public static string FormatContextDiffReflection(Win32Imports.ContextX64 context, Win32Imports.ContextX64 oldContext, DecodedInst oldInstruction) { var registers = ""; // log only changed registers and operands foreach (var field in typeof(Win32Imports.ContextX64).GetFields(BindingFlags.Instance | BindingFlags.NonPublic | BindingFlags.Public)) { // log registers that changed var reg = field.Name.ToUpper(); if (reg.Equals("RIP")) { continue; } string oldValue; try { oldValue = field.GetValue(oldContext).ToString(); } catch { oldValue = "?"; } string value; try { value = field.GetValue(context).ToString(); } catch { value = "?"; } if (!oldValue.Equals(value)) { oldValue = FormatValue(UInt64.Parse(oldValue)); value = FormatValue(UInt64.Parse(value)); registers += $" {reg}={oldValue}->{value}"; } else { // log operand registers var ops = oldInstruction.Operands; var reg32 = Regex.Replace(reg, "^R", "E"); var reg16 = Regex.Replace(reg, "^R", ""); int n; if (ops.Contains(reg) || ops.Contains(reg32) || (!Int32.TryParse(reg16, out n) && ops.Contains(reg16))) { value = FormatValue(UInt64.Parse(value)); registers += $" {reg}={value}"; } } } return(registers); }
public static extern void distorm_format(ref CodeInfo ci, ref DInst di, ref DecodedInst result);