Running proccess EAX info

[SebWynne]

How can I access the eax info from a running process.

If I debug a process with Visual C++ I can monitor the eax (EAX = 7FFDF000). I have a module within the process already. What I wish to do is be able to monitor that value from within my dll via script.

Sorry if that is confusing but I'm new to programming.

[torfil]

What do you need to do that for?
And what "script" are you talking about?

[SebWynne]

What do you need to do that for?

To monitor if/when that value changes. For my purposes I need to know when/if that value changes when other code is injected into the running process. I need to do this within my dll and not via the debugger.

And what "script" are you talking about?

Sorry I meant within my dll.

[MrViggy]

You could probably use assembly:

http://msdn.microsoft.com/library/de...gref___asm.asp

I've never had an occasion to use inline assembly, so I can't be much more help. Sorry.

Viggy

[torfil]

To monitor if/when that value changes. For my purposes I need to know when/if that value changes when other code is injected into the running process. I need to do this within my dll and not via the debugger.

Hmm... but that value will change millions (billions?) of times a second just executing regular code.
Maybe you're interested in if it changes at just one particular spot in the code?

[SebWynne]

Could be .......lol. Like I said I'm just beginning and the debugging caught my eye.

Let me give you the scenario. I start my process. Attach the Visual's debugger to the running process. Then in the registers window

Code:

EAX = 7FFDF000 EBX = 00000001
 ECX = 00000002 EDX = 00000003
 ESI = 00000004 EDI = 00000005
 EIP = 77F7F570 ESP = 13C2FFCC
 EBP = 13C2FFF4 EFL = 00000246 CS = 001B
 DS = 0023 ES = 0023 SS = 0023 FS = 0038
 GS = 0000 OV=0 UP=0 EI=1 PL=0 ZR=1 AC=0
 PE=1 CY=0
 ST0 = +0.00000000000000000e+0000
 ST1 = +0.00000000000000000e+0000
 ST2 = +0.00000000000000000e+0000
 ST3 = -2.27815662770729050e+3699
 ST4 = +0.00000000000000000e+0000
 ST5 = +4.97102867689378760e+3046
 ST6 = +0.00000000000000000e+0000
 ST7 = +0.00000000000000000e+0000
 CTRL = 027F STAT = 0000 TAGS = FFFF
 EIP = 00000000 CS = 0000 DS = 0000
 EDO = 00000000

Now if I inject another dll into that process (this is what I want to detect happening) The values change.

Code:

EAX = 16530000 EBX = 00000000
 ECX = 0013F590 EDX = 00000000
 ESI = 00000000 EDI = 0013F670
 EIP = 7FFE0304 ESP = 0013F630
 EBP = 0013F688 EFL = 00000202 CS = 001B
 DS = 0023 ES = 0023 SS = 0023 FS = 003B
 GS = 0000 OV=0 UP=0 EI=1 PL=0 ZR=0 AC=0
 PE=0 CY=0
 ST0 = 1#SNAN                    
 ST1 = -2.00642990112304687e+0002
 ST2 = +0.00000000000000000e+0000
 ST3 = +6.40529312500000000e+0005
 ST4 = +0.00000000000000000e+0000
 ST5 = +8.90398630872368800e-0003
 ST6 = +7.76268035794297900e-0003
 ST7 = +7.76268029585480690e+0000
 CTRL = 037F STAT = 0120 TAGS = FFFF
 EIP = 77C4B139 CS = 001B DS = 0023
 EDO = 0013E4AC

Now while the process is running without injecting a dll the values never change. So maybe we are talking about two different things......or I'm lost :P

[torfil]

Now while the process is running without injecting a dll the values never change. So maybe we are talking about two different things......or I'm lost :P

Well, I think you will see the values change all the time if you stepped through code. For example, the return value of a function is placed in the eax register. So it will change after every function call.
The debugger won't show changes while the program is running (e.g. when you are not stopped in the debugger)... at least I don't think it will. I'm not sure why you do see it change only when a dll is loaded (unless you are stopped in the debugger at that point).

Anyway, if what you want to detect is a dll being loaded, the EAX register is not the way. Offhand I don't know of a way, but I'm sure there is one. You might try hooking the LoadLibrary API... LoadLibary is what gets called to load a dll. I've never hooked an API before, but a google search brought up this:

http://www.codeproject.com/system/hooksys.asp