
assembler loader problem


jockew
June 27th, 2008, 17:48
Hello!

I'm writing a debugging loader for an application using masm32.
I've stumbled upon a very strange thing (bug), well strange to me.

I've read Iczelion's assembler tutorials on "Win32 Debug API" and my code looks a lot like his tutorial (part 1).

Now on to my problem...

I'm trying to read a few bytes from the debuggee using the ReadProcessMemory Win32 API. I get an access violation exception when I try to push the pi.hProcess member to ReadProcessMemory.

The code's like this in WinAsm (I will shorten it):

.data?
pi PROCESS_INFORMATION <>

.code
invoke CreateProcess ; shortened, but of course "pi" is set here

invoke WriteProcessMemory ; this one is used without any problem with pi.hProcess

mov eax, 00401F00h
invoke ReadProcessMemory,pi.hProcess, eax, addr buffer, 14, NULL

Here is what masm32 compiles it to, taken from Olly.

MOV EAX, 43F100
PUSH 0 ; /pBytesRead = NULL
PUSH 0E ; |BytesToRead = E (14.)
PUSH 403144 ; |Buffer = test.00403144
PUSH EAX ; |pBaseAddress => 43F100
PUSH DWORD PTR DS:[403388] ; |hProcess = 000001C0 (window)
CALL 0040126A ; \ReadProcessMemory

And the message from Olly about the exception:

Access violation when reading [CC403388]

It seems like it adds a 0xCC to the address. Why? It doesn't do it when I call WriteProcessMemory.

I hope someone can shed some light on this.

*edit*
PS. perhaps this was posted in the wrong section of this forum. Sorry for that. DS.


Thanks!

// Jockew

fr33ke
June 28th, 2008, 08:40
It looks like you have a software breakpoint halfway in the instruction. Go to Olly's breakpoint window and remove them all.

jockew
June 28th, 2008, 15:04
That was exactly it!
Thanks!

Hate it when you stare yourself blind at a pretty simple problem.

// Jockew
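
Added example, not part of the original thread: a byte-level view of fr33ke's diagnosis, showing how a one-byte software breakpoint (INT3, 0xCC) placed inside PUSH DWORD PTR DS:[403388] produces the read from [CC403388] that Olly reported. The FF 35 encoding is the standard x86-32 form of this push; the helper names are hypothetical and the instruction bytes are constructed from the listing above.

```python
import struct

INT3 = 0xCC  # opcode a debugger writes for a software breakpoint

# PUSH DWORD PTR DS:[403388] as x86-32 machine code (constructed from the
# listing): opcode FF, ModRM 35 (/6 = PUSH, mod=00 rm=101 = disp32), then
# the 32-bit address stored little-endian.
PUSH_MEM = bytes.fromhex("FF35") + struct.pack("<I", 0x00403388)


def decode_push_disp32(code):
    """Return the absolute address read by a 'FF 35 disp32' push, else None."""
    if len(code) < 6 or code[0] != 0xFF or code[1] != 0x35:
        return None
    return struct.unpack_from("<I", code, 2)[0]


def with_breakpoint(code, offset):
    """Copy of code with one byte overwritten by INT3, as a debugger does."""
    patched = bytearray(code)
    patched[offset] = INT3
    return bytes(patched)


def find_breakpoint_offset(code, observed_address):
    """Which single-byte INT3 patches make the push read observed_address?"""
    return [off for off in range(len(code))
            if decode_push_disp32(with_breakpoint(code, off)) == observed_address]


def stray_int3(original, in_memory):
    """Offsets where memory holds 0xCC but the assembled bytes did not."""
    return [i for i, (a, b) in enumerate(zip(original, in_memory))
            if b == INT3 and a != INT3]


if __name__ == "__main__":
    for off in range(len(PUSH_MEM)):
        patched = with_breakpoint(PUSH_MEM, off)
        addr = decode_push_disp32(patched)
        shown = "no longer a push [disp32]" if addr is None else f"reads [{addr:08X}]"
        print(f"INT3 at +{off}: {patched.hex(' ').upper()}  {shown}")
    print("offset matching Olly's message:",
          find_breakpoint_offset(PUSH_MEM, 0xCC403388))
```

Only a breakpoint on the last byte of the instruction (offset +5, the high byte of the little-endian address) gives CC403388. Execution reached the push at its first byte, so the INT3 was never executed as an instruction and was instead consumed as part of the operand.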