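/// <summary>
/// Reads the current instruction pointer of <paramref name="thread"/> by querying its
/// control-register context (<c>CONTEXT_CONTROL</c>) through <c>NT.GetThreadContext</c>.
/// </summary>
/// <param name="thread">The thread to inspect.</param>
/// <param name="wow64Process">
/// <c>true</c> to read a 32-bit <c>CONTEXT</c> and return <c>Eip</c>; <c>false</c> to read a
/// 64-bit <c>CONTEXT64</c> and return <c>Rip</c>.
/// </param>
/// <returns>
/// The instruction pointer, or 0 when the context query leaves the struct zeroed — the
/// return value of <c>NT.GetThreadContext</c> is not checked here.
/// </returns>
public static ulong GetInstructionPointer(this ProcessThread thread, bool wow64Process)
{
    // Open the thread with only the access this query needs.
    var threadHandle = thread.GetNativeHandle(NT.ThreadAccess.GET_CONTEXT);
    try
    {
        if (wow64Process)
        {
            // NOTE(review): when the calling process is itself 64-bit, a WOW64 thread's
            // 32-bit context is normally obtained via Wow64GetThreadContext — confirm how
            // the NT.GetThreadContext overload taking NT.CONTEXT is declared.
            var ctx32 = new NT.CONTEXT { ContextFlags = NT.CONTEXT_FLAGS.CONTEXT_CONTROL };
            NT.GetThreadContext(threadHandle, ref ctx32);
            return ctx32.Eip;
        }
        else
        {
            var ctx64 = new NT.CONTEXT64 { ContextFlags = NT.CONTEXT_FLAGS.CONTEXT_CONTROL };
            NT.GetThreadContext(threadHandle, ref ctx64);
            return ctx64.Rip;
        }
    }
    finally
    {
        // Always release the handle; the original leaked it if the native call threw.
        NT.CloseHandle(threadHandle);
    }
}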
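/// <summary>
/// Queries the Win32 start address of <paramref name="thread"/> via
/// <c>NtQueryInformationThread(ThreadQuerySetWin32StartAddress)</c> and returns it as an
/// unsigned 64-bit value.
/// </summary>
/// <param name="thread">The thread to inspect.</param>
/// <returns>
/// The start address, or 0 when the query does not fill the buffer — the NTSTATUS returned
/// by <c>NT.NtQueryInformationThread</c> is not checked here.
/// </returns>
/// <remarks>
/// Takes the address of a stack local, so this method relies on being compiled in an
/// unsafe context (the enclosing type is presumably declared <c>unsafe</c> — confirm).
/// </remarks>
public static ulong GetRealStartAddress(this ProcessThread thread)
{
    // Open the thread with only the access this query needs.
    var handle = thread.GetNativeHandle(NT.ThreadAccess.QUERY_INFORMATION);
    ulong startAddress = 0;
    try
    {
        // The output buffer is exactly the 8-byte local we point at.
        NT.NtQueryInformationThread(
            (IntPtr)handle,
            NT.ThreadInfoClass.ThreadQuerySetWin32StartAddress,
            new IntPtr(&startAddress),
            sizeof(ulong),
            IntPtr.Zero);
    }
    finally
    {
        // Always release the handle; the original leaked it if the native call threw.
        NT.CloseHandle(handle);
    }
    return startAddress;
}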