1

I have this code for my Win32 application:

class Foo {
public: 
    string mystring;    
    __declspec(dllexport) void foo();
};

void Foo::foo(){

    printf("foo called");

}

int _tmain(int argc, _TCHAR* argv[])
{
    Foo foo;
    foo.mystring =  "all your base are belong to us";

    return 0;
}

If I know have the image base address of this Win32 in memory:

  • Given that I have the image base address how can I get the Foo class instance offset
  • Given that I have the image base address of the win32 application in memory, how can I get the offset address for the variable mystring
  • Acquiring the function address of the function foo() was fairly easy, I was able to do that, and even call the function from another process. However, I am not sure how to get (at least read) the address of variables.

The idea is that I will execute this program, then some other program gets the image base address of this application then will try to read variables inside the said application.

unkulunkulu
  • 11,576
  • 2
  • 31
  • 49
quarks
  • 33,478
  • 73
  • 290
  • 513
  • 3
    Well, the variable may get optimized out. Frankly speaking, the whole class and even the whole program may be optimized out :) – Vlad Jun 21 '12 at 11:46
  • 1
    In your case, the only instance of `Foo` is on stack, so you might need to look there. Again, provided that the compiler didn't optimize out the field `mystring`, which is only written and never read. (If I were a compiler, I would do it, certainly.) – Vlad Jun 21 '12 at 11:49
  • @Vlad, why optimize out written-to only values? assigning to them could have side-effects, you never know. – unkulunkulu Jun 21 '12 at 11:57
  • @unkulunkulu: The compiler knows the source code of `std::string`, so it can check that writing into it has no side effects. (And if there _were_ side effects, the program doesn't depend on them, so perhaps they may be safely neglected.) – Vlad Jun 21 '12 at 12:04
  • @Vlad, ok, let's put in another way. Could you tell me of a compiler that does this? I.e. removes fields from classes? Not to mention that in this case this field is public. – unkulunkulu Jun 21 '12 at 12:07
  • @unkulunkulu: `g++ -O3` sometimes removes the whole classes. This is something called "whole program optimization": no matter if something is public if no code actually uses it. – Vlad Jun 21 '12 at 12:08
  • @Vlad, I wonder how this can be checked, are you saying that printing `sizeof(Foo)` will print too little numbers? I can believe that it removes code (not exported for example), but I have never seen removing class's fields and cannot see such a posibility, 'cause external code can explicitly access `Foo`'s fields. – unkulunkulu Jun 21 '12 at 12:13
  • @unkulunkulu: if the compiler sees the _whole_ program (which is the case for the OP's code), it can see whether any code actually accesses `Foo`'s fields. In the case of original program, it's clearly not. :) So the compiler can remove the first two lines of `_tmain` without changing the program's _observable behaviour_. – Vlad Jun 21 '12 at 12:15
  • @Vlad where does a compiler put references to the variables of a class? So I can cast a pointer to that address, is it generally possible? – quarks Jun 22 '12 at 05:16
  • @xybrek: (disclaimer) well, it depends on the compiler, the compiler can do access the members of the class any way it prefers. The usual way is that the compiler just _knows_ the offset from the object pointer to the member variable, and uses this offset as a hardcoded constant when accessing the members (like `mov ax, [bx+6]`, where `bx` holds the object address, and 6 is the offset known to the compiler). – Vlad Jun 22 '12 at 11:19
  • @xybrek: the problem is that C++ doesn't have a standard on binary representation, therefore the compiler may do whatever it wants to. See, for example, [this SO answer](http://stackoverflow.com/a/7492291/276994) for some discussion on the topic. – Vlad Jun 22 '12 at 11:23

0 Answers0