Stack memory location

[brixton]

Hi all,

I am (essentially) writing a debugger (of sorts, long story).  I am most interested in memory locations of the debugee.  I have gotten as far as reading the relevant DOS/PE headers and using this information I can correctly calculate the location of the start of writeable memory (global variables), but I am lost on calculating the location of the stack.  Is it a constant?  I debugged several applications with Olly and they all had an EBP of 0012FFF0, and ESP of 0012FFC4.

Any info appreciated.

Regards,

Tom

[Ghandi]

Don't hardcode any values/addresses like ESP/EBP, use GetThreadContext to retrieve the context (state) of the thread and then inside this structure will be the EBP/ESP register values. Imho if writing a debugger you need to be able to get and set the thread(s) context(s) to be able to handle events such as software breakpoints (read: Int3).

HR,
Ghandi

[brixton]

Hi Ghandi,

That helps me very much, thankyou.  As of yet, have not loaded the target binary as a child process so have not looked at this method, although I was aware I could extract the register values from a child process.  I was hoping I could somehow tease it out of the headers, as I could find most of the information I needed there (as I said, for instance, the RVA of data section once loaded).

Thankyou for your 'englightening' me  :U

Tom