public void CallCustomX86(Action <X86Writer> writeX86) { if (CodeHandle.IsClosed || CodeHandle.IsInvalid) { CompletelyReInitializeAndInjectCodeInNewLocation(); } Kernel.CheckAddress(CodeHandle.GetHandle().ToInt64(), FUNCTION_CALL_ASM_BUFFER_SIZE, "execute function"); Buffer_ParamPointerList.Clear(); AsmBuffer.Position = 0; X86Writer asm = new X86Writer(AsmBuffer, CodeHandle.GetHandle()); writeX86.Invoke(asm); if (WriteAsm((uint)CodeHandle.GetHandle(), AsmBuffer.ToArray(), (int)AsmBuffer.Position)) { var threadHandle = new SafeRemoteThreadHandle(CodeHandle); if (!threadHandle.IsClosed & !threadHandle.IsInvalid) { Kernel.WaitForSingleObject(threadHandle.GetHandle(), MAX_WAIT); } threadHandle.Close(); threadHandle.Dispose(); threadHandle = null; } }
public T CallIngameFuncReg <T>(Memloc functionAddress, IEnumerable <dynamic> args, dynamic eax = null, dynamic ecx = null, dynamic edx = null, dynamic ebx = null, dynamic esp = null, dynamic esi = null, dynamic edi = null) { if (CodeHandle.IsClosed || CodeHandle.IsInvalid) { CompletelyReInitializeAndInjectCodeInNewLocation(); } Kernel.CheckAddress(CodeHandle.GetHandle(), FUNCTION_CALL_ASM_BUFFER_SIZE, "execute function"); Buffer_ParamPointerList.Clear(); InitAsmBuffer(functionAddress, args, Buffer_ParamPointerList, eax, ecx, edx, ebx, esp, esi, edi); if (!InjectEntireCodeBuffer()) { Extra.Dbg.PrintErr("WARNING: CODE INJECT FAILURE"); } //luai.DebugUpdate() foreach (SafeRemoteHandle ptr in Buffer_ParamPointerList) { ptr.Dispose(); } Buffer_ResultBytes = ExecuteAsm(); Buffer_Result = GetFunctionCallResult <T>(Buffer_ResultBytes); foreach (SafeRemoteHandle ptr in Buffer_ParamPointerList) { ptr.Close(); ptr.Dispose(); } Buffer_ParamPointerList.Clear(); return(Buffer_Result); }
public void CallArrayOfBytes(byte[] asmBytes) { if (CodeHandle.IsClosed || CodeHandle.IsInvalid) { CompletelyReInitializeAndInjectCodeInNewLocation(); } if (WriteAsm((uint)CodeHandle.GetHandle().ToInt64(), asmBytes, asmBytes.Length)) { var threadHandle = new SafeRemoteThreadHandle(CodeHandle); if (!threadHandle.IsClosed & !threadHandle.IsInvalid) { Kernel.WaitForSingleObject(threadHandle.GetHandle(), MAX_WAIT); } threadHandle.Close(); threadHandle.Dispose(); threadHandle = null; } }
public T CallIngameFunc64 <T>(Memloc functionAddress, IEnumerable <dynamic> args) { if (CodeHandle.IsClosed || CodeHandle.IsInvalid) { CompletelyReInitializeAndInjectCodeInNewLocation(); } Kernel.CheckAddress(CodeHandle.GetHandle(), FUNCTION_CALL_ASM_BUFFER_SIZE, "execute function"); byte[] byt = InitAsm64Buffer(functionAddress, args, Buffer_ParamPointerList); if (!(WriteAsm(CodeHandle.GetHandle(), byt, byt.Length))) { Extra.Dbg.PrintErr("WARNING: CODE INJECT FAILURE"); } foreach (SafeRemoteHandle ptr in Buffer_ParamPointerList) { ptr.Dispose(); } Buffer_ResultBytes = ExecuteAsm(); Buffer_Result = GetFunctionCallResult <T>(Buffer_ResultBytes); foreach (SafeRemoteHandle ptr in Buffer_ParamPointerList) { ptr.Close(); ptr.Dispose(); } Buffer_ParamPointerList.Clear(); return(Buffer_Result); }
private byte[] InitAsm64Buffer(IntPtr funcAddr, IEnumerable <dynamic> parameters, List <SafeRemoteHandle> allocPtrList, dynamic rax = null, dynamic rcx = null, dynamic rdx = null, dynamic rbx = null, dynamic rsp = null, dynamic rsi = null, dynamic rdi = null) { var args = parameters.ToArray(); byte[] asm64 = { 0x9C, //pushfq 0x48, 0x81, 0xC4, 0x80, 0x00, 0x00, 0x00, //add rsp, 00000080 0x48, 0xBA, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, //mov rdx, 00 (0xA = rdx loc) 0x49, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, //mov r8, 00 (20d) 0x49, 0xB9, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, //mov r9, 00 (30d) 0x48, 0xB9, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, //mov rcx, 00 (40d) 0x48, 0x89, 0x4C, 0x24, 0x20, //mov [rsp+28],rcx 0x48, 0xB9, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, //mov rcx, 00 (55d) 0x48, 0x89, 0x4C, 0x24, 0x28, //mov [rsp+28],rcx 0xFF, 0x15, 0x02, 0x00, 0x00, 0x00, 0xEB, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, //call absolute address (76d) 0x48, 0xBB, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, //mov val return address to rbx (81d) 0x48, 0x89, 0x03, //mov [rbx], rax 0x48, 0x81, 0xEC, 0x80, 0x00, 0x00, 0x00, //sub rsp, 00000080 0x9D, //popfq 0xC3 //retn }; /* * if (args.Length > 0) { Array.Copy(BitConverter.GetBytes((Int64)args[0]), 0, asm64, 0xA, 8); } * if (args.Length > 1) { Array.Copy(BitConverter.GetBytes((Int64)args[1]), 0, asm64, 20, 8); } * if (args.Length > 2) { Array.Copy(BitConverter.GetBytes((Int64)args[2]), 0, asm64, 30, 8); } * if (args.Length > 3) { Array.Copy(BitConverter.GetBytes((Int64)args[3]), 0, asm64, 40, 8); } * if (args.Length > 4) { Array.Copy(BitConverter.GetBytes((Int64)args[4]), 0, asm64, 55, 8); } */ //Fix this damn int conversion crap List <Int32> intargs = new List <Int32>(); for (int i = 0; i < (args.Count()); i++) { intargs.Add(ToInt32(args[i])); } if (intargs.Count() > 0) { Array.Copy(BitConverter.GetBytes(intargs[0]), 0, asm64, 0xA, 4); } if (intargs.Count() > 1) { Array.Copy(BitConverter.GetBytes(intargs[1]), 0, asm64, 20, 4); } if (intargs.Count() > 2) { Array.Copy(BitConverter.GetBytes(intargs[2]), 0, asm64, 30, 4); } if (intargs.Count() > 3) { Array.Copy(BitConverter.GetBytes(intargs[3]), 0, asm64, 40, 4); } if (intargs.Count() > 4) { Array.Copy(BitConverter.GetBytes(intargs[4]), 0, asm64, 55, 4); } Array.Copy(BitConverter.GetBytes((Int64)funcAddr), 0, asm64, 76, 8); Array.Copy(BitConverter.GetBytes(CodeHandle.GetHandle().ToInt64() + 0x200), 0, asm64, 86, 8); //Move rax to return address return(asm64); }
private void InitAsmBuffer(int funcAddr, IEnumerable <dynamic> parameters, List <SafeRemoteHandle> allocPtrList, dynamic eax = null, dynamic ecx = null, dynamic edx = null, dynamic ebx = null, dynamic esp = null, dynamic esi = null, dynamic edi = null) { var args = parameters.ToArray(); AsmBuffer.Position = 0; X86Writer asm = new X86Writer(AsmBuffer, CodeHandle.GetHandle()); //ASM START: asm.Push32(Reg32.EBP); asm.Mov32(Reg32.EBP, Reg32.ESP); asm.Push32(Reg32.EAX); for (int i = args.Length - 1; i >= 0; i += -1) { asm.Mov32(Reg32.EAX, SquashIntoDword(ref allocPtrList, args[i])); asm.Push32(Reg32.EAX); } if (eax != null) { asm.Mov32(Reg32.EAX, SquashIntoDword(ref allocPtrList, eax)); } if (ecx != null) { asm.Mov32(Reg32.ECX, SquashIntoDword(ref allocPtrList, ecx)); } if (edx != null) { asm.Mov32(Reg32.EDX, SquashIntoDword(ref allocPtrList, edx)); } if (ebx != null) { asm.Mov32(Reg32.EBX, SquashIntoDword(ref allocPtrList, ebx)); } if (esp != null) { asm.Mov32(Reg32.ESP, SquashIntoDword(ref allocPtrList, esp)); } if (esi != null) { asm.Mov32(Reg32.ESI, SquashIntoDword(ref allocPtrList, esi)); } if (edi != null) { asm.Mov32(Reg32.EDI, SquashIntoDword(ref allocPtrList, edi)); } //CALL LUA FUNCTION: asm.Call(new IntPtr(funcAddr)); AsmLocAfterLuaFunctionCall = new MoveableAddressOffset(this, asm.Position); //SET RETURN POS: asm.Mov32(Reg32.EBX, CodeHandle.GetHandle().ToInt32() + FUNC_RETURN_ADDR_OFFSET); asm.Mov32(new Addr(Reg32.EBX, 0), Reg32.EAX); //mov [ebx], eax asm.Pop32(Reg32.EAX); for (int i = args.Length - 1; i >= 0; i += -1) { asm.Pop32(Reg32.EAX); } asm.Mov32(Reg32.ESP, Reg32.EBP); asm.Pop32(Reg32.EBP); asm.Retn(); }