public unsafe bool GetThreadContext(uint threadID, uint contextFlags, uint contextSize, byte[] context)
{
this.LoadThreads();
if (!_threadIDs.Contains(threadID) || contextSize != AMD64Context.Size)
{
return(false);
}
IntPtr ptrContext = Marshal.AllocHGlobal(sizeof(AMD64Context));
AMD64Context *ctx = (AMD64Context *)ptrContext;
ctx->ContextFlags = contextFlags;
IntPtr ptr = Marshal.AllocHGlobal(sizeof(RegSetX64));
try
{
ptrace(PTRACE_GETREGS, (int)threadID, IntPtr.Zero, ptr);
RegSetX64 r = Marshal.PtrToStructure <RegSetX64>(ptr);
CopyContext(ctx, ref r);
Marshal.Copy(ptrContext, context, 0, sizeof(AMD64Context));
}
finally
{
Marshal.FreeHGlobal(ptr);
Marshal.FreeHGlobal(ptrContext);
}
return(true);
}
public unsafe bool GetThreadContext(uint threadID, uint contextFlags, uint contextSize, IntPtr context)
{
this.LoadThreads();
if (!_threadIDs.Contains(threadID) || contextSize != AMD64Context.Size)
{
return(false);
}
AMD64Context *ctx = (AMD64Context *)context.ToPointer();
ctx->ContextFlags = (int)contextFlags;
IntPtr ptr = Marshal.AllocHGlobal(sizeof(RegSetX64));
try
{
ulong ret = ptrace(PTRACE_GETREGS, (int)threadID, IntPtr.Zero, ptr);
if (ret != 0)
{
//Console.WriteLine($"PTRACE_GETREGS returns {ret:x} for {threadID}");
}
RegSetX64 r = Marshal.PtrToStructure <RegSetX64>(ptr);
CopyContext(ctx, ref r);
}
finally
{
Marshal.FreeHGlobal(ptr);
}
return(true);
}
public unsafe bool CopyContext(uint contextFlags, uint contextSize, void *context)
{
if (contextSize < AMD64Context.Size)
{
return(false);
}
AMD64Context *ctx = (AMD64Context *)context;
ctx->ContextFlags = AMD64Context.ContextControl | AMD64Context.ContextInteger | AMD64Context.ContextSegments;
ctx->R15 = R15;
ctx->R14 = R14;
ctx->R13 = R13;
ctx->R12 = R12;
ctx->Rbp = Rbp;
ctx->Rbx = Rbx;
ctx->R11 = R11;
ctx->R10 = R10;
ctx->R9 = R9;
ctx->R8 = R8;
ctx->Rax = Rax;
ctx->Rcx = Rcx;
ctx->Rdx = Rdx;
ctx->Rsi = Rsi;
ctx->Rdi = Rdi;
ctx->Rip = Rip;
ctx->Rsp = Rsp;
ctx->Cs = (ushort)CS;
ctx->Ds = (ushort)DS;
ctx->Ss = (ushort)SS;
ctx->Fs = (ushort)FS;
ctx->Gs = (ushort)GS;
return(true);
}
private unsafe void CopyContext(AMD64Context *ctx, ref RegSetX64 registerSet)
{
ctx->R15 = registerSet.R15;
ctx->R14 = registerSet.R14;
ctx->R13 = registerSet.R13;
ctx->R12 = registerSet.R12;
ctx->Rbp = registerSet.Rbp;
ctx->Rbx = registerSet.Rbx;
ctx->R11 = registerSet.R11;
ctx->R10 = registerSet.R10;
ctx->R9 = registerSet.R9;
ctx->R8 = registerSet.R8;
ctx->Rax = registerSet.Rax;
ctx->Rcx = registerSet.Rcx;
ctx->Rdx = registerSet.Rdx;
ctx->Rsi = registerSet.Rsi;
ctx->Rdi = registerSet.Rdi;
ctx->Rip = registerSet.Rip;
ctx->Rsp = registerSet.Rsp;
}
public unsafe bool GetThreadContext(uint threadID, uint contextFlags, uint contextSize, IntPtr context)
{
if (contextSize != AMD64Context.Size)
{
return(false);
}
InitThreads();
AMD64Context *ctx = (AMD64Context *)context.ToPointer();
ctx->ContextFlags = (int)contextFlags;
if (_threads.TryGetValue(threadID, out ElfPRStatus status))
{
CopyContext(ctx, ref status.RegisterSet);
return(true);
}
return(false);
}
public bool GetThreadContext(uint threadID, uint contextFlags, Span <byte> context)
{
// We need to set the ContextFlags field to be the value of contextFlags. For AMD64, that field is
// at offset 0x30. For all other platforms that field is at offset 0. We test here whether the context
// is large enough to write the flags and then assign the value based on the architecture's offset.
bool amd64 = Architecture == Architecture.X64;
if (context.Length < 4 || (amd64 && context.Length < 0x34))
{
return(false);
}
if (amd64)
{
fixed(byte *ptr = context)
{
AMD64Context *ctx = (AMD64Context *)ptr;
ctx->ContextFlags = contextFlags;
}
}
else
{
fixed(byte *ptr = context)
{
uint *intPtr = (uint *)ptr;
*intPtr = contextFlags;
}
}
using SafeWin32Handle thread = OpenThread(ThreadAccess.THREAD_ALL_ACCESS, true, threadID);
if (thread.IsInvalid)
return(false);
fixed(byte *ptr = context)
return(GetThreadContext(thread.DangerousGetHandle(), new IntPtr(ptr)));
}
public unsafe bool GetThreadContext(uint threadID, uint contextFlags, uint contextSize, byte[] context)
{
if (contextSize != AMD64Context.Size)
{
return(false);
}
InitThreads();
if (_threads.TryGetValue(threadID, out ElfPRStatus status))
{
fixed(byte *ptr = context)
{
AMD64Context *ctx = (AMD64Context *)ptr;
ctx->ContextFlags = (int)contextFlags;
CopyContext(ctx, ref status.RegisterSet);
return(true);
}
}
return(false);
}
// TODO: Support other architectures
int GetRegister(string register, out ulong value)
{
value = 0;
int hr = GetCurrentThreadSystemId(IntPtr.Zero, out uint threadId);
if (hr != 0)
{
return(hr);
}
byte[] buffer = new byte[AMD64Context.Size];
if (!_dataReader.GetThreadContext(threadId, uint.MaxValue, (uint)AMD64Context.Size, buffer))
{
return(E_FAIL);
}
fixed(byte *ptr = buffer)
{
AMD64Context *context = (AMD64Context *)ptr;
switch (register.ToLower())
{
case "rax":
value = context->Rax;
break;
case "rbx":
value = context->Rbx;
break;
case "rcx":
value = context->Rcx;
break;
case "rdx":
value = context->Rdx;
break;
case "rsi":
value = context->Rsi;
break;
case "rdi":
value = context->Rdi;
break;
case "r8":
value = context->R8;
break;
case "r9":
value = context->R9;
break;
case "r10":
value = context->R10;
break;
case "r11":
value = context->R11;
break;
case "r12":
value = context->R12;
break;
case "r13":
value = context->R13;
break;
case "r14":
value = context->R14;
break;
case "r15":
value = context->R15;
break;
case "rip":
value = context->Rip;
break;
case "rsp":
value = context->Rsp;
break;
case "rbp":
value = context->Rbp;
break;
default:
return(E_FAIL);
}
}
return(S_OK);
}
