Read the eax register

Question

Read the eax register

I would like to know if it is possible to read the eax register of another process immediately after the assembly instruction.

In my case, I have the following assembler code:

mov byte ptr ss:[EBP-4] call dword ptr ds:[<& MSVCR100.??2@YAPAXI @Z>] add esp, 4

The idea is to get the eax value right after the command "call dword ptr ds: [<& MSVCR100. ?? 2 @YAPAXI @Z>]". In fact, I should get the memory address returned by the instanciation of an object created in another process in my C ++ code.

I don’t know if I were clear enough. And please forgive my bad English.

+1

c ++ assembly memory

alkpone May 10, '13 at 21:12

source share

1 answer

typ1232 · Accepted Answer · 2013-05-10T21:50:40+0000

You can debug the process using a hardware breakpoint.

Winapi usage example:

 DWORD address = 0x12345678; // address of the instruction after the call DebugActiveProcess(pid); // PID of target process CONTEXT ctx = {0}; ctx.ContextFlags = CONTEXT_DEBUG_REGISTERS | CONTEXT_INTEGER; ctx.Dr0 = address; ctx.Dr7 = 0x00000001; SetThreadContext(hThread, &ctx); // hThread with enough permissions DEBUG_EVENT dbgEvent; while (true) { if (WaitForDebugEvent(&dbgEvent, INFINITE) == 0) break; if (dbgEvent.dwDebugEventCode == EXCEPTION_DEBUG_EVENT && dbgEvent.u.Exception.ExceptionRecord.ExceptionCode == EXCEPTION_SINGLE_STEP) { if (dbgEvent.u.Exception.ExceptionRecord.ExceptionAddress == (LPVOID)address) { GetThreadContext(hThread, &ctx); DWORD eax = ctx.Eax; // eax get } } ContinueDebugEvent(dbgEvent.dwProcessId, dbgEvent.dwThreadId, DBG_CONTINUE); }

Read the eax register

More articles: