/// <summary>
/// Records a module's base address and file handle and, when the handle is
/// valid, resolves the on-disk image path from it.
/// </summary>
/// <param name="base">Base address of the module.</param>
/// <param name="handle">File handle for the module image; may be invalid, in which case no path is resolved.</param>
internal Module(ForeignPtr @base, SafeFileHandle handle)
{
    // Contract.Assert is conditional on DEBUG / CONTRACTS_FULL, so this check
    // is absent from builds that define neither symbol.
    Contract.Assert(@base.Address > 0);

    this.@base = @base;
    this.handle = handle;

    // NOTE(review): a null handle would throw NullReferenceException here — confirm callers never pass null.
    if (handle.IsInvalid)
    {
        return;
    }

    // NOTE(review): DangerousGetHandle does not take a reference on the handle;
    // if another thread can close it during the native call, the raw value may
    // be stale or recycled. Consider DangerousAddRef/DangerousRelease around it.
    var rawHandle = handle.DangerousGetHandle();
    this.imagePath = Kernel32.GetFinalPathNameByHandle(rawHandle, 0);
}
/// <summary>
/// Handles a module-unload debug event: removes the module registered at
/// <paramref name="base"/> and raises ModuleUnloaded for it.
/// </summary>
/// <param name="threadID">ID of the thread that reported the event (not used here).</param>
/// <param name="base">Base address of the unloaded module.</param>
/// <returns>
/// The response produced by the event handlers, or
/// <c>DebugEventResponse.ContinueUnhandled</c> when no module was registered at that address.
/// </returns>
public DebugEventResponse OnModuleUnloaded(int threadID, ForeignPtr @base)
{
    Module unloaded;
    if (!owner.modulesByBaseAddress.TryRemove(@base, out unloaded))
    {
        // An unload for an address that was never tracked. Contract.Assert is
        // compiled out unless DEBUG / CONTRACTS_FULL is defined, so in other
        // builds this mismatch is silent and only the return value reports it.
        Contract.Assert(false, "Mismatched unload dll message.");
        return DebugEventResponse.ContinueUnhandled;
    }

    return owner.RaiseEvent(owner.ModuleUnloaded, new ModuleEventArgs(unloaded));
}
/// <summary>
/// Demo driver: loads the NASM instruction table, starts notepad, attaches a
/// debugger to it, breaks in after a short delay and decodes the instruction
/// at the broken thread's EIP.
/// </summary>
private static async Task Run()
{
    // "insns.dat" is a relative path, so it is resolved against the current
    // working directory of the process.
    var entries = new List<NasmInsnsEntry>();
    foreach (var rawLine in File.ReadAllLines("insns.dat", Encoding.ASCII))
    {
        if (!NasmInsns.IsIgnoredLine(rawLine))
        {
            entries.Add(NasmInsns.ParseLine(rawLine));
        }
    }

    var lookup = new NasmInstructionDecoderLookup(entries);
    var decoder = new InstructionDecoder(lookup, CodeContext.Protected_Default32);

    // NOTE(review): the SysWow64 copy is presumably chosen so the target is a
    // 32-bit process, matching Protected_Default32 and the Eip read below — confirm.
    // NOTE(review): the Process object is never disposed and the debuggee is
    // left running when this method returns.
    var target = Process.Start(@"C:\Windows\SysWow64\notepad.exe");
    var debugger = await ProcessDebugger.AttachAsync(target.Id, initialBreak: false);

    // Fixed two-second wait before breaking in; presumably gives the target time to start up.
    await Task.Delay(TimeSpan.FromSeconds(2));

    var stoppedThread = await debugger.BreakAsync();
    var registers = stoppedThread.GetContext(X86.CONTEXT_ALL);

    // The decoded instruction is not used any further in this method.
    var instruction = Decode(decoder, debugger, new ForeignPtr(registers.Eip));
}
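/// <summary>
/// Copies <paramref name="count"/> bytes from a local buffer into the debugged
/// process via WriteProcessMemory.
/// </summary>
/// <param name="source">Address of the local buffer to copy from.</param>
/// <param name="dest">Destination address in the debugged process.</param>
/// <param name="count">Number of bytes to write; must not be negative.</param>
/// <exception cref="ArgumentOutOfRangeException"><paramref name="count"/> is negative.</exception>
/// <exception cref="InvalidOperationException">The number of bytes written differs from <paramref name="count"/>.</exception>
public void WriteMemory(IntPtr source, ForeignPtr dest, int count)
{
    // A negative count would otherwise be cast to an unsigned size below and
    // handed to the native call instead of being rejected up front.
    if (count < 0)
    {
        throw new ArgumentOutOfRangeException("count", "count must not be negative.");
    }

    // NOTE(review): the caller is responsible for source pointing at a buffer
    // of at least count bytes; nothing here can verify that.
    UIntPtr written;
    CheckWin32(WriteProcessMemory(debugInfo.hProcess, (IntPtr)dest.Address, source, (UIntPtr)count, out written));

    // Treat a partial transfer as a failure rather than leaving the target half-written silently.
    if (written != (UIntPtr)count)
    {
        throw new InvalidOperationException("WriteProcessMemory did not write the requested number of bytes.");
    }
}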
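/// <summary>
/// Copies <paramref name="count"/> bytes from the debugged process into a
/// local buffer via ReadProcessMemory.
/// </summary>
/// <param name="source">Address in the debugged process to read from.</param>
/// <param name="dest">Address of the local buffer that receives the bytes.</param>
/// <param name="count">Number of bytes to read; must not be negative.</param>
/// <exception cref="ArgumentOutOfRangeException"><paramref name="count"/> is negative.</exception>
/// <exception cref="InvalidOperationException">The number of bytes read differs from <paramref name="count"/>.</exception>
public void ReadMemory(ForeignPtr source, IntPtr dest, int count)
{
    // A negative count would otherwise be cast to an unsigned size below and
    // handed to the native call, which writes into the local buffer at dest.
    if (count < 0)
    {
        throw new ArgumentOutOfRangeException("count", "count must not be negative.");
    }

    // NOTE(review): the caller is responsible for dest pointing at a writable
    // buffer of at least count bytes; nothing here can verify that.
    UIntPtr read;
    CheckWin32(ReadProcessMemory(debugInfo.hProcess, (IntPtr)source.Address, dest, (UIntPtr)count, out read));

    // A short read leaves part of the destination buffer unfilled, so report it.
    if (read != (UIntPtr)count)
    {
        throw new InvalidOperationException("ReadProcessMemory did not read the requested number of bytes.");
    }
}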
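/// <summary>
/// Decodes one instruction from the debugged process's memory, starting at
/// <paramref name="ptr"/>, by feeding bytes to the decoder until it stops
/// asking for more.
/// </summary>
/// <param name="decoder">Decoder that consumes the bytes.</param>
/// <param name="debugger">Debugger used to open the target's memory as a stream.</param>
/// <param name="ptr">Address of the first byte of the instruction.</param>
/// <returns>The instruction reported by the decoder.</returns>
private static Instruction Decode(InstructionDecoder decoder, ProcessDebugger debugger, ForeignPtr ptr)
{
    // Dispose the reader (and with it the stream) instead of leaking it.
    // Assumes OpenMemory hands back a stream owned by the caller — TODO confirm.
    using (var reader = new BinaryReader(debugger.OpenMemory(ptr)))
    {
        // Feed returns true while the decoder wants another byte.
        // NOTE(review): the loop has no byte limit of its own; it ends when
        // Feed returns false or when ReadByte throws at the end of the stream.
        while (decoder.Feed(reader.ReadByte()))
        {
        }

        return decoder.GetInstruction();
    }
}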
/// <summary>
/// Creates the event data for a thread-created notification.
/// </summary>
/// <param name="thread">The newly created thread; required to be non-null by contract.</param>
/// <param name="entryPoint">Entry point address reported for the thread.</param>
public ThreadCreatedEventArgs(Thread thread, ForeignPtr entryPoint)
{
    // Contract.Requires is conditional on CONTRACTS_FULL, so without the
    // contracts tooling this precondition is not enforced at run time.
    Contract.Requires(thread != null);

    Thread = thread;
    EntryPoint = entryPoint;
}
/// <summary>
/// Handles a thread-created debug event: registers a new Thread under
/// <paramref name="threadID"/> and raises ThreadCreated for it.
/// </summary>
/// <param name="threadID">ID of the new thread.</param>
/// <param name="entryPoint">Entry point address reported for the thread.</param>
/// <returns>The response produced by the event handlers.</returns>
public DebugEventResponse OnThreadCreated(int threadID, ForeignPtr entryPoint)
{
    var created = new Thread(owner, threadID);

    // TryAdd is kept outside the assertion so the registration still happens
    // in builds where Contract.Assert is compiled out.
    bool wasAdded = owner.threadsByID.TryAdd(threadID, created);

    // NOTE(review): when DEBUG / CONTRACTS_FULL is not defined, a duplicate
    // thread ID passes silently: the earlier entry stays in the map and the
    // event is still raised with a Thread object that is not tracked.
    Contract.Assert(wasAdded);

    var args = new ThreadCreatedEventArgs(created, entryPoint);
    return owner.RaiseEvent(owner.ThreadCreated, args);
}
/// <summary>
/// Handles a module-load debug event: wraps the base address and file handle
/// in a Module, registers it by base address and raises ModuleLoaded.
/// </summary>
/// <param name="threadID">ID of the thread that reported the event (not used here).</param>
/// <param name="base">Base address of the loaded module.</param>
/// <param name="handle">File handle for the module image.</param>
/// <returns>The response produced by the event handlers.</returns>
public DebugEventResponse OnModuleLoaded(int threadID, ForeignPtr @base, SafeFileHandle handle)
{
    var loaded = new Module(@base, handle);

    // NOTE(review): the TryAdd result is ignored. If an entry already exists
    // at this base address, the older Module stays in the map and the new one
    // is reported through the event without being tracked.
    owner.modulesByBaseAddress.TryAdd(loaded.Base, loaded);

    var args = new ModuleEventArgs(loaded);
    return owner.RaiseEvent(owner.ModuleLoaded, args);
}