/// <summary> /// Resolves the function address if the specified address points to function type public symbol /// or returns specified address otherwise. /// </summary> /// <param name="process">The process.</param> /// <param name="address">The address.</param> /// <returns>Resolved function address.</returns> public static ulong ResolveFunctionAddress(Process process, ulong address) { bool rethrow = false; try { if (Context.SymbolProvider.IsFunctionAddressPublicSymbol(process, address)) { Module module = process.GetModuleByInnerAddress(address); if (module != null && module.ClrModule == null) { const uint length = 5; MemoryBuffer buffer = Debugger.ReadMemory(process, address, length); byte jmpByte = UserType.ReadByte(buffer, 0); uint relativeAddress = UserType.ReadUint(buffer, 1); if (jmpByte != 0xe9) { rethrow = true; throw new Exception("Unsupported jump instruction while resolving function address."); } return(address + relativeAddress + length); } } } catch { if (rethrow) { throw; } } return(address); }
/// <summary> /// Read unsigned integer from the specified address. /// </summary> /// <param name="address">The address.</param> /// <param name="bits">The number of bits to interpret.</param> /// <param name="bitsOffset">The offset in bits.</param> /// <returns>Unsigned integer read from the specified address.</returns> public uint ReadUint(ulong address, int bits = 32, int bitsOffset = 0) { MemoryBuffer buffer = Debugger.ReadMemory(this, address, 4); return(UserType.ReadUint(buffer, 0, bits, bitsOffset)); }