Closed
Have a look at: [link]
Quote:
Hi,
After allocating memory in a process and writing memory, how can I jump to the address at the end of the injection?
Using ret didn't help.
I just wanted to know how to calculate the address and the allocated memory page address.
Thanks.
;==================================================================================
; Function:        _InjectOpcodeAtAddress($memopen, $des_address, $size, $opcodes)
; Description:     Injects a Code-Cave with the specified Opcodes at a specified address.
;                  The Opcodes which were at $des_address are restored and will be executed
;                  even with an active Code-Cave.
; Parameter(s):    $memopen     - A handle returned by _MemoryOpen (Nomad.au3)
;                                 or _MemoryManipulationOpen (CCInject.au3)
;                  $des_address - Address where the Opcode should be injected.
;                  $size        - Number of bytes used at $des_address (min. 5 bytes) to get complete instructions.
;                  $opcodes     - The Opcode which should be injected into the process.
; Requirement(s):
; Return Value(s): On Success - Returns an array of information:
;                    0 - Code-Cave's base address
;                    1 - Old Opcode at Code-Cave's address (should be 0000...)
;                    2 - Opcode which was injected
;                    3 - Opcode which was at $des_address
;                    4 - New Opcode which is now at $des_address
;                  On Failure - Returns -1
;                  @Error - 0 = No error.
;                           1 = $size is less than 5.
; Author(s):       Shadow992
; Note(s):
;==================================================================================
Func _InjectOpcodeAtAddress($memopen, $des_address, $size, $opcodes)
    $opcodes = StringReplace($opcodes, " ", "")
    $opcodes = StringReplace($opcodes, "0x", "")
    If $size < 5 Then
        SetError(1)
        Return -1
    EndIf
    Local $old_opcode[5], $temp, $code_cave_address = 0
    Local $code_cave_address_bytes, $bytes_for_code_cave, $len, $return_offset_bytes
    Local $nops = ""
    ; pad the overwritten bytes beyond the 5-byte JMP with NOPs
    For $i = 5 To $size - 1
        $nops &= "90"
    Next
    ; cave = stolen bytes ($size) + injected opcodes + 5-byte JMP back
    $len = StringLen($opcodes) / 2 + 5 + $size
    $code_cave_address = _AllocateMemory($memopen, $len + 1)
    ; the rel32 of a JMP is relative to the end of the 5-byte instruction
    $temp = $code_cave_address - $des_address - 5
    $code_cave_address_bytes = _ConvertHexToBytes(Hex($temp), 8)
    ; write "JMP cave" at $des_address; the write returns the bytes that were there
    $old_opcode[3] = _MemoryBytesWrite($memopen, $des_address, "E9" & $code_cave_address_bytes & $nops)
    ; JMP from the end of the cave back to the first instruction after the patch
    $return_offset_bytes = _ConvertHexToBytes(Hex(($des_address + $size) - ($code_cave_address + StringLen($opcodes) / 2 + 5 + StringLen($old_opcode[3]) / 2)), 8)
    $old_opcode[2] = $old_opcode[3] & $opcodes & "E9" & $return_offset_bytes
    $old_opcode[1] = _MemoryBytesWrite($memopen, $code_cave_address, $old_opcode[2])
    $old_opcode[4] = "E9 " & $code_cave_address_bytes & $nops
    $old_opcode[0] = Hex($code_cave_address)
    Return $old_opcode
EndFunc   ;==>_InjectOpcodeAtAddress
That's no solution, that's complete bullshit. Just stop trying to do your copypasta everywhere. I'm not even sure if you even knew yourself what you were trying to do.
Quote:
Thanks Shadow, I solved the problem ...
So for everyone who is having the same problem as me, the solution is:
[..]
Using a return for a jmp, gg wp.
Quote:
Using ret didn't help.
Quote:
That's no solution, that's complete bullshit. Just stop trying to do your copypasta everywhere. I'm not even sure if you even knew yourself what you were trying to do.
Using a return for a jmp, gg wp.
You should at least know what a return does from general coding, and how it isn't related to jumping; instead it is related to calls.
I asked for help with something I am trying to do and I was having this problem, so where's the copy-paste? And I know what I am doing.
Quote:
Just stop trying to do your copypasta everywhere
; $hAddress, $hAddress_Alloc, $Value and $Process are defined elsewhere in the script
$JMP_Opcode = Byte_Reverse(Calc(Dec($hAddress_Alloc) - $Value, $hAddress, 1)) ; JUMP hAddress
Global $shellcode = "0xE9" & $JMP_Opcode

Func Byte_Reverse($SBYTES)
    ; reverse the byte order of a hex string (big-endian text -> little-endian bytes)
    Local $SREVERSED = ""
    For $I = StringLen($SBYTES) - 1 To 1 Step -2
        $SREVERSED &= StringMid($SBYTES, $I, 2)
    Next
    Return $SREVERSED
EndFunc   ;==>Byte_Reverse

Func Calc($dwCall, $dwAddress, $i = 0)
    ; relative displacement for a 5-byte JMP/CALL from $dwAddress to $dwCall
    If Not IsInt($dwCall) Then $dwCall = Dec(StringReplace($dwCall, "0x", ""))
    If Not IsInt($dwAddress) Then $dwAddress = Dec(StringReplace($dwAddress, "0x", ""))
    If $i = 1 Then ; swap source and destination
        Local $tmp = $dwCall
        $dwCall = $dwAddress
        $dwAddress = $tmp
    EndIf
    ; the post ends the function without a Return; target - source - 5 as an 8-digit hex string is the assumed intent
    Return Hex($dwCall - $dwAddress - 5, 8)
EndFunc   ;==>Calc

$Handle = OpenProcess(0x1F0FFF, False, ProcessExists($Process)) ; PROCESS_ALL_ACCESS
DETOUR($Handle, $hAddress, $hAddress_Alloc, 0x5)
CloseHandle($Handle)

Func DETOUR($hProcess, $lpSource, $lpDestination, $iSize)
    Local Const $NOP = 0x90
    Local Const $JMP = 0xE9
    If $iSize < 5 Then ; size must be at least 5
        SetError(1) ; at least 5 bytes are needed for a JMP
        Return -1
    EndIf
    For $i = 0 To $iSize - 1
        WriteProcessMemory($hProcess, $lpSource + $i, $NOP, 'byte') ; NOP all bytes
    Next
    ; write the detour
    WriteProcessMemory($hProcess, $lpSource, $JMP, 'byte') ; JMP opcode
    Local $lpStruc = DllStructCreate("DWORD Offset") ; wraps a negative displacement into 32 bits
    DllStructSetData($lpStruc, "Offset", $lpDestination - $lpSource - 5) ; rel32 is relative to the end of the JMP
    WriteProcessMemory($hProcess, $lpSource + 1, DllStructGetData($lpStruc, "Offset"), 'dword')
    Return 0
EndFunc   ;==>DETOUR

Func WriteProcessMemory($hProcess, $lpBaseAddress, $Value, $Type = 'dword')
    Local $dsBuffer = DllStructCreate($Type)
    DllStructSetData($dsBuffer, 1, $Value)
    Local $ret = DllCall('kernel32.dll', 'bool', 'WriteProcessMemory', 'handle', $hProcess, 'ptr', $lpBaseAddress, 'ptr', DllStructGetPtr($dsBuffer), 'int', DllStructGetSize($dsBuffer), 'int', 0)
    Return $ret[0]
EndFunc   ;==>WriteProcessMemory

Func OpenProcess($dwAccess, $bInheritHandle, $dwProcessId)
    Local $ret = DllCall('kernel32.dll', 'handle', 'OpenProcess', 'dword', $dwAccess, 'bool', $bInheritHandle, 'dword', $dwProcessId)
    Return $ret[0]
EndFunc   ;==>OpenProcess

Func CloseHandle($hObject)
    Local $ret = DllCall('kernel32.dll', 'bool', 'CloseHandle', 'handle', $hObject)
    Return $ret[0]
EndFunc   ;==>CloseHandle
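Both AutoIt routines in this thread (Shadow992's _InjectOpcodeAtAddress with `$code_cave_address - $des_address - 5`, and DETOUR with `$lpDestination - $lpSource - 5`) reduce to one calculation: the 4-byte displacement after an E9 near jump is signed, little-endian, and relative to the instruction that follows the jump, i.e. the JMP's own address plus 5. The same formula gives the jump back at the end of the cave, which is the part the original question asked about. The block below is an added example, not code from this thread or from either poster; it encodes both patches, then decodes them the way an analyst checks a function prologue for an inline hook (read the first bytes, and if they start with E9, resolve where control actually goes). All addresses and bytes are constructed sample values for a 32-bit process.

```python
"""Relative JMP (E9) displacement arithmetic for a code cave.

Added example; not code from this thread or from either poster. Addresses and
bytes below are constructed sample values (32-bit process assumed).
"""
import struct

JMP_REL32 = 0xE9   # near jump with a 32-bit signed displacement
NOP = 0x90
JMP_LEN = 5        # opcode byte + 4 displacement bytes


def encode_jmp_rel32(src: int, dst: int) -> bytes:
    """Return the 5-byte E9 instruction that, placed at src, jumps to dst.

    The displacement is relative to the *next* instruction, i.e. src + 5,
    which is the "- 5" in both AutoIt functions in the thread.
    """
    rel = dst - (src + JMP_LEN)
    if not -0x80000000 <= rel <= 0x7FFFFFFF:
        raise ValueError("target not reachable with a rel32 jump")
    return bytes([JMP_REL32]) + struct.pack("<i", rel)   # little-endian signed


def decode_jmp_rel32(src: int, code: bytes):
    """If the bytes at src start with an E9 jump, return its absolute target, else None."""
    if len(code) < JMP_LEN or code[0] != JMP_REL32:
        return None
    (rel,) = struct.unpack("<i", code[1:JMP_LEN])
    return (src + JMP_LEN + rel) & 0xFFFFFFFF


def build_detour(hook_addr: int, cave_addr: int, stolen: bytes):
    """Build both patches of a code cave (what the thread's functions write).

    stolen: the original bytes overwritten at hook_addr; must be whole
            instructions and at least 5 bytes long.
    Returns (bytes written at hook_addr, bytes written at cave_addr).
    """
    if len(stolen) < JMP_LEN:
        raise ValueError("need at least 5 bytes at the hook address for the JMP")
    # hook site: JMP cave, then NOPs covering the rest of the overwritten instructions
    patch = encode_jmp_rel32(hook_addr, cave_addr) + bytes([NOP]) * (len(stolen) - JMP_LEN)
    # cave: the stolen instructions, then JMP back to the instruction after the patch
    back_jmp_addr = cave_addr + len(stolen)          # address of the return JMP itself
    cave = stolen + encode_jmp_rel32(back_jmp_addr, hook_addr + len(stolen))
    return patch, cave


def inline_hook_target(func_addr: int, prologue: bytes):
    """Defender-side check: where does a function's first instruction jump, if it was patched?"""
    return decode_jmp_rel32(func_addr, prologue)


if __name__ == "__main__":
    HOOK = 0x00401000                               # constructed hook address
    CAVE = 0x00AB0000                               # constructed cave address
    STOLEN = bytes.fromhex("558BEC83EC08")          # constructed: push ebp; mov ebp,esp; sub esp,8
    patch, cave = build_detour(HOOK, CAVE, STOLEN)
    print("at hook:", patch.hex(" "))               # e9 fb ef 6a 00 90
    print("at cave:", cave.hex(" "))                # 55 8b ec 83 ec 08 e9 fb 0f 95 ff
    print("patched prologue jumps to", hex(inline_hook_target(HOOK, patch)))          # 0xab0000
    print("cave jumps back to", hex(decode_jmp_rel32(CAVE + len(STOLEN), cave[len(STOLEN):])))  # 0x401006
```

The return jump is the detail that trips people up: its source is not the cave base but the cave base plus everything written before it (stolen bytes plus any injected opcodes), and its target is the hook address plus the number of stolen bytes, never the hook address itself, or the patched JMP would be executed again.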
Why do you then need to copy Shadow's "_ConvertHexToBytes" function, instead of doing your own one? Can you even explain what the code does? And I don't mean just saying "it converts hex vars to bytes".
Quote:
I asked for help with something I am trying to do and I was having this problem, so where's the copy-paste? And I know what I am doing.
Why do you write it in your post then? Sounds to me like you were just trying out random stuff without even knowing what it's for.
Quote:
And actually I didn't use return for the jmp, of course. Yes, I know I wrote that ret didn't help, but I didn't even explain.
Looking at your stuff: your code is awful. Instead of "focusing" on memory right now, please just try to do decent code/scripting. Don't just do the stuff; instead, try to understand. In my opinion, it would really help you out. I have known you for a while now, even longer than you think and even longer than this account has existed.
Quote:
Even asking for help is leeching for you?
You never faced any problem? Thanks anyway.