here is a memory address conversion question for you.

[goldbaby]

I can't figure out how to find a base address or virtual process address of EIP during a breakpoint in a debugger session debugging a program....

the "getthreadselectorentry" code below doesn't work to give me data about the con\eip address... anybody know anything about this stuff?

Code: Select all

global con.context

  hThreadh = CallFunction(libkernel32,"OpenThread", #PROCESS_ALL_ACCESS_VISTA_WIN7, 0,de\DWthreadid)
con\ContextFlags = #CONTEXT_CONTROL
res=GetThreadContext_(hthreadh,@con)




 PUSH eax
MOV eax,con\eflags
OR eax,$100
MOV con\eflags,eax
POP eax


eap=de\u\exception\exceptionrecord\exceptionaddress
Global   selentry.LDT_ENTRY;
Global   dwDsBase.l;
 

 ;  /* try and calculate the address of EIP so i have the (I think it is called) process's virtual address of EIP */ 
   GetThreadSelectorEntry_(hThreadh, Con\eip, @SelEntry);
   ;MessageRequester("basehi",Str(con\eip))
   dwDsBase =  (SelEntry\HighWord\Bytes\BaseHi << 24) | (SelEntry\HighWord\Bytes\BaseMid << 16) | SelEntry\BaseLow

the get threadselectorentry is not returning data about con\eip into, for example, SelEntry\HighWord\Bytes\BaseHi........ all the data that is in the SelEntry "LDT_ENTRY" structure is always empty after calling GetThreadSelectorEntry.

[goldbaby]

what i am looking for is convert the current EIP address during a breakpoint exception into the process's virtual address (if i speak that correctly)

[SFSxOI]

You mean the base address of a process? Is so then try this:

Code: Select all

; returns a module base address
; usage : RetrieveModuleBase("notepad.exe", "kernel32.dll")

Procedure.s RetrieveModuleBase(ProcName.s, ModuleName.s) 
lReturnID.i 
hSnapProcess.i 
hSnapModule.i 
procx.PROCESSENTRY32 
Module.MODULEENTRY32 

OpenLibrary(0, "kernel32.dll")
hSnapProcess=CallFunction(0, "CreateToolhelp32Snapshot", #TH32CS_SNAPPROCESS, 0) 
If hSnapProcess <> 0 
  procx\dwSize = SizeOf(procx) 
  lReturnID = CallFunction(0, "Process32First", hSnapProcess, @procx) 
  While lReturnID<>0 
    If FindString(Left(PeekS(@procx\szExeFile), Len(ProcName)), ProcName, 1)=1 
      hSnapModule = CallFunction(0, "CreateToolhelp32Snapshot", #TH32CS_SNAPMODULE, procx\th32ProcessID) 
      If hSnapModule 
        Module\dwSize = SizeOf(Module) 
        lReturnID = CallFunction(0, "Module32First", hSnapModule, @Module) 
        
        While lReturnID<>0 
          If FindString(Left(PeekS(@Module\szModule), Len(ModuleName)), ModuleName, 1)=1 
            CloseLibrary(0) 
            ProcedureReturn "$"+Hex(Module\modBaseAddr) 
          EndIf 
          lReturnID = CallFunction(0, "Module32Next", hSnapModule, @Module) 
        Wend 
      
      EndIf 
    EndIf 
    lReturnID = CallFunction(0, "Process32Next", hSnapProcess, @procx) 
  Wend 
EndIf 
CloseLibrary(0) 
ProcedureReturn  "0" 
EndProcedure

Debug RetrieveModuleBase("notepad.exe", "kernel32.dll")

[goldbaby]

the debugger was returning the value zero when i tried it with notepad.exe running and then tried it with another program called tordns.exe
I wonder why it returned the value zero instead of the base address.... thanks for the code btw I just can't figure out why it doesnt work for some reason..... im running windows 7 64 bit

[SFSxOI]

Assuming you made the proper changes for 64 bit, dunno. But works here on Windows 7 Ultimate 32 bit.

[goldbaby]

what im looking for is to convert whatever type of addressing the exceptionaddress is of a debug breakpoint for example, which seems to always be the same as EIP register while the program is running, into the other type of addressing, virtual or physical, i dont have a complete grasp of windows memory......... I know u can enumerate the process's memory, and every process has its own virtual memory...... the code im trying to use can not use the address that the exceptionaddress or current EIP register address is unless it converted to another type of addressing..... I suppose its called convert it to a virtual address of the process im debugging, but im not sure......

[Thorium]

Hm, if i understand it right you don't have to convert anything. You have to access the address with ReadProcessMemory_ and WriteProcessMemory_

[goldbaby]

well, what it was about is to find the start of the code in memory, which when calculated looks different from the addressing of for example the current EIP in the context of the currently debugged thread (process thread)...... I'll try and figure it out...... the start code of an EXE is usually around $401000 or something but the current EIP is always way larger looking number.... I'm trying to stop the debugger at the beginning or addressofentrypoint of the process.....

[Rook Zimbabwe]

if it is a numeric value you are looking for... I use Cheat -O-Matic to scan through memory addresses and locate them. This has started working again as game hacking methodology has improved and the old ways are forgotten.