How to extract volatile method arguments from x64 programs
One: Background

1. Storytelling

Recently I have often been asked by friends how to extract method parameters from the thread stack in an x64 environment. Anyone familiar with the x64 calling convention knows that under it the first four parameters of a method are passed in registers, namely the four registers rcx, rdx, r8d and r9d. Because a register value is only transient, it is easily overwritten by the logic that runs afterwards. Is there any way to extract it in that case? To be honest, it all depends on luck. Why do I say that? If the value was temporarily saved to the thread stack while the method's stack frame was being set up, congratulations, you can successfully fish it out. Let's go through it in depth with a small case.

Two: Case Analysis

1. A case demonstration

For ease of description, I use Marshal to allocate a heap block on the ntheap and then extract the user handle passed to the Marshal.FreeHGlobal method. The reference code is as follows:

    static void Main(string[] args)
    {
        //1. Allocate a heap block
        IntPtr ptr = Marshal.AllocHGlobal(sizeof(int));
        Console.WriteLine("ptr= 0x{0:X2}", …
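The "it depends on luck" point above, as an added example (my own Python model, not code from the original post): on Windows x64 the caller reserves 32 bytes of home space directly above the return address, and a callee that homes its register arguments spills rcx/rdx/r8/r9 into those slots in its prologue. The snippet reads those four slots from a constructed stack snapshot and shows that the first argument (a constructed AllocHGlobal pointer) is only recoverable when the callee actually spilled it; the return address and pointer values are made up.

```python
import struct
from typing import Dict, List, Optional

# Home-space slot offsets relative to rsp at function entry (rsp -> return address).
# A homing prologue typically emits:
#   mov [rsp+8], rcx ; mov [rsp+10h], rdx ; mov [rsp+18h], r8 ; mov [rsp+20h], r9
HOME_SLOTS = {"rcx": 8, "rdx": 16, "r8": 24, "r9": 32}
STALE_FILL = 0xCCCCCCCCCCCCCCCC  # models whatever the caller left in unused home space


def read_qword(stack: bytes, offset: int) -> int:
    """Read one little-endian 64-bit value at a byte offset in a stack snapshot."""
    return struct.unpack_from("<Q", stack, offset)[0]


def recover_register_args(stack: bytes, entry_rsp: int) -> Dict[str, int]:
    """Return the four home-space slots of the frame whose entry-time rsp sits at
    byte offset entry_rsp. The values only mean something if the callee spilled."""
    return {reg: read_qword(stack, entry_rsp + off) for reg, off in HOME_SLOTS.items()}


def build_frame(return_addr: int, homed_args: Optional[List[int]]) -> bytes:
    """Construct a 40-byte snapshot: [retaddr][home rcx][home rdx][home r8][home r9].
    homed_args=None models an optimised callee that never spilled its registers."""
    slots = homed_args if homed_args is not None else [STALE_FILL] * 4
    return struct.pack("<5Q", return_addr, *slots)


# Constructed sample values (not taken from a real dump).
ALLOC_PTR = 0x000001EC5A1B2C30      # first argument passed to Marshal.FreeHGlobal
RETURN_ADDR = 0x00007FF6ABCD1234

DEBUG_FRAME = build_frame(RETURN_ADDR, [ALLOC_PTR, 0, 0, 0])  # prologue homed rcx
RELEASE_FRAME = build_frame(RETURN_ADDR, None)                 # no spill: value lost


def first_arg_if_homed(frame: bytes, expected_retaddr: int) -> Optional[int]:
    """Check we are on the expected frame, then return the homed rcx value or
    None when the slot still holds the stale fill (argument not recoverable)."""
    if read_qword(frame, 0) != expected_retaddr:
        raise ValueError("return address does not match; wrong frame")
    rcx = recover_register_args(frame, 0)["rcx"]
    return None if rcx == STALE_FILL else rcx


if __name__ == "__main__":
    print("debug build  : rcx =", hex(first_arg_if_homed(DEBUG_FRAME, RETURN_ADDR)))
    print("release build: rcx =", first_arg_if_homed(RELEASE_FRAME, RETURN_ADDR))
```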