0

Im trying to read a instruction from another processes memory and get the operands dynamically. For example if the instruction is MOV how can i know that it has 2 operands?

The process is x64

I tried getting the bytes using ReadProcessMemory but i dont know how many bytes to read for.

Improve this question
6
  • 8
    You need to read the Intel manuals to get to know the encoding used for the instructions. A fair bit of warning: It's not trivial. Commented May 2, 2024 at 17:58
  • Either you wrestle through the intel assembly manuals, or you use a library like capstone. Commented May 2, 2024 at 17:59
  • 2
    Intel PIN and/or the XED disassembler library have C++ interfaces to disassembling / decoding instructions. intelxed.github.io x86 machine code is a byte stream: you have to process the byte you read to know how many more to read. Commented May 2, 2024 at 18:00
  • I believe I used zydis once for disassembling. Commented May 2, 2024 at 18:26
  • How many bytes read from another process - usually near page size ( 0x1000) and cache memory local for not read for every single instruction. How then disasm instructions, another question Commented May 2, 2024 at 18:28
Related questions
2451
Why are elementwise additions much faster in separate loops than in a combined loop?
1915
Why should I use a pointer rather than the object itself?
1656
Replacing a 32-bit loop counter with 64-bit introduces crazy performance deviations with _mm_popcnt_u64 on Intel CPUs
Load 7 more related questions Show fewer related questions

0

Reset to default

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.