C# Theoretical: Write a JMP to a codecave in asm

Question

Lets assume I've allocated the address where my codecave is placed using VirtualAllocEx (it returns the address) and I write my code into that address using WriteProcessMemory().

Here's the problem:

How do I write a jump to my codecave? I know that jumps start with "E9", but how do I convert the address returned by VirtualAllocEx into a correct UInt32 (dword) so the debugger/compiler will understand the instruction?

For example:

I'm at address 00402020 (OEP of the native app). I write a jump to 004028CF (empty place) "JMP 004028CF". The instruction in bytes looks like this:

CPU Disasm
Address   Hex dump      Command                                  Comments
00402020  E9 AA080000   JMP 004028CF

"E9" is how we indicate a JMP. What about "AA080000", how do I generate this?

I need to do something similar so I can initialize a JMP to my codecave, which will be located at an address returned by VirtualAllocEx().

Any help will be gratefully appreciated!

Thanks in advance.

Answer

E9 is a relative jump so the later 32 bits are just an offset to the current instruction pointer. See Intel® 64 and IA-32 Architectures Software Developer’s Manual Volume 2A: Instruction Set Reference, A-M pages 549ff for details. For more information see Intel® 64 and IA-32 Architectures Software Developer's Manuals.

So the opcode to jump from 00402020 to 004028CF should be the following.


    E9 AA 08 00 00     ; bytes as stored in memory: the 32-bit offset 000008AA is little-endian

Offset   = DestinationAddress - CurrentInstructionPointer
000008AA = 004028CF           - 00402025

When the jump instruction is executed, the instruction pointer is already set to the next instruction. So the offset of the jump instruction and the current instruction pointer value differ by 5.

CurrentInstructionPointer = AddressOfJumpInstruction + 5

Update

Corrected error about the current instruction pointer value. Thanks jn.
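The answer's arithmetic written out in C#, as an added example that is not part of the original question or answer: it computes the rel32 displacement for the question's addresses and lays it out little-endian, and also decodes a 5-byte E9 instruction back to its target (handy when checking where an unexpected JMP at an entry point leads). It assumes 32-bit addresses, as in the question, and works only on byte arrays; it does not read or write any process memory.

```csharp
using System;

// Added example, not code from the original page. Encodes and decodes
// a 32-bit relative JMP (opcode E9, "JMP rel32") exactly as the answer describes.
public static class JmpRel32
{
    public const byte Opcode = 0xE9;
    public const int Length = 5; // 1 opcode byte + 4 displacement bytes

    // rel32 = target - (jumpAddress + 5): the displacement is relative to the
    // *next* instruction, which is why the answer subtracts 00402025, not 00402020.
    // unchecked lets a backward jump wrap to a negative two's-complement rel32.
    public static byte[] Encode(uint jumpAddress, uint target)
    {
        int rel32 = unchecked((int)target - (int)(jumpAddress + Length));
        var bytes = new byte[Length];
        bytes[0] = Opcode;
        // x86 is little-endian: 0x000008AA is stored as AA 08 00 00.
        bytes[1] = (byte)(rel32 & 0xFF);
        bytes[2] = (byte)((rel32 >> 8) & 0xFF);
        bytes[3] = (byte)((rel32 >> 16) & 0xFF);
        bytes[4] = (byte)((rel32 >> 24) & 0xFF);
        return bytes;
    }

    // Inverse: given the 5 bytes found at jumpAddress, recover the jump target.
    public static uint Decode(uint jumpAddress, byte[] bytes)
    {
        if (bytes == null || bytes.Length < Length || bytes[0] != Opcode)
            throw new ArgumentException("not a JMP rel32 instruction");
        int rel32 = bytes[1] | (bytes[2] << 8) | (bytes[3] << 16) | (bytes[4] << 24);
        return unchecked((uint)((int)jumpAddress + Length + rel32));
    }

    public static void Main()
    {
        // The question's numbers: JMP at 00402020 to 004028CF.
        // The question's disassembly lists this instruction as E9 AA080000.
        byte[] jmp = Encode(0x00402020, 0x004028CF);
        Console.WriteLine(BitConverter.ToString(jmp));
        Console.WriteLine(Decode(0x00402020, jmp).ToString("X8"));

        // A backward jump (target below the instruction) gives a negative
        // displacement, so the high bytes come out as FF.
        byte[] back = Encode(0x004028CF, 0x00402020);
        Console.WriteLine(BitConverter.ToString(back));
    }
}
```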
