Following struct pointers
I'm learning about reversing. I've attached OllyDbg to a program that uses WSASendTo (from WS2_32.dll), and breaks at the call to WSASendTo. When the call is made, the stack looks like the following:
According to MSDN, that second argument is a pointer to "an array of WSABUF structures" shown below:
So my question is this: how do I follow the pointers in memory to see the data in memory? Below is a view in OllyDbg of the memory location 0x1970F6B8 (which represents the WSABUF struct referenced from the stack), but from there on, I don't know how this struct is layed out in memory to grab the "char FAR *buf" pointer and find its contents in memory.
I've read that the layout of a struct in memory can be compiler-dependent. If so, how does a reverse engineer (or the CPU) determine where the contents of a struct actually exist?
how do I follow the pointers in memory to see the data in memory?
I think you should be able to just right-click on the pointer and choose "Follow in Dump".
Then you can choose 4-byte layout in the dump and again follow the buf pointer via the same procedure. Note that the first word in the __WSABuf struct is the length, so you want the second one (in this case, the address is 0x16450370).
I've read that the layout of a struct in memory can be compiler-dependent.
Yes, the compiler has a certain freedom about how it aligns the struct members.
However, the layout of the ABI structures has to be standardized somehow, to ensure interoperability. I don't know how the WinAPI does this in their header files, maybe using some kind of compiler-specific pragmas controlling the alignment. Or maybe they just assume that the compiler does it like MSVC would do it.
- Why does 1.0/100.0 == 0.1/10.0 give True?
- How to organize the receive msg and user current input in C network such that it's clean
- Using inclusive scan syntax in OpenMP in the C language
- Unable to understand context in book "OOP in C" by Axel Schreiner
- How to dereference member from struct in which the definition is hid from user?
- variable-length array in struct with TI compiler in C (socket programming)
- A faster way to test 32bpp DDBs for a valid Alpha channel
- How can I compile the zephyr example-application as a freestanding application?
- Why does my forked process sometimes overwrite data in a file?
- Why in C can I initialize more values than the size of an array?
- _Generic in C needs typecasting?
- Declaring/defining an unused variable changes the output from an unrelated variable
- How to use gdb to explore the stack/heap?
- How can I read an input string of unknown length?
- Confused by difference between expression inside if and expression outside if
- Fast Arc Cos algorithm?
- Discrepancy of `unsigned long` size between llvm and gcc in riscv32
- GCC (C) - error: 'x' redeclared as different kind of symbol
- Why does GCC’s static analyser falsely warn that a pointer to an allocated memory block itself stored in an allocated memory block may leak?
- c language gcc compiler *.i file #3 "" 2 what is this?
- How to make clang compile to llvm IR
- Hashtable implementation in C
- EFI variables or config file on the EFI partition for EFI application?
- Pack high bit of every byte in ARM, for 64 bytes like AVX512 vpmovb2m?
- Calling an external C function (in a shared lib) from Perl with Inline::C does not work
- Can a C program detect if its own source code has been modified?
- Is this declaration UB?
- Eclipse C/C++ how to find variable belongs to which struct quickly
- Is this truly best way to delete last element in C?
- flint/arb.h: No such file or directory