
Commit 5a6ca41

committed
Added GetPreviousInstruction.
1 parent 7f43ebb commit 5a6ca41


1 file changed

+71
-0
lines changed

1 file changed

+71
-0
lines changed

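--- a/Memory/Disassembler.cs
+++ b/Memory/Disassembler.cs
@@ -57,6 +57,77 @@ public List<DisassembledInstruction> DisassembleRemoteCode(RemoteProcess process
 
 return instructions;
 }
+
+public DisassembledInstruction GetPreviousInstruction(RemoteProcess process, IntPtr address)
+{
+var buffer = process.ReadRemoteMemory(address - 80, 80);
+
+var handle = GCHandle.Alloc(buffer, GCHandleType.Pinned);
+try
+{
+var eip = handle.AddrOfPinnedObject();
+var end = eip + 80;
+var virtualAddress = address;
+
+var instruction = new InstructionData();
+
+var x = GetPreviousInstructionHelper(process, end, 80, ref instruction);
+if (x != end)
+{
+x = GetPreviousInstructionHelper(process, end, 40, ref instruction);
+if (x != end)
+{
+x = GetPreviousInstructionHelper(process, end, 20, ref instruction);
+if (x != end)
+{
+x = GetPreviousInstructionHelper(process, end, 10, ref instruction);
+if (x != end)
+{
+for (var i = 1; i < 20; ++i)
+{
+x = end - i;
+if (process.NativeHelper.DisassembleCode(x, end.Sub(x).ToInt32(), virtualAddress, out instruction))
+{
+break;
+}
+}
+}
+}
+}
+}
+
+return new DisassembledInstruction
+{
+Address = address - instruction.Length,
+Length = instruction.Length,
+Instruction = instruction.Instruction
+};
+}
+finally
+{
+if (handle.IsAllocated)
+{
+handle.Free();
+}
+}
+}
+
+private IntPtr GetPreviousInstructionHelper(RemoteProcess process, IntPtr address, int distance, ref InstructionData instruction)
+{
+var x = address - distance;
+while (x.CompareTo(address) == -1) // aka x < address
+{
+if (process.NativeHelper.DisassembleCode(x, address.Sub(x).ToInt32(), IntPtr.Zero, out instruction))
+{
+x += instruction.Length;
+}
+else
+{
+break;
+}
+}
+return x;
+}
 }
 
 public class DisassembledInstruction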
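Review bot: In GetPreviousInstruction, `var end = eip + 80;` and every DisassembleCode call assume the pinned array really holds 80 bytes, but the result of `process.ReadRemoteMemory(address - 80, 80)` is never checked. ReadRemoteMemory is not visible in this hunk; if it can return a null, empty or short array when the target range is unreadable (or when `address` is below 80), the native disassembler is handed a pointer range outside the pinned buffer, so a guard such as `if (buffer == null || buffer.Length < 80) return null;` before `GCHandle.Alloc` would be safer. The final `for` loop also accepts the first successful decode at `end - i` without confirming it ends exactly at `end`; adding `&& instruction.Length == i` to that condition keeps `Address = address - instruction.Length` consistent with where the bytes were actually decoded. When nothing decodes at all, the method still returns an entry with `Length` 0 at `address`, which a caller stepping backwards cannot tell apart from success, so a distinct failure result is worth adding.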
