In most cases programs allocate objects dynamically from the heap, and these objects reference each other with pointers. What you are searching for may be pointed to by a pointer that is itself pointed to by another pointer, and so on. You have to find the root pointer in order to dereference the rest of the chain, and finding the root pointer can be tricky. If you are lucky, there is a global variable somewhere that contains the root pointer. In this case you should query the base address of the exe or dll, for example with EnumProcessModules() or a similar function, and you will find the global variable at a fixed offset relative to one of the loaded modules. In the worst case the root pointer lives, for example, on the stack of the main() function. Then you have to enumerate the threads of the process, find the main thread somehow, query the context of the main thread (GetThreadContext(): registers, including esp, the stack pointer) and then somehow locate the pointer in the stack (for example by searching for some kind of pattern around the stack). But such a pointer can be stored in a lot of places, for example TLS. Or what if I "hide" my root pointer by passing it to a system call like SetWindowLongPtr and later retrieve it with GetWindowLongPtr? In this case you may have to inject code into the app and extract the pointer there. This task can be quite complicated, and sometimes the solution is very dirty.
^]: registers, including esp the stack pointer ) and then somehow you have to find the pointer in the stack (for example by searchgin some kind of patterns around the stack). But such a pointer can be stored in a lot of places, for example TLS, or what if I "hide" my root pointer for example by passing the pointer to a system call like SetWindowLongPtr and later I query the pointer with GetWindowLongPtr??? In this case you may have to inject code into the app and extract the ptr there... This task can be quite complicated and sometimes the solution is very dirty.