/* Build Shellcode */
private void BuildGetProcAddress86()
{
// GetProcAddress(long hModule, char* lpProcName)
// lpParameter: Address of first struct member.
// Using stdcall calling convention.
long getProcAddressAddress = Kernel32Handle + _getProcAddressOffset;
IntPtr getProcAddressPtr = _privateBuffer.Add(ref getProcAddressAddress);
long dummy = 0;
_getProcAddressReturnValuePtr = (long)_privateBuffer.Add(ref dummy);
string[] getProcAddress =
{
$"use32",
"mov eax, dword [esp + 4]", // CreateRemoteThread lpParameter
"push dword [eax + 8]", // lpProcName
"push dword [eax + 0]", // hModule
$"call dword [dword 0x{getProcAddressPtr.ToString("X")}]",
$"mov dword [dword 0x{_getProcAddressReturnValuePtr.ToString("X")}], eax",
"ret 4" // Restore stack ptr. (Callee cleanup)
};
byte[] bytes = _assembler.Assemble(getProcAddress);
_getProcAddressShellPtr = (long)_privateBuffer.Add(bytes);
}
/* Building Functions */
public void BuildReturnFive()
{
string[] returnFiveFunction = new string[]
{
$"{_use32}",
$"mov {_eax}, {Five}",
$"ret"
};
// Note: We are deliberately creating in 32bit range because later down the road we'll be patching push + ret.
var result = _assembler.Assemble(returnFiveFunction);
var buffer = Utilities.FindOrCreateBufferInRange(result.Length);
ReturnFive = buffer.Add(result);
}
private IntPtr CreateAsmFunction(string[] function)
{
var result = _assembler.Assemble(function);
var address = _memory.Allocate(result.Length);
_memory.WriteRaw(address, result);
return(address);
}
/* Build Jump methods for Patching */
private void BuildRelativeJmp()
{
var minMax = Utilities.GetRelativeJumpMinMax((long)_dummyFunctions.ReturnFive);
var buffer = Utilities.FindOrCreateBufferInRange(32, minMax.min, minMax.max);
long jmpSource = (long)buffer.Properties.WritePointer;
long jmpTarget = (long)_dummyFunctions.ReturnFive;
var relativeJmp = new string[]
{
$"{_use32}",
$"jmp {jmpTarget - jmpSource}"
};
var asm = _assembler.Assemble(relativeJmp);
_relativeJmpLength = asm.Length;
_relativeJmpPtr = buffer.Add(asm);
}
/* Building functions to hook. */
private void BuildAdd()
{
string[] addFunction = new string[]
{
$"{_use32}",
$"push {_ebp}",
$"mov {_ebp}, {_esp}",
$"mov {_eax}, {_edx}", // Right Parameter
$"add {_eax}, {_ecx}", // Left Parameter
$"pop {_ebp}",
$"ret"
};
var result = _assembler.Assemble(addFunction);
Add = _memory.Allocate(result.Length);
_memory.WriteRaw(Add, result);
}
/* Building functions to hook. */
private void BuildAdd(IMemoryAllocator alloc)
{
int wordSize = IntPtr.Size;
string[] addFunction = new string[]
{
$"{_use32}",
$"push {_ebp}",
$"mov {_ebp}, {_esp}",
$"mov {_eax}, [{_ebp} + {wordSize * 2}]", // Left Parameter
$"mov {_ecx}, [{_ebp} + {wordSize * 3}]", // Right Parameter
$"add {_eax}, {_ecx}",
$"pop {_ebp}",
$"ret"
};
var result = _assembler.Assemble(addFunction);
Add = alloc.Allocate(result.Length);
_memory.WriteRaw(Add, result);
}
private void BuildAdd()
{
string[] addFunction = new string[]
{
$"use64",
$"lea eax, [rcx+rdx]",
$"ret",
};
var result = _assembler.Assemble(addFunction);
Add = _memory.Allocate(result.Length);
_memory.WriteRaw(Add, result);
}
private void BuildAdd()
{
string[] addFunction = new string[]
{
$"use32",
$"mov eax, [esp+8]", // Right Parameter
$"add eax, [esp+4]", // Left Parameter
$"ret 8",
};
var result = _assembler.Assemble(addFunction);
Add = _memory.Allocate(result.Length);
_memory.WriteRaw(Add, result);
}
private void BuildNativeFunction()
{
int wordSize = IntPtr.Size;
string[] addFunction = new string[]
{
$"{_use32}",
$"push {_ebp}",
$"mov {_ebp}, {_esp}",
$"mov {_eax}, [{_ebp} + {wordSize * 2}]", // Left Parameter
$"mov {_ecx}, [{_ebp} + {wordSize * 3}]", // Right Parameter
$"add {_eax}, {_ecx}",
$"pop {_ebp}",
$"ret"
};
var result = _assembler.Assemble(addFunction);
var func = _memory.Allocate(result.Length);
_memory.WriteRaw(func, result);
_nativeFunctions.Add(func);
}
