Class Vdb

Instantiate a line-oriented interpreter framework.

The optional argument 'completekey' is the readline name of a completion key; it defaults to the Tab key. If completekey is not None and the readline module is available, command completion is done automatically. The optional arguments stdin and stdout specify alternate input and output file objects; if not specified, sys.stdin and sys.stdout are used.

Overrides: vtrace.util.TraceManager.__init__

Generate a new trace for this vdb instance. This fixes many of the new attach/exec data munging issues because tracer re-use is *very* sketchy...

Overrides: envi.cli.EnviCli.parseExpression

Over-ride this to have things like the eval command and the python command use more locals than the sybolic defaults.

Overrides: envi.cli.EnviCli.getExpressionLocals

(inherited documentation)

Return a string representing the best known name for the given address

Overrides: envi.cli.EnviCli.reprPointer

Overrides: vtrace.notifiers.Notifier.notify

List the available structure modules and optionally structure definitions from a particular module in the current vstruct.

Usage: vstruct [modname]

Print out the opcodes for a given address expression

Usage: dis <address expression> [<size expression>]

Set a variable in the expression parsing context. This allows for scratchspace names (python compatable names) to be used in expressions.

Usage: var <name> <addr_expression>

NOTE: The address expression *must* resolve at the time you set it.

Allocate a chunk of memory in the target process. It will be allocated with rwx permissions.

Usage: alloc <size expr>

Load a file into memory. (straight mapping, no parsing)

Usage: memload <filename>

Break out a strcuture from memory. You may use the command "vstruct" to show the known structures in vstruct.

Usage: struct <StructName> <vtrace expression>

Show the current pending signal/exception code.

Usage: signal

Take a process snapshot of the current (stopped) trace and save it to the specified file.

Usage: snapshot <filename>

Add the specified signal id (exception id for windows) to the ignored
signals list for the current trace.  This will make the smallest possible
performance impact for that particular signal but will also not alert
you that it has occured.

Usage: ignore [options] [-c | <sigcode>...]
-d - Remove the specified signal codes.
-c - Include the *current* signal in the sigcode list
-C - Clear the list of ignored signals

Example: ignore -c # Ignore the currently posted signal
         ignore -d 0x80000001 # Remove 0x80000001 from the ignores

Execute a program with the given command line and attach to it. Usage: exec </some/where and some args>

List the current threads in the target process or select the current thread context for the target tracer. Usage: threads [thread id]

Suspend a thread.

Usage: suspend <-A | <tid>[ <tid>...]>

Restart the current process.

Usage: restart

NOTE: This only works if the process was exec'd to begin with!

TODO: Plumb options for persisting bp's etc...

Resume a thread.

Usage: resume <-A | <tid>[ <tid>...]>

Set modes in the tracers... mode Foo=True/False

Show the current register values. Additionally, you may specify name=<expression> to set a register

Usage: reg [regname=vtrace_expression]

Single step the target tracer. Usage: stepi [ options ]

-A <addr> - Step to <addr> -B - Step past the next branch instruction -C <count> - Step <count> instructions -R - Step to return from this function -V - Show operand values during single step (verbose!)

Continue the target tracer. -I go icount linear instructions forward (step over style) -U go *out* of fcount frames (step out style) <until addr> go until explicit address

Usage: go [-U <fcount> | -I <icount> | <until addr expression>]

Attempt to spawn the VDB gui. Assuming GTK etc are all installed.

Run the target process until the specified library (by normalized name such as 'kernel32' or 'libc') is loaded. Disable waiting with -D.

Usage: waitlib [ -D | <libname> ]

Start a vtrace server on the local box. If the server is already running, show which processes are being remotely debugged.

Usage: server

List symbols and by file.

Usage: syms [-s <pattern>] [filename]

With no arguments, syms will self.vprint(the possible libraries with symbol resolvers. Specify a library to see all the symbols for it.

Allows a C-like syntax for calling functions inside the target process (from his context). Example: call printf("yermom %d", 10)

Return the "best name" string for an address.

Usage: bestname <vtrace expression>

Overrides: envi.cli.EnviCli.do_EOF

Quit VDB

use "quit force" to hard-force a quit regardless of everything.

Overrides: envi.cli.EnviCli.do_quit

Attach to a process by PID or by process name. In the event of more than one process by a given name, attach to the last (most recently created) one in the list.

Usage: attach [<pid>,<name>]

NOTE: This is *not* a regular expression. The given string must be found as a substring of the process name...

Manipulate the auto-continue behavior for the trace. This will cause particular event types to automagically continue execution.

Usage: autocont [event name]

Called when an empty line is entered in response to the prompt.

If this method is not overridden, it repeats the last nonempty command entered.

Overrides: cmd.Cmd.emptyline

(inherited documentation)

Show a stack backtrace for the currently selected thread.

Usage: bt

Show the loaded libraries and their base addresses.

Usage: lm [libname]

Parse and display a Global Unique Identifier (GUID) from memory (eventually, use GUID db to lookup the name/meaning of the GUID).

Usage: guid <addr_exp>

Set the python code for a breakpoint from the contents of a file.

Usage: bpfile <bpid> <filename>

Manipulcate the python code that will be run for a given breakpoint by ID. (Also the way to view the code).

Usage: bpedit <id> ["optionally new code"]

NOTE: Your code must be surrounded by "s and may not contain any "s

Show, add,  and enable/disable breakpoints
USAGE: bp [-d <addr>] [-a <addr>] [-o <addr>] [[-c pycode] <address> [vdb cmds]]
-C - Clear All Breakpoints
-c "py code" - Set the breakpoint code to the given python string
-d <id> - Disable Breakpoint
-e <id> - Enable Breakpoint
-r <id> - Remove Breakpoint
-o <addr> - Create a OneTimeBreak
-L <libname> - Add bp's to all functions in <libname>
-F <filename> - Load bpcode from file
-W perms:size - Set a hardware Watchpoint with perms/size (ie -W rw:4)
-f - Make added breakpoints from this command into "fastbreaks"
-S <libname>:<regex> - Add bp's to all matching funcs in <libname>

<address>... - Create Breakpoint

[vdb cmds].. - (optional) vdb cli comand to run on BP hit (seperate
               multiple commands with ;; )

NOTE: -c adds python code to the breakpoint.  The python code will
    be run with the following objects mapped into it's namespace
    automagically:
        vtrace  - the vtrace package
        trace   - the tracer
        bp      - the breakpoint object

Show all the open Handles/FileDescriptors for the target process. The "typecode" shown in []'s is the vtrace typecode for that kind of fd/handle.

Usage: fds

Show the current process list.

Usage: ps

Send the break signal to the target tracer to stop it's execution.

Usage: break

Show the metadata for the current trace.

Usage: meta

Save and compare snapshots of memory to enumerate changes.

Usage: memdiff [options]
-C             Clear all current memory diff snapshots.
-A <va:size>   Add the given virtual address to the list.
-M <va>        Add the entire memory map which contains VA to the list.
-D             Compare currently tracked memory with the target process
               and show any differences.

Cli interface to the "stack doping" api inside recon. *BETA*

(Basically, set all un-initialized stack memory to V's to tease out uninitialized stack bugs)

Usage: dope [ options ] -E Enable automagic thread stack doping on all continue events -D Disable automagic thread stack doping on all continue events -A Dope all current thread stacks

Cli front end to the vdb recon subsystem which allows runtime
analysis of known API calls.

Usage: recon [options]
-A <sym_expr>:<recon_fmt> - Add a recon breakpoint with the given format
-C - Clear the current list of recon breakpoint hits.
-H - Print the current list of recon breakpoint hits.
-Q - Toggle "quiet" mode which prints nothing on bp hits.
-S <sym_expr>:<argidx> - Add a sniper break for arg index

NOTE: A "recon format" is a special format sequence which tells the
      recon subsystem how to present the argument data for a given
      breakpoint hit.

Recon Format:
C - A character
I - A decimal integer
P - A pointer (display symbol if possible)
S - An ascii string (up to 260 chars)
U - A unicode string (up to 260 chars)
X - A hex number

Cli front end to the VDB code coverage subsystem. FIXME MORE DOCS!

Usage: stalker [options] -C - Cleanup stalker breaks and hit info -c - Clear the current hits (so you can make more ;) -E <addr_expr> - Add the specified entry point for tracking -H - Show the current hits -L <lib>:<regex> - Add stalker breaks to all matching library symbols -R - Reset all breakpoints to enabled and clear hit info

Act as a remote debugging client to the server running on the specified host/ip.

Usage: remote <host>