How do I attach to a process and read from specific instruction?

I'm trying to write a "shunt" for an existing application to spew out data so I can integrate it into some analysis I'm trying to perform, but I've hit a dead end. I've isolated the instruction I want to read from, but I'm not exactly sure how to accomplish this.

This is the instruction set I'm trying to isolate (specifically the value from 00412159):

00412153 - mov [eax+04],edx
00412156 - fld dword ptr [ecx+08]
00412159 - fstp dword ptr [eax+08]
0041215c - ret
0041215d - int 3

Results of three memory scans for the same variable resulted in the following results:

EAX=1798B4E0
ECX=0018D5C0
EDX=00000016

EAX=18D96298
ECX开发者_运维技巧=0018D5C0
EDX=00000016

EAX=18D3DCA8
ECX=0018D5C0
EDX=00000016

If I attach a debugger to the running program, the value I want is at EAX, but the value of EAX changes each time the target process is restarted.

Evidently what I'm running into is DMA (Dynamic Memory Access) aka Heap-Based Memory Allocation and this is causing the pointer mapping to be generated at runtime. My brief research into the subject is revealing that the two components I need to figure out are a static base pointer, and the offset used to reach the runtime pointer.

I've spent a total of 4 hours experiance with ASM, so that may be my problem, or I'm just tackling a problem that is currently out of my league. Any ideas on the best way to read the value from the instruction at 00412159 or a suggestion on how to find the base pointer and offset?

sorry for the late answer.

Basically the application dynamically allocates some memory when it starts. (think malloc or something like that in high-level programming)

If you find this allocation code, you can find the address of the start of the memory allocated and it's size which are I think important variables to know.

Then what you need to do with your debugger is to put a breakpoint at 00412159 then trace backward by going up in the code manually and find where EAX has been initialized with that dynamic address.

Other than that, defeating DMA has always been a matter of experience and debugging skills as each programs is different. If you post some assembly listing here I might be able to help you in the right direction.