Heya,
Let's assume I have code like this:
mov eax, 1000h
mov eax, dword ptr [eax]

Eventually, a read error will occur at the second line when running this code. The question is, how can I find out, from another process which is debugging this program, what address the mov instruction at the second line of code was trying to access?
For example, Windows would display: The instruction at "0x4xxxxxx" referenced memory at "0x00001000". OK, it's easy to get the EIP of the exception using the debug API, but how can I find out at what memory location the read error occurred?

thank you
Posted on 2004-07-07 16:10:21 by DZA
:confused:


how can I find out at what memory location the read error occurred?


I don't understand the question exactly...

Since a process is mapped in its own address space, if you get EIP, you get the memory location where the error occurred.

In a debugger loop:



.if DBEvent.u.Exception.pExceptionRecord.ExceptionCode==EXCEPTION_ACCESS_VIOLATION
    mov eax,DBEvent.u.Exception.pExceptionRecord.ExceptionAddress ;eax==location of error
.endif



Neitsa.
Posted on 2004-07-07 18:13:01 by Neitsa

They are looking for the address that EAX points to, not EIP.
Posted on 2004-07-07 18:16:25 by mark_larson
:o Oops...

Sorry, misunderstanding the question...

Debug structs and APIs are very powerful!

The 'EXCEPTION_RECORD' struct is your friend. Take a look at this member:



ULONG_PTR ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS];

Array of additional arguments that describe the exception. The RaiseException function can specify this array of
arguments. For most exception codes, the array elements are undefined. The following table describes the
exception codes whose array elements are defined.


The second array element specifies the virtual address of the inaccessible data.

Posted on 2004-07-07 18:31:21 by Neitsa


no biggie. I misunderstand stuff too. I would have posted an answer but I don't know the answer.
Posted on 2004-07-07 19:45:15 by mark_larson
OK, so I don't want to find the EIP of the exception (of course, as the program is debugged and suspended on the exception, its current EIP is identical to the exception address), but the exception record does not seem to hold information as to what memory the instruction failed to read.
For example, for a:
mov eax, dword ptr [1000h]
where in the exception record could I find the address "1000h"?!

thank you
Posted on 2004-07-08 11:47:11 by DZA


ULONG_PTR ExceptionInformation ???

EXCEPTION_ACCESS_VIOLATION
The first element of the array contains a read-write flag that indicates the type of operation that caused the access violation. If this value is zero, the thread attempted to read the inaccessible data. If this value is 1, the thread attempted to write to an inaccessible address.
The second array element specifies the virtual address of the inaccessible data.
Posted on 2004-07-08 13:43:11 by Mecurius
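
The answer above put into a debugger loop, as an added example that is not part of the original thread. It assumes MASM32 (windows.inc, kernel32) and a debuggee already started with DEBUG_ONLY_THIS_PROCESS; DebugLoop, FaultAddr, FaultIsWrite and ContStatus are hypothetical names.

```asm
.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib

.data?
DBEvent      DEBUG_EVENT <>
FaultAddr    dd ?               ; virtual address the instruction tried to access
FaultIsWrite dd ?               ; 0 = read, 1 = write
ContStatus   dd ?               ; status passed to ContinueDebugEvent

.code
; Runs until the debuggee exits; records the data address of each access violation.
DebugLoop proc
    .while TRUE
        invoke WaitForDebugEvent, addr DBEvent, INFINITE
        .break .if eax == 0                     ; wait failed
        mov ContStatus, DBG_CONTINUE
        .if DBEvent.dwDebugEventCode == EXCEPTION_DEBUG_EVENT
            mov eax, DBEvent.u.Exception.pExceptionRecord.ExceptionCode
            .if eax == EXCEPTION_ACCESS_VIOLATION
                ; ExceptionInformation[0] and [1] are only defined when NumberParameters >= 2
                .if DBEvent.u.Exception.pExceptionRecord.NumberParameters >= 2
                    mov eax, DBEvent.u.Exception.pExceptionRecord.ExceptionInformation[0]
                    mov FaultIsWrite, eax       ; first element: read/write flag
                    mov eax, DBEvent.u.Exception.pExceptionRecord.ExceptionInformation[4]
                    mov FaultAddr, eax          ; second element: inaccessible address
                .endif
                mov ContStatus, DBG_EXCEPTION_NOT_HANDLED
            .elseif eax != EXCEPTION_BREAKPOINT ; the initial loader breakpoint is continued
                mov ContStatus, DBG_EXCEPTION_NOT_HANDLED
            .endif
        .endif
        invoke ContinueDebugEvent, DBEvent.dwProcessId, DBEvent.dwThreadId, ContStatus
        .break .if DBEvent.dwDebugEventCode == EXIT_PROCESS_DEBUG_EVENT
    .endw
    ret
DebugLoop endp
end
```

ExceptionAddress in the same record still holds the EIP of the faulting instruction, so the two values together give what the Windows error dialog displays.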
thank you Mercurius:)
Posted on 2004-07-08 13:49:05 by DZA
What's up with your homepage, DZA?
Posted on 2004-07-08 15:27:01 by diablo2oo2