PyQBDI API
Introduction
We offer bindings for Python, the whole C/C++ API is available through them, but they are also backed up by plenty of helpers that fluidify the script writing.
On Linux and macOS, PyQBDI supports QBDIPreload as PyQBDIPreload.
However, you must be aware that PyQBDI has some limitations:
VM class
- class pyqbdi.VM
- __init__(self: pyqbdi.VM, cpu: str = '', mattrs: List[str] = [], options: pyqbdi.Options = <Options.NO_OPT: 0>) None
Construct a new VM for a given CPU with specific attributes
- property options
Options of the VM
State management
- pyqbdi.VM.getGPRState(self: pyqbdi.VM) pyqbdi.GPRState
Obtain the current general purpose register state.
- pyqbdi.VM.getFPRState(self: pyqbdi.VM) pyqbdi.FPRState
Obtain the current floating point register state.
- pyqbdi.VM.setGPRState(self: pyqbdi.VM, gprState: pyqbdi.GPRState) None
Set the GPR state.
- pyqbdi.VM.setFPRState(self: pyqbdi.VM, fprState: pyqbdi.FPRState) None
Set the FPR state.
Instrumentation range
Addition
- pyqbdi.VM.addInstrumentedRange(self: pyqbdi.VM, start: int, end: int) None
Add an address range to the set of instrumented address ranges.
- pyqbdi.VM.addInstrumentedModule(self: pyqbdi.VM, name: str) bool
Add the executable address ranges of a module to the set of instrumented address ranges.
Removal
- pyqbdi.VM.removeInstrumentedRange(self: pyqbdi.VM, start: int, end: int) None
Remove an address range from the set of instrumented address ranges.
- pyqbdi.VM.removeInstrumentedModule(self: pyqbdi.VM, name: str) bool
Remove the executable address ranges of a module from the set of instrumented address ranges.
Callback management
InstCallback
- pyqbdi.VM.addCodeCB(self: pyqbdi.VM, pos: pyqbdi.InstPosition, cbk: Callable[[pyqbdi.VM, pyqbdi.GPRState, pyqbdi.FPRState, object], pyqbdi.VMAction], data: object, priority: int = <CallbackPriority.PRIORITY_DEFAULT: 0>) object
Register a callback event for every instruction executed.
- pyqbdi.VM.addCodeAddrCB(self: pyqbdi.VM, address: int, pos: pyqbdi.InstPosition, cbk: Callable[[pyqbdi.VM, pyqbdi.GPRState, pyqbdi.FPRState, object], pyqbdi.VMAction], data: object, priority: int = <CallbackPriority.PRIORITY_DEFAULT: 0>) object
Register a callback for when a specific address is executed.
- pyqbdi.VM.addCodeRangeCB(self: pyqbdi.VM, start: int, end: int, pos: pyqbdi.InstPosition, cbk: Callable[[pyqbdi.VM, pyqbdi.GPRState, pyqbdi.FPRState, object], pyqbdi.VMAction], data: object, priority: int = <CallbackPriority.PRIORITY_DEFAULT: 0>) object
Register a callback for when a specific address range is executed.
- pyqbdi.VM.addMnemonicCB(self: pyqbdi.VM, mnemonic: str, pos: pyqbdi.InstPosition, cbk: Callable[[pyqbdi.VM, pyqbdi.GPRState, pyqbdi.FPRState, object], pyqbdi.VMAction], data: object, priority: int = <CallbackPriority.PRIORITY_DEFAULT: 0>) object
Register a callback event if the instruction matches the mnemonic.
VMEvent
- pyqbdi.VM.addVMEventCB(self: pyqbdi.VM, mask: pyqbdi.VMEvent, cbk: Callable[[pyqbdi.VM, pyqbdi.VMState, pyqbdi.GPRState, pyqbdi.FPRState, object], pyqbdi.VMAction], data: object) object
Register a callback event for a specific VM event.
MemoryAccess
- pyqbdi.VM.addMemAccessCB(self: pyqbdi.VM, type: pyqbdi.MemoryAccessType, cbk: Callable[[pyqbdi.VM, pyqbdi.GPRState, pyqbdi.FPRState, object], pyqbdi.VMAction], data: object, priority: int = <CallbackPriority.PRIORITY_DEFAULT: 0>) object
Register a callback event for every memory access matching the type bitfield made by the instructions.
- pyqbdi.VM.addMemAddrCB(self: pyqbdi.VM, address: int, type: pyqbdi.MemoryAccessType, cbk: Callable[[pyqbdi.VM, pyqbdi.GPRState, pyqbdi.FPRState, object], pyqbdi.VMAction], data: object) object
Add a virtual callback which is triggered for any memory access at a specific address matching the access type. Virtual callbacks are called via callback forwarding by a gate callback triggered on every memory access. This incurs a high performance cost.
- pyqbdi.VM.addMemRangeCB(self: pyqbdi.VM, start: int, end: int, type: pyqbdi.MemoryAccessType, cbk: Callable[[pyqbdi.VM, pyqbdi.GPRState, pyqbdi.FPRState, object], pyqbdi.VMAction], data: object) object
Add a virtual callback which is triggered for any memory access at a specific address range matching the access type. Virtual callbacks are called via callback forwarding by a gate callback triggered on every memory access. This incurs a high performance cost.
InstrRuleCallback
- pyqbdi.VM.addInstrRule(self: pyqbdi.VM, cbk: Callable[[pyqbdi.VM, pyqbdi.InstAnalysis, object], List[pyqbdi.InstrRuleDataCBK]], type: pyqbdi.AnalysisType, data: object) object
Add a custom instrumentation rule to the VM.
- pyqbdi.VM.addInstrRuleRange(self: pyqbdi.VM, start: int, end: int, cbk: Callable[[pyqbdi.VM, pyqbdi.InstAnalysis, object], List[pyqbdi.InstrRuleDataCBK]], type: pyqbdi.AnalysisType, data: object) object
Add a custom instrumentation rule to the VM on a specify range.
Removal
Run
InstAnalysis
- pyqbdi.VM.getInstAnalysis(self: pyqbdi.VM, type: pyqbdi.AnalysisType = AnalysisType.ANALYSIS_INSTRUCTION | AnalysisType.ANALYSIS_DISASSEMBLY) pyqbdi.InstAnalysis
Obtain the analysis of the current instruction. Analysis results are cached in the VM.
- pyqbdi.VM.getCachedInstAnalysis(self: pyqbdi.VM, address: int, type: pyqbdi.AnalysisType = AnalysisType.ANALYSIS_INSTRUCTION | AnalysisType.ANALYSIS_DISASSEMBLY) pyqbdi.InstAnalysis
Obtain the analysis of a cached instruction. Analysis results are cached in the VM.
MemoryAccess
- pyqbdi.VM.getInstMemoryAccess(self: pyqbdi.VM) List[pyqbdi.MemoryAccess]
Obtain the memory accesses made by the last executed instruction.
- pyqbdi.VM.getBBMemoryAccess(self: pyqbdi.VM) List[pyqbdi.MemoryAccess]
Obtain the memory accesses made by the last executed sequence.
Cache management
Register state
This documentation only shows the register for the X86_64 architectures. For ARM
and AARCH64, the GPRState and FPRState are similar to the C/C++
QBDI::GPRState
and QBDI::FPRState
.
- class pyqbdi.GPRState
- property AVAILABLE_GPR
shadow of rbp
- property NUM_GPR
shadow of eflags
- property REG_BP
shadow of rbp
- property REG_FLAG
shadow of eflags
- property REG_LR
not available on X86_64
- property REG_PC
shadow of rip
- property REG_RETURN
shadow of rax
- property REG_SP
shadow of rsp
- __getitem__(self: pyqbdi.GPRState, index: int) int
Get a register like QBDI_GPR_GET
- __setitem__(self: pyqbdi.GPRState, index: int, value: int) int
Set a register like QBDI_GPR_SET
- property eflags
- property fs
- property gs
- property r10
- property r11
- property r12
- property r13
- property r14
- property r15
- property r8
- property r9
- property rax
- property rbp
- property rbx
- property rcx
- property rdi
- property rdx
- property rip
- property rsi
- property rsp
- class pyqbdi.FPRState
- property cs
x87 FPU Instruction Pointer Selector
- property dp
x87 FPU Instruction Operand(Data) Pointer offset
- property ds
x87 FPU Instruction Operand(Data) Pointer Selector
- property fcw
x87 FPU control word
- property fop
x87 FPU Opcode
- property fsw
x87 FPU status word
- property ftw
x87 FPU tag word
- property ip
x87 FPU Instruction Pointer offset
- property mxcsr
MXCSR Register state
- property mxcsrmask
MXCSR mask
- property rfcw
x87 FPU control word
- property rfsw
x87 FPU status word
- property stmm0
ST0/MM0
- property stmm1
ST1/MM1
- property stmm2
ST2/MM2
- property stmm3
ST3/MM3
- property stmm4
ST4/MM4
- property stmm5
ST5/MM5
- property stmm6
ST6/MM6
- property stmm7
ST7/MM7
- property xmm0
XMM 0
- property xmm1
XMM 1
- property xmm10
XMM 10
- property xmm11
XMM 11
- property xmm12
XMM 12
- property xmm13
XMM 13
- property xmm14
XMM 14
- property xmm15
XMM 15
- property xmm2
XMM 2
- property xmm3
XMM 3
- property xmm4
XMM 4
- property xmm5
XMM 5
- property xmm6
XMM 6
- property xmm7
XMM 7
- property xmm8
XMM 8
- property xmm9
XMM 9
- property ymm0
YMM0[255:128]
- property ymm1
YMM1[255:128]
- property ymm10
YMM10[255:128]
- property ymm11
YMM11[255:128]
- property ymm12
YMM12[255:128]
- property ymm13
YMM13[255:128]
- property ymm14
YMM14[255:128]
- property ymm15
YMM15[255:128]
- property ymm2
YMM2[255:128]
- property ymm3
YMM3[255:128]
- property ymm4
YMM4[255:128]
- property ymm5
YMM5[255:128]
- property ymm6
YMM6[255:128]
- property ymm7
YMM7[255:128]
- property ymm8
YMM8[255:128]
- property ymm9
YMM9[255:128]
- pyqbdi.REG_RETURN
- pyqbdi.REG_BP
- pyqbdi.REG_SP
- pyqbdi.REG_PC
- pyqbdi.NUM_GPR
Callback
- pyqbdi.InstCallback(vm: pyqbdi.VM, gpr: pyqbdi.GPRState, fpr: pyqbdi.FPRState, data: object) pyqbdi.VMAction
This is the prototype of a function callback for:
- pyqbdi.VMCallback(vm: pyqbdi.VM, vmState: pyqbdi.VMState, gpr: pyqbdi.GPRState, fpr: pyqbdi.FPRState, data: object) pyqbdi.VMAction
This is the prototype of a function callback for
pyqbdi.VM.addVMEventCB()
.
- pyqbdi.InstrRuleCallback(vm: pyqbdi.VM, ana: pyqbdi.InstAnalysis, data: object) List[pyqbdi.InstrRuleDataCBK]
This is the prototype of a function callback for
pyqbdi.VM.addInstrRule()
andpyqbdi.VM.addInstrRuleRange()
.- Parameters:
vm (VM) – The current QBDI object
ana (InstAnalysis) – The current QBDI object
data (Object) – A user-defined object
- Returns:
A list of
pyqbdi.InstrRuleDataCBK
- class pyqbdi.InstrRuleDataCBK
- __init__(self: pyqbdi.InstrRuleDataCBK, cbk: Callable[[QBDI::VM, pyqbdi.GPRState, pyqbdi.FPRState, object], pyqbdi.VMAction], data: object, position: pyqbdi.InstPosition, priority: int = <CallbackPriority.PRIORITY_DEFAULT: 0>) None
- property cbk
Address of the function to call when the instruction is executed
- property data
User defined data which will be forward to cbk.
- property position
Relative position of the event callback (PREINST / POSTINST).
- property priority
Priority of the callback.
- pyqbdi.InstPosition = <class 'pyqbdi.InstPosition'>
Position relative to an instruction.
Members:
PREINST : Positioned before the instruction.
POSTINST : Positioned after the instruction.
- pyqbdi.CallbackPriority = <class 'pyqbdi.CallbackPriority'>
Priority of callback.
Members:
PRIORITY_DEFAULT : Default priority for callback.
PRIORITY_MEMACCESS_LIMIT : Maximum priority if getInstMemoryAccess is used in the callback.
- pyqbdi.VMAction = <class 'pyqbdi.VMAction'>
The callback results.
Members:
CONTINUE : The execution of the basic block continues.
SKIP_INST : Available only with PREINST InstCallback. The instruction and the remained PREINST callbacks are skip. The execution continue with the POSTINST instruction.
We recommand to used this result with a low priority PREINST callback in order to emulate the instruction without skipping the POSTINST callback.
SKIP_PATCH : Available only with InstCallback. The current instruction and the reminding callback (PRE and POST) are skip. The execution continues to the next instruction.
For instruction that change the instruction pointer (jump/call/ret), BREAK_TO_VM must be used insted of SKIP.
SKIP can break the record of MemoryAccess for the current instruction.
BREAK_TO_VM : The execution breaks and returns to the VM causing a complete reevaluation of the execution state. A BREAK_TO_VM is needed to ensure that modifications of the Program Counter or the program code are taken into account.
STOP : Stops the execution of the program. This causes the run function to return early.
InstAnalysis
- pyqbdi.AnalysisType = <class 'pyqbdi.AnalysisType'>
Instruction analysis type
Members:
ANALYSIS_INSTRUCTION : Instruction analysis (address, mnemonic, …)
ANALYSIS_DISASSEMBLY : Instruction disassembly
ANALYSIS_OPERANDS : Instruction operands analysis
ANALYSIS_SYMBOL : Instruction symbol
- class pyqbdi.InstAnalysis
- property address
Instruction address (if ANALYSIS_INSTRUCTION)
- property affectControlFlow
True if instruction affects control flow (if ANALYSIS_INSTRUCTION)
- property condition
Condition associated with the instruction (if ANALYSIS_INSTRUCTION)
- property disassembly
Instruction disassembly (if ANALYSIS_DISASSEMBLY)
- property flagsAccess
Flag access type (noaccess, r, w, rw) (if ANALYSIS_OPERANDS)
- property instSize
Instruction size (in bytes) (if ANALYSIS_INSTRUCTION)
- property isBranch
True if instruction acts like a ‘jump’ (if ANALYSIS_INSTRUCTION)
- property isCall
True if instruction acts like a ‘call’ (if ANALYSIS_INSTRUCTION)
- property isCompare
True if instruction is a comparison (if ANALYSIS_INSTRUCTION)
- property isMoveImm
True if this instruction is a move immediate (including conditional moves) instruction. (if ANALYSIS_INSTRUCTION)
- property isPredicable
True if instruction contains a predicate (~is conditional) (if ANALYSIS_INSTRUCTION)
- property isReturn
True if instruction acts like a ‘return’ (if ANALYSIS_INSTRUCTION)
- property loadSize
size of the expected read access (if ANALYSIS_INSTRUCTION)
- property mayLoad
True if QBDI detects a load for this instruction (if ANALYSIS_INSTRUCTION)
- property mayStore
True if QBDI detects a store for this instruction (if ANALYSIS_INSTRUCTION)
- property mnemonic
LLVM mnemonic (if ANALYSIS_INSTRUCTION)
- property module
Instruction module name (if ANALYSIS_SYMBOL and found) (deprecated)
- property moduleName
Instruction module name (if ANALYSIS_SYMBOL and found)
- property numOperands
Number of operands used by the instruction (if ANALYSIS_OPERANDS)
- property operands
Structure containing analysis results of an operand provided by the VM (if ANALYSIS_OPERANDS)
- property storeSize
size of the expected write access (if ANALYSIS_INSTRUCTION)
- property symbol
Instruction symbol (if ANALYSIS_SYMBOL and found) (deprecated)
- property symbolName
Instruction symbol (if ANALYSIS_SYMBOL and found)
- property symbolOffset
Instruction symbol offset (if ANALYSIS_SYMBOL)
- pyqbdi.ConditionType = <class 'pyqbdi.ConditionType'>
Condition type
Members:
CONDITION_NONE : The instruction is unconditionnal
CONDITION_ALWAYS : The instruction is always true
CONDITION_NEVER : The instruction is always false
CONDITION_EQUALS : Equals ( ‘==’ )
CONDITION_NOT_EQUALS : Not Equals ( ‘!=’ )
CONDITION_ABOVE : Above ( ‘>’ unsigned )
CONDITION_BELOW_EQUALS : Below or Equals ( ‘<=’ unsigned )
CONDITION_ABOVE_EQUALS : Above or Equals ( ‘>=’ unsigned )
CONDITION_BELOW : Below ( ‘<’ unsigned )
CONDITION_GREAT : Great ( ‘>’ signed )
CONDITION_LESS_EQUALS : Less or Equals ( ‘<=’ signed )
CONDITION_GREAT_EQUALS : Great or Equals ( ‘>=’ signed )
CONDITION_LESS : Less ( ‘<’ signed )
CONDITION_EVEN : Even
CONDITION_ODD : Odd
CONDITION_OVERFLOW : Overflow
CONDITION_NOT_OVERFLOW : Not Overflow
CONDITION_SIGN : Sign
CONDITION_NOT_SIGN : Not Sign
- class pyqbdi.OperandAnalysis
- property flag
Operand flag
- property regAccess
Register access type (r, w, rw)
- property regCtxIdx
Register index in VM state
- property regName
Register name
- property regOff
Sub-register offset in register (in bits)
- property size
Operand size (in bytes)
- property type
Operand type
- property value
Operand value (if immediate), or register Id
- pyqbdi.OperandType = <class 'pyqbdi.OperandType'>
Operand type
Members:
OPERAND_INVALID : Invalid operand
OPERAND_IMM : Immediate operand
OPERAND_GPR : Register operand
OPERAND_PRED : Predicate operand
OPERAND_FPR : Float register operand
OPERAND_SEG : Segment or unsupported register operand
- pyqbdi.OperandFlag = <class 'pyqbdi.OperandFlag'>
Operand flag
Members:
OPERANDFLAG_NONE : No flag
OPERANDFLAG_ADDR : The operand is used to compute an address
OPERANDFLAG_PCREL : The value of the operand is PC relative
OPERANDFLAG_UNDEFINED_EFFECT : The operand role isn’t fully defined
OPERANDFLAG_IMPLICIT : The operand is implicit
- pyqbdi.RegisterAccessType = <class 'pyqbdi.RegisterAccessType'>
Access type (R/W/RW) of a register operand
Members:
REGISTER_UNUSED : Unused register
REGISTER_READ : Register read access
REGISTER_WRITE : Register write access
REGISTER_READ_WRITE : Register read/write access
MemoryAccess
- class pyqbdi.MemoryAccess
- property accessAddress
Address of accessed memory
- property flags
Memory access flags
- property instAddress
Address of instruction making the access
- property size
Size of memory access (in bytes)
- property type
Memory access type (READ / WRITE)
- property value
Value read from / written to memory
- pyqbdi.MemoryAccessType = <class 'pyqbdi.MemoryAccessType'>
Memory access type (read / write / …)
Members:
MEMORY_READ : Memory read access
MEMORY_WRITE : Memory write access
MEMORY_READ_WRITE : Memory read/write access
- pyqbdi.MemoryAccessFlags = <class 'pyqbdi.MemoryAccessFlags'>
Memory access flags
Members:
MEMORY_NO_FLAGS : Empty flags
MEMORY_UNKNOWN_SIZE : The size of the access isn’t known.
MEMORY_MINIMUM_SIZE : The given size is a minimum size.
MEMORY_UNKNOWN_VALUE : The value of the access is unknown or hasn’t been retrived.
VMEvent
- pyqbdi.VMEvent = <class 'pyqbdi.VMEvent'>
Members:
SEQUENCE_ENTRY : Triggered when the execution enters a sequence.
SEQUENCE_EXIT : Triggered when the execution exits from the current sequence.
BASIC_BLOCK_ENTRY : Triggered when the execution enters a basic block.
BASIC_BLOCK_EXIT : Triggered when the execution exits from the current basic block.
BASIC_BLOCK_NEW : Triggered when the execution enters a new (~unknown) basic block.
EXEC_TRANSFER_CALL : Triggered when the ExecBroker executes an execution transfer.
EXEC_TRANSFER_RETURN : Triggered when the ExecBroker returns from an execution transfer.
- class pyqbdi.VMState
- property basicBlockEnd
The current basic block end address which can also be the execution transfer destination.
- property basicBlockStart
The current basic block start address which can also be the execution transfer destination.
- property event
The event(s) which triggered the callback (must be checked using a mask: event & BASIC_BLOCK_ENTRY).
- property sequenceEnd
The current sequence end address which can also be the execution transfer destination.
- property sequenceStart
The current sequence start address which can also be the execution transfer destination.
Memory management
Allocation
- pyqbdi.alignedAlloc(size: int, align: int) int
Allocate a block of memory of a specified sized with an aligned base address.
- pyqbdi.allocateVirtualStack(gprstate: pyqbdi.GPRState, size: int) object
Allocate a new stack and setup the GPRState accordingly. The allocated stack needs to be freed with alignedFree(). The result was int, or None if the allocation fails.
- pyqbdi.alignedFree(ptr: int) None
Free a block of aligned memory allocated with alignedAlloc.
- pyqbdi.simulateCall(ctx: pyqbdi.GPRState, returnAddress: int, args: List[int] = []) None
Simulate a call by modifying the stack and registers accordingly.
Exploration
- pyqbdi.getModuleNames() List[str]
Get a list of all the module names loaded in the process memory.
- pyqbdi.getCurrentProcessMaps(full_path: bool = False) List[pyqbdi.MemoryMap]
Get a list of all the memory maps (regions) of the current process.
- pyqbdi.getRemoteProcessMaps(pid: int, full_path: bool = False) List[pyqbdi.MemoryMap]
Get a list of all the memory maps (regions) of a process.
- class pyqbdi.MemoryMap
- property name
Region name (useful when a region is mapping a module).
- property permission
Region access rights (PF_READ, PF_WRITE, PF_EXEC).
- property range
A range of memory (region), delimited between a start and an (excluded) end address.
- pyqbdi.Permission = <class 'pyqbdi.Permission'>
Memory access rights.
Members:
PF_NONE : No access
PF_READ : Read access
PF_WRITE : Write access
PF_EXEC : Execution access
Other globals
This documentation only shows the options available for the X86_64 architectures. For ARM
and AARCH64, refer the C/C++ API QBDI::Options
.
- pyqbdi.Options = <class 'pyqbdi.Options'>
VM options
Members:
NO_OPT : Default value
OPT_DISABLE_FPR : Disable all operation on FPU (SSE, AVX, SIMD). May break the execution if the target use the FPU.
OPT_DISABLE_OPTIONAL_FPR : Disable context switch optimisation when the target execblock doesn’t used FPR
OPT_DISABLE_MEMORYACCESS_VALUE : Don’t load memory access value
OPT_DISABLE_ERRNO_BACKUP : Don’t save and restore errno
OPT_ATT_SYNTAX : Used the AT&T syntax for instruction disassembly
OPT_ENABLE_FS_GS : Enable Backup/Restore of FS/GS segment. This option uses the instructions (RD|WR)(FS|GS)BASE that must be supported by the operating system.
- pyqbdi.VMError = <class 'pyqbdi.VMError'>
QBDI Error values
Members:
INVALID_EVENTID : Mark a returned event id as invalid
Miscellaneous
Version & info
- pyqbdi.__arch__
- pyqbdi.__platform__
- pyqbdi.__preload__
Library load with pyqbdipreload
- pyqbdi.__version__
Version of QBDI
Log
- pyqbdi.LogPriority = <class 'pyqbdi.LogPriority'>
Each log has a priority (or level) which can be used to control verbosity In production builds, only Warning and Error logs are kept.
Members:
DEBUG : Debug logs
INFO : Info logs (default)
WARNING : Warning logs
ERROR : Error logs
DISABLE : Disable logs message
- pyqbdi.setLogPriority(priority: pyqbdi.LogPriority) None
Enable logs matching priority.
Range
- class pyqbdi.Range
- contains(*args, **kwargs)
Overloaded function.
contains(self: pyqbdi.Range, t: int) -> bool
Return True if an value is inside current range boundaries.
contains(self: pyqbdi.Range, r: pyqbdi.Range) -> bool
Return True if a range is inside current range boundaries.
- property end
Range end value (always excluded).
- intersect(self: pyqbdi.Range, r: pyqbdi.Range) pyqbdi.Range
Return the intersection of two ranges.
- overlaps(self: pyqbdi.Range, r: pyqbdi.Range) bool
Return True if a range is overlapping current range lower or/and upper boundary.
- size(self: pyqbdi.Range) int
Return the total length of a range.
- property start
Range start value.
Memory helpers
- pyqbdi.readMemory(address: int, size: int) bytes
Read a content from a base address.
- Parameters:
address – Base address
size – Read size
- Returns:
Bytes of content.
Warning
This API is hazardous as the whole process memory can be read.
- pyqbdi.readRword(address: int) int
Read a rword to the specified address
- Parameters:
address – Base address
- Returns:
the value as a unsigned integer
Warning
This API is hazardous as the whole process memory can be read.
- pyqbdi.writeMemory(address: int, bytes: str) None
Write a memory content to a base address.
- Parameters:
address – Base address
bytes – Memory content
Warning
This API is hazardous as the whole process memory can be written.
- pyqbdi.writeRword(address: int, value: int) None
Write a rword in a base address.
- Parameters:
address – Base address
value – The value to write, as a unsigned integer
Warning
This API is hazardous as the whole process memory can be written.
- pyqbdi.allocateRword() int
Allocate a raw memory space to store a rword.
- Returns:
Address to a memory space to store a rword
- pyqbdi.allocateMemory(length: int) int
Allocate a raw memory space of specified length.
- Parameters:
length – length of the memory space to allocate
- Returns:
Address to the allocated memory
- pyqbdi.freeMemory(address: int) None
Free a memory space allocate with allocateRword or allocateMemory.
- Parameters:
address – Address of the allocated memory
Float helpers
- pyqbdi.encodeFloat(val: float) int
Encode a float as a signed integer.
- Parameters:
val – Float value
- Returns:
a sigend integer
- pyqbdi.decodeFloat(val: int) float
Encode a sigend integer as a float.
- Parameters:
val – signed integer value
- Returns:
a float
- pyqbdi.encodeFloatU(val: float) int
Encode a float as an unsigned interger.
- Parameters:
val – Float value
- Returns:
an unsigned integer
- pyqbdi.decodeFloatU(val: int) float
Encode an unsigend integer as a float.
- Parameters:
val – unsigned integer value
- Returns:
a float
- pyqbdi.encodeDouble(val: float) int
Encode a double as a signed integer.
- Parameters:
val – Double value
- Returns:
a sigend integer
- pyqbdi.decodeDouble(val: int) float
Encode a sigend integer as a double.
- Parameters:
val – signed integer value
- Returns:
a double
- pyqbdi.encodeDoubleU(val: float) int
Encode a double as an unsigned interger.
- Parameters:
val – Double value
- Returns:
an unsigned integer
- pyqbdi.decodeDoubleU(val: int) float
Encode an unsigend integer as a double.
- Parameters:
val – unsigned integer value
- Returns:
a double
For more conversion utilities, check out the Python’s struct library.