读EAX寄存器 [英] Read eax register

问题描述

我想知道是否有可能汇编指令已被执行后立即读取另一个进程的EAX寄存器。

I would like to know if it is possible to read the eax register of another process immediately after an assembly instruction has been executed.

在我的情况，我有以下组装code：

In my case I have the following assembly code:

mov byte ptr ss:[EBP-4]
call dword ptr ds:[<&MSVCR100.??2@YAPAXI@Z>]
add esp, 4

我们的想法是让EAX值只是后叫DWORD PTR DS：[＆LT;＆安培; MSVCR100 ?? 2 @ YAPAXI @ Z>]指令已被执行。
事实上，我要检索另一个进程中创建的对象的instanciation返回的内存地址，在我的C ++ code。

The idea is to get the eax value just after the "call dword ptr ds:[<&MSVCR100.??2@YAPAXI@Z>]" instruction has been executed. Indeed, I have to retrieve the memory address returned by the instanciation of an object created in another process, in my C++ code.

如果我已经说不上不够清楚。并请原谅我的英语不好。

Dunno if I have been clear enough. And please forgive my bad english.

推荐答案

您可以使用硬件断点调试的过程。

You could debug the process using a hardware breakpoint.

例使用WINAPI：

DWORD address = 0x12345678; // address of the instruction after the call

DebugActiveProcess(pid); // PID of target process

CONTEXT ctx = {0};
ctx.ContextFlags = CONTEXT_DEBUG_REGISTERS | CONTEXT_INTEGER;
ctx.Dr0 = address;
ctx.Dr7 = 0x00000001;
SetThreadContext(hThread, &ctx); // hThread with enough permissions

DEBUG_EVENT dbgEvent;
while (true)
{
    if (WaitForDebugEvent(&dbgEvent, INFINITE) == 0)
        break;

    if (dbgEvent.dwDebugEventCode == EXCEPTION_DEBUG_EVENT &&
        dbgEvent.u.Exception.ExceptionRecord.ExceptionCode == EXCEPTION_SINGLE_STEP)
    {
        if (dbgEvent.u.Exception.ExceptionRecord.ExceptionAddress == (LPVOID)address)
        {
            GetThreadContext(hThread, &ctx);
            DWORD eax = ctx.Eax; // eax get
        }
    }

    ContinueDebugEvent(dbgEvent.dwProcessId, dbgEvent.dwThreadId, DBG_CONTINUE);
}

这篇关于读EAX寄存器的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！