Module `ida_dbg`

Contains functions to control the debugging of a process.

See Debugger functions for a complete explanation of these functions.

These functions are inlined for the kernel. They are not inlined for the user- interfaces.

Global variables

var BKPT_ACTIVE: active?
var BKPT_BADBPT: failed to write the bpt to the process memory (at least one location)
var BKPT_CNDREADY: condition has been compiled
var BKPT_FAKEPEND: fake pending bpt: it is inactive but another bpt of the same type is active at the same address(es)
var BKPT_LISTBPT: include in bpt list (user-defined bpt)
var BKPT_PAGE: written to the process as a page bpt. Available only after writing the bpt to the process.
var BKPT_PARTIAL: partially active? (some locations were not written yet)
var BKPT_TRACE: trace bpt; should not be deleted when the process gets suspended
var BPLT_ABS: absolute address: ea
var BPLT_REL: relative address: module_path, offset
var BPLT_SRC: source level: filename, lineno
var BPLT_SYM: BPLT_SYM = 2
var BPTCK_ACT: breakpoint is active (written to the process)
var BPTCK_NO: breakpoint is disabled
var BPTCK_NONE: breakpoint does not exist
var BPTCK_YES: breakpoint is enabled
var BPTEV_ADDED: Breakpoint has been added.
var BPTEV_CHANGED: Breakpoint has been modified.
var BPTEV_REMOVED: Breakpoint has been removed.
var BPT_BRK: suspend execution upon hit
var BPT_ELANG_MASK: BPT_ELANG_MASK = 4026531840
var BPT_ELANG_SHIFT: index of the extlang (scripting language) of the condition
var BPT_ENABLED: enabled?
var BPT_LOWCND: condition is calculated at low level (on the server side)
var BPT_TRACE: add trace information upon hit
var BPT_TRACEON: enable tracing when the breakpoint is reached
var BPT_TRACE_BBLK: basic block tracing
var BPT_TRACE_FUNC: function tracing
var BPT_TRACE_INSN: instruction tracing
var BPT_TRACE_TYPES: trace insns, functions, and basic blocks. if any of BPT_TRACE_TYPES bits are set but BPT_TRACEON is clear, then turn off tracing for the specified trace types
var BPT_UPDMEM: refresh the memory layout and contents before evaluating bpt condition
var BT_LOG_INSTS: specific options for basic block tracing (see set_bblk_trace_options())

log all instructions in the current basic block
var DBGINV_ALL: invalidate everything
var DBGINV_MEMCFG: invalidate cached process segmentation
var DBGINV_MEMORY: invalidate cached memory contents
var DBGINV_NONE: invalidate nothing
var DBGINV_REDRAW: refresh the screen
var DBGINV_REGS: invalidate cached register values
var DEC_ERROR: error
var DEC_NOTASK: process does not exist
var DEC_TIMEOUT: timeout
var DOPT_BPT_MSGS: log breakpoints
var DOPT_DISABLE_ASLR: disable ASLR
var DOPT_END_BPT: evaluate event condition on process end
var DOPT_ENTRY_BPT: break on program entry point
var DOPT_EXCDLG: exception dialogs:
var DOPT_FAST_STEP: prevent debugger memory refreshes when single-stepping
var DOPT_INFO_BPT: break on debugging information
var DOPT_INFO_MSGS: log debugging info events
var DOPT_LIB_BPT: break on library load/unload
var DOPT_LIB_MSGS: log library loads/unloads
var DOPT_LOAD_DINFO: automatically load debug files (pdb)
var DOPT_REAL_MEMORY: do not hide breakpoint instructions
var DOPT_REDO_STACK: reconstruct the stack
var DOPT_SEGM_MSGS: log debugger segments modifications
var DOPT_START_BPT: break on process start
var DOPT_TEMP_HWBPT: when possible use hardware bpts for temp bpts
var DOPT_THREAD_BPT: break on thread start/exit
var DOPT_THREAD_MSGS: log thread starts/exits
var DSTATE_NOTASK: no process is currently debugged
var DSTATE_RUN: process is running
var DSTATE_SUSP: process is suspended and will not continue
var EXCDLG_ALWAYS: always display
var EXCDLG_NEVER: never display exception dialogs
var EXCDLG_UNKNOWN: display for unknown exceptions
var FT_LOG_RET: specific options for function tracing (see set_func_trace_options())

function tracing will log returning instructions
var IT_LOG_SAME_IP: specific options for instruction tracing (see set_insn_trace_options())

instruction tracing will log new instructions even when IP doesn't change
var MOVBPT_BAD_TYPE: MOVBPT_BAD_TYPE = 3
var MOVBPT_DEST_BUSY: MOVBPT_DEST_BUSY = 2
var MOVBPT_NOT_FOUND: MOVBPT_NOT_FOUND = 1
var MOVBPT_OK: MOVBPT_OK = 0
var SAVE_ALL_VALUES: SAVE_ALL_VALUES = 0
var SAVE_DIFF: SAVE_DIFF = 1
var SAVE_NONE: SAVE_NONE = 2
var SRCDBG_PROV_VERSION: SRCDBG_PROV_VERSION = 4
var SRCIT_EXPR: an expression (a+b*c)
var SRCIT_FUNC: function
var SRCIT_LOCVAR: a stack, register, or register-relative local variable or parameter
var SRCIT_MODULE: module
var SRCIT_NONE: unknown
var SRCIT_STMT: a statement (if/while/for...)
var SRCIT_STTVAR: static variable/code
var ST_ALREADY_LOGGED: step tracing will be disabled when IP is already logged
var ST_DIFFERENTIAL: ST_DIFFERENTIAL = 16
var ST_OPTIONS_DEFAULT: ST_OPTIONS_DEFAULT = 3
var ST_OPTIONS_MASK: mask of available options, to ensure compatibility with newer IDA versions
var ST_OVER_DEBUG_SEG: step tracing will be disabled when IP is in a debugger segment
var ST_OVER_LIB_FUNC: step tracing will be disabled when IP is in a library function
var ST_SKIP_LOOPS: step tracing will try to skip loops already recorded
var WFNE_ANY: return the first event (even if it doesn't suspend the process)
var WFNE_CONT: continue from the suspended state
var WFNE_NOWAIT: do not wait for any event, immediately return DEC_TIMEOUT (to be used with WFNE_CONT)
var WFNE_SILENT: 1: be silent, 0:display modal boxes if necessary
var WFNE_SUSP: wait until the process gets suspended
var WFNE_USEC: timeout is specified in microseconds (minimum non-zero timeout is 40000us)
var dbg_bpt: A user defined breakpoint was reached.
var dbg_bpt_changed: Breakpoint has been changed.
var dbg_exception: dbg_exception = 10
var dbg_finished_loading_bpts: Finished loading breakpoint info from idb.
var dbg_information: dbg_information = 9
var dbg_last: The last debugger notification code.
var dbg_library_load: dbg_library_load = 7
var dbg_library_unload: dbg_library_unload = 8
var dbg_null: dbg_null = 0
var dbg_process_attach: note: This event notification is also an asynchronous function result
notification for start_process() !
var dbg_process_detach: note: This event notification is also an asynchronous function result
notification for start_process() !
var dbg_process_exit: note: This event notification is also an asynchronous function result
notification for start_process() !
var dbg_process_start: note: This event notification is also an asynchronous function result
notification for start_process() !
var dbg_request_error: An error occurred during the processing of a request.
var dbg_run_to: dbg_run_to = 17
var dbg_started_loading_bpts: Started loading breakpoint info from idb.
var dbg_step_into: dbg_step_into = 15
var dbg_step_over: dbg_step_over = 16
var dbg_step_until_ret: dbg_step_until_ret = 18
var dbg_suspend_process: The process is now suspended.

note: This event notification is also an asynchronous function result
notification for suspend_process() !
var dbg_thread_exit: dbg_thread_exit = 6
var dbg_thread_start: dbg_thread_start = 5
var dbg_trace: A step occurred (one instruction was executed). This event notification is only generated if step tracing is enabled.

retval 1: do not log this trace event

retval 0: log it
var tev_bpt: write, read/write, execution trace
var tev_call: a function call trace
var tev_event: debug event occurred
var tev_insn: an instruction trace
var tev_max: first unused event type
var tev_mem: memory layout changed
var tev_none: no event
var tev_ret: a function return trace

Functions

def add_bpt(*args) ‑> bool

add_bpt(ea, size=0, type=BPT_DEFAULT) -> bool

Add a new breakpoint in the debugged process.

Type	available as request
Notification	none (synchronous function)

bpt: (C++: const bpt_t &) Breakpoint to add. It describes the break condition, type, flags,

location (module relative, source breakpoint or absolute) and other attributes.

size: asize_t

type: bpttype_t

add_bpt(bpt) -> bool

bpt: bpt_t const &

def add_path_mapping(*args) ‑> void

add_path_mapping(src, dst)

src: char const *

dst: char const *

def add_virt_module(*args) ‑> bool

add_virt_module(mod) -> bool

mod: modinfo_t const *

def attach_process(*args) ‑> int

attach_process(pid=pid_t(-1), event_id=-1) -> int Attach the debugger to a running process.

Type	available as Request
Notification	dbg_process_attach

note: This function shouldn't be called as a request if NO_PROCESS is used.

pid: (C++: pid_t) PID of the process to attach to. If NO_PROCESS, a dialog box will

interactively ask the user for the process to attach to.

retval -4: debugger was not inited

retval -3: the attaching is not supported

retval -2: impossible to find a compatible process

retval -1: impossible to attach to the given process (process died, privilege

needed, not supported by the debugger plugin, ...)

retval 0: the user cancelled the attaching to the process

retval 1: the debugger properly attached to the process

def bring_debugger_to_front(*args) ‑> void

bring_debugger_to_front()

def check_bpt(*args) ‑> int

check_bpt(ea) -> int

Check the breakpoint at the specified address.

ea: (C++: ea_t)

return: one of Breakpoint status codes

def choose_trace_file(*args) ‑> qstring *

choose_trace_file() -> str

Show the choose trace dialog.

def clear_requests_queue(*args) ‑> void

clear_requests_queue()

Clear the queue of waiting requests.

Type	Synchronous function
Notification	none (synchronous function)

note: If a request is currently running, this one isn't stopped.

def clear_trace(*args) ‑> void

clear_trace()

Clear all events in the trace buffer.

Type	as request
Notification	none (synchronous function)

def collect_stack_trace(*args) ‑> bool

collect_stack_trace(tid, trace) -> bool

tid: thid_t

trace: call_stack_t *

def continue_process(*args) ‑> bool

continue_process() -> bool

Continue the execution of the process in the debugger.

Type	function - available as Request
Notification	none (synchronous function)

note: The continue_process() function can be called from a notification handler

to force the continuation of the process. In this case the request queue will not be examined, IDA will simply resume execution. Usually it makes sense to call request_continue_process() followed by run_requests(), so that IDA will first start a queued request (if any) and then resume the application.

def create_source_viewer(*args) ‑> source_view_t *

create_source_viewer(out_ccv, parent, custview, sf, lines, lnnum, colnum, flags) -> source_view_t *

Create a source code view.

out_ccv: (C++: TWidget **)

parent: (C++: TWidget *)

custview: (C++: TWidget *)

sf: (C++: source_file_ptr)

lines: (C++: strvec_t *)

lnnum: (C++: int)

colnum: (C++: int)

flags: (C++: int)

def dbg_add_bpt_tev(*args) ‑> bool

dbg_add_bpt_tev(tid, ea, bp) -> bool

Add a new breakpoint trace element to the current trace.

Type	function
Notification	none (synchronous function)

tid: (C++: thid_t)

ea: (C++: ea_t)

bp: (C++: ea_t)

return: false if the operation failed, true otherwise

def dbg_add_call_tev(*args) ‑> void

dbg_add_call_tev(tid, caller, callee)

Add a new call trace element to the current trace.

Type	function
Notification	none (synchronous function)

tid: (C++: thid_t)

caller: (C++: ea_t)

callee: (C++: ea_t)

def dbg_add_debug_event(*args) ‑> void

dbg_add_debug_event(event)

Add a new debug event to the current trace.

Type	Synchronous function
Notification	none (synchronous function)

event: (C++: debug_event_t *)

def dbg_add_insn_tev(*args) ‑> bool

dbg_add_insn_tev(tid, ea, save=SAVE_DIFF) -> bool

Add a new instruction trace element to the current trace.

Type	function
Notification	none (synchronous function)

tid: (C++: thid_t)

ea: (C++: ea_t)

save: (C++: save_reg_values_t) enum save_reg_values_t

return: false if the operation failed, true otherwise

def dbg_add_many_tevs(*args) ‑> bool

dbg_add_many_tevs(new_tevs) -> bool

Add many new trace elements to the current trace.

Type	function
Notification	none (synchronous function)

new_tevs: (C++: tevinforeg_vec_t *)

return: false if the operation failed for any tev_info_t object

def dbg_add_ret_tev(*args) ‑> void

dbg_add_ret_tev(tid, ret_insn, return_to)

Add a new return trace element to the current trace.

Type	function
Notification	none (synchronous function)

tid: (C++: thid_t)

ret_insn: (C++: ea_t)

return_to: (C++: ea_t)

def dbg_add_tev(*args) ‑> void

dbg_add_tev(type, tid, address)

Add a new trace element to the current trace.

Type	Synchronous function
Notification	none (synchronous function)

type: (C++: tev_type_t) enum tev_type_t

tid: (C++: thid_t)

address: (C++: ea_t)

def dbg_add_thread(*args) ‑> void

dbg_add_thread(tid)

Add a thread to the current trace.

Type	Synchronous function
Notification	none (synchronous function)

tid: (C++: thid_t)

def dbg_bin_search(*args) ‑> uint64 *, qstring *

dbg_bin_search(start_ea, end_ea, data, srch_flags) -> str

start_ea: ea_t

end_ea: ea_t

data: compiled_binpat_vec_t const &

srch_flags: int

def dbg_can_query(*args) ‑> bool

dbg_can_query() -> bool

This function can be used to check if the debugger can be queried:

debugger is loaded
process is suspended
process is not suspended but can take requests. In this case some requests like
memory read/write, bpt management succeed and register querying will fail. Check if idaapi.get_process_state() < 0 to tell if the process is suspended

return: Boolean

def dbg_del_thread(*args) ‑> void

dbg_del_thread(tid)

Delete a thread from the current trace.

Type	Synchronous function
Notification	none (synchronous function)

tid: (C++: thid_t)

def dbg_is_loaded(*args) ‑> bool

dbg_is_loaded() -> bool

Checks if a debugger is loaded

return: Boolean

def define_exception(*args) ‑> char const *

define_exception(code, name, desc, flags) -> char const *

Convenience function: define new exception code.

code: (C++: uint) exception code (cannot be 0)

name: (C++: const char *) exception name (cannot be empty or nullptr)

desc: (C++: const char *) exception description (maybe nullptr)

flags: (C++: int) combination of Exception info flags

return: failure message or nullptr. You must call store_exceptions() if this

function succeeds

def del_bpt(*args) ‑> bool

del_bpt(ea) -> bool

Delete an existing breakpoint in the debugged process.

Type	function - available as request
Notification	none (synchronous function)

bptloc: (C++: const bpt_location_t &) Breakpoint location

del_bpt(bptloc) -> bool

bptloc: bpt_location_t const &

def del_bptgrp(*args) ‑> bool

del_bptgrp(name) -> bool

Delete a folder, bpt that were part of this folder are moved to the root folder

Type	Synchronous function
Notification	none (synchronous function)

name: (C++: const char *) full path to the folder to be deleted

return: success

def del_virt_module(*args) ‑> bool

del_virt_module(base) -> bool

base: ea_t const

def detach_process(*args) ‑> bool

detach_process() -> bool

Detach the debugger from the debugged process.

Type	available as Request
Notification	dbg_process_detach

def diff_trace_file(*args) ‑> bool

diff_trace_file(NONNULL_filename) -> bool

Show difference between the current trace and the one from 'filename'.

NONNULL_filename: (C++: const char *) char const *

def disable_bblk_trace(*args) ‑> bool

disable_bblk_trace() -> bool

def disable_bpt(*args) ‑> bool

disable_bpt(ea) -> bool

ea: ea_t

disable_bpt(bptloc) -> bool

bptloc: bpt_location_t const &

def disable_func_trace(*args) ‑> bool

disable_func_trace() -> bool

def disable_insn_trace(*args) ‑> bool

disable_insn_trace() -> bool

def disable_step_trace(*args) ‑> bool

disable_step_trace() -> bool

def edit_manual_regions(*args) ‑> void

edit_manual_regions()

def enable_bblk_trace(*args) ‑> bool

enable_bblk_trace(enable=True) -> bool

enable: bool

def enable_bpt(*args) ‑> bool

enable_bpt(ea, enable=True) -> bool

ea: ea_t

enable: bool

enable_bpt(bptloc, enable=True) -> bool

bptloc: bpt_location_t const &

enable: bool

def enable_bptgrp(*args) ‑> int

enable_bptgrp(bptgrp_name, enable=True) -> int

Enable (or disable) all bpts in a folder

Type	Synchronous function
Notification	none (synchronous function)

bptgrp_name: (C++: const char *) absolute path to the folder

enable: (C++: bool) by default true, enable bpts, false disable bpts

return: -1 an error occured 0 no changes >0 nubmers of bpts udpated

def enable_func_trace(*args) ‑> bool

enable_func_trace(enable=True) -> bool

enable: bool

def enable_insn_trace(*args) ‑> bool

enable_insn_trace(enable=True) -> bool

enable: bool

def enable_manual_regions(*args) ‑> void

enable_manual_regions(enable)

enable: bool

def enable_step_trace(*args) ‑> bool

enable_step_trace(enable=1) -> bool

enable: int

def exist_bpt(*args) ‑> bool

exist_bpt(ea) -> bool

Does a breakpoint exist at the given location?

ea: (C++: ea_t)

def exit_process(*args) ‑> bool

exit_process() -> bool

Terminate the debugging of the current process.

Type	- available as Request
Notification	dbg_process_exit

def find_bpt(*args) ‑> bool

find_bpt(bptloc, bpt) -> bool

Find a breakpoint by location.

Type	request
Notification	none (synchronous function)

bptloc: (C++: const bpt_location_t &) Breakpoint location

bpt: (C++: bpt_t *) bpt is filled if the breakpoint was found

def get_bblk_trace_options(*args) ‑> int

get_bblk_trace_options() -> int

Get current basic block tracing options. Also see BT_LOG_INSTS

Type	Synchronous function
Notification	none (synchronous function)

def get_bpt(*args) ‑> bool

get_bpt(ea, bpt) -> bool

Get the characteristics of a breakpoint.

Type	Synchronous function
Notification	none (synchronous function)

ea: (C++: ea_t) any address in the breakpoint range

bpt: (C++: bpt_t *) if not nullptr, is filled with the characteristics.

return: false if no breakpoint exists

def get_bpt_group(*args) ‑> qstring *

get_bpt_group(bptloc) -> str

Retrieve the absolute path to the folder of the bpt based on the bpt_location find_bpt is called to retrieve the bpt

Type	Synchronous function
Notification	none (synchronous function)

bptloc: (C++: const bpt_location_t &) bptlocation of the bpt

return: breakpoint correclty moved to the directory success

def get_bpt_qty(*args) ‑> int

get_bpt_qty() -> int

Get number of breakpoints.

Type	Synchronous function
Notification	(synchronous function)

def get_bpt_tev_ea(*args) ‑> ea_t

get_bpt_tev_ea(n) -> ea_t

Get the address associated to a read, read/write or execution trace event.

Type	Synchronous function
Notification	none (synchronous function)

n: (C++: int) number of trace event, is in range 0..get_tev_qty()-1. 0 represents

the latest added trace event.

return: BADADDR if not a read, read/write or execution trace event.

note: Usually, a breakpoint is associated with a read, read/write or execution

trace event. However, the returned address could be any address in the range of this breakpoint. If the breakpoint was deleted after the trace event, the address no longer corresponds to a valid breakpoint.

def get_bptloc_string(*args) ‑> char const *

get_bptloc_string(i) -> char const *

i: int

def get_call_tev_callee(*args) ‑> ea_t

get_call_tev_callee(n) -> ea_t

Get the called function from a function call trace event.

Type	function
Notification	none (synchronous function)

n: (C++: int) number of trace event, is in range 0..get_tev_qty()-1. 0 represents

the latest added trace event.

return: BADADDR if not a function call event.

def get_current_source_file(*args) ‑> qstring *

get_current_source_file() -> str

def get_current_source_line(*args) ‑> int

get_current_source_line() -> int

def get_current_thread(*args) ‑> thid_t

get_current_thread() -> thid_t

Get current thread ID.

Type	Synchronous function
Notification	(synchronous function)

def get_dbg_byte(*args) ‑> uint32 *

get_dbg_byte(ea) -> bool

Get one byte of the debugged process memory.

ea: (C++: ea_t) linear address

return: true success false address inaccessible or debugger not running

def get_dbg_memory_info(*args) ‑> int

get_dbg_memory_info(ranges) -> int

ranges: meminfo_vec_t *

def get_dbg_reg_info(*args) ‑> bool

get_dbg_reg_info(regname, ri) -> bool

Get register information

Type	Synchronous function
Notification	(synchronous function)

regname: (C++: const char *) char const *

ri: (C++: register_info_t *)

def get_debug_event(*args) ‑> debug_event_t const *

get_debug_event() -> debug_event_t

Get the current debugger event.

def get_debugger_event_cond(*args) ‑> char const *

get_debugger_event_cond() -> char const *

def get_first_module(*args) ‑> bool

get_first_module(modinfo) -> bool

modinfo: modinfo_t *

def get_func_trace_options(*args) ‑> int

get_func_trace_options() -> int

Get current function tracing options. Also see FT_LOG_RET

Type	function
Notification	none (synchronous function)

def get_global_var(*args) ‑> bool

get_global_var(prov, ea, name, out) -> bool

prov: srcinfo_provider_t *

ea: ea_t

name: char const *

out: source_item_ptr *

def get_grp_bpts(*args) ‑> ssize_t

get_grp_bpts(bpts, grp_name) -> ssize_t

Retrieve a copy the bpts stored in a folder

Type	Synchronous function
Notification	none (synchronous function)

bpts: (C++: bpt_vec_t *) : pointer to a vector where the copy of bpts are stored

grp_name: (C++: const char *) absolute path to the folder

return: number of bpts present in the vector

def get_insn_tev_reg_mem(*args) ‑> bool

get_insn_tev_reg_mem(n, memmap) -> bool

Read the memory pointed by register values from an instruction trace event.

Type	Synchronous function
Notification	none (synchronous function)

n: (C++: int) number of trace event, is in range 0..get_tev_qty()-1. 0 represents

the latest added trace event.

memmap: (C++: memreg_infos_t *) result

return: false if not an instruction event or no memory is available

def get_insn_tev_reg_result(*args) ‑> bool

get_insn_tev_reg_result(n, regname, regval) -> bool

n: int

regname: char const *

regval: regval_t *

def get_insn_tev_reg_val(*args) ‑> bool

get_insn_tev_reg_val(n, regname, regval) -> bool

n: int

regname: char const *

regval: regval_t *

def get_insn_trace_options(*args) ‑> int

get_insn_trace_options() -> int

Get current instruction tracing options. Also see IT_LOG_SAME_IP

Type	Synchronous function
Notification	none (synchronous function)

def get_ip_val(*args) ‑> uint64 *

get_ip_val() -> bool

Get value of the IP (program counter) register for the current thread. Requires a suspended debugger.

def get_local_var(*args) ‑> bool

get_local_var(prov, ea, name, out) -> bool

prov: srcinfo_provider_t *

ea: ea_t

name: char const *

out: source_item_ptr *

def get_local_vars(*args) ‑> bool

get_local_vars(prov, ea, out) -> bool

prov: srcinfo_provider_t *

ea: ea_t

out: source_items_t *

def get_manual_regions(*args) ‑> PyObject *

get_manual_regions(ranges)

Returns the manual memory regions

ranges: meminfo_vec_t *

return: list(start_ea, end_ea, name, sclass, sbase, bitness, perm)

get_manual_regions() -> [(int, int, str, str, int, int, int), ...] or None

def get_module_info(*args) ‑> bool

get_module_info(ea, modinfo) -> bool

ea: ea_t

modinfo: modinfo_t *

def get_next_module(*args) ‑> bool

get_next_module(modinfo) -> bool

modinfo: modinfo_t *

def get_process_options(*args) ‑> qstring *, qstring *, qstring *, qstring *, qstring *, int *

get_process_options()

Get process options. Any of the arguments may be nullptr

def get_process_state(*args) ‑> int

get_process_state() -> int

Return the state of the currently debugged process.

Type	function
Notification	none (synchronous function)

return: one of Debugged process states

def get_processes(*args) ‑> ssize_t

get_processes(proclist) -> ssize_t

Take a snapshot of running processes and return their description.

Type	Synchronous function
Notification	none (synchronous function)

proclist: (C++: procinfo_vec_t *) array with information about each running process

return: number of processes or -1 on error

def get_reg_val(*args) ‑> PyObject *

get_reg_val(regname, regval) -> bool

Get register value as an unsigned 64-bit int.

regname: (C++: const char *) char const *

regval: regval_t *

get_reg_val(regname, ival) -> bool

regname: char const *

ival: uint64 *

get_reg_val(regname) -> bool, float, int

regname: char const *

def get_reg_vals(*args) ‑> regvals_t *

get_reg_vals(tid, clsmask=-1) -> regvals_t

Fetch live registers values for the thread

tid: The ID of the thread to read registers for

clsmask: An OR'ed mask of register classes to

read values for (can be used to speed up the retrieval process)

return: a regvals_t instance (empty if an error occurs)

def get_ret_tev_return(*args) ‑> ea_t

get_ret_tev_return(n) -> ea_t

Get the return address from a function return trace event.

Type	function
Notification	none (synchronous function)

n: (C++: int) number of trace event, is in range 0..get_tev_qty()-1. 0 represents

the latest added trace event.

return: BADADDR if not a function return event.

def get_running_notification(*args) ‑> dbg_notification_t

get_running_notification() -> dbg_notification_t

Get the notification associated (if any) with the current running request.

Type	Synchronous function
Notification	none (synchronous function)

return: dbg_null if no running request

def get_running_request(*args) ‑> ui_notification_t

get_running_request() -> ui_notification_t

Get the current running request.

Type	Synchronous function
Notification	none (synchronous function)

return: ui_null if no running request

def get_sp_val(*args) ‑> uint64 *

get_sp_val() -> bool

Get value of the SP register for the current thread. Requires a suspended debugger.

def get_srcinfo_provider(*args) ‑> srcinfo_provider_t *

get_srcinfo_provider(name) -> srcinfo_provider_t *

name: char const *

def get_step_trace_options(*args) ‑> int

get_step_trace_options() -> int

Get current step tracing options.

Type	Synchronous function
Notification	none (synchronous function)

return: Step trace options

def get_tev_ea(*args) ‑> ea_t

get_tev_ea(n) -> ea_t

n: int

def get_tev_event(*args) ‑> bool

get_tev_event(n, d) -> bool

Get the corresponding debug event, if any, for the specified tev object.

Type	Synchronous function
Notification	none (synchronous function)

n: (C++: int) number of trace event, is in range 0..get_tev_qty()-1. 0 represents

the latest added trace event.

d: (C++: debug_event_t *) result

return: false if the tev_t object doesn't have any associated debug event, true

otherwise, with the debug event in "d".

def get_tev_info(*args) ‑> bool

get_tev_info(n, tev_info) -> bool

Get main information about a trace event.

Type	Synchronous function
Notification	none (synchronous function)

n: (C++: int) number of trace event, is in range 0..get_tev_qty()-1. 0 represents

the latest added trace event.

tev_info: (C++: tev_info_t *) result

return: success

def get_tev_memory_info(*args) ‑> bool

get_tev_memory_info(n, mi) -> bool

Get the memory layout, if any, for the specified tev object.

Type	Synchronous function
Notification	none (synchronous function)

n: (C++: int) number of trace event, is in range 0..get_tev_qty()-1. 0 represents

the latest added trace event.

mi: (C++: meminfo_vec_t *) result

return: false if the tev_t object is not of type tev_mem, true otherwise, with

the new memory layout in "mi".

def get_tev_qty(*args) ‑> int

get_tev_qty() -> int

Get number of trace events available in trace buffer.

Type	function
Notification	none (synchronous function)

def get_tev_reg_mem(tev, idx)

def get_tev_reg_mem_ea(tev, idx)

def get_tev_reg_mem_qty(tev)

def get_tev_reg_val(tev, reg)

def get_tev_tid(*args) ‑> int

get_tev_tid(n) -> int

n: int

def get_tev_type(*args) ‑> int

get_tev_type(n) -> int

n: int

def get_thread_qty(*args) ‑> int

get_thread_qty() -> int

Get number of threads.

Type	Synchronous function
Notification	(synchronous function)

def get_trace_base_address(*args) ‑> ea_t

get_trace_base_address() -> ea_t

Get the base address of the current trace.

Type	Synchronous function
Notification	none (synchronous function)

return: the base address of the currently loaded trace

def get_trace_dynamic_register_set(*args) ‑> void

get_trace_dynamic_register_set(idaregs)

Get dynamic register set of current trace.

idaregs: (C++: dynamic_register_set_t *)

def get_trace_file_desc(*args) ‑> qstring *

get_trace_file_desc(filename) -> str

Get the file header of the specified trace file.

filename: (C++: const char *) char const *

def get_trace_platform(*args) ‑> char const *

get_trace_platform() -> char const *

Get platform name of current trace.

def getn_bpt(*args) ‑> bool

getn_bpt(n, bpt) -> bool

Get the characteristics of a breakpoint.

Type	Synchronous function
Notification	none (synchronous function)

n: (C++: int) number of breakpoint, is in range 0..get_bpt_qty()-1

bpt: (C++: bpt_t *) filled with the characteristics.

return: false if no breakpoint exists

def getn_thread(*args) ‑> thid_t

getn_thread(n) -> thid_t

Get the ID of a thread.

Type	Synchronous function
Notification	(synchronous function)

n: (C++: int) number of thread, is in range 0..get_thread_qty()-1

return: NO_THREAD if the thread doesn't exist.

def getn_thread_name(*args) ‑> char const *

getn_thread_name(n) -> char const *

Get the NAME of a thread

Type	Synchronous function
Notification	(synchronous function)

n: (C++: int) number of thread, is in range 0..get_thread_qty()-1 or -1 for the

current thread

return: thread name or nullptr if the thread doesn't exist.

def graph_trace(*args) ‑> bool

graph_trace() -> bool

Show the trace callgraph.

def handle_debug_event(*args) ‑> int

handle_debug_event(ev, rqflags) -> int

ev: debug_event_t const *

rqflags: int

def hide_all_bpts(*args) ‑> int

hide_all_bpts() -> int

def internal_get_sreg_base(*args) ‑> ea_t

internal_get_sreg_base(tid, sreg_value) -> ea_t

Get the sreg base, for the given thread.

tid: thid_t

sreg_value: int

return: The sreg base, or BADADDR on failure.

def internal_ioctl(*args) ‑> int

internal_ioctl(fn, buf, poutbuf, poutsize) -> int

fn: int

buf: void const *

poutbuf: void **

poutsize: ssize_t *

def invalidate_dbg_state(*args) ‑> int

invalidate_dbg_state(dbginv) -> int

Invalidate cached debugger information.

Type	Synchronous function
Notification	none (synchronous function)

dbginv: (C++: int) Debugged process invalidation options

return: current debugger state (one of Debugged process states)

def invalidate_dbgmem_config(*args) ‑> void

invalidate_dbgmem_config()

Invalidate the debugged process memory configuration. Call this function if the debugged process might have changed its memory layout (allocated more memory, for example)

def invalidate_dbgmem_contents(*args) ‑> void

invalidate_dbgmem_contents(ea, size)

Invalidate the debugged process memory contents. Call this function each time the process has been stopped or the process memory is modified. If ea == BADADDR, then the whole memory contents will be invalidated

ea: (C++: ea_t)

size: (C++: asize_t)

def is_bblk_trace_enabled(*args) ‑> bool

is_bblk_trace_enabled() -> bool

def is_debugger_busy(*args) ‑> bool

is_debugger_busy() -> bool

Is the debugger busy?. Some debuggers do not accept any commands while the debugged application is running. For such a debugger, it is unsafe to do anything with the database (even simple queries like get_byte may lead to undesired consequences). Returns: true if the debugged application is running under such a debugger

def is_debugger_memory(*args) ‑> bool

is_debugger_memory(ea) -> bool

Is the address mapped to debugger memory?

ea: (C++: ea_t)

def is_debugger_on(*args) ‑> bool

is_debugger_on() -> bool

Is the debugger currently running?

def is_func_trace_enabled(*args) ‑> bool

is_func_trace_enabled() -> bool

Get current state of functions tracing.

Type	Synchronous function
Notification	none (synchronous function)

def is_insn_trace_enabled(*args) ‑> bool

is_insn_trace_enabled() -> bool

Get current state of instruction tracing.

Type	Synchronous function
Notification	none (synchronous function)

def is_reg_custom(*args) ‑> bool

is_reg_custom(regname) -> bool

Does a register contain a value of a custom data type?

Type	function
Notification	none (synchronous function)

regname: (C++: const char *) char const *

def is_reg_float(*args) ‑> bool

is_reg_float(regname) -> bool

Does a register contain a floating point value?

Type	Synchronous function
Notification	none (synchronous function)

regname: (C++: const char *) char const *

def is_reg_integer(*args) ‑> bool

is_reg_integer(regname) -> bool

Does a register contain an integer value?

Type	Synchronous function
Notification	none (synchronous function)

regname: (C++: const char *) char const *

def is_request_running(*args) ‑> bool

is_request_running() -> bool

Is a request currently running?

def is_step_trace_enabled(*args) ‑> bool

is_step_trace_enabled() -> bool

Get current state of step tracing.

Type	Synchronous function
Notification	none (synchronous function)

def is_valid_dstate(*args) ‑> bool

is_valid_dstate(state) -> bool

state: int

def is_valid_trace_file(*args) ‑> bool

is_valid_trace_file(filename) -> bool

Is the specified file a valid trace file for the current database?

filename: (C++: const char *) char const *

def list_bptgrps(*args) ‑> PyObject *

list_bptgrps(bptgrps) -> size_t

Retrieve the list of absolute path of all folders of bpt dirtree

Type	Synchronous function
Notification	none (synchronous function)

bptgrps: (C++: qstrvec_t *) list of absolute path in the bpt dirtree

return: number of folders returned

list_bptgrps() -> [str, ...]

def load_debugger(*args) ‑> bool

load_debugger(dbgname, use_remote) -> bool

dbgname: char const *

use_remote: bool

def load_trace_file(*args) ‑> qstring *

load_trace_file(filename) -> str

Load a recorded trace file in the 'Tracing' window. If the call succeeds and 'buf' is not null, the description of the trace stored in the binary trace file will be returned in 'buf'

filename: (C++: const char *) char const *

def move_bpt_to_grp(*args) ‑> bool

set_bpt_group(bpt, grp_name) -> bool

Move a bpt into a folder in the breakpoint dirtree if the folder didn't exists, it will be created

Type	Synchronous function
Notification	(synchronous function)

bpt: (C++: bpt_t &) bpt that will be moved

grp_name: (C++: const char *) absolute path to the breakpoint dirtree folder

return: success

def put_dbg_byte(*args) ‑> bool

put_dbg_byte(ea, x) -> bool

Change one byte of the debugged process memory.

ea: (C++: ea_t) linear address

x: (C++: uint32) byte value

return: true if the process memory has been modified

def read_dbg_memory(*args) ‑> ssize_t

read_dbg_memory(ea, buffer, size) -> ssize_t

ea: ea_t

buffer: void *

size: size_t

def refresh_debugger_memory(*args) ‑> PyObject *

refresh_debugger_memory() -> PyObject *

Refreshes the debugger memory

return: Nothing

def rename_bptgrp(*args) ‑> bool

rename_bptgrp(old_name, new_name) -> bool

Rename a folder of bpt dirtree

Type	Synchronous function
Notification	none (synchronous function)

old_name: (C++: const char *) absolute path to the folder to be renamed

new_name: (C++: const char *) absolute path of the new folder name

return: success

def request_add_bpt(*args) ‑> bool

request_add_bpt(ea, size=0, type=BPT_DEFAULT) -> bool

Post an add_bpt(const bpt_t &) request.

ea: ea_t

size: asize_t

type: bpttype_t

request_add_bpt(bpt) -> bool

bpt: bpt_t const &

def request_attach_process(*args) ‑> int

request_attach_process(pid, event_id) -> int

Post an attach_process() request.

pid: (C++: pid_t)

event_id: (C++: int)

def request_clear_trace(*args) ‑> void

request_clear_trace()

Post a clear_trace() request.

def request_continue_process(*args) ‑> bool

request_continue_process() -> bool

Post a continue_process() request.

note: This requires an explicit call to run_requests()

def request_del_bpt(*args) ‑> bool

request_del_bpt(ea) -> bool

Post a del_bpt(const bpt_location_t &) request.

ea: ea_t

request_del_bpt(bptloc) -> bool

bptloc: bpt_location_t const &

def request_detach_process(*args) ‑> bool

request_detach_process() -> bool

Post a detach_process() request.

def request_disable_bblk_trace(*args) ‑> bool

request_disable_bblk_trace() -> bool

def request_disable_bpt(*args) ‑> bool

request_disable_bpt(ea) -> bool

ea: ea_t

request_disable_bpt(bptloc) -> bool

bptloc: bpt_location_t const &

def request_disable_func_trace(*args) ‑> bool

request_disable_func_trace() -> bool

def request_disable_insn_trace(*args) ‑> bool

request_disable_insn_trace() -> bool

def request_disable_step_trace(*args) ‑> bool

request_disable_step_trace() -> bool

def request_enable_bblk_trace(*args) ‑> bool

request_enable_bblk_trace(enable=True) -> bool

enable: bool

def request_enable_bpt(*args) ‑> bool

request_enable_bpt(ea, enable=True) -> bool

ea: ea_t

enable: bool

request_enable_bpt(bptloc, enable=True) -> bool

bptloc: bpt_location_t const &

enable: bool

def request_enable_func_trace(*args) ‑> bool

request_enable_func_trace(enable=True) -> bool

enable: bool

def request_enable_insn_trace(*args) ‑> bool

request_enable_insn_trace(enable=True) -> bool

enable: bool

def request_enable_step_trace(*args) ‑> bool

request_enable_step_trace(enable=1) -> bool

enable: int

def request_exit_process(*args) ‑> bool

request_exit_process() -> bool

Post an exit_process() request.

def request_resume_thread(*args) ‑> int

request_resume_thread(tid) -> int

Post a resume_thread() request.

tid: (C++: thid_t)

def request_run_to(*args) ‑> bool

request_run_to(ea, pid=pid_t(-1), tid=0) -> bool Post a run_to() request.

ea: (C++: ea_t)

pid: (C++: pid_t)

def request_select_thread(*args) ‑> bool

request_select_thread(tid) -> bool

Post a select_thread() request.

tid: (C++: thid_t)

def request_set_bblk_trace_options(*args) ‑> void

request_set_bblk_trace_options(options)

Post a set_bblk_trace_options() request.

options: (C++: int)

def request_set_func_trace_options(*args) ‑> void

request_set_func_trace_options(options)

Post a set_func_trace_options() request.

options: (C++: int)

def request_set_insn_trace_options(*args) ‑> void

request_set_insn_trace_options(options)

Post a set_insn_trace_options() request.

options: (C++: int)

def request_set_reg_val(*args) ‑> PyObject *

request_set_reg_val(regname, o) -> PyObject *

Post a set_reg_val() request.

regname: (C++: const char *) char const *

o: PyObject *

def request_set_resume_mode(*args) ‑> bool

request_set_resume_mode(tid, mode) -> bool

Post a set_resume_mode() request.

tid: (C++: thid_t)

mode: (C++: resume_mode_t) enum resume_mode_t

def request_set_step_trace_options(*args) ‑> void

request_set_step_trace_options(options)

Post a set_step_trace_options() request.

options: (C++: int)

def request_start_process(*args) ‑> int

request_start_process(path=None, args=None, sdir=None) -> int

Post a start_process() request.

path: (C++: const char *) char const *

args: (C++: const char *) char const *

sdir: (C++: const char *) char const *

def request_step_into(*args) ‑> bool

request_step_into() -> bool

Post a step_into() request.

def request_step_over(*args) ‑> bool

request_step_over() -> bool

Post a step_over() request.

def request_step_until_ret(*args) ‑> bool

request_step_until_ret() -> bool

Post a step_until_ret() request.

def request_suspend_process(*args) ‑> bool

request_suspend_process() -> bool

Post a suspend_process() request.

def request_suspend_thread(*args) ‑> int

request_suspend_thread(tid) -> int

Post a suspend_thread() request.

tid: (C++: thid_t)

def resume_thread(*args) ‑> int

resume_thread(tid) -> int

Resume thread.

Type	Synchronous function - available as request
Notification	none (synchronous function)

tid: (C++: thid_t) thread id

retval -1: network error

retval 0: failed

retval 1: ok

def retrieve_exceptions(*args) ‑> excvec_t *

retrieve_exceptions() -> excvec_t

Retrieve the exception information. You may freely modify the returned vector and add/edit/delete exceptions You must call store_exceptions() after any modifications Note: exceptions with code zero, multiple exception codes or names are prohibited

def run_requests(*args) ‑> bool

run_requests() -> bool

Execute requests until all requests are processed or an asynchronous function is called.

Type	Synchronous function
Notification	function)

return: false if not all requests could be processed (indicates an asynchronous

function was started)

note: If called from a notification handler, the execution of requests will be

postponed to the end of the execution of all notification handlers.

def run_to(*args) ‑> bool

run_to(ea, pid=pid_t(-1), tid=0) -> bool Execute the process until the given address is reached. If no process is active, a new process is started. Technically, the debugger sets up a temporary breakpoint at the given address, and continues (or starts) the execution of the whole process. So, all threads continue their execution!

Type	function - available as Request
Notification	dbg_run_to

ea: (C++: ea_t) target address

pid: (C++: pid_t) not used yet. please do not specify this parameter.

def save_trace_file(*args) ‑> bool

save_trace_file(filename, description) -> bool

Save the current trace in the specified file.

filename: (C++: const char *) char const *

description: (C++: const char *) char const *

def select_thread(*args) ‑> bool

select_thread(tid) -> bool

Select the given thread as the current debugged thread. All thread related execution functions will work on this thread. The process must be suspended to select a new thread.

Type	Synchronous function - available as request
Notification	none (synchronous function)

tid: (C++: thid_t) ID of the thread to select

return: false if the thread doesn't exist.

def send_dbg_command(command)

Send a direct command to the debugger backend, and retrieve the result as a string.

Note: any double-quotes in 'command' must be backslash-escaped. Note: this only works with some debugger backends: Bochs, WinDbg, GDB.

Returns: (True, <result string>) on success, or (False, <Error message string>) on failure

def set_bblk_trace_options(*args) ‑> void

set_bblk_trace_options(options)

Modify basic block tracing options (see BT_LOG_INSTS)

options: (C++: int)

def set_bpt_group(*args) ‑> bool

set_bpt_group(bpt, grp_name) -> bool

Move a bpt into a folder in the breakpoint dirtree if the folder didn't exists, it will be created

Type	Synchronous function
Notification	(synchronous function)

bpt: (C++: bpt_t &) bpt that will be moved

grp_name: (C++: const char *) absolute path to the breakpoint dirtree folder

return: success

def set_bptloc_group(*args) ‑> bool

set_bptloc_group(bptloc, grp_name) -> bool

Move a bpt into a folder in the breakpoint dirtree based on the bpt_location find_bpt is called to retrieve the bpt and then set_bpt_group if the folder didn't exists, it will be created

Type	Synchronous function
Notification	none (synchronous function)

bptloc: (C++: const bpt_location_t &) bptlocation of the bpt that will be moved

grp_name: (C++: const char *) absolute path to the breakpoint dirtree folder

return: success

def set_bptloc_string(*args) ‑> int

set_bptloc_string(s) -> int

s: char const *

def set_debugger_event_cond(*args) ‑> void

set_debugger_event_cond(NONNULL_evcond)

NONNULL_evcond: char const *

def set_debugger_options(*args) ‑> uint

set_debugger_options(options) -> uint

Set debugger options. Replaces debugger options with the specification combination Debugger options

options: (C++: uint)

return: the old debugger options

def set_func_trace_options(*args) ‑> void

set_func_trace_options(options)

Modify function tracing options.

Type	request
Notification	none (synchronous function)

options: (C++: int)

def set_highlight_trace_options(*args) ‑> void

set_highlight_trace_options(hilight, color, diff)

Set highlight trace parameters.

hilight: (C++: bool)

color: (C++: bgcolor_t)

diff: (C++: bgcolor_t)

def set_insn_trace_options(*args) ‑> void

set_insn_trace_options(options)

Modify instruction tracing options.

Type	as request
Notification	none (synchronous function)

options: (C++: int)

def set_manual_regions(*args) ‑> void

set_manual_regions(ranges)

ranges: meminfo_vec_t const *

def set_process_options(*args) ‑> void

set_process_options(path, args, sdir, host, _pass, port)

Set process options. Any of the arguments may be nullptr, which means 'do not modify'

path: (C++: const char *) char const *

args: (C++: const char *) char const *

sdir: (C++: const char *) char const *

host: (C++: const char *) char const *

pass: (C++: const char *) char const *

port: (C++: int)

def set_process_state(*args) ‑> int

set_process_state(newstate, p_thid, dbginv) -> int

Set new state for the debugged process. Notifies the IDA kernel about the change of the debugged process state. For example, a debugger module could call this function when it knows that the process is suspended for a short period of time. Some IDA API calls can be made only when the process is suspended. The process state is usually restored before returning control to the caller. You must know that it is ok to change the process state, doing it at arbitrary moments may crash the application or IDA.

Type	Synchronous function
Notification	(synchronous function)

newstate: (C++: int) new process state (one of Debugged process states) if

DSTATE_NOTASK is passed then the state is not changed

p_thid: (C++: thid_t *) ptr to new thread id. may be nullptr or pointer to NO_THREAD. the

pointed variable will contain the old thread id upon return

dbginv: (C++: int) Debugged process invalidation options

return: old debugger state (one of Debugged process states)

def set_reg_val(*args) ‑> PyObject *

set_reg_val(regname, o) -> PyObject

regname: char const *

o: PyObject *

set_reg_val(tid, regidx, o) -> bool, int

tid: thid_t

regidx: int

o: PyObject *

def set_remote_debugger(*args) ‑> void

set_remote_debugger(host, _pass, port=-1)

Set remote debugging options. Should be used before starting the debugger.

host: (C++: const char *) If empty, IDA will use local debugger. If nullptr, the host will

not be set.

pass: (C++: const char *) If nullptr, the password will not be set

port: (C++: int) If -1, the default port number will be used

def set_resume_mode(*args) ‑> bool

set_resume_mode(tid, mode) -> bool

How to resume the application. Set resume mode but do not resume process.

tid: (C++: thid_t)

mode: (C++: resume_mode_t) enum resume_mode_t

def set_step_trace_options(*args) ‑> void

set_step_trace_options(options)

Modify step tracing options.

Type	request
Notification	none (synchronous function)

options: (C++: int)

def set_trace_base_address(*args) ‑> void

set_trace_base_address(ea)

Set the base address of the current trace.

Type	Synchronous function
Notification	none (synchronous function)

ea: (C++: ea_t)

def set_trace_dynamic_register_set(*args) ‑> void

set_trace_dynamic_register_set(idaregs)

Set dynamic register set of current trace.

idaregs: (C++: dynamic_register_set_t &)

def set_trace_file_desc(*args) ‑> bool

set_trace_file_desc(filename, description) -> bool

Change the description of the specified trace file.

filename: (C++: const char *) char const *

description: (C++: const char *) char const *

def set_trace_platform(*args) ‑> void

set_trace_platform(platform)

Set platform name of current trace.

platform: (C++: const char *) char const *

def set_trace_size(*args) ‑> bool

set_trace_size(size) -> bool

Specify the new size of the circular buffer.

Type	Synchronous function
Notification	none (synchronous function)

size: (C++: int) if 0, buffer isn't circular and events are never removed. If the

new size is smaller than the existing number of trace events, a corresponding number of trace events are removed.

note: If you specify 0, all available memory can be quickly used !!!

def srcdbg_request_step_into(*args) ‑> bool

srcdbg_request_step_into() -> bool

def srcdbg_request_step_over(*args) ‑> bool

srcdbg_request_step_over() -> bool

def srcdbg_request_step_until_ret(*args) ‑> bool

srcdbg_request_step_until_ret() -> bool

def srcdbg_step_into(*args) ‑> bool

srcdbg_step_into() -> bool

def srcdbg_step_over(*args) ‑> bool

srcdbg_step_over() -> bool

def srcdbg_step_until_ret(*args) ‑> bool

srcdbg_step_until_ret() -> bool

def start_process(*args) ‑> int

start_process(path=None, args=None, sdir=None) -> int

Start a process in the debugger.

Type	Request
Notification	dbg_process_start

note: You can also use the run_to() function to easily start the execution of a

process until a given address is reached.

note: For all parameters, a nullptr value indicates the debugger will take the

value from the defined Process Options.

path: (C++: const char *) path to the executable to start

args: (C++: const char *) arguments to pass to process

sdir: (C++: const char *) starting directory for the process

retval -1: impossible to create the process

retval 0: the starting of the process was cancelled by the user

retval 1: the process was properly started

def step_into(*args) ‑> bool

step_into() -> bool

Execute one instruction in the current thread. Other threads are kept suspended.

Type	Asynchronous function - available as Request
Notification	dbg_step_into

def step_over(*args) ‑> bool

step_over() -> bool

Execute one instruction in the current thread, but without entering into functions. Others threads keep suspended.

Type	available as Request
Notification	dbg_step_over

def step_until_ret(*args) ‑> bool

step_until_ret() -> bool

Execute instructions in the current thread until a function return instruction is executed (aka "step out"). Other threads are kept suspended.

Type	Asynchronous function - available as Request
Notification	dbg_step_until_ret

def store_exceptions(*args) ‑> bool

store_exceptions() -> bool

Update the exception information stored in the debugger module by invoking its dbg->set_exception_info callback

def suspend_process(*args) ‑> bool

suspend_process() -> bool

Suspend the process in the debugger.

Type	* available as Request
Notification	* dbg_suspend_process (everywhere else)

note: The suspend_process() function can be called from a notification handler

to force the stopping of the process. In this case, no notification will be generated. When you suspend a process, the running command is always aborted.

def suspend_thread(*args) ‑> int

suspend_thread(tid) -> int

Suspend thread. Suspending a thread may deadlock the whole application if the suspended was owning some synchronization objects.

Type	function - available as request
Notification	none (synchronous function)

tid: (C++: thid_t) thread id

retval -1: network error

retval 0: failed

retval 1: ok

def update_bpt(*args) ‑> bool

update_bpt(bpt) -> bool

Update modifiable characteristics of an existing breakpoint. To update the breakpoint location, use change_bptlocs()

Type	Synchronous function
Notification	none (synchronous function)

note: Only the following fields can be modified:

bpt_t::cndbody
bpt_t::pass_count
bpt_t::flags
bpt_t::size
bpt_t::type

note: Changing some properties will require removing and then re-adding the

breakpoint to the process memory (or the debugger backend), which can lead to race conditions (i.e., breakpoint(s) can be missed) in case the process is not suspended. Here are a list of scenarios that will require the breakpoint to be removed & then re-added:

bpt_t::size is modified
bpt_t::type is modified
bpt_t::flags's BPT_ENABLED is modified
bpt_t::flags's BPT_LOWCND is changed
bpt_t::flags's BPT_LOWCND remains set, but cndbody changed

bpt: (C++: const bpt_t *) bpt_t const *

def wait_for_next_event(*args) ‑> dbg_event_code_t

wait_for_next_event(wfne, timeout) -> dbg_event_code_t

Wait for the next event.

This function (optionally) resumes the process execution, and waits for a debugger event until a possible timeout occurs.

wfne: (C++: int) combination of Wait for debugger event flags constants

timeout: (C++: int) number of seconds to wait, -1-infinity

return: either an event_id_t (if > 0), or a dbg_event_code_t (if <= 0)

def write_dbg_memory(*args) ‑> ssize_t

write_dbg_memory(ea, py_buf, size=size_t(-1)) -> ssize_t

ea: ea_t

py_buf: PyObject *

size: size_t

Classes

class DBG_Hooks (*args)

Proxy of C++ DBG_Hooks class.

__init__(self, _flags=0, _hkcb_flags=0x0001) -> DBG_Hooks

_flags: uint32

_hkcb_flags: uint32

Methods

def dbg_bpt(self, *args) ‑> int

dbg_bpt(self, tid, bptea) -> int

A user defined breakpoint was reached.

tid: (thid_t)

bptea: (::ea_t)

def dbg_bpt_changed(self, *args) ‑> void

dbg_bpt_changed(self, bptev_code, bpt)

Breakpoint has been changed.

bptev_code: (int) Breakpoint modification events

bpt: (bpt_t *)

def dbg_exception(self, *args) ‑> int

dbg_exception(self, pid, tid, ea, exc_code, exc_can_cont, exc_ea, exc_info) -> int

event: (const debug_event_t *)

warn: (int *) filled with:

-1: display an exception warning dialog if the process is suspended.
0: never display an exception warning dialog.
1: always display an exception warning dialog.

ea: ea_t

exc_code: int

exc_can_cont: bool

exc_ea: ea_t

exc_info: char const *

def dbg_finished_loading_bpts(self, *args) ‑> void

dbg_finished_loading_bpts(self)

Finished loading breakpoint info from idb.

def dbg_information(self, *args) ‑> void

dbg_information(self, pid, tid, ea, info)

event: (const debug_event_t *)

tid: thid_t

ea: ea_t

info: char const *

def dbg_library_load(self, *args) ‑> void

dbg_library_load(self, pid, tid, ea, modinfo_name, modinfo_base, modinfo_size)

event: (const debug_event_t *)

tid: thid_t

ea: ea_t

modinfo_name: char const *

modinfo_base: ea_t

modinfo_size: asize_t

def dbg_library_unload(self, *args) ‑> void

dbg_library_unload(self, pid, tid, ea, info)

event: (const debug_event_t *)

tid: thid_t

ea: ea_t

info: char const *

def dbg_process_attach(self, *args) ‑> void

dbg_process_attach(self, pid, tid, ea, modinfo_name, modinfo_base, modinfo_size)

event: (const debug_event_t *)

note: This event notification is also an asynchronous function result

notification for start_process() !

tid: thid_t

ea: ea_t

modinfo_name: char const *

modinfo_base: ea_t

modinfo_size: asize_t

def dbg_process_detach(self, *args) ‑> void

dbg_process_detach(self, pid, tid, ea)

event: (const debug_event_t *)

note: This event notification is also an asynchronous function result

notification for start_process() !

tid: thid_t

ea: ea_t

def dbg_process_exit(self, *args) ‑> void

dbg_process_exit(self, pid, tid, ea, exit_code)

event: (const debug_event_t *)

note: This event notification is also an asynchronous function result

notification for start_process() !

tid: thid_t

ea: ea_t

exit_code: int

def dbg_process_start(self, *args) ‑> void

dbg_process_start(self, pid, tid, ea, modinfo_name, modinfo_base, modinfo_size)

event: (const debug_event_t *)

note: This event notification is also an asynchronous function result

notification for start_process() !

tid: thid_t

ea: ea_t

modinfo_name: char const *

modinfo_base: ea_t

modinfo_size: asize_t

def dbg_request_error(self, *args) ‑> void

dbg_request_error(self, failed_command, failed_dbg_notification)

An error occurred during the processing of a request.

failed_command: (ui_notification_t)

failed_dbg_notification: (dbg_notification_t)

def dbg_run_to(self, *args) ‑> void

dbg_run_to(self, pid, tid, ea)

event: (const debug_event_t *)

tid: thid_t

ea: ea_t

def dbg_started_loading_bpts(self, *args) ‑> void

dbg_started_loading_bpts(self)

Started loading breakpoint info from idb.

def dbg_step_into(self, *args) ‑> void

dbg_step_into(self)

def dbg_step_over(self, *args) ‑> void

dbg_step_over(self)

def dbg_step_until_ret(self, *args) ‑> void

dbg_step_until_ret(self)

def dbg_suspend_process(self, *args) ‑> void

dbg_suspend_process(self)

The process is now suspended.

def dbg_thread_exit(self, *args) ‑> void

dbg_thread_exit(self, pid, tid, ea, exit_code)

event: (const debug_event_t *)

tid: thid_t

ea: ea_t

exit_code: int

def dbg_thread_start(self, *args) ‑> void

dbg_thread_start(self, pid, tid, ea)

event: (const debug_event_t *)

tid: thid_t

ea: ea_t

def dbg_trace(self, *args) ‑> int

dbg_trace(self, tid, ip) -> int

A step occurred (one instruction was executed). This event notification is only generated if step tracing is enabled.

tid: (thid_t) thread ID

ip: (::ea_t) current instruction pointer. usually points after the

executed instruction

retval 1: do not log this trace event

retval 0: log it

def hook(self, *args) ‑> bool

hook(self) -> bool

def unhook(self, *args) ‑> bool

unhook(self) -> bool

class bpt_location_t (*args)

Proxy of C++ bpt_location_t class.

__init__(self) -> bpt_location_t

Instance variables

var index: index
var info: info
var loctype: loctype

Methods

def compare(self, *args) ‑> int: compare(self, r) -> int
Lexically compare two breakpoint locations. Bpt locations are first compared based on type (i.e. BPLT_ABS < BPLT_REL). BPLT_ABS locations are compared based on their ea values. For all other location types, locations are first compared based on their string (path/filename/symbol), then their offset/lineno.

r: (C++: const bpt_location_t &) bpt_location_t const &
def ea(self, *args) ‑> ea_t: ea(self) -> ea_t
Get address (BPLT_ABS)
def is_empty_path(self, *args) ‑> bool: is_empty_path(self) -> bool
No path/filename specified? (BPLT_REL, BPLT_SRC)
def lineno(self, *args) ‑> int: lineno(self) -> int
Get line number (BPLT_SRC)
def offset(self, *args) ‑> uval_t: offset(self) -> uval_t
Get offset (BPLT_REL, BPLT_SYM)
def path(self, *args) ‑> char const *: path(self) -> char const *
Get path/filename (BPLT_REL, BPLT_SRC)
def set_abs_bpt(self, *args) ‑> void: set_abs_bpt(self, a)
Specify an absolute address location.

a: (C++: ea_t)
def set_rel_bpt(self, *args) ‑> void: set_rel_bpt(self, mod, _offset)
Specify a relative address location.

mod: (C++: const char *) char const *

_offset: (C++: uval_t)
def set_src_bpt(self, *args) ‑> void: set_src_bpt(self, fn, _lineno)
Specify a source level location.

fn: (C++: const char *) char const *

_lineno: (C++: int)
def set_sym_bpt(self, *args) ‑> void: set_sym_bpt(self, _symbol, _offset=0)
Specify a symbolic location.

_symbol: (C++: const char *) char const *

_offset: (C++: uval_t)
def symbol(self, *args) ‑> char const *: symbol(self) -> char const *
Get symbol name (BPLT_SYM)
def type(self, *args) ‑> bpt_loctype_t: type(self) -> bpt_loctype_t
Get bpt type.

class bpt_t (*args)

Proxy of C++ bpt_t class.

__init__(self) -> bpt_t

Instance variables

var bptid: Internal breakpoint id.
var cb: size of this structure
var cndidx: Internal number of the condition (<0-none)
var condition: condition
var ea: Address, if known. For BPLT_SRC, index into an internal data struct.
var elang: elang
var flags: Breakpoint property bits
var loc: Location.
var pass_count: Number of times the breakpoint is hit before stopping (default is 0: stop always)
var pid: breakpoint process id
var props: Internal breakpoint properties
var size: Size of the breakpoint (0 for software breakpoints)
var tid: breakpoint thread id
var type: Breakpoint type.

Methods

def badbpt(self, *args) ‑> bool: badbpt(self) -> bool
Failed to write bpt to process memory?
def enabled(self, *args) ‑> bool: enabled(self) -> bool
Is breakpoint enabled?
def get_cnd_elang_idx(self, *args) ‑> size_t: get_cnd_elang_idx(self) -> size_t
def get_size(self, *args) ‑> int: get_size(self) -> int
Get bpt size.
def is_absbpt(self, *args) ‑> bool: is_absbpt(self) -> bool
Is absolute address breakpoint?
def is_active(self, *args) ‑> bool: is_active(self) -> bool
Written completely to process?
def is_compiled(self, *args) ‑> bool: is_compiled(self) -> bool
Condition has been compiled?
def is_hwbpt(self, *args) ‑> bool: is_hwbpt(self) -> bool
Is hardware breakpoint?
def is_inactive(self, *args) ‑> bool: is_inactive(self) -> bool
Not written to process at all?
def is_low_level(self, *args) ‑> bool: is_low_level(self) -> bool
Is bpt condition calculated at low level?
def is_page_bpt(self, *args) ‑> bool: is_page_bpt(self) -> bool
Page breakpoint?
def is_partially_active(self, *args) ‑> bool: is_partially_active(self) -> bool
Written partially to process?
def is_relbpt(self, *args) ‑> bool: is_relbpt(self) -> bool
Is relative address breakpoint?
def is_srcbpt(self, *args) ‑> bool: is_srcbpt(self) -> bool
Is source level breakpoint?
def is_symbpt(self, *args) ‑> bool: is_symbpt(self) -> bool
Is symbolic breakpoint?
def is_tracemodebpt(self, *args) ‑> bool: is_tracemodebpt(self) -> bool
Does breakpoint trace anything?
def is_traceoffbpt(self, *args) ‑> bool: is_traceoffbpt(self) -> bool
Is this a tracing breakpoint, and is tracing disabled?
def is_traceonbpt(self, *args) ‑> bool: is_traceonbpt(self) -> bool
Is this a tracing breakpoint, and is tracing enabled?
def listbpt(self, *args) ‑> bool: listbpt(self) -> bool
Include in the bpt list?
def set_abs_bpt(self, *args) ‑> void: set_abs_bpt(self, a)
Set bpt location to an absolute address.

a: (C++: ea_t)
def set_rel_bpt(self, *args) ‑> void: set_rel_bpt(self, mod, o)
Set bpt location to a relative address.

mod: (C++: const char *) char const *

o: (C++: uval_t)
def set_src_bpt(self, *args) ‑> void: set_src_bpt(self, fn, lineno)
Set bpt location to a source line.

fn: (C++: const char *) char const *

lineno: (C++: int)
def set_sym_bpt(self, *args) ‑> void: set_sym_bpt(self, sym, o)
Set bpt location to a symbol.

sym: (C++: const char *) char const *

o: (C++: uval_t)
def set_trace_action(self, *args) ‑> bool: set_trace_action(self, enable, trace_types) -> bool
Configure tracing options.

enable: (C++: bool)

trace_types: (C++: int)

class bpt_vec_t (*args)

Proxy of C++ qvector< bpt_t > class.

__init__(self) -> bpt_vec_t

__init__(self, x) -> bpt_vec_t

x: qvector< bpt_t > const &

Methods

def at(self, *args) ‑> bpt_t const &: at(self, _idx) -> bpt_t
_idx: size_t
def back(self)
def begin(self, *args) ‑> qvector< bpt_t >::const_iterator: begin(self) -> bpt_t
def capacity(self, *args) ‑> size_t: capacity(self) -> size_t
def clear(self, *args) ‑> void: clear(self)
def empty(self, *args) ‑> bool: empty(self) -> bool
def end(self, *args) ‑> qvector< bpt_t >::const_iterator: end(self) -> bpt_t
def erase(self, *args) ‑> qvector< bpt_t >::iterator: erase(self, it) -> bpt_t
it: qvector< bpt_t >::iterator

erase(self, first, last) -> bpt_t
first: qvector< bpt_t >::iterator

last: qvector< bpt_t >::iterator
def extract(self, *args) ‑> bpt_t *: extract(self) -> bpt_t
def front(self)
def grow(self, *args) ‑> void: grow(self, x=bpt_t())

x: bpt_t const &
def inject(self, *args) ‑> void: inject(self, s, len)
s: bpt_t *

len: size_t
def insert(self, *args) ‑> qvector< bpt_t >::iterator: insert(self, it, x) -> bpt_t
it: qvector< bpt_t >::iterator

x: bpt_t const &
def pop_back(self, *args) ‑> void: pop_back(self)
def push_back(self, *args) ‑> bpt_t &: push_back(self, x)
x: bpt_t const &

push_back(self) -> bpt_t
def qclear(self, *args) ‑> void: qclear(self)
def reserve(self, *args) ‑> void: reserve(self, cnt)
cnt: size_t
def resize(self, *args) ‑> void: resize(self, _newsize, x)
_newsize: size_t

x: bpt_t const &

resize(self, _newsize)
_newsize: size_t
def size(self, *args) ‑> size_t: size(self) -> size_t
def swap(self, *args) ‑> void: swap(self, r)
r: qvector< bpt_t > &
def truncate(self, *args) ‑> void: truncate(self)

class bptaddrs_t (*args)

Proxy of C++ bptaddrs_t class.

__init__(self) -> bptaddrs_t

Instance variables

var bpt: bpt

class eval_ctx_t (*args)

Proxy of C++ eval_ctx_t class.

__init__(self, _ea) -> eval_ctx_t

_ea: ea_t

Instance variables

var ea: ea

class memreg_info_t (*args)

Proxy of C++ memreg_info_t class.

__init__(self) -> memreg_info_t

Instance variables

var bytes : PyObject *: get_bytes(self) -> PyObject *
var ea: ea

Methods

def get_bytes(self, *args) ‑> PyObject *: get_bytes(self) -> PyObject *

class memreg_infos_t (*args)

Proxy of C++ qvector< memreg_info_t > class.

__init__(self) -> memreg_infos_t

__init__(self, x) -> memreg_infos_t

x: qvector< memreg_info_t > const &

Methods

def at(self, *args) ‑> memreg_info_t const &: at(self, _idx) -> memreg_info_t
_idx: size_t
def back(self)
def begin(self, *args) ‑> qvector< memreg_info_t >::const_iterator: begin(self) -> memreg_info_t
def capacity(self, *args) ‑> size_t: capacity(self) -> size_t
def clear(self, *args) ‑> void: clear(self)
def empty(self, *args) ‑> bool: empty(self) -> bool
def end(self, *args) ‑> qvector< memreg_info_t >::const_iterator: end(self) -> memreg_info_t
def erase(self, *args) ‑> qvector< memreg_info_t >::iterator: erase(self, it) -> memreg_info_t
it: qvector< memreg_info_t >::iterator

erase(self, first, last) -> memreg_info_t
first: qvector< memreg_info_t >::iterator

last: qvector< memreg_info_t >::iterator
def extract(self, *args) ‑> memreg_info_t *: extract(self) -> memreg_info_t
def front(self)
def grow(self, *args) ‑> void: grow(self, x=memreg_info_t())

x: memreg_info_t const &
def inject(self, *args) ‑> void: inject(self, s, len)
s: memreg_info_t *

len: size_t
def insert(self, *args) ‑> qvector< memreg_info_t >::iterator: insert(self, it, x) -> memreg_info_t
it: qvector< memreg_info_t >::iterator

x: memreg_info_t const &
def pop_back(self, *args) ‑> void: pop_back(self)
def push_back(self, *args) ‑> memreg_info_t &: push_back(self, x)
x: memreg_info_t const &

push_back(self) -> memreg_info_t
def qclear(self, *args) ‑> void: qclear(self)
def reserve(self, *args) ‑> void: reserve(self, cnt)
cnt: size_t
def resize(self, *args) ‑> void: resize(self, _newsize, x)
_newsize: size_t

x: memreg_info_t const &

resize(self, _newsize)
_newsize: size_t
def size(self, *args) ‑> size_t: size(self) -> size_t
def swap(self, *args) ‑> void: swap(self, r)
r: qvector< memreg_info_t > &
def truncate(self, *args) ‑> void: truncate(self)

class tev_info_reg_t (*args)

Proxy of C++ tev_info_reg_t class.

__init__(self) -> tev_info_reg_t

Instance variables

var info: info
var registers: registers

class tev_info_t (*args)

Proxy of C++ tev_info_t class.

__init__(self) -> tev_info_t

Instance variables

var ea: address where the event occurred
var tid: thread where the event was recorded
var type: trace event type

class tev_reg_value_t (*args)

Proxy of C++ tev_reg_value_t class.

__init__(self, _reg_idx=-1, _value=uint64(-1)) -> tev_reg_value_t

_reg_idx: int

_value: uint64

Instance variables

var reg_idx: reg_idx
var value: value

class tev_reg_values_t (*args)

Proxy of C++ qvector< tev_reg_value_t > class.

__init__(self) -> tev_reg_values_t

__init__(self, x) -> tev_reg_values_t

x: qvector< tev_reg_value_t > const &

Methods

def at(self, *args) ‑> tev_reg_value_t const &: at(self, _idx) -> tev_reg_value_t
_idx: size_t
def back(self)
def begin(self, *args) ‑> qvector< tev_reg_value_t >::const_iterator: begin(self) -> tev_reg_value_t
def capacity(self, *args) ‑> size_t: capacity(self) -> size_t
def clear(self, *args) ‑> void: clear(self)
def empty(self, *args) ‑> bool: empty(self) -> bool
def end(self, *args) ‑> qvector< tev_reg_value_t >::const_iterator: end(self) -> tev_reg_value_t
def erase(self, *args) ‑> qvector< tev_reg_value_t >::iterator: erase(self, it) -> tev_reg_value_t
it: qvector< tev_reg_value_t >::iterator

erase(self, first, last) -> tev_reg_value_t
first: qvector< tev_reg_value_t >::iterator

last: qvector< tev_reg_value_t >::iterator
def extract(self, *args) ‑> tev_reg_value_t *: extract(self) -> tev_reg_value_t
def front(self)
def grow(self, *args) ‑> void: grow(self, x=tev_reg_value_t())

x: tev_reg_value_t const &
def inject(self, *args) ‑> void: inject(self, s, len)
s: tev_reg_value_t *

len: size_t
def insert(self, *args) ‑> qvector< tev_reg_value_t >::iterator: insert(self, it, x) -> tev_reg_value_t
it: qvector< tev_reg_value_t >::iterator

x: tev_reg_value_t const &
def pop_back(self, *args) ‑> void: pop_back(self)
def push_back(self, *args) ‑> tev_reg_value_t &: push_back(self, x)
x: tev_reg_value_t const &

push_back(self) -> tev_reg_value_t
def qclear(self, *args) ‑> void: qclear(self)
def reserve(self, *args) ‑> void: reserve(self, cnt)
cnt: size_t
def resize(self, *args) ‑> void: resize(self, _newsize, x)
_newsize: size_t

x: tev_reg_value_t const &

resize(self, _newsize)
_newsize: size_t
def size(self, *args) ‑> size_t: size(self) -> size_t
def swap(self, *args) ‑> void: swap(self, r)
r: qvector< tev_reg_value_t > &
def truncate(self, *args) ‑> void: truncate(self)

class tevinforeg_vec_t (*args)

Proxy of C++ qvector< tev_info_reg_t > class.

__init__(self) -> tevinforeg_vec_t

__init__(self, x) -> tevinforeg_vec_t

x: qvector< tev_info_reg_t > const &

Methods

def at(self, *args) ‑> tev_info_reg_t const &: at(self, _idx) -> tev_info_reg_t
_idx: size_t
def back(self)
def begin(self, *args) ‑> qvector< tev_info_reg_t >::const_iterator: begin(self) -> tev_info_reg_t
def capacity(self, *args) ‑> size_t: capacity(self) -> size_t
def clear(self, *args) ‑> void: clear(self)
def empty(self, *args) ‑> bool: empty(self) -> bool
def end(self, *args) ‑> qvector< tev_info_reg_t >::const_iterator: end(self) -> tev_info_reg_t
def erase(self, *args) ‑> qvector< tev_info_reg_t >::iterator: erase(self, it) -> tev_info_reg_t
it: qvector< tev_info_reg_t >::iterator

erase(self, first, last) -> tev_info_reg_t
first: qvector< tev_info_reg_t >::iterator

last: qvector< tev_info_reg_t >::iterator
def extract(self, *args) ‑> tev_info_reg_t *: extract(self) -> tev_info_reg_t
def front(self)
def grow(self, *args) ‑> void: grow(self, x=tev_info_reg_t())

x: tev_info_reg_t const &
def inject(self, *args) ‑> void: inject(self, s, len)
s: tev_info_reg_t *

len: size_t
def insert(self, *args) ‑> qvector< tev_info_reg_t >::iterator: insert(self, it, x) -> tev_info_reg_t
it: qvector< tev_info_reg_t >::iterator

x: tev_info_reg_t const &
def pop_back(self, *args) ‑> void: pop_back(self)
def push_back(self, *args) ‑> tev_info_reg_t &: push_back(self, x)
x: tev_info_reg_t const &

push_back(self) -> tev_info_reg_t
def qclear(self, *args) ‑> void: qclear(self)
def reserve(self, *args) ‑> void: reserve(self, cnt)
cnt: size_t
def resize(self, *args) ‑> void: resize(self, _newsize, x)
_newsize: size_t

x: tev_info_reg_t const &

resize(self, _newsize)
_newsize: size_t
def size(self, *args) ‑> size_t: size(self) -> size_t
def swap(self, *args) ‑> void: swap(self, r)
r: qvector< tev_info_reg_t > &
def truncate(self, *args) ‑> void: truncate(self)