process

get_process(self)
    Return Value
        Process where the event occurred.
        (type=Process)
    See Also: get_pid

get_thread(self)
    Return Value
        Thread where the event occurred.
        (type=Thread)
    See Also: get_tid

get_tid(self)
    Return Value
        Thread global ID where the event occurred.
        (type=int)
    See Also: get_thread

Inherited from object
    __delattr__(), __format__(), __getattribute__(), __hash__(), __new__(), __reduce__(),
    __reduce_ex__(), __repr__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()

84.2 Properties

Name        Description
Inherited from object
    __class__

84.3 Class Variables

Name              Description
eventMethod       Method name to call when using EventHandler subclasses. Used internally.
                  Value: 'create_thread' (type=str)
eventName         User-friendly name of the event.
                  Value: 'Thread creation event' (type=str)
eventDescription  User-friendly description of the event.
                  Value: 'A new thread has started.' (type=str)

84.4 Instance Variables

Name            Description
continueStatus  Continue status to pass to win32.ContinueDebugEvent. (type=int)
debug           Debug object that received the event. (type=Debug)
raw             Raw DEBUG_EVENT structure as used by the Win32 API. (type=DEBUG_EVENT)

85 Class winappdbg.event.Event

object
  winappdbg.event.Event

Known Subclasses: winappdbg.event.CreateProcessEvent, winappdbg.event.CreateThreadEvent,
winappdbg.event.ExceptionEvent, winappdbg.event.ExitProcessEvent, winappdbg.event.ExitThreadEvent,
winappdbg.event.LoadDLLEvent, winappdbg.event.OutputDebugStringEvent, winappdbg.event.RIPEvent,
winappdbg.event.UnloadDLLEvent, winappdbg.event.NoEvent

Event object.

85.1 Methods

__init__(self, debug, raw)
    x.__init__(...) initializes x; see help(type(x)) for signature
    Parameters
        debug: Debug object that received the event.
            (type=Debug)
        raw: Raw DEBUG_EVENT structure as used by the Win32 API.
            (type=DEBUG_EVENT)
    Overrides: object.__init__

get_event_name(self)
    Return Value
        User-friendly name of the event.
        (type=str)

get_event_description(self)
    Return Value
        User-friendly description of the event.
        (type=str)

get_event_code(self)
    Return Value
        Debug event code as defined in the Win32 API.
        (type=int)

get_pid(self)
    Return Value
        Process global ID where the event occurred.
        (type=int)
    See Also: get_process

get_tid(self)
    Return Value
        Thread global ID where the event occurred.
        (type=int)
    See Also: get_thread

get_process(self)
    Return Value
        Process where the event occurred.
        (type=Process)
    See Also: get_pid

get_thread(self)
    Return Value
        Thread where the event occurred.
        (type=Thread)
    See Also: get_tid

Inherited from object
    __delattr__(), __format__(), __getattribute__(), __hash__(), __new__(), __reduce__(),
    __reduce_ex__(), __repr__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()

85.2 Properties

Name        Description
Inherited from object
    __class__

85.3 Class Variables

Name              Description
eventMethod       Method name to call when using EventHandler subclasses. Used internally.
                  Value: 'unknown_event' (type=str)
eventName         User-friendly name of the event.
                  Value: 'Unknown event' (type=str)
eventDescription  User-friendly description of the event.
                  Value: 'A debug event of an unknown type has occurred.' (type=str)

85.4 Instance Variables

Name            Description
continueStatus  Continue status to pass to win32.ContinueDebugEvent. (type=int)
debug           Debug object that received the event. (type=Debug)
raw             Raw DEBUG_EVENT structure as used by the Win32 API. (type=DEBUG_EVENT)

86 Class winappdbg.event.EventCallbackWarning

object
  exceptions.BaseException
    exceptions.Exception
      exceptions.Warning
        exceptions.RuntimeWarning
          winappdbg.event.EventCallbackWarning

This warning is issued when an uncaught exception was raised by a user-defined event handler.

86.1 Methods

Inherited from exceptions.RuntimeWarning
    __init__(), __new__()
Inherited from exceptions.BaseException
    __delattr__(), __getattribute__(), __getitem__(), __getslice__(), __reduce__(),
    __setattr__(), __setstate__(), __str__(), __unicode__()
Inherited from object
    __format__(), __hash__(), __reduce_ex__(), __repr__(), __sizeof__(), __subclasshook__()

86.2 Properties

Name        Description
Inherited from exceptions.BaseException
    args, message
Inherited from object
    __class__

87 Class winappdbg.event.EventDispatcher

object
  winappdbg.event.EventDispatcher

Known Subclasses: winappdbg.debug.Debug

Implements debug event dispatching capabilities.

87.1 Methods

__init__(self, eventHandler=None)
    Event dispatcher.
    Parameters
        eventHandler: (Optional) User-defined event handler.
            (type=EventHandler)
    Raises
        TypeError  The event handler is of an incorrect type.
    Overrides: object.__init__
    Note: The eventHandler parameter may be any callable Python object (for example a function,
    or an instance method). However you'll probably find it more convenient to use an instance of
    a subclass of EventHandler here.

dispatch(self, event)
    Sends event notifications to the Debug object and the EventHandler object provided by the
    user.
    The Debug object will forward the notifications to its contained snapshot objects (System,
    Process, Thread and Module) when appropriate.
    Parameters
        event: Event object passed to Debug.dispatch.
            (type=Event)
    Raises
        WindowsError  Raises an exception on error.
    Warning: This method is called automatically from Debug.dispatch.
    See Also: Debug.cont, Debug.loop, Debug.wait

Inherited from object
    __delattr__(), __format__(), __getattribute__(), __hash__(), __new__(), __reduce__(),
    __reduce_ex__(), __repr__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()

Debugging events

get_event_handler(self)
    Get the event handler.
    Return Value
        Current event handler object, or None.
        (type=EventHandler)
    See Also: set_event_handler

set_event_handler(self, eventHandler)
    Set the event handler.
    Parameters
        eventHandler: New event handler object, or None.
            (type=EventHandler)
    Return Value
        Previous event handler object, or None.
        (type=EventHandler)
    Raises
        TypeError  The event handler is of an incorrect type.
    Warning: This is normally not needed. Use with care!
    Note: The eventHandler parameter may be any callable Python object (for example a function,
    or an instance method). However you'll probably find it more convenient to use an instance of
    a subclass of EventHandler here.

get_handler_method(eventHandler, event, fallback=None)
    Retrieves the appropriate callback method from an EventHandler instance for the given Event
    object.
    Parameters
        eventHandler: Event handler object whose methods we are examining.
            (type=EventHandler)
        event: Debugging event to be handled.
            (type=Event)
        fallback: (Optional) If no suitable method is found in the EventHandler instance, return
            this value.
            (type=callable)
    Return Value
        Bound method that will handle the debugging event. Returns None if no such method is
        defined.
        (type=callable)

87.2 Properties

Name        Description
Inherited from object
    __class__

88 Class winappdbg.event.EventFactory

object
  winappdbg.util.StaticClass
    winappdbg.event.EventFactory

Factory of Event objects.

88.1 Methods

get(cls, debug, raw)
    Parameters
        debug: Debug object that received the event.
            (type=Debug)
        raw: Raw DEBUG_EVENT structure as used by the Win32 API.
            (type=DEBUG_EVENT)
    Return Value
        An Event object or one of its subclasses, depending on the event type.
        (type=Event)

Inherited from winappdbg.util.StaticClass
    __new__()
Inherited from object
    __delattr__(), __format__(), __getattribute__(), __hash__(), __init__(), __reduce__(),
    __reduce_ex__(), __repr__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()

88.2 Properties

Name        Description
Inherited from object
    __class__

88.3 Class Variables

Name          Description
eventClasses  Dictionary that maps event codes to Event subclasses.
              Value: {1: <class 'winappdbg.event.ExceptionEvent'>, 2: <class ...
              (type=dict( int -> Event ))

89 Class winappdbg.event.EventHandler

object
  winappdbg.event.EventHandler

Known Subclasses: winappdbg.event.EventSift, winappdbg.interactive.ConsoleDebugger

Base class for debug event handlers.

Your program should subclass it to implement its own event handling.

The constructor can be overridden as long as you call the superclass constructor. The special
method __call__ MUST NOT be overridden.

The signature for event handlers is the following:

    def event_handler(self, event):

Where event is an Event object.

Each event handler is named after the event it handles. This is the list of all valid event
handler names:

event
    Receives an Event object or an object of any of its subclasses, and handles any event for
    which no handler was defined.
unknown_event
    Receives an Event object or an object of any of its subclasses, and handles any event unknown
    to the debugging engine. (This is not likely to happen unless the Win32 debugging API is
    changed in future versions of Windows).
exception
    Receives an ExceptionEvent object and handles any exception for which no handler was defined.
    See below for exception handlers.
unknown_exception
    Receives an ExceptionEvent object and handles any exception unknown to the debugging engine.
    This usually happens for C++ exceptions, which are not standardized and may change from one
    compiler to the next.
    Currently we have partial support for C++ exceptions thrown by Microsoft compilers.
    Also see: RaiseException() [1]
create_thread
    Receives a CreateThreadEvent object.
create_process
    Receives a CreateProcessEvent object.
exit_thread
    Receives an ExitThreadEvent object.
exit_process
    Receives an ExitProcessEvent object.
load_dll
    Receives a LoadDLLEvent object.
unload_dll
    Receives an UnloadDLLEvent object.
output_string
    Receives an OutputDebugStringEvent object.
rip
    Receives a RIPEvent object.

[1] http://msdn.microsoft.com/en-us/library/ms680552(VS.85).aspx

This is the list of all valid exception handler names (they all receive an ExceptionEvent
object):

    access_violation
    array_bounds_exceeded
    breakpoint
    control_c_exit
    datatype_misalignment
    debug_control_c
    float_denormal_operand
    float_divide_by_zero
    float_inexact_result
    float_invalid_operation
    float_overflow
    float_stack_check
    float_underflow
    guard_page
    illegal_instruction
    in_page_error
    integer_divide_by_zero
    integer_overflow
    invalid_disposition
    invalid_handle
    ms_vc_exception
    noncontinuable_exception
    possible_deadlock
    privileged_instruction
    single_step
    stack_overflow
    wow64_breakpoint

89.1 Methods

__init__(self)
    Class constructor. Don't forget to call it when subclassing!
    Forgetting to call the superclass constructor is a common mistake when you're new to
    Python. :)
    Example:

        class MyEventHandler (EventHandler):

            # Override the constructor to use an extra argument.
            def __init__(self, myArgument):

                # Do something with the argument, like keeping it
                # as an instance variable.
                self.myVariable = myArgument

                # Call the superclass constructor.
                super(MyEventHandler, self).__init__()

            # The rest of your code below...

    Overrides: object.__init__

__call__(self, event)
    Dispatch debug events.
    Parameters
        event: Event object.
            (type=Event)
    Warning: Don't override this method!

Inherited from object
    __delattr__(), __format__(), __getattribute__(), __hash__(), __new__(), __reduce__(),
    __reduce_ex__(), __repr__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()

89.2 Properties

Name        Description
Inherited from object
    __class__

89.3 Class Variables

Name      Description
apiHooks  Dictionary that maps module names to lists of tuples of ( procedure name, parameter
          count ).
          All procedures listed here will be hooked for calls from the debugee. When this
          happens, the corresponding event handler can be notified both when the procedure is
          entered and when it's left by the debugee.
          For example, let's hook the LoadLibraryEx() API call. This would be the declaration of
          apiHooks:

              from winappdbg import EventHandler
              from winappdbg.win32 import *

              # (...)

              class MyEventHandler (EventHandler):

                  apiHooks = {

                      "kernel32.dll" : (

                          #   Procedure name      Signature
                          (   "LoadLibraryEx",    (PVOID, HANDLE, DWORD) ),

                          # (more procedures can go here...)
                      ),

                      # (more libraries can go here...)
                  }

                  # (your method definitions go here...)

          Note that all pointer types are treated like void pointers, so your callback won't get
          the string or structure pointed to by it, but the remote memory address instead. This is
          so to prevent the ctypes library from being too helpful and trying to dereference the
          pointer. To get the actual data being pointed to, use one of the Process.read methods.
          Now, to intercept calls to LoadLibraryEx define a method like this in your event
          handler class:

              def pre_LoadLibraryEx(self, event, ra, lpFilename, hFile, dwFlags):
                  szFilename = event.get_process().peek_string(lpFilename)

                  # (...)

          Note that the first parameter is always the Event object, and the second parameter is
          the return address. The third parameter and above

90 Class winappdbg.event.EventSift

object
  winappdbg.event.EventHandler
    winappdbg.event.EventSift

Event handler that allows you to use customized event handlers for each process you're attached
to.

This makes coding the event handlers much easier, because each instance will only know about one
process. So you can code your event handler as if only one process was being debugged, but your
debugger can attach to multiple processes.

Example:

    from winappdbg import Debug, EventHandler, EventSift

    # This class was written assuming only one process is attached.
    # If you used it directly it would break when attaching to another
    # process, or when a child process is spawned.
    class MyEventHandler (EventHandler):

        def create_process(self, event):
            self.first = True
            self.name = event.get_process().get_filename()
            print "Attached to %s" % self.name

        def breakpoint(self, event):
            if self.first:
                self.first = False
                print "First breakpoint reached at %s" % self.name

        def exit_process(self, event):
            print "Detached from %s" % self.name

    # Now when debugging we use the EventSift to be able to work with
    # multiple processes while keeping our code simple. :)
    if __name__ == "__main__":
        handler = EventSift(MyEventHandler)
        #handler = MyEventHandler()  # try uncommenting this line...
        with Debug(handler) as debug:
            debug.execl("calc.exe")
            debug.execl("notepad.exe")
            debug.execl("charmap.exe")
            debug.loop()

Subclasses of EventSift can prevent specific event types from being forwarded by simply defining
a method for it. That means your subclass can handle some event types globally while letting
other types be handled on a per-process basis. To forward events manually you can call
self.event(event).

Example:

    class MySift (EventSift):

        # Don't forward this event.
        def debug_control_c(self, event):
            pass

        # Handle this event globally without forwarding it.
        def output_string(self, event):
            print "Debug string: %s" % event.get_debug_string()

        # Handle this event globally and then forward it.
        def create_process(self, event):
            print "New process created, PID: %d" % event.get_pid()
            return self.event(event)

        # All other events will be forwarded.

Note that overriding the event method would cause no events to be forwarded at all. To prevent
this, call the superclass implementation.

Example:

    def we_want_to_forward_this_event(event):
        "Use whatever logic you want here..."
        # (...return True or False...)

    class MySift (EventSift):

        def event(self, event):

            # If the event matches some custom criteria...
            if we_want_to_forward_this_event(event):

                # Forward it.
                return super(MySift, self).event(event)

            # Otherwise, don't.

90.1 Methods

__init__(self, cls, *argv, **argd)
    Maintains an instance of your event handler for each process being debugged, and forwards
    the events of each process to each corresponding instance.
    Parameters
        cls: Event handler class. This must be the class itself, not an instance! All additional
            arguments passed to the constructor of the event forwarder will be passed on to the
            constructor of this class as well.
            (type=class)
    Overrides: object.__init__
    Warning: If you subclass EventSift and reimplement this method, don't forget to call the
    superclass constructor!
    See Also: event

__call__(self, event)
    Dispatch debug events.
    Parameters
        event: Event object.
    Overrides: winappdbg.event.EventHandler.__call__ (inherited documentation)

event(self, event)
    Forwards events to the corresponding instance of your event handler for this process.
    If you subclass EventSift and reimplement this method, no event will be forwarded at all
    unless you call the superclass implementation.
    If your filtering is based on the event type, there's a much easier way to do it: just
    implement a handler for it.

Inherited from object
    __delattr__(), __format__(), __getattribute__(), __hash__(), __new__(), __reduce__(),
    __reduce_ex__(), __repr__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()

90.2 Properties

Name        Description
Inherited from object
    __class__

90.3 Class Variables

Name      Description
apiHooks  Dictionary that maps module names to lists of tuples of ( procedure name, parameter
          count ).
          All procedures listed here will be hooked for calls from the debugee. When this
          happens, the corresponding event handler can be notified both when the procedure is
          entered and when it's left by the debugee.
          For example, let's hook the LoadLibraryEx() API call. This would be the declaration of
          apiHooks:

              from winappdbg import EventHandler
              from winappdbg.win32 import *

              # (...)

              class MyEventHandler (EventHandler):

                  apiHooks = {

                      "kernel32.dll" : (

                          #   Procedure name      Signature
                          (   "LoadLibraryEx",    (PVOID, HANDLE, DWORD) ),

                          # (more procedures can go here...)
                      ),

                      # (more libraries can go here...)
                  }

                  # (your method definitions go here...)

          Note that all pointer types are treated like void pointers, so your callback won't get
          the string or structure pointed to by it, but the remote memory address instead. This is
          so to prevent the ctypes library from being too helpful and trying to dereference the
          pointer. To get the actual data being pointed to, use one of the Process.read methods.
          Now, to intercept calls to LoadLibraryEx define a method like this in your event
          handler class:

              def pre_LoadLibraryEx(self, event, ra, lpFilename, hFile, dwFlags):
                  szFilename = event.get_process().peek_string(lpFilename)

                  # (...)

          Note that the first parameter is always the Event object, and the second parameter is
          the return address. The third parameter and above

90.4 Instance Variables

Name     Description
argd     Keyword arguments to pass to the constructor of cls. (type=list)
argv     Positional arguments to pass to the constructor of cls. (type=list)
cls      Event handler class. There will be one instance of this class per debugged process in
         the forward dictionary. (type=class)
forward  Dictionary that maps each debugged process ID to an instance of cls. (type=dict)
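As an added example that is not code from winappdbg or its author, the following dependency-free Python models the two mechanisms documented above: the handler-name resolution of EventHandler (a handler named after the exception, then exception, then event, with unknown_event and unknown_exception for codes the engine does not know) and the per-process routing of EventSift (one instance of cls per PID in the forward dictionary, sift-level methods taking precedence, self.event forwarding). FakeEvent, MiniEventHandler, MiniEventSift, PerProcessHandler, LoggingSift and the two code tables are hypothetical stand-ins so the example runs without winappdbg or Windows.

```python
# Added example, not winappdbg's own code: a dependency-free model of the
# EventHandler name resolution and EventSift per-process routing documented
# above. All classes and tables are hypothetical stand-ins.

# Constructed subsets of the two tables the dispatcher consults.
EVENT_METHOD = {1: "exception", 2: "create_thread", 3: "create_process", 5: "exit_process"}
EXCEPTION_NAME = {0xC0000005: "access_violation", 0x80000003: "breakpoint"}


class FakeEvent:
    """Stand-in for winappdbg.event.Event carrying only what dispatch needs."""
    def __init__(self, code, pid, exc_code=None):
        self.pid, self.exc_code = pid, exc_code
        # Event.eventMethod is 'unknown_event' for codes the engine does not know.
        self.eventMethod = EVENT_METHOD.get(code, "unknown_event")

    def get_pid(self):
        return self.pid

    def get_exception_code(self):
        return self.exc_code


class MiniEventHandler:
    """Models EventHandler.__call__: most specific handler first, then fallbacks."""
    def __call__(self, event):
        if event.eventMethod == "exception":
            # access_violation, breakpoint, ... -> 'exception' -> 'event';
            # a code the engine does not know tries 'unknown_exception' first.
            specific = EXCEPTION_NAME.get(event.get_exception_code(),
                                          "unknown_exception")
            candidates = (specific, "exception", "event")
        else:
            # create_process, exit_thread, unknown_event, ... -> 'event'
            candidates = (event.eventMethod, "event")
        for name in candidates:
            handler = getattr(self, name, None)
            if handler is not None:
                return handler(event)
        return None  # nothing defined for this event: it is ignored


class MiniEventSift(MiniEventHandler):
    """Models EventSift: one instance of cls per debugged PID, kept in forward."""
    def __init__(self, cls, *argv, **argd):
        self.cls, self.argv, self.argd = cls, argv, argd
        self.forward = {}  # pid -> instance of cls

    def event(self, event):
        # Reached for every event type the sift has no method of its own for:
        # route to the handler owned by that PID, creating it on first sight.
        pid = event.get_pid()
        if pid not in self.forward:
            self.forward[pid] = self.cls(*self.argv, **self.argd)
        return self.forward[pid](event)


class PerProcessHandler(MiniEventHandler):
    """Written as if only one process existed, like the page's MyEventHandler."""
    def __init__(self):
        self.first = False
        self.log = []

    def create_process(self, event):
        self.first = True
        self.log.append("attached %d" % event.get_pid())

    def breakpoint(self, event):
        if self.first:
            self.first = False
            self.log.append("first breakpoint in %d" % event.get_pid())

    def exception(self, event):  # any exception without a handler of its own
        self.log.append("other exception 0x%08X" % event.get_exception_code())

    def event(self, event):  # any non-exception event without a handler
        self.log.append("unhandled %s" % event.eventMethod)


class LoggingSift(MiniEventSift):
    """Like the page's MySift: handle some events globally, forward the rest."""
    def __init__(self, cls):
        super().__init__(cls)  # the superclass constructor must be called
        self.seen = []

    def create_process(self, event):  # handled globally, then forwarded
        self.seen.append(event.get_pid())
        return self.event(event)

    def exit_process(self, event):  # handled globally and NOT forwarded
        return None


def run_demo():
    """Push a constructed event stream interleaving two PIDs through the sift."""
    sift = LoggingSift(PerProcessHandler)
    stream = [FakeEvent(3, 100), FakeEvent(3, 200),
              FakeEvent(1, 100, 0x80000003), FakeEvent(1, 100, 0x80000003),
              FakeEvent(1, 200, 0xC0000005), FakeEvent(2, 100),
              FakeEvent(99, 200), FakeEvent(5, 100)]
    for ev in stream:
        sift(ev)
    return {"seen": sift.seen,
            "logs": {pid: h.log for pid, h in sift.forward.items()}}
```

Running run_demo() shows each PID's handler seeing only its own events, the second breakpoint in PID 100 being silently absorbed, and the exit_process event stopping at the sift because LoggingSift defines a method for it.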

91 Class winappdbg.event.ExceptionEvent

object
  winappdbg.event.Event
    winappdbg.event.ExceptionEvent

Exception event.

91.1 Methods

get_exception_name(self)
    Return Value
        Name of the exception as defined by the Win32 API.
        (type=str)

get_exception_description(self)
    Return Value
        User-friendly name of the exception.
        (type=str)

is_first_chance(self)
    Return Value
        True for first chance exceptions, False for last chance.
        (type=bool)

is_last_chance(self)
    Return Value
        The opposite of is_first_chance.
        (type=bool)

is_noncontinuable(self)
    Return Value
        True if the exception is noncontinuable, False otherwise.
        Attempting to continue a noncontinuable exception results in an
        EXCEPTION_NONCONTINUABLE_EXCEPTION exception being raised.
        (type=bool)
    See Also: http://msdn.microsoft.com/en-us/library/aa363082(VS.85).aspx

is_continuable(self)
    Return Value
        The opposite of is_noncontinuable.
        (type=bool)

is_user_defined_exception(self)
    Determines if this is a user-defined exception. User-defined exceptions may contain any
    exception code that is not system reserved.
    Often the exception code is also a valid Win32 error code, but that's up to the debugged
    application.
    Return Value
        True if the exception is user-defined, False otherwise.
        (type=bool)

is_system_defined_exception(self)
    Return Value
        The opposite of is_user_defined_exception.
        (type=bool)

get_exception_code(self)
    Return Value
        Exception code as defined by the Win32 API.
        (type=int)

get_exception_address(self)
    Return Value
        Memory address where the exception occurred.
        (type=int)

get_exception_information(self, index)
    Parameters
        index: Index into the exception information block.
            (type=int)
    Return Value
        Exception information DWORD.
        (type=int)

get_exception_information_as_list(self)
    Return Value
        Exception information block.
        (type=list( int ))

get_fault_type(self)
    Return Value
        Access violation type. Should be one of the following constants:
            win32.EXCEPTION_READ_FAULT
            win32.EXCEPTION_WRITE_FAULT
            win32.EXCEPTION_EXECUTE_FAULT
        (type=int)
    Raises
        NotImplementedError  Wrong kind of exception.
    Note: This method is only meaningful for access violation exceptions, in-page memory error
    exceptions and guard page exceptions.

get_fault_address(self)
    Return Value
        Access violation memory address.
        (type=int)
    Raises
        NotImplementedError  Wrong kind of exception.
    Note: This method is only meaningful for access violation exceptions, in-page memory error
    exceptions and guard page exceptions.

get_ntstatus_code(self)
    Return Value
        NTSTATUS status code that caused the exception.
        (type=int)
    Raises
        NotImplementedError  Not an in-page memory error.
    Note: This method is only meaningful for in-page memory error exceptions.

is_nested(self)
    Return Value
        Returns True if there are additional exception records associated with this exception.
        This would mean the exception is nested, that is, it was triggered while trying to handle
        at least one previous exception.
        (type=bool)

get_raw_exception_record_list(self)
    Traverses the exception record linked list and builds a Python list.
    Nested exception records are received for nested exceptions. This happens when an exception
    is raised in the debugee while trying to handle a previous exception.
    Return Value
        List of raw exception record structures as used by the Win32 API.
        There is always at least one exception record, so the list is never empty. All other
        methods of this class read from the first exception record only, that is, the most recent
        exception.
        (type=list( win32.EXCEPTION_RECORD ))

get_nested_exceptions(self)
    Traverses the exception record linked list and builds a Python list.
    Nested exception records are received for nested exceptions. This happens when an exception
    is raised in the debugee while trying to handle a previous exception.
    Return Value
        List of ExceptionEvent objects representing each exception record found in this event.
        There is always at least one exception record, so the list is never empty. All other
        methods of this class read from the first exception record only, that is, the most recent
        exception.
        (type=list( ExceptionEvent ))

__init__(self, debug, raw)
    x.__init__(...) initializes x; see help(type(x)) for signature
    Parameters
        debug: Debug object that received the event.
            (type=Debug)
        raw: Raw DEBUG_EVENT structure as used by the Win32 API.
            (type=DEBUG_EVENT)
    Overrides: object.__init__

get_event_code(self)
    Return Value
        Debug event code as defined in the Win32 API.
        (type=int)

get_event_description(self)
    Return Value
        User-friendly description of the event.
        (type=str)

get_event_name(self)
    Return Value
        User-friendly name of the event.
        (type=str)

get_pid(self)
    Return Value
        Process global ID where the event occurred.
        (type=int)
    See Also: get_process

get_process(self)
    Return Value
        Process where the event occurred.
        (type=Process)
    See Also: get_pid

get_thread(self)
    Return Value
        Thread where the event occurred.
        (type=Thread)
    See Also: get_tid

get_tid(self)
    Return Value
        Thread global ID where the event occurred.
        (type=int)
    See Also: get_thread

Inherited from object
    __delattr__(), __format__(), __getattribute__(), __hash__(), __new__(), __reduce__(),
    __reduce_ex__(), __repr__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()

91.2 Properties

Name         Description
eventMethod
Inherited from object
    __class__

91.3 Class Variables

Name                  Description
eventName             User-friendly name of the event.
                      Value: 'Exception event' (type=str)
eventDescription      User-friendly description of the event.
                      Value: 'An exception was raised by the debugee.' (type=str)
exceptionDescription  Mapping of exception constants to user-friendly strings.
                      (type=dict( int -> str ))
exceptionName         Mapping of exception constants to their names.
                      (type=dict( int -> str ))

91.4 Instance Variables

Name            Description
breakpoint      If the exception was caused by one of our breakpoints, this member contains a
                reference to the breakpoint object. Otherwise it's not defined. It should only be
                used from the condition or action callback routines, instead of the event
                handler.
                (type=Breakpoint)
continueStatus  Continue status to pass to win32.ContinueDebugEvent. (type=int)
debug           Debug object that received the event. (type=Debug)
hook            If the exception was caused by a function hook, this member contains a reference
                to the hook object. Otherwise it's not defined. It should only be used from the
                hook callback routines, instead of the event handler.
                (type=Hook)
raw             Raw DEBUG_EVENT structure as used by the Win32 API. (type=DEBUG_EVENT)

92 Class winappdbg.event.ExitProcessEvent

object
  winappdbg.event.Event
    winappdbg.event.ExitProcessEvent

Process termination event.

92.1 Methods

get_exit_code(self)
    Return Value
        Exit code of the process.
        (type=int)

get_filename(self)
    Return Value
        Filename of the main module. None if the filename is unknown.
        (type=None or str)

get_image_base(self)
    Return Value
        Base address of the main module.
        (type=int)

get_module_base(self)
    Return Value
        Base address of the main module.
        (type=int)

get_module(self)
    Return Value
        Main module of the process.
        (type=Module)

__init__(self, debug, raw)
    x.__init__(...) initializes x; see help(type(x)) for signature
    Parameters
        debug: Debug object that received the event.
            (type=Debug)
        raw: Raw DEBUG_EVENT structure as used by the Win32 API.
            (type=DEBUG_EVENT)
    Overrides: object.__init__

get_event_code(self)
    Return Value
        Debug event code as defined in the Win32 API.
        (type=int)

get_event_description(self)
    Return Value
        User-friendly description of the event.
        (type=str)

get_event_name(self)
    Return Value
        User-friendly name of the event.
        (type=str)

get_pid(self)
    Return Value
        Process global ID where the event occurred.
        (type=int)
    See Also: get_process

get_process(self)
    Return Value
        Process where the event occurred.
        (type=Process)
    See Also: get_pid

get_thread(self)
    Return Value
        Thread where the event occurred.
        (type=Thread)
    See Also: get_tid

get_tid(self)
    Return Value
        Thread global ID where the event occurred.
        (type=int)
    See Also: get_thread

Inherited from object
    __delattr__(), __format__(), __getattribute__(), __hash__(), __new__(), __reduce__(),
    __reduce_ex__(), __repr__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()

92.2 Properties

Name        Description
Inherited from object
    __class__

92.3 Class Variables

Name              Description
eventMethod       Method name to call when using EventHandler subclasses. Used internally.
                  Value: 'exit_process' (type=str)
eventName         User-friendly name of the event.
                  Value: 'Process termination event' (type=str)
eventDescription  User-friendly description of the event.
                  Value: 'A process has finished executing.' (type=str)

92.4 Instance Variables

Name            Description
continueStatus  Continue status to pass to win32.ContinueDebugEvent. (type=int)
debug           Debug object that received the event. (type=Debug)
raw             Raw DEBUG_EVENT structure as used by the Win32 API. (type=DEBUG_EVENT)

93 Class winappdbg.event.ExitThreadEvent

object
  winappdbg.event.Event
    winappdbg.event.ExitThreadEvent

Thread termination event.

93.1 Methods
get_exit_code(self)
Return Value: Exit code of the thread. (type=int)

__init__(self, debug, raw)
x.__init__(...) initializes x; see help(type(x)) for signature
Parameters
debug: Debug object that received the event. (type=Debug)
raw: Raw DEBUG_EVENT structure as used by the Win32 API. (type=DEBUG_EVENT)
Overrides: object.__init__

get_event_code(self)
Return Value: Debug event code as defined in the Win32 API. (type=int)

get_event_description(self)
Return Value: User-friendly description of the event. (type=str)

get_event_name(self)
Return Value: User-friendly name of the event. (type=str)

get_pid(self)
Return Value: Process global ID where the event occurred. (type=int)
See Also: get_process

get_process(self)
Return Value: Process where the event occurred. (type=Process)
See Also: get_pid

get_thread(self)
Return Value: Thread where the event occurred. (type=Thread)
See Also: get_tid

get_tid(self)
Return Value: Thread global ID where the event occurred. (type=int)
See Also: get_thread

Inherited from object
__delattr__(), __format__(), __getattribute__(), __hash__(), __new__(), __reduce__(), __reduce_ex__(), __repr__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()

93.2 Properties
Inherited from object
__class__

93.3 Class Variables
eventMethod: Method name to call when using EventHandler subclasses. Used internally. Value: 'exit_thread' (type=str)
eventName: User-friendly name of the event. Value: 'Thread termination event' (type=str)
eventDescription: User-friendly description of the event. Value: 'A thread has finished executing.' (type=str)

93.4 Instance Variables
continueStatus: Continue status to pass to win32.ContinueDebugEvent. (type=int)
debug: Debug object that received the event. (type=Debug)
raw: Raw DEBUG_EVENT structure as used by the Win32 API. (type=DEBUG_EVENT)

94 Class winappdbg.event.LoadDLLEvent

object
  winappdbg.event.Event
    winappdbg.event.LoadDLLEvent

Module load event.

94.1 Methods
get_module_base(self)
Return Value: Base address for the newly loaded DLL. (type=int)

get_module(self)
Return Value: Module object for the newly loaded DLL. (type=Module)

get_file_handle(self)
Return Value: File handle to the newly loaded DLL received from the system. Returns None if the handle is not available. (type=FileHandle or None)

get_filename(self)
Return Value: Filename of the newly loaded module. This method does its best to retrieve it, but sometimes that's not possible, and None is returned instead. (type=str or None)

__init__(self, debug, raw)
x.__init__(...) initializes x; see help(type(x)) for signature
Parameters
debug: Debug object that received the event. (type=Debug)
raw: Raw DEBUG_EVENT structure as used by the Win32 API. (type=DEBUG_EVENT)
Overrides: object.__init__

get_event_code(self)
Return Value: Debug event code as defined in the Win32 API. (type=int)

get_event_description(self)
Return Value: User-friendly description of the event. (type=str)

get_event_name(self)
Return Value: User-friendly name of the event. (type=str)

get_pid(self)
Return Value: Process global ID where the event occurred. (type=int)
See Also: get_process

get_process(self)
Return Value: Process where the event occurred. (type=Process)
See Also: get_pid

get_thread(self)
Return Value: Thread where the event occurred. (type=Thread)
See Also: get_tid

get_tid(self)
Return Value: Thread global ID where the event occurred. (type=int)
See Also: get_thread

Inherited from object
__delattr__(), __format__(), __getattribute__(), __hash__(), __new__(), __reduce__(), __reduce_ex__(), __repr__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()

94.2 Properties
Inherited from object
__class__

94.3 Class Variables
eventMethod: Method name to call when using EventHandler subclasses. Used internally. Value: 'load_dll' (type=str)
eventName: User-friendly name of the event. Value: 'Module load event' (type=str)
eventDescription: User-friendly description of the event. Value: 'A new DLL library was loaded by the debugee.' (type=str)

94.4 Instance Variables
continueStatus: Continue status to pass to win32.ContinueDebugEvent. (type=int)
debug: Debug object that received the event. (type=Debug)
raw: Raw DEBUG_EVENT structure as used by the Win32 API. (type=DEBUG_EVENT)

95 Class winappdbg.event.NoEvent

object
  winappdbg.event.Event
    winappdbg.event.NoEvent

Known Subclasses: winappdbg.interactive.DummyEvent

No event.

Dummy Event object that can be used as a placeholder when no debug event has occurred yet. It's never returned by the EventFactory.

95.1 Methods
__init__(self, debug, raw=None)
x.__init__(...) initializes x; see help(type(x)) for signature
Parameters
debug: Debug object that received the event.
raw: Raw DEBUG_EVENT structure as used by the Win32 API.
Overrides: object.__init__ (inherited documentation)

__len__(self)
Always returns 0, so when evaluating the object as a boolean it's always False. This prevents Debug.cont from trying to continue a dummy event.

get_event_code(self)
Return Value: Debug event code as defined in the Win32 API. (type=int)
Overrides: winappdbg.event.Event.get_event_code (inherited documentation)

get_pid(self)
Return Value: Process global ID where the event occurred. (type=int)
Overrides: winappdbg.event.Event.get_pid (inherited documentation)

get_tid(self)
Return Value: Thread global ID where the event occurred. (type=int)
Overrides: winappdbg.event.Event.get_tid (inherited documentation)

get_process(self)
Return Value: Process where the event occurred. (type=Process)
Overrides: winappdbg.event.Event.get_process (inherited documentation)

get_thread(self)
Return Value: Thread where the event occurred. (type=Thread)
Overrides: winappdbg.event.Event.get_thread (inherited documentation)

get_event_description(self)
Return Value: User-friendly description of the event. (type=str)

get_event_name(self)
Return Value: User-friendly name of the event. (type=str)

Inherited from object
__delattr__(), __format__(), __getattribute__(), __hash__(), __new__(), __reduce__(), __reduce_ex__(), __repr__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()

95.2 Properties
Inherited from object
__class__

95.3 Class Variables
eventMethod: Method name to call when using EventHandler subclasses. Used internally. Value: 'no_event' (type=str)
eventName: User-friendly name of the event. Value: 'No event' (type=str)
eventDescription: User-friendly description of the event. Value: 'No debug event has occured.' (type=str)

95.4 Instance Variables
continueStatus: Continue status to pass to win32.ContinueDebugEvent. (type=int)
debug: Debug object that received the event. (type=Debug)
raw: Raw DEBUG_EVENT structure as used by the Win32 API. (type=DEBUG_EVENT)

96 Class winappdbg.event.OutputDebugStringEvent

object
  winappdbg.event.Event
    winappdbg.event.OutputDebugStringEvent

Debug string output event.

96.1 Methods
get_debug_string(self)
Return Value: String sent by the debugee. It may be ANSI or Unicode and may end with a null character. (type=str or unicode)

__init__(self, debug, raw)
x.__init__(...) initializes x; see help(type(x)) for signature
Parameters
debug: Debug object that received the event. (type=Debug)
raw: Raw DEBUG_EVENT structure as used by the Win32 API. (type=DEBUG_EVENT)
Overrides: object.__init__

get_event_code(self)
Return Value: Debug event code as defined in the Win32 API. (type=int)

get_event_description(self)
Return Value: User-friendly description of the event. (type=str)

get_event_name(self)
Return Value: User-friendly name of the event. (type=str)

get_pid(self)
Return Value: Process global ID where the event occurred. (type=int)
See Also: get_process

get_process(self)
Return Value: Process where the event occurred. (type=Process)
See Also: get_pid

get_thread(self)
Return Value: Thread where the event occurred. (type=Thread)
See Also: get_tid

get_tid(self)
Return Value: Thread global ID where the event occurred. (type=int)
See Also: get_thread

Inherited from object
__delattr__(), __format__(), __getattribute__(), __hash__(), __new__(), __reduce__(), __reduce_ex__(), __repr__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()

96.2 Properties
Inherited from object
__class__

96.3 Class Variables
eventMethod: Method name to call when using EventHandler subclasses. Used internally. Value: 'output_string' (type=str)
eventName: User-friendly name of the event. Value: 'Debug string output event' (type=str)
eventDescription: User-friendly description of the event. Value: 'The debugee sent a message to the debugger.' (type=str)

96.4 Instance Variables
continueStatus: Continue status to pass to win32.ContinueDebugEvent. (type=int)
debug: Debug object that received the event. (type=Debug)
raw: Raw DEBUG_EVENT structure as used by the Win32 API. (type=DEBUG_EVENT)

97 Class winappdbg.event.RIPEvent

object
  winappdbg.event.Event
    winappdbg.event.RIPEvent

RIP event.

97.1 Methods
get_rip_error(self)
Return Value: RIP error code as defined by the Win32 API. (type=int)

get_rip_type(self)
Return Value: RIP type code as defined by the Win32 API. May be 0 or one of the following: win32.SLE_ERROR, win32.SLE_MINORERROR, win32.SLE_WARNING. (type=int)

__init__(self, debug, raw)
x.__init__(...) initializes x; see help(type(x)) for signature
Parameters
debug: Debug object that received the event. (type=Debug)
raw: Raw DEBUG_EVENT structure as used by the Win32 API. (type=DEBUG_EVENT)
Overrides: object.__init__

get_event_code(self)
Return Value: Debug event code as defined in the Win32 API. (type=int)

get_event_description(self)
Return Value: User-friendly description of the event. (type=str)

get_event_name(self)
Return Value: User-friendly name of the event. (type=str)

get_pid(self)
Return Value: Process global ID where the event occurred. (type=int)
See Also: get_process

get_process(self)
Return Value: Process where the event occurred. (type=Process)
See Also: get_pid

get_thread(self)
Return Value: Thread where the event occurred. (type=Thread)
See Also: get_tid

get_tid(self)
Return Value: Thread global ID where the event occurred. (type=int)
See Also: get_thread

Inherited from object
__delattr__(), __format__(), __getattribute__(), __hash__(), __new__(), __reduce__(), __reduce_ex__(), __repr__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()

97.2 Properties
Inherited from object
__class__

97.3 Class Variables
eventMethod: Method name to call when using EventHandler subclasses. Used internally. Value: 'rip' (type=str)
eventName: User-friendly name of the event. Value: 'RIP event' (type=str)
eventDescription: User-friendly description of the event. Value: 'An error has occured and the process can no longer be de...' (type=str)

97.4 Instance Variables
continueStatus: Continue status to pass to win32.ContinueDebugEvent. (type=int)
debug: Debug object that received the event. (type=Debug)
raw: Raw DEBUG_EVENT structure as used by the Win32 API. (type=DEBUG_EVENT)

98 Class winappdbg.event.UnloadDLLEvent

object
  winappdbg.event.Event
    winappdbg.event.UnloadDLLEvent

Module unload event.

98.1 Methods
get_module_base(self)
Return Value: Base address for the recently unloaded DLL. (type=int)

get_module(self)
Return Value: Module object for the recently unloaded DLL. (type=Module)

get_file_handle(self)
Return Value: File handle to the recently unloaded DLL. Returns None if the handle is not available. (type=FileHandle or None)

get_filename(self)
Return Value: Filename of the recently unloaded DLL. None if the filename is unknown. (type=str or None)

__init__(self, debug, raw)
x.__init__(...) initializes x; see help(type(x)) for signature
Parameters
debug: Debug object that received the event. (type=Debug)
raw: Raw DEBUG_EVENT structure as used by the Win32 API. (type=DEBUG_EVENT)
Overrides: object.__init__

get_event_code(self)
Return Value: Debug event code as defined in the Win32 API. (type=int)

get_event_description(self)
Return Value: User-friendly description of the event. (type=str)

get_event_name(self)
Return Value: User-friendly name of the event. (type=str)

get_pid(self)
Return Value: Process global ID where the event occurred. (type=int)
See Also: get_process

get_process(self)
Return Value: Process where the event occurred. (type=Process)
See Also: get_pid

get_thread(self)
Return Value: Thread where the event occurred. (type=Thread)
See Also: get_tid

get_tid(self)
Return Value: Thread global ID where the event occurred. (type=int)
See Also: get_thread

Inherited from object
__delattr__(), __format__(), __getattribute__(), __hash__(), __new__(), __reduce__(), __reduce_ex__(), __repr__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()

98.2 Properties
Inherited from object
__class__

98.3 Class Variables
eventMethod: Method name to call when using EventHandler subclasses. Used internally. Value: 'unload_dll' (type=str)
eventName: User-friendly name of the event. Value: 'Module unload event' (type=str)
eventDescription: User-friendly description of the event. Value: 'A DLL library was unloaded by the debugee.' (type=str)

98.4 Instance Variables
continueStatus: Continue status to pass to win32.ContinueDebugEvent. (type=int)
debug: Debug object that received the event. (type=Debug)
raw: Raw DEBUG_EVENT structure as used by the Win32 API. (type=DEBUG_EVENT)

99 Class winappdbg.interactive.CmdError

object
  exceptions.BaseException
    exceptions.Exception
      winappdbg.interactive.CmdError

Exception raised when a command parsing error occurs. Used internally by ConsoleDebugger.

99.1 Methods
Inherited from exceptions.Exception
__init__(), __new__()
Inherited from exceptions.BaseException
__delattr__(), __getattribute__(), __getitem__(), __getslice__(), __reduce__(), __repr__(), __setattr__(), __setstate__(), __str__(), __unicode__()
Inherited from object
__format__(), __hash__(), __reduce_ex__(), __sizeof__(), __subclasshook__()

99.2 Properties
Inherited from exceptions.BaseException
args, message
Inherited from object
__class__

Class winappdbg.interactive.ConsoleDebugger

100

Class winappdbg.interactive.ConsoleDebugger
cmd.Cmd

object
winappdbg.event.EventHandler
winappdbg.interactive.ConsoleDebugger
Interactive console debugger.
See Also: Debug.interactive
100.1

Methods
init (self )

Interactive console debugger.


Overrides: object. init
See Also: Debug.interactive
start using debugger(self, debug)
stop using debugger(self )
destroy debugger(self, autodetach=True)
set fake last event(self, process)
join tokens(self, token list)
split tokens(self, arg, min count=0, max count=None)
input thread(self, token)
input thread list(self, token list)
input process(self, token)

582

Methods

Class winappdbg.interactive.ConsoleDebugger

input process list(self, token list)


input command line(self, command line)
input hexadecimal integer(self, token)
input integer(self, token)
input address(self, token, pid =None, tid =None)
input address range(self, token list, pid =None, tid =None)
is register(self, token)
input register(self, token, tid =None)
input full address range(self, token list)
input breakpoint(self, token list)
input display(self, token list, default size=64)
print module load(self, event)
print module unload(self, event)
print process start(self, event)
print thread start(self, event)
print process end(self, event)
print thread end(self, event)
print debug string(self, event)
print event(self, event)
print exception(self, event)
583

Methods

Class winappdbg.interactive.ConsoleDebugger

print event location(self, event)


print breakpoint location(self, event)
print current location(self, process=None, thread =None, pc=None)
print memory display(self, arg, method )
get process id from prefix(self )
get thread id from prefix(self )
get process from prefix(self )
get thread from prefix(self )
get process and thread ids from prefix(self )
get process and thread from prefix(self )
get process(self, pid =None)
get thread(self, tid =None)
read memory(self, address, size, pid =None)
write memory(self, address, data, pid =None)
change register(self, register, value, tid =None)
find in memory(self, query, process)
kill process(self, pid )
kill thread(self, tid )
prompt user(self )
ask user(self, msg, prompt=Are you sure?
584

(y/N): )

Methods

Class winappdbg.interactive.ConsoleDebugger

autocomplete(self, cmd )
get help(self, commands)
split prefix(self, line)
get names(self )
Overrides: cmd.Cmd.get names
parseline(self, line)
Parse the line into a command name and a string containing the arguments.
Returns a tuple containing (command, args, line). command and args may
be None if the line couldnt be parsed.
Overrides: cmd.Cmd.parseline extit(inherited documentation)
preloop(self )
Hook method executed once when the cmdloop() method is called.
Overrides: cmd.Cmd.preloop extit(inherited documentation)
get lastcmd(self )
set lastcmd(self, lastcmd )
postcmd(self, stop, line)
Hook method executed just after a command dispatch is finished.
Overrides: cmd.Cmd.postcmd extit(inherited documentation)
do help(self, arg)
? - show the list of available commands ? * - show help for all commands ?
<command> [command...] - show help for the given command(s) help - show
the list of available commands help * - show help for all commands help
<command> [command...] - show help for the given command(s)
Overrides: cmd.Cmd.do help

585

Methods

Class winappdbg.interactive.ConsoleDebugger

do shell(self, arg)
! - spawn a system shell shell - spawn a system shell ! <command>
[arguments...] - execute a single shell command shell <command>
[arguments...] - execute a single shell command
do python(self, arg)
# - spawn a python interpreter python - spawn a python interpreter #
<statement> - execute a single python statement python <statement> execute a single python statement
do plugin(self, arg)
[prefix] .<name> [arguments] - run a plugin command [prefix] plugin
<name> [arguments] - run a plugin command
do quit(self, arg)
quit - close the debugging session q - close the debugging session
do q(self, arg)
quit - close the debugging session q - close the debugging session
do attach(self, arg)
attach <target> [target...] - attach to the given process(es)
do detach(self, arg)
[process] detach - detach from the current process detach - detach from the
current process detach <target> [target...] - detach from the given process(es)
do windowed(self, arg)
windowed <target> [arguments...] - run a windowed program for debugging
do console(self, arg)
console <target> [arguments...] - run a console program for debugging
do continue(self, arg)
continue - continue execution g - continue execution go - continue execution

586

Methods

Class winappdbg.interactive.ConsoleDebugger

do g(self, arg)
continue - continue execution g - continue execution go - continue execution
do go(self, arg)
continue - continue execution g - continue execution go - continue execution
do gh(self, arg)
gh - go with exception handled
do gn(self, arg)
gn - go with exception not handled
do refresh(self, arg)
refresh - refresh the list of running processes and threads [process] refresh refresh the list of running threads
do processlist(self, arg)
pl - show the processes being debugged processlist - show the processes being
debugged
do pl(self, arg)
pl - show the processes being debugged processlist - show the processes being
debugged
do threadlist(self, arg)
tl - show the threads being debugged threadlist - show the threads being
debugged
do tl(self, arg)
tl - show the threads being debugged threadlist - show the threads being
debugged
do kill(self, arg)
[process] kill - kill a process [thread] kill - kill a thread kill - kill the current
process kill * - kill all debugged processes kill <processes and/or threads...> kill the given processes and threads

587

Methods

Class winappdbg.interactive.ConsoleDebugger

do modload(self, arg)
[process] modload <filename.dll> - load a DLL module
do stack(self, arg)
[thread] k - show the stack trace [thread] stack - show the stack trace
do k(self, arg)
[thread] k - show the stack trace [thread] stack - show the stack trace
do break(self, arg)
break - force a debug break in all debugees break <process> [process...] - force
a debug break
do step(self, arg)
p - step on the current assembly instruction next - step on the current
assembly instruction step - step on the current assembly instruction
do p(self, arg)
p - step on the current assembly instruction next - step on the current
assembly instruction step - step on the current assembly instruction
do next(self, arg)
p - step on the current assembly instruction next - step on the current
assembly instruction step - step on the current assembly instruction
do trace(self, arg)
t - trace at the current assembly instruction trace - trace at the current
assembly instruction
do t(self, arg)
t - trace at the current assembly instruction trace - trace at the current
assembly instruction
do bp(self, arg)
[process] bp <address> - set a code breakpoint

588

Methods

Class winappdbg.interactive.ConsoleDebugger

do ba(self, arg)
[thread] ba <a|w|e> <1|2|4|8> <address> - set hardware breakpoint
do bm(self, arg)
[process] bm <address-address> - set memory breakpoint
do bl(self, arg)
bl - list the breakpoints for the current process bl * - list the breakpoints for
all processes [process] bl - list the breakpoints for the given process bl
<process> [process...] - list the breakpoints for each given process
do bo(self, arg)
[process] bo <address> - make a code breakpoint one-shot [thread] bo
<address> - make a hardware breakpoint one-shot [process] bo
<address-address> - make a memory breakpoint one-shot [process] bo
<address> <size> - make a memory breakpoint one-shot
do be(self, arg)
[process] be <address> - enable a code breakpoint [thread] be <address> enable a hardware breakpoint [process] be <address-address> - enable a
memory breakpoint [process] be <address> <size> - enable a memory
breakpoint
do bd(self, arg)
[process] bd <address> - disable a code breakpoint [thread] bd <address> disable a hardware breakpoint [process] bd <address-address> - disable a
memory breakpoint [process] bd <address> <size> - disable a memory
breakpoint
do bc(self, arg)
[process] bc <address> - clear a code breakpoint [thread] bc <address> clear a hardware breakpoint [process] bc <address-address> - clear a memory
breakpoint [process] bc <address> <size> - clear a memory breakpoint
do disassemble(self, arg)
[thread] u [register] - show code disassembly [process] u [address] - show
code disassembly [thread] disassemble [register] - show code disassembly
[process] disassemble [address] - show code disassembly

589

Methods

Class winappdbg.interactive.ConsoleDebugger

do u(self, arg)
[thread] u [register] - show code disassembly [process] u [address] - show
code disassembly [thread] disassemble [register] - show code disassembly
[process] disassemble [address] - show code disassembly
do search(self, arg)
[process] s [address-address] <search string> [process] search
[address-address] <search string>
do s(self, arg)
[process] s [address-address] <search string> [process] search
[address-address] <search string>
do searchhex(self, arg)
[process] sh [address-address] <hexadecimal pattern> [process] searchhex
[address-address] <hexadecimal pattern>
do sh(self, arg)
[process] sh [address-address] <hexadecimal pattern> [process] searchhex
[address-address] <hexadecimal pattern>
do d(self, arg)
[thread] d <register> - show memory contents [thread] d <register-register>
- show memory contents [thread] d <register> <size> - show memory
contents [process] d <address> - show memory contents [process] d
<address-address> - show memory contents [process] d <address> <size> show memory contents
do db(self, arg)
[thread] db <register> - show memory contents as bytes [thread] db
<register-register> - show memory contents as bytes [thread] db <register>
<size> - show memory contents as bytes [process] db <address> - show
memory contents as bytes [process] db <address-address> - show memory
contents as bytes [process] db <address> <size> - show memory contents as
bytes

590

Methods

Class winappdbg.interactive.ConsoleDebugger

do dw(self, arg)
[thread] dw <register> - show memory contents as words [thread] dw
<register-register> - show memory contents as words [thread] dw <register>
<size> - show memory contents as words [process] dw <address> - show
memory contents as words [process] dw <address-address> - show memory
contents as words [process] dw <address> <size> - show memory contents as
words
do dd(self, arg)
[thread] dd <register> - show memory contents as dwords [thread] dd
<register-register> - show memory contents as dwords [thread] dd
<register> <size> - show memory contents as dwords [process] dd
<address> - show memory contents as dwords [process] dd
<address-address> - show memory contents as dwords [process] dd
<address> <size> - show memory contents as dwords
do dq(self, arg)
[thread] dq <register> - show memory contents as qwords [thread] dq
<register-register> - show memory contents as qwords [thread] dq
<register> <size> - show memory contents as qwords [process] dq
<address> - show memory contents as qwords [process] dq
<address-address> - show memory contents as qwords [process] dq
<address> <size> - show memory contents as qwords
do ds(self, arg)
[thread] ds <register> - show memory contents as ANSI string [process] ds
<address> - show memory contents as ANSI string
do du(self, arg)
[thread] du <register> - show memory contents as Unicode string [process]
du <address> - show memory contents as Unicode string
do register(self, arg)
[thread] r - print the value of all registers [thread] r <register> - print the
value of a register [thread] r <register>=<value> - change the value of a
register [thread] register - print the value of all registers [thread] register
<register> - print the value of a register [thread] register
<register>=<value> - change the value of a register

591

Methods

Class winappdbg.interactive.ConsoleDebugger

do r(self, arg)
[thread] r - print the value of all registers [thread] r <register> - print the
value of a register [thread] r <register>=<value> - change the value of a
register [thread] register - print the value of all registers [thread] register
<register> - print the value of a register [thread] register
<register>=<value> - change the value of a register
do eb(self, arg)
[process] eb <address> <data> - write the data to the specified address
do find(self, arg)
[process] f <string> - find the string in the process memory [process] find
<string> - find the string in the process memory
do f (self, arg)
[process] f <string> - find the string in the process memory [process] find
<string> - find the string in the process memory
do memory(self, arg)
[process] m - show the process memory map [process] memory - show the
process memory map
do m(self, arg)
[process] m - show the process memory map [process] memory - show the
process memory map
event(self, event)
exception(self, event)
breakpoint(self, event)
wow64 breakpoint(self, event)
single step(self, event)
ms vc exception(self, event)

592

Properties

Class winappdbg.interactive.ConsoleDebugger

create process(self, event)


exit process(self, event)
create thread(self, event)
exit thread(self, event)
load dll(self, event)
unload dll(self, event)
output string(self, event)
load history(self )
save history(self )
loop(self )
call (self, event)
Dispatch debug events.
Parameters
event: Event object.
(type=Event)
Warning: Dont override this method!
Inherited from cmd.Cmd
cmdloop(), columnize(), complete(), complete help(), completedefault(), completenames(), default(), emptyline(), onecmd(), postloop(), precmd(), print topics()
Inherited from object
delattr (), format (), getattribute (), hash (), new (), reduce (), reduce ex (),
repr (), setattr (), sizeof (), str (), subclasshook ()
100.2

Properties

593

Class Variables

Class winappdbg.interactive.ConsoleDebugger

Name
lastEvent
prompt
lastcmd
Inherited from object
class

100.3

Description

Class Variables

Name
dwMilliseconds
history file
confirm quit
valid plugin name chars
segment names
register alias 64 to 32
register alias 64 to 16
register alias 64 to 8 low
register alias 64 to 8 high
register alias 32 to 16
register alias 32 to 8 low
register alias 32 to 8 high
register aliases full 32
register aliases full 64
jump instructions
call instructions
loop instructions
control flow instructions
doc header

Description

Value: 100
Value: .winappdbg history
Value: True
Value:
ABCDEFGHIJKLMNOPQRSTUVWXYabcdefghijklmnopqrstuvwxy012345..
Value: (cs, ds, es, fs, gs)
Value: {eax: Rax, ebp: Rbp,
ebx: Rbx, ecx: Rcx, ...
Value: {ax: Rax, bx: Rbx,
cx: Rcx, dx: Rdx}
Value: {al: Rax, bl: Rbx,
cl: Rcx, dl: Rdx}
Value: {ah: Rax, bh: Rbx,
ch: Rcx, dh: Rdx}
Value: {ax: Eax, bx: Ebx,
cx: Ecx, dx: Edx}
Value: {al: Eax, bl: Ebx,
cl: Ecx, dl: Edx}
Value: {ah: Eax, bh: Ebx,
ch: Ecx, dh: Edx}
Value: (cs, ds, es, fs, gs,
ax, cx, bx, dx, b...
Value: (cs, ds, es, fs, gs,
eax, edi, ebp, eip...
Value: (jmp, jecxz, jcxz, ja,
jnbe, jae, jnb, jb...
Value: (call, ret, retn)
Value: (loop, loopz, loopnz,
loope, loopne)
Value: (call, ret, retn, loop,
loopz, loopnz, loope...
Value: Available commands (type help *
or help <command>)
continued on next page

594

Class Variables

Class winappdbg.interactive.ConsoleDebugger

Name

Description
continued on next page

595

Class Variables

Class winappdbg.interactive.ConsoleDebugger

Name
apiHooks

Description
Dictionary that maps module names to lists of
tuples of ( procedure name, parameter count ).
All procedures listed here will be hooked for
calls from the debugee. When this happens, the
corresponding event handler can be notified
both when the procedure is entered and when
its left by the debugee.
For example, lets hook the LoadLibraryEx()
API call. This would be the declaration of
apiHooks:
from winappdbg import EventHandler
from winappdbg.win32 import *
# (...)
class MyEventHandler (EventHandler):
apiHook = {
"kernel32.dll" : (
#
(

Procedure name
"LoadLibraryEx",

Signature
(PVOID, HANDLE, DWOR

# (more procedures can go here...)


),
# (more libraries can go here...)
}

# (your method definitions go here...)


Note that all pointer types are treated like void pointers, so your callback
won't get the string or structure pointed to by it, but the remote memory
address instead. This is done to prevent the ctypes library from being too
helpful and trying to dereference the pointer. To get the actual data being
pointed to, use one of the Process.read methods.
Now, to intercept calls to LoadLibraryEx define a method like this in your
event handler class:

    # One parameter per entry of the (PVOID, HANDLE, DWORD) signature above.
    def pre_LoadLibraryEx(self, event, ra, lpFilename, hFile, dwFlags):
        szFilename = event.get_process().peek_string(lpFilename)

        # (...)

Note that the first parameter is always the Event object, and the second
parameter is the return address. The third parameter and above are the values
passed to the hooked function.

Inherited from cmd.Cmd
doc_leader, identchars, intro, misc_header, nohelp, ruler, undoc_header,
use_rawinput

101 Class winappdbg.module.DebugSymbolsWarning
object
exceptions.BaseException
exceptions.Exception
exceptions.Warning
exceptions.UserWarning
winappdbg.module.DebugSymbolsWarning
This warning is issued if the support for debug symbols isn't working properly.
101.1 Methods
Inherited from exceptions.UserWarning
__init__(), __new__()
Inherited from exceptions.BaseException
__delattr__(), __getattribute__(), __getitem__(), __getslice__(), __reduce__(),
__repr__(), __setattr__(), __setstate__(), __str__(), __unicode__()
Inherited from object
__format__(), __hash__(), __reduce_ex__(), __sizeof__(), __subclasshook__()
101.2 Properties
Name
Description
Inherited from exceptions.BaseException
args, message
Inherited from object
__class__

102 Class winappdbg.module.Module
object
winappdbg.module.Module
Interface to a DLL library loaded in the context of another process.
102.1 Methods

__init__(self, lpBaseOfDll, hFile=None, fileName=None, SizeOfImage=None,
EntryPoint=None, process=None)
x.__init__(...) initializes x; see help(type(x)) for signature
Parameters
lpBaseOfDll: Base address of the module.
(type=str)
hFile: (Optional) Handle to the module file.
(type=FileHandle)
fileName: (Optional) Module filename.
(type=str)
SizeOfImage: (Optional) Size of the module.
(type=int)
EntryPoint: (Optional) Entry point of the module.
(type=int)
process: (Optional) Process where the module is loaded.
(type=Process)
Overrides: object.__init__
Inherited from object
__delattr__(), __format__(), __getattribute__(), __hash__(), __new__(), __reduce__(), __reduce_ex__(),
__repr__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()
Properties

set_handle(self, hFile)
Parameters
hFile: File handle. Use None to clear.
(type=Handle)
get_process(self)
Return Value
Parent Process object. Returns None if unknown.
(type=Process)
set_process(self, process=None)
Manually set the parent process. Use with care!
Parameters
process: (Optional) Process object. Use None for no process.
(type=Process)
get_pid(self)
Return Value
Parent process global ID. Returns None on error.
(type=int or None)
get_base(self)
Return Value
Base address of the module. Returns None if unknown.
(type=int or None)
get_size(self)
Return Value
Base size of the module. Returns None if unknown.
(type=int or None)
get_entry_point(self)
Return Value
Entry point of the module. Returns None if unknown.
(type=int or None)

get_filename(self)
Return Value
Module filename. Returns None if unknown.
(type=str or None)
get_name(self)
Return Value
Module name, as used in labels.
(type=str)
Warning: Names are NOT guaranteed to be unique.
If you need unique identification for a loaded module, use the base address
instead.
See Also: get_label
open_handle(self)
Opens a new handle to the module.
The new handle is stored in the hFile property.
close_handle(self)
Closes the handle to the module.
Note: Normally you don't need to call this method. All handles created by
WinAppDbg are automatically closed when the garbage collector claims them.
So unless you've been tinkering with it, setting hFile to None should be
enough.
get_handle(self)
Return Value
Handle to the module file.
(type=FileHandle)
Labels
match_name(self, name)
Return Value
True if the given name could refer to this module. It may not be
exactly the same returned by get_name.
(type=bool)
get_label(self, function=None, offset=None)
Retrieves the label for the given function of this module or the module base
address if no function name is given.
Parameters
function: (Optional) Exported function name.
(type=str)
offset: (Optional) Offset from the module base address.
(type=int)
Return Value
Label for the module base address, plus the offset if given.
(type=str)
get_label_at_address(self, address, offset=None)
Creates a label from the given memory address.
If the address belongs to the module, the label is made relative to its base
address.
Parameters
address: Memory address.
(type=int)
offset: (Optional) Offset value.
(type=None or int)
Return Value
Label pointing to the given address.
(type=str)
is_address_here(self, address)
Tries to determine if the given address belongs to this module.
Parameters
address: Memory address.
(type=int)
Return Value
True if the address belongs to the module, False if it doesn't, and
None if it can't be determined.
(type=bool or None)

resolve(self, function)
Resolves a function exported by this module.
Parameters
function: str: Name of the function. int: Ordinal of the function.
(type=str or int)
Return Value
Memory address of the exported function in the process. Returns
None on error.
(type=int)
resolve_label(self, label)
Resolves a label for this module only. If the label refers to another module, an
exception is raised.
Parameters
label: Label to resolve.
(type=str)
Return Value
Memory address pointed to by the label.
(type=int)
Raises
ValueError The label is malformed or impossible to resolve.
RuntimeError Cannot resolve the module or function.
Symbols
load_symbols(self)
Loads the debugging symbols for a module. Automatically called by
get_symbols.
unload_symbols(self)
Unloads the debugging symbols for a module.

get_symbols(self)
Returns the debugging symbols for a module. The symbols are automatically
loaded when needed.
Return Value
List of symbols. Each symbol is represented by a tuple that contains:
Symbol name
Symbol memory address
Symbol size in bytes
(type=list of tuple( str, int, int ))
iter_symbols(self)
Returns an iterator for the debugging symbols in a module, in no particular
order. The symbols are automatically loaded when needed.
Return Value
Iterator of symbols. Each symbol is represented by a tuple that
contains:
Symbol name
Symbol memory address
Symbol size in bytes
(type=iterator of tuple( str, int, int ))
resolve_symbol(self, symbol, bCaseSensitive=False)
Resolves a debugging symbol's address.
Parameters
symbol: Name of the symbol to resolve.
(type=str)
bCaseSensitive: True for case sensitive matches, False for case
insensitive.
(type=bool)
Return Value
Memory address of symbol. None if not found.
(type=int or None)

get_symbol_at_address(self, address)
Tries to find the closest matching symbol for the given address.
Parameters
address: Memory address to query.
(type=int)
Return Value
Returns a tuple consisting of:
Name
Address
Size (in bytes)
Returns None if no symbol could be matched.
(type=None or tuple( str, int, int ))
Modules snapshot
clear(self)
Clears the resources held by this object.
102.2 Properties
Name
Description
Inherited from object
__class__
102.3 Class Variables
Name
Description
unknown
Suggested tag for unknown modules.
Value: <unknown> (type=str)
102.4 Instance Variables
Name
Description
hFile
process
EntryPoint
Entry point of the module. Use get_entry_point instead.
(type=int)
SizeOfImage
Size of the module. Use get_size instead.
(type=int)
fileName
Module filename. Use get_filename instead.
(type=str)
lpBaseOfDll
Base of DLL module. Use get_base instead.
(type=int)

103 Class winappdbg.process.Process
object
winappdbg.thread._ThreadContainer
object
winappdbg.module._ModuleContainer
winappdbg.process.Process
Interface to a process. Contains threads and modules snapshots.
103.1 Methods
__init__(self, dwProcessId, hProcess=None, fileName=None)
x.__init__(...) initializes x; see help(type(x)) for signature
Parameters
dwProcessId: Global process ID.
(type=int)
hProcess: Handle to the process.
(type=ProcessHandle)
fileName: (Optional) Filename of the main module.
(type=str)
Overrides: object.__init__
Inherited from object
__delattr__(), __format__(), __getattribute__(), __hash__(), __new__(), __reduce__(), __reduce_ex__(),
__repr__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()
Properties
get_pid(self)
Return Value
Process global ID.
(type=int)

get_filename(self)
Return Value
Filename of the main module of the process.
(type=str)
open_handle(self, dwDesiredAccess=2097151)
Opens a new handle to the process.
The new handle is stored in the hProcess property.
Parameters
dwDesiredAccess: Desired access rights. Defaults to
win32.PROCESS_ALL_ACCESS. See:
http://msdn.microsoft.com/en-us/library/windows/desktop/ms684880(v=vs
(type=int)
Raises
WindowsError It's not possible to open a handle to the process with
the requested access rights. This typically happens because the
target process is a system process and the debugger is not
running with administrative rights.
Warning: Normally you should call get_handle instead, since it's much
smarter and tries to reuse handles and merge access rights.
close_handle(self)
Closes the handle to the process.
Note: Normally you don't need to call this method. All handles created by
WinAppDbg are automatically closed when the garbage collector claims them.
So unless you've been tinkering with it, setting hProcess to None should be
enough.

get_handle(self, dwDesiredAccess=2097151)
Returns a handle to the process with at least the access rights requested.
Parameters
dwDesiredAccess: Desired access rights. Defaults to
win32.PROCESS_ALL_ACCESS. See:
http://msdn.microsoft.com/en-us/library/windows/desktop/ms684880(v=vs
(type=int)
Return Value
Handle to the process.
(type=ProcessHandle)
Raises
WindowsError It's not possible to open a handle to the process with
the requested access rights. This typically happens because the
target process is a system process and the debugger is not
running with administrative rights.
Note: If a handle was previously opened and has the required access rights,
it's reused. If not, a new handle is opened with the combination of the old and
new access rights.
is_debugged(self)
Tries to determine if the process is being debugged by another process. It may
detect other debuggers besides WinAppDbg.
Return Value
True if the process has a debugger attached.
(type=bool)
Warning: May return inaccurate results when some anti-debug techniques
are used by the target process.
Note: To know if a process is currently being debugged by a Debug object, call
Debug.is_debugee instead.
is_alive(self)
Return Value
True if the process is currently running.
(type=bool)

get_exit_code(self)
Return Value
Process exit code, or STILL_ACTIVE if it's still alive.
(type=int)
Warning: If a process returns STILL_ACTIVE as its exit code, you may not be
able to determine if it's active or not with this method. Use is_alive to check
if the process is still active. Alternatively you can call get_handle to get the
handle object and then ProcessHandle.wait on it to wait until the process
finishes running.
is_wow64(self)
Determines if the process is running under WOW64.
Return Value
True if the process is running under WOW64. That is, a 32-bit
application running in a 64-bit Windows.
False if the process is either a 32-bit application running in a 32-bit
Windows, or a 64-bit application running in a 64-bit Windows.
(type=bool)
Raises
WindowsError On error an exception is raised.
See Also: http://msdn.microsoft.com/en-us/library/aa384249(VS.85).aspx
get_arch(self)
Return Value
The architecture in which this process believes to be running. For
example, if running a 32 bit binary in a 64 bit machine, the
architecture returned by this method will be win32.ARCH_I386, but
the value of System.arch will be win32.ARCH_AMD64.
(type=str)
get_bits(self)
Return Value
The number of bits in which this process believes to be running. For
example, if running a 32 bit binary in a 64 bit machine, the number
of bits returned by this method will be 32, but the value of
System.arch will be 64.
(type=str)

get_start_time(self)
Determines when this process started running.
Return Value
Process start time.
(type=win32.SYSTEMTIME)
get_exit_time(self)
Determines when this process finished running. If the process is still alive,
the current time is returned instead.
Return Value
Process exit time.
(type=win32.SYSTEMTIME)
get_running_time(self)
Determines how long this process has been running.
Return Value
Process running time in milliseconds.
(type=long)
get_services(self)
Retrieves the list of system services that are currently running in this process.
Return Value
List of service status descriptors.
(type=list( win32.ServiceStatusProcessEntry ))
See Also: System.get_services

get_dep_policy(self)
Retrieves the DEP (Data Execution Prevention) policy for this process.
Return Value
The first member of the tuple is the DEP flags. It can be a
combination of the following values:
0: DEP is disabled for this process.
1: DEP is enabled for this process. (PROCESS_DEP_ENABLE)
2: DEP-ATL thunk emulation is disabled for this process.
(PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION)
The second member of the tuple is the permanent flag. If TRUE the
DEP settings cannot be changed at runtime for this process.
(type=tuple(int, int))
Raises
WindowsError On error an exception is raised.
Note: This method is only available in Windows XP SP3 and above, and only
for 32 bit processes. It will fail in any other circumstance.
See Also: http://msdn.microsoft.com/en-us/library/bb736297(v=vs.85).aspx
get_peb(self)
Returns a copy of the PEB. To dereference pointers in it call
Process.read_structure.
Return Value
PEB structure.
(type=win32.PEB)
Raises
WindowsError An exception is raised on error.
get_peb_address(self)
Returns a remote pointer to the PEB.
Return Value
Remote pointer to the win32.PEB structure. Returns None on error.
(type=int)

get_entry_point(self)
Alias to process.get_main_module().get_entry_point().
Return Value
Address of the entry point of the main module.
(type=int)
get_main_module(self)
Return Value
Module object for the process main module.
(type=Module)
get_image_base(self)
Return Value
Image base address for the process main module.
(type=int)
get_image_name(self)
Return Value
Filename of the process main module.
This method does its best to retrieve the filename. However
sometimes this is not possible, so None may be returned instead.
(type=int)
get_command_line_block(self)
Retrieves the command line block memory address and size.
Return Value
Tuple with the memory address of the command line block and its
maximum size in Unicode characters.
(type=tuple(int, int))
Raises
WindowsError On error an exception is raised.

get_environment_block(self)
Retrieves the environment block memory address for the process.
Return Value
Tuple with the memory address of the environment block and its
size.
(type=tuple(int, int))
Raises
WindowsError On error an exception is raised.
Note: The size is always enough to contain the environment data, but it may
not be an exact size. It's best to read the memory and scan for two null wide
chars to find the actual size.
get_command_line(self)
Retrieves the command line with which the program was started.
Return Value
Command line string.
(type=str)
Raises
WindowsError On error an exception is raised.
get_environment_variables(self)
Retrieves the environment variables with which the program is running.
Return Value
Environment keys and values as found in the process memory.
(type=list of tuple(unicode, unicode))
Raises
WindowsError On error an exception is raised.

get_environment(self, fUnicode=None)
Retrieves the environment with which the program is running.
Parameters
fUnicode: True to return a list of Unicode strings, False to return
a list of ANSI strings, or None to return whatever the
default is for string types.
(type=bool or None)
Return Value
Dictionary of environment keys and values.
(type=dict(str str))
Raises
WindowsError On error an exception is raised.
Note: Duplicated keys are joined using null characters. To avoid this
behavior, call get_environment_variables instead and convert the results to
a dictionary directly, like this:
    dict(process.get_environment_variables())
See Also: win32.GuessStringType
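The block layout that get_environment_block describes (double-NUL-terminated UTF-16LE strings inside an inexact size) and the duplicate-key behaviour of get_environment, shown by an added example that is not code from the WinAppDbg reference or library: a pure-Python parser run over a constructed block. TERMINATOR, find_environment_size, parse_environment_variables, environment_dict and build_environment_block are hypothetical helper names introduced here.

```python
# Added example, not WinAppDbg code: a pure-Python parser for an environment
# block laid out as get_environment_block() describes it (UTF-16LE "KEY=VALUE"
# strings, each NUL-terminated, the whole block ended by two NUL wide chars).
# It reproduces get_environment_variables() (list of tuples, in memory order)
# and get_environment() (dict; duplicated keys joined with null characters).

TERMINATOR = b"\x00\x00\x00\x00"     # two NUL wide chars


def find_environment_size(block):
    """Bytes actually used by the environment data, terminator included.

    The size reported by get_environment_block() is only an upper bound, so
    we scan for the double NUL wide char on an even (code unit) boundary.
    """
    for i in range(0, len(block) - 3, 2):
        if block[i:i + 4] == TERMINATOR:
            return i + 4
    raise ValueError("environment block is not double-NUL terminated")


def parse_environment_variables(block):
    """Return [(key, value), ...] in memory order; duplicate keys are kept.

    Hidden variables such as '=C:=C:\\' start with '=', so the split is
    made at the first '=' after position 0.
    """
    used = find_environment_size(block)
    text = block[:used - 4].decode("utf-16-le")   # drop the terminator
    entries = []
    for item in text.split("\x00"):
        if not item:                      # only the empty block yields this
            continue
        sep = item.find("=", 1)
        if sep == -1:                     # malformed entry: keep it, no value
            sep = len(item)
        entries.append((item[:sep], item[sep + 1:]))
    return entries


def environment_dict(entries):
    """Merge like get_environment(): duplicated keys are joined with NUL."""
    env = {}
    for key, value in entries:
        env[key] = env[key] + "\x00" + value if key in env else value
    return env


def build_environment_block(entries, slack=16):
    """Constructed input only: encode entries as a block and pad it with junk
    so that, like a real process, the reported size is not exact."""
    body = "".join("%s=%s\x00" % kv for kv in entries) + "\x00"
    return body.encode("utf-16-le") + b"\xcc" * slack


# Constructed sample (not captured from a real process): a hidden '=C:'
# variable, an empty value and a duplicated PATH.
SAMPLE_ENTRIES = [
    ("=C:", "C:\\Users\\demo"),
    ("PATH", "C:\\Windows\\system32"),
    ("TEMP", ""),
    ("PATH", "C:\\Tools"),
]
SAMPLE_BLOCK = build_environment_block(SAMPLE_ENTRIES)

if __name__ == "__main__":
    variables = parse_environment_variables(SAMPLE_BLOCK)
    print("joined (get_environment style):", environment_dict(variables)["PATH"])
    print("last one wins (dict(...) style):", dict(variables)["PATH"])
```

With a real target, the block bytes would come from reading get_environment_block()'s address with a Process.read method; everything else stays the same.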
Instrumentation
wait(self, dwTimeout=None)
Waits for the process to finish executing.
Raises
WindowsError On error an exception is raised.
kill(self, dwExitCode=0)
Terminates the execution of the process.
Raises
WindowsError On error an exception is raised.
suspend(self)
Suspends execution on all threads of the process.
Raises
WindowsError On error an exception is raised.

resume(self)
Resumes execution on all threads of the process.
Raises
WindowsError On error an exception is raised.
inject_code(self, payload, lpParameter=0)
Injects relocatable code into the process memory and executes it.
Parameters
payload: Relocatable code to run in a new thread.
(type=str)
lpParameter: (Optional) Parameter to be pushed in the stack.
(type=int)
Return Value
The injected Thread object and the memory address where the code
was written.
(type=tuple( Thread, int ))
Raises
WindowsError An exception is raised on error.
Warning: Don't forget to free the memory when you're done with it!
Otherwise you'll be leaking memory in the target process.
See Also: inject_dll

inject_dll(self, dllname, procname=None, lpParameter=0, bWait=True,
dwTimeout=None)
Injects a DLL into the process memory.
Parameters
dllname: Name of the DLL module to load.
(type=str)
procname: (Optional) Procedure to call when the DLL is loaded.
(type=str)
lpParameter: (Optional) Parameter to the procname procedure.
(type=int)
bWait: True to wait for the process to finish. False to
return immediately.
(type=bool)
dwTimeout: (Optional) Timeout value in milliseconds. Ignored if
bWait is False.
(type=int)
Return Value
Newly created thread object. If bWait is set to True the thread will
be dead, otherwise it will be alive.
(type=Thread)
Raises
NotImplementedError The target platform is not supported.
Currently calling a procedure in the library is only supported in
the i386 architecture.
WindowsError An exception is raised on error.
Warnings:
Setting bWait to True when the process is frozen by a debug
event will cause a deadlock in your debugger.
This involves allocating memory in the target process. This is
how the freeing of this memory is handled:
If the bWait flag is set to True the memory will be freed
automatically before returning from this method.
If the bWait flag is set to False, the memory address is set
as the Thread.pInjectedMemory property of the returned
thread object.
Debug objects free Thread.pInjectedMemory automatically
both when it detaches from a process and when the injected
thread finishes its execution.
The Thread.kill method also frees
Thread.pInjectedMemory automatically, even if you're not
attached to the process.
You could still be leaking memory if not careful. For example, if
you inject a dll into a process you're not attached to, you don't

clean_exit(self, dwExitCode=0, bWait=False, dwTimeout=None)
Injects a new thread to call ExitProcess(). Optionally waits for the injected
thread to finish.
Parameters
dwExitCode: Process exit code.
(type=int)
bWait: True to wait for the process to finish. False to return
immediately.
(type=bool)
dwTimeout: (Optional) Timeout value in milliseconds. Ignored if
bWait is False.
(type=int)
Raises
WindowsError An exception is raised on error.
Warning: Setting bWait to True when the process is frozen by a debug event
will cause a deadlock in your debugger.
Inherited from winappdbg.thread._ThreadContainer
start_thread()
Disassembly

disassemble_string(self, lpAddress, code)
Disassemble instructions from a block of binary code.
Parameters
lpAddress: Memory address where the code was read from.
(type=int)
code: Binary code to disassemble.
(type=str)
Return Value
List of tuples. Each tuple represents an assembly instruction and
contains:
Memory address of instruction.
Size of instruction in bytes.
Disassembly line of instruction.
Hexadecimal dump of instruction.
(type=list of tuple( long, int, str, str ))
Raises
NotImplementedError No compatible disassembler was found for
the current platform.
disassemble(self, lpAddress, dwSize)
Disassemble instructions from the address space of the process.
Parameters
lpAddress: Memory address where to read the code from.
(type=int)
dwSize: Size of binary code to disassemble.
(type=int)
Return Value
List of tuples. Each tuple represents an assembly instruction and
contains:
Memory address of instruction.
Size of instruction in bytes.
Disassembly line of instruction.
Hexadecimal dump of instruction.
(type=list of tuple( long, int, str, str ))

disassemble_around(self, lpAddress, dwSize=64)
Disassemble around the given address.
Parameters
lpAddress: Memory address where to read the code from.
(type=int)
dwSize: Delta offset. Code will be read from lpAddress - dwSize
to lpAddress + dwSize.
(type=int)
Return Value
List of tuples. Each tuple represents an assembly instruction and
contains:
Memory address of instruction.
Size of instruction in bytes.
Disassembly line of instruction.
Hexadecimal dump of instruction.
(type=list of tuple( long, int, str, str ))
disassemble_around_pc(self, dwThreadId, dwSize=64)
Disassemble around the program counter of the given thread.
Parameters
dwThreadId: Global thread ID. The program counter for this thread
will be used as the disassembly address.
(type=int)
dwSize: Delta offset. Code will be read from pc - dwSize to pc
+ dwSize.
(type=int)
Return Value
List of tuples. Each tuple represents an assembly instruction and
contains:
Memory address of instruction.
Size of instruction in bytes.
Disassembly line of instruction.
Hexadecimal dump of instruction.
(type=list of tuple( long, int, str, str ))

disassemble_instruction(self, lpAddress)
Disassemble the instruction at the given memory address.
Parameters
lpAddress: Memory address where to read the code from.
(type=int)
Return Value
The tuple represents an assembly instruction and contains:
Memory address of instruction.
Size of instruction in bytes.
Disassembly line of instruction.
Hexadecimal dump of instruction.
(type=tuple( long, int, str, str ))
disassemble_current(self, dwThreadId)
Disassemble the instruction at the program counter of the given thread.
Parameters
dwThreadId: Global thread ID. The program counter for this thread
will be used as the disassembly address.
(type=int)
Return Value
The tuple represents an assembly instruction and contains:
Memory address of instruction.
Size of instruction in bytes.
Disassembly line of instruction.
Hexadecimal dump of instruction.
(type=tuple( long, int, str, str ))
Debugging
flush_instruction_cache(self)
Flush the instruction cache. This is required if the process memory is modified
and one or more threads are executing nearby the modified memory region.
Raises
WindowsError Raises exception on error.
See Also:
http://blogs.msdn.com/oldnewthing/archive/2003/12/08/55954.aspx#55958

debug_break(self)
Triggers the system breakpoint in the process.
Raises
WindowsError On error an exception is raised.
peek_pointers_in_data(self, data, peekSize=16, peekStep=1)
Tries to guess which values in the given data are valid pointers, and reads
some data from them.
Parameters
data: Binary data to find pointers in.
(type=str)
peekSize: Number of bytes to read from each pointer found.
(type=int)
peekStep: Expected data alignment. Typically you specify 1 when
data alignment is unknown, or 4 when you expect data to
be DWORD aligned. Any other value may be specified.
(type=int)
Return Value
Dictionary mapping stack offsets to the data they point to.
(type=dict( str str ))
See Also: peek
Inherited from winappdbg.module._ModuleContainer
get_break_on_error_ptr(), get_breakin_breakpoint(), get_system_breakpoint(), get_user_breakpoint(),
get_wow64_breakin_breakpoint(), get_wow64_system_breakpoint(), get_wow64_user_breakpoint(),
is_system_defined_breakpoint()
Memory mapping

is_pointer(self, address)
Determines if an address is a valid code or data pointer.
That is, the address must be valid and must point to code or data in the
target process.
Parameters
address: Memory address to query.
(type=int)
Return Value
True if the address is a valid code or data pointer.
(type=bool)
Raises
WindowsError An exception is raised on error.
is_address_valid(self, address)
Determines if an address is a valid user mode address.
Parameters
address: Memory address to query.
(type=int)
Return Value
True if the address is a valid user mode address.
(type=bool)
Raises
WindowsError An exception is raised on error.
is_address_free(self, address)
Determines if an address belongs to a free page.
Parameters
address: Memory address to query.
(type=int)
Return Value
True if the address belongs to a free page.
(type=bool)
Raises
WindowsError An exception is raised on error.
Note: Always returns False for kernel mode addresses.

is_address_reserved(self, address)
Determines if an address belongs to a reserved page.
Parameters
address: Memory address to query.
(type=int)
Return Value
True if the address belongs to a reserved page.
(type=bool)
Raises
WindowsError An exception is raised on error.
Note: Always returns False for kernel mode addresses.
is_address_commited(self, address)
Determines if an address belongs to a committed page.
Parameters
address: Memory address to query.
(type=int)
Return Value
True if the address belongs to a committed page.
(type=bool)
Raises
WindowsError An exception is raised on error.
Note: Always returns False for kernel mode addresses.
is_address_guard(self, address)
Determines if an address belongs to a guard page.
Parameters
address: Memory address to query.
(type=int)
Return Value
True if the address belongs to a guard page.
(type=bool)
Raises
WindowsError An exception is raised on error.
Note: Always returns False for kernel mode addresses.

is_address_readable(self, address)
Determines if an address belongs to a committed and readable page. The page
may or may not have additional permissions.
Parameters
address: Memory address to query.
(type=int)
Return Value
True if the address belongs to a committed and readable page.
(type=bool)
Raises
WindowsError An exception is raised on error.
Note: Always returns False for kernel mode addresses.
is_address_writeable(self, address)
Determines if an address belongs to a committed and writeable page. The page
may or may not have additional permissions.
Parameters
address: Memory address to query.
(type=int)
Return Value
True if the address belongs to a committed and writeable page.
(type=bool)
Raises
WindowsError An exception is raised on error.
Note: Always returns False for kernel mode addresses.

is_address_copy_on_write(self, address)
Determines if an address belongs to a committed, copy-on-write page. The
page may or may not have additional permissions.
Parameters
address: Memory address to query.
(type=int)
Return Value
True if the address belongs to a committed, copy-on-write page.
(type=bool)
Raises
WindowsError An exception is raised on error.
Note: Always returns False for kernel mode addresses.
is_address_executable(self, address)
Determines if an address belongs to a committed and executable page. The
page may or may not have additional permissions.
Parameters
address: Memory address to query.
(type=int)
Return Value
True if the address belongs to a committed and executable page.
(type=bool)
Raises
WindowsError An exception is raised on error.
Note: Always returns False for kernel mode addresses.

is_address_executable_and_writeable(self, address)
Determines if an address belongs to a committed, writeable and executable
page. The page may or may not have additional permissions.
Looking for writeable and executable pages is important when exploiting a
software vulnerability.
Parameters
address: Memory address to query.
(type=int)
Return Value
True if the address belongs to a committed, writeable and executable
page.
(type=bool)
Raises
WindowsError An exception is raised on error.
Note: Always returns False for kernel mode addresses.
is_buffer(self, address, size)
Determines if the given memory area is a valid code or data buffer.
Parameters
address: Memory address.
(type=int)
size: Number of bytes. Must be greater than zero.
(type=int)
Return Value
True if the memory area is a valid code or data buffer, False
otherwise.
(type=bool)
Raises
ValueError The size argument must be greater than zero.
WindowsError On error an exception is raised.
Note: Always returns False for kernel mode addresses.
See Also: mquery

is_buffer_readable(self, address, size)
Determines if the given memory area is readable.
Parameters
address: Memory address.
(type=int)
size: Number of bytes. Must be greater than zero.
(type=int)
Return Value
True if the memory area is readable, False otherwise.
(type=bool)
Raises
ValueError The size argument must be greater than zero.
WindowsError On error an exception is raised.
Note: Always returns False for kernel mode addresses.
See Also: mquery
is_buffer_writeable(self, address, size)
Determines if the given memory area is writeable.
Parameters
address: Memory address.
(type=int)
size: Number of bytes. Must be greater than zero.
(type=int)
Return Value
True if the memory area is writeable, False otherwise.
(type=bool)
Raises
ValueError The size argument must be greater than zero.
WindowsError On error an exception is raised.
Note: Always returns False for kernel mode addresses.
See Also: mquery

is_buffer_copy_on_write(self, address, size)
Determines if the given memory area is marked as copy-on-write.
Parameters
address: Memory address.
(type=int)
size: Number of bytes. Must be greater than zero.
(type=int)
Return Value
True if the memory area is marked as copy-on-write, False
otherwise.
(type=bool)
Raises
ValueError The size argument must be greater than zero.
WindowsError On error an exception is raised.
Note: Always returns False for kernel mode addresses.
See Also: mquery
is_buffer_executable(self, address, size)
Determines if the given memory area is executable.
Parameters
address: Memory address.
(type=int)
size: Number of bytes. Must be greater than zero.
(type=int)
Return Value
True if the memory area is executable, False otherwise.
(type=bool)
Raises
ValueError The size argument must be greater than zero.
WindowsError On error an exception is raised.
Note: Always returns False for kernel mode addresses.
See Also: mquery

is_buffer_executable_and_writeable(self, address, size)
Determines if the given memory area is writeable and executable.
Looking for writeable and executable pages is important when exploiting a
software vulnerability.
Parameters
address: Memory address.
(type=int)
size: Number of bytes. Must be greater than zero.
(type=int)
Return Value
True if the memory area is writeable and executable, False
otherwise.
(type=bool)
Raises
ValueError The size argument must be greater than zero.
WindowsError On error an exception is raised.
Note: Always returns False for kernel mode addresses.
See Also: mquery
get_memory_map(self, minAddr=None, maxAddr=None)
Produces a memory map of the process address space.
Optionally restrict the map to the given address range.
Parameters
minAddr: (Optional) Starting address in address range to query.
(type=int)
maxAddr: (Optional) Ending address in address range to query.
(type=int)
Return Value
List of memory region information objects.
(type=list( win32.MemoryBasicInformation ))
See Also: mquery

generate_memory_map(self, minAddr=None, maxAddr=None)
Returns a Regenerator that can iterate indefinitely over the memory map of the process address space.
Optionally restrict the map to the given address range.
Parameters
minAddr: (Optional) Starting address in address range to query. (type=int)
maxAddr: (Optional) Ending address in address range to query. (type=int)
Return Value
Regenerator of memory region information objects. (type=Regenerator of win32.MemoryBasicInformation)
See Also: mquery

iter_memory_map(self, minAddr=None, maxAddr=None)
Produces an iterator over the memory map of the process address space.
Optionally restrict the map to the given address range.
Parameters
minAddr: (Optional) Starting address in address range to query. (type=int)
maxAddr: (Optional) Ending address in address range to query. (type=int)
Return Value
Iterator of memory region information objects. (type=iterator of win32.MemoryBasicInformation)
See Also: mquery
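The is_buffer_* checks and the memory map methods above all work on MEMORY_BASIC_INFORMATION regions, and a buffer can span several of them. The following added example (stand-alone Python 3, not WinAppDbg's code) models those checks over a constructed memory map: a range passes only if every region it touches passes, an unmapped gap or a guard page fails it, and the same region walk lists regions that are both writeable and executable, which is what a defender scanning a process for injected code wants flagged. The constants are the winnt.h values; MAX_USER_ADDRESS (the 32-bit user-mode ceiling without /3GB) and SAMPLE_MAP are assumptions.

```python
"""Protection checks over a process memory map, modelled on MEMORY_BASIC_INFORMATION.
Added example in stand-alone Python 3, not WinAppDbg code: the map is a constructed
list of regions standing in for what VirtualQueryEx (mquery) returns."""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple

# Memory state and protection constants, as defined in winnt.h.
MEM_COMMIT, MEM_RESERVE, MEM_FREE = 0x1000, 0x2000, 0x10000
PAGE_NOACCESS, PAGE_READONLY, PAGE_READWRITE, PAGE_WRITECOPY = 0x01, 0x02, 0x04, 0x08
PAGE_EXECUTE, PAGE_EXECUTE_READ = 0x10, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
PAGE_GUARD = 0x100

WRITEABLE = {PAGE_READWRITE, PAGE_WRITECOPY, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}
EXECUTABLE = {PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}
COPY_ON_WRITE = {PAGE_WRITECOPY, PAGE_EXECUTE_WRITECOPY}

# Assumption: highest user-mode address of a 32-bit process without /3GB.
MAX_USER_ADDRESS = 0x7FFEFFFF


@dataclass(frozen=True)
class Region:
    """The MEMORY_BASIC_INFORMATION fields the checks need."""
    BaseAddress: int
    RegionSize: int
    State: int
    Protect: int

    @property
    def end(self) -> int:
        return self.BaseAddress + self.RegionSize

    def _access(self) -> int:
        # Drop modifier bits (PAGE_GUARD, PAGE_NOCACHE, ...) and keep the access type.
        return self.Protect & 0xFF

    def _usable(self) -> bool:
        # Only committed, non-guarded pages can be touched without faulting.
        return self.State == MEM_COMMIT and not self.Protect & PAGE_GUARD

    def is_readable(self) -> bool:
        return self._usable() and self._access() != PAGE_NOACCESS

    def is_writeable(self) -> bool:
        return self._usable() and self._access() in WRITEABLE

    def is_executable(self) -> bool:
        return self._usable() and self._access() in EXECUTABLE

    def is_copy_on_write(self) -> bool:
        return self._usable() and self._access() in COPY_ON_WRITE


def check_buffer(memory_map: Iterable[Region], address: int, size: int,
                 predicate: Callable[[Region], bool]) -> bool:
    """True only if every byte of [address, address + size) lies in a region that
    satisfies predicate. A range spanning several regions is checked region by
    region; an unmapped gap, a failing region or a kernel address yields False."""
    if size <= 0:
        raise ValueError("The size argument must be greater than zero.")
    if address + size - 1 > MAX_USER_ADDRESS:
        return False  # kernel mode addresses are never reported as accessible
    cursor, end = address, address + size
    for region in sorted(memory_map, key=lambda r: r.BaseAddress):
        if region.end <= cursor:
            continue  # region lies entirely before the range
        if region.BaseAddress > cursor or not predicate(region):
            return False  # gap in the map, or a region failing the check
        cursor = region.end
        if cursor >= end:
            return True
    return False  # ran off the end of the map


def is_buffer_readable(memory_map, address, size):
    return check_buffer(memory_map, address, size, Region.is_readable)

def is_buffer_writeable(memory_map, address, size):
    return check_buffer(memory_map, address, size, Region.is_writeable)

def is_buffer_executable(memory_map, address, size):
    return check_buffer(memory_map, address, size, Region.is_executable)

def is_buffer_executable_and_writeable(memory_map, address, size):
    return check_buffer(memory_map, address, size,
                        lambda r: r.is_writeable() and r.is_executable())


def find_writeable_executable_regions(memory_map: Iterable[Region]) -> List[Tuple[int, int]]:
    """(base, size) of every region that is both writeable and executable; such
    regions are unusual in a well-behaved process and worth flagging."""
    return [(r.BaseAddress, r.RegionSize) for r in memory_map
            if r.is_writeable() and r.is_executable()]


# Constructed sample map (not taken from any real process).
SAMPLE_MAP = [
    Region(0x00400000, 0x1000, MEM_COMMIT, PAGE_READONLY),                # PE headers
    Region(0x00401000, 0x3000, MEM_COMMIT, PAGE_EXECUTE_READ),            # .text
    Region(0x00404000, 0x1000, MEM_COMMIT, PAGE_READWRITE),               # .data
    Region(0x00405000, 0x1000, MEM_FREE, 0),                              # unmapped gap
    Region(0x00406000, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE),       # RWX: flag it
    Region(0x00407000, 0x1000, MEM_COMMIT, PAGE_READWRITE | PAGE_GUARD),  # guard page
]
```

With SAMPLE_MAP, is_buffer_readable(SAMPLE_MAP, 0x00401000, 0x4000) is True because .text and .data are both readable, while is_buffer_readable(SAMPLE_MAP, 0x00404000, 0x2000) is False because the range runs into the unmapped gap; find_writeable_executable_regions returns only the RWX region at 0x00406000.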

get_mapped_filenames(self, memoryMap=None)
Retrieves the filenames for memory mapped files in the debugee.
Parameters
memoryMap: (Optional) Memory map returned by get_memory_map. If not given, the current memory map is used. (type=list( win32.MemoryBasicInformation ))
Return Value
Dictionary mapping memory addresses to file names. Native filenames are converted to Win32 filenames when possible. (type=dict( int → str ))

generate_memory_snapshot(self, minAddr=None, maxAddr=None)
Returns a Regenerator that allows you to iterate through the memory contents of a process indefinitely.
It's basically the same as the take_memory_snapshot method, but it takes the snapshot of each memory region as it goes, as opposed to taking the whole snapshot at once. This allows you to work with very large snapshots without a significant performance penalty.
Example:
    # Print the memory contents of a process.
    process.suspend()
    try:
        snapshot = process.generate_memory_snapshot()
        for mbi in snapshot:
            print(HexDump.hexblock(mbi.content, mbi.BaseAddress))
    finally:
        process.resume()
The downside of this is that the process must remain suspended while iterating the snapshot, otherwise strange things may happen.
The snapshot can be iterated more than once. Each time it's iterated the memory contents of the process will be fetched again.
You can also iterate the memory of a dead process, just as long as the last open handle to it hasn't been closed.
Parameters
minAddr: (Optional) Starting address in address range to query. (type=int)
maxAddr: (Optional) Ending address in address range to query. (type=int)
Return Value
Generator that when iterated returns memory region information objects. Two extra properties are added to these objects:
    filename: Mapped filename, or None.
    content: Memory contents, or None.
(type=Regenerator of win32.MemoryBasicInformation)
See Also: take_memory_snapshot

iter_memory_snapshot(self, minAddr=None, maxAddr=None)
Returns an iterator that allows you to go through the memory contents of a process.
It's basically the same as the take_memory_snapshot method, but it takes the snapshot of each memory region as it goes, as opposed to taking the whole snapshot at once. This allows you to work with very large snapshots without a significant performance penalty.
Example:
    # Print the memory contents of a process.
    process.suspend()
    try:
        snapshot = process.iter_memory_snapshot()
        for mbi in snapshot:
            print(HexDump.hexblock(mbi.content, mbi.BaseAddress))
    finally:
        process.resume()
The downside of this is that the process must remain suspended while iterating the snapshot, otherwise strange things may happen.
The snapshot can only be iterated once. To be able to iterate indefinitely call the generate_memory_snapshot method instead.
You can also iterate the memory of a dead process, just as long as the last open handle to it hasn't been closed.
Parameters
minAddr: (Optional) Starting address in address range to query. (type=int)
maxAddr: (Optional) Ending address in address range to query. (type=int)
Return Value
Iterator of memory region information objects. Two extra properties are added to these objects:
    filename: Mapped filename, or None.
    content: Memory contents, or None.
(type=iterator of win32.MemoryBasicInformation)
See Also: take_memory_snapshot

take_memory_snapshot(self, minAddr=None, maxAddr=None)
Takes a snapshot of the memory contents of the process.
It's best if the process is suspended (if alive) when taking the snapshot. Execution can be resumed afterwards.
Example:
    # Print the memory contents of a process.
    process.suspend()
    try:
        snapshot = process.take_memory_snapshot()
        for mbi in snapshot:
            print(HexDump.hexblock(mbi.content, mbi.BaseAddress))
    finally:
        process.resume()
You can also iterate the memory of a dead process, just as long as the last open handle to it hasn't been closed.
Parameters
minAddr: (Optional) Starting address in address range to query. (type=int)
maxAddr: (Optional) Ending address in address range to query. (type=int)
Return Value
List of memory region information objects. Two extra properties are added to these objects:
    filename: Mapped filename, or None.
    content: Memory contents, or None.
(type=list( win32.MemoryBasicInformation ))
Warning: If the target process has a very big memory footprint, the resulting snapshot will be equally big. This may result in a severe performance penalty.
See Also: generate_memory_snapshot

restore_memory_snapshot(self, snapshot, bSkipMappedFiles=True, bSkipOnError=False)
Attempts to restore the memory state as it was when the given snapshot was taken.
Parameters
snapshot: Memory snapshot returned by take_memory_snapshot. Snapshots returned by generate_memory_snapshot don't work here. (type=list( win32.MemoryBasicInformation ))
bSkipMappedFiles: True to avoid restoring the contents of memory mapped files, False otherwise. Use with care! Setting this to False can cause undesired side effects: changes to memory mapped files may be written to disk by the OS. Also note that most mapped files are typically executables and don't change, so trying to restore their contents is usually a waste of time. (type=bool)
bSkipOnError: True to issue a warning when an error occurs during the restoration of the snapshot, False to stop and raise an exception instead. Use with care! Setting this to True will cause the debugger to falsely believe the memory snapshot has been correctly restored. (type=bool)
Raises
WindowsError: An error occurred while restoring the snapshot.
RuntimeError: An error occurred while restoring the snapshot.
TypeError: A snapshot of the wrong type was passed.
Warning: Currently only the memory contents, state and protect bits are restored. Under some circumstances this method may fail (for example if memory was freed and then reused by a mapped file).

Memory allocation

malloc(self, dwSize, lpAddress=None)
Allocates memory into the address space of the process.
Parameters
dwSize: Number of bytes to allocate. (type=int)
lpAddress: (Optional) Desired address for the newly allocated memory. This is only a hint, the memory could still be allocated somewhere else. (type=int)
Return Value
Address of the newly allocated memory. (type=int)
Raises
WindowsError: On error an exception is raised.
See Also: free

mprotect(self, lpAddress, dwSize, flNewProtect)
Set memory protection in the address space of the process.
Parameters
lpAddress: Address of memory to protect. (type=int)
dwSize: Number of bytes to protect. (type=int)
flNewProtect: New protect flags. (type=int)
Return Value
Old protect flags. (type=int)
Raises
WindowsError: On error an exception is raised.
See Also: http://msdn.microsoft.com/en-us/library/aa366899.aspx

mquery(self, lpAddress)
Query memory information from the address space of the process. Returns a win32.MemoryBasicInformation object.
Parameters
lpAddress: Address of memory to query. (type=int)
Return Value
Memory region information. (type=win32.MemoryBasicInformation)
Raises
WindowsError: On error an exception is raised.
See Also: http://msdn.microsoft.com/en-us/library/aa366907(VS.85).aspx

free(self, lpAddress)
Frees memory from the address space of the process.
Parameters
lpAddress: Address of memory to free. Must be the base address returned by malloc. (type=int)
Raises
WindowsError: On error an exception is raised.
See Also: http://msdn.microsoft.com/en-us/library/aa366894(v=vs.85).aspx

Memory read

read(self, lpBaseAddress, nSize)
Reads from the memory of the process.
Parameters
lpBaseAddress: Memory address to begin reading. (type=int)
nSize: Number of bytes to read. (type=int)
Return Value
Bytes read from the process memory. (type=str)
Raises
WindowsError: On error an exception is raised.
See Also: peek

read_char(self, lpBaseAddress)
Reads a single character from the memory of the process.
Parameters
lpBaseAddress: Memory address to begin reading. (type=int)
Return Value
Character value read from the process memory. (type=int)
Raises
WindowsError: On error an exception is raised.
See Also: peek_char

read_int(self, lpBaseAddress)
Reads a signed integer from the memory of the process.
Parameters
lpBaseAddress: Memory address to begin reading. (type=int)
Return Value
Integer value read from the process memory. (type=int)
Raises
WindowsError: On error an exception is raised.
See Also: peek_int

read_uint(self, lpBaseAddress)
Reads an unsigned integer from the memory of the process.
Parameters
lpBaseAddress: Memory address to begin reading. (type=int)
Return Value
Integer value read from the process memory. (type=int)
Raises
WindowsError: On error an exception is raised.
See Also: peek_uint

read_float(self, lpBaseAddress)
Reads a float from the memory of the process.
Parameters
lpBaseAddress: Memory address to begin reading. (type=int)
Return Value
Floating point value read from the process memory. (type=int)
Raises
WindowsError: On error an exception is raised.
See Also: peek_float

read_double(self, lpBaseAddress)
Reads a double from the memory of the process.
Parameters
lpBaseAddress: Memory address to begin reading. (type=int)
Return Value
Floating point value read from the process memory. (type=int)
Raises
WindowsError: On error an exception is raised.
See Also: peek_double

read_pointer(self, lpBaseAddress)
Reads a pointer value from the memory of the process.
Parameters
lpBaseAddress: Memory address to begin reading. (type=int)
Return Value
Pointer value read from the process memory. (type=int)
Raises
WindowsError: On error an exception is raised.
See Also: peek_pointer

read_dword(self, lpBaseAddress)
Reads a DWORD from the memory of the process.
Parameters
lpBaseAddress: Memory address to begin reading. (type=int)
Return Value
Integer value read from the process memory. (type=int)
Raises
WindowsError: On error an exception is raised.
See Also: peek_dword

read_qword(self, lpBaseAddress)
Reads a QWORD from the memory of the process.
Parameters
lpBaseAddress: Memory address to begin reading. (type=int)
Return Value
Integer value read from the process memory. (type=int)
Raises
WindowsError: On error an exception is raised.
See Also: peek_qword

read_structure(self, lpBaseAddress, stype)
Reads a ctypes structure from the memory of the process.
Parameters
lpBaseAddress: Memory address to begin reading. (type=int)
stype: Structure definition. (type=class ctypes.Structure or a subclass.)
Return Value
Structure instance filled in with data read from the process memory. (type=int)
Raises
WindowsError: On error an exception is raised.
See Also: read

read_string(self, lpBaseAddress, nChars, fUnicode=False)
Reads an ASCII or Unicode string from the address space of the process.
Parameters
lpBaseAddress: Memory address to begin reading. (type=int)
nChars: String length to read, in characters. Remember that Unicode strings have two byte characters. (type=int)
fUnicode: True if the string is expected to be Unicode, False if it's expected to be ANSI. (type=bool)
Return Value
String read from the process memory space. (type=str, unicode)
Raises
WindowsError: On error an exception is raised.
See Also: peek_string

peek(self, lpBaseAddress, nSize)
Reads the memory of the process.
Parameters
lpBaseAddress: Memory address to begin reading. (type=int)
nSize: Number of bytes to read. (type=int)
Return Value
Bytes read from the process memory. Returns an empty string on error. (type=str)
See Also: read

peek_char(self, lpBaseAddress)
Reads a single character from the memory of the process.
Parameters
lpBaseAddress: Memory address to begin reading. (type=int)
Return Value
Character read from the process memory. Returns zero on error. (type=int)
See Also: read_char

peek_int(self, lpBaseAddress)
Reads a signed integer from the memory of the process.
Parameters
lpBaseAddress: Memory address to begin reading. (type=int)
Return Value
Integer value read from the process memory. Returns zero on error. (type=int)
See Also: read_int

peek_uint(self, lpBaseAddress)
Reads an unsigned integer from the memory of the process.
Parameters
lpBaseAddress: Memory address to begin reading. (type=int)
Return Value
Integer value read from the process memory. Returns zero on error. (type=int)
See Also: read_uint

peek_float(self, lpBaseAddress)
Reads a float from the memory of the process.
Parameters
lpBaseAddress: Memory address to begin reading. (type=int)
Return Value
Integer value read from the process memory. Returns zero on error. (type=int)
See Also: read_float

peek_double(self, lpBaseAddress)
Reads a double from the memory of the process.
Parameters
lpBaseAddress: Memory address to begin reading. (type=int)
Return Value
Integer value read from the process memory. Returns zero on error. (type=int)
See Also: read_double

peek_dword(self, lpBaseAddress)
Reads a DWORD from the memory of the process.
Parameters
lpBaseAddress: Memory address to begin reading. (type=int)
Return Value
Integer value read from the process memory. Returns zero on error. (type=int)
See Also: read_dword

peek_qword(self, lpBaseAddress)
Reads a QWORD from the memory of the process.
Parameters
lpBaseAddress: Memory address to begin reading. (type=int)
Return Value
Integer value read from the process memory. Returns zero on error. (type=int)
See Also: read_qword

peek_pointer(self, lpBaseAddress)
Reads a pointer value from the memory of the process.
Parameters
lpBaseAddress: Memory address to begin reading. (type=int)
Return Value
Pointer value read from the process memory. Returns zero on error. (type=int)
See Also: read_pointer

peek_string(self, lpBaseAddress, fUnicode=False, dwMaxSize=4096)
Tries to read an ASCII or Unicode string from the address space of the process.
Parameters
lpBaseAddress: Memory address to begin reading. (type=int)
fUnicode: True if the string is expected to be Unicode, False if it's expected to be ANSI. (type=bool)
dwMaxSize: Maximum allowed string length to read, in bytes. (type=int)
Return Value
String read from the process memory space. It doesn't include the terminating null character. Returns an empty string on failure. (type=str, unicode)
See Also: read_string

Memory write
write(self, lpBaseAddress, lpBuffer)
Writes to the memory of the process.
Parameters
lpBaseAddress: Memory address to begin writing. (type=int)
lpBuffer: Bytes to write. (type=str)
Raises
WindowsError: On error an exception is raised.
Note: Page permissions may be changed temporarily while writing.
See Also: poke

write_char(self, lpBaseAddress, char)
Writes a single character to the memory of the process.
Parameters
lpBaseAddress: Memory address to begin writing. (type=int)
char: Character to write. (type=int)
Raises
WindowsError: On error an exception is raised.
Note: Page permissions may be changed temporarily while writing.
See Also: poke_char

write_int(self, lpBaseAddress, unpackedValue)
Writes a signed integer to the memory of the process.
Parameters
lpBaseAddress: Memory address to begin writing. (type=int)
unpackedValue: Value to write. (type=int, long)
Raises
WindowsError: On error an exception is raised.
Note: Page permissions may be changed temporarily while writing.
See Also: poke_int

write_uint(self, lpBaseAddress, unpackedValue)
Writes an unsigned integer to the memory of the process.
Parameters
lpBaseAddress: Memory address to begin writing. (type=int)
unpackedValue: Value to write. (type=int, long)
Raises
WindowsError: On error an exception is raised.
Note: Page permissions may be changed temporarily while writing.
See Also: poke_uint

write_float(self, lpBaseAddress, unpackedValue)
Writes a float to the memory of the process.
Parameters
lpBaseAddress: Memory address to begin writing. (type=int)
unpackedValue: Floating point value to write. (type=int, long)
Raises
WindowsError: On error an exception is raised.
Note: Page permissions may be changed temporarily while writing.
See Also: poke_float

write_double(self, lpBaseAddress, unpackedValue)
Writes a double to the memory of the process.
Parameters
lpBaseAddress: Memory address to begin writing. (type=int)
unpackedValue: Floating point value to write. (type=int, long)
Raises
WindowsError: On error an exception is raised.
Note: Page permissions may be changed temporarily while writing.
See Also: poke_double

write_pointer(self, lpBaseAddress, unpackedValue)
Writes a pointer value to the memory of the process.
Parameters
lpBaseAddress: Memory address to begin writing. (type=int)
unpackedValue: Value to write. (type=int, long)
Raises
WindowsError: On error an exception is raised.
Note: Page permissions may be changed temporarily while writing.
See Also: poke_pointer

write_dword(self, lpBaseAddress, unpackedValue)
Writes a DWORD to the memory of the process.
Parameters
lpBaseAddress: Memory address to begin writing. (type=int)
unpackedValue: Value to write. (type=int, long)
Raises
WindowsError: On error an exception is raised.
Note: Page permissions may be changed temporarily while writing.
See Also: poke_dword

write_qword(self, lpBaseAddress, unpackedValue)
Writes a QWORD to the memory of the process.
Parameters
lpBaseAddress: Memory address to begin writing. (type=int)
unpackedValue: Value to write. (type=int, long)
Raises
WindowsError: On error an exception is raised.
Note: Page permissions may be changed temporarily while writing.
See Also: poke_qword

poke(self, lpBaseAddress, lpBuffer)
Writes to the memory of the process.
Parameters
lpBaseAddress: Memory address to begin writing. (type=int)
lpBuffer: Bytes to write. (type=str)
Return Value
Number of bytes written. May be less than the number of bytes to write. (type=int)
Note: Page permissions may be changed temporarily while writing.
See Also: write

poke_char(self, lpBaseAddress, char)
Writes a single character to the memory of the process.
Parameters
lpBaseAddress: Memory address to begin writing. (type=int)
char: Character to write. (type=str)
Return Value
Number of bytes written. May be less than the number of bytes to write. (type=int)
Note: Page permissions may be changed temporarily while writing.
See Also: write_char

poke_int(self, lpBaseAddress, unpackedValue)
Writes a signed integer to the memory of the process.
Parameters
lpBaseAddress: Memory address to begin writing. (type=int)
unpackedValue: Value to write. (type=int, long)
Return Value
Number of bytes written. May be less than the number of bytes to write. (type=int)
Note: Page permissions may be changed temporarily while writing.
See Also: write_int

poke_uint(self, lpBaseAddress, unpackedValue)
Writes an unsigned integer to the memory of the process.
Parameters
lpBaseAddress: Memory address to begin writing. (type=int)
unpackedValue: Value to write. (type=int, long)
Return Value
Number of bytes written. May be less than the number of bytes to write. (type=int)
Note: Page permissions may be changed temporarily while writing.
See Also: write_uint

poke_float(self, lpBaseAddress, unpackedValue)
Writes a float to the memory of the process.
Parameters
lpBaseAddress: Memory address to begin writing. (type=int)
unpackedValue: Value to write. (type=int, long)
Return Value
Number of bytes written. May be less than the number of bytes to write. (type=int)
Note: Page permissions may be changed temporarily while writing.
See Also: write_float

poke_double(self, lpBaseAddress, unpackedValue)
Writes a double to the memory of the process.
Parameters
lpBaseAddress: Memory address to begin writing. (type=int)
unpackedValue: Value to write. (type=int, long)
Return Value
Number of bytes written. May be less than the number of bytes to write. (type=int)
Note: Page permissions may be changed temporarily while writing.
See Also: write_double

poke_dword(self, lpBaseAddress, unpackedValue)
Writes a DWORD to the memory of the process.
Parameters
lpBaseAddress: Memory address to begin writing. (type=int)
unpackedValue: Value to write. (type=int, long)
Return Value
Number of bytes written. May be less than the number of bytes to write. (type=int)
Note: Page permissions may be changed temporarily while writing.
See Also: write_dword

poke_qword(self, lpBaseAddress, unpackedValue)
Writes a QWORD to the memory of the process.
Parameters
lpBaseAddress: Memory address to begin writing. (type=int)
unpackedValue: Value to write. (type=int, long)
Return Value
Number of bytes written. May be less than the number of bytes to write. (type=int)
Note: Page permissions may be changed temporarily while writing.
See Also: write_qword

poke_pointer(self, lpBaseAddress, unpackedValue)
Writes a pointer value to the memory of the process.
Parameters
lpBaseAddress: Memory address to begin writing. (type=int)
unpackedValue: Value to write. (type=int, long)
Return Value
Number of bytes written. May be less than the number of bytes to write. (type=int)
Note: Page permissions may be changed temporarily while writing.
See Also: write_pointer

Memory search

search(self, pattern, minAddr=None, maxAddr=None)
Search for the given pattern within the process memory.
Parameters
pattern: Pattern to search for. It may be a byte string, a Unicode string, or an instance of Pattern. The following Pattern subclasses are provided by WinAppDbg:
    BytePattern
    TextPattern
    RegExpPattern
    HexPattern
You can also write your own subclass of Pattern for customized searches. (type=str, unicode or Pattern)
minAddr: (Optional) Start the search at this memory address. (type=int)
maxAddr: (Optional) Stop the search at this memory address. (type=int)
Return Value
An iterator of tuples. Each tuple contains the following:
    The memory address where the pattern was found.
    The size of the data that matches the pattern.
    The data that matches the pattern.
(type=iterator of tuple( int, int, str ))
Raises
WindowsError: An error occurred when querying or reading the process memory.

search_bytes(self, bytes, minAddr=None, maxAddr=None)
Search for the given byte pattern within the process memory.
Parameters
bytes: Bytes to search for. (type=str)
minAddr: (Optional) Start the search at this memory address. (type=int)
maxAddr: (Optional) Stop the search at this memory address. (type=int)
Return Value
An iterator of memory addresses where the pattern was found. (type=iterator of int)
Raises
WindowsError: An error occurred when querying or reading the process memory.

search_text(self, text, encoding='utf-16le', caseSensitive=False, minAddr=None, maxAddr=None)
Search for the given text within the process memory.
Parameters
text: Text to search for. (type=str or unicode)
encoding: (Optional) Encoding for the text parameter. Only used when the text to search for is a Unicode string. Don't change unless you know what you're doing! (type=str)
caseSensitive: True if the search is case sensitive, False otherwise. (type=bool)
minAddr: (Optional) Start the search at this memory address. (type=int)
maxAddr: (Optional) Stop the search at this memory address. (type=int)
Return Value
An iterator of tuples. Each tuple contains the following:
    The memory address where the pattern was found.
    The text that matches the pattern.
(type=iterator of tuple( int, str ))
Raises
WindowsError: An error occurred when querying or reading the process memory.

search_regexp(self, regexp, flags=0, minAddr=None, maxAddr=None, bufferPages=-1)
Search for the given regular expression within the process memory.
Parameters
regexp: Regular expression string. (type=str)
flags: Regular expression flags. (type=int)
minAddr: (Optional) Start the search at this memory address. (type=int)
maxAddr: (Optional) Stop the search at this memory address. (type=int)
bufferPages: (Optional) Number of memory pages to buffer when performing the search. Valid values are:
    0 or None: Automatically determine the required buffer size. May not give complete results for regular expressions that match variable sized strings.
    > 0: Set the buffer size, in memory pages.
    < 0: Disable buffering entirely. This may give you a little speed gain at the cost of an increased memory usage. If the target process has very large contiguous memory regions it may actually be slower or even fail. It's also the only way to guarantee complete results for regular expressions that match variable sized strings.
(type=int)
Return Value
An iterator of tuples. Each tuple contains the following:
    The memory address where the pattern was found.
    The size of the data that matches the pattern.
    The data that matches the pattern.
(type=iterator of tuple( int, int, str ))
Raises
WindowsError: An error occurred when querying or reading the process memory.
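The bufferPages trade-off described above is easiest to see on a constructed region. The following added example (stand-alone Python 3, not WinAppDbg's implementation) scans a two-page buffer with a variable-length regular expression in three ways: naive per-buffer scanning, which cuts a match straddling a page boundary into two shorter matches; overlapped buffering, which keeps one buffer of look-ahead so that any match shorter than the buffer survives intact; and a whole-region scan, the only mode that is complete for matches of unbounded length. PAGE_SIZE, the sample region and the treatment of bufferPages=0 as a single page are assumptions of this example.

```python
"""Regular expression search over a memory region read in page-sized buffers.
Added example (stand-alone Python 3, not WinAppDbg code) showing why buffered
searching can split variable-length matches at buffer boundaries, and how an
overlap avoids it for matches shorter than one buffer."""
import re
from typing import List, Tuple

PAGE_SIZE = 0x1000  # assumed page size
Hit = Tuple[int, int, bytes]  # (address, size, data), as the search_* methods return


def search_naive(data: bytes, base: int, regex, window: int) -> List[Hit]:
    """Scan each buffer on its own. A match straddling a boundary is cut in two
    (or lost entirely if neither half still satisfies the expression)."""
    found = []
    for start in range(0, len(data), window):
        for m in regex.finditer(data[start:start + window]):
            found.append((base + start + m.start(), m.end() - m.start(), m.group()))
    return found


def search_overlapped(data: bytes, base: int, regex, window: int) -> List[Hit]:
    """Scan two buffers at a time but report only matches starting in the first;
    the second is look-ahead so a match may cross the boundary. Complete for
    matches shorter than `window`; longer ones can still be truncated."""
    found, covered = [], 0  # covered: end address of the last reported match
    for start in range(0, len(data), window):
        for m in regex.finditer(data[start:start + 2 * window]):
            if m.start() >= window:
                break  # begins in the look-ahead half; the next step reports it
            address = base + start + m.start()
            if address < covered:
                continue  # tail of a match already reported from the previous step
            found.append((address, m.end() - m.start(), m.group()))
            covered = address + m.end() - m.start()
    return found


def search_regexp(data: bytes, base: int, pattern: bytes, flags: int = 0,
                  buffer_pages: int = -1) -> List[Hit]:
    """buffer_pages follows the documented convention: < 0 scans the whole region
    at once (always complete, highest memory use); > 0 scans in overlapped buffers
    of that many pages; 0 or None is treated here as one page (a simplification
    of 'automatically determine the required buffer size')."""
    regex = re.compile(pattern, flags)
    if buffer_pages is not None and buffer_pages < 0:
        return [(base + m.start(), m.end() - m.start(), m.group())
                for m in regex.finditer(data)]
    pages = buffer_pages or 1
    return search_overlapped(data, base, regex, pages * PAGE_SIZE)


# Constructed two-page region: one word inside page 0, one straddling the boundary.
SAMPLE_BASE = 0x00500000
_buf = bytearray(2 * PAGE_SIZE)
_buf[0x10:0x15] = b"Admin"
_buf[0xFFB:0x1006] = b"SecretToken"  # 0xFFB-0xFFF in page 0, 0x1000-0x1005 in page 1
SAMPLE_DATA = bytes(_buf)
WORD = rb"[A-Za-z]{4,}"  # variable-length match: the case the documentation warns about


def demo():
    """Run the three strategies over the sample region and return their results."""
    naive = search_naive(SAMPLE_DATA, SAMPLE_BASE, re.compile(WORD), PAGE_SIZE)
    buffered = search_regexp(SAMPLE_DATA, SAMPLE_BASE, WORD, buffer_pages=1)
    whole = search_regexp(SAMPLE_DATA, SAMPLE_BASE, WORD, buffer_pages=-1)
    return naive, buffered, whole
```

demo() shows the difference: the naive scan reports "Admin", then "Secre" and "tToken" as two separate 5- and 6-byte matches either side of the page boundary, while both the overlapped and the whole-region scans report "Admin" and the single 11-byte "SecretToken" at SAMPLE_BASE + 0xFFB.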

search_hexa(self, hexa, minAddr=None, maxAddr=None)
Search for the given hexadecimal pattern within the process memory.
Hex patterns must be in this form:
    "68 65 6c 6c 6f 20 77 6f 72 6c 64"    # "hello world"
Spaces are optional. Capitalization of hex digits doesn't matter. This is exactly equivalent to the previous example:
    "68656C6C6F20776F726C64"    # "hello world"
Wildcards are allowed, in the form of a ? sign in any hex digit:
    "5? 5? c3"          # pop register / pop register / ret
    "b8 ?? ?? ?? ??"    # mov eax, immediate value
Parameters
hexa: Pattern to search for. (type=str)
minAddr: (Optional) Start the search at this memory address. (type=int)
maxAddr: (Optional) Stop the search at this memory address. (type=int)
Return Value
An iterator of tuples. Each tuple contains the following:
    The memory address where the pattern was found.
    The bytes that match the pattern.
(type=iterator of tuple( int, str ))
Raises
WindowsError: An error occurred when querying or reading the process memory.
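The pattern syntax above (optional spaces, case-insensitive digits, ? as a wildcard for a single hex digit) can be compiled into a byte regular expression. The following added example is stand-alone Python 3 and is not WinAppDbg's HexPattern class: compile_hex_pattern validates a pattern and turns each byte into an exact escape, a contiguous range (high nibble known), a 16-member class (low nibble known) or "any byte", and search_hexa runs it over a constructed buffer standing in for a memory region. SAMPLE_BASE and SAMPLE_DATA are constructed values.

```python
"""Hex pattern parser with nibble wildcards, compiled to a bytes regular expression.
Added example (stand-alone Python 3, not WinAppDbg's HexPattern): accepts the
syntax described above ("68 65 6c", "68656C6C", "5? 5? c3", "b8 ?? ?? ?? ??")."""
import re
from typing import List, Tuple

_HEX_DIGITS = frozenset("0123456789abcdef")


def _byte_fragment(pair: str) -> bytes:
    """Regex fragment for one pattern byte: exact value, nibble wildcard, or any byte."""
    hi, lo = pair
    if pair == "??":
        return b"."  # any byte (re.DOTALL below makes '.' include 0x0a)
    if lo == "?":  # "5?" -> contiguous range 0x50..0x5f
        top = int(hi, 16) << 4
        return b"[\\x%02x-\\x%02x]" % (top, top | 0x0F)
    if hi == "?":  # "?3" -> 0x03, 0x13, ..., 0xf3: sixteen explicit members
        members = b"".join(b"\\x%02x" % (h << 4 | int(lo, 16)) for h in range(16))
        return b"[" + members + b"]"
    return b"\\x%02x" % int(pair, 16)


def compile_hex_pattern(hexa: str) -> "re.Pattern[bytes]":
    """Validate the pattern (spaces optional, case-insensitive, '?' per nibble) and compile it."""
    compact = "".join(hexa.split()).lower()
    if not compact:
        raise ValueError("empty hex pattern")
    if len(compact) % 2:
        raise ValueError("hex pattern needs an even number of digits: %r" % hexa)
    bad = sorted(set(c for c in compact if c not in _HEX_DIGITS and c != "?"))
    if bad:
        raise ValueError("invalid characters in hex pattern: %r" % "".join(bad))
    fragments = [_byte_fragment(compact[i:i + 2]) for i in range(0, len(compact), 2)]
    return re.compile(b"".join(fragments), re.DOTALL)


def search_hexa(data: bytes, base_address: int, hexa: str) -> List[Tuple[int, bytes]]:
    """(address, matching bytes) for every non-overlapping occurrence, like the method above."""
    regex = compile_hex_pattern(hexa)
    return [(base_address + m.start(), m.group()) for m in regex.finditer(data)]


# Constructed buffer standing in for a memory region (not real process memory).
SAMPLE_BASE = 0x00400000
SAMPLE_DATA = (b"\x00" * 16
               + b"hello world"            # offset 0x10
               + b"\x90" * 5
               + b"\xb8\x78\x56\x34\x12"   # offset 0x20: mov eax, 0x12345678
               + b"\xc3"                   # offset 0x25: ret
               + b"\x00" * 8)
```

Both spellings of the "hello world" pattern find it at SAMPLE_BASE + 0x10; "b8 ?? ?? ?? ??" matches the five-byte mov at SAMPLE_BASE + 0x20 whatever the immediate is; "6? 6? 6? 6? 6?" matches only "hello", since every one of those five bytes has a high nibble of 6 and no other run of five such bytes exists in the buffer.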

strings(self, minSize=4, maxSize=1024)
Extract ASCII strings from the process memory.
Parameters
minSize: (Optional) Minimum size of the strings to search for. (type=int)
maxSize: (Optional) Maximum size of the strings to search for. (type=int)
Return Value
Iterator of strings extracted from the process memory. Each tuple contains the following:
    The memory address where the string was found.
    The size of the string.
    The string.
(type=iterator of tuple(int, int, str))

Processes snapshot
__contains__(self, anObject)
The same as: self.has_thread(anObject) or self.has_module(anObject)
Parameters
anObject: Object to look for. Can be a Thread, Module, thread global ID or module base address. (type=Thread, Module or int)
Return Value
True if the requested object was found in the snapshot. (type=bool)
Overrides: winappdbg.module._ModuleContainer.__contains__

__len__(self)
Return Value
Count of Thread and Module objects in this snapshot. (type=int)
Overrides: winappdbg.module._ModuleContainer.__len__
See Also: get_thread_count, get_module_count

__iter__(self)
Return Value
Iterator of Thread and Module objects in this snapshot. All threads are iterated first, then all modules. (type=iterator)
Overrides: winappdbg.module._ModuleContainer.__iter__
See Also: iter_threads, iter_modules

scan(self)
Populates the snapshot of threads and modules.

clear(self)
Clears the snapshot of threads and modules.

Deprecated
get_environment_data(self, fUnicode=None)
Retrieves the environment block data with which the program is running.
Parameters
fUnicode: True to return a list of Unicode strings, False to return a list of ANSI strings, or None to return whatever the default is for string types. (type=bool or None)
Return Value
Environment keys and values separated by a (=) character, as found in the process memory. (type=list of str)
Raises
WindowsError: On error an exception is raised.
Warning: Deprecated since WinAppDbg 1.5.
See Also: win32.GuessStringType

parse_environment_data(block)
Parse the environment block into a Python dictionary.
Parameters
block: List of strings as returned by get_environment_data. (type=list of str)
Return Value
Dictionary of environment keys and values. (type=dict(str → str))
Warning: Deprecated since WinAppDbg 1.5.
Note: Values of duplicated keys are joined using null characters.

Threads snapshot
Inherited from winappdbg.thread._ThreadContainer: clear_dead_threads(), clear_threads(), close_thread_handles(), find_threads_by_name(), get_thread(), get_thread_count(), get_thread_ids(), get_windows(), has_thread(), iter_thread_ids(), iter_threads(), scan_threads()

Modules snapshot
Inherited from winappdbg.module._ModuleContainer: clear_modules(), get_module(), get_module_at_address(), get_module_bases(), get_module_by_name(), get_module_count(), has_module(), iter_module_addresses(), iter_modules(), scan_modules()

Labels
Inherited from winappdbg.module._ModuleContainer: get_label_at_address(), parse_label(), resolve_label(), resolve_label_components(), sanitize_label(), split_label(), split_label_fuzzy(), split_label_strict()

Symbols
Inherited from winappdbg.module._ModuleContainer: get_symbol_at_address(), get_symbols(), iter_symbols(), load_symbols(), resolve_symbol(), unload_symbols()
103.2 Properties
Inherited from object
__class__
103.3 Instance Variables
Name            Description
dwProcessId     Global process ID. Use get_pid instead. (type=int)
fileName        Filename of the main module. Use get_filename instead. (type=str)
hProcess        Handle to the process. Use get_handle instead. (type=ProcessHandle)

104 Class winappdbg.registry.Registry
object
winappdbg.registry._RegistryContainer
winappdbg.registry.Registry
Exposes the Windows Registry as a Python container.
104.1 Methods
__init__(self, machine=None)
Opens a local or remote registry.
Parameters
machine: Optional machine name. If None it opens the local registry.
(type=str)
Overrides: object.__init__
close(self)
Closes all open connections to the remote Registry.
No exceptions are raised, even if an error occurs.
This method has no effect when opening the local Registry.
The remote Registry will still be accessible after calling this method (new connections will be opened automatically on access).
__enter__(self)
__exit__(self, exc_type, exc_value, traceback)
__repr__(self)
repr(x)
Overrides: object.__repr__ (inherited documentation)
__contains__(self, path)
__getitem__(self, path)
__setitem__(self, path, value)
__delitem__(self, path)
create(self, path)
Creates a new Registry key.
Parameters
path: Registry key path.
(type=str)
Return Value
The newly created Registry key.
(type=RegistryKey)
subkeys(self, path)
Returns a list of subkeys for the given Registry key.
Parameters
path: Registry key path.
(type=str)
Return Value
List of subkey names.
(type=list(str))
iterate(self, path)
Returns a recursive iterator on the specified key and its subkeys.
Parameters
path: Registry key path.
(type=str)
Return Value
Recursive iterator that returns Registry key paths.
(type=iterator)
Raises
KeyError The specified path does not exist.
iterkeys(self)
Returns an iterator that crawls the entire Windows Registry.
Inherited from winappdbg.registry._RegistryContainer
__iter__(), get(), has_key(), setdefault()
Inherited from object
__delattr__(), __format__(), __getattribute__(), __hash__(), __new__(), __reduce__(), __reduce_ex__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()
104.2 Properties
Inherited from object
__class__
104.3 Instance Variables
Name            Description
machine
105 Class winappdbg.search.BytePattern
object
winappdbg.search.Pattern
winappdbg.search.BytePattern
Known Subclasses: winappdbg.search.TextPattern
Fixed byte pattern.
105.1 Methods
__init__(self, pattern)
Class constructor.
The only mandatory argument should be the pattern string.
This method MUST be reimplemented by subclasses of Pattern.
Parameters
pattern: Byte string to search for.
(type=str)
Overrides: object.__init__
__len__(self)
Returns the exact length of the pattern.
Overrides: winappdbg.search.Pattern.__len__
See Also: Pattern.__len__
find(self, buffer, pos=None)
Searches for the pattern in the given buffer, optionally starting at the given position within the buffer.
This method MUST be reimplemented by subclasses of Pattern.
Parameters
buffer: Buffer to search on.
(type=str)
pos: (Optional) Position within the buffer to start searching from.
(type=int)
Return Value
Tuple containing the following:
Position within the buffer where a match is found, or -1 if no match was found.
Length of the matched data if a match is found, or undefined if no match was found.
(type=tuple( int, int ))
Overrides: winappdbg.search.Pattern.find (inherited documentation)
found(self, address, size, data)
This method gets called when a match is found.
This allows subclasses of Pattern to filter out unwanted results, or modify the results before giving them to the caller of Search.search_process.
If the return value is None the result is skipped.
Subclasses of Pattern don't need to reimplement this method unless filtering is needed.
Parameters
address: The memory address where the pattern was found.
(type=int)
size: The size of the data that matches the pattern.
(type=int)
data: The data that matches the pattern.
(type=str)
Return Value
Tuple containing the following:
The memory address where the pattern was found.
The size of the data that matches the pattern.
The data that matches the pattern.
(type=tuple( int, int, str ))
read(self, process, address, size)
Reads the requested number of bytes from the process memory at the given address.
Subclasses of Pattern typically don't need to reimplement this method.
Inherited from object
__delattr__(), __format__(), __getattribute__(), __hash__(), __new__(), __reduce__(), __reduce_ex__(), __repr__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()
105.2 Properties
Inherited from object
__class__
105.3 Instance Variables
Name            Description
length          Length of the byte pattern. (type=int)
pattern         Byte string to search for. (type=str)

106 Class winappdbg.search.HexPattern
object
winappdbg.search.Pattern
winappdbg.search.RegExpPattern
winappdbg.search.HexPattern
Hexadecimal pattern.
Hex patterns must be in this form:
"68 65 6c 6c 6f 20 77 6f 72 6c 64"    # "hello world"
Spaces are optional. Capitalization of hex digits doesn't matter. This is exactly equivalent to the previous example:
"68656C6C6F20776F726C64"    # "hello world"
Wildcards are allowed, in the form of a ? sign in any hex digit:
"5? 5? c3"          # pop register / pop register / ret
"b8 ?? ?? ?? ??"    # mov eax, immediate value
106.1 Methods
__new__(cls, pattern)
If the pattern is completely static (no wildcards are present) a BytePattern is created instead. That's because searching for a fixed byte pattern is faster than searching for a regular expression.
Return Value
a new object with type S, a subtype of T
Overrides: object.__new__
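The wildcard syntax above, the static-pattern fast path that __new__ describes, and the (position, length) contract of find() are easier to see in running code. The following is an added example written for this page, not WinAppDbg's own implementation: hex_pattern_to_regexp, HexSearchPattern, PopPopRet and search_buffer are my own names, search_buffer is a simplified stand-in for the buffered scan that Search.search_process performs over real process memory, and SAMPLE_MEMORY is a constructed byte string. It also shows a caveat a practitioner should know about the "5? 5? c3" example: 0x50-0x57 encode push r32 and 0x58-0x5f encode pop r32, so that pattern matches push/push/ret as well, which is exactly what the found() filtering hook is for.

```python
import re


def hex_pattern_to_regexp(hexa):
    """Turn HexPattern-style text ("b8 ?? ?? ?? ??") into bytes regexp source.
    Spaces are optional, hex digits are case-insensitive, and a "?" leaves a
    nibble free: "??" is any byte, "5?" is 0x50..0x5f, "?5" is 0x05, 0x15, ...
    Returns (source, is_static); is_static is True when no "?" is present.
    """
    hexa = hexa.replace(' ', '').lower()
    if len(hexa) % 2 or not re.fullmatch(r'[0-9a-f?]*', hexa):
        raise ValueError('expected an even number of hex digits or ? wildcards')
    parts, is_static = [], True
    for i in range(0, len(hexa), 2):
        hi, lo = hexa[i], hexa[i + 1]
        if '?' not in (hi, lo):                       # fixed byte
            parts.append(b'\\x%02x' % int(hi + lo, 16))
            continue
        is_static = False
        if hi == lo == '?':                           # any byte
            parts.append(b'.')
        else:                                         # one free nibble
            highs = range(16) if hi == '?' else [int(hi, 16)]
            lows = range(16) if lo == '?' else [int(lo, 16)]
            values = [(h << 4) | l for h in highs for l in lows]
            parts.append(b'[' + b''.join(b'\\x%02x' % v for v in values) + b']')
    return b''.join(parts), is_static


class HexSearchPattern:
    """Minimal stand-in for the Pattern protocol: __len__, find and found."""

    def __init__(self, hexa):
        source, self.is_static = hex_pattern_to_regexp(hexa)
        self.length = len(hexa.replace(' ', '')) // 2   # one byte per digit pair
        if self.is_static:
            # The optimisation HexPattern.__new__ documents: with no wildcards
            # a raw byte search beats compiling and running a regexp.
            self.pattern, self.regexp = bytes.fromhex(hexa.replace(' ', '')), None
        else:
            # DOTALL: "." must also match 0x0a, which is just another byte here.
            self.pattern, self.regexp = source, re.compile(source, re.DOTALL)

    def __len__(self):
        return self.length

    def find(self, buffer, pos=None):
        """Return (position, length), or (-1, 0) when there is no match."""
        pos = 0 if pos is None else pos
        if self.regexp is None:
            idx = buffer.find(self.pattern, pos)
            return (idx, self.length) if idx >= 0 else (-1, 0)
        m = self.regexp.search(buffer, pos)
        return (m.start(), m.end() - m.start()) if m else (-1, 0)

    def found(self, address, size, data):
        """Filtering hook: return the result tuple, or None to drop it."""
        return (address, size, data)


class PopPopRet(HexSearchPattern):
    """'5? 5? c3' also matches push/push/ret (push r32 is 50..57), so keep
    only real pop/pop/ret gadgets (pop r32 is 58..5f) in found()."""

    def __init__(self):
        super().__init__('5? 5? c3')

    def found(self, address, size, data):
        if all(0x58 <= b <= 0x5f for b in data[:2]):
            return (address, size, data)
        return None


def search_buffer(pattern, buffer, base_address):
    """Scan one buffer as a buffered search would, keeping every result that
    found() does not drop; restart one byte on so overlapping hits are seen."""
    results, pos = [], 0
    while True:
        pos, size = pattern.find(buffer, pos)
        if pos < 0:
            return results
        result = pattern.found(base_address + pos, size, buffer[pos:pos + size])
        if result is not None:
            results.append(result)
        pos += 1


# Constructed sample "memory" (not from a real process), assumed mapped at BASE.
SAMPLE_MEMORY = (
    b'\x55\x8b\xec'              # push ebp / mov ebp, esp
    b'\x50\x51\xc3'              # push eax / push ecx / ret   (false positive)
    b'\xb8\x78\x56\x34\x12'      # mov eax, 0x12345678
    b'\x5e\x5b\xc3'              # pop esi / pop ebx / ret     (real gadget)
    b'\x5f\x5d\xc3'              # pop edi / pop ebp / ret     (real gadget)
)
BASE = 0x00401000

if __name__ == '__main__':
    for pattern in (PopPopRet(), HexSearchPattern('b8 ?? ?? ?? ??')):
        for address, size, data in search_buffer(pattern, SAMPLE_MEMORY, BASE):
            print('%08x  %s' % (address, data.hex()))
```

Two design points carry over to the real classes: __len__ is what a buffered search uses to size its read window, so a pattern whose matches can be longer than the value it reports will silently miss hits that straddle two windows; and found() is the right place for any filtering that needs the address (for example, dropping gadgets that land outside an executable region), because find() only ever sees a buffer offset.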

__init__(self, hexa)
Hex patterns must be in this form:
"68 65 6c 6c 6f 20 77 6f 72 6c 64"    # "hello world"
Spaces are optional. Capitalization of hex digits doesn't matter. This is exactly equivalent to the previous example:
"68656C6C6F20776F726C64"    # "hello world"
Wildcards are allowed, in the form of a ? sign in any hex digit:
"5? 5? c3"          # pop register / pop register / ret
"b8 ?? ?? ?? ??"    # mov eax, immediate value
Parameters
hexa: Pattern to search for.
(type=str)
Overrides: object.__init__
__len__(self)
Returns the maximum expected length of the strings matched by this pattern.
This value is taken from the maxLength argument of the constructor of this class.
Ideally it should be an exact value, but in some cases it's not possible to calculate so an upper limit should be returned instead.
If that's not possible either an exception must be raised.
This value will be used to calculate the required buffer size when doing buffered searches.
Overrides: winappdbg.search.Pattern.__len__
find(self, buffer, pos=None)
Searches for the pattern in the given buffer, optionally starting at the given position within the buffer.
This method MUST be reimplemented by subclasses of Pattern.
Parameters
buffer: Buffer to search on.
(type=str)
pos: (Optional) Position within the buffer to start searching from.
(type=int)
Return Value
Tuple containing the following:
Position within the buffer where a match is found, or -1 if no match was found.
Length of the matched data if a match is found, or undefined if no match was found.
(type=tuple( int, int ))
Overrides: winappdbg.search.Pattern.find (inherited documentation)
found(self, address, size, data)
This method gets called when a match is found.
This allows subclasses of Pattern to filter out unwanted results, or modify the results before giving them to the caller of Search.search_process.
If the return value is None the result is skipped.
Subclasses of Pattern don't need to reimplement this method unless filtering is needed.
Parameters
address: The memory address where the pattern was found.
(type=int)
size: The size of the data that matches the pattern.
(type=int)
data: The data that matches the pattern.
(type=str)
Return Value
Tuple containing the following:
The memory address where the pattern was found.
The size of the data that matches the pattern.
The data that matches the pattern.
(type=tuple( int, int, str ))
read(self, process, address, size)
Reads the requested number of bytes from the process memory at the given address.
Subclasses of Pattern typically don't need to reimplement this method.
Inherited from object
__delattr__(), __format__(), __getattribute__(), __hash__(), __reduce__(), __reduce_ex__(), __repr__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()
106.2 Properties
Inherited from object
__class__
106.3 Instance Variables
Name            Description
flags           Regular expression flags. (type=int)
maxLength       Maximum expected length of the strings matched by this regular expression. This value will be used to calculate the required buffer size when doing buffered searches. Ideally it should be an exact value, but in some cases it's not possible to calculate so an upper limit should be given instead. If that's not possible either, None should be used. That will cause an exception to be raised if this pattern is used in a buffered search. (type=int)
pattern         Regular expression in text form. (type=str)
regexp          Regular expression in compiled form. (type=re.compile)

107 Class winappdbg.search.Pattern
object
winappdbg.search.Pattern
Known Subclasses: winappdbg.search.BytePattern, winappdbg.search.RegExpPattern
Base class for search patterns.
The following Pattern subclasses are provided by WinAppDbg:
BytePattern
TextPattern
RegExpPattern
HexPattern
See Also: Search.search_process
107.1 Methods
__init__(self, pattern)
Class constructor.
The only mandatory argument should be the pattern string.
This method MUST be reimplemented by subclasses of Pattern.
Overrides: object.__init__
__len__(self)
Returns the maximum expected length of the strings matched by this pattern.
Exact behavior is implementation dependent.
Ideally it should be an exact value, but in some cases it's not possible to calculate so an upper limit should be returned instead.
If that's not possible either an exception must be raised.
This value will be used to calculate the required buffer size when doing buffered searches.
This method MUST be reimplemented by subclasses of Pattern.
read(self, process, address, size)
Reads the requested number of bytes from the process memory at the given address.
Subclasses of Pattern typically don't need to reimplement this method.
find(self, buffer, pos=None)
Searches for the pattern in the given buffer, optionally starting at the given position within the buffer.
This method MUST be reimplemented by subclasses of Pattern.
Parameters
buffer: Buffer to search on.
(type=str)
pos: (Optional) Position within the buffer to start searching from.
(type=int)
Return Value
Tuple containing the following:
Position within the buffer where a match is found, or -1 if no match was found.
Length of the matched data if a match is found, or undefined if no match was found.
(type=tuple( int, int ))
found(self, address, size, data)
This method gets called when a match is found.
This allows subclasses of Pattern to filter out unwanted results, or modify the results before giving them to the caller of Search.search_process.
If the return value is None the result is skipped.
Subclasses of Pattern don't need to reimplement this method unless filtering is needed.
Parameters
address: The memory address where the pattern was found.
(type=int)
size: The size of the data that matches the pattern.
(type=int)
data: The data that matches the pattern.
(type=str)
Return Value
Tuple containing the following:
The memory address where the pattern was found.
The size of the data that matches the pattern.
The data that matches the pattern.
(type=tuple( int, int, str ))
Inherited from object
__delattr__(), __format__(), __getattribute__(), __hash__(), __new__(), __reduce__(), __reduce_ex__(), __repr__(), __setattr__(), __sizeof__(), __str__(), __subclasshook__()
107.2 Properties
Inherited from object
__class__

108 Class winappdbg.search.RegExpPattern
object
winappdbg.search.Pattern
winappdbg.search.RegExpPattern
Known Subclasses: winappdbg.search.HexPattern
Regular expression pattern.
108.1 Methods
__init__(self, regexp, flags=0, maxLength=None)
Class constructor.
The only mandatory argument should be the pattern string.
This method MUST be reimplemented by subclasses of Pattern.
Parameters
regexp: Regular expression string.
(type=str)
flags: Regular expression flags.
(type=int)
maxLength: Maximum expected length of the strings matched by this regular expression. This value will be used to calculate the required buffer size when doing buffered searches. Ideally it should be an exact value, but in some cases it's not possible to calculate so an upper limit should be given instead. If that's not possible either, None should be used. That will cause an exception to be raised if this pattern is used in a buffered search.
(type=int)
Overrides: object.__init__
__len__(self)
Returns the maximum expected length of the strings matched by this pattern.
This value is taken from the maxLength argument of the constructor of this class.
Ideally it should be an exact value, but in some cases it's not possible to calculate so an upper limit should be returned instead.
If that's not possible either an exception must be raised.
This value will be used to calculate the required buffer size when doing buffered searches.
Overrides: winappdbg.search.Pattern.__len__
find(self, buffer, pos=None)
Searches for the pattern in the given buffer, optionally starting at the given position within the buffer.
This method MUST be reimplemented by subclasses of Pattern.
Parameters
buffer: Buffer to search on.
(type=str)
pos: (Optional) Position within the buffer to start searching from.
(type=int)
Return Value
Tuple containing the following:
Position within the buffer where a match is found, or -1 if no match was found.
Length of the matched data if a match is found, or undefined if no match was found.
(type=tuple( int, int ))
Overrides: winappdbg.search.Pattern.find (inherited documentation)
found(self, address, size, data)
This method gets called when a match is found.
This allows subclasses of Pattern to filter out unwanted results, or modify the results before giving them to the caller of Search.search_process.
If the return value is None the result is skipped.
Subclasses of Pattern don't need to reimplement this method unless filterin