Walking the Stack of Child Process (Windows)

Started by baltoro, October 23, 2008, 11:36:04 PM


baltoro

I'm writing a Windows application using Visual C++ NET Standard as my IDE, and just for fun, I'm writing support components in assembly language in order to learn the basics (I'm a novice assembly programmer).
What I have done is load a selected executable (using the Windows API, CreateProcess), to give me access to the Child Process's virtual memory. I got this idea from "Windows Internals", in which the author states: "...if a process creates a child process, by default, it has the right to manipulate the child process's virtual memory. Thereafter, the parent process can allocate, deallocate, read and write memory on behalf of the child process by calling virtual memory services and passing a handle to the child process as an argument. This is key for implementing debuggers because debuggers must be able to read and write to the memory of the process being debugged."
What I'd like to do is read the resident stack memory of the child process, and write it out to a text file. The general concept, eventually, is to create a process that will analyze a loaded executable and in particular its stack data for dysfunctional code structures, malformed and illegal constructs and security vulnerabilities.
So, the recommended way to access the stack of a child process is with Windows APIs, VirtualQueryEx and ReadProcessMemory, but I'm wondering if this can be done in assembly language. If I attempt to walk the stack by using the current EBP register value as my guide, I'm fairly sure I'm walking the stack of the parent process. What I don't understand is how to convert a virtual address into a physical address, and use this to access the stack of the child process.
Or, am I looking at this the wrong way? I'd appreciate any suggestions.
Baltoro

donkey

Well, if you're debugging the process, the stack is easy to locate: it is found in the thread information block, where offset 4 is the top of the stack and offset 8 is the base of the stack. This is true of both the TEB (NT) and TIB (9x)...

http://www.microsoft.com/msj/archive/S2CE.aspx
"Ahhh, what an awful dream. Ones and zeroes everywhere...[shudder] and I thought I saw a two." -- Bender
"It was just a dream, Bender. There's no such thing as two". -- Fry
-- Futurama

Donkey's Stable
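The approach donkey describes, worked through as an added MASM32 example (not code from the thread): the child is started as a debuggee and stopped at its initial breakpoint, its TEB address is obtained with NtQueryInformationThread, the StackBase (+4) and StackLimit (+8) fields are read with ReadProcessMemory, and the committed stack between them is copied out to a file. Because ReadProcessMemory takes the child's own virtual addresses, no virtual-to-physical translation is needed. Assumptions: a 32-bit child, the MASM32 SDK include set, and a placeholder path for the child program.

```masm
; Added example (not from the thread): dump a 32-bit child's committed stack.
; Assumes the MASM32 SDK include set; the child path below is a placeholder.
include \masm32\include\masm32rt.inc
.data
szTarget db "C:\Windows\System32\notepad.exe",0   ; placeholder child program
si       STARTUPINFO <>
pi       PROCESS_INFORMATION <>
dbgEvent DEBUG_EVENT <>
tbi      dd 7 dup(0)     ; THREAD_BASIC_INFORMATION, TebBaseAddress at +4
tib      dd 3 dup(0)     ; NT_TIB head: ExceptionList, StackBase, StackLimit
cbDone   dd 0
.code
start:
    mov si.cb, sizeof STARTUPINFO
    ; start the child as a debuggee so it stops at ntdll's initial breakpoint
    invoke CreateProcess, ADDR szTarget, NULL, NULL, NULL, FALSE, DEBUG_ONLY_THIS_PROCESS, NULL, NULL, ADDR si, ADDR pi
    .if eax == 0
        invoke ExitProcess, 1
    .endif
@@: invoke WaitForDebugEvent, ADDR dbgEvent, INFINITE
    .if dbgEvent.dwDebugEventCode != EXCEPTION_DEBUG_EVENT
        invoke ContinueDebugEvent, dbgEvent.dwProcessId, dbgEvent.dwThreadId, DBG_CONTINUE
        jmp @B                      ; skip process/thread/DLL-load events
    .endif
    ; ask ntdll where the child's TEB is (ThreadBasicInformation = 0)
    invoke GetModuleHandle, chr$("ntdll.dll")
    invoke GetProcAddress, eax, chr$("NtQueryInformationThread")
    push NULL
    push sizeof tbi
    push OFFSET tbi
    push 0
    push pi.hThread
    call eax
    ; first 12 bytes of the TEB: StackBase (+4) is the high end, StackLimit (+8) the low end
    invoke ReadProcessMemory, pi.hProcess, tbi[4], ADDR tib, sizeof tib, NULL
    mov edi, tib[4]
    sub edi, tib[8]                 ; edi = committed stack size in bytes
    invoke GlobalAlloc, GMEM_FIXED, edi
    mov esi, eax
    invoke ReadProcessMemory, pi.hProcess, tib[8], esi, edi, NULL
    ; write the raw bytes, lowest address first, for offline inspection
    invoke CreateFile, chr$("childstack.bin"), GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL
    mov ebx, eax
    invoke WriteFile, ebx, esi, edi, ADDR cbDone, NULL
    invoke CloseHandle, ebx
    invoke TerminateProcess, pi.hProcess, 0
    invoke ExitProcess, 0
end start
```

The file holds the raw committed stack at the moment of the initial breakpoint; a hex dump of it is what the text-file output in the original question would show, and reading at a later point only requires continuing the debuggee to the event of interest before the ReadProcessMemory calls.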

baltoro

donkey,
Thanks a million... I'd completely forgotten about the TEB. And thanks for the Matt Pietrek article.
Excellent.
Baltoro