flat assembler
Message board for the users of flat assembler.

Filling an x64 struc CONTEXT with GetThreadContext doesn't work


Joined: 30 Aug 2017
Posts: 1
blopblop 30 Aug 2017, 09:56

I would like to fill an x64 CONTEXT structure with GetThreadContext, but it doesn't seem to work (although it works well in MASM and for a 32-bit PE).

The structure I define is like:
struct CONTEXT
               ContextFlags   dd ?
               Dr0            dq ?
               Dr1            dq ?
               Dr2            dq ?
               Dr3            dq ?
               Dr6            dq ?
               Dr7            dd ?
               ;FloatSave     dd ?
               SegGs          dw ?
               SegFs          dw ?
               SegEs          dw ?
               SegDs          dw ?
               SegCs          dw ?
               SegSs          dw ?
               EFlags         dd ?
               Rdi            dq ?
               Rsi            dq ?
               Rbx            dq ?
               Rdx            dq ?
               Rcx            dq ?
               Rax            dq ?
               Rbp            dq ?
               Rip            dq ?
               Rsp            dq ?
               R8             dq ?
               R9             dq ?
               R10            dq ?
               R11            dq ?
               R12            dq ?
               R13            dq ?
               R14            dq ?
               R15            dq ?
ends

Then I call GetThreadContext like:
mov             [Context.ContextFlags], 00010007h
invoke GetThreadContext, [PrcInfo.hThread], Context

When I check in x64dbg, the return value in RAX is 1, so GetThreadContext works well.
But when I want to get the content of Rbx with:
mov             rbx, [Context.Rbx]

It fills the Rbx register with 0. WHY?

Maybe I don't use the structure correctly? In my MASM program, the structure was already defined, so I didn't have to write it explicitly in my code.

Thanks in advance

Best regards

Joined: 04 Mar 2016
Posts: 2019
Furs 30 Aug 2017, 10:28
My guess would be padding due to 64-bit pointers mixed with 32-bit data. For example, there are probably 4 useless bytes after ContextFlags to align Dr0 to a 64-bit boundary.

Can you find the MASM source header that defines this struct? That would answer everything. (I don't have MASM / never did)
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 19096
Location: In your JS exploiting you and your system
revolution 30 Aug 2017, 11:48
A short amount of searching tells me that MS publish the structure in WinNT.h but not on the website.

And that an SO answer gives a totally different structure than the one you list above.

None, one, or all of these may be the answer you needed.
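A layout check for the two points raised in the replies above (Furs's padding guess and the WinNT.h definition revolution mentions), added here as an example; it is not code from this thread or from the fasm package. It models the x64 CONTEXT from WinNT.h with Python ctypes, using Microsoft's field order and its CONTEXT_* flag values (the FltSave and VectorRegister areas are represented as raw bytes, which leaves every offset unchanged), next to the structure posted in the question, packed because fasm's struct macro inserts no padding. It never calls the API, so it runs on any OS.

```python
import ctypes

# CONTEXT_* values for AMD64 as defined in WinNT.h.
CONTEXT_AMD64 = 0x00100000
CONTEXT_CONTROL = CONTEXT_AMD64 | 0x01
CONTEXT_INTEGER = CONTEXT_AMD64 | 0x02
CONTEXT_SEGMENTS = CONTEXT_AMD64 | 0x04
CONTEXT_FLOATING_POINT = CONTEXT_AMD64 | 0x08
CONTEXT_DEBUG_REGISTERS = CONTEXT_AMD64 | 0x10
CONTEXT_FULL = CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_FLOATING_POINT   # 0x10000B
CONTEXT_ALL = CONTEXT_FULL | CONTEXT_SEGMENTS | CONTEXT_DEBUG_REGISTERS     # 0x10001F
CONTEXT_FULL_X86 = 0x00010007   # the 32-bit CONTEXT_FULL value used in the question

U8, U16, U32, U64 = ctypes.c_uint8, ctypes.c_uint16, ctypes.c_uint32, ctypes.c_uint64


class ContextAmd64(ctypes.Structure):
    """x64 CONTEXT in WinNT.h field order, natural alignment (DECLSPEC_ALIGN(16) in C)."""
    _fields_ = [
        ("P1Home", U64), ("P2Home", U64), ("P3Home", U64),
        ("P4Home", U64), ("P5Home", U64), ("P6Home", U64),
        ("ContextFlags", U32), ("MxCsr", U32),
        ("SegCs", U16), ("SegDs", U16), ("SegEs", U16),
        ("SegFs", U16), ("SegGs", U16), ("SegSs", U16),
        ("EFlags", U32),
        ("Dr0", U64), ("Dr1", U64), ("Dr2", U64),
        ("Dr3", U64), ("Dr6", U64), ("Dr7", U64),
        ("Rax", U64), ("Rcx", U64), ("Rdx", U64), ("Rbx", U64),
        ("Rsp", U64), ("Rbp", U64), ("Rsi", U64), ("Rdi", U64),
        ("R8", U64), ("R9", U64), ("R10", U64), ("R11", U64),
        ("R12", U64), ("R13", U64), ("R14", U64), ("R15", U64),
        ("Rip", U64),
        ("FltSave", U8 * 512),                # XMM_SAVE_AREA32 (FXSAVE image) as raw bytes
        ("VectorRegister", U8 * (26 * 16)),   # M128A VectorRegister[26] as raw bytes
        ("VectorControl", U64), ("DebugControl", U64),
        ("LastBranchToRip", U64), ("LastBranchFromRip", U64),
        ("LastExceptionToRip", U64), ("LastExceptionFromRip", U64),
    ]


class PosterContext(ctypes.Structure):
    """The layout posted in the question; fasm's struct macro pads nothing, hence _pack_ = 1."""
    _pack_ = 1
    _fields_ = [
        ("ContextFlags", U32),
        ("Dr0", U64), ("Dr1", U64), ("Dr2", U64), ("Dr3", U64), ("Dr6", U64),
        ("Dr7", U32),
        ("SegGs", U16), ("SegFs", U16), ("SegEs", U16),
        ("SegDs", U16), ("SegCs", U16), ("SegSs", U16),
        ("EFlags", U32),
        ("Rdi", U64), ("Rsi", U64), ("Rbx", U64), ("Rdx", U64),
        ("Rcx", U64), ("Rax", U64), ("Rbp", U64), ("Rip", U64), ("Rsp", U64),
        ("R8", U64), ("R9", U64), ("R10", U64), ("R11", U64),
        ("R12", U64), ("R13", U64), ("R14", U64), ("R15", U64),
    ]


def size_of(struct_cls):
    return ctypes.sizeof(struct_cls)


def offset_of(struct_cls, name):
    return getattr(struct_cls, name).offset


def field_at(struct_cls, offset):
    """Name of the field of struct_cls covering byte `offset` (None if past the end)."""
    for name, _ in struct_cls._fields_:
        desc = getattr(struct_cls, name)
        if desc.offset <= offset < desc.offset + desc.size:
            return name
    return None


SECTIONS = [
    ("CONTROL", CONTEXT_CONTROL), ("INTEGER", CONTEXT_INTEGER),
    ("SEGMENTS", CONTEXT_SEGMENTS), ("FLOATING_POINT", CONTEXT_FLOATING_POINT),
    ("DEBUG_REGISTERS", CONTEXT_DEBUG_REGISTERS),
]


def requested_sections(context_flags):
    """Register groups a ContextFlags value selects on x64: a group counts only when its
    whole mask, CONTEXT_AMD64 bit included, is present."""
    return [name for name, mask in SECTIONS if context_flags & mask == mask]


def mismatch_report(field):
    """Where the posted layout reads `field`, and which real field lives at that offset."""
    posted = offset_of(PosterContext, field)
    return {"posted_offset": posted,
            "real_offset": offset_of(ContextAmd64, field),
            "real_field_at_posted_offset": field_at(ContextAmd64, posted)}


if __name__ == "__main__":
    print(f"sizeof(CONTEXT) = {size_of(ContextAmd64):#x}")
    for reg in ("ContextFlags", "Rbx", "Rsp", "Rip"):
        print(reg, mismatch_report(reg))
    print("00010007h selects on x64:", requested_sections(CONTEXT_FULL_X86))
    print("CONTEXT_FULL selects on x64:", requested_sections(CONTEXT_FULL))
```

Running it shows that the posted struct reads Rbx at offset 50h, where the real structure keeps Dr1, while the real Rbx sits at 90h, ContextFlags at 30h, and the whole structure is 4D0h bytes and declared 16-byte aligned. The flag value is a second thing to check: every x64 section mask carries the CONTEXT_AMD64 bit (100000h), so the 32-bit CONTEXT_FULL value 00010007h selects no register group under the x64 masks; x64 CONTEXT_FULL is 10000Bh.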

Copyright © 1999-2023, Tomasz Grysztar.