callstack and ReadProcessMemory

I'm trying to read the return address of a method, but in another process's memory. So I'm getting the frame pointer and reading the value of the return address. As far as I understand, I'm supposed to get a value equal to m_stackframe.AddrReturn.Offset, but:

  1. If I add ESP to the frame pointer address, ReadProcessMemory returns false.
  2. If I simply use the frame address offset, I get a wrong value.

    #include <windows.h>
    #include <dbghelp.h>   // StackWalk64, SymFunctionTableAccess64, SymGetModuleBase64; link with dbghelp.lib

    // Reading the top method in the stack.
    bool ok = StackWalk64(IMAGE_FILE_MACHINE_I386, m_processInfo.Handle, m_threadInfo.Handle,
                          &m_stackframe, &m_threadContext, 0,
                          SymFunctionTableAccess64, SymGetModuleBase64, 0);
    // the Esp register is the base address of the stack, right?
    DWORD baseAddressOfCallstack = m_threadContext.Esp;
    // Getting the absolute address by adding the ESP to the stack frame address.
    DWORD absoluteAddressInCallstack = m_stackframe.AddrFrame.Offset + baseAddressOfCallstack;
    // Converting it to a pointer.
    DWORD* addressInCallStack = (DWORD*)absoluteAddressInCallstack;
    DWORD val = 0;
    SIZE_T bytesRead = 0;
    // and trying to read it from the process...
    ok = ReadProcessMemory(m_processInfo.Handle, addressInCallStack, (void*)&val, sizeof(DWORD), &bytesRead);

I'm using C++ on Windows. Can anybody tell me what's wrong with it? Thanks :)

--------------Solutions-------------

The return address is at EBP + 4 in your current stack frame.

Whenever a new function is called a new stack frame is set up, and the old ESP (stack pointer) is moved to EBP (base pointer). Local variables are created on the stack by subtracting from the new stack pointer. Passed arguments are pushed in reverse order prior to calling. From the base pointer you can get the return address.
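The frame layout the answer describes, worked through as an added example that is not part of the original question or answer: a constructed 32-bit stack image is read through a stand-in for ReadProcessMemory (read_remote, which fails like the real call when the address lies outside the region), the EBP chain is walked by reading the saved EBP at [EBP] and the return address at [EBP+4], and the question's mistake of adding ESP to an already absolute frame address is shown to produce a failed read. All addresses, frame positions and function names are assumptions made up for the demonstration.

```c
#include <stdint.h>
#include <string.h>
/* Constructed image of a 32-bit stack region as a debugger sees it through
   ReadProcessMemory; its first byte has "remote" address STACK_BASE. */
#define STACK_BASE 0x0012F000u
#define STACK_SIZE 64u
static uint8_t g_stack[STACK_SIZE];
/* Stand-in for ReadProcessMemory: copies n bytes from remote address addr and
   returns 0 when any byte lies outside the region. */
static int read_remote(uint32_t addr, void *out, size_t n) {
    if (addr < STACK_BASE || addr - STACK_BASE + n > STACK_SIZE) return 0;
    memcpy(out, g_stack + (addr - STACK_BASE), n);
    return 1;
}
static void write_u32(uint32_t addr, uint32_t v) {
    memcpy(g_stack + (addr - STACK_BASE), &v, sizeof v);
}
/* Two frames laid out as the answer describes: [EBP] holds the saved caller
   EBP and [EBP+4] the return address. All addresses are constructed. */
#define CALLEE_EBP (STACK_BASE + 0x10u)
#define CALLER_EBP (STACK_BASE + 0x30u)
#define RET_CALLEE 0x00401234u
#define RET_CALLER 0x00405678u
static void build_stack(void) {
    memset(g_stack, 0, sizeof g_stack);
    write_u32(CALLEE_EBP, CALLER_EBP);     /* saved EBP links to the caller frame */
    write_u32(CALLEE_EBP + 4, RET_CALLEE);
    write_u32(CALLER_EBP, 0);              /* saved EBP of 0 ends the chain */
    write_u32(CALLER_EBP + 4, RET_CALLER);
}

/* Walks the EBP chain with remote reads only, collecting return addresses;
   stops on a failed read or a frame pointer that does not move up the stack. */
static size_t walk_frames(uint32_t ebp, uint32_t *out, size_t max) {
    size_t n = 0;
    while (ebp != 0 && n < max) {
        uint32_t saved_ebp, ret;
        if (!read_remote(ebp, &saved_ebp, 4) || !read_remote(ebp + 4, &ret, 4)) break;
        out[n++] = ret;
        if (saved_ebp <= ebp) break;
        ebp = saved_ebp;
    }
    return n;
}

/* The question's mistake: AddrFrame.Offset is already absolute, so adding ESP
   to it points past the stack and the read fails. */
static int read_with_esp_added(uint32_t frame, uint32_t esp, uint32_t *val) {
    return read_remote(frame + esp, val, 4);
}
```

With a real target the same walk uses m_stackframe.AddrFrame.Offset directly as the address passed to ReadProcessMemory, with no ESP added.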

Category:c# Time:2010-09-27 Views:1


Copyright (C) pcaskme.com, All Rights Reserved.
