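        /// <summary>
        /// Builds a small x86 stub in memory that calls <paramref name="funcPtr"/> with the given
        /// calling convention and arguments, runs it (through a delegate when
        /// <c>process_thisprocess</c> is set, otherwise as a thread created in the process behind
        /// <c>Handle</c>), and wraps the 32-bit value stored from eax in a new <typeparamref name="T"/>.
        /// All memory allocated here is released even when the call or a helper throws.
        /// </summary>
        /// <typeparam name="T">Return-value wrapper; a <c>ValueLength()</c> of 0 means no result is captured.</typeparam>
        /// <param name="type">Calling convention; selects the ecx/edx setup and the cdecl stack cleanup.</param>
        /// <param name="thisPtr">Loaded into ecx for THISCALL and FASTCALL.</param>
        /// <param name="fcallArg">Loaded into edx for FASTCALL.</param>
        /// <param name="funcPtr">Absolute address of the function to call; must not be 0.</param>
        /// <param name="args">Arguments, pushed right to left; every chunk returned by <c>getCallParam()</c> becomes one 32-bit push. May be null.</param>
        /// <returns>The initialized <typeparamref name="T"/>, or null when <c>ValueLength()</c> is 0.</returns>
        /// <exception cref="ArgumentException">
        /// <paramref name="funcPtr"/> is 0, an entry of <paramref name="args"/> is null, or a cdecl call pushes more
        /// than 127 bytes (the cleanup instruction only carries an 8-bit immediate).
        /// </exception>
        /// <exception cref="InvalidOperationException">
        /// An allocation returns a null pointer, the emitted stub does not match the size it was allocated with,
        /// or the thread in the target process cannot be created.
        /// </exception>
        private T MAKECALL <T>(CALLTYPE type, UInt32 thisPtr, UInt32 fcallArg, UInt32 funcPtr, CallValue[] args) where T : CallValue, new()
        {
            if (funcPtr == 0)
            {
                throw new ArgumentException("Funcptr not found", "funcPtr");
            }

            T returnValue = new T();
            uint valueLength = returnValue.ValueLength();
            bool capturesReturn = valueLength != 0;

            List<byte> stub = new List<byte>();

            stub.Add(0x60); // pushad: preserve all general-purpose registers around the call

            int pushedDwords = 0;

            // Push the arguments right to left; each call-param chunk is one "push imm32".
            if (args != null)
            {
                for (int i = args.Length - 1; i >= 0; i--)
                {
                    if (args[i] == null)
                    {
                        // A missing argument would silently shift every remaining stack slot.
                        throw new ArgumentException("MAKECALL: argument " + i + " is null", "args");
                    }

                    var callParams = args[i].getCallParam();
                    for (int j = callParams.Count - 1; j >= 0; j--)
                    {
                        pushedDwords++;
                        stub.Add(0x68);
                        stub.AddRange(callParams[j]);
                    }
                }
            }

            // THISCALL / FASTCALL: mov ecx, thisPtr
            if (type == CALLTYPE.THISCALL || type == CALLTYPE.FASTCALL)
            {
                stub.Add(0xB9);
                stub.AddRange(BitConverter.GetBytes(thisPtr));
            }

            // FASTCALL: mov edx, fcallArg
            if (type == CALLTYPE.FASTCALL)
            {
                stub.Add(0xBA);
                stub.AddRange(BitConverter.GetBytes(fcallArg));
            }

            // The cdecl cleanup below is "add esp, imm8"; the immediate is sign-extended, so anything
            // above 127 bytes would be encoded as a negative adjustment and corrupt the stack.
            int stackBytes = pushedDwords * 4;
            if (type == CALLTYPE.CDECLCALL && stackBytes > sbyte.MaxValue)
            {
                throw new ArgumentException("MAKECALL: too many cdecl arguments for an 8-bit stack adjustment (" + stackBytes + " bytes)", "args");
            }

            // Size the stub before allocating: call rel32 (5) + popad (1) + ret (1),
            // plus "mov [addr32], eax" (1 + 4; the address is always 4 bytes regardless of ValueLength),
            // plus "add esp, imm8" (3) for cdecl.
            uint length = (uint)(stub.Count + 5 + 1 + 1);
            if (capturesReturn)
            {
                length += 5;
            }
            if (type == CALLTYPE.CDECLCALL)
            {
                length += 3;
            }

            IntPtr baseadress = Alloc(length);
            if (baseadress == IntPtr.Zero)
            {
                // Alloc's failure contract is not visible here; refuse to write a stub to address 0 either way.
                throw new InvalidOperationException("MAKECALL: could not allocate memory for the call stub");
            }

            IntPtr returnAddress = IntPtr.Zero;
            // The stub stores all 4 bytes of eax, so the return buffer is never smaller than 4 bytes.
            uint returnBufferLength = capturesReturn ? Math.Max(valueLength, 4u) : 0u;

            try
            {
                if (capturesReturn)
                {
                    returnAddress = Alloc(returnBufferLength);
                    if (returnAddress == IntPtr.Zero)
                    {
                        throw new InvalidOperationException("MAKECALL: could not allocate memory for the return value");
                    }
                }

                // call rel32: the displacement is relative to the end of this 5-byte instruction.
                stub.Add(0xE8);
                long nextInstruction = (long)baseadress.ToInt32() + stub.Count + 4;
                stub.AddRange(BitConverter.GetBytes(unchecked((uint)((long)funcPtr - nextInstruction))));

                // mov [returnAddress], eax
                if (capturesReturn)
                {
                    stub.Add(0xA3);
                    stub.AddRange(BitConverter.GetBytes((uint)returnAddress.ToInt32()));
                }

                // cdecl: the caller removes the pushed arguments (add esp, imm8).
                if (type == CALLTYPE.CDECLCALL)
                {
                    stub.AddRange(new byte[] { 0x83, 0xC4 });
                    stub.Add((byte)stackBytes);
                }

                stub.Add(0x61); // popad
                stub.Add(0xC3); // ret

                // Never write past the allocation if the size estimate and the emitted bytes disagree.
                if (stub.Count != length)
                {
                    throw new InvalidOperationException("MAKECALL: stub size mismatch (" + stub.Count + " bytes emitted, " + length + " allocated)");
                }

                Write(stub.ToArray(), baseadress.ToInt32());

                if (process_thisprocess)
                {
                    call mc = (call)Marshal.GetDelegateForFunctionPointer(baseadress, typeof(call));
                    mc();
                }
                else
                {
                    uint threadID;
                    IntPtr hThread = Kernel.Process.CreateRemoteThread(Handle, IntPtr.Zero, 0, baseadress, IntPtr.Zero, 0, out threadID);
                    if (hThread == IntPtr.Zero)
                    {
                        throw new InvalidOperationException("MAKECALL: CreateRemoteThread failed");
                    }
                    try
                    {
                        WaitForThreadToExit(hThread);
                    }
                    finally
                    {
                        CloseHandle(hThread);
                    }
                }

                if (!capturesReturn)
                {
                    return null;
                }

                // Read the stored eax while the buffer is still mapped; the finally block frees it afterwards.
                returnValue.Initialize(this, ReadInt(returnAddress.ToInt32()));
                return returnValue;
            }
            finally
            {
                Free(baseadress, length);
                if (returnAddress != IntPtr.Zero)
                {
                    Free(returnAddress, returnBufferLength);
                }
            }
        }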
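        /// <summary>
        /// Builds a small x86 stub in memory that calls <paramref name="funcPtr"/> with the given
        /// calling convention and arguments, invokes it through a delegate, and hands the address of the
        /// stored eax value to a new <typeparamref name="T"/>. All memory allocated here is released even
        /// when the call or a helper throws.
        /// </summary>
        /// <typeparam name="T">Return-value wrapper; a <c>ValueLength()</c> of 0 means no result is captured.</typeparam>
        /// <param name="type">Calling convention; selects the ecx/edx setup and the cdecl stack cleanup.</param>
        /// <param name="thisPtr">Loaded into ecx for THISCALL and FASTCALL.</param>
        /// <param name="fcallArg">Loaded into edx for FASTCALL.</param>
        /// <param name="funcPtr">Absolute address of the function to call; must not be 0.</param>
        /// <param name="args">Arguments, pushed right to left; null entries are skipped, and every chunk from <c>GetCallParams()</c> becomes one 32-bit push.</param>
        /// <returns>The initialized <typeparamref name="T"/>, or null when <c>ValueLength()</c> is 0.</returns>
        /// <exception cref="ArgumentException">
        /// <paramref name="funcPtr"/> is 0, a call-param chunk is not exactly 4 bytes, or a cdecl call pushes
        /// more than 127 bytes (the cleanup instruction only carries an 8-bit immediate).
        /// </exception>
        /// <exception cref="InvalidOperationException">
        /// An allocation returns a null pointer, or the emitted stub does not match the size it was allocated with.
        /// </exception>
        private static T MAKECALL <T>(CALLTYPE type, int thisPtr, int fcallArg, int funcPtr, params CallValue[] args) where T : CallValue, new()
        {
            if (funcPtr == 0)
            {
                throw new ArgumentException("Process.MAKECALL: Method-pointer not found", "funcPtr");
            }

            List<byte> stub = new List<byte>();

            stub.Add(0x60); // pushad: preserve all general-purpose registers around the call

            int pushedDwords = 0;

            // Push the arguments right to left; each call-param chunk is one "push imm32".
            if (args != null)
            {
                for (int i = args.Length - 1; i >= 0; i--)
                {
                    CallValue arg = args[i];
                    if (arg == null)
                    {
                        continue;
                    }

                    List<byte[]> callParams = arg.GetCallParams();
                    for (int j = callParams.Count - 1; j >= 0; j--)
                    {
                        byte[] chunk = callParams[j];
                        if (chunk == null || chunk.Length != 4)
                        {
                            // "push imm32" takes exactly 4 bytes; anything else desynchronizes the instruction stream.
                            throw new ArgumentException("Process.MAKECALL: call parameter chunk of argument " + i + " is not 4 bytes", "args");
                        }
                        pushedDwords++;
                        stub.Add(0x68);
                        stub.AddRange(chunk);
                    }
                }
            }

            // THISCALL / FASTCALL: mov ecx, thisPtr
            if (type == CALLTYPE.THISCALL || type == CALLTYPE.FASTCALL)
            {
                stub.Add(0xB9);
                stub.AddRange(BitConverter.GetBytes(thisPtr));
            }

            // FASTCALL: mov edx, fcallArg
            if (type == CALLTYPE.FASTCALL)
            {
                stub.Add(0xBA);
                stub.AddRange(BitConverter.GetBytes(fcallArg));
            }

            // The cdecl cleanup below is "add esp, imm8"; the immediate is sign-extended, so anything
            // above 127 bytes would be encoded as a negative adjustment and corrupt the stack.
            int stackBytes = pushedDwords * 4;
            if (type == CALLTYPE.CDECLCALL && stackBytes > sbyte.MaxValue)
            {
                throw new ArgumentException("Process.MAKECALL: too many cdecl arguments for an 8-bit stack adjustment (" + stackBytes + " bytes)", "args");
            }

            T returnValue = new T();
            uint valueLength = returnValue.ValueLength();
            bool capturesReturn = valueLength != 0;

            // Size the stub before allocating: call rel32 (5) + popad (1) + ret (1),
            // plus "mov [addr32], eax" (1 + 4; the address is always 4 bytes regardless of ValueLength),
            // plus "add esp, imm8" (3) for cdecl.
            uint length = (uint)(stub.Count + 5 + 1 + 1);
            if (capturesReturn)
            {
                length += 5;
            }
            if (type == CALLTYPE.CDECLCALL)
            {
                length += 3;
            }

            IntPtr baseadress = Alloc(length);
            if (baseadress == IntPtr.Zero)
            {
                // Alloc's failure contract is not visible here; refuse to write a stub to address 0 either way.
                throw new InvalidOperationException("Process.MAKECALL: could not allocate memory for the call stub");
            }

            IntPtr returnAddress = IntPtr.Zero;
            // The stub stores all 4 bytes of eax, so the return buffer is never smaller than 4 bytes.
            uint returnBufferLength = capturesReturn ? Math.Max(valueLength, 4u) : 0u;

            try
            {
                if (capturesReturn)
                {
                    returnAddress = Alloc(returnBufferLength);
                    if (returnAddress == IntPtr.Zero)
                    {
                        throw new InvalidOperationException("Process.MAKECALL: could not allocate memory for the return value");
                    }
                }

                // call rel32: the displacement is relative to the end of this 5-byte instruction.
                stub.Add(0xE8);
                int rel32 = unchecked(funcPtr - (baseadress.ToInt32() + stub.Count + 4));
                stub.AddRange(BitConverter.GetBytes(rel32));

                // mov [returnAddress], eax
                if (capturesReturn)
                {
                    stub.Add(0xA3);
                    stub.AddRange(BitConverter.GetBytes((uint)returnAddress.ToInt32()));
                }

                // cdecl: the caller removes the pushed arguments (add esp, imm8).
                if (type == CALLTYPE.CDECLCALL)
                {
                    stub.AddRange(new byte[] { 0x83, 0xC4 });
                    stub.Add((byte)stackBytes);
                }

                stub.Add(0x61); // popad
                stub.Add(0xC3); // ret

                // Never write past the allocation if the size estimate and the emitted bytes disagree.
                if (stub.Count != length)
                {
                    throw new InvalidOperationException("Process.MAKECALL: stub size mismatch (" + stub.Count + " bytes emitted, " + length + " allocated)");
                }

                Write(baseadress.ToInt32(), stub.ToArray());

                call mc = (call)Marshal.GetDelegateForFunctionPointer(baseadress, typeof(call));
                mc();

                if (!capturesReturn)
                {
                    return null;
                }

                // Initialize receives the buffer address (presumably to read the stored value), so it must
                // run before the finally block frees that buffer.
                returnValue.Initialize(returnAddress.ToInt32());
                return returnValue;
            }
            finally
            {
                Free(baseadress, length);
                if (returnAddress != IntPtr.Zero)
                {
                    Free(returnAddress, returnBufferLength);
                }
            }
        }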