dbgscript Module

The dbgscript module provides a set of top-level APIs that serve as the entry point for obtaining the other classes.

You do not need to import dbgscript. It is already visible in the global namespace.

dbgscript.get_global(symbol) → TypedObject

Create a TypedObject from the global variable in the process identified by symbol. For best results, symbol should be module-qualified, e.g. foo!bar.

dbgscript.current_thread() → Thread

Get the current thread in the process.

dbgscript.get_threads() → tuple of Thread

Get the collection of threads in the process.

dbgscript.create_typed_object(type, addr) → TypedObject

Create a TypedObject from an address and type.

Note

Prefer the fully-qualified type name (i.e. including the module prefix), as it accelerates symbol lookup dramatically: use module!Foo, not Foo.

dbgscript.create_typed_pointer(type, addr) → TypedObject

Create a pointer to a TypedObject from an address and type. Specify the base type for type. E.g. for an int*, pass int. This works for arbitrary buffers; arrays included.

Note

Prefer the fully-qualified type name (i.e. including the module prefix), as it accelerates symbol lookup dramatically: use module!Foo, not Foo.

New in version 1.0.5.

dbgscript.read_ptr(addr) → int

Read a pointer value from the virtual address space of the target process. addr must be a valid (accessible) address. This will be 8 bytes on an x64 target.

dbgscript.read_string(addr[, count]) → str

Read an ANSI string from the target process starting at addr. count (optional) specifies the maximum number of characters to read.

New in version 1.0.4.

dbgscript.read_wide_string(addr[, count]) → str

Read a wide string from the target process starting at addr. count (optional) specifies the maximum number of characters to read.

New in version 1.0.4.

dbgscript.read_bytes(addr, count) → bytes

Read count bytes from addr.

New in version 1.0.3.

dbgscript.get_nearest_sym(addr) → str

Look up the nearest symbol to address addr. Operates similarly to the debugger ln command.

New in version 1.0.1.

dbgscript.get_peb() → int

Get the address of the current process’ PEB.

New in version 1.0.3.

dbgscript.field_offset(type, field) → int

Obtain the offset of field in type. Behaves like the offsetof macro in C.

New in version 1.0.2.

dbgscript.get_type_size(type) → int

Obtain the size of type in bytes. Behaves like the sizeof operator in C.

New in version 1.0.4.

dbgscript.search_memory(start, size, pattern, pattern_granularity) → int

Search the address range [start, start + size) for pattern.

Parameters:
  • start (int) – Start of address space to search.
  • size (int) – Number of bytes to search.
  • pattern (bytes) – Pattern to search for. len(pattern) must be a multiple of pattern_granularity.
  • pattern_granularity (int) – Only consider matches at this granularity.
Returns: location of match.

Return type: int

Raises LookupError: if no match found.

New in version 1.0.6.
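search_memory returns only one match location and signals "no match" with LookupError, so listing every occurrence in a range takes a loop. The following is an added example, not code from the dbgscript project: find_all, demo and FakeTarget are hypothetical names, and FakeTarget is a constructed stand-in that lets the loop run outside the debugger. It assumes search_memory returns the lowest matching address and that candidate positions are start + k * pattern_granularity.

```python
class FakeTarget:
    """Constructed stand-in for dbgscript so the example runs outside WinDbg."""
    def __init__(self, base, data):
        self.base, self.data = base, data

    def search_memory(self, start, size, pattern, pattern_granularity):
        # Mirrors the documented contract: a match in [start, start + size),
        # LookupError if none. Assumption: candidates are start + k * granularity.
        lo = start - self.base
        hi = min(lo + size, len(self.data))
        for off in range(lo, hi - len(pattern) + 1, pattern_granularity):
            if self.data[off:off + len(pattern)] == pattern:
                return self.base + off
        raise LookupError("pattern not found")


def find_all(dbg, start, size, pattern, granularity=1):
    """Return every match address in [start, start + size), in ascending order."""
    if not pattern or granularity <= 0 or len(pattern) % granularity:
        raise ValueError("pattern must be non-empty and a multiple of granularity")
    hits, cur, end = [], start, start + size
    while end - cur >= len(pattern):
        try:
            hit = dbg.search_memory(cur, end - cur, pattern, granularity)
        except LookupError:
            break  # documented signal for "no further match"
        hits.append(hit)
        cur = hit + granularity  # next candidate; keeps alignment relative to start
    return hits


def demo(granularity):
    # Constructed sample: 32 zero bytes at a made-up address with three markers,
    # two 4-byte aligned (offsets 4 and 24) and one unaligned (offset 17).
    marker = b"\xef\xbe\xad\xde"
    data = bytearray(32)
    for off in (4, 17, 24):
        data[off:off + 4] = marker
    target = FakeTarget(0x10000, bytes(data))
    return find_all(target, 0x10000, len(data), marker, granularity)


if __name__ == "__main__":
    print([hex(a) for a in demo(4)])  # aligned matches only
    print([hex(a) for a in demo(1)])  # every match
```

Inside the debugger, pass the dbgscript module itself as dbg, e.g. find_all(dbgscript, start, size, pattern, 4).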

dbgscript.start_buffering()

Start an output buffering session. All output from this point will be buffered in 8K chunks. This can help improve performance when writing a lot of content in a loop, as the WinDbg command window will not be redrawn after every line of output.

dbgscript.stop_buffering()

Stop an output buffering session. The buffer will also automatically be flushed on script termination, for any reason (unhandled exception or otherwise).

dbgscript.execute_command(cmd)

Executes a debugger command cmd and prints the output.

dbgscript.resolve_enum(enum, val) → str

Obtains the textual name of the enumerant given an enum enum and a value val.