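        /// <summary>
        /// Builds a one-line, human-readable diff of two x64 register contexts for trace logging.
        /// Every field of <see cref="Win32Imports.ContextX64"/> except RIP is inspected via reflection:
        /// a field whose textual value changed is emitted as <c> NAME=old->new</c>; an unchanged field
        /// is still emitted as <c> NAME=value</c> when its name (or its 32-bit / 16-bit spelling) occurs
        /// in <paramref name="oldInstruction"/>'s operand text, so registers the instruction read show up too.
        /// </summary>
        /// <param name="context">The register context after the instruction executed.</param>
        /// <param name="oldContext">The register context before the instruction executed.</param>
        /// <param name="oldInstruction">The decoded instruction whose <c>Operands</c> text is searched for register names.</param>
        /// <returns>The concatenated register fragments, each prefixed with a space; an empty string when nothing is worth logging.</returns>
        public static string FormatContextDiffReflection(Win32Imports.ContextX64 context, Win32Imports.ContextX64 oldContext, DecodedInst oldInstruction)
        {
            var registers = new System.Text.StringBuilder();

            // Operand text of the instruction that produced this context. Null-tolerant so a missing
            // operand string never aborts the whole diff.
            // NOTE(review): Operands is used as a string here, so Contains is a substring test
            // ("AX" also matches inside "EAX") — confirm against DecodedInst.
            var ops = oldInstruction.Operands ?? "";

            foreach (var field in typeof(Win32Imports.ContextX64).GetFields(BindingFlags.Instance |
                                                                            BindingFlags.NonPublic |
                                                                            BindingFlags.Public))
            {
                // Field names are identifiers, not user text: invariant casing and ordinal comparison.
                var reg = field.Name.ToUpperInvariant();
                // RIP changes on every step and is not part of this diff.
                if (reg.Equals("RIP", StringComparison.Ordinal))
                {
                    continue;
                }

                var oldValue = ReadContextFieldText(field, oldContext);
                var value    = ReadContextFieldText(field, context);

                if (!oldValue.Equals(value, StringComparison.Ordinal))
                {
                    registers.Append($" {reg}={FormatRegisterText(oldValue)}->{FormatRegisterText(value)}");
                }
                else
                {
                    // Unchanged register: still log it when the instruction names it as an operand,
                    // under its 64-bit (RAX), 32-bit (EAX) or 16-bit (AX) spelling. The 16-bit form of
                    // a numbered register (R8 -> "8") is a bare number and is excluded, because it would
                    // match any immediate or displacement in the operand text.
                    var reg32 = reg.StartsWith("R", StringComparison.Ordinal) ? "E" + reg.Substring(1) : reg;
                    var reg16 = reg.StartsWith("R", StringComparison.Ordinal) ? reg.Substring(1) : reg;
                    int unused;
                    if (ops.Contains(reg) || ops.Contains(reg32) || (!Int32.TryParse(reg16, out unused) && ops.Contains(reg16)))
                    {
                        registers.Append($" {reg}={FormatRegisterText(value)}");
                    }
                }
            }
            return registers.ToString();
        }

        /// <summary>
        /// Reads one context field through reflection and renders it as text. Returns "?" when the
        /// value is null or reflection throws, so a single unreadable field degrades to a placeholder
        /// instead of aborting the whole diff (this is a best-effort diagnostic path).
        /// </summary>
        /// <remarks>
        /// NOTE(review): a reference-typed field (e.g. an array) renders as its type name, so changes
        /// inside it are never detected by the text comparison — confirm whether ContextX64 has any.
        /// </remarks>
        private static string ReadContextFieldText(FieldInfo field, Win32Imports.ContextX64 ctx)
        {
            try
            {
                return field.GetValue(ctx)?.ToString() ?? "?";
            }
            catch (Exception)
            {
                return "?";
            }
        }

        /// <summary>
        /// Renders a register value through <c>FormatValue</c> when the text parses as an unsigned
        /// 64-bit integer; otherwise returns the text unchanged. This keeps the "?" placeholder
        /// (and any non-integer field) loggable, where <c>UInt64.Parse</c> would have thrown a
        /// <see cref="FormatException"/> and lost the entire diff line.
        /// </summary>
        private static string FormatRegisterText(string text)
        {
            ulong number;
            return UInt64.TryParse(text, out number) ? FormatValue(number) : text;
        }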
 /// <summary>
 /// P/Invoke entry point into the native distorm library's <c>distorm_format</c> routine. All three
 /// arguments are passed by reference: <paramref name="ci"/> and <paramref name="di"/> are the
 /// inputs and <paramref name="result"/> receives the formatted instruction.
 /// </summary>
 /// <remarks>
 /// NOTE(review): the <c>[DllImport]</c> attribute that binds this declaration to the native library
 /// is not shown here and is expected on the preceding line — confirm the library name and calling
 /// convention match the native build in use.
 /// </remarks>
 /// <param name="ci">Decoding configuration for the instruction being formatted.</param>
 /// <param name="di">The decoded instruction to format.</param>
 /// <param name="result">Receives the textual form of the instruction.</param>
 public static extern void distorm_format(ref CodeInfo ci, ref DInst di, ref DecodedInst result);