PyQBDI API

Introduction

We offer bindings for Python, the whole C/C++ API is available through them, but they are also backed up by plenty of helpers that fluidify the script writing.

On Linux and macOS, PyQBDI supports QBDIPreload as PyQBDIPreload.

However, you must be aware that PyQBDI has some limitations:

  • The library can handle only one VM at a time.

  • The VM must not be used in the atexit module.

  • 32-bit versions of PyQBDI and Python are needed to instrument 32-bit targets.

  • PyQBDI cannot be used to instrument a Python process since both the host and the target will use the Python runtime.

VM class

class pyqbdi.VM
__init__(self: pyqbdi.VM, cpu: str = '', mattrs: List[str] = [], options: pyqbdi.Options = <Options.NO_OPT: 0>) None

Construct a new VM for a given CPU with specific attributes

property options

Options of the VM

State management

pyqbdi.VM.getGPRState(self: pyqbdi.VM) pyqbdi.GPRState

Obtain the current general purpose register state.

pyqbdi.VM.getFPRState(self: pyqbdi.VM) pyqbdi.FPRState

Obtain the current floating point register state.

pyqbdi.VM.getErrno(self: pyqbdi.VM) int

Get the backuped errno.

pyqbdi.VM.setGPRState(self: pyqbdi.VM, gprState: pyqbdi.GPRState) None

Set the GPR state.

pyqbdi.VM.setFPRState(self: pyqbdi.VM, fprState: pyqbdi.FPRState) None

Set the FPR state.

pyqbdi.VM.setErrno(self: pyqbdi.VM, errno: int) None

Set the backuped errno.

Instrumentation range

Addition

pyqbdi.VM.addInstrumentedRange(self: pyqbdi.VM, start: int, end: int) None

Add an address range to the set of instrumented address ranges.

pyqbdi.VM.addInstrumentedModule(self: pyqbdi.VM, name: str) bool

Add the executable address ranges of a module to the set of instrumented address ranges.

pyqbdi.VM.addInstrumentedModuleFromAddr(self: pyqbdi.VM, addr: int) bool

Add the executable address ranges of a module to the set of instrumented address ranges using an address belonging to the module.

pyqbdi.VM.instrumentAllExecutableMaps(self: pyqbdi.VM) bool

Adds all the executable memory maps to the instrumented range set.

Removal

pyqbdi.VM.removeInstrumentedRange(self: pyqbdi.VM, start: int, end: int) None

Remove an address range from the set of instrumented address ranges.

pyqbdi.VM.removeInstrumentedModule(self: pyqbdi.VM, name: str) bool

Remove the executable address ranges of a module from the set of instrumented address ranges.

pyqbdi.VM.removeInstrumentedModuleFromAddr(self: pyqbdi.VM, addr: int) bool

Remove the executable address ranges of a module from the set of instrumented address ranges using an address belonging to the module.

pyqbdi.VM.removeAllInstrumentedRanges(self: pyqbdi.VM) None

Remove all instrumented ranges.

Callback management

InstCallback

pyqbdi.VM.addCodeCB(self: pyqbdi.VM, pos: pyqbdi.InstPosition, cbk: Callable[[pyqbdi.VM, pyqbdi.GPRState, pyqbdi.FPRState, object], pyqbdi.VMAction], data: object, priority: int = <CallbackPriority.PRIORITY_DEFAULT: 0>) object

Register a callback event for every instruction executed.

pyqbdi.VM.addCodeAddrCB(self: pyqbdi.VM, address: int, pos: pyqbdi.InstPosition, cbk: Callable[[pyqbdi.VM, pyqbdi.GPRState, pyqbdi.FPRState, object], pyqbdi.VMAction], data: object, priority: int = <CallbackPriority.PRIORITY_DEFAULT: 0>) object

Register a callback for when a specific address is executed.

pyqbdi.VM.addCodeRangeCB(self: pyqbdi.VM, start: int, end: int, pos: pyqbdi.InstPosition, cbk: Callable[[pyqbdi.VM, pyqbdi.GPRState, pyqbdi.FPRState, object], pyqbdi.VMAction], data: object, priority: int = <CallbackPriority.PRIORITY_DEFAULT: 0>) object

Register a callback for when a specific address range is executed.

pyqbdi.VM.addMnemonicCB(self: pyqbdi.VM, mnemonic: str, pos: pyqbdi.InstPosition, cbk: Callable[[pyqbdi.VM, pyqbdi.GPRState, pyqbdi.FPRState, object], pyqbdi.VMAction], data: object, priority: int = <CallbackPriority.PRIORITY_DEFAULT: 0>) object

Register a callback event if the instruction matches the mnemonic.

VMEvent

pyqbdi.VM.addVMEventCB(self: pyqbdi.VM, mask: pyqbdi.VMEvent, cbk: Callable[[pyqbdi.VM, pyqbdi.VMState, pyqbdi.GPRState, pyqbdi.FPRState, object], pyqbdi.VMAction], data: object) object

Register a callback event for a specific VM event.

MemoryAccess

pyqbdi.VM.addMemAccessCB(self: pyqbdi.VM, type: pyqbdi.MemoryAccessType, cbk: Callable[[pyqbdi.VM, pyqbdi.GPRState, pyqbdi.FPRState, object], pyqbdi.VMAction], data: object, priority: int = <CallbackPriority.PRIORITY_DEFAULT: 0>) object

Register a callback event for every memory access matching the type bitfield made by the instructions.

pyqbdi.VM.addMemAddrCB(self: pyqbdi.VM, address: int, type: pyqbdi.MemoryAccessType, cbk: Callable[[pyqbdi.VM, pyqbdi.GPRState, pyqbdi.FPRState, object], pyqbdi.VMAction], data: object) object

Add a virtual callback which is triggered for any memory access at a specific address matching the access type. Virtual callbacks are called via callback forwarding by a gate callback triggered on every memory access. This incurs a high performance cost.

pyqbdi.VM.addMemRangeCB(self: pyqbdi.VM, start: int, end: int, type: pyqbdi.MemoryAccessType, cbk: Callable[[pyqbdi.VM, pyqbdi.GPRState, pyqbdi.FPRState, object], pyqbdi.VMAction], data: object) object

Add a virtual callback which is triggered for any memory access at a specific address range matching the access type. Virtual callbacks are called via callback forwarding by a gate callback triggered on every memory access. This incurs a high performance cost.

InstrRuleCallback

pyqbdi.VM.addInstrRule(self: pyqbdi.VM, cbk: Callable[[pyqbdi.VM, pyqbdi.InstAnalysis, object], List[pyqbdi.InstrRuleDataCBK]], type: pyqbdi.AnalysisType, data: object) object

Add a custom instrumentation rule to the VM.

pyqbdi.VM.addInstrRuleRange(self: pyqbdi.VM, start: int, end: int, cbk: Callable[[pyqbdi.VM, pyqbdi.InstAnalysis, object], List[pyqbdi.InstrRuleDataCBK]], type: pyqbdi.AnalysisType, data: object) object

Add a custom instrumentation rule to the VM on a specify range.

Removal

pyqbdi.VM.deleteInstrumentation(self: pyqbdi.VM, id: int) None

Remove an instrumentation.

pyqbdi.VM.deleteAllInstrumentations(self: pyqbdi.VM) None

Remove all the registered instrumentations.

Run

pyqbdi.VM.run(self: pyqbdi.VM, start: int, stop: int) bool

Start the execution by the DBI.

pyqbdi.VM.call(self: pyqbdi.VM, function: int, args: List[int]) Tuple[bool, int]

Call a function using the DBI (and its current state).

InstAnalysis

pyqbdi.VM.getInstAnalysis(self: pyqbdi.VM, type: pyqbdi.AnalysisType = AnalysisType.ANALYSIS_INSTRUCTION | AnalysisType.ANALYSIS_DISASSEMBLY) pyqbdi.InstAnalysis

Obtain the analysis of the current instruction. Analysis results are cached in the VM.

pyqbdi.VM.getCachedInstAnalysis(self: pyqbdi.VM, address: int, type: pyqbdi.AnalysisType = AnalysisType.ANALYSIS_INSTRUCTION | AnalysisType.ANALYSIS_DISASSEMBLY) pyqbdi.InstAnalysis

Obtain the analysis of a cached instruction. Analysis results are cached in the VM.

MemoryAccess

pyqbdi.VM.getInstMemoryAccess(self: pyqbdi.VM) List[pyqbdi.MemoryAccess]

Obtain the memory accesses made by the last executed instruction.

pyqbdi.VM.getBBMemoryAccess(self: pyqbdi.VM) List[pyqbdi.MemoryAccess]

Obtain the memory accesses made by the last executed sequence.

pyqbdi.VM.recordMemoryAccess(self: pyqbdi.VM, type: pyqbdi.MemoryAccessType) bool

Add instrumentation rules to log memory access using inline instrumentation and instruction shadows.

Cache management

pyqbdi.VM.precacheBasicBlock(self: pyqbdi.VM, pc: int) bool

Pre-cache a known basic block

pyqbdi.VM.clearCache(self: pyqbdi.VM, start: int, end: int) None

Clear a specific address range from the translation cache.

pyqbdi.VM.clearAllCache(self: pyqbdi.VM) None

Clear the entire translation cache.

Register state

This documentation only shows the register for the X86_64 architectures. For ARM and AARCH64, the GPRState and FPRState are similar to the C/C++ QBDI::GPRState and QBDI::FPRState.

class pyqbdi.GPRState
property AVAILABLE_GPR

shadow of rbp

property NUM_GPR

shadow of eflags

property REG_BP

shadow of rbp

property REG_FLAG

shadow of eflags

property REG_LR

not available on X86_64

property REG_PC

shadow of rip

property REG_RETURN

shadow of rax

property REG_SP

shadow of rsp

__getitem__(self: pyqbdi.GPRState, index: int) int

Get a register like QBDI_GPR_GET

__setitem__(self: pyqbdi.GPRState, index: int, value: int) int

Set a register like QBDI_GPR_SET

property eflags
property fs
property gs
property r10
property r11
property r12
property r13
property r14
property r15
property r8
property r9
property rax
property rbp
property rbx
property rcx
property rdi
property rdx
property rip
property rsi
property rsp
class pyqbdi.FPRState
property cs

x87 FPU Instruction Pointer Selector

property dp

x87 FPU Instruction Operand(Data) Pointer offset

property ds

x87 FPU Instruction Operand(Data) Pointer Selector

property fcw

x87 FPU control word

property fop

x87 FPU Opcode

property fsw

x87 FPU status word

property ftw

x87 FPU tag word

property ip

x87 FPU Instruction Pointer offset

property mxcsr

MXCSR Register state

property mxcsrmask

MXCSR mask

property rfcw

x87 FPU control word

property rfsw

x87 FPU status word

property stmm0

ST0/MM0

property stmm1

ST1/MM1

property stmm2

ST2/MM2

property stmm3

ST3/MM3

property stmm4

ST4/MM4

property stmm5

ST5/MM5

property stmm6

ST6/MM6

property stmm7

ST7/MM7

property xmm0

XMM 0

property xmm1

XMM 1

property xmm10

XMM 10

property xmm11

XMM 11

property xmm12

XMM 12

property xmm13

XMM 13

property xmm14

XMM 14

property xmm15

XMM 15

property xmm2

XMM 2

property xmm3

XMM 3

property xmm4

XMM 4

property xmm5

XMM 5

property xmm6

XMM 6

property xmm7

XMM 7

property xmm8

XMM 8

property xmm9

XMM 9

property ymm0

YMM0[255:128]

property ymm1

YMM1[255:128]

property ymm10

YMM10[255:128]

property ymm11

YMM11[255:128]

property ymm12

YMM12[255:128]

property ymm13

YMM13[255:128]

property ymm14

YMM14[255:128]

property ymm15

YMM15[255:128]

property ymm2

YMM2[255:128]

property ymm3

YMM3[255:128]

property ymm4

YMM4[255:128]

property ymm5

YMM5[255:128]

property ymm6

YMM6[255:128]

property ymm7

YMM7[255:128]

property ymm8

YMM8[255:128]

property ymm9

YMM9[255:128]

pyqbdi.REG_RETURN
pyqbdi.REG_BP
pyqbdi.REG_SP
pyqbdi.REG_PC
pyqbdi.NUM_GPR

Callback

pyqbdi.InstCallback(vm: pyqbdi.VM, gpr: pyqbdi.GPRState, fpr: pyqbdi.FPRState, data: object) pyqbdi.VMAction

This is the prototype of a function callback for:

Parameters:
  • vm (VM) – The current QBDI object

  • gpr (GPRState) – The current GPRState

  • fpr (FPRState) – The current FPRState

  • data (Object) – A user-defined object.

Returns:

the VMAction to continue or stop the execution

pyqbdi.VMCallback(vm: pyqbdi.VM, vmState: pyqbdi.VMState, gpr: pyqbdi.GPRState, fpr: pyqbdi.FPRState, data: object) pyqbdi.VMAction

This is the prototype of a function callback for pyqbdi.VM.addVMEventCB().

Parameters:
  • vm (VM) – The current QBDI object

  • vmState (VMState) – A structure containing the current state of the VM.

  • gpr (GPRState) – The current GPRState

  • fpr (FPRState) – The current FPRState

  • data (Object) – A user-defined object

Returns:

the VMAction to continue or stop the execution

pyqbdi.InstrRuleCallback(vm: pyqbdi.VM, ana: pyqbdi.InstAnalysis, data: object) List[pyqbdi.InstrRuleDataCBK]

This is the prototype of a function callback for pyqbdi.VM.addInstrRule() and pyqbdi.VM.addInstrRuleRange().

Parameters:
  • vm (VM) – The current QBDI object

  • ana (InstAnalysis) – The current QBDI object

  • data (Object) – A user-defined object

Returns:

A list of pyqbdi.InstrRuleDataCBK

class pyqbdi.InstrRuleDataCBK
__init__(self: pyqbdi.InstrRuleDataCBK, cbk: Callable[[QBDI::VM, pyqbdi.GPRState, pyqbdi.FPRState, object], pyqbdi.VMAction], data: object, position: pyqbdi.InstPosition, priority: int = <CallbackPriority.PRIORITY_DEFAULT: 0>) None
property cbk

Address of the function to call when the instruction is executed

property data

User defined data which will be forward to cbk.

property position

Relative position of the event callback (PREINST / POSTINST).

property priority

Priority of the callback.

pyqbdi.InstPosition = <class 'pyqbdi.InstPosition'>

Position relative to an instruction.

Members:

PREINST : Positioned before the instruction.

POSTINST : Positioned after the instruction.

pyqbdi.CallbackPriority = <class 'pyqbdi.CallbackPriority'>

Priority of callback.

Members:

PRIORITY_DEFAULT : Default priority for callback.

PRIORITY_MEMACCESS_LIMIT : Maximum priority if getInstMemoryAccess is used in the callback.

pyqbdi.VMAction = <class 'pyqbdi.VMAction'>

The callback results.

Members:

CONTINUE : The execution of the basic block continues.

SKIP_INST : Available only with PREINST InstCallback. The instruction and the remained PREINST callbacks are skip. The execution continue with the POSTINST instruction.

We recommand to used this result with a low priority PREINST callback in order to emulate the instruction without skipping the POSTINST callback.

SKIP_PATCH : Available only with InstCallback. The current instruction and the reminding callback (PRE and POST) are skip. The execution continues to the next instruction.

For instruction that change the instruction pointer (jump/call/ret), BREAK_TO_VM must be used insted of SKIP.

SKIP can break the record of MemoryAccess for the current instruction.

BREAK_TO_VM : The execution breaks and returns to the VM causing a complete reevaluation of the execution state. A BREAK_TO_VM is needed to ensure that modifications of the Program Counter or the program code are taken into account.

STOP : Stops the execution of the program. This causes the run function to return early.

InstAnalysis

pyqbdi.AnalysisType = <class 'pyqbdi.AnalysisType'>

Instruction analysis type

Members:

ANALYSIS_INSTRUCTION : Instruction analysis (address, mnemonic, …)

ANALYSIS_DISASSEMBLY : Instruction disassembly

ANALYSIS_OPERANDS : Instruction operands analysis

ANALYSIS_SYMBOL : Instruction symbol

class pyqbdi.InstAnalysis
property address

Instruction address (if ANALYSIS_INSTRUCTION)

property affectControlFlow

True if instruction affects control flow (if ANALYSIS_INSTRUCTION)

property condition

Condition associated with the instruction (if ANALYSIS_INSTRUCTION)

property disassembly

Instruction disassembly (if ANALYSIS_DISASSEMBLY)

property flagsAccess

Flag access type (noaccess, r, w, rw) (if ANALYSIS_OPERANDS)

property instSize

Instruction size (in bytes) (if ANALYSIS_INSTRUCTION)

property isBranch

True if instruction acts like a ‘jump’ (if ANALYSIS_INSTRUCTION)

property isCall

True if instruction acts like a ‘call’ (if ANALYSIS_INSTRUCTION)

property isCompare

True if instruction is a comparison (if ANALYSIS_INSTRUCTION)

property isMoveImm

True if this instruction is a move immediate (including conditional moves) instruction. (if ANALYSIS_INSTRUCTION)

property isPredicable

True if instruction contains a predicate (~is conditional) (if ANALYSIS_INSTRUCTION)

property isReturn

True if instruction acts like a ‘return’ (if ANALYSIS_INSTRUCTION)

property loadSize

size of the expected read access (if ANALYSIS_INSTRUCTION)

property mayLoad

True if QBDI detects a load for this instruction (if ANALYSIS_INSTRUCTION)

property mayStore

True if QBDI detects a store for this instruction (if ANALYSIS_INSTRUCTION)

property mnemonic

LLVM mnemonic (if ANALYSIS_INSTRUCTION)

property module

Instruction module name (if ANALYSIS_SYMBOL and found) (deprecated)

property moduleName

Instruction module name (if ANALYSIS_SYMBOL and found)

property numOperands

Number of operands used by the instruction (if ANALYSIS_OPERANDS)

property operands

Structure containing analysis results of an operand provided by the VM (if ANALYSIS_OPERANDS)

property storeSize

size of the expected write access (if ANALYSIS_INSTRUCTION)

property symbol

Instruction symbol (if ANALYSIS_SYMBOL and found) (deprecated)

property symbolName

Instruction symbol (if ANALYSIS_SYMBOL and found)

property symbolOffset

Instruction symbol offset (if ANALYSIS_SYMBOL)

pyqbdi.ConditionType = <class 'pyqbdi.ConditionType'>

Condition type

Members:

CONDITION_NONE : The instruction is unconditionnal

CONDITION_ALWAYS : The instruction is always true

CONDITION_NEVER : The instruction is always false

CONDITION_EQUALS : Equals ( ‘==’ )

CONDITION_NOT_EQUALS : Not Equals ( ‘!=’ )

CONDITION_ABOVE : Above ( ‘>’ unsigned )

CONDITION_BELOW_EQUALS : Below or Equals ( ‘<=’ unsigned )

CONDITION_ABOVE_EQUALS : Above or Equals ( ‘>=’ unsigned )

CONDITION_BELOW : Below ( ‘<’ unsigned )

CONDITION_GREAT : Great ( ‘>’ signed )

CONDITION_LESS_EQUALS : Less or Equals ( ‘<=’ signed )

CONDITION_GREAT_EQUALS : Great or Equals ( ‘>=’ signed )

CONDITION_LESS : Less ( ‘<’ signed )

CONDITION_EVEN : Even

CONDITION_ODD : Odd

CONDITION_OVERFLOW : Overflow

CONDITION_NOT_OVERFLOW : Not Overflow

CONDITION_SIGN : Sign

CONDITION_NOT_SIGN : Not Sign

class pyqbdi.OperandAnalysis
property flag

Operand flag

property regAccess

Register access type (r, w, rw)

property regCtxIdx

Register index in VM state

property regName

Register name

property regOff

Sub-register offset in register (in bits)

property size

Operand size (in bytes)

property type

Operand type

property value

Operand value (if immediate), or register Id

pyqbdi.OperandType = <class 'pyqbdi.OperandType'>

Operand type

Members:

OPERAND_INVALID : Invalid operand

OPERAND_IMM : Immediate operand

OPERAND_GPR : Register operand

OPERAND_PRED : Predicate operand

OPERAND_FPR : Float register operand

OPERAND_SEG : Segment or unsupported register operand

pyqbdi.OperandFlag = <class 'pyqbdi.OperandFlag'>

Operand flag

Members:

OPERANDFLAG_NONE : No flag

OPERANDFLAG_ADDR : The operand is used to compute an address

OPERANDFLAG_PCREL : The value of the operand is PC relative

OPERANDFLAG_UNDEFINED_EFFECT : The operand role isn’t fully defined

OPERANDFLAG_IMPLICIT : The operand is implicit

pyqbdi.RegisterAccessType = <class 'pyqbdi.RegisterAccessType'>

Access type (R/W/RW) of a register operand

Members:

REGISTER_UNUSED : Unused register

REGISTER_READ : Register read access

REGISTER_WRITE : Register write access

REGISTER_READ_WRITE : Register read/write access

MemoryAccess

class pyqbdi.MemoryAccess
property accessAddress

Address of accessed memory

property flags

Memory access flags

property instAddress

Address of instruction making the access

property size

Size of memory access (in bytes)

property type

Memory access type (READ / WRITE)

property value

Value read from / written to memory

pyqbdi.MemoryAccessType = <class 'pyqbdi.MemoryAccessType'>

Memory access type (read / write / …)

Members:

MEMORY_READ : Memory read access

MEMORY_WRITE : Memory write access

MEMORY_READ_WRITE : Memory read/write access

pyqbdi.MemoryAccessFlags = <class 'pyqbdi.MemoryAccessFlags'>

Memory access flags

Members:

MEMORY_NO_FLAGS : Empty flags

MEMORY_UNKNOWN_SIZE : The size of the access isn’t known.

MEMORY_MINIMUM_SIZE : The given size is a minimum size.

MEMORY_UNKNOWN_VALUE : The value of the access is unknown or hasn’t been retrived.

VMEvent

pyqbdi.VMEvent = <class 'pyqbdi.VMEvent'>

Members:

SEQUENCE_ENTRY : Triggered when the execution enters a sequence.

SEQUENCE_EXIT : Triggered when the execution exits from the current sequence.

BASIC_BLOCK_ENTRY : Triggered when the execution enters a basic block.

BASIC_BLOCK_EXIT : Triggered when the execution exits from the current basic block.

BASIC_BLOCK_NEW : Triggered when the execution enters a new (~unknown) basic block.

EXEC_TRANSFER_CALL : Triggered when the ExecBroker executes an execution transfer.

EXEC_TRANSFER_RETURN : Triggered when the ExecBroker returns from an execution transfer.

class pyqbdi.VMState
property basicBlockEnd

The current basic block end address which can also be the execution transfer destination.

property basicBlockStart

The current basic block start address which can also be the execution transfer destination.

property event

The event(s) which triggered the callback (must be checked using a mask: event & BASIC_BLOCK_ENTRY).

property sequenceEnd

The current sequence end address which can also be the execution transfer destination.

property sequenceStart

The current sequence start address which can also be the execution transfer destination.

Memory management

Allocation

pyqbdi.alignedAlloc(size: int, align: int) int

Allocate a block of memory of a specified sized with an aligned base address.

pyqbdi.allocateVirtualStack(gprstate: pyqbdi.GPRState, size: int) object

Allocate a new stack and setup the GPRState accordingly. The allocated stack needs to be freed with alignedFree(). The result was int, or None if the allocation fails.

pyqbdi.alignedFree(ptr: int) None

Free a block of aligned memory allocated with alignedAlloc.

pyqbdi.simulateCall(ctx: pyqbdi.GPRState, returnAddress: int, args: List[int] = []) None

Simulate a call by modifying the stack and registers accordingly.

Exploration

pyqbdi.getModuleNames() List[str]

Get a list of all the module names loaded in the process memory.

pyqbdi.getCurrentProcessMaps(full_path: bool = False) List[pyqbdi.MemoryMap]

Get a list of all the memory maps (regions) of the current process.

pyqbdi.getRemoteProcessMaps(pid: int, full_path: bool = False) List[pyqbdi.MemoryMap]

Get a list of all the memory maps (regions) of a process.

class pyqbdi.MemoryMap
property name

Region name (useful when a region is mapping a module).

property permission

Region access rights (PF_READ, PF_WRITE, PF_EXEC).

property range

A range of memory (region), delimited between a start and an (excluded) end address.

pyqbdi.Permission = <class 'pyqbdi.Permission'>

Memory access rights.

Members:

PF_NONE : No access

PF_READ : Read access

PF_WRITE : Write access

PF_EXEC : Execution access

Other globals

This documentation only shows the options available for the X86_64 architectures. For ARM and AARCH64, refer the C/C++ API QBDI::Options.

pyqbdi.Options = <class 'pyqbdi.Options'>

VM options

Members:

NO_OPT : Default value

OPT_DISABLE_FPR : Disable all operation on FPU (SSE, AVX, SIMD). May break the execution if the target use the FPU.

OPT_DISABLE_OPTIONAL_FPR : Disable context switch optimisation when the target execblock doesn’t used FPR

OPT_DISABLE_MEMORYACCESS_VALUE : Don’t load memory access value

OPT_DISABLE_ERRNO_BACKUP : Don’t save and restore errno

OPT_ATT_SYNTAX : Used the AT&T syntax for instruction disassembly

OPT_ENABLE_FS_GS : Enable Backup/Restore of FS/GS segment. This option uses the instructions (RD|WR)(FS|GS)BASE that must be supported by the operating system.

pyqbdi.VMError = <class 'pyqbdi.VMError'>

QBDI Error values

Members:

INVALID_EVENTID : Mark a returned event id as invalid

Miscellaneous

Version & info

pyqbdi.__arch__
pyqbdi.__platform__
pyqbdi.__preload__

Library load with pyqbdipreload

pyqbdi.__version__

Version of QBDI

Log

pyqbdi.LogPriority = <class 'pyqbdi.LogPriority'>

Each log has a priority (or level) which can be used to control verbosity In production builds, only Warning and Error logs are kept.

Members:

DEBUG : Debug logs

INFO : Info logs (default)

WARNING : Warning logs

ERROR : Error logs

DISABLE : Disable logs message

pyqbdi.setLogPriority(priority: pyqbdi.LogPriority) None

Enable logs matching priority.

Range

class pyqbdi.Range
contains(*args, **kwargs)

Overloaded function.

  1. contains(self: pyqbdi.Range, t: int) -> bool

Return True if an value is inside current range boundaries.

  1. contains(self: pyqbdi.Range, r: pyqbdi.Range) -> bool

Return True if a range is inside current range boundaries.

property end

Range end value (always excluded).

intersect(self: pyqbdi.Range, r: pyqbdi.Range) pyqbdi.Range

Return the intersection of two ranges.

overlaps(self: pyqbdi.Range, r: pyqbdi.Range) bool

Return True if a range is overlapping current range lower or/and upper boundary.

size(self: pyqbdi.Range) int

Return the total length of a range.

property start

Range start value.

Memory helpers

pyqbdi.readMemory(address: int, size: int) bytes

Read a content from a base address.

Parameters:
  • address – Base address

  • size – Read size

Returns:

Bytes of content.

Warning

This API is hazardous as the whole process memory can be read.

pyqbdi.readRword(address: int) int

Read a rword to the specified address

Parameters:

address – Base address

Returns:

the value as a unsigned integer

Warning

This API is hazardous as the whole process memory can be read.

pyqbdi.writeMemory(address: int, bytes: str) None

Write a memory content to a base address.

Parameters:
  • address – Base address

  • bytes – Memory content

Warning

This API is hazardous as the whole process memory can be written.

pyqbdi.writeRword(address: int, value: int) None

Write a rword in a base address.

Parameters:
  • address – Base address

  • value – The value to write, as a unsigned integer

Warning

This API is hazardous as the whole process memory can be written.

pyqbdi.allocateRword() int

Allocate a raw memory space to store a rword.

Returns:

Address to a memory space to store a rword

pyqbdi.allocateMemory(length: int) int

Allocate a raw memory space of specified length.

Parameters:

length – length of the memory space to allocate

Returns:

Address to the allocated memory

pyqbdi.freeMemory(address: int) None

Free a memory space allocate with allocateRword or allocateMemory.

Parameters:

address – Address of the allocated memory

Float helpers

pyqbdi.encodeFloat(val: float) int

Encode a float as a signed integer.

Parameters:

val – Float value

Returns:

a sigend integer

pyqbdi.decodeFloat(val: int) float

Encode a sigend integer as a float.

Parameters:

val – signed integer value

Returns:

a float

pyqbdi.encodeFloatU(val: float) int

Encode a float as an unsigned interger.

Parameters:

val – Float value

Returns:

an unsigned integer

pyqbdi.decodeFloatU(val: int) float

Encode an unsigend integer as a float.

Parameters:

val – unsigned integer value

Returns:

a float

pyqbdi.encodeDouble(val: float) int

Encode a double as a signed integer.

Parameters:

val – Double value

Returns:

a sigend integer

pyqbdi.decodeDouble(val: int) float

Encode a sigend integer as a double.

Parameters:

val – signed integer value

Returns:

a double

pyqbdi.encodeDoubleU(val: float) int

Encode a double as an unsigned interger.

Parameters:

val – Double value

Returns:

an unsigned integer

pyqbdi.decodeDoubleU(val: int) float

Encode an unsigend integer as a double.

Parameters:

val – unsigned integer value

Returns:

a double

For more conversion utilities, check out the Python’s struct library.