PyQBDI API¶

Introduction¶

We offer bindings for Python, the whole C/C++ API is available through them, but they are also backed up by plenty of helpers that fluidify the script writing.

On Linux and macOS, PyQBDI supports QBDIPreload as PyQBDIPreload.

However, you must be aware that PyQBDI has some limitations:

The library can handle only one VM at a time.
The VM must not be used in the atexit module.
32-bit versions of PyQBDI and Python are needed to instrument 32-bit targets.
PyQBDI cannot be used to instrument a Python process since both the host and the target will use the Python runtime.

VM class¶

class pyqbdi.VM¶

__init__(self: pyqbdi.VM, cpu: str = '', mattrs: List[str] = [], options: pyqbdi.Options = <Options.NO_OPT: 0>) → None¶: Construct a new VM for a given CPU with specific attributes

property options¶: Options of the VM

State management¶

pyqbdi.VM.getGPRState(self: pyqbdi.VM) → pyqbdi.GPRState ¶: Obtain the current general purpose register state.

pyqbdi.VM.getFPRState(self: pyqbdi.VM) → pyqbdi.FPRState ¶: Obtain the current floating point register state.

pyqbdi.VM.setGPRState(self: pyqbdi.VM, gprState: pyqbdi.GPRState) → None¶: Set the GPR state.

pyqbdi.VM.setFPRState(self: pyqbdi.VM, fprState: pyqbdi.FPRState) → None¶: Set the FPR state.

Instrumentation range¶

Addition¶

pyqbdi.VM.addInstrumentedRange(self: pyqbdi.VM, start: int, end: int) → None¶: Add an address range to the set of instrumented address ranges.

pyqbdi.VM.addInstrumentedModule(self: pyqbdi.VM, name: str) → bool¶: Add the executable address ranges of a module to the set of instrumented address ranges.

pyqbdi.VM.addInstrumentedModuleFromAddr(self: pyqbdi.VM, addr: int) → bool¶: Add the executable address ranges of a module to the set of instrumented address ranges using an address belonging to the module.

pyqbdi.VM.instrumentAllExecutableMaps(self: pyqbdi.VM) → bool¶: Adds all the executable memory maps to the instrumented range set.

Removal¶

pyqbdi.VM.removeInstrumentedRange(self: pyqbdi.VM, start: int, end: int) → None¶: Remove an address range from the set of instrumented address ranges.

pyqbdi.VM.removeInstrumentedModule(self: pyqbdi.VM, name: str) → bool¶: Remove the executable address ranges of a module from the set of instrumented address ranges.

pyqbdi.VM.removeInstrumentedModuleFromAddr(self: pyqbdi.VM, addr: int) → bool¶: Remove the executable address ranges of a module from the set of instrumented address ranges using an address belonging to the module.

pyqbdi.VM.removeAllInstrumentedRanges(self: pyqbdi.VM) → None¶: Remove all instrumented ranges.

Callback management¶

InstCallback¶

pyqbdi.VM.addCodeCB(self: pyqbdi.VM, pos: pyqbdi.InstPosition, cbk: Callable[[pyqbdi.VM, pyqbdi.GPRState, pyqbdi.FPRState, object], pyqbdi.VMAction], data: object) → object¶: Register a callback event for every instruction executed.

pyqbdi.VM.addCodeAddrCB(self: pyqbdi.VM, address: int, pos: pyqbdi.InstPosition, cbk: Callable[[pyqbdi.VM, pyqbdi.GPRState, pyqbdi.FPRState, object], pyqbdi.VMAction], data: object) → object¶: Register a callback for when a specific address is executed.

pyqbdi.VM.addCodeRangeCB(self: pyqbdi.VM, start: int, end: int, pos: pyqbdi.InstPosition, cbk: Callable[[pyqbdi.VM, pyqbdi.GPRState, pyqbdi.FPRState, object], pyqbdi.VMAction], data: object) → object¶: Register a callback for when a specific address range is executed.

pyqbdi.VM.addMnemonicCB(self: pyqbdi.VM, mnemonic: str, pos: pyqbdi.InstPosition, cbk: Callable[[pyqbdi.VM, pyqbdi.GPRState, pyqbdi.FPRState, object], pyqbdi.VMAction], data: object) → object¶: Register a callback event if the instruction matches the mnemonic.

VMEvent¶

pyqbdi.VM.addVMEventCB(self: pyqbdi.VM, mask: pyqbdi.VMEvent, cbk: Callable[[pyqbdi.VM, pyqbdi.VMState, pyqbdi.GPRState, pyqbdi.FPRState, object], pyqbdi.VMAction], data: object) → object¶: Register a callback event for a specific VM event.

MemoryAccess¶

pyqbdi.VM.addMemAccessCB(self: pyqbdi.VM, type: pyqbdi.MemoryAccessType, cbk: Callable[[pyqbdi.VM, pyqbdi.GPRState, pyqbdi.FPRState, object], pyqbdi.VMAction], data: object) → object¶: Register a callback event for every memory access matching the type bitfield made by the instructions.

pyqbdi.VM.addMemAddrCB(self: pyqbdi.VM, address: int, type: pyqbdi.MemoryAccessType, cbk: Callable[[pyqbdi.VM, pyqbdi.GPRState, pyqbdi.FPRState, object], pyqbdi.VMAction], data: object) → object¶: Add a virtual callback which is triggered for any memory access at a specific address matching the access type. Virtual callbacks are called via callback forwarding by a gate callback triggered on every memory access. This incurs a high performance cost.

pyqbdi.VM.addMemRangeCB(self: pyqbdi.VM, start: int, end: int, type: pyqbdi.MemoryAccessType, cbk: Callable[[pyqbdi.VM, pyqbdi.GPRState, pyqbdi.FPRState, object], pyqbdi.VMAction], data: object) → object¶: Add a virtual callback which is triggered for any memory access at a specific address range matching the access type. Virtual callbacks are called via callback forwarding by a gate callback triggered on every memory access. This incurs a high performance cost.

InstrRuleCallback¶

pyqbdi.VM.addInstrRule(self: pyqbdi.VM, cbk: Callable[[pyqbdi.VM, pyqbdi.InstAnalysis, object], List[pyqbdi.InstrRuleDataCBK]], type: pyqbdi.AnalysisType, data: object) → object¶: Add a custom instrumentation rule to the VM.

pyqbdi.VM.addInstrRuleRange(self: pyqbdi.VM, start: int, end: int, cbk: Callable[[pyqbdi.VM, pyqbdi.InstAnalysis, object], List[pyqbdi.InstrRuleDataCBK]], type: pyqbdi.AnalysisType, data: object) → object¶: Add a custom instrumentation rule to the VM on a specify range.

Removal¶

pyqbdi.VM.deleteInstrumentation(self: pyqbdi.VM, id: int) → None¶: Remove an instrumentation.

pyqbdi.VM.deleteAllInstrumentations(self: pyqbdi.VM) → None¶: Remove all the registered instrumentations.

Run¶

pyqbdi.VM.run(self: pyqbdi.VM, start: int, stop: int) → bool¶: Start the execution by the DBI.

pyqbdi.VM.call(self: pyqbdi.VM, function: int, args: List[int]) → Tuple[bool, int]¶: Call a function using the DBI (and its current state).

InstAnalysis¶

pyqbdi.VM.getInstAnalysis(self: pyqbdi.VM, type: pyqbdi.AnalysisType = AnalysisType.ANALYSIS_INSTRUCTION | AnalysisType.ANALYSIS_DISASSEMBLY) → pyqbdi.InstAnalysis ¶: Obtain the analysis of the current instruction. Analysis results are cached in the VM.

pyqbdi.VM.getCachedInstAnalysis(self: pyqbdi.VM, address: int, type: pyqbdi.AnalysisType = AnalysisType.ANALYSIS_INSTRUCTION | AnalysisType.ANALYSIS_DISASSEMBLY) → pyqbdi.InstAnalysis ¶: Obtain the analysis of a cached instruction. Analysis results are cached in the VM.

MemoryAccess¶

pyqbdi.VM.getInstMemoryAccess(self: pyqbdi.VM) → List[pyqbdi.MemoryAccess]¶: Obtain the memory accesses made by the last executed instruction.

pyqbdi.VM.getBBMemoryAccess(self: pyqbdi.VM) → List[pyqbdi.MemoryAccess]¶: Obtain the memory accesses made by the last executed sequence.

pyqbdi.VM.recordMemoryAccess(self: pyqbdi.VM, type: pyqbdi.MemoryAccessType) → bool¶: Add instrumentation rules to log memory access using inline instrumentation and instruction shadows.

Cache management¶

pyqbdi.VM.precacheBasicBlock(self: pyqbdi.VM, pc: int) → bool¶: Pre-cache a known basic block

pyqbdi.VM.clearCache(self: pyqbdi.VM, start: int, end: int) → None¶: Clear a specific address range from the translation cache.

pyqbdi.VM.clearAllCache(self: pyqbdi.VM) → None¶: Clear the entire translation cache.

Register state¶

class pyqbdi.GPRState¶

property AVAILABLE_GPR¶: shadow of rbp

property NUM_GPR¶: shadow of eflags

property REG_BP¶: shadow of rbp

property REG_LR¶: not available on X86_64

property REG_PC¶: shadow of rip

property REG_RETURN¶: shadow of rax

property REG_SP¶: shadow of rsp

__getitem__(self: pyqbdi.GPRState, index: int) → int¶: Get a register like QBDI_GPR_GET

__setitem__(self: pyqbdi.GPRState, index: int, value: int) → int¶: Set a register like QBDI_GPR_SET

property eflags¶

property r10¶

property r11¶

property r12¶

property r13¶

property r14¶

property r15¶

property r8¶

property r9¶

property rax¶

property rbp¶

property rbx¶

property rcx¶

property rdi¶

property rdx¶

property rip¶

property rsi¶

property rsp¶

class pyqbdi.FPRState¶

property cs¶: x87 FPU Instruction Pointer Selector

property dp¶: x87 FPU Instruction Operand(Data) Pointer offset

property ds¶: x87 FPU Instruction Operand(Data) Pointer Selector

property fcw¶: x87 FPU control word

property fop¶: x87 FPU Opcode

property fsw¶: x87 FPU status word

property ftw¶: x87 FPU tag word

property ip¶: x87 FPU Instruction Pointer offset

property mxcsr¶: MXCSR Register state

property mxcsrmask¶: MXCSR mask

property rfcw¶: x87 FPU control word

property rfsw¶: x87 FPU status word

property stmm0¶: ST0/MM0

property stmm1¶: ST1/MM1

property stmm2¶: ST2/MM2

property stmm3¶: ST3/MM3

property stmm4¶: ST4/MM4

property stmm5¶: ST5/MM5

property stmm6¶: ST6/MM6

property stmm7¶: ST7/MM7

property xmm0¶: XMM 0

property xmm1¶: XMM 1

property xmm10¶: XMM 10

property xmm11¶: XMM 11

property xmm12¶: XMM 12

property xmm13¶: XMM 13

property xmm14¶: XMM 14

property xmm15¶: XMM 15

property xmm2¶: XMM 2

property xmm3¶: XMM 3

property xmm4¶: XMM 4

property xmm5¶: XMM 5

property xmm6¶: XMM 6

property xmm7¶: XMM 7

property xmm8¶: XMM 8

property xmm9¶: XMM 9

property ymm0¶: YMM0[255:128]

property ymm1¶: YMM1[255:128]

property ymm10¶: YMM10[255:128]

property ymm11¶: YMM11[255:128]

property ymm12¶: YMM12[255:128]

property ymm13¶: YMM13[255:128]

property ymm14¶: YMM14[255:128]

property ymm15¶: YMM15[255:128]

property ymm2¶: YMM2[255:128]

property ymm3¶: YMM3[255:128]

property ymm4¶: YMM4[255:128]

property ymm5¶: YMM5[255:128]

property ymm6¶: YMM6[255:128]

property ymm7¶: YMM7[255:128]

property ymm8¶: YMM8[255:128]

property ymm9¶: YMM9[255:128]

pyqbdi.REG_RETURN¶

pyqbdi.REG_BP¶

pyqbdi.REG_SP¶

pyqbdi.REG_PC¶

pyqbdi.NUM_GPR¶

Callback¶

pyqbdi.InstCallback(vm: pyqbdi.VM, gpr: pyqbdi.GPRState, fpr: pyqbdi.FPRState, data: object) → pyqbdi.VMAction ¶

This is the prototype of a function callback for:

pyqbdi.VM.addCodeCB(), pyqbdi.VM.addCodeAddrCB() and pyqbdi.VM.addCodeRangeCB()
pyqbdi.VM.addMnemonicCB()
pyqbdi.VM.addMemAccessCB(), pyqbdi.VM.addMemAddrCB() and pyqbdi.VM.addMemRangeCB()
pyqbdi.InstrRuleDataCBK.

Parameters

vm (VM) – The current QBDI object
gpr (GPRState) – The current GPRState
fpr (FPRState) – The current FPRState
data (Object) – A user-defined object.

Returns

the VMAction to continue or stop the execution

pyqbdi.VMCallback(vm: pyqbdi.VM, vmState: pyqbdi.VMState, gpr: pyqbdi.GPRState, fpr: pyqbdi.FPRState, data: object) → pyqbdi.VMAction ¶

This is the prototype of a function callback for pyqbdi.VM.addVMEventCB().

Parameters

vm (VM) – The current QBDI object
vmState (VMState) – A structure containing the current state of the VM.
gpr (GPRState) – The current GPRState
fpr (FPRState) – The current FPRState
data (Object) – A user-defined object

Returns

the VMAction to continue or stop the execution

pyqbdi.InstrRuleCallback(vm: pyqbdi.VM, ana: pyqbdi.InstAnalysis, data: object) → List[pyqbdi.InstrRuleDataCBK]¶

This is the prototype of a function callback for pyqbdi.VM.addInstrRule() and pyqbdi.VM.addInstrRuleRange().

Parameters

vm (VM) – The current QBDI object
ana (InstAnalysis) – The current QBDI object
data (Object) – A user-defined object

Returns

A list of pyqbdi.InstrRuleDataCBK

class pyqbdi.InstrRuleDataCBK¶

__init__(self: pyqbdi.InstrRuleDataCBK, cbk: Callable[[QBDI::VM, pyqbdi.GPRState, pyqbdi.FPRState, object], pyqbdi.VMAction], data: object, position: pyqbdi.InstPosition) → None¶

property cbk¶: Address of the function to call when the instruction is executed

property data¶: User defined data which will be forward to cbk.

property position¶: Relative position of the event callback (PREINST / POSTINST).

pyqbdi.InstPosition = <class 'pyqbdi.InstPosition'>¶

Position relative to an instruction.

Members:

PREINST : Positioned before the instruction.

POSTINST : Positioned after the instruction.

pyqbdi.VMAction = <class 'pyqbdi.VMAction'>¶

The callback results.

Members:

CONTINUE : The execution of the basic block continues.

BREAK_TO_VM : The execution breaks and returns to the VM causing a complete reevaluation of the execution state. A BREAK_TO_VM is needed to ensure that modifications of the Program Counter or the program code are taken into account.

STOP : Stops the execution of the program. This causes the run function to return early.

InstAnalysis¶

pyqbdi.AnalysisType = <class 'pyqbdi.AnalysisType'>¶

Instruction analysis type

Members:

ANALYSIS_INSTRUCTION : Instruction analysis (address, mnemonic, …)

ANALYSIS_DISASSEMBLY : Instruction disassembly

ANALYSIS_OPERANDS : Instruction operands analysis

ANALYSIS_SYMBOL : Instruction symbol

class pyqbdi.InstAnalysis¶

property address¶: Instruction address (if ANALYSIS_INSTRUCTION)

property affectControlFlow¶: True if instruction affects control flow (if ANALYSIS_INSTRUCTION)

property condition¶: Condition associated with the instruction (if ANALYSIS_INSTRUCTION)

property disassembly¶: Instruction disassembly (if ANALYSIS_DISASSEMBLY)

property flagsAccess¶: Flag access type (noaccess, r, w, rw) (if ANALYSIS_OPERANDS)

property instSize¶: Instruction size (in bytes) (if ANALYSIS_INSTRUCTION)

property isBranch¶: True if instruction acts like a ‘jump’ (if ANALYSIS_INSTRUCTION)

property isCall¶: True if instruction acts like a ‘call’ (if ANALYSIS_INSTRUCTION)

property isCompare¶: True if instruction is a comparison (if ANALYSIS_INSTRUCTION)

property isPredicable¶: True if instruction contains a predicate (~is conditional) (if ANALYSIS_INSTRUCTION)

property isReturn¶: True if instruction acts like a ‘return’ (if ANALYSIS_INSTRUCTION)

property loadSize¶: size of the expected read access (if ANALYSIS_INSTRUCTION)

property mayLoad¶: True if QBDI detects a load for this instruction (if ANALYSIS_INSTRUCTION)

property mayStore¶: True if QBDI detects a store for this instruction (if ANALYSIS_INSTRUCTION)

property mnemonic¶: LLVM mnemonic (if ANALYSIS_INSTRUCTION)

property module¶: Instruction module name (if ANALYSIS_SYMBOL and found)

property numOperands¶: Number of operands used by the instruction (if ANALYSIS_OPERANDS)

property operands¶: Structure containing analysis results of an operand provided by the VM (if ANALYSIS_OPERANDS)

property storeSize¶: size of the expected write access (if ANALYSIS_INSTRUCTION)

property symbol¶: Instruction symbol (if ANALYSIS_SYMBOL and found)

property symbolOffset¶: Instruction symbol offset (if ANALYSIS_SYMBOL)

pyqbdi.ConditionType = <class 'pyqbdi.ConditionType'>¶

Condition type

Members:

CONDITION_NONE : The instruction is unconditionnal

CONDITION_ALWAYS : The instruction is always true

CONDITION_NEVER : The instruction is always false

CONDITION_EQUALS : Equals ( ‘==’ )

CONDITION_NOT_EQUALS : Not Equals ( ‘!=’ )

CONDITION_ABOVE : Above ( ‘>’ unsigned )

CONDITION_BELOW_EQUALS : Below or Equals ( ‘<=’ unsigned )

CONDITION_ABOVE_EQUALS : Above or Equals ( ‘>=’ unsigned )

CONDITION_BELOW : Below ( ‘<’ unsigned )

CONDITION_GREAT : Great ( ‘>’ signed )

CONDITION_LESS_EQUALS : Less or Equals ( ‘<=’ signed )

CONDITION_GREAT_EQUALS : Great or Equals ( ‘>=’ signed )

CONDITION_LESS : Less ( ‘<’ signed )

CONDITION_EVEN : Even

CONDITION_ODD : Odd

CONDITION_OVERFLOW : Overflow

CONDITION_NOT_OVERFLOW : Not Overflow

CONDITION_SIGN : Sign

CONDITION_NOT_SIGN : Not Sign

class pyqbdi.OperandAnalysis¶

property flag¶: Operand flag

property regAccess¶: Register access type (r, w, rw)

property regCtxIdx¶: Register index in VM state

property regName¶: Register name

property regOff¶: Sub-register offset in register (in bits)

property size¶: Operand size (in bytes)

property type¶: Operand type

property value¶: Operand value (if immediate), or register Id

pyqbdi.OperandType = <class 'pyqbdi.OperandType'>¶

Operand type

Members:

OPERAND_INVALID : Invalid operand

OPERAND_IMM : Immediate operand

OPERAND_GPR : Register operand

OPERAND_PRED : Predicate operand

OPERAND_FPR : Float register operand

OPERAND_SEG : Segment or unsupported register operand

pyqbdi.OperandFlag = <class 'pyqbdi.OperandFlag'>¶

Operand flag

Members:

OPERANDFLAG_NONE : No flag

OPERANDFLAG_ADDR : The operand is used to compute an address

OPERANDFLAG_PCREL : The value of the operand is PC relative

OPERANDFLAG_UNDEFINED_EFFECT : The operand role isn’t fully defined

OPERANDFLAG_IMPLICIT : The operand is implicit

pyqbdi.RegisterAccessType = <class 'pyqbdi.RegisterAccessType'>¶

Access type (R/W/RW) of a register operand

Members:

REGISTER_UNUSED : Unused register

REGISTER_READ : Register read access

REGISTER_WRITE : Register write access

REGISTER_READ_WRITE : Register read/write access

MemoryAccess¶

class pyqbdi.MemoryAccess¶

property accessAddress¶: Address of accessed memory

property flags¶: Memory access flags

property instAddress¶: Address of instruction making the access

property size¶: Size of memory access (in bytes)

property type¶: Memory access type (READ / WRITE)

property value¶: Value read from / written to memory

pyqbdi.MemoryAccessType = <class 'pyqbdi.MemoryAccessType'>¶

Memory access type (read / write / …)

Members:

MEMORY_READ : Memory read access

MEMORY_WRITE : Memory write access

MEMORY_READ_WRITE : Memory read/write access

pyqbdi.MemoryAccessFlags = <class 'pyqbdi.MemoryAccessFlags'>¶

Memory access flags

Members:

MEMORY_NO_FLAGS : Empty flags

MEMORY_UNKNOWN_SIZE : The size of the access isn’t known.

MEMORY_MINIMUM_SIZE : The given size is a minimum size.

MEMORY_UNKNOWN_VALUE : The value of the access is unknown or hasn’t been retrived.

VMEvent¶

pyqbdi.VMEvent = <class 'pyqbdi.VMEvent'>¶

Members:

SEQUENCE_ENTRY : Triggered when the execution enters a sequence.

SEQUENCE_EXIT : Triggered when the execution exits from the current sequence.

BASIC_BLOCK_ENTRY : Triggered when the execution enters a basic block.

BASIC_BLOCK_EXIT : Triggered when the execution exits from the current basic block.

BASIC_BLOCK_NEW : Triggered when the execution enters a new (~unknown) basic block.

EXEC_TRANSFER_CALL : Triggered when the ExecBroker executes an execution transfer.

EXEC_TRANSFER_RETURN : Triggered when the ExecBroker returns from an execution transfer.

class pyqbdi.VMState¶

property basicBlockEnd¶: The current basic block end address which can also be the execution transfer destination.

property basicBlockStart¶: The current basic block start address which can also be the execution transfer destination.

property event¶: The event(s) which triggered the callback (must be checked using a mask: event & BASIC_BLOCK_ENTRY).

property sequenceEnd¶: The current sequence end address which can also be the execution transfer destination.

property sequenceStart¶: The current sequence start address which can also be the execution transfer destination.

Memory management¶

Allocation¶

pyqbdi.alignedAlloc(size: int, align: int) → int¶: Allocate a block of memory of a specified sized with an aligned base address.

pyqbdi.allocateVirtualStack(gprstate: pyqbdi.GPRState, size: int) → object¶: Allocate a new stack and setup the GPRState accordingly. The allocated stack needs to be freed with alignedFree(). The result was int, or None if the allocation fails.

pyqbdi.alignedFree(ptr: int) → None¶: Free a block of aligned memory allocated with alignedAlloc.

pyqbdi.simulateCall(ctx: pyqbdi.GPRState, returnAddress: int, args: List[int] = []) → None¶: Simulate a call by modifying the stack and registers accordingly.

Exploration¶

pyqbdi.getModuleNames() → List[str]¶: Get a list of all the module names loaded in the process memory.

pyqbdi.getCurrentProcessMaps(full_path: bool = False) → List[pyqbdi.MemoryMap]¶: Get a list of all the memory maps (regions) of the current process.

pyqbdi.getRemoteProcessMaps(pid: int, full_path: bool = False) → List[pyqbdi.MemoryMap]¶: Get a list of all the memory maps (regions) of a process.

class pyqbdi.MemoryMap¶

property name¶: Region name (useful when a region is mapping a module).

property permission¶: Region access rights (PF_READ, PF_WRITE, PF_EXEC).

property range¶: A range of memory (region), delimited between a start and an (excluded) end address.

pyqbdi.Permission = <class 'pyqbdi.Permission'>¶

Memory access rights.

Members:

PF_NONE : No access

PF_READ : Read access

PF_WRITE : Write access

PF_EXEC : Execution access

Other globals¶

pyqbdi.Options = <class 'pyqbdi.Options'>¶

VM options

Members:

NO_OPT : Default value

OPT_DISABLE_FPR : Disable all operation on FPU (SSE, AVX, SIMD). May break the execution if the target use the FPU.

OPT_DISABLE_OPTIONAL_FPR : Disable context switch optimisation when the target execblock doesn’t used FPR

OPT_ATT_SYNTAX : Used the AT&T syntax for instruction disassembly

pyqbdi.VMError = <class 'pyqbdi.VMError'>¶

QBDI Error values

Members:

INVALID_EVENTID : Mark a returned event id as invalid

Miscellaneous¶

Version & info¶

pyqbdi.__arch__¶

pyqbdi.__platform__¶

pyqbdi.__preload__¶: Library load with pyqbdipreload

pyqbdi.__version__¶: Version of QBDI

Log¶

pyqbdi.LogPriority = <class 'pyqbdi.LogPriority'>¶

Each log has a priority (or level) which can be used to control verbosity In production builds, only Warning and Error logs are kept.

Members:

DEBUG : Debug logs

WARNING : Warning logs

ERROR : Error logs

pyqbdi.addLogFilter(tag: str, priority: pyqbdi.LogPriority) → None¶: Enable logs matching tag and priority.

Range¶

class pyqbdi.Range¶

contains(*args, **kwargs)¶

Overloaded function.

contains(self: pyqbdi.Range, t: int) -> bool

Return True if an value is inside current range boundaries.

contains(self: pyqbdi.Range, r: pyqbdi.Range) -> bool

Return True if a range is inside current range boundaries.

property end¶: Range end value (always excluded).

intersect(self: pyqbdi.Range, r: pyqbdi.Range) → pyqbdi.Range ¶: Return the intersection of two ranges.

overlaps(self: pyqbdi.Range, r: pyqbdi.Range) → bool¶: Return True if a range is overlapping current range lower or/and upper boundary.

size(self: pyqbdi.Range) → int¶: Return the total length of a range.

property start¶: Range start value.

Memory helpers¶

pyqbdi.readMemory(address: int, size: int) → bytes¶

Read a content from a base address.

Parameters

address – Base address
size – Read size

Returns

Bytes of content.

Warning

This API is hazardous as the whole process memory can be read.

pyqbdi.readRword(address: int) → int¶

Read a rword to the specified address

Parameters: address – Base address
Returns: the value as a unsigned integer

Warning

This API is hazardous as the whole process memory can be read.

pyqbdi.writeMemory(address: int, bytes: str) → None¶

Write a memory content to a base address.

Parameters

address – Base address
bytes – Memory content

Warning

This API is hazardous as the whole process memory can be written.

pyqbdi.writeRword(address: int, value: int) → None¶

Write a rword in a base address.

Parameters

address – Base address
value – The value to write, as a unsigned integer

Warning

This API is hazardous as the whole process memory can be written.

pyqbdi.allocateRword() → int¶

Allocate a raw memory space to store a rword.

Returns: Address to a memory space to store a rword

pyqbdi.allocateMemory(length: int) → int¶

Allocate a raw memory space of specified length.

Parameters: length – length of the memory space to allocate
Returns: Address to the allocated memory

pyqbdi.freeMemory(address: int) → None¶

Free a memory space allocate with allocateRword or allocateMemory.

Parameters: address – Address of the allocated memory

Float helpers¶

pyqbdi.encodeFloat(val: float) → int¶

Encode a float as a signed integer.

Parameters: val – Float value
Returns: a sigend integer

pyqbdi.decodeFloat(val: int) → float¶

Encode a sigend integer as a float.

Parameters: val – signed integer value
Returns: a float

pyqbdi.encodeFloatU(val: float) → int¶

Encode a float as an unsigned interger.

Parameters: val – Float value
Returns: an unsigned integer

pyqbdi.decodeFloatU(val: int) → float¶

Encode an unsigend integer as a float.

Parameters: val – unsigned integer value
Returns: a float

pyqbdi.encodeDouble(val: float) → int¶

Encode a double as a signed integer.

Parameters: val – Double value
Returns: a sigend integer

pyqbdi.decodeDouble(val: int) → float¶

Encode a sigend integer as a double.

Parameters: val – signed integer value
Returns: a double

pyqbdi.encodeDoubleU(val: float) → int¶

Encode a double as an unsigned interger.

Parameters: val – Double value
Returns: an unsigned integer

pyqbdi.decodeDoubleU(val: int) → float¶

Encode an unsigend integer as a double.

Parameters: val – unsigned integer value
Returns: a double

For more conversion utilities, check out the Python’s struct library.