Obtaining CPU Register State

A debugger must be able to capture the state of the CPU registers at any given point and time. This allows us to determine the state of the stack when an exception occurs, where the instruction pointer is currently executing, and other useful tidbits of information. We first must obtain a handle to the currently executing thread in the debuggee, which is achieved by using the OpenThread()^[10] function. It looks like the following:

HANDLE WINAPI OpenThread(
    DWORD dwDesiredAccess,
    BOOL bInheritHandle,
    DWORD dwThreadId
);

This looks much like its sister function OpenProcess(), except this time we pass it a thread identifier (TID) instead of a process identifier.

We must obtain a list of all the threads that are executing ...

Get Gray Hat Python now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Gray Hat Python by

Obtaining CPU Register State

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly