예제 #1
        /// <summary>
        /// Builds a <see cref="ThreadContext"/> from a <c>CONTEXT_X86</c> record stored in unmanaged memory.
        /// </summary>
        /// <param name="pointer">Address of the unmanaged <c>CONTEXT_X86</c> record to marshal.</param>
        /// <returns>
        /// A <see cref="ThreadContext"/> whose instruction, stack and frame pointers are copied from
        /// <c>Eip</c>, <c>Esp</c> and <c>Ebp</c>, and whose <c>Bytes</c> come from <c>ReadBytes</c>.
        /// </returns>
        /// <remarks>
        /// This method does not validate <paramref name="pointer"/>. The caller must ensure it refers
        /// to a readable region at least as large as <c>CONTEXT_X86</c>, because both the marshalling
        /// call and <c>ReadBytes</c> are given that address.
        /// </remarks>
        private static ThreadContext ReadX86Structure(IntPtr pointer)
        {
            Type contextLayout = typeof(CONTEXT_X86);

            // Copy the unmanaged record into a managed struct before reading the registers.
            var registers = (CONTEXT_X86)Marshal.PtrToStructure(pointer, contextLayout);

            return new ThreadContext
            {
                InstructionPointer = registers.Eip,
                StackPointer = registers.Esp,
                FramePointer = registers.Ebp,
                // Keep the raw record alongside the decoded registers.
                Bytes = ReadBytes(pointer, contextLayout),
            };
        }
예제 #2
        /// <summary>
        /// Returns the <c>Eip</c> value reported in the control context of <paramref name="thread"/>.
        /// </summary>
        /// <param name="thread">Thread whose <c>Handle</c> is passed to <c>GetThreadContext_X86</c>.</param>
        /// <returns>The <c>Eip</c> register from the retrieved <c>CONTEXT_X86</c>.</returns>
        /// <exception cref="NotImplementedException">
        /// The current process architecture is not <see cref="Architecture.X86"/>.
        /// </exception>
        /// <remarks>
        /// NOTE(review): if <c>GetThreadContext_X86</c> wraps the Win32 <c>GetThreadContext</c> call,
        /// the value is only meaningful while the target thread is suspended. Confirm that callers
        /// guarantee this.
        /// </remarks>
        internal static nuint GetInstructionPointer(Win32Thread thread)
        {
            Architecture arch = RuntimeInformation.ProcessArchitecture;

            // Only the x86 context layout is handled; reject everything else up front.
            if (arch != Architecture.X86)
            {
                throw new NotImplementedException($"Architecture {arch} does not support thread context querying");
            }

            unsafe
            {
                // Request only the control portion of the context, which is where Eip is read from.
                var threadContext = new CONTEXT_X86();
                threadContext.ContextFlags = CONTEXT_CONTROL;

                var fetched = GetThreadContext_X86(thread.Handle, &threadContext);
                ErrorOnFalse(fetched);

                return threadContext.Eip;
            }
        }
예제 #3
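        /// <summary>
        /// Reads the control context of a thread, optionally shifts its instruction pointer and/or
        /// sets or clears the trap flag, then writes the context back.
        /// </summary>
        /// <param name="threadHandle">Handle passed to <c>GetThreadContext_X86</c> and <c>SetThreadContext_X86</c>.</param>
        /// <param name="instructionPointerOffset">
        /// Signed delta added to <c>Eip</c>, or <c>null</c> to leave <c>Eip</c> unchanged.
        /// </param>
        /// <param name="trapFlag">
        /// <c>true</c> to set <c>TRAP_FLAG_X86</c> in <c>EFlags</c>, <c>false</c> to clear it,
        /// or <c>null</c> to leave it unchanged.
        /// </param>
        /// <exception cref="NotImplementedException">
        /// The current process architecture is not <see cref="Architecture.X86"/>.
        /// </exception>
        /// <remarks>
        /// The offset is applied without range or alignment checks, so the caller is responsible
        /// for the resulting address being a valid instruction boundary in the target thread.
        /// NOTE(review): if the two helpers wrap Win32 <c>GetThreadContext</c>/<c>SetThreadContext</c>,
        /// the thread should be suspended for the whole read-modify-write. Confirm that callers
        /// guarantee this, otherwise the write can race with the running thread.
        /// </remarks>
        private static void ModifyThreadContext(IntPtr threadHandle, int? instructionPointerOffset, bool? trapFlag)
        {
            var arch = RuntimeInformation.ProcessArchitecture;

            // Only the x86 context layout is handled; reject everything else before touching the thread.
            if (arch != Architecture.X86)
            {
                throw new NotImplementedException($"Architecture {arch} does not support thread context modification");
            }

            unsafe
            {
                var context = new CONTEXT_X86();
                context.ContextFlags = CONTEXT_CONTROL;
                var success = GetThreadContext_X86(threadHandle, &context);
                ErrorOnFalse(success);

                if (instructionPointerOffset.HasValue)
                {
                    // Address arithmetic must wrap rather than trap. In a build compiled with
                    // overflow checking, the (int) cast would throw OverflowException for any
                    // Eip at or above 0x80000000, so the wrap is requested explicitly.
                    context.Eip = unchecked((uint)((int)context.Eip + instructionPointerOffset.Value));
                }

                if (trapFlag.HasValue)
                {
                    if (trapFlag.Value)
                    {
                        context.EFlags |= TRAP_FLAG_X86;
                    }
                    else
                    {
                        context.EFlags &= ~TRAP_FLAG_X86;
                    }
                }

                // The context is written back even when both optional arguments are null.
                success = SetThreadContext_X86(threadHandle, &context);
                ErrorOnFalse(success);
            }
        }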
예제 #4
        /// <summary>
        /// Builds a <see cref="WindowsThreadContext"/> from a <c>CONTEXT_X86</c> record stored in unmanaged memory.
        /// </summary>
        /// <param name="pointer">Address of the unmanaged <c>CONTEXT_X86</c> record to marshal.</param>
        /// <returns>
        /// A <see cref="WindowsThreadContext"/> constructed from <c>Eip</c>, <c>Esp</c>, <c>Ebp</c>
        /// and the result of <c>ReadBytes</c> for the same address.
        /// </returns>
        /// <remarks>
        /// This method does not validate <paramref name="pointer"/>. The caller must ensure it refers
        /// to a readable region at least as large as <c>CONTEXT_X86</c>.
        /// </remarks>
        private static ThreadContext ReadX86Structure(IntPtr pointer)
        {
            Type contextLayout = typeof(CONTEXT_X86);

            // Copy the unmanaged record into a managed struct before reading the registers.
            var registers = (CONTEXT_X86)Marshal.PtrToStructure(pointer, contextLayout);

            return new WindowsThreadContext(
                registers.Eip,
                registers.Esp,
                registers.Ebp,
                ReadBytes(pointer, contextLayout));
        }