GetThreadContext CONTEXT structure problem with masm

Started by white scorpion, December 16, 2007, 09:07:20 PM


white scorpion

Hi all,

It's been a while since I was last here; unfortunately I was too busy to do anything with my drive to code :(

A few days ago I finally managed to get some spare time again so I started coding again.
Although I really had to get into it again, I'm getting the hang of it again..

Nevertheless I still encountered a problem...

I'm trying to get the thread context of the main thread of my application, but for some reason when debugging the application it doesn't return any values to the CONTEXT structure given to GetThreadContext as parameter.

Here's the responsible code:


.data?

myctx      CONTEXT <>

.code

invoke SuspendThread,hThread
invoke GetThreadContext, hThread, addr myctx


Although this function does return a non-zero value indicating that it succeeded, when I actually look at the memory location of myctx after the call it's completely empty.
Besides that, according to MSDN the members of the structure can be found in winnt.h, but the only member I can use without getting an assembler error is myctx.ContextFlags.

All others give an error like this:

error A2006: undefined symbol : Eip

or

error A2166: structure field expected


I can imagine this wouldn't be the names of the members of the structure defined for masm since it might give problems with the rest of the code (at least, that's what I'm understanding from the latter error when calling mov eax,myctx.Edi for example), but I've been looking through the .inc files of the masm package as well and can't find any other names.

Does this mean that we cannot use this structure for GetThreadContext or that we should define one ourselves?
If so, how do I know which member is which?

Thanks in advance!

Kind regards,

Mark Vogels

ic2

One thing I think you may have forgotten for a minute...


.data is  <>

.data

myctx      CONTEXT <>
;.........................................

.data?  Should be <?>

.data?

myctx      CONTEXT <?>

white scorpion

To tell you the truth, I've never done it otherwise.
I've always declared structures in .data?
but never did I use <?> after the structure, just <>.
This didn't matter as far as I can tell, but maybe it does now.

But does that mean I need to declare this structure under .data instead of .data?

Tx

ic2

Quote
But does that mean I need to declare this structure under .data instead of .data?

I think this can go under .data and .const with no problems <>

It doesn't matter where you declare the data as long as it's declared the way the assembler expects it to be.


^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Now I just tested my own code and you are right. It doesn't seem to matter. But I had big problems in the past that brought me to this conclusion, for some reason...

Someone here has got to know better. Now we both need a little help.

Anyway, I'm going to play with some threading code just to see if I can run up on something for you. I don't know much about it, but it can't be that difficult to figure out; I've got examples everywhere..

ic2

Just did a little search... This is way out of my brain range.

http://www.asmcommunity.net/board/index.php?PHPSESSID=d36h9jsbtvcfemilaebhkhhc30&topic=18042.0

Quote
I know that in order to get GetThreadContext to work I need to set the thread security rights to THREAD_GET_CONTEXT. I found the proper page on MSDN, but all they say there is that I should use SetSecurityInfo.

Heavy

drizz

Hi

1) The CONTEXT structure MUST be aligned! It's good practice to align all your data on an appropriate boundary.

2) Use a decent IDE like RadAsm that has code completion and you won't have such problems.
(of course structure names are adjusted for masm32 so they don't interfere with masm keywords)
The truth cannot be learned ... it can only be recognized.

white scorpion

Stupid me for not using RadAsm for this.
I have RadAsm installed and I use it quite often, but since I was coding for more than 12 hours yesterday I decided to use Notepad++ as asm editor since it's a bit softer on the eyes compared to the default RadAsm scheme.

Thanks for the reply ;)

One thing, what do you mean with:

Quote
1) The CONTEXT structure MUST be aligned! It's good practice to align all your data on an appropriate boundary.

English isn't my native language so I might misunderstand this...

@ic2, I don't believe the security would be the problem since I'm testing the code with THREAD_ALL_ACCESS for OpenThread.
This should be sufficient access to get the context IMO, but I could be wrong here.
I will test it later today when I'm home again.

Thanks for your replies guys!

RuiLoureiro

Hi white scorpion,

The structure members of CONTEXT are defined in masm32\include\windows.inc.
They are:


CONTEXT STRUCT
  ContextFlags  DWORD      ?
  iDr0          DWORD      ?
  iDr1          DWORD      ?
  iDr2          DWORD      ?
  iDr3          DWORD      ?
  iDr6          DWORD      ?
  iDr7          DWORD      ?
  FloatSave     FLOATING_SAVE_AREA <>
  regGs         DWORD      ?
  regFs         DWORD      ?
  regEs         DWORD      ?
  regDs         DWORD      ?
  regEdi        DWORD      ?
  regEsi        DWORD      ?
  regEbx        DWORD      ?
  regEdx        DWORD      ?
  regEcx        DWORD      ?
  regEax        DWORD      ?
  regEbp        DWORD      ?
  regEip        DWORD      ?
  regCs         DWORD      ?
  regFlag       DWORD      ?
  regEsp        DWORD      ?
  regSs         DWORD      ?
  ExtendedRegisters db MAXIMUM_SUPPORTED_EXTENSION dup(?)
CONTEXT ENDS


I don't know much more about this matter.
Rui

drizz

Quote from: white scorpion on December 17, 2007, 03:57:07 PM
English isn't my native language so I might misunderstand this...

Neither is it mine.
Look at the picture -> "align 16"

white scorpion

Thanks RuiLoureiro!

@Drizz, why 16? because of 16 entries?

Btw, I've found the solution (or at least A solution):

mov myctx.ContextFlags, CONTEXT_CONTROL       ; tell GetThreadContext which part of the context to fill in
invoke GetThreadContext, hThread, addr myctx  ; the structure is passed as the second parameter


Apparently setting CONTEXT_CONTROL in the structure before calling GetThreadContext solves the problem ;)

ToutEnMasm

The solution is in the SDK, surely in WinHelp.
Quote
GetThreadContext

The GetThreadContext function retrieves the context of the specified thread.


BOOL GetThreadContext(
  HANDLE hThread,
  LPCONTEXT lpContext
);

Parameters
hThread
[in] Handle to the thread whose context is to be retrieved. The handle must have THREAD_GET_CONTEXT access to the thread. For more information, see Thread Security and Access Rights.
WOW64:  The handle must also have THREAD_QUERY_INFORMATION access.
lpContext
[in, out] Pointer to the CONTEXT structure that receives the appropriate context of the specified thread. The value of the ContextFlags member of this structure specifies which portions of a thread's context are retrieved. The CONTEXT structure is highly processor specific. Refer to the WinNt.h header file for processor-specific definitions of this structure and any alignment requirements.


drizz

Quote from: white scorpion on December 19, 2007, 05:18:53 PM
@Drizz, why 16? because of 16 entries?

It doesn't have to be 16, it has to be a multiple of 4 (4, 8 or 16).

white scorpion

ToutEnMasm, that explains. I've found some code on the net which sets CONTEXT_CONTROL and that provided me with the values of the registers.

@drizz, I'm still confused when to use the align statement, but I guess that's just my ignorance ;)
I'll see if I can find it in some sort of tutorial ....

ToutEnMasm

WinHelp, downloadable here:
Quote
http://www.masm32.com/board/index.php?topic=1588.msg12009#msg12009
This will answer your questions. The defined values of THREAD_.... are all in windows.inc.
Alignment modifies the address of the structure to be a multiple of 16, 8, 4, 2 or 1.
This is needed by the system to be faster.
You can add this in two ways:

CONTEXT STRUCT 16          ; alignment given in the structure definition itself
...
CONTEXT ENDS

or
.data
align 16                   ; align the next data item on a 16-byte boundary
context CONTEXT <>

drizz

Quote from: white scorpion on December 20, 2007, 06:13:57 AM
@drizz, I'm still confused when to use the align statement, but I guess that's just my ignorance ;)
I'll see if I can find it in some sort of tutorial ....

Look here: http://www.songho.ca/misc/alignment/dataalign.html

but CONTEXT is special case because windows stores fpu/register state to it, and it must be aligned...
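Pulling the thread's findings together (ContextFlags must be set before the call, the structure must be aligned, masm32 names the members regEip/regEsp/..., and the handle needs THREAD_GET_CONTEXT access), here is an added example that is not code from any poster: it suspends a worker thread, reads its registers and resumes it. It assumes the standard masm32 include paths and that windows.inc defines CONTEXT_INTEGER next to CONTEXT_CONTROL.

```masm
; Added example (not from the thread): read a suspended worker thread's registers under masm32.
.386
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

.data
align 16                     ; CONTEXT receives FPU/SSE state, so keep it on a 16-byte boundary
myctx   CONTEXT <>
hThread dd 0
fmt     db "Eip=%08Xh Esp=%08Xh Ebp=%08Xh Eax=%08Xh",0
buf     db 80 dup(0)

.code
; Worker thread that just sleeps in a loop so there is a live thread to inspect
ThreadProc proc lpParam:DWORD
  @@:
    invoke Sleep, 10
    jmp @B
ThreadProc endp

start:
    ; CreateThread returns a handle with THREAD_ALL_ACCESS, which includes THREAD_GET_CONTEXT
    invoke CreateThread, NULL, 0, addr ThreadProc, NULL, 0, NULL
    mov hThread, eax

    invoke SuspendThread, hThread      ; a running thread's context is not a stable snapshot
    ; ContextFlags selects what is filled in: CONTEXT_CONTROL = Eip/Esp/Ebp/EFlags/Cs/Ss,
    ; CONTEXT_INTEGER = Eax..Edi. Leaving it 0 (as in the first post) returns nothing.
    mov myctx.ContextFlags, CONTEXT_CONTROL or CONTEXT_INTEGER
    invoke GetThreadContext, hThread, addr myctx
    push eax                           ; keep the BOOL result across ResumeThread
    invoke ResumeThread, hThread
    pop eax
    .if eax == 0
        invoke ExitProcess, 1          ; GetThreadContext failed (use GetLastError for the reason)
    .endif

    ; masm32's windows.inc prefixes the register members with "reg" (see RuiLoureiro's listing)
    invoke wsprintf, addr buf, addr fmt, myctx.regEip, myctx.regEsp, myctx.regEbp, myctx.regEax
    invoke MessageBox, NULL, addr buf, NULL, MB_OK
    invoke CloseHandle, hThread
    invoke ExitProcess, 0
end start
```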