here is a memory address conversion question for you.
Posted: Fri Jun 18, 2010 4:03 pm
by goldbaby
I can't figure out how to find a base address or virtual process address of EIP during a breakpoint in a debugger session debugging a program....
The "GetThreadSelectorEntry" code below doesn't work to give me data about the con\eip address... anybody know anything about this stuff?
Code:
Global con.CONTEXT
; open the thread that raised the debug event (de is the DEBUG_EVENT; libkernel32 is the
; kernel32.dll library handle and #PROCESS_ALL_ACCESS_VISTA_WIN7 the poster's own access mask)
hThreadh = CallFunction(libkernel32, "OpenThread", #PROCESS_ALL_ACCESS_VISTA_WIN7, 0, de\dwThreadId)
con\ContextFlags = #CONTEXT_CONTROL
res = GetThreadContext_(hThreadh, @con)
; set the trap flag (TF, bit 8 of EFlags) so the thread single-steps; the modified
; context must be written back or the change never reaches the thread
con\EFlags = con\EFlags | $100
SetThreadContext_(hThreadh, @con)
; address of the faulting instruction; for a breakpoint this is the thread's EIP
eap = de\u\Exception\ExceptionRecord\ExceptionAddress
Global SelEntry.LDT_ENTRY
Global dwDsBase.l
; try and calculate the address of EIP so I have the (I think it is called) process's virtual address of EIP.
; Note: GetThreadSelectorEntry() expects a segment selector (con\SegCs, con\SegDs, ...) as its
; second argument and fills SelEntry with that segment's descriptor; it does not take an address.
GetThreadSelectorEntry_(hThreadh, con\Eip, @SelEntry)
;MessageRequester("basehi", Str(con\Eip))
; PureBasic byte and word fields are signed, so mask them before shifting
dwDsBase = ((SelEntry\HighWord\Bytes\BaseHi & $FF) << 24) | ((SelEntry\HighWord\Bytes\BaseMid & $FF) << 16) | (SelEntry\BaseLow & $FFFF)
GetThreadSelectorEntry is not returning data about con\eip into, for example, SelEntry\HighWord\Bytes\BaseHi... all the data in the SelEntry "LDT_ENTRY" structure is always empty after calling GetThreadSelectorEntry.
Re: here is a memory address conversion question for you.
Posted: Fri Jun 18, 2010 4:13 pm
by goldbaby
What I am looking for is to convert the current EIP address during a breakpoint exception into the process's virtual address (if I say that correctly).
Re: here is a memory address conversion question for you.
Posted: Fri Jun 18, 2010 5:44 pm
by SFSxOI
You mean the base address of a process? If so, then try this:
Code:
; returns a module base address as a hex string, or "0" if the process or module was not found
; usage : RetrieveModuleBase("notepad.exe", "kernel32.dll")
Procedure.s RetrieveModuleBase(ProcName.s, ModuleName.s)
  Protected lReturnID.i
  Protected hSnapProcess.i
  Protected hSnapModule.i
  Protected procx.PROCESSENTRY32
  Protected Module.MODULEENTRY32
  Protected Result.s = "0"

  OpenLibrary(0, "kernel32.dll")
  ; CreateToolhelp32Snapshot() returns #INVALID_HANDLE_VALUE (-1) on failure, not 0
  hSnapProcess = CallFunction(0, "CreateToolhelp32Snapshot", #TH32CS_SNAPPROCESS, 0)
  If hSnapProcess <> #INVALID_HANDLE_VALUE
    procx\dwSize = SizeOf(procx)
    lReturnID = CallFunction(0, "Process32First", hSnapProcess, @procx)
    While lReturnID <> 0
      ; prefix match on the exe name, case-insensitive
      If LCase(Left(PeekS(@procx\szExeFile), Len(ProcName))) = LCase(ProcName)
        ; module snapshot of the matching process. A 32-bit caller cannot snapshot the modules
        ; of a 64-bit process (the call fails with ERROR_PARTIAL_COPY), so for the 64-bit
        ; notepad.exe on Windows 7 x64 a 32-bit build of this code returns "0"
        hSnapModule = CallFunction(0, "CreateToolhelp32Snapshot", #TH32CS_SNAPMODULE, procx\th32ProcessID)
        If hSnapModule <> #INVALID_HANDLE_VALUE
          Module\dwSize = SizeOf(Module)
          lReturnID = CallFunction(0, "Module32First", hSnapModule, @Module)
          While lReturnID <> 0
            If LCase(Left(PeekS(@Module\szModule), Len(ModuleName))) = LCase(ModuleName)
              Result = "$" + Hex(Module\modBaseAddr)
              Break
            EndIf
            lReturnID = CallFunction(0, "Module32Next", hSnapModule, @Module)
          Wend
          CloseHandle_(hSnapModule)
        EndIf
        If Result <> "0"
          Break
        EndIf
      EndIf
      lReturnID = CallFunction(0, "Process32Next", hSnapProcess, @procx)
    Wend
    CloseHandle_(hSnapProcess)
  EndIf
  CloseLibrary(0)
  ProcedureReturn Result
EndProcedure

Debug RetrieveModuleBase("notepad.exe", "kernel32.dll")
Re: here is a memory address conversion question for you.
Posted: Sat Jun 19, 2010 2:12 pm
by goldbaby
The debugger was returning the value zero when I tried it with notepad.exe running, and then I tried it with another program called tordns.exe.
I wonder why it returned the value zero instead of the base address.... thanks for the code btw, I just can't figure out why it doesn't work for some reason..... I'm running Windows 7 64 bit.
Re: here is a memory address conversion question for you.
Posted: Sat Jun 19, 2010 4:20 pm
by SFSxOI
Assuming you made the proper changes for 64 bit, dunno. But it works here on Windows 7 Ultimate 32 bit.
Re: here is a memory address conversion question for you.
Posted: Sun Jun 20, 2010 4:07 pm
by goldbaby
What I'm looking for is to convert whatever type of addressing the ExceptionAddress of a debug breakpoint has, for example (which seems to always be the same as the EIP register while the program is running), into the other type of addressing, virtual or physical. I don't have a complete grasp of Windows memory......... I know you can enumerate the process's memory, and every process has its own virtual memory...... the code I'm trying to use cannot use the address that the ExceptionAddress or current EIP register holds unless it is converted to another type of addressing..... I suppose it's called converting it to a virtual address of the process I'm debugging, but I'm not sure......
Re: here is a memory address conversion question for you.
Posted: Sun Jun 20, 2010 7:08 pm
by Thorium
Hm, if I understand it right you don't have to convert anything. You have to access the address with ReadProcessMemory_ and WriteProcessMemory_.
Re: here is a memory address conversion question for you.
Posted: Sun Jun 20, 2010 9:42 pm
by goldbaby
Well, what it was about is finding the start of the code in memory, which when calculated looks different from the addressing of, for example, the current EIP in the context of the currently debugged thread (process thread)...... I'll try and figure it out...... the start code of an EXE is usually around $401000 or something, but the current EIP is always a much larger looking number.... I'm trying to stop the debugger at the beginning or AddressOfEntryPoint of the process.....
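Putting Thorium's point together with the entry-point question, as an added example that is not code from anyone in this thread: the ExceptionAddress/EIP a debugger reports is already a virtual address in the debuggee, so nothing needs converting, and the entry point is the base the image was actually loaded at plus the PE header's AddressOfEntryPoint RVA; an EIP far above $401000 at the first breakpoint is simply in another module (the loader raises the initial breakpoint from inside ntdll.dll). The PE image, module list and addresses below are constructed sample values.

```python
import struct

def parse_pe_entry(image):
    """Return (ImageBase, AddressOfEntryPoint RVA) read from a PE image's headers."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20            # optional header follows the 20-byte file header
    magic = struct.unpack_from("<H", image, opt)[0]
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    if magic == 0x10B:                 # PE32: ImageBase is a DWORD at offset 28
        image_base = struct.unpack_from("<I", image, opt + 28)[0]
    elif magic == 0x20B:               # PE32+: ImageBase is a QWORD at offset 24
        image_base = struct.unpack_from("<Q", image, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return image_base, entry_rva

def entry_point_va(image, actual_base=None):
    """Breakpoint VA = base the loader really used (lpBaseOfImage of the CREATE_PROCESS
    debug event, or modBaseAddr from a module snapshot; ASLR may move it) + entry RVA."""
    image_base, entry_rva = parse_pe_entry(image)
    return (image_base if actual_base is None else actual_base) + entry_rva

def module_containing(addr, modules):
    """Name the module whose [base, base+size) range holds a VA such as EIP, else None."""
    for name, base, size in modules:
        if base <= addr < base + size:
            return name
    return None

def build_minimal_pe(image_base=0x400000, entry_rva=0x1000, pe32plus=False):
    """Constructed sample image: only the header bytes the parser reads, no sections."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew: PE header at 0x40
    machine, opt_size = (0x8664, 0xF0) if pe32plus else (0x14C, 0xE0)
    file_hdr = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)    # optional header magic
    struct.pack_into("<I", opt, 16, entry_rva)                      # AddressOfEntryPoint
    struct.pack_into("<Q" if pe32plus else "<I", opt, 24 if pe32plus else 28, image_base)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)

if __name__ == "__main__":             # constructed sample values, as seen at the first breakpoint
    modules = [("tordns.exe", 0x400000, 0x20000), ("ntdll.dll", 0x77A00000, 0x13C000)]
    print("EIP 0x77A5000C lies in %s" % module_containing(0x77A5000C, modules))
    print("entry point VA 0x%08X" % entry_point_va(build_minimal_pe(), actual_base=0x400000))
```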
Re: here is a memory address conversion question for you.
Posted: Mon Jun 21, 2010 12:36 am
by Rook Zimbabwe
If it is a numeric value you are looking for... I use Cheat-O-Matic to scan through memory addresses and locate them. This has started working again as game hacking methodology has improved and the old ways are forgotten.
