2

I'm trying to get the value of another process' EBP register on Windows 7 64-bit.
For this I'm using GetThreadContext like this:

#include <windows.h>

// threadHandle: a handle opened with THREAD_GET_CONTEXT (and THREAD_SUSPEND_RESUME for SuspendThread)
static CONTEXT threadContext;
memset(&threadContext, 0, sizeof(CONTEXT));
threadContext.ContextFlags = CONTEXT_FULL;   // CONTEXT_FULL covers the control registers (EIP, ESP, EBP) and the integer registers
BOOL contextOk = GetThreadContext(threadHandle, &threadContext);

The EIP value seems OK, but EBP = 0. I also tried using WOW64_GetThreadContext, but it didn't help... GetLastError() returns 0, so it's supposed to be OK. I do suspend this thread with SuspendThread, and it DOESN'T happen every time I sample the thread.

What could cause this?

Idov
  • Do you know "You cannot get a valid context for a running thread. Use the `SuspendThread` function to suspend the thread before calling `GetThreadContext`."? MSDN – Tony The Lion Sep 15 '11 at 15:50
  • Since you have the process (or at least the thread) suspended, maybe you could attach a real debugger to it and see what *it* says EBP is. – Rob Kennedy Sep 15 '11 at 16:31
  • I just tried it, but apparently VS Express cannot attach to a suspended or already debugged process :/ – Idov Sep 15 '11 at 16:37

1 Answer

2

One possible cause is that the register's value really is zero at the time you inspect it. It's a general-purpose register, so the program can set it to whatever value it wants.

Rob Kennedy
  • Isn't it supposed to hold the start of the function? – Idov Sep 15 '11 at 15:55
  • On the x86, there are (essentially) two stack frame layouts: EBP frames and FPO frames. In an EBP frame, EBP points to the previous EBP, EBP+4 points to the return address, and EBP+8 points to the first stack-passed argument. In an FPO frame, EBP isn't used as a "frame pointer" and instead is a general-purpose register. So, it really depends on the target function. – snoone Sep 15 '11 at 16:10
  • But the project I read the thread context from is not using the "Omit Frame Pointer" optimization. – Idov Sep 15 '11 at 16:25
  • You have no idea exactly where you'll freeze the thread context. It certainly isn't guaranteed to be executing code from that project. Could just as well be Windows code. – Hans Passant Sep 15 '11 at 18:50
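Added example (not code from the question or the answers): a small C walker for the EBP frame layout snoone describes ([EBP] = saved EBP, [EBP+4] = return address, [EBP+8] = first argument), run over a constructed 32-bit stack image so it builds without Windows. It shows what a sampler that reads EBP via GetThreadContext has to do with the values the thread above reports: treat EBP == 0, an EBP outside the stack, or a chain that does not ascend as end-of-chain instead of dereferencing it. STACK_BASE, the slot numbers and the return addresses are made-up sample values.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed 32-bit stack image: slot i models the dword at STACK_BASE + 4*i.
   STACK_BASE and all values below are made-up sample data, not a real dump. */
#define STACK_BASE 0x0019F000u
#define NSLOTS 32u

/* Read one dword of the image; fails for any address outside it or misaligned. */
static int read_dword(const uint32_t *stack, uint32_t addr, uint32_t *out)
{
    if (addr < STACK_BASE || (addr & 3u) || (addr - STACK_BASE) / 4 >= NSLOTS) return 0;
    *out = stack[(addr - STACK_BASE) / 4];
    return 1;
}

/* Walk EBP frames ([EBP] = saved EBP, [EBP+4] = return address, [EBP+8] = first
   argument), collecting return addresses. Stops cleanly in the cases a sampler
   must expect: EBP == 0 (outermost frame, or a thread whose EBP simply is zero,
   as in the question), EBP outside the stack or misaligned, or a chain that does
   not ascend (EBP used as a plain register in an FPO frame, or corruption).
   Returns the number of frames collected. */
size_t walk_ebp_chain(const uint32_t *stack, uint32_t ebp, uint32_t *out_ret, size_t max_frames)
{
    size_t n = 0;
    uint32_t saved_ebp, ret;
    while (n < max_frames && ebp != 0) {
        if (!read_dword(stack, ebp, &saved_ebp) || !read_dword(stack, ebp + 4, &ret)) break;
        out_ret[n++] = ret;
        if (saved_ebp != 0 && saved_ebp <= ebp) break;   /* chain must move upward */
        ebp = saved_ebp;
    }
    return n;
}

/* Build a three-frame sample stack and return the innermost EBP. */
uint32_t build_sample_stack(uint32_t *stack)
{
    memset(stack, 0, NSLOTS * sizeof stack[0]);
    stack[2]  = STACK_BASE + 4 * 10;  /* innermost frame: saved EBP -> middle frame */
    stack[3]  = 0x00401234u;          /* return address into the caller */
    stack[4]  = 0x2au;                /* first stack argument */
    stack[10] = STACK_BASE + 4 * 20;  /* middle frame -> outermost frame */
    stack[11] = 0x00405678u;
    stack[20] = 0;                    /* outermost frame: saved EBP == 0 ends the walk */
    stack[21] = 0x77A0C000u;          /* return into the thread-start stub */
    return STACK_BASE + 4 * 2;
}
```

Walking from the innermost EBP yields the three return addresses; walking from 0, from a small general-purpose value such as 0x2a, or from a misaligned address yields no frames and no out-of-bounds read.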