/// <summary>
/// Hook callback that records one cross-reference: the address the hooked
/// function was called from and the address that was reached. The pair is
/// printed through <c>Output</c> and appended to <c>CrossRefSet</c> after both
/// addresses have had <c>SecStartAddress</c> subtracted from them.
/// </summary>
/// <param name="hook">Hook that fired. Not used by this method.</param>
/// <param name="process">Process reported by the hook. Not used; the memory
/// reader is opened with <c>_process.Id</c> instead.</param>
/// <param name="hookCallInfo">Call details; supplies the stack trace and the
/// <c>asmRegEip</c> register value.</param>
private void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
{
    NktStackTrace trace = hookCallInfo.StackTrace();
    NktProcessMemory targetMemory = _spyMgr.ProcessMemoryFromPID(_process.Id);

    // Copy the 50 bytes that end at stack frame 0's address, one byte per
    // Read call. Address(0) is queried again on every iteration.
    // NOTE(review): Address(0) is presumably the return address, so this
    // window would hold the call instruction - confirm.
    UInt32 windowSize = 50;
    byte[] window = new byte[windowSize];
    UInt32 offset = 0;
    while (offset < windowSize)
    {
        IntPtr readAt = (IntPtr)((UInt64)trace.Address(0) - windowSize + offset);
        window[offset] = (byte)targetMemory.Read(readAt, eNktDboFundamentalType.ftUnsignedByte);
        offset++;
    }

    // NOTE(review): asmRegEip is the 32-bit instruction pointer, so this
    // presumably assumes an x86 target - confirm before using on x64.
    UInt64 targetAddr = (UInt64)hookCallInfo.get_Register(eNktRegister.asmRegEip);

    // NOTE(review): GetInstrSize presumably returns the length of the
    // instruction that ends at the end of the window - confirm.
    UInt64 callLength = (UInt64)GetInstrSize(window, windowSize);
    UInt64 callSiteAddr = (UInt64)trace.Address(0) - callLength;

    // Log the absolute addresses before they are rebased.
    Output(string.Concat("From: 0x", callSiteAddr.ToString("x"), " To: 0x", targetAddr.ToString("x"), "\n"), false);

    // Rebase both addresses against SecStartAddress.
    // NOTE(review): unsigned subtraction - an address below SecStartAddress
    // wraps to a very large value unless the build uses checked arithmetic;
    // confirm that callers outside the section are filtered downstream.
    targetAddr -= SecStartAddress;
    callSiteAddr -= SecStartAddress;

    CrossRefSet.Add(new CROSSREF { From = callSiteAddr, To = targetAddr });
}
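/// <summary>
/// Form-closing handler that writes every entry of <c>CrossRefSet</c> to
/// <c>CrossRef.dat</c> as consecutive (From, To) pairs of 32-bit integers,
/// replacing any existing file.
/// </summary>
/// <param name="sender">Event source. Not used.</param>
/// <param name="e">Closing event data. Not used.</param>
private void Form1_FormClosing(object sender, FormClosingEventArgs e)
{
    string[] args = Environment.GetCommandLineArgs();

    // args[0] may be a bare file name with no directory part. The old
    // concatenation then produced "\CrossRef.dat", i.e. the root of the
    // current drive. Fall back to the application base directory instead.
    string outputDir = Path.GetDirectoryName(args[0]);
    if (string.IsNullOrEmpty(outputDir))
    {
        outputDir = AppDomain.CurrentDomain.BaseDirectory;
    }
    string outputPath = Path.Combine(outputDir, "CrossRef.dat");

    // using blocks close the file handle even when a write throws; the
    // previous code only closed the stream on the success path.
    using (FileStream stream = File.Open(outputPath, FileMode.Create))
    using (BinaryWriter writer = new BinaryWriter(stream))
    {
        // A single pass in enumeration order yields the same sequence as
        // ElementAt(0..Count-1) without re-walking the collection per entry.
        foreach (CROSSREF crossref in CrossRefSet)
        {
            // The (Int32) casts narrow each value to four bytes.
            // NOTE(review): a value that does not fit in 32 bits will not
            // round-trip; confirm readers of CrossRef.dat expect this layout.
            writer.Write((Int32)crossref.From);
            writer.Write((Int32)crossref.To);
        }
        writer.Flush();
    }
}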