public override void Dispose()
{
ProcessHandle.Dispose();
ProcessHandle = null;
SafeMemoryHandle.CloseHandle(ThreadHandle);
if (Asm != null)
{
Asm.Clear();
}
Asm = null;
base.Dispose();
}
public void ObjectMnemonics()
{
// Arrange
var fasm = new FasmNet();
// Act
fasm.AddLine("push eax");
fasm.AddLine("retn");
// Assert
Assert.AreEqual(String.Format("push eax{0}retn{0}", Environment.NewLine), fasm.Mnemonics);
}
internal static IntPtr InjectAsm(string[] parInstructions, string parPatchName)
{
if (Asm == null)
{
Asm = new FasmNet();
}
Asm.Clear();
Asm.AddLine("use32");
foreach (var x in parInstructions)
{
Asm.AddLine(x);
}
var byteCode = new byte[0];
try
{
byteCode = Asm.Assemble();
}
catch (FasmAssemblerException ex)
{
MessageBox.Show(
$"Error definition: {ex.ErrorCode}; Error code: {(int) ex.ErrorCode}; Error line: {ex.ErrorLine}; Error offset: {ex.ErrorOffset}; Mnemonics: {ex.Mnemonics}");
}
var start = Reader.Alloc(byteCode.Length);
Asm.Clear();
Asm.AddLine("use32");
foreach (var x in parInstructions)
{
Asm.AddLine(x);
}
byteCode = Asm.Assemble(start);
HookWardenMemScan.RemoveHack(start);
HookWardenMemScan.RemoveHack(parPatchName);
var originalBytes = Reader.ReadBytes(start, byteCode.Length);
if (parPatchName != "")
{
var parHack = new Hack(start,
byteCode,
originalBytes, parPatchName);
HookWardenMemScan.AddHack(parHack);
parHack.Apply();
}
else
{
Reader.WriteBytes(start, byteCode);
}
return(start);
}
public void ObjectAssembleWithOrigin()
{
// Arrange
var fasm = new FasmNet();
// Act
fasm.AddLine("use32");
fasm.AddLine("jmp {0}", 0x2000);
var asm = fasm.Assemble(new IntPtr(0x1000));
// Assert
CollectionAssert.AreEqual(new byte[] { 0xE9, 0xfb, 0x0f, 0x00, 0x00 }, asm);
}
private void AsmExecute(string asm)
{
// Assemble once to determine size
byte[] bytes = FasmNet.Assemble("use32\norg 0x0\n" + asm);
IntPtr insertPtr = Allocate((uint)bytes.Length);
// Then rebase and inject
// Note: you can't use String.Format here because IntPtr is not IFormattable
bytes = FasmNet.Assemble("use32\norg 0x" + insertPtr.ToString("X") + "\n" + asm);
Kernel32.WriteBytes(Handle, insertPtr, bytes);
Execute(insertPtr);
Free(insertPtr);
}
public byte[] Assemble(string asm, IntPtr baseAddress)
{
if (!attach)
{
asm = $"use32\norg {baseAddress}\n" + asm;
}
else
{
// Call mono_thread_attach first
asm = $"use32\norg {baseAddress}\npush {rootDomain}\ncall {threadAttach}\nadd esp, 4\n" + asm;
}
return(FasmNet.Assemble(asm));
}
/// <summary>
/// Initializes a new instance of the <see cref="ExternalProcessReader"/> class.
/// </summary>
/// <param name="proc">The proc.</param>
/// <remarks>Created 2012-04-24</remarks>
public ExternalProcessReader(Process proc) : base(proc)
{
if (IsProcessOpen)
{
ThreadHandle = Imports.OpenThread(0x0001F03FF, false, (uint)proc.Threads[0].Id);
WindowHandle = Process.MainWindowHandle;
Asm = new FasmNet();
}
else
{
throw new Exception("ProcessHandle is invalid or closed, are you sure you did everything right?");
}
}
public byte[] Compile(params object[] statements)
{
var asm = new FasmNet(100000, 100);
if (framework == TargetFramework.x86)
{
asm.AddLine("use32");
}
else
{
asm.AddLine("use64");
}
if (statements.Length == 0)
{
foreach (object op in operations)
{
if (op.GetType() == typeof(Operation))
{
asm.AddLine(((Operation)op).op);
}
else if (op.GetType() == typeof(string))
{
asm.AddLine((string)op);
}
else
{
throw new InvalidOperationException("Unsupported object in Compile");
}
}
return(asm.Assemble(Address));
}
foreach (object op in statements)
{
if (op.GetType() == typeof(Operation))
{
asm.AddLine(((Operation)op).op);
}
else if (op.GetType() == typeof(string))
{
asm.AddLine((string)op);
}
else
{
throw new InvalidOperationException("Unsupported object in Compile");
}
}
return(asm.Assemble(Address));
}
public void ObjectAddAndInsertLines()
{
// Arrange
var fasm = new FasmNet();
// Act
fasm.AddLine("push eax");
fasm.AddLine("pop {0}", "eax");
fasm.InsertLine(0, "use32");
var asm = fasm.Assemble();
// Assert
CollectionAssert.AreEqual(new byte[] { 0x50, 0x58 }, asm);
}
public virtual int GenerateStub(WindowsAssembly pE, ProtectionOptions options)
{
try
{
FasmNet fasmNet = new FasmNet(memorySize, 10); // if compilcation fails increase memorySize parameter
fasmNet.AddLine(Code);
generatedStub = fasmNet.Assemble(NextSectionRVA(pE.NtHeaders.OptionalHeader.SectionAlignment,
pE.SectionHeaders.Last()) +
(uint)pE.NtHeaders.OptionalHeader.ImageBase);
return(generatedStub.Length);
}
catch { }
return(-1);
}
public static void Jump(IntPtr from, IntPtr to)
{
byte[] hook = FasmNet.Assemble(new[]
{
"use32",
"org " + from,
"jmp " + to
});
uint dwOldProtection;
Kernel32.VirtualProtect(from, 5, 0x40, out dwOldProtection);
Marshal.Copy(hook, 0, from, 5);
Kernel32.VirtualProtect(from, 5, dwOldProtection, out dwOldProtection);
}
public void Assemble64BitWithArray()
{
// Arrange
var mnemonics = new[]
{
"use64",
"push rax"
};
// Act
var asm = FasmNet.Assemble(mnemonics);
// Assert
Assert.AreEqual(0x50, asm[0]);
}
/// <summary>
/// Makes use of FASM.NET in order to compile the supplied mnemonics.
/// </summary>
public static void Compile_X86_Mnemonics(byte[] Mnemonics, Socket SocketX)
{
// Deserialize X86 Mnemonics
string[] Mnemonics_X = Client_Functions.Deserialize_x86_ASM_Mnemonics(Mnemonics);
try
{
SocketX.Send(FasmNet.Assemble(Mnemonics_X)); // Try sending assembled data.
}
catch
{
SocketX.Send(new byte[1] {
(byte)0x90
}); // If assembly was unsuccessful, reply with NOP
}
}
public Byte[] Assemble(Boolean isProcess32Bit, String assembly, UInt64 baseAddress, out String message, out String innerMessage)
{
message = "Starting instruction assembly" + Environment.NewLine;
innerMessage = String.Empty;
if (assembly == null)
{
message += "No assembly code given" + Environment.NewLine;
return(null);
}
// Add header information about process
if (isProcess32Bit)
{
assembly = String.Format("use32\n" + "org 0x{0:X8}\n", baseAddress) + assembly;
}
else
{
assembly = String.Format("use64\n" + "org 0x{0:X16}\n", baseAddress) + assembly;
}
message += assembly + Environment.NewLine;
Byte[] result;
try
{
// Call C++ FASM wrapper which will call the 32-bit FASM library which can assemble all x86/x64 instructions
result = FasmNet.Assemble(assembly);
message += "Assembled byte results:" + Environment.NewLine;
foreach (Byte next in result)
{
message += next.ToString("X") + " ";
}
message += Environment.NewLine;
}
catch (Exception ex)
{
innerMessage = "Error:" + ex.ToString() + Environment.NewLine;
result = null;
}
return(result);
}
internal static IntPtr MakeCodeCave(string[] v)
{
IntPtr codeCave = Marshal.AllocHGlobal(128);
var preamble = new string[] {
"use32",
"org " + codeCave
};
var asm = preamble.Concat(v).ToArray();
byte[] code = FasmNet.Assemble(asm);
Marshal.Copy(code, 0, codeCave, code.Length);
// Make executable
uint dwOldProtection;
Kernel32.VirtualProtect(codeCave, (uint)code.Length, 0x40, out dwOldProtection);
return(codeCave);
}
internal static void Install(HookType hook)
{
var hookLocation1 = new IntPtr(0x005D53B1);
var hookLocation = new IntPtr(0x005D5590);
IntPtr codeCave2 = Marshal.AllocHGlobal(4);
IntPtr codeCave1 = Marshal.AllocHGlobal(128);
byte[] code1 = FasmNet.Assemble(new[]
{
"use32",
"org " + codeCave1,
"push esi",
"push edi",
"mov esi, dword[ebx+0x10]",
"mov dword[" + codeCave2 + "],esi",
"lea esi, dword[ebx+0x78]",
"jmp " + (hookLocation1 + 5)
});
Marshal.Copy(code1, 0, codeCave1, code1.Length);
HookHelper.Jump(hookLocation1, codeCave1);
IntPtr codeCave = Marshal.AllocHGlobal(128);
byte[] code = FasmNet.Assemble(new[]
{
"use32",
"org " + codeCave,
"push dword [ebp+0x8]",
"push dword [" + codeCave2 + "]",
"call " + Marshal.GetFunctionPointerForDelegate(hook),
"pop edi",
"pop esi",
"pop ebx",
"leave",
"retn 8"
});
Marshal.Copy(code, 0, codeCave, code.Length);
HookHelper.Jump(hookLocation, codeCave);
}
public void AssembleFile()
{
// Arrange
const string path = "file.asm";
// Act
using (var file = File.CreateText(path))
{
file.WriteLine("use32");
file.WriteLine("push eax");
}
var asm = FasmNet.AssembleFile(path);
File.Delete(path);
// Assert
Assert.AreEqual(0x50, asm[0]);
}
public void Hook()
{
IntPtr taskPtr = Marshal.AllocCoTaskMem(1024);
//
var hookedFuncBytes = FasmNet.Assemble(new[] {
"use32",
"pushad",
$"call {this.CallbackAddress - (int)taskPtr}",
"popad",
"call dword [edx+12]",
"pop ebp",
"ret 12"
});
WinAPI.VirtualProtect(taskPtr, hookedFuncBytes.Length, (int)WinAPI.Protection.PAGE_EXECUTE_READWRITE, out int x);
Memory.WriteBytes(taskPtr, hookedFuncBytes);
SetJump(taskPtr);
}
internal static void Install(HookType hook)
{
var hookLocation = new IntPtr(0x0A2B2E8);
IntPtr codeCave = Marshal.AllocHGlobal(128);
byte[] code = FasmNet.Assemble(new[]
{
"use32",
"org " + codeCave,
"pushad",
"call " + Marshal.GetFunctionPointerForDelegate(hook),
"popad",
"retn"
});
Marshal.Copy(code, 0, codeCave, code.Length);
Marshal.WriteIntPtr(hookLocation, codeCave);
}
public void AssembleWithError()
{
// Arrange
const string mnemonics = "use32\nretnj";
// Act
try
{
FasmNet.Assemble(mnemonics);
Assert.Fail("The above line must throw an error.");
}
catch (FasmAssemblerException ex)
{
// Assert
Assert.AreEqual(2, ex.ErrorLine, "The error does not indicate the correct line.");
Assert.AreEqual(6, ex.ErrorOffset, "The error does not indicate the correct offset.");
Assert.AreEqual(FasmErrors.IllegalInstruction, ex.ErrorCode, "The kind of the error was not found.");
Assert.AreEqual(mnemonics, ex.Mnemonics);
}
}
internal static void Install(HookType hook)
{
var hookLocation = new IntPtr(0x004078E1);
IntPtr codeCave = Marshal.AllocHGlobal(128);
byte[] code = FasmNet.Assemble(new[]
{
"use32",
"org " + codeCave,
"pushad",
"push edx",
"call " + Marshal.GetFunctionPointerForDelegate(hook),
"popad",
"call 0x00409880",
"jmp " + (hookLocation + 5)
});
Marshal.Copy(code, 0, codeCave, code.Length);
HookHelper.Jump(hookLocation, codeCave);
}
internal static void Install(HookType hook)
{
var hookLocation = new IntPtr(0x007B25F6);
IntPtr codeCave = Marshal.AllocHGlobal(128);
byte[] code = FasmNet.Assemble(new[]
{
"use32",
"org " + codeCave,
"mov dword[esi+0x88],ecx",
"pushad",
"push dword[esi+0x2C]",
"call " + Marshal.GetFunctionPointerForDelegate(hook),
"popad",
"jmp " + (hookLocation + 6)
});
Marshal.Copy(code, 0, codeCave, code.Length);
HookHelper.Jump(hookLocation, codeCave);
}
internal static void Install()
{
var hookLocation = new IntPtr(0x005D2EF1);
IntPtr codeCave = Marshal.AllocHGlobal(128);
_speedModifierLocation = Marshal.AllocHGlobal(4);
byte[] code = FasmNet.Assemble(new[]
{
"use32",
"org " + codeCave,
"mov ebx, dword[ecx*0x4+eax]",
"mov dword[" + _speedModifierLocation + "], ebx",
"test ebx, ebx",
"jmp " + (hookLocation + 5)
});
Marshal.Copy(code, 0, codeCave, code.Length);
HookHelper.Jump(hookLocation, codeCave);
}
/// <summary>
/// Assembles the received request and sends back information to the client.
/// </summary>
/// <param name="mnemonics">The assembly code to be assembled.</param>
/// <param name="clientSocket">The socket used for communication with the client. which sent the request.</param>
private static void Assemble(string[] mnemonics, ReloadedSocket clientSocket)
{
// Send back empty message struct
Message.MessageStruct messageStruct = new Message.MessageStruct
{
// Client will likely ignore this anyway (but shouldn't).
MessageType = ( ushort )MessageTypes.Assemble
};
// Try Assembly
// Assemble the bytes
try
{ messageStruct.Data = FasmNet.Assemble(mnemonics); }
// Failed to Assemble
// Return nop on failure.
catch
{ messageStruct.Data = new byte[1] {
0x90
}; }
// Return back.
clientSocket.SendData(messageStruct, false);
}
public void ObjectMnemonics()
{
// Arrange
var fasm = new FasmNet();
// Act
fasm.AddLine("push eax");
fasm.AddLine("retn");
// Assert
Assert.AreEqual(String.Format("push eax{0}retn{0}", Environment.NewLine), fasm.Mnemonics);
}
public void ObjectClear()
{
// Arrange
var fasm = new FasmNet();
// Act
fasm.AddLine("retn");
fasm.Clear();
fasm.AddLine("push eax");
fasm.AddLine("pop {0}", "eax");
fasm.InsertLine(0, "use32");
var asm = fasm.Assemble();
// Assert
CollectionAssert.AreEqual(new byte[] { 0x50, 0x58 }, asm);
}
public void ObjectAssembleWithOrigin()
{
// Arrange
var fasm = new FasmNet();
// Act
fasm.AddLine("use32");
fasm.AddLine("jmp {0}", 0x2000);
var asm = fasm.Assemble(new IntPtr(0x1000));
// Assert
CollectionAssert.AreEqual(new byte[] { 0xE9, 0xfb, 0x0f, 0x00, 0x00 }, asm);
}
private byte[] Assemble(string mnemonic, IntPtr baseAddress)
{
mnemonic = $"use32\norg 0x{(object)baseAddress.ToInt64():X8}\n" + mnemonic;
return(FasmNet.Assemble(mnemonic));
}
private static byte[] FasmNETAssemble(string[] source)
{
return(FasmNet.Assemble(source));
}
