Get address of a struct

ragdog · April 15, 2011, 03:24:10 PM

How i can get all address of an struct give a tool for it?

example

TEB STRUCT
Tib NT_TIB <> ; 000h <<<<<<<<
EnvironmentPointer PVOID ? ; 01Ch <<<<
. . . .
TEB ENDS

qWord · April 15, 2011, 03:27:37 PM

?

Code Select

...
.data
    teb TEB <>
.code
    lea eax,teb
    ; or 
    lea eax,teb.Tib
    ; or
    lea eax,teb.EnvironmentPointer
...

redskull · April 15, 2011, 03:30:43 PM

OFFSET will also work to get the relative positions, as in:

mov eax, OFFSET TEB.EnvironmentPointer

-r

dedndave · April 15, 2011, 03:47:42 PM

i think he's asking for the offset relative to the beginning of the structure

Code Select

mov eax,offset TEB.EnvironmentPointer-offset TEB
not sure how well that will work, as TEB is a structure definition
OFFSET wants to deal with absolutes

redskull · April 15, 2011, 03:57:28 PM

Works fine for me:

Code Select

 .386
.model flat, stdcall
option casemap :none   ; case sensitive


FOO STRUCT
    foo1 DWORD 0
    foo2 WORD 0
    foo3 DWORD 0
FOO ENDS

.code

start:

mov eax, OFFSET FOO.foo1
mov eax, OFFSET FOO.foo2
mov eax, OFFSET FOO.foo3


end start

Code Select

00401000 > $ B8 00000000    MOV EAX,0
00401005   . B8 04000000    MOV EAX,4
0040100A   . B8 06000000    MOV EAX,6

dedndave · April 15, 2011, 03:59:24 PM

cool Red :U

jj2007 · April 15, 2011, 04:17:44 PM

If you continue typing superfluous stuff, you are a candidate for Repetitive Stress Injury

mov eax, FOO.foo2

redskull · April 15, 2011, 04:43:10 PM

Eh, I prefer a coding style the emphasizes the difference between a memory bus access and an immediete value. Besides, I have bigger problems when it comes to risky behaviors for Repetitive Stress Injury :green2

jj2007 · April 15, 2011, 04:56:53 PM

Quote from: redskull on April 15, 2011, 04:43:10 PM
Eh, I prefer a coding style the emphasizes the difference between a memory bus access and an immediete value.

That's what I proposed. mov eax, RECT.top is nothing more than an immediate value called DWORD aka 4...
For me, offset means global variable... but I realise this is excellent stuff for a little flame war :bg

ragdog · April 15, 2011, 05:07:45 PM

I mean to skip in a value of this structur

example:

mov esi,offset TEB STRUCT
mov eax, [esi+01Ch]

Now is the question to get this address 01Ch .... of a structur

jj2007 · April 15, 2011, 05:21:11 PM

Quote from: ragdog on April 15, 2011, 05:07:45 PM
I mean to skip in a value of this structur

example:

mov esi,offset TEB STRUCT
mov eax, [esi+01Ch]

Now is the question to get this address 01Ch .... of a structur

Code Select

mov esi, offset MyRECT
mov eax,  [esi.RECT.right]
lea edx, [esi.RECT.right]
mov ecx, [edx]
.if ecx==eax
  MsgBox "Bingo", "Hi", MB_OK
.endif

ragdog · April 15, 2011, 05:29:15 PM

Skip to a structur if not this problem i mean only this address

01Ch
012Fh
..
..
.

mov esi,offset TEB STRUCT
mov eax, [esi+01Ch]

in eax is now EnvironmentPointer

I mean only this hex address to get from a structur

dedndave · April 15, 2011, 05:50:01 PM

Red has it right
it is important to understand the difference between a structure type definition and a data definition, though

Code Select

;structure type definition

SomeStruc STRUCT
  Member0 dd ?
  Member1 dd ?
SomeStruc ENDS

        .DATA?

;data definition

ss SomeStruc <>

        .CODE

        mov     eax,offset SomeStruc.Member1   ;4
        mov     eax,offset ss.Member1          ;address of ss+4

you can describe the structure type in the data section which does both, too
this can be the source of some confusion

News:

Get address of a struct