
Recovering registers

Started by Parse, December 30, 2004, 02:45:08 PM


Parse

When you call LoadLibrary, the dll calls its dllMain with a parameter: DLL_PROCESS_ATTACH. At that time, is it possible to recover the registers of the calling process? What edi points to, what eax holds, etc.

tenkey

The short answer is NO.

LoadLibrary has no obligation to give your DLL a way to get the register values it (LoadLibrary) has received.
A programming language is low level when its programs require attention to the irrelevant.
Alan Perlis, Epigram #8

hutch--

If you wrote the DLL yourself, you could at the start of the LibMain push all of the registers and save them to GLOBAL variables that you can access later with a call to the DLL, but if you did not write it yourself, you are in trouble.
Download site for MASM32      New MASM Forum
https://masm32.com          https://masm32.com/board/index.php

Ghirai

If you didn't write the dll, you can always find some caves and add some extra code to fit your needs  ;)
MASM32 Project/RadASM mirror - http://ghirai.com/hutch/mmi.html

Parse

hm.. let me rephrase, when you call LoadLibrary, is the DllMain procedure in a separate thread? if

    push esi                ; <--- That's the register I want
    push dllname            ; address of the DLL name string
    call [LoadLibraryA]     ; DllMain runs inside this call

now in the library

DllEntry proc hInstance:HINSTANCE, Reason:dword, Reserve:dword
    .if Reason == DLL_PROCESS_ATTACH
        pop esi             ; <--- it's not what I pushed in the calling process
    .endif
    mov eax, TRUE           ; DllMain must return TRUE on DLL_PROCESS_ATTACH
    ret
DllEntry endp

raymond

Even if it was in the same thread, the values on the stack would have been the stack frame (and maybe LOCAL variables and preserved registers also), the return address, and the pushed parameters before you would even find the value of the pushed ESI.

Raymond
When you assume something, you risk being wrong half the time
http://www.ray.masmcode.com

Parse

but if I keep popping I would eventually find it?

hutch--

Parse,

Always remember that you must balance the stack or you can end up in big trouble.

tenkey

Quote from: Parse on January 01, 2005, 03:24:44 AM
but if I keep poping I would eventually find it?

"Stack mining" is a very bad practice. Much code in Windows is in C, and adding new variables, deleting old variables, calling new subroutines, a new optimizing compiler, all will change where any data is located relative to your DLL. Critical upgrades may add stack variables that are used to address some security issue.

And stack data is definitely not register data.

If you want to give values to your DLL reliably, then you must send it via a function argument. If you need to call an initialization function after loading a DLL, then that's the way you must do it.
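To put hutch--'s suggestion (snapshot the registers at DllMain entry into globals) next to tenkey's advice (hand the value over through an explicit export), here is a DLL plus a host that loads it. This is an added example written for this page, not code posted in the thread; the file names regdll.asm and host.asm, the export names GetEntryRegs, SetHostContext and GetHostContext, and the build commands are assumptions, and the value 0DEADBEEFh is a constructed test value. The snapshot records whatever the loader had in the registers when it called DllMain, which is the point raymond and tenkey make: that is loader state, and the caller's ESI is only visible to the DLL once it is passed as an argument.

```asm
; ---- regdll.asm (assumed name) ----
; ml /c /coff regdll.asm
; link /DLL /SUBSYSTEM:WINDOWS /EXPORT:GetEntryRegs /EXPORT:SetHostContext /EXPORT:GetHostContext regdll.obj
.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib

.data?
    entry_regs  dd 8 dup(?)     ; registers as DllMain saw them, in pushad memory order:
                                ; [0]=EDI [1]=ESI [2]=EBP [3]=ESP [4]=EBX [5]=EDX [6]=ECX [7]=EAX
    host_value  dd ?            ; value the host hands over explicitly

.code
DllMain proc hInstance:HINSTANCE, Reason:DWORD, Reserved:DWORD
    .if Reason == DLL_PROCESS_ATTACH
        pushad                  ; snapshot the register state at entry (hutch--'s idea)
        mov esi, esp            ; esi -> the 8 dwords pushad just wrote
        mov edi, offset entry_regs
        mov ecx, 8
        cld
        rep movsd
        popad                   ; restore every register; the stack is balanced again
    .endif
    mov eax, TRUE               ; DllMain must return TRUE on attach
    ret
DllMain endp

GetEntryRegs proc               ; returns a pointer to the snapshot
    mov eax, offset entry_regs
    ret
GetEntryRegs endp

SetHostContext proc value:DWORD ; the reliable channel: an explicit argument
    mov eax, value
    mov host_value, eax
    ret
SetHostContext endp

GetHostContext proc
    mov eax, host_value
    ret
GetHostContext endp
end DllMain

; ---- host.asm (assumed name) ----
; ml /c /coff host.asm
; link /SUBSYSTEM:WINDOWS host.obj
.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

.data
    dllname   db "regdll.dll", 0
    fn_regs   db "GetEntryRegs", 0
    fn_set    db "SetHostContext", 0
    fn_get    db "GetHostContext", 0
    fmt       db "ESI in the DllMain snapshot:   %08Xh", 13, 10
              db "ESI passed via SetHostContext: %08Xh", 0
.data?
    hDll      dd ?
    buffer    db 128 dup(?)

.code
start:
    mov esi, 0DEADBEEFh                    ; constructed test value the DLL should receive
    invoke LoadLibrary, addr dllname       ; DllMain runs inside this call and cannot see esi
    mov hDll, eax                          ; (esi survives: Win32 APIs preserve ebx/esi/edi/ebp)
    invoke GetProcAddress, hDll, addr fn_regs
    call eax
    mov ebx, [eax+4]                       ; slot [1] = ESI as the loader left it, not our value
    invoke GetProcAddress, hDll, addr fn_set
    push esi                               ; hand the value over as an argument
    call eax                               ; SetHostContext(esi); stdcall, callee cleans up
    invoke GetProcAddress, hDll, addr fn_get
    call eax                               ; eax = value stored by the DLL
    mov edi, eax                           ; keep it out of eax before the next invoke
    invoke wsprintf, addr buffer, addr fmt, ebx, edi
    invoke MessageBox, NULL, addr buffer, NULL, MB_OK
    invoke FreeLibrary, hDll
    invoke ExitProcess, 0
end start
```

Build the DLL first so regdll.dll sits next to host.exe. The first line of the message box shows the loader's ESI (it will differ from run to run of Windows, and is never the host's 0DEADBEEFh); the second line shows the value that made the round trip through SetHostContext and GetHostContext. Note that the snapshot in DllMain is taken with pushad/popad, so the DLL's own stack stays balanced, which is the trap hutch-- warns about with pop.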