EIP

NTDEV
1

is there a way in C to get the current instruction pointer? or do I have to
mix assembly and C

2

Bedanto wrote:

is there a way in C to get the current instruction pointer? or do I
have to mix assembly and C

If you think about it, this is a fairly silly question. An instruction
always knows its own address. In C, you can certainly get the address
of the start of the function:

int WhoAmI()
{
return (int)(void *)WhoAmI;
}

In MASM, you could just say
mov eax, $
but the inline assembler doesn’t understand the “$” symbol.

Why do you think you need this?


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

3

Well, you cannot get current EIP directly in x86 assembly either…

Some architectures (for example, ARM) allow you to play around with instruction pointer directly from the code, but x86 is not among them. The trick is to call the next instruction, effectively pushing EIP pointing to the next instruction on top of the stack. You can try more or less the same approach in C, but be aware of possible compiler tricks. Therefore, if you want to do it in C you have to specify appropriate compiler settings

In any case, why do you think you need it???

Anton Bassov

4

i wil be publically thrashed if I tell u :slight_smile:

actually i should.

was trying to figure out if there is a way to translate the wow64 pointers
to normal win64 virtual addresses. is there a windows API?

On Sat, Aug 29, 2009 at 12:50 AM, wrote:

> Well, you cannot get current EIP directly in x86 assembly either…
>
> Some architectures (for example, ARM) allow you to play around with
> instruction pointer directly from the code, but x86 is not among them. The
> trick is to call the next instruction, effectively pushing EIP pointing to
> the next instruction on top of the stack. You can try more or less the same
> approach in C, but be aware of possible compiler tricks. Therefore, if you
> want to do it in C you have to specify appropriate compiler settings
>
> In any case, why do you think you need it???
>
>
> Anton Bassov
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

5

Can you tell us a little bit more about what you’re doing?

  • S

From: Bedanto
Sent: Friday, August 28, 2009 12:24
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] EIP

i wil be publically thrashed if I tell u :slight_smile:

actually i should.

was trying to figure out if there is a way to translate the wow64 pointers to normal win64 virtual addresses. is there a windows API?

On Sat, Aug 29, 2009 at 12:50 AM, > wrote:
Well, you cannot get current EIP directly in x86 assembly either…

Some architectures (for example, ARM) allow you to play around with instruction pointer directly from the code, but x86 is not among them. The trick is to call the next instruction, effectively pushing EIP pointing to the next instruction on top of the stack. You can try more or less the same approach in C, but be aware of possible compiler tricks. Therefore, if you want to do it in C you have to specify appropriate compiler settings

In any case, why do you think you need it???

Anton Bassov


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

— NTDEV is sponsored by OSR For our schedule of WDF, WDM, debugging and other seminars visit: http://www.osr.com/seminars To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

6

nothing much, i want to get the actual virt add for a process running in
wow64 from a driver.

On Sat, Aug 29, 2009 at 1:53 AM, Skywing wrote:

> Can you tell us a little bit more about what you’re doing?
>
> - S
>
> ------------------------------
> From: Bedanto
> Sent: Friday, August 28, 2009 12:24
> To: Windows System Software Devs Interest List
> Subject: Re: [ntdev] EIP
>
> i wil be publically thrashed if I tell u :slight_smile:
>
> actually i should.
>
> was trying to figure out if there is a way to translate the wow64 pointers
> to normal win64 virtual addresses. is there a windows API?
>
> On Sat, Aug 29, 2009 at 12:50 AM, wrote:
>
>> Well, you cannot get current EIP directly in x86 assembly either…
>>
>> Some architectures (for example, ARM) allow you to play around with
>> instruction pointer directly from the code, but x86 is not among them. The
>> trick is to call the next instruction, effectively pushing EIP pointing to
>> the next instruction on top of the stack. You can try more or less the same
>> approach in C, but be aware of possible compiler tricks. Therefore, if you
>> want to do it in C you have to specify appropriate compiler settings
>>
>> In any case, why do you think you need it???
>>
>>
>> Anton Bassov
>>
>> —
>> NTDEV is sponsored by OSR
>>
>> For our schedule of WDF, WDM, debugging and other seminars visit:
>> http://www.osr.com/seminars
>>
>> To unsubscribe, visit the List Server section of OSR Online at
>> http://www.osronline.com/page.cfm?name=ListServer
>>
>
> — NTDEV is sponsored by OSR For our schedule of WDF, WDM, debugging and
> other seminars visit: http://www.osr.com/seminars To unsubscribe, visit
> the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

7

To do what? “Nothing much” doesn’t really help address what the underlying issue you’re trying to solve is.

  • S

From: Bedanto
Sent: Friday, August 28, 2009 13:43
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] EIP

nothing much, i want to get the actual virt add for a process running in wow64 from a driver.

On Sat, Aug 29, 2009 at 1:53 AM, Skywing > wrote:
Can you tell us a little bit more about what you’re doing?

- S

________________________________
From: Bedanto >
Sent: Friday, August 28, 2009 12:24
To: Windows System Software Devs Interest List >
Subject: Re: [ntdev] EIP

i wil be publically thrashed if I tell u :slight_smile:

actually i should.

was trying to figure out if there is a way to translate the wow64 pointers to normal win64 virtual addresses. is there a windows API?

On Sat, Aug 29, 2009 at 12:50 AM, > wrote:
Well, you cannot get current EIP directly in x86 assembly either…

Some architectures (for example, ARM) allow you to play around with instruction pointer directly from the code, but x86 is not among them. The trick is to call the next instruction, effectively pushing EIP pointing to the next instruction on top of the stack. You can try more or less the same approach in C, but be aware of possible compiler tricks. Therefore, if you want to do it in C you have to specify appropriate compiler settings

In any case, why do you think you need it???

Anton Bassov


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

— NTDEV is sponsored by OSR For our schedule of WDF, WDM, debugging and other seminars visit: http://www.osr.com/seminars To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

— NTDEV is sponsored by OSR For our schedule of WDF, WDM, debugging and other seminars visit: http://www.osr.com/seminars To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

8

> was trying to figure out if there is a way to translate the wow64 pointers to normal win64 virtual addresses.

The only thing I am just unable to understand is how EIP as it is known to a program in_compatibility_mode may possibly help you here…

In fact, it defeats the very idea of emulation - after all, a program in emulated environment is not supposed to
even know that its host environment is emulated, and, hence, a program that runs in compatibility mode does not know anything about 64-bit extensions pretty much the same way a program that runs in 8086 virtual mode does not know anything about virtual memory and paging…

Anton Bassov

9

Bedanto wrote:

nothing much, i want to get the actual virt add for a process running in
wow64 from a driver.

There is no translation going on here. In a WOW64 process, the 32-bit processing simply goes on in the first 4GB of the virtual address space. In the context of a 32-bit process, your driver can use the 32-bit pointers, and everything works just fine.

Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

10

In case you still want to read the instruction pointer, this function will
do the trick:

#pragma auto_inline(off)
PVOID
GetInstructionPointer(
) {
return _ReturnAddress();
}
#pragma auto_inline(on)

  • Cay

On Fri, 28 Aug 2009 20:53:20 +0200, Bedanto wrote:
> is there a way in C to get the current instruction pointer? or do I have
> to
> mix assembly and C