x64 and GetThreadContext() problems


Harding
October 30th, 2007, 14:26
First of all, I have been searching and searching and talking to people, but no one seems to know. I have read (and posted) on: http://www.nynaeve.net/?p=129
But I'm duping my question here if anyone knows (I'm really not keen on the idea of reimplementing Wow64GetThreadContext()).

Scenario: I am coding a custom debugger and it works fine under x86. I move the files to my x64 computer (Windows XP x64) and it fails on GetThreadContext() with an ACCESS_DENIED error.

I have read http://msdn2.microsoft.com/en-us/library/ms679362.aspx (MSDN for GetThreadContext()) and I do have THREAD_QUERY_INFORMATION (actually, as you will see in the code snippet, I open the thread with THREAD_ALL_ACCESS | THREAD_QUERY_INFORMATION to be on the safe side).

Wow64GetThreadContext() only exists in Vista, so I can't use that one.

Here is a part of the code that gets called when I hit an INT3:
Code:
hThreadHandle = OpenThread(THREAD_ALL_ACCESS | THREAD_QUERY_INFORMATION, FALSE, debugEvent.dwThreadId);
processContext.ContextFlags = CONTEXT_ALL;
DWORD lastError = GetThreadContext(hThreadHandle, &processContext);
processContext.Eip = (DWORD)debugEvent.u.Exception.ExceptionRecord.ExceptionAddress;
SetThreadContext(hThreadHandle, &processContext);
CloseHandle(hThreadHandle);
WriteProcessMemory(processInfo.hProcess, (LPVOID)(Iter->breakAtAddress), &(Iter->byteBefore), 1, NULL);


Does anyone have any idea how to get this one working under x64?

LLXX
October 31st, 2007, 18:18
Does the thread have the required access rights? Have you tried tracing into the API to see where it determines you are denied access?

Last resort: Ask Oleh Yuschuk.

Harding
November 1st, 2007, 12:09
After a long waiting time I got this response from Microsoft:

Quote:
Hello
Yes, this is a known issue and I’m afraid that there is no solution.
Scott White

--------------------------------------------------------------------------------

From: XXX [mailto:xx]
Sent: Tuesday, October 30, 2007 11:45 AM
To: Documentation Feedback
Subject: Documentation feedback [debug\base]: GetThreadContext RELEASE: (10/1/2007)



I'm porting an x86 version of a debugger to x64 but I'm having some serious problems.

I run Windows XP x64 SP2. I use VS 2005 and code in VC++.

I compile the code for x86 and run it on an x86 target. (Works fine on my pure x86 system)

When I set an INT3 and the debugger breaks on it (debugEvent.u.Exception.ExceptionRecord.ExceptionAddress shows correct address)

I try to read the registers with the following code:
hThreadHandle = OpenThread(THREAD_ALL_ACCESS, FALSE, debugEvent.dwThreadId);
processContext.ContextFlags = CONTEXT_ALL;
DWORD lastError = GetThreadContext(hThreadHandle, &processContext); // This one fails with an ACCESS_DENIED (error code 5)
processContext.Eip = (DWORD)debugEvent.u.Exception.ExceptionRecord.ExceptionAddress;
SetThreadContext(hThreadHandle, &processContext);
CloseHandle(hThreadHandle);


Me sad Panda

reverser
November 1st, 2007, 14:25
Nynaeve posted the solution.
http://www.nynaeve.net/?p=191

Harding
November 2nd, 2007, 03:51
Ah yes, somehow I managed to remove that line in my post that said that Skywing had written a blog about it :-)

I'm going to work with it today and if something useful comes out, I will post it here.