private bool IsJumpTargetInDifferentModule(long source, long target) { foreach (ProcessModule module in Process.GetCurrentProcess().Modules) { var range = new AddressRange((long)module.BaseAddress, (long)(module.BaseAddress + module.ModuleMemorySize)); if (range.Contains(source) && range.Contains(target)) { return(false); } } return(true); }
private bool IsJumpTargetInAModule(long source, long target) { if (!_options.VerifyJumpTargetsModule) { return(false); } foreach (ProcessModule module in GetCachedModules()) { var range = new AddressRange((long)module.BaseAddress, (long)(module.BaseAddress + module.ModuleMemorySize)); if (range.Contains(source) && range.Contains(target)) { return(true); } } return(false); }
private bool IsJumpTargetInAModule(nuint source, nuint target) { if (!_options.VerifyJumpTargetsModule) { return(false); } foreach (ProcessModule module in GetCachedModules()) { var range = new AddressRange(module.BaseAddress.ToUnsigned(), (module.BaseAddress + module.ModuleMemorySize).ToUnsigned()); if (range.Contains(source) && range.Contains(target)) { return(true); } } return(false); }
/// <summary> /// Creates patch for a relative jump, if necessary. /// </summary> private void PatchRelativeJump(Instruction instruction, ref AddressRange originalJmpTarget, long newJmpTarget, List <Patch> patches) { long jumpTargetAddress = (long)instruction.PC + GetOperandOffset(instruction.Operands[0]); if (originalJmpTarget.Contains(jumpTargetAddress)) { byte[] relativeJumpBytes = Utilities.AssembleRelativeJump((IntPtr)instruction.Offset, (IntPtr)newJmpTarget, Is64Bit()); patches.Add(new Patch((IntPtr)instruction.Offset, relativeJumpBytes)); } }
/// <summary> /// Creates patch for a relative jump, if necessary. /// </summary> private void PatchRelativeJump(Instruction instruction, ref AddressRange originalJmpTarget, nuint newJmpTarget, List <Patch> patches) { nuint jumpTargetAddress = (nuint)GetJumpTarget(instruction); if (originalJmpTarget.Contains(jumpTargetAddress)) { byte[] relativeJumpBytes = Utilities.AssembleRelativeJump((nuint)instruction.IP, newJmpTarget, _is64Bit); patches.Add(new Patch((nuint)instruction.IP, relativeJumpBytes)); } }
/// <summary> /// Creates patch for a relative jump, if necessary. /// </summary> private void PatchRelativeJump(Instruction instruction, ref AddressRange originalJmpTarget, long newJmpTarget, List <Patch> patches) { long jumpTargetAddress = (long)instruction.PC + GetOperandOffset(instruction.Operands[0]); if (originalJmpTarget.Contains(jumpTargetAddress)) { // Edit: It's actually correct because FASM automatically adjusts for instruction length. IntPtr newRelativeOffset = (IntPtr)(newJmpTarget - (long)instruction.Offset); byte[] relativeJumpBytes = Utilities.AssembleRelativeJump(newRelativeOffset, Is64Bit()); patches.Add(new Patch((IntPtr)instruction.Offset, relativeJumpBytes)); } }
/// <summary> /// Creates patch for a RIP relative jump, if necessary. /// </summary> private void PatchRIPRelativeJump(Instruction instruction, ref AddressRange originalJmpTarget, nuint newJmpTarget, List <Patch> patches) { var jumpTargetAddress = GetRewriteRIPRelativeJumpTarget(instruction); if (originalJmpTarget.Contains(jumpTargetAddress)) { // newJmpTarget is guaranteed to be in range. // Relative jump uses less bytes, so using it is also safe. byte[] relativeJumpBytes = Utilities.AssembleRelativeJump((nuint)instruction.IP, newJmpTarget, _is64Bit); patches.Add(new Patch((nuint)instruction.IP, relativeJumpBytes)); } }
/// <summary> /// Creates patch for a RIP relative jump, if necessary. /// </summary> private void PatchRIPRelativeJump(Instruction instruction, ref AddressRange originalJmpTarget, long newJmpTarget, List <Patch> patches) { IntPtr pointerAddress = (IntPtr)((long)instruction.PC + GetOperandOffset(instruction.Operands[0])); CurrentProcess.Read(pointerAddress, out IntPtr jumpTargetAddress); if (originalJmpTarget.Contains((long)jumpTargetAddress)) { // newJmpTarget is guaranteed to be in range. // Relative jump uses less bytes, so using it is also safe. byte[] relativeJumpBytes = Utilities.AssembleRelativeJump((IntPtr)instruction.Offset, (IntPtr)newJmpTarget, Is64Bit()); patches.Add(new Patch((IntPtr)instruction.Offset, relativeJumpBytes)); } }
/// <summary> /// Creates patch for a push + return combo, if necessary. /// </summary> private void PatchPushReturn(Instruction instruction, ref AddressRange originalJmpTarget, long newJmpTarget, List <Patch> patches) { long jumpTargetAddress = GetOperandOffset(instruction.Operands[0]); if (originalJmpTarget.Contains((long)jumpTargetAddress)) { // Push + Return & JMP Absolute use the same number of bytes in X86. but not in X64. // We must create a new Push + Return to an absolute jump. byte[] absoluteJump = Utilities.AssembleAbsoluteJump((IntPtr)newJmpTarget, Is64Bit()); var buffer = Utilities.FindOrCreateBufferInRange(absoluteJump.Length); var absoluteJmpPointer = buffer.Add(absoluteJump); byte[] newPushReturn = Utilities.AssemblePushReturn(absoluteJmpPointer, Is64Bit()); patches.Add(new Patch((IntPtr)instruction.Offset, newPushReturn)); } }