public StackCall(IntPtr hProcess, ulong AddrPC, ulong AddrReturn, int ThreadId)
{
this.ThreadId = ThreadId;
this.AddrPC = AddrPC;
this.AddrReturn = AddrReturn;
System.Text.StringBuilder ReturnedString = new System.Text.StringBuilder(256);
IntPtr PcOffset = (IntPtr)Functions.UlongToLong(AddrPC);
Psapi.GetMappedFileNameW(hProcess, PcOffset, ReturnedString, (uint)ReturnedString.Capacity);
this.MappedFile = ReturnedString.ToString();
IMAGEHLP_SYMBOL64 PcSymbol = Functions.GetSymbolFromAddress(hProcess, AddrPC);
this.Symbol = new string(PcSymbol.Name);
}
public static IMAGEHLP_SYMBOL64 GetSymbolFromAddress(IntPtr hProcess, ulong Address)
{
//Initialize params for SymGetSymFromAddr64
IMAGEHLP_SYMBOL64 Symbol = new IMAGEHLP_SYMBOL64();
Symbol.SizeOfStruct = (uint)Marshal.SizeOf(Symbol);
Symbol.MaxNameLength = 33;
IntPtr lpSymbol = Marshal.AllocHGlobal(Marshal.SizeOf(Symbol));
Marshal.StructureToPtr(Symbol, lpSymbol, false);
ulong Offset = 0;
DbgHelp.SymGetSymFromAddr64(hProcess, Address, Offset, lpSymbol);
Symbol = (IMAGEHLP_SYMBOL64)Marshal.PtrToStructure(lpSymbol, typeof(IMAGEHLP_SYMBOL64));
Marshal.FreeHGlobal(lpSymbol);
return(Symbol);
}
public static extern bool SymGetSymFromAddr64(IntPtr hProcess, ulong address, ref ulong displacement, ref IMAGEHLP_SYMBOL64 symbol);