Esempi in C# (CSharp) per TEB

Esempio n. 1

File: Thread_Info.cs Progetto: Andy53/ERC.Xdbg

 private void PopulateTEBStruct32(byte[] tebBytes)
 {
     Teb = new TEB();
     Teb.CurrentSehFrame   = (IntPtr)BitConverter.ToInt32(tebBytes, 0x0);
     Teb.TopOfStack        = (IntPtr)BitConverter.ToInt32(tebBytes, 0x4);
     Teb.BottomOfStack     = (IntPtr)BitConverter.ToInt32(tebBytes, 0x8);
     Teb.SubSystemTeb      = (IntPtr)BitConverter.ToInt32(tebBytes, 0xC);
     Teb.FiberData         = (IntPtr)BitConverter.ToInt32(tebBytes, 0x10);
     Teb.ArbitraryDataSlot = (IntPtr)BitConverter.ToInt32(tebBytes, 0x14);
     Teb.Teb = (IntPtr)BitConverter.ToInt32(tebBytes, 0x18);
     Teb.EnvironmentPointer    = (IntPtr)BitConverter.ToInt32(tebBytes, 0x1C);
     Teb.Identifiers.ProcessId = (IntPtr)BitConverter.ToInt32(tebBytes, 0x20);
     Teb.Identifiers.ThreadId  = (IntPtr)BitConverter.ToInt32(tebBytes, 0x24);
     Teb.RpcHandle             = (IntPtr)BitConverter.ToInt32(tebBytes, 0x28);
     Teb.Tls                   = (IntPtr)BitConverter.ToInt32(tebBytes, 0x2C);
     Teb.Peb                   = (IntPtr)BitConverter.ToInt32(tebBytes, 0x30);
     Teb.LastErrorNumber       = BitConverter.ToInt32(tebBytes, 0x34);
     Teb.CriticalSectionsCount = BitConverter.ToInt32(tebBytes, 0x38);
     Teb.CsrClientThread       = (IntPtr)BitConverter.ToInt32(tebBytes, 0x3C);
     Teb.Win32ThreadInfo       = (IntPtr)BitConverter.ToInt32(tebBytes, 0x40);
     Teb.Win32ClientInfo       = new byte[4];
     Array.Copy(tebBytes, 0x44, Teb.Win32ClientInfo, 0, 4);
     Teb.WoW64Reserved            = (IntPtr)BitConverter.ToInt32(tebBytes, 0xC0);
     Teb.CurrentLocale            = (IntPtr)BitConverter.ToInt32(tebBytes, 0xC4);
     Teb.FpSoftwareStatusRegister = (IntPtr)BitConverter.ToInt32(tebBytes, 0xC8);
     Teb.SystemReserved1          = new byte[216];
     Array.Copy(tebBytes, 0xCC, Teb.SystemReserved1, 0, 216);
     Teb.ExceptionCode          = (IntPtr)BitConverter.ToInt32(tebBytes, 0x1A4);
     Teb.ActivationContextStack = new byte[4];
     Array.Copy(tebBytes, 0x1A8, Teb.ActivationContextStack, 0, 4);
     Teb.SpareBytes = new byte[24];
     Array.Copy(tebBytes, 0x1BC, Teb.SpareBytes, 0, 24);
     Teb.SystemReserved2 = new byte[40];
     Array.Copy(tebBytes, 0x1D4, Teb.SystemReserved2, 0, 40);
     Teb.GdiTebBatch = new byte[1248];
     Array.Copy(tebBytes, 0x1FC, Teb.GdiTebBatch, 0, 1248);
     Teb.GdiRegion              = (IntPtr)BitConverter.ToInt32(tebBytes, 0x6DC);
     Teb.GdiPen                 = (IntPtr)BitConverter.ToInt32(tebBytes, 0x6E0);
     Teb.GdiBrush               = (IntPtr)BitConverter.ToInt32(tebBytes, 0x6E4);
     Teb.RealProcessId          = BitConverter.ToInt32(tebBytes, 0x6E8);
     Teb.RealThreadId           = BitConverter.ToInt32(tebBytes, 0x6EC);
     Teb.GdiCachedProcessHandle = (IntPtr)BitConverter.ToInt32(tebBytes, 0x6F0);
     Teb.GdiClientProcessId     = (IntPtr)BitConverter.ToInt32(tebBytes, 0x6F4);
     Teb.GdiClientThreadId      = (IntPtr)BitConverter.ToInt32(tebBytes, 0x6F8);
     Teb.GdiThreadLocalInfo     = (IntPtr)BitConverter.ToInt32(tebBytes, 0x6FC);
     Teb.UserReserved1          = new byte[20];
     Array.Copy(tebBytes, 0x700, Teb.UserReserved1, 0, 20);
     Teb.GlReserved1 = new byte[1248];
     Array.Copy(tebBytes, 0x714, Teb.GlReserved1, 0, 1248);
     Teb.LastStatusValue     = BitConverter.ToInt32(tebBytes, 0xBF4);
     Teb.StaticUnicodeString = new byte[214];
     Array.Copy(tebBytes, 0xBF8, Teb.StaticUnicodeString, 0, 214);
     Teb.DeallocationStack = (IntPtr)BitConverter.ToInt32(tebBytes, 0xE0C);
     Teb.TlsSlots          = new byte[100];
     Array.Copy(tebBytes, 0xE10, Teb.TlsSlots, 0, 100);
     Teb.TlsLinks        = BitConverter.ToInt32(tebBytes, 0xF10);
     Teb.Vdm             = (IntPtr)BitConverter.ToInt32(tebBytes, 0xF18);
     Teb.RpcReserved     = (IntPtr)BitConverter.ToInt32(tebBytes, 0xF1C);
     Teb.ThreadErrorMode = (IntPtr)BitConverter.ToInt32(tebBytes, 0xF28);
 }

Esempio n. 2

File: Thread_Info.cs Progetto: Andy53/ERC.Xdbg

 private void PopulateTEBStruct64(byte[] tebBytes)
 {
     Teb = new TEB();
     Teb.CurrentSehFrame   = (IntPtr)BitConverter.ToInt64(tebBytes, 0x0);
     Teb.TopOfStack        = (IntPtr)BitConverter.ToInt64(tebBytes, 0x8);
     Teb.BottomOfStack     = (IntPtr)BitConverter.ToInt64(tebBytes, 0x10);
     Teb.SubSystemTeb      = (IntPtr)BitConverter.ToInt64(tebBytes, 0x18);
     Teb.FiberData         = (IntPtr)BitConverter.ToInt64(tebBytes, 0x20);
     Teb.ArbitraryDataSlot = (IntPtr)BitConverter.ToInt64(tebBytes, 0x28);
     Teb.Teb = (IntPtr)BitConverter.ToInt64(tebBytes, 0x30);
     Teb.EnvironmentPointer    = (IntPtr)BitConverter.ToInt64(tebBytes, 0x38);
     Teb.Identifiers.ProcessId = (IntPtr)BitConverter.ToInt64(tebBytes, 0x40);
     Teb.Identifiers.ThreadId  = (IntPtr)BitConverter.ToInt64(tebBytes, 0x48);
     Teb.RpcHandle             = (IntPtr)BitConverter.ToInt64(tebBytes, 0x50);
     Teb.Tls                   = (IntPtr)BitConverter.ToInt64(tebBytes, 0x58);
     Teb.Peb                   = (IntPtr)BitConverter.ToInt64(tebBytes, 0x60);
     Teb.LastErrorNumber       = BitConverter.ToInt32(tebBytes, 0x68);
     Teb.CriticalSectionsCount = BitConverter.ToInt32(tebBytes, 0x6C);
     Teb.CsrClientThread       = (IntPtr)BitConverter.ToInt64(tebBytes, 0x70);
     Teb.Win32ThreadInfo       = (IntPtr)BitConverter.ToInt64(tebBytes, 0x78);
     Teb.Win32ClientInfo       = new byte[4];
     Array.Copy(tebBytes, 0x80, Teb.Win32ClientInfo, 0, 4);
     Teb.CurrentLocale            = (IntPtr)BitConverter.ToInt64(tebBytes, 0x84);
     Teb.FpSoftwareStatusRegister = (IntPtr)BitConverter.ToInt64(tebBytes, 0x8C);
     Teb.SystemReserved1          = new byte[216];
     Array.Copy(tebBytes, 0x94, Teb.SystemReserved1, 0, 216);
     Teb.ExceptionCode          = (IntPtr)BitConverter.ToInt64(tebBytes, 0x16C);
     Teb.ActivationContextStack = new byte[4];
     Array.Copy(tebBytes, 0x174, Teb.ActivationContextStack, 0, 4);
     Teb.SpareBytes = new byte[24];
     Array.Copy(tebBytes, 0x178, Teb.SpareBytes, 0, 24);
     Teb.SystemReserved2 = new byte[40];
     Array.Copy(tebBytes, 0x190, Teb.SystemReserved2, 0, 40);
     Teb.GdiTebBatch = new byte[1248];
     Array.Copy(tebBytes, 0x1b8, Teb.GdiTebBatch, 0, 1248);
     Teb.GdiRegion              = (IntPtr)BitConverter.ToInt64(tebBytes, 0x698);
     Teb.GdiPen                 = (IntPtr)BitConverter.ToInt64(tebBytes, 0x6A0);
     Teb.GdiBrush               = (IntPtr)BitConverter.ToInt64(tebBytes, 0x6A8);
     Teb.RealProcessId          = BitConverter.ToInt32(tebBytes, 0x6B0);
     Teb.RealThreadId           = BitConverter.ToInt32(tebBytes, 0x6B4);
     Teb.GdiCachedProcessHandle = (IntPtr)BitConverter.ToInt64(tebBytes, 0x6B8);
     Teb.GdiClientProcessId     = (IntPtr)BitConverter.ToInt64(tebBytes, 0x6C0);
     Teb.GdiClientThreadId      = (IntPtr)BitConverter.ToInt64(tebBytes, 0x6C8);
     Teb.GdiThreadLocalInfo     = (IntPtr)BitConverter.ToInt64(tebBytes, 0x6D0);
     Teb.UserReserved1          = new byte[20];
     Array.Copy(tebBytes, 0x6D8, Teb.UserReserved1, 0, 20);
     Teb.GlReserved1 = new byte[1248];
     Array.Copy(tebBytes, 0x6EC, Teb.GlReserved1, 0, 1248);
     Teb.LastStatusValue     = BitConverter.ToInt32(tebBytes, 0x1250);
     Teb.StaticUnicodeString = new byte[214];
     Array.Copy(tebBytes, 0x1258, Teb.StaticUnicodeString, 0, 214);
     Teb.DeallocationStack = (IntPtr)BitConverter.ToInt64(tebBytes, 0x1478);
     Teb.TlsSlots          = new byte[520];
     Array.Copy(tebBytes, 0x1480, Teb.TlsSlots, 0, 520);
     Teb.TlsLinks        = BitConverter.ToInt64(tebBytes, 0x1680);
     Teb.Vdm             = (IntPtr)BitConverter.ToInt64(tebBytes, 0x1688);
     Teb.RpcReserved     = (IntPtr)BitConverter.ToInt64(tebBytes, 0x1690);
     Teb.ThreadErrorMode = (IntPtr)BitConverter.ToInt64(tebBytes, 0x1698);
 }