I'm trying to log pointed instructions with ReadProcessMemory; in fact I use the EIP register to get the next instruction address. Next, I use the distorm lib to display the mnemonic. But ReadProcessMemory reads nothing.
#include <windows.h>
#include <stdio.h>

void display_instruction(Debuggee* debuggee)
{
    CONTEXT lcContext;
    lcContext.ContextFlags = CONTEXT_ALL;
    // Fetch the debuggee thread's registers (return value not checked here)
    GetThreadContext(debuggee->debugEvent->u.CreateProcessInfo.hThread, &lcContext);
    BYTE cInstruction = 0;
    SIZE_T dwReadBytes; // ReadProcessMemory reports the byte count through a SIZE_T*
    // Read one byte at the address given as the second argument into cInstruction
    ReadProcessMemory(debuggee->debugEvent->u.CreateProcessInfo.hProcess, (void*)&lcContext.Eip, &cInstruction, 1, &dwReadBytes);
    decode(&cInstruction); // Distorm mnemonic: pass the buffer holding the byte, not the byte cast to a pointer
    printf("Instruction : 0x%03.3X , %u\n", cInstruction, (unsigned)dwReadBytes);
}
I need your help please! ^^
This probably:
ReadProcessMemory(debuggee->debugEvent->u.CreateProcessInfo.hProcess,
(void*) &lcContext.Eip, // <
&cInstruction,
1,
&dwReadBytes);
should be:
ReadProcessMemory(debuggee->debugEvent->u.CreateProcessInfo.hProcess,
(void*) lcContext.Eip, // <
&cInstruction,
1,
&dwReadBytes);
as ReadProcessMemory expects the address in the virtual memory of the target process. Plus, you can check the return value and the reason of failure.
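To make the answer's point concrete, here is an added example that is not from the question or the answer and is not Win32 code: a small simulated ReadProcessMemory over a constructed block of "target" memory, with the question's call (address of the local Eip field) beside the answer's call (the value of Eip), and the return value and byte count checked as the answer suggests. TARGET_BASE, the opcode bytes and every sim_* name are constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the debuggee: five bytes of "target process" code
 * (push ebp; mov ebp,esp; nop; ret) mapped at a made-up virtual address. */
#define TARGET_BASE 0x00401000u
static const uint8_t target_image[] = { 0x55, 0x8B, 0xEC, 0x90, 0xC3 };
static int last_error = 0;        /* stands in for GetLastError() */
#define ERROR_PARTIAL_COPY 299    /* the Win32 value of ERROR_PARTIAL_COPY */

/* Mirrors ReadProcessMemory's contract: addr is an address in the TARGET's
 * virtual memory, not a pointer in the debugger. Returns 0 on failure. */
static int sim_read_process_memory(uintptr_t addr, void *buf, size_t n, size_t *bytes_read)
{
    *bytes_read = 0;
    if (addr < TARGET_BASE || addr + n > TARGET_BASE + sizeof target_image) {
        last_error = ERROR_PARTIAL_COPY;
        return 0;
    }
    memcpy(buf, target_image + (addr - TARGET_BASE), n);
    *bytes_read = n;
    return 1;
}

struct sim_context { uint32_t Eip; };   /* only the CONTEXT field in question */
/* As in the question: &ctx->Eip is a debugger-side stack address, so the read
 * fails (returns -1) even though the Eip value points at valid target code. */
int fetch_opcode_wrong(struct sim_context *ctx)
{
    uint8_t op = 0; size_t got;
    if (!sim_read_process_memory((uintptr_t)&ctx->Eip, &op, 1, &got)) return -1;
    return op;
}

/* As in the answer: the VALUE of Eip is the target address, and the return
 * value plus byte count are checked with the failure reason reported. */
int fetch_opcode_right(struct sim_context *ctx)
{
    uint8_t op = 0; size_t got;
    if (!sim_read_process_memory(ctx->Eip, &op, 1, &got) || got != 1) {
        fprintf(stderr, "read at 0x%08X failed, error %d\n", ctx->Eip, last_error);
        return -1;
    }
    return op;
}

int main(void)
{
    struct sim_context ctx = { TARGET_BASE + 1 };   /* Eip -> the 0x8B byte */
    printf("wrong: %d, right: 0x%02X\n", fetch_opcode_wrong(&ctx), fetch_opcode_right(&ctx));
    return 0;
}
```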