Question

I'm trying to log the pointed-to instructions with ReadProcessMemory; in fact, I use the EIP register to get the next instruction's address. Next, I use the distorm lib to display the mnemonic. But ReadProcessMemory reads nothing.

void display_instruction(Debuggee* debuggee)
{
    // Fetch the debuggee thread's registers (EIP included)
    CONTEXT lcContext;
    lcContext.ContextFlags = CONTEXT_ALL;
    GetThreadContext(debuggee->debugEvent->u.CreateProcessInfo.hThread, &lcContext);

    // Read one byte at the instruction pointer from the debuggee
    BYTE cInstruction = 0;
    DWORD dwReadBytes;
    ReadProcessMemory(debuggee->debugEvent->u.CreateProcessInfo.hProcess, (void*)&lcContext.Eip, &cInstruction, 1, &dwReadBytes);
    decode((void*)&cInstruction); // distorm mnemonic
    printf("Instruction  : 0x%03.3X , %d\n", cInstruction, dwReadBytes);
}

I need your help please! ^^


Solution

This probably:

ReadProcessMemory(debuggee->debugEvent->u.CreateProcessInfo.hProcess,
                 (void*) &lcContext.Eip, // <
                 &cInstruction,
                 1,
                 &dwReadBytes);

should be:

ReadProcessMemory(debuggee->debugEvent->u.CreateProcessInfo.hProcess,
                 (void*) lcContext.Eip, // <
                 &cInstruction,
                 1,
                 &dwReadBytes);

as ReadProcessMemory expects the address in the virtual memory of the target process.

Plus, you can check the return value and the reason for the failure.
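A corrected reader for the instruction bytes at the debuggee's program counter, written as an added example and not code from the question or the answer above. It passes the value of Eip (an address inside the target) rather than the address of the CONTEXT field, reads a full 15-byte window instead of one byte so a disassembler has a whole instruction to work with, checks the return value and GetLastError, and shortens the read to the end of the page when the window runs into an unmapped region, because ReadProcessMemory refuses the whole request if any byte is unreadable. On Windows it compiles against the real API; on other systems the Win32 names are replaced by small stubs over a constructed 4 KiB "text page" at a hypothetical load address of 0x00401000 (the prologue bytes and the 4 KiB page size are assumptions made for the demonstration) so the address and error handling can be run without a debuggee.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Non-Windows build: stand-ins for the Win32 names used below (stubs, not the
 * real API) plus a fake 4 KiB target page so the logic can run without a debuggee. */
typedef void *HANDLE;  typedef unsigned long DWORD;  typedef int BOOL;
typedef const void *LPCVOID;  typedef void *LPVOID;  typedef size_t SIZE_T;
#define ERROR_PARTIAL_COPY 299UL
#define FAKE_TEXT_BASE 0x00401000u          /* hypothetical load address */
static unsigned char g_fake_text[4096];     /* constructed target page */
static DWORD g_last_error;
static DWORD GetLastError(void) { return g_last_error; }

static BOOL ReadProcessMemory(HANDLE h, LPCVOID base, LPVOID buf, SIZE_T n, SIZE_T *nread)
{
    static int ready;
    if (!ready) {   /* fill once: a typical function prologue, then int3 filler */
        const unsigned char prologue[] = { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x40 };
        memset(g_fake_text, 0xCC, sizeof g_fake_text);
        memcpy(g_fake_text, prologue, sizeof prologue);
        ready = 1;
    }
    (void)h;
    uintptr_t a = (uintptr_t)base;
    /* Like the real call: all-or-nothing. Any byte outside the mapping fails. */
    if (a < FAKE_TEXT_BASE || n > sizeof g_fake_text ||
        a - FAKE_TEXT_BASE > sizeof g_fake_text - n) {
        g_last_error = ERROR_PARTIAL_COPY;
        if (nread) *nread = 0;
        return 0;
    }
    memcpy(buf, g_fake_text + (a - FAKE_TEXT_BASE), n);
    if (nread) *nread = n;
    return 1;
}
#endif

#define MAX_X86_INSN_LEN 15   /* architectural maximum x86 instruction length */
#define PAGE_SIZE_ASSUMED 4096

/* Read the instruction bytes at `pc` in the target's address space. `pc` is the
 * VALUE of Eip/Rip from GetThreadContext, never &ctx.Eip, which is the debugger's
 * own stack. Returns bytes read; 0 means failure with the Win32 error in *err. */
static size_t read_insn_bytes(HANDLE hProcess, uintptr_t pc,
                              unsigned char out[MAX_X86_INSN_LEN], DWORD *err)
{
    SIZE_T got = 0;
    size_t want = MAX_X86_INSN_LEN;
    size_t to_page_end = PAGE_SIZE_ASSUMED - (pc & (PAGE_SIZE_ASSUMED - 1));
    if (ReadProcessMemory(hProcess, (LPCVOID)pc, out, want, &got) && got == want)
        return want;
    /* The window crossed into unreadable memory: retry up to the page boundary. */
    if (to_page_end < want &&
        ReadProcessMemory(hProcess, (LPCVOID)pc, out, to_page_end, &got) && got == to_page_end)
        return to_page_end;
    if (err) *err = GetLastError();
    return 0;
}

/* Render bytes as "55 8B EC"; returns the number of characters written. */
static size_t hex_bytes(const unsigned char *b, size_t n, char *dst, size_t cap)
{
    size_t off = 0;
    for (size_t i = 0; i < n && off + 4 <= cap; i++)
        off += (size_t)snprintf(dst + off, cap - off, i ? " %02X" : "%02X", b[i]);
    return off;
}

#ifdef _WIN32
/* Corrected display routine for the debugger's event loop (Windows only). */
void display_instruction(HANDLE hProcess, HANDLE hThread)
{
    CONTEXT ctx;
    memset(&ctx, 0, sizeof ctx);
    ctx.ContextFlags = CONTEXT_CONTROL;          /* control registers include Eip/Rip */
    if (!GetThreadContext(hThread, &ctx)) {
        fprintf(stderr, "GetThreadContext failed: %lu\n", GetLastError());
        return;
    }
#ifdef _WIN64
    uintptr_t pc = (uintptr_t)ctx.Rip;
#else
    uintptr_t pc = (uintptr_t)ctx.Eip;
#endif
    unsigned char buf[MAX_X86_INSN_LEN];
    DWORD err = 0;
    size_t n = read_insn_bytes(hProcess, pc, buf, &err);
    if (n == 0) { fprintf(stderr, "ReadProcessMemory at %p failed: %lu\n", (void *)pc, err); return; }
    char hex[64];
    hex_bytes(buf, n, hex, sizeof hex);
    printf("%p: %s\n", (void *)pc, hex);        /* hand buf/n to the disassembler here */
}
#endif

int main(void)
{
#ifndef _WIN32
    unsigned char buf[MAX_X86_INSN_LEN];  char hex[64];  DWORD err = 0;
    size_t n = read_insn_bytes(NULL, FAKE_TEXT_BASE, buf, &err);
    hex_bytes(buf, n, hex, sizeof hex);
    printf("%zu bytes at 0x%08x: %s\n", n, FAKE_TEXT_BASE, hex);
    n = read_insn_bytes(NULL, FAKE_TEXT_BASE + PAGE_SIZE_ASSUMED - 5, buf, &err);
    printf("%zu bytes when the window hits the page end\n", n);
    n = read_insn_bytes(NULL, FAKE_TEXT_BASE + PAGE_SIZE_ASSUMED, buf, &err);
    printf("unmapped read: %zu bytes, error %lu\n", n, err);
#else
    puts("Call display_instruction(hProcess, hThread) from your debug event loop.");
#endif
    return 0;
}
```

Note that the byte count is `SIZE_T`, not `DWORD`: on a 64-bit debugger the question's `DWORD dwReadBytes` is too small for the out-parameter and corrupts the stack.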

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow