コード例 #1
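        /// <summary>
        /// Hook callback that records one call edge: the address of the calling
        /// instruction ("From") and the address of the hooked function ("To").
        /// Both are logged as absolute addresses and then stored in
        /// <c>CrossRefSet</c> relative to <c>SecStartAddress</c>.
        /// </summary>
        /// <param name="hook">The hook that fired (not used here).</param>
        /// <param name="process">The process the hook fired in (not used here; memory is opened for <c>_process</c> instead).</param>
        /// <param name="hookCallInfo">Call context supplying the stack trace and the EIP register value.</param>
        private void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
        {
            // Number of bytes fetched from immediately below the return address and
            // handed to GetInstrSize to size the instruction that made the call.
            const UInt32 StackOpcodeSize = 50;

            NktStackTrace    stack  = hookCallInfo.StackTrace();

            // NOTE(review): the address space is chosen from _process.Id, not from the
            // `process` argument. If hooks can fire in any other process, the bytes read
            // below would come from the wrong process -- confirm.
            NktProcessMemory memory = _spyMgr.ProcessMemoryFromPID(_process.Id);

            // Read the return address once; the original re-queried it on every loop
            // iteration and again after the loop.
            UInt64 returnAddr = (UInt64)stack.Address(0);

            // The arithmetic is unsigned, so a missing or implausibly small return
            // address would wrap to the top of the address range and the loop would
            // read from there. No call edge can be derived in that case.
            if (returnAddr < StackOpcodeSize)
            {
                return;
            }

            UInt64 windowStart = returnAddr - StackOpcodeSize;
            byte[] stackOpcode = new byte[StackOpcodeSize];

            // These bytes come from the hooked process and are therefore controlled by
            // the program under analysis.
            // NOTE(review): confirm what memory.Read returns for an unreadable page; the
            // (byte) cast assumes a boxed byte is always returned.
            for (UInt32 n = 0; n < StackOpcodeSize; n++)
            {
                stackOpcode[n] = (byte)memory.Read((IntPtr)(windowStart + n), eNktDboFundamentalType.ftUnsignedByte);
            }

            // EIP is the x86 instruction pointer; at hook time it is taken as the
            // address of the hooked function.
            UInt64 actualAddr  = (UInt64)hookCallInfo.get_Register(eNktRegister.asmRegEip);

            // NOTE(review): GetInstrSize is defined elsewhere. It parses bytes taken
            // from the target, so verify it never indexes past the buffer and never
            // reports a size larger than StackOpcodeSize.
            UInt64 nInstrSize  = (UInt64)GetInstrSize(stackOpcode, StackOpcodeSize);
            UInt64 callingAddr = returnAddr - nInstrSize;

            string str = "From: 0x" + callingAddr.ToString("x") + "    To: 0x" + actualAddr.ToString("x") + "\n";

            Output(str, false);

            // Convert to section-relative offsets. The subtraction is unsigned, so an
            // address below SecStartAddress (for example a caller outside the section)
            // wraps instead of going negative, unless the project enables overflow checks.
            actualAddr  -= SecStartAddress;
            callingAddr -= SecStartAddress;

            CROSSREF crossref = new CROSSREF();

            crossref.From = callingAddr;
            crossref.To   = actualAddr;
            CrossRefSet.Add(crossref);
        }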
コード例 #2
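        /// <summary>
        /// On form close, dumps every collected cross-reference to
        /// <c>CrossRef.dat</c> next to the executable. The file has no header or
        /// count: each entry is two consecutive 32-bit integers (From, then To)
        /// as written by <see cref="BinaryWriter"/>.
        /// </summary>
        /// <param name="sender">Event source (not used).</param>
        /// <param name="e">Closing event arguments (not used).</param>
        private void Form1_FormClosing(object sender, FormClosingEventArgs e)
        {
            string[] Args = Environment.GetCommandLineArgs();

            // Args[0] is the program name as it was typed. When the tool is started by
            // bare name, GetDirectoryName yields an empty string, and the original
            // concatenation then produced "\CrossRef.dat", the root of the current
            // drive. Fall back to the application base directory in that case.
            string exeDir = null;
            if (Args.Length > 0 && !string.IsNullOrEmpty(Args[0]))
            {
                exeDir = Path.GetDirectoryName(Args[0]);
            }
            if (string.IsNullOrEmpty(exeDir))
            {
                exeDir = AppDomain.CurrentDomain.BaseDirectory;
            }

            string strfile = Path.Combine(exeDir, "CrossRef.dat");

            // FileMode.Create overwrites any previous dump. The using blocks close the
            // file even when a write throws; disposing the writer also flushes it.
            using (FileStream stream = File.Open(strfile, FileMode.Create))
            using (BinaryWriter writer = new BinaryWriter(stream))
            {
                // NOTE(review): if hook callbacks can still add to CrossRefSet while the
                // form is closing, the collection may change during this loop. Confirm
                // that hooks are stopped before this handler runs.
                foreach (CROSSREF crossref in CrossRefSet)
                {
                    // From/To are assigned from 64-bit values in OnFunctionCalled; the
                    // casts keep only the low 32 bits, which is what the file format holds.
                    writer.Write((Int32)crossref.From);
                    writer.Write((Int32)crossref.To);
                }
            }
        }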
コード例 #3
ファイル: Form1.cs プロジェクト: jevey/vtbl-ida-pro-plugin
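        /// <summary>
        /// Hook callback: logs the calling instruction's address and the hooked
        /// function's address, then stores the pair in <c>CrossRefSet</c> as
        /// offsets from <c>SecStartAddress</c>.
        /// </summary>
        /// <param name="hook">The hook that fired (not used here).</param>
        /// <param name="process">The process the hook fired in (not used here; <c>_process</c> is used instead).</param>
        /// <param name="hookCallInfo">Call context providing the stack trace and the EIP register.</param>
        private void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
        {
            // Size of the byte window read from just below the return address.
            const UInt32 StackOpcodeSize = 50;

            NktStackTrace stack = hookCallInfo.StackTrace();

            // NOTE(review): memory is opened for _process.Id rather than for the
            // `process` argument. Confirm the two always refer to the same process.
            NktProcessMemory memory = _spyMgr.ProcessMemoryFromPID(_process.Id);

            // Query the return address a single time instead of once per byte read.
            UInt64 returnAddr = (UInt64)stack.Address(0);

            // Unsigned arithmetic: a return address smaller than the window would wrap
            // around, and the reads below would target the top of the address range.
            if (returnAddr < StackOpcodeSize)
            {
                return;
            }

            UInt64 windowStart = returnAddr - StackOpcodeSize;
            byte[] stackOpcode = new byte[StackOpcodeSize];

            // The window holds bytes from the hooked process, so treat its contents as
            // untrusted input to the instruction-length parser.
            // NOTE(review): the (byte) cast assumes memory.Read always returns a boxed
            // byte; confirm its behaviour when the page cannot be read.
            for (UInt32 n = 0; n < StackOpcodeSize; n++)
            {
                stackOpcode[n] = (byte)memory.Read((IntPtr)(windowStart + n), eNktDboFundamentalType.ftUnsignedByte);
            }

            // EIP (x86 instruction pointer) at hook time is used as the call target.
            UInt64 actualAddr = (UInt64)hookCallInfo.get_Register(eNktRegister.asmRegEip);

            // NOTE(review): GetInstrSize lives elsewhere in the project. Check that it
            // bounds every index by the size passed in and cannot return more than
            // StackOpcodeSize, since its input is supplied by the target.
            UInt64 nInstrSize = (UInt64)GetInstrSize(stackOpcode, StackOpcodeSize);
            UInt64 callingAddr = returnAddr - nInstrSize;

            string str = "From: 0x" + callingAddr.ToString("x") + "    To: 0x" + actualAddr.ToString("x") + "\n";
            Output(str, false);

            // Make both addresses section-relative. Being unsigned, an address below
            // SecStartAddress wraps rather than becoming negative (unless overflow
            // checking is enabled for the project).
            actualAddr -= SecStartAddress;
            callingAddr -= SecStartAddress;

            CROSSREF crossref = new CROSSREF();
            crossref.From = callingAddr;
            crossref.To = actualAddr;
            CrossRefSet.Add(crossref);
        }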