  #1  
Old 09-19-2014, 05:43
anon_c anon_c is offline
Friend
 
Join Date: Jan 2011
Posts: 27
Rept. Given: 25
Rept. Rcvd 8 Times in 3 Posts
Thanks Given: 12
Thanks Rcvd at 7 Times in 7 Posts
anon_c Reputation: 8
Read registers in memory

I would like to create an application, preferably in Delphi/Pascal (but C++ will do), that is able to start an executable and read the registers after a breakpoint at a specific location. Something like the "Serial Sniffer Creator 2.0" by MouradPr / AT4RE would do.

Does somebody know some tutorials or tools, or can point me to where to start for doing this? Some source code examples would be perfect.

Thanks for your help
  #2  
Old 09-19-2014, 14:43
Sir.V65j
Set a bp (EB FE) on that offset,
then use this function:
Quote:
uses Windows, SysUtils;

// Reads up to 50 bytes from the address held in EDX of the (suspended) thread.
// The thread stays suspended on return; the caller does ResumeThread(PI.hThread).
function SniffSerial(PI: PROCESS_INFORMATION; Ctx: _CONTEXT): string;
var
  X: Cardinal;                        // bytes actually read (DWORD/SIZE_T per Delphi version)
  Buff: array[0..50] of AnsiChar;     // 50 data bytes + 1 byte that stays #0 as terminator
begin
  Result := '';
  FillChar(Buff, SizeOf(Buff), 0);

  SuspendThread(PI.hThread);
  // GetThreadContext fills only the register groups selected by ContextFlags,
  // so make sure the integer group (Eax..Edi, Edx included) is requested
  Ctx.ContextFlags := Ctx.ContextFlags or CONTEXT_INTEGER;
  if GetThreadContext(PI.hThread, Ctx) then
    if ReadProcessMemory(PI.hProcess, Pointer(Ctx.Edx), @Buff, 50, X) then
      // AnsiChar buffer: on Unicode Delphi PChar would be PWideChar and misread it
      Result := Trim(string(PAnsiChar(@Buff)));
end;
Thanks to NimaSubZero & anorganix.
You can use this source:
Attached Files
File Type: rar Coding a Serial Sniffer_anorganix.rar (313.1 KB, 59 views)

Last edited by Sir.V65j; 09-19-2014 at 15:04. Reason: add a source code
  #3  
Old 09-20-2014, 01:58
anon_c
For what I needed, reversing the code appeared to be much easier than anticipated. Thus I won't use the procedure I asked about here.

Nevertheless, this sniffing code looks way easier to implement than I expected! Many, many thanks for the snippet and sources! Thanks go as well to NimaSubZero & anorganix!

For sure I will play with this code in the next week. It can save a lot of time on many occasions. I will let you know if it works. I am confident it will...
  #4  
Old 09-26-2014, 14:01
anon_c
Thanks to this code, I've written my own sniffer unit. I struggled a little bit to retrieve the BaseAddress of the process, but I finally succeeded. Cool to have this knowledge in the arsenal.

One thing I still don't get completely is how to use and manipulate the 'ContextFlags'... In the code from anorganix, we can see:

// resume the program
ResumeThread(PI.hThread);
// $00010000 = CONTEXT_i386 (the architecture bit every flag carries),
// 15 = CONTEXT_CONTROL + CONTEXT_INTEGER + CONTEXT_SEGMENTS + CONTEXT_FLOATING_POINT (1+2+4+8),
// $10 = CONTEXT_DEBUG_REGISTERS; i.e. CONTEXT_FULL or FLOATING_POINT or DEBUG_REGISTERS
Context.ContextFlags:= $00010000+15+$10;


Also, to get the BaseAddress of the process, I use this (I translated a C++ code from somewhere into Delphi, but there was no explanation on the website):

Context.ContextFlags := CONTEXT_INTEGER;   // request only the integer group (Eax..Edi), which includes Ebx
GetThreadContext(PI.hThread,Context);
// only meaningful in the initial, still-suspended thread state of a 32-bit process, where EBX holds the PEB address
ReadProcessMemory(PI.hProcess, pointer(Context.Ebx + 8), @BaseAddress, SizeOf(BaseAddress), BytesRead);

Still reading to figure it out, but if someone has the explanation for the values used here, you are welcome to help!

Thanks
  #5  
Old 09-26-2014, 17:39
Carbon
Quote:
Originally Posted by anon_c View Post
ReadProcessMemory(PI.hProcess, pointer(Context.Ebx + 8), @BaseAddress,
EBX -> PEB

+ sizeof(void*)*2

== PEB->ImageBase
  #6  
Old 09-12-2015, 02:30
niculaita
I need a sniffer, but it has to make a list of the values of a register, for example EAX,
for repetitive passes of the sniffed program at a certain address.
  #7  
Old 09-13-2015, 07:25
anon_c
Hi, I can try to implement this in my sniffer because it might indeed be useful. Please note that for now, it will only work on 32-bit executables...
Do you have a target to share that has something interesting to be repeatedly sniffed at a specific RVA? You can send me the link by PM.

AC
  #8  
Old 09-15-2015, 12:25
anon_c
@niculaita
I started looking at your request. After some trials, I found that getting a list of a register's values when sniffed at a certain VA of a process can leave a huge amount of data when the process repeatedly goes over this VA. More annoying than anything else...

In my opinion, a better tool would be able to pause a process at the user's request, read the register of interest at a particular VA, and then resume the process. That is how I built a first draft of a sniffer for your target, and it works perfectly on Win 7.

@EXETOOLS
I am not aware that such a tool is already available, but does anybody here know if it is the case? If no solution already exists, I will definitely share the one I am creating when it is finished...

AC
  #9  
Old 09-15-2015, 12:59
niculaita
Such a tool, which pauses the process at the user's wish and reads a wanted register when the software passes through a VA for the first time after the process is resumed, does not exist here. Please make it and share!
  #10  
Old 09-19-2015, 13:49
maktm
I got lost after some posts, but if your aim is to stop execution at one point with a HWBP/SWBP and read the registers, you can use this procedure:

1. Set a hardware/software breakpoint at the virtual address by patching the byte or using the debug registers.

2. Set a new top-level handler ( https://msdn.microsoft.com/en-us/library/windows/desktop/ms680634(v=vs.85).aspx ).

3. You get a context structure when the breakpoint hits, so in your callback just handle it by reading the structure passed to the callback, which is of type (struct _EXCEPTION_POINTERS *ExceptionInfo).

4. If you overwrote the byte by patching, then you should rewrite the original byte in the hook and then replace it again for another breakpoint (if you want).

If you have problems, you can ask here again.
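The four steps above done out-of-process, as an added example that is not from the thread or the attached source: a Delphi debug-event loop that launches the executable, patches an INT3 at image base + RVA, records EAX on every hit (the per-pass list asked for in post #6) and re-arms the byte after one single-step. Names are mine; it assumes a 32-bit target and a 32-bit Delphi 2009 or later with Windows and SysUtils in the uses clause, and it swaps the in-process top-level filter for the Win32 debugging API (WaitForDebugEvent), since a separate launcher process cannot install a filter inside the target.

```pascal
uses Windows, SysUtils;

// Collect EAX each time the debuggee reaches image base + Rva (32-bit only, assumed)
function SniffEaxAtRva(const ExePath: string; Rva: Cardinal): TArray<Cardinal>;
const Int3: Byte = $CC;
var
  SI: TStartupInfo; PI: TProcessInformation; Ev: TDebugEvent; Ctx: TContext;
  Target: Cardinal; Orig: Byte; N: NativeUInt; Status: DWORD; hT: THandle;
begin
  Result := nil; Target := 0; hT := 0;
  FillChar(SI, SizeOf(SI), 0); SI.cb := SizeOf(SI);
  Win32Check(CreateProcess(nil, PChar(ExePath), nil, nil, False,
    DEBUG_ONLY_THIS_PROCESS, nil, nil, SI, PI));
  repeat
    if not WaitForDebugEvent(Ev, INFINITE) then Break;
    Status := DBG_EXCEPTION_NOT_HANDLED; // the target handles its own faults
    case Ev.dwDebugEventCode of
      CREATE_PROCESS_DEBUG_EVENT: begin
        // the event already carries the image base: no PEB+8 read needed
        Target := Cardinal(Ev.CreateProcessInfo.lpBaseOfImage) + Rva;
        ReadProcessMemory(PI.hProcess, Pointer(Target), @Orig, 1, N); // save
        WriteProcessMemory(PI.hProcess, Pointer(Target), @Int3, 1, N); // arm
        CloseHandle(Ev.CreateProcessInfo.hFile); Status := DBG_CONTINUE;
      end;
      EXCEPTION_DEBUG_EVENT:
        with Ev.Exception.ExceptionRecord do
          if ExceptionCode = EXCEPTION_BREAKPOINT then
          begin
            Status := DBG_CONTINUE; // also swallows the loader's initial INT3
            if Cardinal(ExceptionAddress) = Target then
            begin
              hT := OpenThread(THREAD_ALL_ACCESS, False, Ev.dwThreadId);
              Ctx.ContextFlags := CONTEXT_CONTROL or CONTEXT_INTEGER; // Eip, EFlags, Eax..Edi
              GetThreadContext(hT, Ctx);
              SetLength(Result, Length(Result) + 1); Result[High(Result)] := Ctx.Eax;
              WriteProcessMemory(PI.hProcess, Pointer(Target), @Orig, 1, N); // put byte back
              Dec(Ctx.Eip); Ctx.EFlags := Ctx.EFlags or $100; // rewind over INT3, set TF
              SetThreadContext(hT, Ctx);
            end;
          end
          else if (ExceptionCode = EXCEPTION_SINGLE_STEP) and (hT <> 0) then
          begin // the original instruction has run: re-arm for the next pass
            WriteProcessMemory(PI.hProcess, Pointer(Target), @Int3, 1, N);
            CloseHandle(hT); hT := 0; Status := DBG_CONTINUE;
          end;
    end;
    ContinueDebugEvent(Ev.dwProcessId, Ev.dwThreadId, Status);
  until Ev.dwDebugEventCode = EXIT_PROCESS_DEBUG_EVENT;
  CloseHandle(PI.hThread); CloseHandle(PI.hProcess);
end;
```

The ReadProcessMemory/WriteProcessMemory byte-count parameter is DWORD on older Delphi versions and SIZE_T on newer ones, so N may need to be declared accordingly.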