I am trying to get the registers of a debugged program, and this is done with the GetThreadContext API. However, while this gets me some values, they are not the correct values of the registers. I made a program that wrote 12345678h to six of the registers and then did an int 3 to cause a debug event. When I debugged it, the 12345678h was nowhere to be seen. Also, the word registers, cs ds es ss fs gs, gave me dword values. I use wsprintf to pad the dword registers to eight digits and the word ones to four digits. Sometimes, the word registers, because they are defined as dword in teh CONTEXT structure, were longer than a word. One of these is cs, which gets displayed with six hex digits. The interesting thing about cs is that the first TWO digits of cs are the same as the second and third digits of eip. Somehow, these two places are linked and they always display the same value. Obviously, the CONTEXT structure is faulty. The one I use, is the one defined in the latest version of WINDOWS.INC and is exactly the same as what M$ advertises as the correct thing. Seeing all this, I would find it hard to believe that I am doing soemthing wrong and I am inclined to think the structure is faulty. Does anyone know where the problem lies? Also, why are cs ds es ss fs and gs declared as dword values if in reality the registers are word values? CONTEXT STRUCT ContextFlags DWORD ? iDr0 DWORD ? iDr1 DWORD ? iDr2 DWORD ? iDr3 DWORD ? iDr6 DWORD ? iDr7 DWORD ? FloatSave FLOATING_SAVE_AREA <> regGs DWORD ? regFs DWORD ? regEs DWORD ? regDs DWORD ? regEdi DWORD ? regEsi DWORD ? regEbx DWORD ? regEdx DWORD ? regEcx DWORD ? regEax DWORD ? regEbp DWORD ? regEip DWORD ? regCs DWORD ? regFlag DWORD ? regEsp DWORD ? regSs DWORD ? ExtendedRegisters db MAXIMUM_SUPPORTED_EXTENSION dup(?) CONTEXT ENDS
Posted on 2001-01-26 10:54:00 by Hel
According to the comments in winnt.h, the SegCs and EFlags field must be "sanitized". I don't know if that means clearing garbage bits.
Posted on 2001-01-27 03:28:00 by tank
i would make sure you dont write 012345678h to the esp reg if that is any help. Otherwise the int 3 instruction is not gonna work as it needs to push the return address back onto the stack. Also, theres something to do with a int 3 instruction under NT, im not sure if its a bug or not, but a normal int instruction is 2 bytes long (one for the opcode, one for the actual interupt number), however a int 3 is only one byte long. So try including a nop after the int 3.
Posted on 2001-01-27 21:53:00 by X