1
votes

I would like to know if it is possible to read the eax register of another process immediately after an assembly instruction has been executed.

In my case I have the following assembly code:

mov byte ptr ss:[EBP-4]
call dword ptr ds:[<&MSVCR100.??2@YAPAXI@Z>]
add esp, 4

The idea is to get the eax value just after the "call dword ptr ds:[<&MSVCR100.??2@YAPAXI@Z>]" instruction has been executed. Indeed, I have to retrieve the memory address returned by the instantiation of an object created in another process, in my C++ code.

Dunno if I have been clear enough. And please forgive my bad English.

It is possible using a debugger. - Lol4t0
You could put a hardware breakpoint at that location. - Matthew
A better way would be to modify the other process so you can hook it more cleanly. For example, you might have a registered callout that the process makes after it calls the function, where it passes the value to the callout. This sort of low-level hackery tends to be very fragile. - Raymond Chen

1 Answer

2
votes

You could debug the process using a hardware breakpoint.

Example using winapi (32-bit target; debug registers are part of each thread's context, so the breakpoint has to be installed in every thread of the debuggee that might execute the call):

#include <windows.h>
#include <stdio.h>
// Put an execute breakpoint on `address` in Dr0 of one thread. Only the debug
// registers are written: CONTEXT_INTEGER from a zeroed CONTEXT would clobber eax etc.
static void SetHwBreakpoint(HANDLE hThread, DWORD address)
{
    CONTEXT ctx = {0};
    ctx.ContextFlags = CONTEXT_DEBUG_REGISTERS;
    GetThreadContext(hThread, &ctx);
    ctx.Dr0 = address;
    ctx.Dr7 |= 0x00000001; // L0 = 1; RW0 = 00 (execute), LEN0 = 00
    SetThreadContext(hThread, &ctx);
}
// address = address of the instruction after the call; pid = PID of target process
void ReadEaxAfterCall(DWORD pid, DWORD address)
{
    DebugActiveProcess(pid);
    DEBUG_EVENT dbgEvent;
    while (WaitForDebugEvent(&dbgEvent, INFINITE))
    {
        DWORD status = DBG_EXCEPTION_NOT_HANDLED; // do not swallow the target's own exceptions
        switch (dbgEvent.dwDebugEventCode)
        {
        case CREATE_PROCESS_DEBUG_EVENT: // first thread, reported on attach
            SetHwBreakpoint(dbgEvent.u.CreateProcessInfo.hThread, address);
            status = DBG_CONTINUE;
            break;
        case CREATE_THREAD_DEBUG_EVENT: // other existing threads on attach, new ones later
            SetHwBreakpoint(dbgEvent.u.CreateThread.hThread, address);
            status = DBG_CONTINUE;
            break;
        case EXCEPTION_DEBUG_EVENT:
        {
            const EXCEPTION_RECORD &rec = dbgEvent.u.Exception.ExceptionRecord;
            if (rec.ExceptionCode == EXCEPTION_BREAKPOINT) // int 3 injected by DebugActiveProcess
                status = DBG_CONTINUE;
            if (rec.ExceptionCode == EXCEPTION_SINGLE_STEP && rec.ExceptionAddress == (LPVOID)address)
            {
                HANDLE hThread = OpenThread(THREAD_GET_CONTEXT | THREAD_SET_CONTEXT, FALSE, dbgEvent.dwThreadId);
                CONTEXT ctx = {0};
                ctx.ContextFlags = CONTEXT_INTEGER | CONTEXT_CONTROL;
                GetThreadContext(hThread, &ctx);
                printf("eax = 0x%08lx\n", ctx.Eax); // return value of operator new: the object address
                ctx.EFlags |= 0x10000; // RF: resume without re-triggering the execute breakpoint
                SetThreadContext(hThread, &ctx);
                CloseHandle(hThread);
                status = DBG_CONTINUE;
            }
            break;
        }
        }
        ContinueDebugEvent(dbgEvent.dwProcessId, dbgEvent.dwThreadId, status);
        if (dbgEvent.dwDebugEventCode == EXIT_PROCESS_DEBUG_EVENT)
            break;
    }
}
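The answer hardcodes Dr7 = 0x00000001, which is the encoding for "slot 0, execute, 1 byte". The following is an added example (my code, not the answer's, and it has no Windows dependency so it builds on any C compiler) that encodes DR7 for any slot, condition and length, refuses the combinations the CPU does not allow, and decodes DR6 to tell which slot fired. Reading DR6 (ctx.Dr6 from GetThreadContext with CONTEXT_DEBUG_REGISTERS) rather than comparing ExceptionAddress matters once more than one breakpoint is armed, and for data breakpoints, where the #DB is a trap reported at the instruction after the access. Bit positions follow the Intel SDM Vol. 3 debug register description; the 8-byte length encoding is left out because it exists only in 64-bit mode.

```c
#include <stdint.h>
#include <stdio.h>

/* DR7 layout:
   bit 2*n       Ln   local enable for slot n (0..3)
   bits 16+4*n   RWn  condition: 00 execute, 01 write, 11 read/write
   bits 18+4*n   LENn size: 00 1 byte, 01 2 bytes, 11 4 bytes (execute requires 00) */
enum { HWBP_EXECUTE = 0, HWBP_WRITE = 1, HWBP_READWRITE = 3 };

/* Arm `slot` in *dr7 for `type` on `len` bytes, keeping the other slots as they are.
   Returns 1 on success, 0 (and *dr7 untouched) for combinations the CPU rejects. */
static int dr7_set_slot(uint32_t *dr7, int slot, int type, int len)
{
    uint32_t len_bits;
    if (slot < 0 || slot > 3) return 0;
    if (type != HWBP_EXECUTE && type != HWBP_WRITE && type != HWBP_READWRITE) return 0;
    if (type == HWBP_EXECUTE) {
        if (len != 1) return 0;   /* execute breakpoints are always LEN = 00 */
        len_bits = 0;
    } else {
        switch (len) {
        case 1: len_bits = 0; break;
        case 2: len_bits = 1; break;
        case 4: len_bits = 3; break;
        default: return 0;        /* 8 bytes (LEN = 10) is 64-bit mode only */
        }
    }
    uint32_t v = *dr7;
    v &= ~(0xFu << (16 + 4 * slot));                              /* clear RWn|LENn */
    v |= ((uint32_t)type | (len_bits << 2)) << (16 + 4 * slot);   /* set RWn|LENn */
    v |= 1u << (2 * slot);                                        /* Ln */
    *dr7 = v;
    return 1;
}

/* Disarm one slot: clear Ln and its RWn/LENn bits. */
static void dr7_clear_slot(uint32_t *dr7, int slot)
{
    if (slot < 0 || slot > 3) return;
    *dr7 &= ~(1u << (2 * slot));
    *dr7 &= ~(0xFu << (16 + 4 * slot));
}

/* After EXCEPTION_SINGLE_STEP, DR6 bits B0..B3 say which slot triggered.
   Returns the lowest set slot, or -1 if none (e.g. a plain TF single-step, BS = bit 14). */
static int dr6_hit_slot(uint32_t dr6)
{
    for (int i = 0; i < 4; i++)
        if (dr6 & (1u << i)) return i;
    return -1;
}

/* Data breakpoints are expected to be aligned to their length; an unaligned
   address silently watches the aligned range that contains it. */
static int hwbp_aligned(uint32_t address, int len)
{
    return (address % (uint32_t)len) == 0;
}

int main(void)
{
    uint32_t dr7 = 0;
    dr7_set_slot(&dr7, 0, HWBP_EXECUTE, 1);  /* the answer's value: 0x00000001 */
    dr7_set_slot(&dr7, 1, HWBP_WRITE, 4);    /* additionally watch a 4-byte write in slot 1 */
    printf("DR7 = 0x%08x\n", dr7);           /* 0x00d00005 */
    printf("DR6 = 0x2 -> slot %d\n", dr6_hit_slot(0x2));
    return 0;
}
```

In the debugger loop from the answer this replaces the hardcoded constant: read the thread's CONTEXT with CONTEXT_DEBUG_REGISTERS, call dr7_set_slot on ctx.Dr7 after storing the address in the matching Drn, write it back, and on EXCEPTION_SINGLE_STEP use dr6_hit_slot(ctx.Dr6) to decide which breakpoint you are looking at.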