Suppose I have a function called "Overflow" in a DLL called "Overflow.dll" but I don't have its PDBs.
I know I can get the address it starts in with "GetProcAddress", but can I get somehow the address where it ends or its size?
(C++ in windows)
The reason I ask this is that I have an address and I want to know if it is inside my specific function. So I assume (and please correct me if I'm wrong) that the address is in my function if:
StartAddress <= My Address <= EndAddress
thanks :)
So I assume (and please correct me if I'm wrong)
I'm "correcting". The issue is that it's extremely unlikely that your function has no function calls inside of itself. For example, the position could be inside of a printf call called by your function, but the instruction pointer would not be in your function itself.
You could implement a parser for x86 instructions that looks for the return instruction to find the end address, assuming you know there is only one return in the function. If you don't know that there's only one return, then you need the PDBs.
Related
I was writing some logging logic and wanted to make some indentations. The easiest way to understand whether any function call was present or if some function has finished is to look at the current address of the stack/frame. Let's suppose that stack grows upside down. Then if the stack address in the log() call is smaller than during the previous call, we can increase the indent since some function call was present. I know there are functions like backtrace() that know how to dump it, or you can use some assembly. However, I remember reading about external variables that can be used to retrieve this information. Can someone name these variables or give a reference where I can find them (as far as I remember, it was in some computer systems book like "Computer Systems: A Programmer's Perspective "). Otherwise, what is the most convenient/fast way of getting this information?
Update: I have accidentally found the link I was referring to - Print out value of stack pointer
TLDR: There is no portable way to do what I have described...
This method is highly nonportable and will break under various transformations, but if you're just using it for debug logging it might be suitable.
The easiest way to get something resembling the current stack frame address is just take the address of any automatic-storage (local, non-static) variable. If you want a baseline to compare it against, save the address of some local in main or similar to a global variable. If your program is or might be multi-threaded, use a thread-local variable for this if needed.
I'm trying to modify/replace the parameter value of a function. Here's the stack and the highlighted location is the target.
(esp + 8) (struct sockaddr)
I'm executing inline assembly with a hooked function. Should I modify/replace the value once it is already on stack or before the params are even pushed?
Anything I should be aware of?
If you're hooking a function, it means that your own function was called with the original parameters and you may forward these parameters (changed or not) to the original function at some point. It's generally easier to change the parameters you receive without copying and pass them along. If you're doing user-land to user-land or kernel-land to kernel-land hooking, then you may NOT want to touch the original process/kernel memory pointers - copy for safety.
I'm new to c++ and Access. I'm working with a project calls dll (compiled by c++) from Access.
I want to understand how are the parameters passed into the dll.
The input data for dll is prepared in Access, and we call the dll from Access.
We associate "RunFunction" with the dll we want to call.
The line in Access calls the dll:
Results = RunFunction(Data.age, Data.calendar, Data.timesheet, Data.extra)
The cpp code that complies the dll:
double __stdcall RunFunction(double * iData, double(*iCalendar)[100], double(*iTimesheet)[100])
First question, from the cpp code, I found the *iData(in c++) actually contains all info from Data (in Access).
Why it could happen? I thought only Data.age is passed into *iData, not the whole Data?
Second question, the the RunFunction from Access has four input parameters, while c++ only takes three, why it doesn't this cause any issue?
First, consider that inside Access the value of Data.age might be inside a buffer containing the entire record or some other structure. So when the address of that one value is passed to you in C++, you can explore neighboring addresses and see what’s in it. Don’t do that!
Second, look at the way __stdcall works. It was designed in the early days of C when function arguments were not checked at all! You can pass fewer or more parameters on the caller side and not mess up the stack. If you pass extra, no big deal. If you leave off some, then using the rightmost names in the function will give garbage values and witing to them can cause all sorts of problems including clobbering the return address.
The title is not that clear, and if anybody has a better suggestion please tell me.
Now to business:
I am activating a class' method.
m_someObject.Clear();
The problem is that when I look at the address of m_someObject before the call I get that it is located in a certain address, and when I enter the Clear method with the debugger I get that this variable is located in another address.
The result is that after returning from Clear method it doesn't seem to have affected
m_someObject instance which called it.
Does anybody have any idea what could cause this kind of behavior?
Working on Microsoft Visual Studio 2010 64-bit.
Probably you pass m_someObject as a value to some other function (and thus get a copy) and execute Clear() only on copy. This way you will not notice a change on original object.
Can you please check if you have two different variables with the same name? One defined in the immediate scope and another one, maybe in the global scope?
The most common reason is Multiple Inheritance. Unlike C# and Java, in C++ a class can have multiple base classes. Obviously, not all can be located at offset 0. This means that this has to be adjusted if you're using a method from a base class that's located at a non-zero offset.
Well, apparently the debugger was lying.. I wasn't aware of this, but apparently some of the code was compiled in release mode. Conclusion - Debugger No, printf - Yes.
I have one clarification
What is the difference between calling a function through function pointer and calling a function directly by name ?
Anybody help me in this.
There is no difference in the actual call. Parameters are passed the same way, the function runs the same way, and the return value comes back the same way.
The only difference is that you can make the function pointer point somewhere else.
There is no difference except that a compiler/linker calculates exactly what address to transfer control of the program to when you call a function by name and hardcodes that value into the code, whereas with function pointers, the computer must use the pointer to calculate where to transfer control to at runtime.
No difference (except that calling by name will always call the same function, and pointer can be changed to point to different functions).
While the direct use of function pointers does not have any cost, you should bear in mind that function pointers aren't compile time constants, so it maybe has a cost to read them. So if you have a function pointer inside a class and use that to emulate polymorphic behavior, you won't get any speedup at all.