RIPs and RSPs of threads

[juergenkulow]

x64dbg:

I want to output the current RIPs and RSPs of all threads of my program in PureBasic like x64dbg does. How do I do that?

Code: Select all

; How to get rip and rsp of each Thread without changing the Thread?
Structure ThreadType
  ID.i
  RIP.i
  RSP.i
EndStructure
NewList ThreadList.ThreadType()
#Anzahl=10

Procedure myThread(*t.ThreadType)
  Protected i
  Repeat
    ; *t\RIP=?Label13 : Label13:  ; without doing this every code line. 
    Delay(1)
    For i=1 To 1000000 
    Next
  ForEver
EndProcedure

For i=1 To #Anzahl
  AddElement(Threadlist())
  Threadlist()\ID=CreateThread(@myThread(),@Threadlist())
Next 

Window=OpenWindow(#PB_Any,0,0,300,#Anzahl*20,"List Thread RIP, RSP",#PB_Window_SystemMenu)
AddWindowTimer(Window,123,1600)
TextGadget(0,0,0,300,#Anzahl*20,"RIP                              RSP")
Repeat
  Event=WaitWindowEvent(16)
  Select Event
    Case #PB_Event_Timer
      Select EventTimer()
          Case 123
            s.s="RIP"+#CRLF$
            ForEach Threadlist()
              Threadlist()\RIP=$13DA111B+Random(50)  ; ???
              s+RSet(Hex(ThreadList()\RIP,#PB_Quad),16,"0")+#CRLF$
            Next
            SetGadgetText(0,s)
      EndSelect      
  EndSelect    
Until Event=#PB_Event_CloseWindow

CompilerIf #PB_Compiler_Thread=0 
  CompilerError "Please switch Thread save on."
CompilerEndIf 

[idle]

isn't RIP global only, I don't think I understand the question?
lea reg [rip+0] or lea reg, [global]

[juergenkulow]

The main program has an instruction pointer and each thread has an instruction pointer, i.e. 11 in my example. The main program has a stack and each thread has a stack, i.e. 11 stack pointers. I want to output or evaluate all these pointers with PureBasic, like x64dbg does on the thread view.

[DarkDragon]

Probably you need something like this combined:

https://learn.microsoft.com/en-us/windo ... hread-list
https://learn.microsoft.com/en-us/windo ... dfrom=MSDN

The CONTEXT structure contains the addresses. Pc and Sp. If you want the stack frame you can also use the STACKFRAME64 structure.

[juergenkulow]

Code: Select all

; Threads rip and rsp - Windows x64
Structure ThreadType
  ID.i
  RIP.i
  RSP.i
  RIPLine.i 
EndStructure

CompilerIf #PB_Compiler_OS<>#PB_OS_Windows Or #PB_Compiler_Processor<>#PB_Processor_x64 
  CompilerError "Windows x64 only."
CompilerEndIf

NewList ThreadList.ThreadType()
#Anzahl=10

Procedure myThread(*t.ThreadType)
  Protected i
  Repeat
    *t\RIPLine=?Label14 : Label14:  
    Delay(1)
    For i=1 To 100000000
    Next
    Delay(1)
  ForEver
EndProcedure

Procedure myThread2(*t.ThreadType)
  Protected i
  *t\RIPLine=?Label24 : Label24:
  Repeat
    i+1
  ForEver
EndProcedure

; Start Threads
For i=1 To #Anzahl
  AddElement(Threadlist())
  Threadlist()\ID=CreateThread(@myThread(),@Threadlist())
Next 
AddElement(Threadlist())
Threadlist()\ID=CreateThread(@myThread2(),@Threadlist())

Window=OpenWindow(#PB_Any,0,0,400,#Anzahl*22+25,"Threads Instruction Pointer and Stack Pointer ",#PB_Window_SystemMenu)
AddWindowTimer(Window,123,16) ; 60 times per second
ListIconGadget(0,  10,  5, 380, #Anzahl*22, "RIP", 120)
AddGadgetColumn(0, 2, "RIPLine ", 120)
AddGadgetColumn(0, 3, "RSP ", 130)
Define *ctxfull = AllocateMemory(SizeOf(CONTEXT)+16) 
Define *ctx.CONTEXT = *ctxfull + (*ctxfull % 16)
Repeat
  Event=WaitWindowEvent(16)
  Select Event
    Case #PB_Event_Timer
      Select EventTimer()
          Case 123
            ClearGadgetItems(0)
            i=1
            ForEach Threadlist()
              *ctx\ContextFlags = #CONTEXT_FULL
              SuspendThread_(ThreadID(Threadlist()\ID))
              If GetThreadContext_(ThreadID(Threadlist()\ID), *ctx)
                Threadlist()\RIP=*ctx\Rip;
                Threadlist()\RSP=*ctx\Rsp;
              Else 
                Threadlist()\RIP=0
                Threadlist()\RSP=0
              EndIf 
              ResumeThread_(ThreadID(Threadlist()\ID))
              AddGadgetItem(0,i,RSet(Hex(ThreadList()\RIP,#PB_Quad),16,"0")+Chr(10)+
                                RSet(Hex(ThreadList()\RIPLine,#PB_Quad),16,"0")+Chr(10)+
                                RSet(Hex(ThreadList()\RSP,#PB_Quad),16,"0")+#CRLF$)
              i+1
            Next
        EndSelect      
  EndSelect    
Until Event=#PB_Event_CloseWindow

CompilerIf #PB_Compiler_Thread=0 
  CompilerError "Please switch Thread save on."
CompilerEndIf 

Under Linux, how can I access the RIPs and RSPs of the threads?

[tj1010]

The ONLY way to log EIP or RIP(which are both global across threads and imports) is debug API. I've tried with a driver and python->fridda and you just get intermittent tracing.. Using debug API to trace a robust process is a waiting game; even using x64debug and windbg and gdb.. You also have to deal with exception handlers when doing it..

ollydbg and x64debug both use the windows debug API for tracing, and it's accessible from userland