Package winappdbg :: Module search :: Class Search

Class Search


Static class to group the search functionality.

Do not instantiate this class! Use its static methods instead.

Instance Methods

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __init__, __reduce__, __reduce_ex__, __repr__, __setattr__, __sizeof__, __str__, __subclasshook__

Class Methods
iterator of tuple(int, int, str)
extract_ascii_strings(cls, process, minSize=4, maxSize=1024)
Extract ASCII strings from the process memory.
Static Methods
iterator of tuple( int, int, str )
search_process(process, pattern, minAddr=None, maxAddr=None, bufferPages=None, overlapping=False)
Search for the given pattern within the process memory.
a new object with type S, a subtype of T
__new__(cls, *argv, **argd)
Don't try to instantiate this class, just use the static methods. (Inherited from winappdbg.util.StaticClass)
Properties

Inherited from object: __class__

Method Details

search_process(process, pattern, minAddr=None, maxAddr=None, bufferPages=None, overlapping=False)
Static Method

Search for the given pattern within the process memory.

Parameters:
  • process (Process) - Process to search.
  • pattern (Pattern) - Pattern to search for. It must be an instance of a subclass of Pattern.

    The following Pattern subclasses are provided by WinAppDbg:

    You can also write your own subclass of Pattern for customized searches.

  • minAddr (int) - (Optional) Start the search at this memory address.
  • maxAddr (int) - (Optional) Stop the search at this memory address.
  • bufferPages (int) - (Optional) Number of memory pages to buffer when performing the search. Valid values are:
    • 0 or None: Automatically determine the required buffer size. May not give complete results for regular expressions that match variable-sized strings, because a match that straddles two buffers cannot be seen whole.
    • > 0: Set the buffer size, in memory pages.
    • < 0: Disable buffering entirely and read each memory region in one piece. This may give a small speed gain at the cost of increased memory usage. If the target process has very large contiguous memory regions it may actually be slower or even fail. It is also the only way to guarantee complete results for regular expressions that match variable-sized strings.
  • overlapping (bool) - True to allow overlapping results, False otherwise.

    Overlapping results yield the maximum possible number of results.

    For example, if searching for "AAAA" within "AAAAAAAA" at address 0x10000, when overlapping is turned off the following matches are yielded:

       (0x10000, 4, "AAAA")
       (0x10004, 4, "AAAA")
    

    If overlapping is turned on, the following matches are yielded:

       (0x10000, 4, "AAAA")
       (0x10001, 4, "AAAA")
       (0x10002, 4, "AAAA")
       (0x10003, 4, "AAAA")
       (0x10004, 4, "AAAA")
    

    As you can see, the three middle results overlap the first and the last one.

Returns: iterator of tuple( int, int, str )
An iterator of tuples. Each tuple contains the following:
  • The memory address where the pattern was found.
  • The size of the data that matches the pattern.
  • The data that matches the pattern.
Raises:
  • WindowsError - An error occurred when querying or reading the process memory.

extract_ascii_strings(cls, process, minSize=4, maxSize=1024)
Class Method

Extract ASCII strings from the process memory.

Parameters:
  • process (Process) - Process to search.
  • minSize (int) - (Optional) Minimum size of the strings to search for.
  • maxSize (int) - (Optional) Maximum size of the strings to search for.
Returns: iterator of tuple(int, int, str)
Iterator of tuples, one per string extracted from the process memory. Each tuple contains the following:
  • The memory address where the string was found.
  • The size of the string.
  • The string.
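The following is an added example, not code from WinAppDbg: it models the result shape and the documented semantics of both search_process (the overlapping flag and the bufferPages caveat) and extract_ascii_strings over an in-memory byte buffer, so it runs without a Windows target process. The function names search_buffer, search_windowed, extract_ascii_strings and constructed_region, the 4 KiB page size, the use of a compiled bytes regex in place of a Pattern subclass, and the splitting of over-long strings into maxSize pieces are all assumptions made for the example; the planted memory region is constructed data.

```python
import re
from typing import Callable, Iterator, Tuple

# Assumption: 4 KiB pages, the page size of x86/x64 Windows.
PAGE_SIZE = 0x1000

# (address, size, matched bytes): the tuple shape search_process yields.
# This model yields bytes where WinAppDbg (Python 2 era) yields str.
Hit = Tuple[int, int, bytes]


def search_buffer(data: bytes, base: int, pattern, overlapping: bool = False) -> Iterator[Hit]:
    """Yield (address, size, match) for `pattern` inside `data` mapped at `base`.

    `pattern` is literal bytes or a compiled bytes regex (stand-in for a Pattern
    subclass). With overlapping=False the scan resumes after the end of each hit;
    with overlapping=True it resumes one byte after the start of each hit, which
    is what produces the five "AAAA" hits in the documentation's example.
    """
    regex = re.compile(re.escape(pattern)) if isinstance(pattern, bytes) else pattern
    pos = 0
    while pos <= len(data):
        m = regex.search(data, pos)
        if m is None:
            break
        start, end = m.span()
        if end == start:  # zero-width regex match: step past it instead of looping forever
            pos = start + 1
            continue
        yield (base + start, end - start, m.group(0))
        pos = start + 1 if overlapping else end


def search_windowed(read_memory: Callable[[int, int], bytes], base: int, size: int,
                    pattern, buffer_pages: int, overlapping: bool = False) -> Iterator[Hit]:
    """Model of bufferPages over one memory region [base, base + size).

    read_memory(address, size) stands in for reading the target process.
    buffer_pages < 0 reads the whole region at once; buffer_pages > 0 reads that
    many pages per step. A literal pattern has a known length, so each window is
    extended by len(pattern) - 1 bytes: no hit can fall between windows and none
    can be reported twice. A regex matching variable-sized data has no such
    bound, so a match straddling a window edge comes out as two truncated
    pieces, which is the incompleteness the documentation warns about.
    """
    if buffer_pages is not None and buffer_pages < 0:
        yield from search_buffer(read_memory(base, size), base, pattern, overlapping)
        return
    if not buffer_pages:  # 0/None: the library picks a size itself; this model uses one page
        buffer_pages = 1
    window = buffer_pages * PAGE_SIZE
    carry = len(pattern) - 1 if isinstance(pattern, bytes) else 0
    offset = 0
    while offset < size:
        length = min(window + carry, size - offset)
        chunk = read_memory(base + offset, length)
        yield from search_buffer(chunk, base + offset, pattern, overlapping)
        offset += window


def extract_ascii_strings(data: bytes, base: int, min_size: int = 4, max_size: int = 1024) -> Iterator[Hit]:
    """Model of extract_ascii_strings over a buffer: runs of printable ASCII
    (0x20..0x7e) at least min_size long. Runs longer than max_size are cut into
    max_size pieces (an assumption; the page only says strings up to maxSize
    are searched for).
    """
    regex = re.compile(rb"[\x20-\x7e]{%d,%d}" % (min_size, max_size))
    return search_buffer(data, base, regex)


# Variable-length regex used in the demo: a run of at least four "A" bytes.
A_RUN = re.compile(rb"A{4,}")


def constructed_region():
    """Three zero-filled pages with planted data (constructed, not a real dump):
    a literal at 0x100, a literal straddling the first page boundary, and a
    16-byte run of "A" straddling the second. Returns (base, size, read_memory)."""
    base = 0x400000
    mem = bytearray(3 * PAGE_SIZE)
    mem[0x100:0x104] = b"KEY!"
    mem[PAGE_SIZE - 2:PAGE_SIZE + 2] = b"KEY!"
    mem[2 * PAGE_SIZE - 8:2 * PAGE_SIZE + 8] = b"A" * 16

    def read_memory(address: int, size: int) -> bytes:
        off = address - base
        return bytes(mem[off:off + size])

    return base, len(mem), read_memory


if __name__ == "__main__":
    base, size, read_memory = constructed_region()
    for label, hits in (
        ("literal, 1-page windows", search_windowed(read_memory, base, size, b"KEY!", 1)),
        ("regex, unbuffered", search_windowed(read_memory, base, size, A_RUN, -1)),
        ("regex, 1-page windows", search_windowed(read_memory, base, size, A_RUN, 1)),
    ):
        print(label, [(hex(a), n) for a, n, _ in hits])
```

Running the demo shows the point of the bufferPages caveat directly: the 16-byte "A" run is reported as one hit when the region is read in one piece, but as two 8-byte hits when scanned a page at a time, while the literal "KEY!" on the page boundary is found either way. Against a real target, read_memory would be a wrapper around the Process object's read method.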