Home/ Questions/Q 8422133
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-10T03:21:18+00:00

I would like to attach to a running process using WinDbg, and modify a

  • 0

I would like to attach to a running process using WinDbg, and modify a certain function’s code to simply return on invocation (for educational purposes).

I have used the following commands:

uf dll!name

This gives me a disassembly of the function.

I have picked a specific address at a certain location and modified it to ret:

ew addr c3

This crashes every time, what am i doing wrong?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You need to make sure you do the appropriate clean up so the stack is left in a proper state. Depending on the calling convention the method usually pushes stuff on the stack as part of the prologue. This must be undone as part of the epilogue.

    Here’s an example of changing a JIT compiled method using WinDbg.

    The code:

    namespace ConsoleApplication1
{
    class Program
    {
        static void Main(string[] args)
        {
            Message();
            Console.ReadLine();
            Message();
            Console.WriteLine("done");
        }

        private static void Message()
        {
            Console.WriteLine("message");
        }
    }
}

    I compiled this as Debug to prevent the compiler from inlining the calls to Message.

    Then I ran the executable and attached the debugger at the call to ReadLine.

    For managed code I need to use SOS.dll to locate the JIT compiled code. So I loaded SOS and found the address for the code as follows.

    0:004> .loadby sos clr
0:004> !name2ee *!ConsoleApplication1.Program
Module:      04a11000
Assembly:    mscorlib.dll
--------------------------------------
Module:      001b2e94
Assembly:    ConsoleApplication1.exe
Token:       02000002
MethodTable: 001b37b4
EEClass:     001b125c
Name:        ConsoleApplication1.Program
0:004> !dumpmt -md 001b37b4
EEClass:         001b125c
Module:          001b2e94
Name:            ConsoleApplication1.Program
mdToken:         02000002
File:            c:\temp\ConsoleApplication1\ConsoleApplication1\bin\Debug\ConsoleApplication1.exe
BaseSize:        0xc
ComponentSize:   0x0
Slots in VTable: 7
Number of IFaces in IFaceMap: 0
--------------------------------------
MethodDesc Table
   Entry MethodDe    JIT Name
04d14960 04a16728 PreJIT System.Object.ToString()
04d08790 04a16730 PreJIT System.Object.Equals(System.Object)
04d08360 04a16750 PreJIT System.Object.GetHashCode()
04d016f0 04a16764 PreJIT System.Object.Finalize()
001bc019 001b37ac   NONE ConsoleApplication1.Program..ctor()
002a0050 001b3794    JIT ConsoleApplication1.Program.Main(System.String[])
002a00a8 001b37a0    JIT ConsoleApplication1.Program.Message()
0:004> !u 001b37a0    
Normal JIT generated code
ConsoleApplication1.Program.Message()
Begin 002a00a8, size 21
*** WARNING: Unable to verify checksum for c:\temp\ConsoleApplication1\ConsoleApplication1\bin\Debug\ConsoleApplication1.exe

c:\temp\ConsoleApplication1\ConsoleApplication1\Program.cs @ 20:
002a00a8 55              push    ebp        <-- prologue
002a00a9 8bec            mov     ebp,esp    
002a00ab 833d60311b0000  cmp     dword ptr ds:[1B3160h],0   <-- start of method
002a00b2 7405            je      ConsoleApplication1!ConsoleApplication1.Program.Message()+0x11 (002a00b9)
002a00b4 e8fb6ff570      call    clr!JIT_DbgIsJustMyCode (711f70b4)
002a00b9 90              nop

c:\temp\ConsoleApplication1\ConsoleApplication1\Program.cs @ 21:
002a00ba 8b0d34217403    mov     ecx,dword ptr ds:[3742134h] ("message")
002a00c0 e82bd3ad04      call    mscorlib_ni!System.Console.WriteLine(System.String) (04d7d3f0)
002a00c5 90              nop

c:\temp\ConsoleApplication1\ConsoleApplication1\Program.cs @ 22:
002a00c6 90              nop
002a00c7 5d              pop     ebp   <-- epilogue
002a00c8 c3              ret

    Then I opened the Memory window and pointed it to 002a00ab which is the first part of the actual method body of Message and changed the two opcodes to 5d and c3 for pop edb and ret respectively. If I skipped the pop edb part the stack would be messed up and I would get an exception.

    I hit Go and the application continued without printing “message” a second time.

    • 0