2.5. Exception and Context related structures

This module regroups all the Exception/Context related structures and functions. Most of the structures are the Windows structure with a prefix E (For enhanced)

Those structure have the same fields that the normal windows ones but their types might vary for a simpler use.

This module also define the decorator VectoredException() which allows to play with Vectored Exception Handler in Python

Note

See sample VectoredException() samples

2.5.1. Exception Records

class windows.winobject.exception.EEXCEPTION_RECORD

Enhanced exception record

property ExceptionAddress

The Exception Address

Type:

int

property ExceptionCode

The Exception code

Type:

int

fields = ['ExceptionCode', 'ExceptionFlags', 'ExceptionRecord', 'ExceptionAddress', 'NumberParameters', 'ExceptionInformation']

The fields of the structure

class windows.winobject.exception.EEXCEPTION_RECORD32

Enhanced exception record (32bits)

property ExceptionAddress

The Exception Address

Type:

int

property ExceptionCode

The Exception code

Type:

int

fields = ['ExceptionCode', 'ExceptionFlags', 'ExceptionRecord', 'ExceptionAddress', 'NumberParameters', 'ExceptionInformation']

The fields of the structure

class windows.winobject.exception.EEXCEPTION_RECORD64

Enhanced exception record (64bits)

property ExceptionAddress

The Exception Address

Type:

int

property ExceptionCode

The Exception code

Type:

int

fields = ['ExceptionCode', 'ExceptionFlags', 'ExceptionRecord', 'ExceptionAddress', 'NumberParameters', '__unusedAlignment', 'ExceptionInformation']

The fields of the structure

2.5.2. EXCEPTION DEBUG INFO

class windows.winobject.exception.EEXCEPTION_DEBUG_INFO32

Enhanced Debug info

ExceptionRecord

Type:

EEXCEPTION_RECORD32

fields = ['ExceptionRecord', 'dwFirstChance']

The fields of the structure

class windows.winobject.exception.EEXCEPTION_DEBUG_INFO64

Enhanced Debug info

ExceptionRecord

Type:

EEXCEPTION_RECORD64

fields = ['ExceptionRecord', 'dwFirstChance']

The fields of the structure

2.5.3. Context

class windows.winobject.exception.ECONTEXT32

property EDr7

Enhanced view of the DR7 register (you also have Dr7 for the raw value)

Type:

EDr7

property EEFlags

Enhanced view of the Eflags (you also have EFlags for the raw value)

Type:

EEflags

dump(to_dump=None)

Dump (print) the current context

fields = ['ContextFlags', 'Dr0', 'Dr1', 'Dr2', 'Dr3', 'Dr6', 'Dr7', 'FloatSave', 'SegGs', 'SegFs', 'SegEs', 'SegDs', 'Edi', 'Esi', 'Ebx', 'Edx', 'Ecx', 'Eax', 'Ebp', 'Eip', 'SegCs', 'EFlags', 'Esp', 'SegSs', 'ExtendedRegisters']

The fields of the structure

property func_result

Function Resultat register (EAX or RAX)

property pc

Program Counter register (EIP or RIP)

regs(to_dump=None)

Return the name and values of the registers

Returns:

[(reg_name, value)] – A list of tuple

property sp

Stack Pointer register (ESP or RSP)

class windows.winobject.exception.ECONTEXTWOW64

property EDr7

Enhanced view of the DR7 register (you also have Dr7 for the raw value)

Type:

EDr7

property EEFlags

Enhanced view of the Eflags (you also have EFlags for the raw value)

Type:

EEflags

dump(to_dump=None)

Dump (print) the current context

fields = ['ContextFlags', 'Dr0', 'Dr1', 'Dr2', 'Dr3', 'Dr6', 'Dr7', 'FloatSave', 'SegGs', 'SegFs', 'SegEs', 'SegDs', 'Edi', 'Esi', 'Ebx', 'Edx', 'Ecx', 'Eax', 'Ebp', 'Eip', 'SegCs', 'EFlags', 'Esp', 'SegSs', 'ExtendedRegisters']

The fields of the structure

property func_result

Function Resultat register (EAX or RAX)

property pc

Program Counter register (EIP or RIP)

regs(to_dump=None)

Return the name and values of the registers

Returns:

[(reg_name, value)] – A list of tuple

property sp

Stack Pointer register (ESP or RSP)

class windows.winobject.exception.ECONTEXT64

property EDr7

Enhanced view of the DR7 register (you also have Dr7 for the raw value)

Type:

EDr7

property EEFlags

Enhanced view of the Eflags (you also have EFlags for the raw value)

Type:

EEflags

dump(to_dump=None)

Dump (print) the current context

fields = ['P1Home', 'P2Home', 'P3Home', 'P4Home', 'P5Home', 'P6Home', 'ContextFlags', 'MxCsr', 'SegCs', 'SegDs', 'SegEs', 'SegFs', 'SegGs', 'SegSs', 'EFlags', 'Dr0', 'Dr1', 'Dr2', 'Dr3', 'Dr6', 'Dr7', 'Rax', 'Rcx', 'Rdx', 'Rbx', 'Rsp', 'Rbp', 'Rsi', 'Rdi', 'R8', 'R9', 'R10', 'R11', 'R12', 'R13', 'R14', 'R15', 'Rip', 'DUMMYUNIONNAME', 'VectorRegister', 'VectorControl', 'DebugControl', 'LastBranchToRip', 'LastBranchFromRip', 'LastExceptionToRip', 'LastExceptionFromRip']

The fields of the structure

property func_result

Function Resultat register (EAX or RAX)

classmethod new_aligned()

Return a new ECONTEXT64 aligned on 16 bits

temporary workaround or horrible hack ? choose your side

property pc

Program Counter register (EIP or RIP)

regs(to_dump=None)

Return the name and values of the registers

Returns:

[(reg_name, value)] – A list of tuple

property sp

Stack Pointer register (ESP or RSP)

class windows.winobject.exception.EEflags

Flag view of the Eflags register

fields = ['CF', 'RES_1', 'PF', 'RES_3', 'AF', 'RES_5', 'ZF', 'SF', 'TF', 'IF', 'DF', 'OF', 'IOPL_1', 'IOPL_2', 'NT', 'RES_15', 'RF', 'VM', 'AC', 'VIF', 'VIP', 'ID']

The fields of the structure

property raw

Raw value of the eflags

Type:

int

class windows.winobject.exception.EDr7

Flag view of the DR7 register

fields = ['L0', 'G0', 'L1', 'G1', 'L2', 'G2', 'L3', 'G3', 'LE', 'GE', 'RES_1', 'GD', 'RES_1', 'RW0', 'LEN0', 'RW1', 'LEN1', 'RW2', 'LEN2', 'RW3', 'LEN3']

The fields of the structure

2.5.4. EXCEPTION POINTERS

class windows.winobject.exception.EEXCEPTION_POINTERS

ExceptionRecord

Type:

POINTER to EEXCEPTION_RECORD

ContextRecord

Type:

POINTER to ECONTEXT32 or ECONTEXT64

dump()

Dump (print) the EEXCEPTION_POINTERS

2.5.5. Vectored Exception

Note

See sample VectoredException()

class windows.winobject.exception.VectoredException(func)

A decorator that create a callable which can be passed to AddVectoredExceptionHandler()

func_type

alias of WinFunctionType