示例#1
0
 public static extern bool GetThreadContext(IntPtr hThread, ref CONTEXT64 lpContext);
示例#2
0
        private static void Main(string[] args)
        {
            if (args.Length != 1)
            {
                Console.WriteLine($"Usage: {AppDomain.CurrentDomain.FriendlyName} pid|name");
                return;
            }

            Console.WriteLine($"Waiting for process by name or pid {args.First()} ...");
            Process process;

            do
            {
                process = Process.GetProcesses().FirstOrDefault(proc => Matches(proc, args.First()));
                Thread.Sleep(50);
            } while (process == null);

            Console.CursorVisible = false;

            var lastReport = string.Empty;
            var thisReport = new StringBuilder();

            while (!process.HasExited)
            {
                thisReport.AppendLine($"Watching process {process.ProcessName} ({process.Id} | {process.Id:X})");
                foreach (ProcessThread thread in process.Threads)
                {
                    thisReport.AppendLine($"Thread {thread.Id:X}");
                    var threadHandle = NativeFunctions.OpenThread(ThreadAccess.GET_CONTEXT, false, (uint)thread.Id);
                    if (threadHandle == IntPtr.Zero)
                    {
                        thisReport.AppendLine("- Access denied");
                        continue;
                    }

                    try
                    {
                        var context = new CONTEXT64 {
                            ContextFlags = (CONTEXT_FLAGS)0x10
                        };

                        if (!NativeFunctions.GetThreadContext(threadHandle, ref context))
                        {
                            thisReport.AppendLine("- Context protected");
                            continue;
                        }

                        thisReport.AppendLine($"- Dr0: {context.Dr0,16:X} {ParseDr7(context.Dr7, 0)}");
                        thisReport.AppendLine($"- Dr1: {context.Dr1,16:X} {ParseDr7(context.Dr7, 1)}");
                        thisReport.AppendLine($"- Dr2: {context.Dr2,16:X} {ParseDr7(context.Dr7, 2)}");
                        thisReport.AppendLine($"- Dr3: {context.Dr3,16:X} {ParseDr7(context.Dr7, 3)}");
                        thisReport.AppendLine($"- Dr6: {context.Dr6,16:X}");
                        thisReport.AppendLine($"- Dr7: {context.Dr7,16:X}");
                    }
                    finally
                    {
                        NativeFunctions.CloseHandle(threadHandle);
                    }
                }

                var reportString = thisReport.ToString();
                thisReport.Clear();
                if (reportString != lastReport)
                {
                    Console.Clear();
                    Console.Write(reportString);
                    lastReport = reportString;
                }

                Thread.Sleep(0);
            }
        }