dbgscript Module¶

The dbgscript module provides a set of top-level APIs that serve as an entry point in obtaining other classes.

dbgscript.getGlobal(symbol) → TypedObject¶

Create a TypedObject from a global variable in the process identified by symbol. Symbol should be module-qualified for best results. E.g. foo!bar.

dbgscript.currentThread() → Thread¶

Get the current thread in the process.

dbgscript.getThreads() → table of Thread¶

Get the collection of threads in the process.

dbgscript.createTypedObject(type, addr) → TypedObject¶

Create a TypedObject from an address and type.

Note

Prefer using the fully-qualfied type name (i.e. including the module prefix) as it will accelerate symbol lookup dramatically. I.e. module!Foo, not Foo.

dbgscript.createTypedPointer(type, addr) → TypedObject¶

Create a pointer to a TypedObject from an address and type. Specify the base type for type. E.g. for an int*, pass int. This works for arbitrary buffers; arrays included.

Note

Prefer using the fully-qualfied type name (i.e. including the module prefix) as it will accelerate symbol lookup dramatically. I.e. module!Foo, not Foo.

New in version 1.0.5.

dbgscript.readPtr(addr) → integer¶

Read a pointer value from the virtual address space of the target process. addr must be a valid (accessible) address. This will be 8 bytes on an x64 target.

dbgscript.readString(addr[, count]) → string¶

Read an ANSI string from the target process starting at addr. count (optional) specifies the maximum number of characters to read.

New in version 1.0.4.

dbgscript.readWideString(addr[, count]) → string¶

Read a wide string from the target process starting at addr. count (optional) specifies the maximum number of characters to read.

New in version 1.0.4.

dbgscript.readBytes(addr, count) → string¶

Read count bytes from addr.

New in version 1.0.3.

dbgscript.getNearestSym(addr) → string¶

Lookup the nearest symbol to address addr. Operates similar to the debugger ln command.

New in version 1.0.1.

dbgscript.getPeb() → integer¶

Get the address of the current process’ PEB.

New in version 1.0.3.

dbgscript.fieldOffset(type, field) → integer¶

Obtain the offset of field in type. Behaves like offsetof macro in C.

New in version 1.0.2.

dbgscript.getTypeSize(type) → integer¶

Obtain the size of type in bytes. Behaves like sizeof operator in C.

New in version 1.0.4.

dbgscript.searchMemory(start, size, pattern, pattern_granularity) → integer¶

Search the address space from [start, start + size) for pattern. Throws an error if no match found.

Parameters:	start (integer) – Start of address space to search. size (integer) – Amount of bytes to search. pattern (string) – Pattern to search for. #pattern must be a multiple of pattern_granularity. pattern_granularity (integer) – Only consider matches at this granularity.
Returns:	location of match.
Return type:	integer

New in version 1.0.6.

dbgscript.startBuffering()¶

Start an output buffering session. All output from this point will be buffered in 8K chunks. This can help improve performance when writing a lot of content in a loop, as the WinDbg command window will not be redrawn after every line of output.

dbgscript.stopBuffering()¶

Stop an output buffering session. The buffer will also automatically be flushed on script terminaton, for any reason (unhandled exception or otherwise).

dbgscript.execCommand(cmd)¶

Executes a debugger command cmd and prints the output.

dbgscript.resolveEnum(enum, val) → string¶

Obtains the textual name of the enumerant given an enum enum and a value val.