
Commit d93bc9e

committed
Added InstructionData.Address.
1 parent 37f91bb commit d93bc9e

4 files changed

Lines changed: 45 additions & 28 deletions


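--- a/NativeCore/ReClassNET_Plugin.hpp
+++ b/NativeCore/ReClassNET_Plugin.hpp
@@ -132,6 +132,7 @@ struct EnumerateProcessData
 
 struct InstructionData
 {
+RC_Pointer Address;
 int Length;
 uint8_t Data[15];
 int StaticInstructionBytes;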
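Review bot: Inserting `Address` ahead of `Length` moves every existing field of `InstructionData`, and nothing on the struct says that its layout is shared with managed code. The mirror in `DataExchange.cs` is declared with `Pack = 1`, so field order and packing here have to match it exactly, and a native plugin built against the previous header would presumably still fill the old offsets. A comment on the struct such as `// Marshalled to ReClass.NET (InstructionData in DataExchange.cs); keep field order and packing in sync.` would make that dependency visible. The struct continues outside the hunk.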

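--- a/NativeCore/Shared/DistormHelper.cpp
+++ b/NativeCore/Shared/DistormHelper.cpp
@@ -113,6 +113,7 @@ _CodeInfo CreateCodeInfo(const RC_Pointer address, const RC_Size length, const R
 
 void FillInstructionData(const RC_Pointer address, const _DInst& instruction, const _DecodedInst& instructionInfo, const bool determineStaticInstructionBytes, InstructionData* data)
 {
+data->Address = reinterpret_cast<RC_Pointer>(instruction.addr);
 data->Length = instructionInfo.size;
 std::memcpy(data->Data, address, instructionInfo.size);
 
@@ -156,6 +157,8 @@ bool DisassembleInstructionsImpl(const RC_Pointer address, const RC_Size length,
 _DInst decodedInstructions[MaxInstructions] = {};
 unsigned count = 0;
 
+auto instructionAddress = static_cast<uint8_t*>(address);
+
 while (true)
 {
 const auto res = distorm_decompose(&info, decodedInstructions, MaxInstructions, &count);
@@ -170,20 +173,22 @@ bool DisassembleInstructionsImpl(const RC_Pointer address, const RC_Size length,
 distorm_format(&info, &decodedInstructions[i], &instructionInfo);
 
 InstructionData data;
-FillInstructionData(address, decodedInstructions[i], instructionInfo, determineStaticInstructionBytes, &data);
+FillInstructionData(instructionAddress, decodedInstructions[i], instructionInfo, determineStaticInstructionBytes, &data);
 
 if (callback(&data) == false)
 {
 return true;
 }
+
+instructionAddress += decodedInstructions[i].size;
 }
 
 if (res == DECRES_SUCCESS || count == 0)
 {
 return true;
 }
 
-const auto offset = static_cast<unsigned>(decodedInstructions[count - 1].addr - info.codeOffset);
+const auto offset = static_cast<unsigned>(decodedInstructions[count - 1].addr - info.codeOffset);
 
 info.codeOffset += offset;
 info.code += offset;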
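Review bot: `instructionAddress` can fall out of step with the decoder once the `while` loop runs a second pass. The pointer is advanced past every instruction of a batch, while `offset` at the end of the hunk is taken from the start of the last decoded instruction (`decodedInstructions[count - 1].addr - info.codeOffset`), so, as far as the visible lines show, the next pass resumes one instruction behind the pointer. `std::memcpy` in `FillInstructionData` would then copy bytes that do not belong to the reported instruction and, near the end of the buffer, may read past `address + length`. Deriving the source pointer per instruction from the decoder state, `const auto instructionAddress = info.code + (decodedInstructions[i].addr - info.codeOffset);`, keeps the two in step (a cast may be needed for the `RC_Pointer` parameter). The loop continues outside the hunk.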

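--- a/ReClass.NET/Core/DataExchange.cs
+++ b/ReClass.NET/Core/DataExchange.cs
@@ -64,6 +64,8 @@ public struct EnumerateRemoteModuleData
 [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode, Pack = 1)]
 public struct InstructionData
 {
+public IntPtr Address;
+
 public int Length;
 
 [MarshalAs(UnmanagedType.ByValArray, SizeConst = 15)]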

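--- a/ReClass.NET/Memory/Disassembler.cs
+++ b/ReClass.NET/Memory/Disassembler.cs
@@ -85,13 +85,7 @@ public IEnumerable<DisassembledInstruction> DisassembleCode(IntPtr address, int
 break;
 }
 
-yield return new DisassembledInstruction
-{
-Address = virtualAddress,
-Length = instruction.Length,
-Data = instruction.Data,
-Instruction = instruction.Instruction
-};
+yield return new DisassembledInstruction(ref instruction);
 
 eip += instruction.Length;
 virtualAddress += instruction.Length;
@@ -102,8 +96,8 @@ public IEnumerable<DisassembledInstruction> DisassembleCode(IntPtr address, int
 /// <param name="process">The process to read from.</param>
 /// <param name="address">The address of the code.</param>
 /// <param name="maxLength">The maximum maxLength of the code.</param>
-/// <returns>A list of <see cref="DisassembledInstruction"/>.</returns>
-public IEnumerable<DisassembledInstruction> RemoteDisassembleFunction(RemoteProcess process, IntPtr address, int maxLength)
+/// <returns>A list of <see cref="DisassembledInstruction"/> which belong to the function.</returns>
+public IList<DisassembledInstruction> RemoteDisassembleFunction(RemoteProcess process, IntPtr address, int maxLength)
 {
 Contract.Requires(process != null);
 Contract.Ensures(Contract.Result<IEnumerable<DisassembledInstruction>>() != null);
@@ -116,8 +110,8 @@ public IEnumerable<DisassembledInstruction> RemoteDisassembleFunction(RemoteProc
 /// <summary>Disassembles the code in the given data.</summary>
 /// <param name="data">The data to disassemble.</param>
 /// <param name="virtualAddress">The virtual address of the code. This allows to decode instructions located anywhere in memory even if they are not at their original place.</param>
-/// <returns>A list of <see cref="DisassembledInstruction"/>.</returns>
-public IEnumerable<DisassembledInstruction> DisassembleFunction(byte[] data, IntPtr virtualAddress)
+/// <returns>A list of <see cref="DisassembledInstruction"/> which belong to the function.</returns>
+public IList<DisassembledInstruction> DisassembleFunction(byte[] data, IntPtr virtualAddress)
 {
 Contract.Requires(data != null);
 Contract.Ensures(Contract.Result<IEnumerable<DisassembledInstruction>>() != null);
@@ -140,14 +134,27 @@ public IEnumerable<DisassembledInstruction> DisassembleFunction(byte[] data, Int
 /// <param name="address">The address of the code.</param>
 /// <param name="maxLength">The maxLength of the code.</param>
 /// <param name="virtualAddress">The virtual address of the code. This allows to decode instructions located anywhere in memory even if they are not at their original place.</param>
-/// <returns>A list of <see cref="DisassembledInstruction"/>.</returns>
-public IEnumerable<DisassembledInstruction> DisassembleFunction(IntPtr address, int maxLength, IntPtr virtualAddress)
+/// <returns>A list of <see cref="DisassembledInstruction"/> which belong to the function.</returns>
+public IList<DisassembledInstruction> DisassembleFunction(IntPtr address, int maxLength, IntPtr virtualAddress)
 {
 Contract.Ensures(Contract.Result<IEnumerable<DisassembledInstruction>>() != null);
 
+var instructions = new List<DisassembledInstruction>();
+
 // Read until first CC.
-return DisassembleCode(address, maxLength, virtualAddress)
-.TakeWhile(i => !(i.Length == 1 && i.Data[0] == 0xCC));
+coreFunctions.DisassembleCode(address, maxLength, virtualAddress, false, (ref InstructionData data) =>
+{
+if (data.Length == 1 && data.Data[0] == 0xCC)
+{
+return false;
+}
+
+instructions.Add(new DisassembledInstruction(ref data));
+
+return true;
+});
+
+return instructions;
 }
 
 /// <summary>Tries to find and disassembles the instruction prior to the given address.</summary>
@@ -201,13 +208,7 @@ private DisassembledInstruction GetPreviousInstruction(IntPtr address, IntPtr vi
 
 if (currentAddress == address)
 {
-return new DisassembledInstruction
-{
-Address = virtualAddress - instruction.Length,
-Length = instruction.Length,
-Data = instruction.Data,
-Instruction = instruction.Instruction
-};
+return new DisassembledInstruction(ref instruction);
 }
 }
 
@@ -274,13 +275,21 @@ public IntPtr RemoteGetFunctionStartAddress(RemoteProcess process, IntPtr addres
 
 public class DisassembledInstruction
 {
-public IntPtr Address;
-public int Length;
-public byte[] Data;
-public string Instruction;
+public IntPtr Address { get; set; }
+public int Length { get; set; }
+public byte[] Data { get; set; }
+public string Instruction { get; set; }
 
 public bool IsValid => Length > 0;
 
+public DisassembledInstruction(ref InstructionData data)
+{
+Address = data.Address;
+Length = data.Length;
+Data = data.Data;
+Instruction = data.Instruction;
+}
+
 public override string ToString() => $"{Address.ToString(Constants.StringHexFormat)} - {Instruction}";
 }
 }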
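Review bot: The `Contract.Ensures` postconditions still name the old return type after the three methods were switched to `IList<DisassembledInstruction>`. `RemoteDisassembleFunction` and both `DisassembleFunction` overloads keep `Contract.Result<IEnumerable<DisassembledInstruction>>()`, which no longer matches the declared return type; Code Contracts expects the type argument of `Contract.Result<T>` to be the method's return type. Each of the three lines should become `Contract.Ensures(Contract.Result<IList<DisassembledInstruction>>() != null);`. The bodies of the first two methods continue outside their hunks.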
