72491

Read eax register

Question:

I would like to know if it is possible to read the eax register of another process immediately after an assembly instruction has been executed.

In my case I have the following assembly code:

mov byte ptr ss:[EBP-4] call dword ptr ds:[<&MSVCR100.??2@YAPAXI@Z>] add esp, 4

The idea is to get the eax value just after the "call dword ptr ds:[<&MSVCR100.??2@YAPAXI@Z>]" instruction has been executed. Indeed, I have to retrieve the memory address returned by the instanciation of an object created in another process, in my C++ code.

Dunno if I have been clear enough. And please forgive my bad english.

Answer1:

You could debug the process using a hardware breakpoint.

Example using winapi:

DWORD address = 0x12345678; // address of the instruction after the call DebugActiveProcess(pid); // PID of target process CONTEXT ctx = {0}; ctx.ContextFlags = CONTEXT_DEBUG_REGISTERS | CONTEXT_INTEGER; ctx.Dr0 = address; ctx.Dr7 = 0x00000001; SetThreadContext(hThread, &ctx); // hThread with enough permissions DEBUG_EVENT dbgEvent; while (true) { if (WaitForDebugEvent(&dbgEvent, INFINITE) == 0) break; if (dbgEvent.dwDebugEventCode == EXCEPTION_DEBUG_EVENT && dbgEvent.u.Exception.ExceptionRecord.ExceptionCode == EXCEPTION_SINGLE_STEP) { if (dbgEvent.u.Exception.ExceptionRecord.ExceptionAddress == (LPVOID)address) { GetThreadContext(hThread, &ctx); DWORD eax = ctx.Eax; // eax get } } ContinueDebugEvent(dbgEvent.dwProcessId, dbgEvent.dwThreadId, DBG_CONTINUE); }

Recommend

  • Can't Install MSVCP100.dll
  • how to build .exe for python 3.5+, 3.6 if possible?
  • C/C++ returning struct by value under the hood
  • Why AddRef returns zero
  • how to find function boundaries in binary code
  • Html Anchor text formatting
  • x86: Count transitions from 1 to 0 in 32 bit number
  • Ruby: Why does this way of using map throw an error?
  • Parse Framework with Swift
  • How to use the resource module to measure the running time of a function?
  • How to open multiple instances of a program in Linux
  • TSQL Rolling Average of Time Groupings
  • Where these are stored?
  • Find group of records that match multiple values
  • Ubuntu and bcrypt
  • Spark job failing in YARN mode
  • Using JRuby with Rails 3.2
  • Unable to install Git-core+svn by MacPorts
  • Unable to get column index with table.getColumn method using custom table Model
  • Caching attributes in superclass
  • Is it possible to access block's scope in method?
  • Meteor: Do Something On Email Verification Confirmation
  • Cannot resolve symbol 'MyApi'
  • SignalR .NET Client Invoke throws an exception
  • How to get address from latitude and longitude android google map v2 [duplicate]
  • Can I display google adwords (AdView) in javafx on android
  • Read text file and split every line in MSBuild
  • C# - Serializing and deserializing static member
  • DotNetZip - Calculate final zip size before calling Save(stream)
  • Java applet as stand-alone Windows application?
  • Can I make an Android app that runs a web view in Chrome 39?
  • How do I rollback to a specific git commit
  • WPF Applying a trigger on binding failure
  • Benchmarking RAM performance - UWP and C#
  • Error creating VM instance in Google Compute Engine
  • using HTMLImports.whenReady not working in chrome
  • Android Google Maps API OnLocationChanged only called once
  • How to Embed XSL into XML
  • UserPrincipal.Current returns apppool on IIS
  • Conditional In-Line CSS for IE and Others?