Exemplo n.º 1
0
        /// <summary>
        /// Resolves the function address if the specified address points to function type public symbol
        /// or returns specified address otherwise.
        /// </summary>
        /// <param name="process">The process.</param>
        /// <param name="address">The address.</param>
        /// <returns>Resolved function address.</returns>
        public static ulong ResolveFunctionAddress(Process process, ulong address)
        {
            bool rethrow = false;

            try
            {
                if (Context.SymbolProvider.IsFunctionAddressPublicSymbol(process, address))
                {
                    Module module = process.GetModuleByInnerAddress(address);

                    if (module != null && module.ClrModule == null)
                    {
                        const uint   length          = 5;
                        MemoryBuffer buffer          = Debugger.ReadMemory(process, address, length);
                        byte         jmpByte         = UserType.ReadByte(buffer, 0);
                        uint         relativeAddress = UserType.ReadUint(buffer, 1);

                        if (jmpByte != 0xe9)
                        {
                            rethrow = true;
                            throw new Exception("Unsupported jump instruction while resolving function address.");
                        }

                        return(address + relativeAddress + length);
                    }
                }
            }
            catch
            {
                if (rethrow)
                {
                    throw;
                }
            }

            return(address);
        }
Exemplo n.º 2
0
        /// <summary>
        /// Read unsigned integer from the specified address.
        /// </summary>
        /// <param name="address">The address.</param>
        /// <param name="bits">The number of bits to interpret.</param>
        /// <param name="bitsOffset">The offset in bits.</param>
        /// <returns>Unsigned integer read from the specified address.</returns>
        public uint ReadUint(ulong address, int bits = 32, int bitsOffset = 0)
        {
            MemoryBuffer buffer = Debugger.ReadMemory(this, address, 4);

            return(UserType.ReadUint(buffer, 0, bits, bitsOffset));
        }