private RemoteExecution(Context c, AssemblySnippet asm)
{
Thread = 0;
Context = c;
FlagAddress = NativeFunctions.VirtualAllocEx(c.Handle, 0, 4, NativeFunctions.AllocationType.Commit, NativeFunctions.MemoryProtection.ExecuteReadWrite);
int z = 0;
NativeFunctions.WriteProcessMemory(Context.Handle, FlagAddress, ref z, 4, 0);
Address = NativeFunctions.VirtualAllocEx(c.Handle, 0, 1024, NativeFunctions.AllocationType.Commit, NativeFunctions.MemoryProtection.ExecuteReadWrite);
List <byte> code = new List <byte>();
byte[] b = asm.GetByteCode(Address);
code.AddRange(b);
code.AddRange(Assembler.Assemble("inc [0x" + FlagAddress.ToString("X8") + "]", 0));
code.AddRange(Assembler.Assemble("ret", 0));
NativeFunctions.WriteProcessMemory(c.Handle, Address, code.ToArray(), code.Count, 0);
}
/// <summary>
/// 这个函数被lock了,无法被多个线程同时调用,预防了一些错误
/// </summary>
/// <param name="Context"></param>
/// <param name="snippet"></param>
/// <param name="targetAddr"></param>
/// <param name="once"></param>
/// <param name="execRaw"></param>
/// <param name="codeSize"></param>
/// <returns></returns>
public static Tuple <int, int, int, byte[]> Inject(Context Context, AssemblySnippet snippet, int targetAddr, bool once, bool execRaw = true, int codeSize = 1024)
{
lock (thisLock)
{
int codeAddr = NativeFunctions.VirtualAllocEx(Context.Handle, 0, codeSize, NativeFunctions.AllocationType.Commit, NativeFunctions.MemoryProtection.ExecuteReadWrite);
int compAddr = NativeFunctions.VirtualAllocEx(Context.Handle, 0, codeSize, NativeFunctions.AllocationType.Commit, NativeFunctions.MemoryProtection.ExecuteReadWrite);
int flagAddr = 0;
AssemblySnippet a = AssemblySnippet.FromEmpty();
a.Content.Add(Instruction.Create("__$$__:")); //very begin
a.Content.Add(Instruction.Create("mov dword ptr [" + compAddr + "],1"));
if (once)
{
flagAddr = NativeFunctions.VirtualAllocEx(Context.Handle, 0, codeSize, NativeFunctions.AllocationType.Commit, NativeFunctions.MemoryProtection.ExecuteReadWrite);
NativeFunctions.WriteProcessMemory(Context.Handle, flagAddr, ref once, 4, 0);
a.Content.Add(Instruction.Create("cmp dword ptr [" + flagAddr + "],0"));
a.Content.Add(Instruction.Create("jle jalkjflakjl"));
}
a.Content.Add(snippet);
if (once)
{
a.Content.Add(Instruction.Create("dec dword ptr [" + flagAddr + "]"));
a.Content.Add(Instruction.Create("jalkjflakjl:"));
}
byte[] code = new byte[32];
NativeFunctions.ReadProcessMemory(Context.Handle, targetAddr, code, code.Length, 0);
byte[] headBytes = GetHeadBytes(code);
NativeFunctions.WriteProcessMemory(Context.Handle, codeAddr, ref flagAddr, 4, 0);
NativeFunctions.WriteProcessMemory(Context.Handle, codeAddr + 4, ref compAddr, 4, 0);
int addr = codeAddr + CodeOffset;
byte[] snippetBytes = a.GetByteCode(addr);
NativeFunctions.WriteProcessMemory(Context.Handle, addr, snippetBytes, snippetBytes.Length, 0);
addr += snippetBytes.Length;
if (execRaw)
{
NativeFunctions.WriteProcessMemory(Context.Handle, addr, headBytes, headBytes.Length, 0);
addr += headBytes.Length;
}
byte[] compBytes = Assembler.Assemble("mov dword ptr [" + compAddr + "],0", addr);
NativeFunctions.WriteProcessMemory(Context.Handle, addr, compBytes, compBytes.Length, 0);
addr += compBytes.Length;
byte[] jmpBackBytes = Assembler.Assemble("jmp " + (targetAddr + headBytes.Length), addr);
NativeFunctions.WriteProcessMemory(Context.Handle, addr, jmpBackBytes, jmpBackBytes.Length, 0);
addr += jmpBackBytes.Length;
byte[] jmpToBytesRaw = Assembler.Assemble("jmp " + (codeAddr + CodeOffset), targetAddr);
byte[] jmpToBytes = new byte[headBytes.Length];
for (int i = 0; i < 5; i++)
{
jmpToBytes[i] = jmpToBytesRaw[i];
}
for (int i = 5; i < headBytes.Length; i++)
{
jmpToBytes[i] = 0x90; //nop
}
//Console.WriteLine(codeAddr.ToString("X8"));
//Console.ReadKey();
NativeFunctions.WriteProcessMemory(Context.Handle, targetAddr, jmpToBytes, jmpToBytes.Length, 0);
return(new Tuple <int, int, int, byte[]>(codeAddr, flagAddr, compAddr, headBytes));
}
}
