using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
namespace SharpBlock {
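public class Context64 : Context {
    /// <summary>EFLAGS trap flag (bit 8); while set, the CPU raises a single-step exception after each instruction.</summary>
    private const uint TrapFlag = 1u << 8;

    /// <summary>Width in bytes of one stack slot / pointer in a 64-bit process.</summary>
    private const int StackSlotSize = 8;

    /// <summary>Raw thread context wrapped by this object; replaced wholesale through <see cref="ContextStruct"/>.</summary>
    WinAPI.CONTEXT64 ctx = new WinAPI.CONTEXT64();

    /// <summary>Instruction pointer (RIP) of the wrapped context.</summary>
    public override ulong Ip {
        get => ctx.Rip;
        set => ctx.Rip = value;
    }

    /// <summary>
    /// Boxed view of the raw CONTEXT64 used by the base class around Get/SetThreadContext.
    /// The setter unboxes, so it must be handed a <see cref="WinAPI.CONTEXT64"/>.
    /// </summary>
    protected override object ContextStruct {
        get => ctx;
        set => ctx = (WinAPI.CONTEXT64)value;
    }

    /// <summary>
    /// Creates a context whose ContextFlags select which register groups Get/SetThreadContext transfer.
    /// </summary>
    /// <param name="contextFlags">Register groups to transfer: all registers, or only the debug registers.</param>
    /// <exception cref="ArgumentOutOfRangeException">The value is neither <c>All</c> nor <c>Debug</c>.</exception>
    public Context64(ContextFlags contextFlags) {
        switch (contextFlags) {
            case ContextFlags.All:
                ctx.ContextFlags = WinAPI.CONTEXT64_FLAGS.CONTEXT64_ALL;
                break;
            case ContextFlags.Debug:
                ctx.ContextFlags = WinAPI.CONTEXT64_FLAGS.CONTEXT64_DEBUG_REGISTERS;
                break;
            default:
                // An unmapped value would leave ContextFlags at 0, so later Get/SetThreadContext calls
                // would silently transfer no registers at all; fail loudly instead.
                throw new ArgumentOutOfRangeException(nameof(contextFlags), contextFlags, "Unsupported context flags");
        }
    }

    /// <summary>
    /// Reads the 8-byte value at the top of the stack ([RSP]) of the target process, i.e. the return
    /// address while the thread is stopped at a function entry.
    /// </summary>
    /// <param name="hProcess">Handle to the process whose memory is read.</param>
    /// <returns>The qword stored at the address held in RSP.</returns>
    /// <exception cref="InvalidOperationException">The read failed or returned fewer than 8 bytes.</exception>
    public override ulong GetCurrentReturnAddress(IntPtr hProcess) {
        byte[] returnAddress = new byte[StackSlotSize];
        IntPtr stackTop = new IntPtr((long)ctx.Rsp);
        // A failed or short read must not be reported as a return address of 0 taken from the untouched buffer.
        if (!WinAPI.ReadProcessMemory(hProcess, stackTop, returnAddress, StackSlotSize, out IntPtr bytesRead)
            || bytesRead.ToInt64() != StackSlotSize) {
            throw new InvalidOperationException($"Failed to read the return address at 0x{ctx.Rsp:X}");
        }
        return BitConverter.ToUInt64(returnAddress, 0);
    }

    /// <summary>Stores <paramref name="result"/> in RAX, the x64 integer return register.</summary>
    public override void SetResultRegister(ulong result) {
        ctx.Rax = result;
    }

    /// <summary>
    /// Writes a general-purpose register selected by index: 0 = RAX, 1 = RBX, 2 = RCX, 3 = RDX.
    /// </summary>
    /// <param name="index">Register selector, 0 to 3.</param>
    /// <param name="value">Value to store; reinterpreted as unsigned.</param>
    /// <exception cref="NotImplementedException">The index does not map to a supported register.</exception>
    public override void SetRegister(int index, long value) {
        ulong raw = (ulong)value;
        switch (index) {
            case 0:
                ctx.Rax = raw;
                break;
            case 1:
                ctx.Rbx = raw;
                break;
            case 2:
                ctx.Rcx = raw;
                break;
            case 3:
                ctx.Rdx = raw;
                break;
            default:
                throw new NotImplementedException();
        }
    }

    /// <summary>
    /// Reads a general-purpose register selected by index: 0 = RAX, 1 = RBX, 2 = RCX, 3 = RDX.
    /// </summary>
    /// <param name="index">Register selector, 0 to 3.</param>
    /// <returns>The register value reinterpreted as signed.</returns>
    /// <exception cref="NotImplementedException">The index does not map to a supported register.</exception>
    public override long GetRegister(int index) {
        switch (index) {
            case 0:
                return (long)ctx.Rax;
            case 1:
                return (long)ctx.Rbx;
            case 2:
                return (long)ctx.Rcx;
            case 3:
                return (long)ctx.Rdx;
            default:
                throw new NotImplementedException();
        }
    }

    /// <summary>Advances RSP by one stack slot, discarding the qword at the top of the stack.</summary>
    public override void PopStackPointer() {
        ctx.Rsp += StackSlotSize;
    }

    /// <summary>
    /// Writes one of the four hardware breakpoint address registers DR0..DR3.
    /// </summary>
    /// <param name="index">Breakpoint slot, 0 to 3.</param>
    /// <param name="value">Linear address to store (0 to clear).</param>
    /// <exception cref="ArgumentOutOfRangeException">The slot is outside 0..3.</exception>
    private void SetDebugAddressRegister(int index, ulong value) {
        switch (index) {
            case 0:
                ctx.Dr0 = value;
                break;
            case 1:
                ctx.Dr1 = value;
                break;
            case 2:
                ctx.Dr2 = value;
                break;
            case 3:
                ctx.Dr3 = value;
                break;
            default:
                // Without this guard an out-of-range slot was ignored here but still flipped an
                // unrelated bit of DR7 below (index * 2 lands outside the L0..L3 enable bits).
                throw new ArgumentOutOfRangeException(nameof(index), index, "Hardware breakpoint slot must be 0 to 3");
        }
    }

    /// <summary>
    /// Arms hardware breakpoint slot <paramref name="index"/> as a local execute breakpoint at <paramref name="address"/>.
    /// </summary>
    /// <param name="address">Address to break on.</param>
    /// <param name="index">Breakpoint slot, 0 to 3.</param>
    /// <exception cref="ArgumentOutOfRangeException">The slot is outside 0..3.</exception>
    public override void EnableBreakpoint(IntPtr address, int index) {
        SetDebugAddressRegister(index, (ulong)address.ToInt64());
        // Bits 16-31 of DR7 hold the R/W and LEN fields of all four slots; zero means "execute, length 1".
        ctx.Dr7 = SetBits(ctx.Dr7, 16, 16, 0);
        // Bit 2*index is the local-enable bit (L0..L3) for this slot.
        ctx.Dr7 = SetBits(ctx.Dr7, (index * 2), 1, 1);
        // Clear pending debug status so the next exception reports only new hits.
        ctx.Dr6 = 0;
    }

    /// <summary>
    /// Disables all hardware breakpoints (DR7 = 0) and sets the trap flag so the thread
    /// raises a single-step exception after its next instruction.
    /// </summary>
    public override void EnableSingleStep() {
        // DR1..DR3 are left as-is; clearing DR7 already disables every slot.
        ctx.Dr0 = ctx.Dr6 = ctx.Dr7 = 0;
        ctx.EFlags |= TrapFlag;
    }

    /// <summary>
    /// Disarms hardware breakpoint slot <paramref name="index"/>, clears the debug status register
    /// and clears the trap flag set by <see cref="EnableSingleStep"/>.
    /// </summary>
    /// <param name="index">Breakpoint slot, 0 to 3.</param>
    /// <exception cref="ArgumentOutOfRangeException">The slot is outside 0..3.</exception>
    public override void ClearBreakpoint(int index) {
        SetDebugAddressRegister(index, 0);
        // Clear the local-enable bit (L0..L3) for this slot.
        ctx.Dr7 = SetBits(ctx.Dr7, (index * 2), 1, 0);
        ctx.Dr6 = 0;
        // Only TF is ours to undo; zeroing the whole EFLAGS register (the previous behaviour)
        // also wiped the thread's arithmetic/status flags.
        ctx.EFlags &= ~TrapFlag;
    }

    /// <summary>Applies a marshalled context to <paramref name="thread"/> via SetThreadContext.</summary>
    /// <returns><c>true</c> on success, as reported by the Win32 call.</returns>
    protected override bool SetContext(IntPtr thread, IntPtr context) {
        return WinAPI.SetThreadContext(thread, context);
    }

    /// <summary>Captures the context of <paramref name="thread"/> into <paramref name="context"/> via GetThreadContext.</summary>
    /// <returns><c>true</c> on success, as reported by the Win32 call.</returns>
    protected override bool GetContext(IntPtr thread, IntPtr context) {
        return WinAPI.GetThreadContext(thread, context);
    }

    /// <summary>
    /// Returns the integer argument passed in register position <paramref name="index"/>
    /// under the x64 calling convention: 0 = RCX, 1 = RDX, 2 = R8, 3 = R9.
    /// </summary>
    /// <param name="index">Argument position, 0 to 3.</param>
    /// <param name="hProcess">Unused; stack-passed arguments (position 4 and up) are not read.</param>
    /// <returns>The register value reinterpreted as signed.</returns>
    /// <exception cref="NotImplementedException">The position is 4 or greater.</exception>
    public override long GetParameter(int index, IntPtr hProcess) {
        switch (index) {
            case 0:
                return (long)ctx.Rcx;
            case 1:
                return (long)ctx.Rdx;
            case 2:
                return (long)ctx.R8;
            case 3:
                return (long)ctx.R9;
        }
        throw new NotImplementedException("Only 4 parameters or less currently supported");
    }
}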
}