Iczelion tut29 [2]

[Added: 19 August 2005] [Updated: 24 March 2007]

Summary: selected from jimgreen's blog

    ; This section is returned if ContextFlags contains the value CONTEXT_INTEGER
    ;-----------------------------------------------------------------------------------------------------------
    regEdi dd ?
    regEsi dd ?
    regEbx dd ?
    regEdx dd ?
    regEcx dd ?
    regEax dd ?
    ;-----------------------------------------------------------------------------------------------------------
    ; This section is returned if ContextFlags contains the value CONTEXT_CONTROL
    ;-----------------------------------------------------------------------------------------------------------
    regEbp dd ?
    regEip dd ?
    regCs dd ?
    regFlag dd ?
    regEsp dd ?
    regSs dd ?
    ;-----------------------------------------------------------------------------------------------------------
    ; This section is returned if ContextFlags contains the value CONTEXT_EXTENDED_REGISTERS
    ;-----------------------------------------------------------------------------------------------------------
    ExtendedRegisters db MAXIMUM_SUPPORTED_EXTENSION dup(?)
    CONTEXT ends

    As you can see, the members of this structure mirror the real processor's registers. Before you can use the structure, you must specify in the ContextFlags member which groups of registers you want to read or write. For example, to read or write all registers you must put CONTEXT_FULL in ContextFlags; to read or write only regEbp, regEip, regCs, regFlag, regEsp and regSs, you must put CONTEXT_CONTROL in ContextFlags. Members of groups you did not select are not filled in and must not be relied on.

    One thing to remember when using the CONTEXT structure: it must be aligned on a DWORD boundary, or you will get strange results under NT. Put "align dword" immediately above the line that declares it, like this:

    align dword
    MyContext CONTEXT <>

    Example:

    The first example demonstrates the use of DebugActiveProcess. First, run a target named win.exe, which enters an infinite loop just before its window is shown on the screen. Then run the example: it attaches itself to win.exe and patches win.exe's code so that win.exe leaves the infinite loop and shows its own window.

    .386
    .model flat,stdcall
    option casemap:none
    include \masm32\include\windows.inc
    include \masm32\include\kernel32.inc
    include \masm32\include\comdlg32.inc
    include \masm32\include\user32.inc
    includelib \masm32\lib\kernel32.lib
    includelib \masm32\lib\comdlg32.lib
    includelib \masm32\lib\user32.lib

    .data
    AppName db "Win32 Debug Example no.2",0
    ClassName db "SimpleWinClass",0
    SearchFail db "Cannot find the target process",0
    TargetPatched db "Target patched!",0
    buffer dw 9090h                     ; two NOPs (90h 90h) to write over the target's loop

    .data?
    DBEvent DEBUG_EVENT <>
    ProcessId dd ?
    ThreadId dd ?
    align dword                         ; CONTEXT must be DWORD-aligned (see above)
    context CONTEXT <>

    .code
    start:
        invoke FindWindow, addr ClassName, NULL
        .if eax!=NULL
            invoke GetWindowThreadProcessId, eax, addr ProcessId
            mov ThreadId, eax
            invoke DebugActiveProcess, ProcessId
            .while TRUE
                invoke WaitForDebugEvent, addr DBEvent, INFINITE
                .break .if DBEvent.dwDebugEventCode==EXIT_PROCESS_DEBUG_EVENT
                .if DBEvent.dwDebugEventCode==CREATE_PROCESS_DEBUG_EVENT
                    ; only the control group is needed: we want regEip
                    mov context.ContextFlags, CONTEXT_CONTROL
                    invoke GetThreadContext, DBEvent.u.CreateProcessInfo.hThread, addr context
                    ; overwrite the two bytes at EIP with the NOPs in buffer
                    invoke WriteProcessMemory, DBEvent.u.CreateProcessInfo.hProcess, context.regEip, addr buffer, 2, NULL
                    invoke MessageBox, 0, addr TargetPatched, addr AppName, MB_OK+MB_ICONINFORMATION
                .elseif DBEvent.dwDebugEventCode==EXCEPTION_DEBUG_EVENT
                    .if DBEvent.u.Exception.pExceptionRecord.ExceptionCode==EXCEPTION_BREAKPOINT
                        ; the breakpoint raised on attach: report it as handled
                        invoke ContinueDebugEvent, DBEvent.dwProcessId, DBEvent.dwThreadId, DBG_CONTINUE
                        .continue
                    .endif
                .endif
                invoke ContinueDebugEvent, DBEvent.dwProcessId, DBEvent.dwThreadId, DBG_EXCEPTION_NOT_HANDLED
            .endw
        .else
            invoke MessageBox, 0, addr SearchFail, addr AppName, MB_OK+MB_ICONERROR
        .endif
        invoke ExitProcess, 0
    end start
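As an added illustration (not part of the original tutorial or its code), the following Python models two things the text describes: which CONTEXT members are valid for a given ContextFlags value, using the 32-bit Windows offsets of the struct members shown above, and the two-byte NOP patch that the example writes at EIP, applied to a constructed code image. It assumes the target's loop is a two-byte short jump to itself (EB FE), which the page implies by writing exactly two NOPs.

```python
import struct

# x86 CONTEXT selector flags (32-bit WinNT.h values).
CONTEXT_i386 = 0x00010000
CONTEXT_CONTROL = CONTEXT_i386 | 0x01   # Ebp, Eip, Cs, EFlags, Esp, Ss
CONTEXT_INTEGER = CONTEXT_i386 | 0x02   # Edi, Esi, Ebx, Edx, Ecx, Eax
CONTEXT_FULL = CONTEXT_i386 | 0x07      # CONTROL | INTEGER | SEGMENTS
CONTEXT_SIZE = 716                      # 204 bytes + 512 ExtendedRegisters

# Byte offsets of the members in the struct excerpt, keyed by the flag that selects them.
GROUPS = {
    CONTEXT_INTEGER: [("regEdi", 156), ("regEsi", 160), ("regEbx", 164),
                      ("regEdx", 168), ("regEcx", 172), ("regEax", 176)],
    CONTEXT_CONTROL: [("regEbp", 180), ("regEip", 184), ("regCs", 188),
                      ("regFlag", 192), ("regEsp", 196), ("regSs", 200)],
}

def make_context(flags, **regs):
    """Pack a CONTEXT as the kernel fills it for `flags` (constructed sample)."""
    buf = bytearray(CONTEXT_SIZE)
    struct.pack_into("<I", buf, 0, flags)
    for group, members in GROUPS.items():
        if (flags & group) == group:            # a group is only filled if selected
            for name, off in members:
                struct.pack_into("<I", buf, off, regs.get(name, 0))
    return bytes(buf)

def parse_context(blob):
    """Return only the groups ContextFlags selects; the rest hold garbage."""
    if len(blob) != CONTEXT_SIZE:
        raise ValueError("expected a %d-byte x86 CONTEXT" % CONTEXT_SIZE)
    flags = struct.unpack_from("<I", blob, 0)[0]
    regs = {}
    for group, members in GROUPS.items():
        if (flags & group) == group:
            for name, off in members:
                regs[name] = struct.unpack_from("<I", blob, off)[0]
    return regs

def patch_loop(image, image_base, eip):
    """Model of the WriteProcessMemory step on a constructed code image:
    replace the two bytes at EIP with NOPs (the page's 'buffer dw 9090h').
    Assumes the target spins on a two-byte 'jmp $' (EB FE), so two NOPs let
    execution fall through past the loop."""
    off = eip - image_base
    if not 0 <= off <= len(image) - 2:
        raise ValueError("EIP 0x%08X lies outside the image" % eip)
    if image[off:off + 2] != b"\xEB\xFE":
        raise ValueError("bytes at EIP are not a self-jump; not patching")
    return image[:off] + b"\x90\x90" + image[off + 2:]
```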

    Keywords: iczelion asm