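/// <summary>
/// Emits a small 32-bit x86 stub into the target process that calls <paramref name="funcPtr"/>
/// with the supplied arguments and calling convention, runs it (through a delegate when
/// <c>process_thisprocess</c> is set, otherwise on a thread created in <c>Handle</c>), and
/// hands the EAX result back wrapped in a <typeparamref name="T"/>.
/// </summary>
/// <typeparam name="T">Return-value wrapper; a <c>ValueLength()</c> of 0 means the call returns nothing.</typeparam>
/// <param name="type">Calling convention of the callee; decides the ECX/EDX setup and who cleans the stack.</param>
/// <param name="thisPtr">Value loaded into ECX for THISCALL and FASTCALL.</param>
/// <param name="fcallArg">Value loaded into EDX for FASTCALL.</param>
/// <param name="funcPtr">Absolute address of the callee; must be non-zero.</param>
/// <param name="args">Arguments, pushed right-to-left; null entries are skipped (same as the static overload).</param>
/// <returns>The populated <typeparamref name="T"/>, or null when <typeparamref name="T"/> reports no return value.</returns>
/// <exception cref="ArgumentException"><paramref name="funcPtr"/> is zero, or an argument does not expand to whole dwords.</exception>
/// <exception cref="InvalidOperationException">The remote thread could not be created, or the emitted stub does not match the size that was allocated.</exception>
/// <remarks>
/// The stub uses pushad/popad (0x60/0x61) and 32-bit absolute addresses, so it is only valid
/// for an x86 target; <c>ToInt32()</c> on a 64-bit allocation throws, which is the intended outcome.
/// Writing and executing code in another process needs an appropriately privileged <c>Handle</c>
/// and executable memory from <c>Alloc</c> (assumed here, not visible in this method).
/// </remarks>
private T MAKECALL<T>(CALLTYPE type, UInt32 thisPtr, UInt32 fcallArg, UInt32 funcPtr, CallValue[] args) where T : CallValue, new()
{
    if (funcPtr == 0)
    {
        throw new ArgumentException("Funcptr not found", nameof(funcPtr));
    }

    T returnValue = new T();
    uint valueLength = returnValue.ValueLength();
    bool hasReturn = valueLength != 0;
    bool isCdecl = type == CALLTYPE.CDECLCALL;

    List<byte> code = new List<byte>();
    code.Add(0x60); // pushad: preserve every GPR of the thread that runs the stub

    // Arguments are pushed right-to-left; one CallValue may expand to several dwords.
    // 0x68 is "push imm32", so every element must be exactly four bytes.
    int pushedDwords = 0;
    if (args != null)
    {
        for (int i = args.Length - 1; i >= 0; i--)
        {
            CallValue arg = args[i];
            if (arg == null)
            {
                continue;
            }
            var dwords = arg.getCallParam();
            for (int k = dwords.Count - 1; k >= 0; k--)
            {
                int before = code.Count;
                code.Add(0x68);
                code.AddRange(dwords[k]);
                if (code.Count - before != 5)
                {
                    throw new ArgumentException("MAKECALL: every call parameter must be exactly 4 bytes", nameof(args));
                }
                pushedDwords++;
            }
        }
    }

    if (type == CALLTYPE.THISCALL || type == CALLTYPE.FASTCALL)
    {
        code.Add(0xB9); // mov ecx, imm32 (this pointer)
        code.AddRange(BitConverter.GetBytes(thisPtr));
    }
    if (type == CALLTYPE.FASTCALL)
    {
        code.Add(0xBA); // mov edx, imm32 (second register argument)
        code.AddRange(BitConverter.GetBytes(fcallArg));
    }

    // cdecl is caller-cleanup: "add esp, N". The short form (83 C4 ib) only holds a signed
    // 8-bit immediate, so 32 or more pushed dwords need the imm32 form (81 C4 id); silently
    // truncating N to a byte would corrupt the target's stack.
    int cleanupBytes = pushedDwords * 4;
    int cleanupSize = 0;
    if (isCdecl)
    {
        cleanupSize = cleanupBytes <= 0x7F ? 3 : 6;
    }

    // Exact size of what is still appended: call rel32 (5), optional "mov [imm32], eax" (5),
    // optional "add esp" (3 or 6), popad (1), ret (1). The mov is always 5 bytes regardless
    // of the return value's width, so the allocation is sized by the instruction, not by T.
    uint length = (uint)(code.Count + 5 + (hasReturn ? 5 : 0) + cleanupSize + 2);

    IntPtr baseadress = Alloc(length);
    IntPtr returnAddress = IntPtr.Zero;
    uint slotLength = 0;
    bool stubMayBeRunning = false;
    try
    {
        if (hasReturn)
        {
            // The stub stores the full 32-bit EAX and ReadInt reads 4 bytes back,
            // so the slot is never smaller than a dword.
            slotLength = Math.Max(valueLength, 4u);
            returnAddress = Alloc(slotLength);
        }

        // call rel32: displacement is relative to the end of this 5-byte instruction.
        code.Add(0xE8);
        int callEnd = baseadress.ToInt32() + code.Count + 4;
        uint rel32 = unchecked((uint)((long)funcPtr - callEnd));
        code.AddRange(BitConverter.GetBytes(rel32));

        if (hasReturn)
        {
            code.Add(0xA3); // mov [imm32], eax: park the return value where the caller can read it
            code.AddRange(BitConverter.GetBytes((uint)returnAddress.ToInt32()));
        }

        if (isCdecl)
        {
            if (cleanupSize == 3)
            {
                code.AddRange(new byte[] { 0x83, 0xC4, (byte)cleanupBytes }); // add esp, imm8
            }
            else
            {
                code.AddRange(new byte[] { 0x81, 0xC4 }); // add esp, imm32
                code.AddRange(BitConverter.GetBytes(cleanupBytes));
            }
        }

        code.Add(0x61); // popad
        code.Add(0xC3); // ret

        if (code.Count != length)
        {
            // Never write past (or short of) what was allocated in the target.
            throw new InvalidOperationException("MAKECALL: emitted stub size does not match the allocation");
        }
        Write(code.ToArray(), baseadress.ToInt32());

        stubMayBeRunning = true;
        if (process_thisprocess)
        {
            call mc = (call)Marshal.GetDelegateForFunctionPointer(baseadress, typeof(call));
            mc();
        }
        else
        {
            uint threadID;
            IntPtr hThread = Kernel.Process.CreateRemoteThread(Handle, IntPtr.Zero, 0, baseadress, IntPtr.Zero, 0, out threadID);
            if (hThread == IntPtr.Zero)
            {
                stubMayBeRunning = false; // nothing was started, the allocations can be released
                throw new InvalidOperationException("MAKECALL: CreateRemoteThread failed");
            }
            try
            {
                // The stub memory is released below, so the thread must be done with it first.
                WaitForThreadToExit(hThread);
            }
            finally
            {
                CloseHandle(hThread);
            }
        }
        stubMayBeRunning = false;

        if (!hasReturn)
        {
            return null;
        }
        // The slot holds whatever the callee left in EAX.
        returnValue.Initialize(this, ReadInt(returnAddress.ToInt32()));
        return returnValue;
    }
    finally
    {
        // If the wait failed we cannot know whether the stub is still executing; leaking the
        // pages is safer than freeing code (and the return slot) out from under a live thread.
        if (!stubMayBeRunning)
        {
            if (returnAddress != IntPtr.Zero)
            {
                Free(returnAddress, slotLength);
            }
            Free(baseadress, length);
        }
    }
}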
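/// <summary>
/// In-process variant: emits a small 32-bit x86 stub that calls <paramref name="funcPtr"/>
/// with the supplied arguments and calling convention, invokes it through a delegate, and
/// hands the EAX result back wrapped in a <typeparamref name="T"/>.
/// </summary>
/// <typeparam name="T">Return-value wrapper; a <c>ValueLength()</c> of 0 means the call returns nothing.</typeparam>
/// <param name="type">Calling convention of the callee; decides the ECX/EDX setup and who cleans the stack.</param>
/// <param name="thisPtr">Value loaded into ECX for THISCALL and FASTCALL.</param>
/// <param name="fcallArg">Value loaded into EDX for FASTCALL.</param>
/// <param name="funcPtr">Absolute address of the callee; must be non-zero (negative values are valid high addresses).</param>
/// <param name="args">Arguments, pushed right-to-left; null entries are skipped.</param>
/// <returns>The populated <typeparamref name="T"/>, or null when <typeparamref name="T"/> reports no return value.</returns>
/// <exception cref="ArgumentException"><paramref name="funcPtr"/> is zero, or an argument does not expand to whole dwords.</exception>
/// <exception cref="InvalidOperationException">The emitted stub does not match the size that was allocated.</exception>
/// <remarks>
/// The stub uses pushad/popad (0x60/0x61) and 32-bit absolute addresses, so it is only valid
/// in an x86 process; <c>ToInt32()</c> on a 64-bit allocation throws, which is the intended
/// outcome. Executing the bytes requires <c>Alloc</c> to return executable memory (assumed, not visible here).
/// </remarks>
private static T MAKECALL<T>(CALLTYPE type, int thisPtr, int fcallArg, int funcPtr, params CallValue[] args) where T : CallValue, new()
{
    if (funcPtr == 0)
    {
        throw new ArgumentException("Process.MAKECALL: Method-pointer not found", nameof(funcPtr));
    }

    T returnValue = new T();
    uint valueLength = returnValue.ValueLength();
    bool hasReturn = valueLength != 0;
    bool isCdecl = type == CALLTYPE.CDECLCALL;

    List<byte> code = new List<byte>();
    code.Add(0x60); // pushad: preserve every GPR of the calling thread

    // Arguments are pushed right-to-left; one CallValue may expand to several dwords.
    // 0x68 is "push imm32", so every element must be exactly four bytes.
    int pushedDwords = 0;
    if (args != null)
    {
        for (int i = args.Length - 1; i >= 0; i--)
        {
            CallValue arg = args[i];
            if (arg == null)
            {
                continue;
            }
            List<byte[]> dwords = arg.GetCallParams();
            for (int k = dwords.Count - 1; k >= 0; k--)
            {
                byte[] dword = dwords[k];
                if (dword == null || dword.Length != 4)
                {
                    throw new ArgumentException("Process.MAKECALL: every call parameter must be exactly 4 bytes", nameof(args));
                }
                pushedDwords++;
                code.Add(0x68);
                code.AddRange(dword);
            }
        }
    }

    if (type == CALLTYPE.THISCALL || type == CALLTYPE.FASTCALL)
    {
        code.Add(0xB9); // mov ecx, imm32 (this pointer)
        code.AddRange(BitConverter.GetBytes(thisPtr));
    }
    if (type == CALLTYPE.FASTCALL)
    {
        code.Add(0xBA); // mov edx, imm32 (second register argument)
        code.AddRange(BitConverter.GetBytes(fcallArg));
    }

    // cdecl is caller-cleanup: "add esp, N". The short form (83 C4 ib) only holds a signed
    // 8-bit immediate, so 32 or more pushed dwords need the imm32 form (81 C4 id); silently
    // truncating N to a byte would corrupt the stack.
    int cleanupBytes = pushedDwords * 4;
    int cleanupSize = 0;
    if (isCdecl)
    {
        cleanupSize = cleanupBytes <= 0x7F ? 3 : 6;
    }

    // Exact size of what is still appended: call rel32 (5), optional "mov [imm32], eax" (5),
    // optional "add esp" (3 or 6), popad (1), ret (1). The mov is always 5 bytes regardless
    // of the return value's width, so the allocation is sized by the instruction, not by T.
    uint length = (uint)(code.Count + 5 + (hasReturn ? 5 : 0) + cleanupSize + 2);

    IntPtr baseadress = Alloc(length);
    IntPtr returnAddress = IntPtr.Zero;
    uint slotLength = 0;
    try
    {
        if (hasReturn)
        {
            // The stub stores the full 32-bit EAX, so the slot is never smaller than a dword.
            slotLength = Math.Max(valueLength, 4u);
            returnAddress = Alloc(slotLength);
        }

        // call rel32: displacement is relative to the end of this 5-byte instruction.
        code.Add(0xE8);
        int rel32 = unchecked(funcPtr - (baseadress.ToInt32() + code.Count + 4));
        code.AddRange(BitConverter.GetBytes(rel32));

        if (hasReturn)
        {
            code.Add(0xA3); // mov [imm32], eax: park the return value where we can read it
            code.AddRange(BitConverter.GetBytes((uint)returnAddress.ToInt32()));
        }

        if (isCdecl)
        {
            if (cleanupSize == 3)
            {
                code.AddRange(new byte[] { 0x83, 0xC4, (byte)cleanupBytes }); // add esp, imm8
            }
            else
            {
                code.AddRange(new byte[] { 0x81, 0xC4 }); // add esp, imm32
                code.AddRange(BitConverter.GetBytes(cleanupBytes));
            }
        }

        code.Add(0x61); // popad
        code.Add(0xC3); // ret

        if (code.Count != length)
        {
            // Never write past (or short of) what was allocated.
            throw new InvalidOperationException("Process.MAKECALL: emitted stub size does not match the allocation");
        }
        Write(baseadress.ToInt32(), code.ToArray());

        // Jump straight into the freshly written bytes.
        call mc = (call)Marshal.GetDelegateForFunctionPointer(baseadress, typeof(call));
        mc();

        if (!hasReturn)
        {
            return null;
        }
        // The slot holds whatever the callee left in EAX.
        returnValue.Initialize(returnAddress.ToInt32());
        return returnValue;
    }
    finally
    {
        // Release both allocations on every path, including exceptions thrown before the call.
        if (returnAddress != IntPtr.Zero)
        {
            Free(returnAddress, slotLength);
        }
        Free(baseadress, length);
    }
}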