Use ReadProcessMemory to record pointed instructions

Question

I'm trying to log pointed instructions with ReadProcessMemory, in fact I use EIP register to get the next insctruction address. Next, I use distorm lib to display mnemonic. But ReadProcessMemory reads nothing.

void display_instruction(Debuggee* debuggee)
{
    CONTEXT lcContext;
    lcContext.ContextFlags = CONTEXT_ALL;
    GetThreadContext(debuggee->debugEvent->u.CreateProcessInfo.hThread, &lcContext);

    BYTE cInstruction = 0;
    DWORD dwReadBytes;
    ReadProcessMemory(debuggee->debugEvent->u.CreateProcessInfo.hProcess, (void*)&lcContext.Eip, &cInstruction, 1, &dwReadBytes);
    decode((void*)cInstruction); //Distorm Mnemonic 
    printf("Instruction  : 0x%03.3X , %d\n",cInstruction,dwReadBytes);
}

}

I need your help please !^^

Standard mistakes are using GetThreadContext() when the thread wasn't suspended, trying to access the context of a 64-bit thread in a 32-bit debugger and completely ignoring the return values of these winapi functions so they you can't find out why they fail. — Hans Passant, Feb 25 '14 at 16:56
Thank's for your answer. The debugger uses Trap Flag to stop target execution. I displays instruction when i received an EXCEPTION_SINGLE_STEP. The next instruction can not be execute until display_instruction is not completed (I don't have put all the code). — nasm, Feb 25 '14 at 19:56

score 0 · Accepted Answer · answered Feb 25 '14 at 17:03

0

This probably:

ReadProcessMemory(debuggee->debugEvent->u.CreateProcessInfo.hProcess,
                 (void*) &lcContext.Eip, // <
                 &cInstruction,
                 1,
                 &dwReadBytes);

should be:

ReadProcessMemory(debuggee->debugEvent->u.CreateProcessInfo.hProcess,
                 (void*) lcContext.Eip, // <
                 &cInstruction,
                 1,
                 &dwReadBytes);

as ReadProcessMemory expects the address in the virtual memory of the target process.

plus you can check the return value and the reason of failure.

answered Feb 25 '14 at 17:03

Hi, thanks for your answer, I get the error code 998 : ERROR_NOACCESS 998 (0x3E6): Invalid access to memory location. The debuggee (debugging process) is launched like this : CreateProcessW (debuggee->path_to_binary,NULL, NULL, NULL, FALSE,DEBUG_ONLY_THIS_PROCESS, NULL,NULL, &debuggee->startup_info, &debuggee->process_information ) – nasm Feb 25 '14 at 20:59
I changed debuggee->debugEvent->u.CreateProcessInfo.hProcess by debuggee->process_information.hProcess and &lcContext.Eip by lcContext.Eip. It works ! Thanks ! – nasm Feb 25 '14 at 21:10

Use ReadProcessMemory to record pointed instructions

1 Answers1