Reading N bytes from a memory address using LLDB's Python API

Question

Although LLDB's Python API seems incredibly powerful, it's a bit hard to get started. Specifically, I'm looking for a way to read N bytes from a given memory address. I thought I would be able to do so using lldb.SBValue.CreateValueFromAddress method, which maps to:

SBValue_CreateValueFromAddress(SBValue self, char const * name, lldb::addr_t address, SBType type) -> SBValue

Unfortunately, I can't figure out from the reference documentation what arguments to pass and what they mean. Another approach was to create an lldb.SBAddress but again, I get stuck at the same point as the arguments required for __init__ are unclear to me.

Question: How can I read N bytes from a given memory address using LLDB's Python API? Good reading material on the subject is most welcome as well.

Thanks in advance.

Answer 1

You should use SBProcess.ReadMemory.

def my_command(debugger, command, result, internal_dict):
    my_address = 0xdeadbeef  # change for some real address
    my_data_size = 0x1000  # change for some real memory size

    error_ref = lldb.SBError()
    process = debugger.GetSelectedTarget().GetProcess()
    memory = process.ReadMemory(my_address, my_data_size, error_ref)
    if error_ref.Success():
        # `memory` is a regular byte string
    else:
        result.AppendString(str(error_ref))

ReadMemory modifies error_ref if an error occurs.

Answer 2

Using EvaluateExpression on the current Frame object does the trick. For example:

debugger.GetSelectedTarget().GetProcess().GetSelectedThread().GetFrameAtIndex(0).EvaluateExpression(*(int*)(0x0000000100400000)).GetValue()

Based on this answer.

Answer 3

Here's an example from Rust's LLDB formatters:

    element_type_size = element_type.GetByteSize()
    def render_element(i):
        address = start_address + i * element_type_size
        element_val = raw_value.CreateValueFromAddress(array_name + ("[%s]" % i),
                                                   address,
                                                   element_type)

This is indexing into a contiguous array of memory all of the same type. The name param seems to be a label the debugger can use to display to the user, but is unrelated to the actual value being displayed (I.e. you can set it to anything and it should work).

Alas I haven't quite figured out how one creates the final argument from scratch.