1

I need to locate an specific "struct" variable in the data section from an assembly. This structure is used for an specific System Function (Windows) "SetCommState()". I'm wondering how to locate the static data structure that are passed as argument to the function call.

I'm ussing x64dbg for the disassembly and have the posibility to use snowman also.

The specific "struct" is the one defined here (DCB used for serial ports configuration)

Improve this question
4
  • 2
    Can you view the application's imports? If so, then consider setting a BP on SetCommState() and observe the data that's passed to it when it breaks (which will be made more meaningful if you identify the calling convention). You could also look for cross-references (xrefs) to SetCommState() and glean what information you can from that. Commented Dec 5, 2018 at 18:06
  • 1
    if the structure is defined as local to a function like int foo() { DCB dcb .... SetCommState(handle , &dcb); ... } then it would be in stack you cannot get that statically if DCB is a global you can look at the disassembly and get the Address from the pushed arguments Commented Dec 5, 2018 at 20:24
  • @Biswapriyo I'm not sure about how to do this. On the other hand, 'dsasmblr'and 'blabb', yes, I can set a breakpoint. but I was wondering if it could be possible to find the static data in the code without debuging. I will check taking into account your comments. Thank you Commented Dec 6, 2018 at 0:07
  • @Biswapriyo a program that uses that function Commented Dec 12, 2018 at 11:11

1 Answer 1

Reset to default
2

For this case, here I compile the MS Docs example in 64 bit PE binary with gcc -ggdb command (or use gcc -S for the assembly file). Here is the assembly section of SetCommState function in Intel syntax:

mov dword ptr [rbp-44], 57600 ; dcb.BaudRate = CBR_57600 mov byte ptr [rbp-30], 8 ; dcb.ByteSize = 8 mov byte ptr [rbp-29], 0 ; dcb.Parity = NOPARITY mov byte ptr [rbp-28], 0 ; dcb.StopBits = ONESTOPBIT lea rdx, [rbp-48] ; lpDCB mov rax, [rbp-16] ; move the Handle returned by CreateFile mov rcx, rax ; hFile mov rax, cs:__imp_SetCommState call rax ; __imp_SetCommState ; call the SetCommState function mov [rbp-20], eax ; move return 32 bit integer value to stack

Here are the general steps you may follow to find any input variable of a function:

  1. Find the imported function in the assembly (here SetCommState)
  2. Find or guess the calling convention used in that function (here __fastcall)
  3. If any parameter is a structure type find the stack pointer and/or base pointer offsets before the function call (here [rbp-48]). It will be the first member of that structure type variable. Then follow the stack allocations one by one, you will get all the structure members which are changed/accessed (here [rbp-48], [rbp-44], [rbp-30] and so on).

To find the imported function (step #1) in x64dbg:

  • load the executable in x64dbg
  • Right click on the disassembly window > Search for > All modules > Intermodular calls.

intermodular_calls_in_x64dbg

Search the function name in search box below, here it will be SetCommState. x64dbg will show the specific address. Just double click on it and you can see the specific address. See this GitHub issue for reference.

Improve this answer
4
  • ok, In my case, it is a 32 bit application, so it can't use 64 bit registers. But I've got the general idea. Commented Dec 13, 2018 at 14:34
  • I'm having problems locating the code section (memory address to SetCommState using x64dbg Commented Dec 13, 2018 at 15:37
  • I'm in the process... Commented Dec 13, 2018 at 21:37
  • It worked, I used the content of [rdx] with a breackpoint in the "lea" instruction. Thank you. Commented Dec 13, 2018 at 22:15

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.