Hi,
I want to get the current value of the EIP register with assembly language. Is that possible?
Thanks.
This approach has a subtle issue. Modern processors try to predict return addresses - a call which is not paired with a return messes up the prediction. See http://blogs.msdn.com/b/oldnewthing/archive/2004/12/16/317157.aspx
Paul Baker
2010-10-31 08:54:14
@Paul Baker usually it isn't a critical issue. For example `call @f / db '123',0 / @@:` is a common practice
Abyx
2010-10-31 09:01:48
call foo, pop eax, push eax, ret
Jens Björnhager
2010-10-31 13:35:47
@Jens Björnhager it's infinite loop. `call foo / foo: pop eax / add eax, bar-foo / push eax / ret / bar:`
Abyx
2010-10-31 14:46:13
@Abyx Then at least you know at which EIP your program is stuck! :)
Jens Björnhager
2010-10-31 20:53:15
If foo isn't inline, then you won't get stuck and will get the EIP of **the next* instruction.
Jens Björnhager
2010-10-31 20:54:59
+2
A:
Since EIP is the program counter, there's no way to access it directly (i.e. it can't be used as the source of a MOV instruction).
There are two ways to access it indirectly:
- Use an interrupt and get the saved
EIPfrom the stack, - Use a specially crafted function that fetches its return address (the saved
EIP) from the stack.
See http://www.programmersheaven.com/mb/x86_asm/357735/357735/get-the-value-of-eip/#357740.
Frédéric Hamidi
2010-10-31 08:49:24
+6
A:
Assuming 32-bit x86, use the following function:
get_eip: mov eax, [esp]
ret
Then, to get the value of EIP in EAX, simply:
call get_eip
Paul Baker
2010-10-31 08:49:54