I'm trying to read the return address of the method, but from another process's memory. So I'm getting the frame pointer and reading the value of the return address. As far as I understand I'm supposed to get a value equal to m_stackframe.AddrReturn.Offset, but:
- If I add the Esp to the frame pointer address - ReadProcessMemory returns false.
- If I simply use the address frame offset - I get a wrong value.
```cpp
// Reading the top method in the stack.
bool ok = StackWalk64(IMAGE_FILE_MACHINE_I386, m_processInfo.Handle, m_threadInfo.Handle,
                      &m_stackframe, &m_threadContext, 0,
                      SymFunctionTableAccess64, SymGetModuleBase64, 0);

// the Esp register is the base address of the stack, right?
DWORD baseAddressOfCallstack = m_threadContext.Esp;

// Getting the absolute address by adding the ESP to the stack frame address.
DWORD absoluteAddressInCallstack = m_stackframe.AddrFrame.Offset + baseAddressOfCallstack;

// Converting it to a pointer.
DWORD* addressInCallStack = (DWORD*)absoluteAddressInCallstack;

DWORD val = 0;
SIZE_T bytesRead = 0;
// and trying to read it from the process...
ok = ReadProcessMemory(m_processInfo.Handle, addressInCallStack, (void*)&val, sizeof(DWORD), &bytesRead);
```
I'm using C++ on Windows. Can anybody tell me what's wrong with it? Thanks :)
The return address is at EBP + 4 in your current stack frame.
Whenever a new function is called a new stack frame is set up, and the old ESP (stack pointer) is moved to EBP (base pointer). Local variables are created on the stack by subtracting from the new stack pointer. Passed arguments are pushed in reverse order prior to calling. From the base pointer you can get the return address.
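The frame layout in the answer above, as an added worked example that is not part of the question or the answer: instead of Windows APIs it uses a constructed 64-byte "remote" stack region and a stand-in for ReadProcessMemory, with made-up register values (STACK_ESP, FRAME_EBP, SAVED_EBP, RET_ADDR, FIRST_ARG) chosen to match the question's two failure modes. It shows why adding ESP to AddrFrame.Offset produces an unmapped address (the read fails), why reading exactly at the frame address returns the saved EBP rather than the return address, and that EBP+4 is the slot that should agree with AddrReturn.Offset.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model (not the Windows API) of a 32-bit target's stack.
 * A 64-byte "remote" region is mapped at REMOTE_BASE; any address outside it
 * is unmapped, so a read there fails the way ReadProcessMemory returns FALSE
 * for an invalid address. Every address and value below is made up. */
#define REMOTE_BASE 0x0012FF00u
#define REMOTE_SIZE 64u

/* Register state of the suspended thread as a stack walker would report it.
 * AddrFrame.Offset is already an absolute address (EBP), not an offset
 * relative to ESP, so nothing has to be added to it. */
#define STACK_ESP   0x0012FF10u   /* ESP after "sub esp, 8" for locals   */
#define FRAME_EBP   0x0012FF18u   /* EBP = AddrFrame.Offset              */
#define SAVED_EBP   0x0012FF30u   /* caller's EBP, pushed by "push ebp"  */
#define RET_ADDR    0x00401234u   /* pushed by the caller's "call"       */
#define FIRST_ARG   0x0000002Au   /* first argument, pushed before call  */

static uint8_t g_remote[REMOTE_SIZE];

/* Store a 32-bit value little-endian at a simulated address. */
static void poke32(uint32_t addr, uint32_t v) {
    uint8_t *p = g_remote + (addr - REMOTE_BASE);
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Lay out one x86 frame after the prologue "push ebp; mov ebp, esp; sub esp, 8":
 *   [EBP+0] saved EBP   [EBP+4] return address   [EBP+8] first argument */
void setup_frame(void) {
    poke32(FRAME_EBP + 0, SAVED_EBP);
    poke32(FRAME_EBP + 4, RET_ADDR);
    poke32(FRAME_EBP + 8, FIRST_ARG);
}

/* Stand-in for ReadProcessMemory: read one DWORD at a 32-bit address.
 * Returns false (and leaves *out untouched) if the address is unmapped. */
bool read_remote32(uint32_t addr, uint32_t *out) {
    if (addr < REMOTE_BASE || addr - REMOTE_BASE > REMOTE_SIZE - 4) return false;
    const uint8_t *p = g_remote + (addr - REMOTE_BASE);
    *out = (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    return true;
}

/* The return address lives one DWORD above the frame pointer. */
bool read_return_address(uint32_t frame_ebp, uint32_t *out) {
    return read_remote32(frame_ebp + 4, out);
}

int main(void) {
    uint32_t v = 0;
    setup_frame();

    /* 1. Adding ESP to the frame address: the sum is not mapped, the read fails. */
    printf("EBP+ESP read ok: %d\n", read_remote32(FRAME_EBP + STACK_ESP, &v));

    /* 2. Reading exactly at the frame address: succeeds, but the slot is the saved EBP. */
    if (read_remote32(FRAME_EBP, &v)) printf("[EBP]   = 0x%08x (saved EBP)\n", v);

    /* 3. Reading at EBP+4: the return address the walker reports in AddrReturn. */
    if (read_return_address(FRAME_EBP, &v)) printf("[EBP+4] = 0x%08x (return address)\n", v);
    return 0;
}
```

In the real code the check is the one the question already names: the DWORD read at `m_stackframe.AddrFrame.Offset + 4` should equal `m_stackframe.AddrReturn.Offset`; if it does not, the frame was not built with a conventional EBP prologue and the walker's AddrReturn is the value to trust.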