Package winappdbg :: Module crash :: Class Crash

Class Crash

Represents a crash, bug, or another interesting event in the debugee.

Instance Methods

__init__(self, event)
x.__init__(...) initializes x; see help(type(x)) for signature

__str__(self)
str(x)

key(self)
Alias of signature.

__is_control_flow(self)
Private method to tell if the instruction pointed to by the program counter is a control flow instruction.

__is_block_data_move(self)
Private method to tell if the instruction pointed to by the program counter is a block data move instruction.

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __repr__, __setattr__, __sizeof__, __subclasshook__

    Report

isExploitable(self)
Guess how likely it is that the bug causing the crash can be leveraged into an exploitable vulnerability.
Returns: tuple( str, str, str )

briefReport(self)
Short description of the event.
Returns: str

fullReport(self, bShowNotes=True)
Long description of the event.
Returns: str

environmentReport(self)
The process environment variables, merged and formatted for a report.
Returns: str

notesReport(self)
All notes, merged and formatted for a report.
Returns: str

    Notes

addNote(self, msg)
Add a note to the crash event.

clearNotes(self)
Clear the notes of this crash event.

getNotes(self)
Get the list of notes of this crash event.
Returns: list( str )

iterNotes(self)
Iterate the notes of this crash event.
Returns: listiterator

hasNotes(self)
True if there are notes for this crash event.
Returns: bool

    Miscellaneous

fetch_extra_data(self, event, takeMemorySnapshot=0)
Fetch extra data from the Event object.

Instance Variables
int _rowid
Row ID in the database.
    Basic information
object signature
Approximately unique signature for the Crash object.
str arch
Processor architecture.
int bits
32 or 64 bits.
int eventCode
Event code as defined by the Win32 API.
str eventName
Event code user-friendly name.
None or str labelPC
Label pointing to the program counter.
str os
Operating system version.
int pid
Process global ID.
dict( str → int ) registers
Dictionary mapping register names to their values.
int tid
Thread global ID.
float timeStamp
Timestamp as returned by time.time().
    Optional information
None or str debugString
Debug string sent by the debugee.
None or int exceptionAddress
Memory address where the exception occurred.
None or int exceptionCode
Exception code as defined by the Win32 API.
None or str exceptionDescription
Exception description.
None or str exceptionLabel
Label pointing to the exception address.
None or str exceptionName
Exception code user-friendly name.
None or int faultAddress
Access violation memory address.
None or str faultLabel
Label pointing to the access violation memory address.
None or int faultType
Access violation type.
None or bool firstChance
True for first chance exceptions, False for second chance.
bool isOurBreakpoint
True for breakpoints defined by the Debug class, False otherwise.
bool isSystemBreakpoint
True for known system-defined breakpoints, False otherwise.
None or int lpBaseOfDll
Base of module where the program counter points to.
None or str modFileName
File name of module where the program counter points to.
None or tuple of tuple( int, int, str ) stackTrace
Stack trace of the current thread as a tuple of ( frame pointer, return address, module filename ).
None or tuple( str... ) stackTraceLabels
Tuple of labels pointing to the return addresses in the stack trace.
None or tuple( int... ) stackTracePC
Tuple of return addresses in the stack trace.
None or tuple of tuple( int, str ) stackTracePretty
Stack trace of the current thread as a tuple of ( frame pointer, return location ).
    Extra information
None or str commandLine
Command line for the target process.
None or dict( str → str ) environment
Environment variables for the target process.
None or list of str environmentData
Environment data for the target process.
None or str faultCode
Data pointed to by the program counter.
None or tuple of tuple( long, int, str, str ) faultDisasm
Disassembly around the program counter.
None or str faultMem
Data pointed to by the exception address.
None or dict( int→ str ) faultPeek
Dictionary mapping guessed pointers at faultMem to the data they point to.
None or list of win32.MemoryBasicInformation objects. memoryMap
Memory snapshot of the program.
None or dict( str → str ) registersPeek
Dictionary mapping register names to the data they point to.
None or str stackFrame
Data pointed to by the stack pointer.
None or dict( int → str ) stackPeek
Dictionary mapping stack offsets to the data they point to.
tuple( int, int ) stackRange
Stack beginning and end pointers, in memory address order.
    Notes
list( str ) notes
List of strings, each string is a note.
Properties

Inherited from object: __class__

    Basic information
int pc
Value of the program counter register.
int sp
Value of the stack pointer register.
int fp
Value of the frame pointer register.
Method Details

__init__(self, event)
(Constructor)

x.__init__(...) initializes x; see help(type(x)) for signature

Parameters:
  • event (Event) - Event object for crash.
Overrides: object.__init__

fetch_extra_data(self, event, takeMemorySnapshot=0)

Fetch extra data from the Event object.

Parameters:

Note: Since this method may take a little longer to run, it's best to call it only after you've determined the crash is interesting and you want to save it.

__str__(self)
(Informal representation operator)

str(x)

Overrides: object.__str__
(inherited documentation)

key(self)

Alias of signature. Deprecated since WinAppDbg 1.5.

isExploitable(self)

Guess how likely it is that the bug causing the crash can be leveraged into an exploitable vulnerability.

Returns: tuple( str, str, str )
The first element of the tuple is the result of the analysis, being one of the following:
  • Not an exception
  • Not exploitable
  • Not likely exploitable
  • Unknown
  • Probably exploitable
  • Exploitable

The second element of the tuple is a code to identify the matched heuristic rule.

The third element of the tuple is a description string of the reason behind the result.

Note: Don't take this as an equivalent of a real exploitability analysis, which can only be done by a human being! This is only a guideline, useful for example to sort crashes, placing the most interesting ones at the top.

See Also: The heuristics are similar to those of the !exploitable extension for WinDBG, which can be downloaded from here:

http://www.codeplex.com/msecdbg

__is_control_flow(self)

Private method to tell if the instruction pointed to by the program counter is a control flow instruction.

Currently only works for x86 and amd64 architectures.

__is_block_data_move(self)

Private method to tell if the instruction pointed to by the program counter is a block data move instruction.

Currently only works for x86 and amd64 architectures.

briefReport(self)

Returns: str
Short description of the event.

fullReport(self, bShowNotes=True)

Parameters:
  • bShowNotes (bool) - True to show the user notes, False otherwise.
Returns: str
Long description of the event.

environmentReport(self)

Returns: str
The process environment variables, merged and formatted for a report.

notesReport(self)

Returns: str
All notes, merged and formatted for a report.

addNote(self, msg)

Add a note to the crash event.

Parameters:
  • msg (str) - Note text.

getNotes(self)

Get the list of notes of this crash event.

Returns: list( str )
List of notes.

iterNotes(self)

Iterate the notes of this crash event.

Returns: listiterator
Iterator of the list of notes.

hasNotes(self)

Returns: bool
True if there are notes for this crash event.

Instance Variable Details

signature

Approximately unique signature for the Crash object.

This signature can be used as a heuristic to determine whether two crashes were caused by the same software error. Ideally it should be treated as an opaque serializable object that can be tested for equality.

Get Method:
unreachable.signature(self)
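
The isExploitable() verdict list and the signature heuristic above are the two pieces a crash triage loop needs. This added example (not WinAppDbg's own code) deduplicates by signature, ranks by the documented verdict order and records each verdict as a note; the ConstructedCrash class is an assumed stand-in for winappdbg.Crash so the example runs offline.

```python
# Added example, not WinAppDbg code: triage Crash objects with the API documented
# above (signature, isExploitable(), addNote()). A constructed stand-in class
# replaces winappdbg.Crash so it runs offline.

# The six verdicts documented for isExploitable(), least to most interesting.
EXPLOITABILITY_ORDER = (
    "Not an exception",
    "Not exploitable",
    "Not likely exploitable",
    "Unknown",
    "Probably exploitable",
    "Exploitable",
)

def exploitability_rank(crash):
    """Integer rank of the first element of isExploitable(); higher is more interesting."""
    verdict = crash.isExploitable()[0]
    if verdict not in EXPLOITABILITY_ORDER:
        verdict = "Unknown"  # verdict from another library version: rank as Unknown
    return EXPLOITABILITY_ORDER.index(verdict)

def triage(crashes):
    """Keep the first crash per signature, note its verdict, sort most interesting first."""
    kept = {}
    for crash in crashes:
        # signature is an opaque value tested only for equality, as documented
        if crash.signature in kept:
            continue
        verdict, rule, reason = crash.isExploitable()
        crash.addNote("triage: %s [rule %s] %s" % (verdict, rule, reason))
        kept[crash.signature] = crash
    # sorted() is stable, so crashes with equal verdicts keep arrival order
    return sorted(kept.values(), key=exploitability_rank, reverse=True)

class ConstructedCrash(object):
    """Constructed stand-in for winappdbg.Crash, exposing only what triage() uses."""
    def __init__(self, signature, verdict, rule, reason):
        self.signature = signature
        self._verdict = (verdict, rule, reason)
        self.notes = []
    def isExploitable(self):
        return self._verdict
    def addNote(self, msg):
        self.notes.append(msg)

# Constructed sample input; rule codes and reasons are placeholders, not real output.
SAMPLE_CRASHES = [
    ConstructedCrash(("sig", 1), "Not likely exploitable", "RULE-A", "placeholder reason A"),
    ConstructedCrash(("sig", 2), "Exploitable", "RULE-B", "placeholder reason B"),
    ConstructedCrash(("sig", 1), "Not likely exploitable", "RULE-A", "duplicate of signature 1"),
]
```

With real Crash objects the same triage() call works unchanged, since it only touches the attributes and methods documented on this page.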

_rowid

Row ID in the database. Internally used by the DAO layer. Only present in crash dumps retrieved from the database. Do not rely on this property to be present in future versions of WinAppDbg.
Type:
int

commandLine

Command line for the target process.

None if unapplicable or unable to retrieve.

Type:
None or str

debugString

Debug string sent by the debugee.

None if unapplicable or unable to retrieve.

Type:
None or str

environment

Environment variables for the target process.

None if unapplicable or unable to retrieve.

Type:
None or dict( str → str )

environmentData

Environment data for the target process.

None if unapplicable or unable to retrieve.

Type:
None or list of str

exceptionAddress

Memory address where the exception occurred.

None if unapplicable or unable to retrieve.

Type:
None or int

exceptionCode

Exception code as defined by the Win32 API.

None if unapplicable or unable to retrieve.

Type:
None or int

exceptionDescription

Exception description.

None if unapplicable or unable to retrieve.

Type:
None or str

exceptionLabel

Label pointing to the exception address.

None or invalid if unapplicable or unable to retrieve.

Type:
None or str

exceptionName

Exception code user-friendly name.

None if unapplicable or unable to retrieve.

Type:
None or str

faultAddress

Access violation memory address. Only applicable to memory faults.

None if unapplicable or unable to retrieve.

Type:
None or int

faultCode

Data pointed to by the program counter.

None or empty if unapplicable or unable to retrieve.

Type:
None or str

faultDisasm

Disassembly around the program counter.

None or empty if unapplicable or unable to retrieve.

Type:
None or tuple of tuple( long, int, str, str )

faultLabel

Label pointing to the access violation memory address. Only applicable to memory faults.

None if unapplicable or unable to retrieve.

Type:
None or str

faultMem

Data pointed to by the exception address.

None or empty if unapplicable or unable to retrieve.

Type:
None or str

faultPeek

Dictionary mapping guessed pointers at faultMem to the data they point to.

None or empty if unapplicable or unable to retrieve.

Type:
None or dict( int→ str )

faultType

Access violation type. Only applicable to memory faults. Should be one of the following constants:

None if unapplicable or unable to retrieve.

Type:
None or int

firstChance

True for first chance exceptions, False for second chance.

None if unapplicable or unable to retrieve.

Type:
None or bool

isOurBreakpoint

True for breakpoints defined by the Debug class, False otherwise.

None if unapplicable.

Type:
bool

isSystemBreakpoint

True for known system-defined breakpoints, False otherwise.

None if unapplicable.

Type:
bool

labelPC

Label pointing to the program counter.

None or invalid if unapplicable or unable to retrieve.

Type:
None or str

lpBaseOfDll

Base of module where the program counter points to.

None if unapplicable or unable to retrieve.

Type:
None or int

memoryMap

Memory snapshot of the program. May contain the actual data from the entire process memory if requested. See fetch_extra_data for more details.

None or empty if unapplicable or unable to retrieve.

Type:
None or list of win32.MemoryBasicInformation objects.

modFileName

File name of module where the program counter points to.

None or invalid if unapplicable or unable to retrieve.

Type:
None or str

os

Operating system version.

May indicate a 64 bit version even if arch and bits indicate 32 bits. This means the crash occurred inside a WOW64 process.

Type:
str

registersPeek

Dictionary mapping register names to the data they point to.

None if unapplicable or unable to retrieve.

Type:
None or dict( str → str )

stackFrame

Data pointed to by the stack pointer.

None or empty if unapplicable or unable to retrieve.

Type:
None or str

stackPeek

Dictionary mapping stack offsets to the data they point to.

None or empty if unapplicable or unable to retrieve.

Type:
None or dict( int → str )

stackRange

Stack beginning and end pointers, in memory address order.

None if unapplicable or unable to retrieve.

Type:
tuple( int, int )

stackTrace

Stack trace of the current thread as a tuple of ( frame pointer, return address, module filename ).

None or empty if unapplicable or unable to retrieve.

Type:
None or tuple of tuple( int, int, str )

stackTraceLabels

Tuple of labels pointing to the return addresses in the stack trace.

None or empty if unapplicable or unable to retrieve.

Type:
None or tuple( str... )

stackTracePC

Tuple of return addresses in the stack trace.

None or empty if unapplicable or unable to retrieve.

Type:
None or tuple( int... )

stackTracePretty

Stack trace of the current thread as a tuple of ( frame pointer, return location ).

None or empty if unapplicable or unable to retrieve.

Type:
None or tuple of tuple( int, str )

Property Details

pc

Value of the program counter register.

Get Method:
unreachable.pc(self) - Value of the program counter register.
Type:
int

sp

Value of the stack pointer register.

Get Method:
unreachable.sp(self) - Value of the stack pointer register.
Type:
int

fp

Value of the frame pointer register.

Get Method:
unreachable.fp(self) - Value of the frame pointer register.
Type:
int