private bool IsJumpTargetInDifferentModule(long source, long target)
{
foreach (ProcessModule module in Process.GetCurrentProcess().Modules)
{
var range = new AddressRange((long)module.BaseAddress, (long)(module.BaseAddress + module.ModuleMemorySize));
if (range.Contains(source) && range.Contains(target))
{
return(false);
}
}
return(true);
}
private bool IsJumpTargetInAModule(long source, long target)
{
if (!_options.VerifyJumpTargetsModule)
{
return(false);
}
foreach (ProcessModule module in GetCachedModules())
{
var range = new AddressRange((long)module.BaseAddress, (long)(module.BaseAddress + module.ModuleMemorySize));
if (range.Contains(source) && range.Contains(target))
{
return(true);
}
}
return(false);
}
private bool IsJumpTargetInAModule(nuint source, nuint target)
{
if (!_options.VerifyJumpTargetsModule)
{
return(false);
}
foreach (ProcessModule module in GetCachedModules())
{
var range = new AddressRange(module.BaseAddress.ToUnsigned(), (module.BaseAddress + module.ModuleMemorySize).ToUnsigned());
if (range.Contains(source) && range.Contains(target))
{
return(true);
}
}
return(false);
}
/// <summary>
/// Creates patch for a relative jump, if necessary.
/// </summary>
private void PatchRelativeJump(Instruction instruction, ref AddressRange originalJmpTarget, long newJmpTarget, List <Patch> patches)
{
long jumpTargetAddress = (long)instruction.PC + GetOperandOffset(instruction.Operands[0]);
if (originalJmpTarget.Contains(jumpTargetAddress))
{
byte[] relativeJumpBytes = Utilities.AssembleRelativeJump((IntPtr)instruction.Offset, (IntPtr)newJmpTarget, Is64Bit());
patches.Add(new Patch((IntPtr)instruction.Offset, relativeJumpBytes));
}
}
/// <summary>
/// Creates patch for a relative jump, if necessary.
/// </summary>
private void PatchRelativeJump(Instruction instruction, ref AddressRange originalJmpTarget, nuint newJmpTarget, List <Patch> patches)
{
nuint jumpTargetAddress = (nuint)GetJumpTarget(instruction);
if (originalJmpTarget.Contains(jumpTargetAddress))
{
byte[] relativeJumpBytes = Utilities.AssembleRelativeJump((nuint)instruction.IP, newJmpTarget, _is64Bit);
patches.Add(new Patch((nuint)instruction.IP, relativeJumpBytes));
}
}
/// <summary>
/// Creates patch for a relative jump, if necessary.
/// </summary>
private void PatchRelativeJump(Instruction instruction, ref AddressRange originalJmpTarget, long newJmpTarget, List <Patch> patches)
{
long jumpTargetAddress = (long)instruction.PC + GetOperandOffset(instruction.Operands[0]);
if (originalJmpTarget.Contains(jumpTargetAddress))
{
// Edit: It's actually correct because FASM automatically adjusts for instruction length.
IntPtr newRelativeOffset = (IntPtr)(newJmpTarget - (long)instruction.Offset);
byte[] relativeJumpBytes = Utilities.AssembleRelativeJump(newRelativeOffset, Is64Bit());
patches.Add(new Patch((IntPtr)instruction.Offset, relativeJumpBytes));
}
}
/// <summary>
/// Creates patch for a RIP relative jump, if necessary.
/// </summary>
private void PatchRIPRelativeJump(Instruction instruction, ref AddressRange originalJmpTarget, nuint newJmpTarget, List <Patch> patches)
{
var jumpTargetAddress = GetRewriteRIPRelativeJumpTarget(instruction);
if (originalJmpTarget.Contains(jumpTargetAddress))
{
// newJmpTarget is guaranteed to be in range.
// Relative jump uses less bytes, so using it is also safe.
byte[] relativeJumpBytes = Utilities.AssembleRelativeJump((nuint)instruction.IP, newJmpTarget, _is64Bit);
patches.Add(new Patch((nuint)instruction.IP, relativeJumpBytes));
}
}
/// <summary>
/// Creates patch for a RIP relative jump, if necessary.
/// </summary>
private void PatchRIPRelativeJump(Instruction instruction, ref AddressRange originalJmpTarget, long newJmpTarget, List <Patch> patches)
{
IntPtr pointerAddress = (IntPtr)((long)instruction.PC + GetOperandOffset(instruction.Operands[0]));
CurrentProcess.Read(pointerAddress, out IntPtr jumpTargetAddress);
if (originalJmpTarget.Contains((long)jumpTargetAddress))
{
// newJmpTarget is guaranteed to be in range.
// Relative jump uses less bytes, so using it is also safe.
byte[] relativeJumpBytes = Utilities.AssembleRelativeJump((IntPtr)instruction.Offset, (IntPtr)newJmpTarget, Is64Bit());
patches.Add(new Patch((IntPtr)instruction.Offset, relativeJumpBytes));
}
}
/// <summary>
/// Creates patch for a push + return combo, if necessary.
/// </summary>
private void PatchPushReturn(Instruction instruction, ref AddressRange originalJmpTarget, long newJmpTarget, List <Patch> patches)
{
long jumpTargetAddress = GetOperandOffset(instruction.Operands[0]);
if (originalJmpTarget.Contains((long)jumpTargetAddress))
{
// Push + Return & JMP Absolute use the same number of bytes in X86. but not in X64.
// We must create a new Push + Return to an absolute jump.
byte[] absoluteJump = Utilities.AssembleAbsoluteJump((IntPtr)newJmpTarget, Is64Bit());
var buffer = Utilities.FindOrCreateBufferInRange(absoluteJump.Length);
var absoluteJmpPointer = buffer.Add(absoluteJump);
byte[] newPushReturn = Utilities.AssemblePushReturn(absoluteJmpPointer, Is64Bit());
patches.Add(new Patch((IntPtr)instruction.Offset, newPushReturn));
}
}
