Beraphin
Reputation: 63
IDAPYTHON got wrong data from memory
I wrote a script to show the second param of NtQueryInformationProcess.however,I always got wrong data,it seems like the memory wasn't freshed and what I got was old data.Here is my code:
from idaapi import *
NtQueryInformationProcess=0x7798E740
class HookNQIP(DBG_Hooks):
def dbg_bpt(self,tid,ea):
if ea==NtQueryInformationProcess:
print 'ProcessInformationClass:',hex(Dword(GetRegValue('ESP')+8))
AddBpt(NtQueryInformationProcess)
func=HookNQIP()
func.hook()
IDA 6.9 on Win10-64,thx
Upvotes: 2
Views: 451
Answers (2)
Orwellophile
Reputation: 13933
That would be rather slow compared to:
idc.read_dbg_dword(address)
Upvotes: 0
Beraphin
Reputation: 63
It's my fault to ask this question while here is an answer: IDA Python - Why My code return incorrect ESP Value?
So the solution is adding code RefreshDebuggerMemory() to fresh memory
In fact I've search word 'fresh' in idapython's docs,but there is too many things on that page so I've got nothing cause I closed that page before all the things were loaded,that's really a mistake.
Upvotes: 2
Related Questions
- Extracting IDA view-A data or Assembly from IDApython
- IDA Pro: How to reduce memory snapshot size by removing everything but code?
- Why the function got by idapython is not the same as displayed in function window using IDA?
- Disassmbling with IDA python for extract instruction
- disassembly of small hexa fragment in IDA pro
- Changes to the program. IDA disassembler
- ida pro decompiling incorrect result
- Need Help in C++ Disasm
- Assembling error in IDA Pro 6.1
- Reverse Engineer Simple Application with IDA Pro 5