flat assembler
Message board for the users of flat assembler.

flat assembler > Windows > Fill an x64 struct CONTEXT with GetThreadContext doesn't work

blopblop



Joined: 30 Aug 2017
Posts: 1
Hello,

I would like to fill an x64 CONTEXT structure with GetThreadContext, but it doesn't seem to work (although it works well in MASM and for a 32-bit PE).

The structure I define is like:
Code:
struct CONTEXT
  ContextFlags dd ?
  Dr0 dq ?
  Dr1 dq ?
  Dr2 dq ?
  Dr3 dq ?
  Dr6 dq ?
  Dr7 dd ?
  ;FloatSave dd ?
  SegGs dw ?
  SegFs dw ?
  SegEs dw ?
  SegDs dw ?
  SegCs dw ?
  SegSs dw ?
  EFlags dd ?
  Rdi dq ?
  Rsi dq ?
  Rbx dq ?
  Rdx dq ?
  Rcx dq ?
  Rax dq ?
  Rbp dq ?
  Rip dq ?
  Rsp dq ?
  R8 dq ?
  R9 dq ?
  R10 dq ?
  R11 dq ?
  R12 dq ?
  R13 dq ?
  R14 dq ?
  R15 dq ?
ends


Then I call GetThreadContext like:
Code:
mov [Context.ContextFlags], 00010007h
invoke GetThreadContext, [PrcInfo.hThread], Context


When I check in x64dbg, the return value in RAX is 1, so GetThreadContext works well.
But when I want to get the content of Rbx with:
Code:
mov rbx, [Context.Rbx]


It fills the Rbx register with 0. WHY?

Maybe I don't use the structure correctly? In my MASM program, the structure was already defined, so I didn't have to write it explicitly in my code.

Thanks in advance

Best regards
Post 30 Aug 2017, 09:56
Furs



Joined: 04 Mar 2016
Posts: 1172
My guess would be padding due to 64-bit pointers mixed with 32-bit data. For example, there are probably 4 useless bytes after ContextFlags to align Dr0 to a 64-bit boundary.

Can you find the MASM source header that defines this struct? That would answer everything. (I don't have MASM / never did)
Post 30 Aug 2017, 10:28
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15871
Location: 162173 Ryugu
A short amount of searching tells me that MS publish the structure in WinNT.h but not on the website.

And that an SO answer gives a totally different structure than the one you list above.

None, one, or all of these may be the answer you needed.
Post 30 Aug 2017, 11:48
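Added example, not part of the original thread or any poster's code: a C offset check that compares the structure posted in the question with the start of the AMD64 CONTEXT from WinNT.h, which the last reply points to. The `winnt_ctx_head` layout is a transcription made here (an assumption, the thread does not quote the header), and the names `posted_ctx`, `winnt_ctx_head` and `winnt_field_at` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Layout posted in the thread. fasm's struct macro adds no padding, so pack(1). */
#pragma pack(push, 1)
struct posted_ctx {
    uint32_t ContextFlags;
    uint64_t Dr0, Dr1, Dr2, Dr3, Dr6;
    uint32_t Dr7;
    uint16_t SegGs, SegFs, SegEs, SegDs, SegCs, SegSs;
    uint32_t EFlags;
    uint64_t Rdi, Rsi, Rbx, Rdx, Rcx, Rax, Rbp, Rip, Rsp;
    uint64_t R8, R9, R10, R11, R12, R13, R14, R15;
};
#pragma pack(pop)

/* Assumption: start of the AMD64 CONTEXT in WinNT.h up to Rip; FP/vector areas follow. */
struct winnt_ctx_head {
    uint64_t P1Home, P2Home, P3Home, P4Home, P5Home, P6Home;
    uint32_t ContextFlags, MxCsr;
    uint16_t SegCs, SegDs, SegEs, SegFs, SegGs, SegSs;
    uint32_t EFlags;
    uint64_t Dr0, Dr1, Dr2, Dr3, Dr6, Dr7;
    uint64_t Rax, Rcx, Rdx, Rbx, Rsp, Rbp, Rsi, Rdi;
    uint64_t R8, R9, R10, R11, R12, R13, R14, R15;
    uint64_t Rip;
};

#define F(n) { #n, offsetof(struct winnt_ctx_head, n) }
static const struct { const char *name; size_t off; } winnt_fields[] = {
    F(ContextFlags), F(Dr0), F(Dr1), F(Dr2), F(Dr3), F(Dr6), F(Dr7),
    F(Rax), F(Rcx), F(Rdx), F(Rbx), F(Rsp), F(Rbp), F(Rsi), F(Rdi), F(Rip),
};
size_t posted_rbx_offset(void) { return offsetof(struct posted_ctx, Rbx); }
size_t winnt_rbx_offset(void)  { return offsetof(struct winnt_ctx_head, Rbx); }

/* Name of the WinNT.h field that starts at byte offset off, or "?" if none. */
const char *winnt_field_at(size_t off) {
    for (size_t i = 0; i < sizeof winnt_fields / sizeof *winnt_fields; i++)
        if (winnt_fields[i].off == off) return winnt_fields[i].name;
    return "?";
}

int main(void) {
    printf("posted Rbx at 0x%zx, which WinNT.h calls %s; real Rbx at 0x%zx\n",
           posted_rbx_offset(), winnt_field_at(posted_rbx_offset()), winnt_rbx_offset());
    return 0;
}
```

The posted structure is 200 bytes, smaller than even this 0x100-byte head of the header's layout, so the buffer passed to GetThreadContext should be sized and aligned from the WinNT.h definition rather than from a hand-written field list.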
Copyright © 2004-2018, Tomasz Grysztar.