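/// <summary>
/// Detours the function at <paramref name="funcAddr"/> through a trampoline taken from
/// <paramref name="heap"/>. The trampoline is a copy of <c>_nops</c> into which the first whole
/// instructions of the target (enough to cover a rel32 jump) are copied at offset <c>0x10</c>,
/// followed by a 4-byte gap and a rel32 jump back to the first target byte that was not relocated.
/// The target's first bytes are then overwritten with a rel32 jump to the trampoline.
/// </summary>
/// <param name="memory">Accessor used to read the target prologue and to write both patches.</param>
/// <param name="funcAddr">Address of the function to detour; the <c>uint</c> casts assume a 32-bit address space.</param>
/// <param name="heap">Source of the trampoline slot.</param>
/// <returns>
/// <c>true</c> when both writes were issued; <c>false</c> when the prologue could not be read, contains an
/// instruction the disassembler did not map to a known <see cref="Opcode"/>, is too short to cover the
/// jump, or does not fit in the trampoline slot. Nothing is written to the target on a <c>false</c> return.
/// </returns>
public static bool Hook(ProcessMemory memory, IntPtr funcAddr, TrampolineHeap heap)
{
    var objectCode = _nops.ToArray();
    // NOTE(review): the slot obtained here is not handed back on the failure paths below —
    // confirm whether TrampolineHeap can reclaim it.
    var trampolineAddr = heap.Allocate((uint)objectCode.Length);
    var jmpToTrampoline = CreateJmpRel32((uint)funcAddr, (uint)trampolineAddr);

    var originalCode = memory.ReadBytes(funcAddr, 0x100);
    if (originalCode == null)
    {
        // Prologue is unreadable; bail out before touching anything.
        return false;
    }

    // Relocate whole instructions only: walk the prologue until the bytes the jump will
    // overwrite are covered, refusing any instruction outside the Opcode enumeration.
    // (Same test as "prefix of known instructions is at least as long as the covering
    // run", done in a single pass with the enum values hoisted out of the loop.)
    var knownOpcodes = new HashSet<Opcode>((Opcode[])Enum.GetValues(typeof(Opcode)));
    var covered = 0;
    foreach (var insn in IA32Disassembler.Disassemble(originalCode))
    {
        if (covered >= jmpToTrampoline.Length)
        {
            break;
        }
        if (!knownOpcodes.Contains(insn.Opcode.Opcode))
        {
            return false;
        }
        covered += insn.Size;
    }
    if (covered < jmpToTrampoline.Length)
    {
        // Disassembly ended before the patch site was covered; relocating fewer bytes
        // than the jump overwrites would corrupt the target.
        return false;
    }
    Array.Resize(ref originalCode, covered);

    // Trampoline layout (offsets into objectCode, n = originalCode.Length):
    //   [0x00, 0x10)           left as in _nops
    //   [0x10, 0x10 + n)       relocated prologue, copied verbatim (no fix-up of
    //                          position-dependent instructions is performed here)
    //   [0x10 + n, 0x14 + n)   4-byte gap, left as in _nops (purpose not visible here)
    //   [0x14 + n, ...)        jmp back to funcAddr + n
    const int originalCodeOffset = 0x10;
    var jmpToFuncOffset = (uint)originalCodeOffset + (uint)originalCode.Length + 0x4;
    var jmpToFunc = CreateJmpRel32(
        (uint)trampolineAddr + jmpToFuncOffset,
        (uint)funcAddr + (uint)originalCode.Length);
    if (jmpToFuncOffset + jmpToFunc.Length > objectCode.Length)
    {
        // The _nops block cannot hold the relocated prologue plus the return jump.
        return false;
    }
    originalCode.CopyTo(objectCode, originalCodeOffset);
    jmpToFunc.CopyTo(objectCode, jmpToFuncOffset);

    // Publish the complete trampoline before redirecting the target, so control never
    // reaches a half-written slot.
    memory.Write(trampolineAddr, objectCode);
    memory.Write(funcAddr, jmpToTrampoline);
    return true;
}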
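/// <summary>
/// Installs a software breakpoint at <paramref name="address"/>: the original byte is saved in
/// <c>BreakpointTable</c>, a hit counter is started in <c>HitTable</c>, and the byte is replaced
/// by <c>0xCC</c> (INT3).
/// </summary>
/// <param name="address">Address of the instruction byte to patch.</param>
/// <returns>
/// <c>true</c> when the breakpoint was written; <c>false</c> when one is already registered for
/// <paramref name="address"/> or the original byte could not be read. Nothing is modified on <c>false</c>.
/// </returns>
public bool SetBreakpoint(IntPtr address)
{
    // One breakpoint per address: a second install would save 0xCC as the "original" byte.
    if (BreakpointTable.ContainsKey(address))
    {
        return false;
    }

    var original = mem.ReadBytes(address, 0x1);
    if (original == null || original.Length < 1)
    {
        // Unreadable address; do not register a breakpoint we cannot restore.
        return false;
    }

    // Patch first, then record: if the write throws, no phantom entry is left behind.
    mem.Write(address, new byte[] { 0xCC });
    BreakpointTable.Add(address, original[0]);
    HitTable.Add(address, 0);
    return true;
}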
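/// <summary>
/// Reads <c>count / 4</c> 32-bit words starting at the thread's ESP and collects every word that
/// points into memory the process reports as readable and executable.
/// </summary>
/// <param name="count">Number of stack bytes to inspect; only whole 32-bit words are read.</param>
/// <returns>
/// The candidate code addresses in the order <c>GetIntPtrs</c> yields them, or <c>null</c> when the
/// stack pointer is unusable or the stack window could not be read. An empty list means the window
/// contained no executable pointers.
/// </returns>
public List<uint> GetFunctionPointers(int count)
{
    var reader = new ProcessMemory(Process);
    var context = ProcessMemory.GetContext(ThreadId);

    IntPtr stackTop;
    try
    {
        stackTop = (IntPtr)context.Esp;
    }
    catch (OverflowException)
    {
        // On a 32-bit runtime the uint -> IntPtr conversion rejects values above int.MaxValue;
        // treat that as "no usable stack pointer" rather than failing the caller.
        return null;
    }
    if (stackTop == IntPtr.Zero)
    {
        return null;
    }

    var stack = reader.ReadUInt32s(stackTop, count / 4);
    if (stack == null)
    {
        return null;
    }

    var pointers = new List<uint>();
    foreach (var candidate in GetIntPtrs(stack))
    {
        // Keep a word only if 0x20 bytes at it are readable and the region is executable;
        // everything else is skipped.
        if (reader.ReadBytes(candidate, 0x20) == null || !reader.IsExecutable(candidate))
        {
            continue;
        }
        pointers.Add((uint)candidate);
    }
    return pointers;
}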