/// <summary>
/// Builds the payload that is marshalled into the target process: the two hook
/// stubs plus the absolute addresses they read at run time, all computed relative
/// to <paramref name="payloadPointer"/>.
/// </summary>
/// <param name="payloadPointer">Address in the target process at which this struct will be written; the field pointers are derived from it via <see cref="Marshal.OffsetOf{T}(string)"/>.</param>
/// <param name="originalCreateFileATrampoline">Copy of the import trampoline the target built for CreateFileA, kept so the hook can forward to it.</param>
/// <param name="prefix">Path prefix the CreateFileA hook prepends to the requested file name.</param>
/// <param name="originalFreePointer">Address of the original free routine the free hook tail-jumps to.</param>
/// <param name="findReturnAddress">Return-address value the free hook searches for on the stack; the replacement is this value plus 0x16.</param>
/// <remarks>
/// Both stubs live in fixed 128-byte buffers. <see cref="Array.Resize"/> zero-pads
/// them, and would silently truncate a stub longer than that, so keep the stubs short.
/// The stubs locate this struct by rounding their own address down to a page
/// (<c>call $+5; pop ebx; and ebx, 0xfffff000</c>), so <paramref name="payloadPointer"/>
/// is presumably page-aligned; nothing here enforces it.
/// </remarks>
public Payload(uint payloadPointer, ImportTrampoline originalCreateFileATrampoline, string prefix, uint originalFreePointer, uint findReturnAddress)
{
    // Every stub is padded to this many bytes so the struct has a fixed marshalled size.
    const int HookBufferSize = 128;

    // Absolute in-target addresses of the two fields the CreateFileA stub dereferences.
    uint trampolineOffset = (uint)Marshal.OffsetOf<Payload>(nameof(OriginalCreateFileATrampoline));
    uint prefixOffset = (uint)Marshal.OffsetOf<Payload>(nameof(PrefixCreateFileA));

    OriginalCreateFileATrampoline = originalCreateFileATrampoline;
    OriginalCreateFileAPointer = payloadPointer + trampolineOffset;
    PrefixCreateFileA = prefix;
    PrefixCreateFileAPointer = payloadPointer + prefixOffset;
    OriginalFreePointer = originalFreePointer;
    FindReturnAddress = findReturnAddress;
    // 0x16 bytes past the located return site. This offset is tied to the code the
    // patcher resolves as the return address and must move together with it.
    HookReturnAddress = findReturnAddress + 0x16;

    // CreateFileA replacement, x86 stdcall with CreateFileA's 7 arguments (ret 0x1c).
    // It builds "<prefix><original name>" in a 0x1000-byte stack buffer, calls the
    // original through [ebx] with that name, and if the result is -1
    // (INVALID_HANDLE_VALUE) retries once with the caller's untouched arguments.
    // [ebx] / [ebx+4] are presumably OriginalCreateFileAPointer / PrefixCreateFileAPointer;
    // the struct's field order (not visible here) decides that.
    byte[] createFileAStub = new byte[]
    {
        0xc8, 0x00, 0x10, 0x00,                         // enter 0x1000, 0
        0x53, 0x57, 0x56,                               // push ebx; push edi; push esi
        0xe8, 0x00, 0x00, 0x00, 0x00,                   // call $+5
        0x5b,                                           // pop ebx
        0x81, 0xe3, 0x00, 0xf0, 0xff, 0xff,             // and ebx, 0xfffff000 (page base = this struct)
        0x8d, 0xbd, 0x00, 0xf0, 0xff, 0xff,             // lea edi, [ebp-0x1000]
        0x8b, 0x73, 0x04,                               // mov esi, [ebx+4]
        0xac, 0xaa, 0x84, 0xc0, 0x75, 0xfa,             // copy prefix up to and including NUL
        0x4f,                                           // dec edi (overwrite the NUL)
        0x8b, 0x75, 0x08,                               // mov esi, [ebp+8] (lpFileName)
        0xac, 0xaa, 0x84, 0xc0, 0x75, 0xfa,             // append original name
        0x8d, 0x85, 0x00, 0xf0, 0xff, 0xff,             // lea eax, [ebp-0x1000]
        0xff, 0x75, 0x20, 0xff, 0x75, 0x1c,             // push args 7..2
        0xff, 0x75, 0x18, 0xff, 0x75, 0x14,
        0xff, 0x75, 0x10, 0xff, 0x75, 0x0c,
        0x50,                                           // push eax (prefixed name)
        0xff, 0x13,                                     // call [ebx]
        0x83, 0xf8, 0xff,                               // cmp eax, -1
        0x75, 0x17,                                     // jnz done
        0xff, 0x75, 0x20, 0xff, 0x75, 0x1c,             // push args 7..1 unchanged
        0xff, 0x75, 0x18, 0xff, 0x75, 0x14,
        0xff, 0x75, 0x10, 0xff, 0x75, 0x0c,
        0xff, 0x75, 0x08,
        0xff, 0x13,                                     // call [ebx]
        0x5e, 0x5f, 0x5b,                               // done: pop esi; pop edi; pop ebx
        0xc9,                                           // leave
        0xc2, 0x1c, 0x00,                               // ret 0x1c
    };
    Array.Resize(ref createFileAStub, HookBufferSize);
    HookCreateFileA = createFileAStub;

    // Free replacement. It walks the stack below ebp+0x180 looking for a dword equal
    // to [ebx+0xc], replaces the first match with [ebx+0x10], and then tail-jumps to
    // [ebx+8]. Given the fields set above these are presumably FindReturnAddress,
    // HookReturnAddress and OriginalFreePointer respectively; confirm against the
    // struct layout.
    byte[] freeStub = new byte[]
    {
        0xc8, 0x00, 0x00, 0x00,                         // enter 0, 0
        0x53, 0x56,                                     // push ebx; push esi
        0xe8, 0x00, 0x00, 0x00, 0x00,                   // call $+5
        0x5b,                                           // pop ebx
        0x81, 0xe3, 0x00, 0xf0, 0xff, 0xff,             // and ebx, 0xfffff000
        0x8b, 0x73, 0x0c,                               // mov esi, [ebx+0xc]
        0x89, 0xe8,                                     // mov eax, ebp
        0x05, 0x80, 0x01, 0x00, 0x00,                   // add eax, 0x180
        0x83, 0xe8, 0x04,                               // scan: sub eax, 4
        0x39, 0xe8,                                     // cmp eax, ebp
        0x74, 0x09,                                     // je exit (nothing found)
        0x3b, 0x30,                                     // cmp esi, [eax]
        0x75, 0xf5,                                     // jne scan
        0x8b, 0x73, 0x10,                               // mov esi, [ebx+0x10]
        0x89, 0x30,                                     // mov [eax], esi
        0x8b, 0x43, 0x08,                               // exit: mov eax, [ebx+8]
        0x5e, 0x5b,                                     // pop esi; pop ebx
        0xc9,                                           // leave
        0xff, 0xe0,                                     // jmp eax
    };
    Array.Resize(ref freeStub, HookBufferSize);
    HookFree = freeStub;
}
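/// <summary>
/// Installs the CreateFileA and free hooks into <paramref name="league"/>: waits until
/// the target's CreateFileA import and its free pointer are populated, allocates one
/// executable page for the <see cref="Payload"/>, writes it, and only then redirects
/// the two pointers at the stubs so the target never sees a half-written payload.
/// </summary>
/// <param name="league">Handle to the target process; must not be null.</param>
/// <exception cref="ArgumentNullException"><paramref name="league"/> is null.</exception>
/// <exception cref="InvalidOperationException">The marshalled <see cref="Payload"/> is larger than the region allocated for it.</exception>
public void Patch(LeagueProcess league)
{
    if (league == null)
    {
        throw new ArgumentNullException(nameof(league));
    }

    // The stubs find their data by masking their own address down to a page, so the
    // payload gets exactly one page. It must also be page-aligned; that is assumed to
    // be a property of AllocateMemory — confirm.
    const int PayloadRegionSize = 0x1000;

    // Refuse to write past the allocation. Write(payloadPointer, payload) copies the
    // marshalled struct into the target, and Marshal.SizeOf reports that layout's size
    // (assuming Write uses the same interop marshalling — confirm).
    int payloadSize = Marshal.SizeOf<Payload>();
    if (payloadSize > PayloadRegionSize)
    {
        throw new InvalidOperationException(
            $"Payload is {payloadSize} bytes but only 0x{PayloadRegionSize:X} bytes are allocated for it.");
    }

    uint createFileARefPointer = this.CreateFileARefOffset + league.Base;
    uint createFileAPointer = this.CreateFileAOffset + league.Base;
    uint returnAddress = this.ReturnAddressOffset + league.Base;
    uint freePointer = this.FreePointerOffset + league.Base;
    uint freeFunction = this.FreeFunctionOffset + league.Base;

    // wait until the CreateFileA import slot points at the real function, i.e. the
    // packer has resolved it and the target has used it
    league.WaitPointerEquals(createFileARefPointer, createFileAPointer);
    // wait until the free pointer has been set
    league.WaitPointerNonZero(freePointer);

    // read the trampoline the target generated for CreateFileA; it is forwarded to by the hook
    uint createFileATrampolinePointer = league.Read<uint>(createFileAPointer);
    ImportTrampoline originalCreateFileATrampoline = league.Read<ImportTrampoline>(createFileATrampolinePointer);

    uint payloadPointer = league.AllocateMemory(PayloadRegionSize);
    Payload payload = new Payload(
        payloadPointer: payloadPointer,
        originalCreateFileATrampoline: originalCreateFileATrampoline,
        prefix: PrefixNormalized,
        originalFreePointer: freeFunction,
        findReturnAddress: returnAddress
    );
    uint hookCreateFileAPointer = payload.HookCreateFileAPointer(payloadPointer);
    uint hookFreePointer = payload.HookFreePointer(payloadPointer);
    ImportTrampoline hookCreateFileATrampoline = new ImportTrampoline(hookCreateFileAPointer);

    // the payload must be complete and executable before anything points at it
    league.Write(payloadPointer, payload);
    league.MarkMemoryExecutable(payloadPointer, PayloadRegionSize);

    // write hooks
    league.Write(freePointer, hookFreePointer);
    league.Write(createFileATrampolinePointer, hookCreateFileATrampoline);
}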