This project was started because I was bored of doing all these useless things (allocating memory, creating opcode for injection, etc.) again and again in AutoIt. So I wrote this UDF for Code-Cave-Injection.
Just to sum up in a few words what a Code-Cave can do:
A Code-Cave enables you to insert some ASM code into a running process, which then gets executed by that process. That way you are able to read the value of every register at any time, which is not always possible with pointers and/or addresses alone.
This UDF is really easy to use. I think the explanations were not really needed, but to be sure I wrote them.
There is also an example in the attachment of how to use this UDF.
To be able to use the UDF you have to copy the complete content of the "Includes" directory (including FASM.au3 etc.) to the AutoIt Includes directory.
You have to run the AutoIt script as an x86 script and you also have to compile it as an x86 exe. Otherwise the AutoIt script will crash.
Source code (only CCInject.au3 is shown here; you need to download the complete attachment with the other Includes to use these functions):
;==================================================================================
; Function:         _MemoryManipulationOpen($iv_Pid[, $iv_DesiredAccess[, $iv_InheritHandle]])
; Description:      Opens a process and enables all possible access rights to the
;                   process. The Process ID of the process is used to specify which
;                   process to open. You must call this function before calling
;                   _MemoryClose(), _MemoryRead(), or _MemoryWrite().
; Parameter(s):     $iv_Pid - The Process ID of the program you want to open.
;                   $iv_DesiredAccess - (optional) Set to 0x1F0FFF by default, which
;                                       enables all possible access rights to the
;                                       process specified by the Process ID.
;                   $iv_InheritHandle - (optional) If this value is TRUE, all processes
;                                       created by this process will inherit the access
;                                       handle. Set to 1 (TRUE) by default. Set to 0
;                                       if you want it FALSE.
; Requirement(s):   None.
; Return Value(s):  On Success - Returns an array containing the Dll handle and an
;                                open handle to the specified process.
;                   On Failure - Returns 0
;                   @Error - 0 = No error.
;                            1 = Invalid $iv_Pid.
;                            2 = Failed to open Kernel32.dll.
;                            3 = Failed to open the specified process.
; Author(s):        Nomad
; Note(s):
;==================================================================================
Func _MemoryManipulationOpen($iv_pid, $iv_desiredaccess = 2035711, $if_inherithandle = 1) ; 2035711 = 0x1F0FFF (PROCESS_ALL_ACCESS)
    If Not ProcessExists($iv_pid) Then
        SetError(1)
        Return 0
    EndIf

    ; DllOpen returns -1 on failure and does not set @error, so check the handle itself
    Local $ah_handle[2] = [DllOpen("kernel32.dll")]
    If $ah_handle[0] = -1 Then
        SetError(2)
        Return 0
    EndIf

    ; OpenProcess returns a NULL handle on failure without setting @error, so check both
    Local $av_openprocess = DllCall($ah_handle[0], "int", "OpenProcess", "int", $iv_desiredaccess, "int", $if_inherithandle, "int", $iv_pid)
    If @error Or $av_openprocess[0] = 0 Then
        DllClose($ah_handle[0])
        SetError(3)
        Return 0
    EndIf

    $ah_handle[1] = $av_openprocess[0]
    Return $ah_handle
EndFunc   ;==>_MemoryManipulationOpen
#region Memory-Manipulation by Shadow992 (elitepvpers.com)
;==================================================================================
; Function:         _MemoryBytesWrite($ah_handle, $iadress, $v_data)
; Description:      Writes the specified Opcode to the specified process at the specified address.
; Parameter(s):     $ah_handle - A handle returned by _MemoryOpen (Nomad.au3)
;                                or _MemoryManipulationOpen (CCInject.au3)
;                   $iadress - Address where the bytes should be written to
;                   $v_data - The bytes which should be written to the specified address.
; Requirement(s):   None.
; Return Value(s):  On Success - Returns the bytes which were at the specified address
;                                before this function was executed.
;                   On Failure - Returns 0
;                   @Error - 0 = No error.
;                            1 = $ah_handle is not an array
;                            2 = Failed to create $v_buffer_write.
;                            3 = Failed to create $v_buffer_read.
; Author(s):        Shadow992
; Note(s):
;==================================================================================
Func _MemoryBytesWrite($ah_handle, $iadress, $v_data)
    If $v_data <> "" Then
        ; Strip spaces and split the hex string into two-character bytes ("90 90" -> ["90", "90"])
        Local $isplit = StringRegExp(StringReplace($v_data, " ", ""), "(..)", 3)
        Local $code = ""

        If Not IsArray($ah_handle) Then
            SetError(1)
            Return 0
        EndIf

        Local $v_buffer_write = DllStructCreate("byte")
        If @error Then
            SetError(2)
            Return 0
        EndIf

        Local $v_buffer_read = DllStructCreate("byte")
        If @error Then
            SetError(3)
            Return 0
        EndIf

        Local $ptr_write = DllStructGetPtr($v_buffer_write)
        Local $struct_size_write = DllStructGetSize($v_buffer_write)

        Local $ptr_read = DllStructGetPtr($v_buffer_read)
        Local $struct_size_read = DllStructGetSize($v_buffer_read)
        ; [remainder of this function is not included in the posted excerpt]
;==================================================================================
; Function:         _MemorySearchForBytes($ah_handle, $bytes [, $iv_addrStart[, $iv_addrEnd[, $mask[, $finds[, $after[, $istep]]]]]])
; Description:      Searches for the specified bytes in a specified process.
; Parameter(s):     $ah_handle - A handle returned by _MemoryOpen (Nomad.au3)
;                                or _MemoryManipulationOpen (CCInject.au3)
;                   $bytes - Bytes which should be searched for in the process.
;                            If some of the bytes are not known, use ?? instead of the byte.
;                            The search engine of this function uses StringRegExp,
;                            so it is also possible to use regular expressions.
;                   $iv_addrStart - (optional) The address where the search should start.
;                   $iv_addrEnd - (optional) The address where the search should end.
;                   $mask - (optional) This is made for the pattern function of OllyDbg;
;                           just copy the mask of the pattern function into $mask.
;                   $finds - (optional) How many addresses where $bytes were found should be returned.
;                   $after - (optional) Whether the returned addresses are those before the found $bytes (=False)
;                            or after the found $bytes (=True).
;                   $istep - (optional) The step (in bytes) used by ReadProcessMemory to search through memory.
; Requirement(s):   None.
; Return Value(s):  On Success - Returns an array containing $finds addresses where the bytes were found.
;                   On Failure - Returns 0
;                   @Error - 0 = No error.
;                            1 = $ah_handle is not an array
;                            2 = Failed to create $v_buffer.
; Author(s):        Shadow992
; Note(s):
; Example(s):       _MemorySearchForBytes($ah_handle, "909090????90??")
;==================================================================================
Func _MemorySearchForBytes($ah_handle, $bytes, $iv_addrStart = -1, $iv_addrEnd = 0x0FFFFFFF, $mask = "", $finds = 1, $after = True, $istep = 500000)
    ; Clamp the range to user-mode addresses of a 32-bit process; the default start is the usual image base
    If $iv_addrEnd > 0x7FFFFFFF Then $iv_addrEnd = 0x7FFFFFFF
    If $iv_addrStart < 0 Then $iv_addrStart = 0x00400000

    If Not IsArray($ah_handle) Then
        SetError(1)
        Return 0
    EndIf

    ; Apply an OllyDbg-style mask: every "?" in $mask turns the corresponding byte into the wildcard "??"
    If $mask <> "" Then
        Local $splited = StringRegExp($bytes, "(..)", 3)
        Local $splited2 = StringSplit($mask, "", 2)
        $bytes = ""
        For $i = 0 To UBound($splited2) - 1
            If $splited2[$i] = "?" Then
                $bytes &= "??"
            Else
                $bytes &= $splited[$i]
            EndIf
        Next
    EndIf
    ; [remainder of this function is not included in the posted excerpt]
;==================================================================================
; Function:         _AllocateMemoryForArray($ah_handle, $size[, $type])
; Description:      Allocates memory for an array in a specified process.
; Parameter(s):     $ah_handle - A handle returned by _MemoryOpen (Nomad.au3)
;                                or _MemoryManipulationOpen (CCInject.au3)
;                   $size - The size of the array.
;                   $type - (optional) Type of the array elements (C-style).
; Requirement(s):   None.
; Return Value(s):  On Success - Returns an array containing info about the allocated memory.
;                   On Failure - Returns 0
;                   @Error - 0 = No error.
;                            1 = $ah_handle is not an array
;                            2 = Failed to allocate memory in the specified process.
; Author(s):        Shadow992
; Note(s):
;==================================================================================
; The Func line is not in the posted excerpt; the default for $type is assumed here ("int", i.e. the 4-byte Else branch below)
Func _AllocateMemoryForArray($ah_handle, $size, $type = "int")
    If Not IsArray($ah_handle) Then
        SetError(1)
        Return 0
    EndIf

    If $size <= 0 Then $size = 1

    ; $info layout: [0] base address, [1] element size in bytes, [2] element count, [3] C type, [4] number of rows (1 for a 1D array)
    Local $info[5]
    If $type = "byte" Or $type = "char" Then
        $info[0] = _AllocateMemory($ah_handle, $size)
        $info[1] = 1
    ElseIf $type = "short" Or $type = "word" Then
        $info[0] = _AllocateMemory($ah_handle, 2 * $size)
        $info[1] = 2
    Else
        $info[0] = _AllocateMemory($ah_handle, 4 * $size)
        $info[1] = 4
    EndIf
    $info[2] = $size
    $info[3] = $type
    $info[4] = 1

    If $info[0] = -2 Then
        SetError(2)
        Return 0
    EndIf

    Return $info
EndFunc   ;==>_AllocateMemoryForArray
;==================================================================================
; Function:         _AllocateMemoryFor2DArray($ah_handle, $size1, $size2[, $type])
; Description:      Allocates memory for a 2D-array in a specified process.
; Parameter(s):     $ah_handle - A handle returned by _MemoryOpen (Nomad.au3)
;                                or _MemoryManipulationOpen (CCInject.au3)
;                   $size1 - The size of the 1st dimension of the array.
;                   $size2 - The size of the 2nd dimension of the array.
;                   $type - (optional) Type of the array elements (C-style).
; Requirement(s):   None.
; Return Value(s):  On Success - Returns an array containing info about the allocated memory.
;                   On Failure - Returns 0
;                   @Error - 0 = No error.
;                            1 = $ah_handle is not an array
;                            2 = Failed to allocate memory in the specified process.
; Author(s):        Shadow992
; Note(s):          Will allocate memory in this layout: $array[$size1][$size2]
;==================================================================================
; The Func line is not in the posted excerpt; the default for $type is assumed here ("int", i.e. the 4-byte Else branch below)
Func _AllocateMemoryFor2DArray($ah_handle, $size1, $size2, $type = "int")
    If Not IsArray($ah_handle) Then
        SetError(1)
        Return 0
    EndIf

    If $size1 <= 0 Then $size1 = 1
    If $size2 <= 0 Then $size2 = 1

    ; $info layout: [0] base address, [1] element size in bytes, [2] columns ($size2), [3] C type, [4] rows ($size1)
    Local $info[5]
    If $type = "byte" Or $type = "char" Then
        $info[0] = _AllocateMemory($ah_handle, $size1 * $size2)
        $info[1] = 1
    ElseIf $type = "short" Or $type = "word" Then
        $info[0] = _AllocateMemory($ah_handle, 2 * $size1 * $size2)
        $info[1] = 2
    Else
        $info[0] = _AllocateMemory($ah_handle, 4 * $size1 * $size2)
        $info[1] = 4
    EndIf
    $info[2] = $size2
    $info[3] = $type
    $info[4] = $size1

    If $info[0] = -2 Then
        SetError(2)
        Return 0
    EndIf

    Return $info
EndFunc   ;==>_AllocateMemoryFor2DArray
;==================================================================================
; Function:         _AllocateMemoryForVariable($ah_handle [, $type])
; Description:      Allocates memory for a variable in a specified process.
; Parameter(s):     $ah_handle - A handle returned by _MemoryOpen (Nomad.au3)
;                                or _MemoryManipulationOpen (CCInject.au3)
;                   $type - (optional) Type of the variable (C-style).
; Requirement(s):   None.
; Return Value(s):  On Success - Returns an array containing info about the allocated memory.
;                   On Failure - Returns 0
;                   @Error - 0 = No error.
;                            1 = $ah_handle is not an array
;                            2 = Failed to allocate memory in the specified process.
; Author(s):        Shadow992
; Note(s):
;==================================================================================
;==================================================================================
; Function:         _ReadMemoryVariable($ah_handle, $allocated_var)
; Description:      Reads the value of the specified variable.
; Parameter(s):     $ah_handle - A handle returned by _MemoryOpen (Nomad.au3)
;                                or _MemoryManipulationOpen (CCInject.au3)
;                   $allocated_var - Handle returned by _AllocateMemoryForVariable.
; Requirement(s):   None.
; Return Value(s):  On Success - Returns the value which is stored in the variable.
;                   On Failure - Returns 0
;                   @Error - 0 = No error.
;                            1 = $ah_handle is not an array.
;                            2 = $allocated_var is not an array.
; Author(s):        Shadow992
; Note(s):
;==================================================================================
Func _ReadMemoryVariable($ah_handle, $allocated_var)
    If IsArray($allocated_var) = 0 Then
        SetError(2)
        Return 0
    EndIf

    If Not IsArray($ah_handle) Then
        SetError(1)
        Return 0
    EndIf

    ; Buffer of the variable's own C type, e.g. "int"
    Local $v_buffer = DllStructCreate($allocated_var[3])
    Local $read_var
    ; [remainder of this function is not included in the posted excerpt]
;==================================================================================
; Function:         _ReadMemoryArray($ah_handle, $allocated_array)
; Description:      Reads the values of the specified array.
; Parameter(s):     $ah_handle - A handle returned by _MemoryOpen (Nomad.au3)
;                                or _MemoryManipulationOpen (CCInject.au3)
;                   $allocated_array - Handle returned by _AllocateMemoryForArray.
; Requirement(s):   None.
; Return Value(s):  On Success - Returns an array containing the values which are stored in the array.
;                   On Failure - Returns 0
;                   @Error - 0 = No error.
;                            1 = $ah_handle is not an array.
;                            2 = $allocated_array is not an array.
; Author(s):        Shadow992
; Note(s):
;==================================================================================
Func _ReadMemoryArray($ah_handle, $allocated_array)
    ; Error codes follow the header above: 1 = $ah_handle, 2 = $allocated_array
    If Not IsArray($ah_handle) Then
        SetError(1)
        Return 0
    EndIf

    If IsArray($allocated_array) = 0 Then
        SetError(2)
        Return 0
    EndIf

    ; Struct of the same C type and element count as the remote array, e.g. "int[16]"
    Local $v_buffer = DllStructCreate($allocated_array[3] & "[" & $allocated_array[2] & "]")
    Local $read_array[$allocated_array[2]]
    ; [the ReadProcessMemory call that fills $v_buffer from $allocated_array[0] is not included in the posted excerpt]

    ; DllStructGetData array indices are 1-based, hence $i + 1
    For $i = 0 To $allocated_array[2] - 1
        $read_array[$i] = DllStructGetData($v_buffer, 1, $i + 1)
    Next

    Return $read_array
EndFunc   ;==>_ReadMemoryArray
;==================================================================================
; Function:         _CreateASM_CopyRegisterToVariable($allocated_var [, $register = "eax"[, $copy_address = 1[, $create_opcode = 0]]])
; Description:      Creates ASM-Code/Opcode for copying a register to the specified variable.
; Parameter(s):     $allocated_var - Handle returned by _AllocateMemoryForVariable.
;                   $register - (optional) Register which should be copied to the variable.
;                   $copy_address - (optional) Specifies if the value of $register should be copied (=1)
;                                   or the value at the address in $register (=0).
;                   $create_opcode - (optional) Specifies if Opcode (=1) or ASM-Code (=0) should be returned.
; Requirement(s):   FASM.au3
; Return Value(s):  On Success - Returns the code specified by $create_opcode.
;                   On Failure - Returns 0
;                   @Error - 0 = No error.
;                            1 = $allocated_var is not an array.
; Author(s):        Shadow992
; Note(s):
;==================================================================================
Func _CreateASM_CopyRegisterToVariable($allocated_var, $register = "eax", $copy_address = 1, $create_opcode = 0)
    If IsArray($allocated_var) = 0 Then
        SetError(1)
        Return 0
    EndIf

    ; Scratch register for the generated code; it must not be the register being saved
    Local $temp_register = "edx"
    If $temp_register = $register Then
        $temp_register = "ebx"
    EndIf
    ; [the ASM text that builds $code is not included in the posted excerpt]

    If $create_opcode = 1 Then
        Local $splited = StringSplit($code, @CRLF, 2)

        ; Assemble the generated ASM with FASM in 32-bit mode
        Local $Fasm = FasmInit()
        FasmReset($Fasm)
        FasmAdd($Fasm, "use32")

        For $i = 0 To UBound($splited) - 1
            If $splited[$i] <> "" Then
                $splited[$i] = StringReplace(StringReplace($splited[$i], @LF, ""), @CR, "")
                FasmAdd($Fasm, $splited[$i])
            EndIf
        Next
        ; [remainder of this function is not included in the posted excerpt]
;==================================================================================
; Function:         _CreateASM_CopyRegisterToArray($allocated_array [, $register = "eax"[, $offset = 0[, $create_opcode = 0]]])
; Description:      Creates ASM-Code/Opcode for copying a register to the specified array.
; Parameter(s):     $allocated_array - Handle returned by _AllocateMemoryForArray.
;                   $register - (optional) Register which should be copied to the array.
;                   $offset - (optional) Specifies the offset of $register which should be copied.
;                   $create_opcode - (optional) Specifies if Opcode (=1) or ASM-Code (=0) should be returned.
; Requirement(s):   FASM.au3
; Return Value(s):  On Success - Returns the code specified by $create_opcode.
;                   On Failure - Returns 0
;                   @Error - 0 = No error.
;                            1 = $allocated_array is not an array.
; Author(s):        Shadow992
; Note(s):
;==================================================================================
; The Func line below is taken from the header; the parameter check and the ASM text that builds $code are not included in the posted excerpt
Func _CreateASM_CopyRegisterToArray($allocated_array, $register = "eax", $offset = 0, $create_opcode = 0)
    If $create_opcode = 1 Then
        Local $splited = StringSplit($code, @CRLF, 2)

        ; Assemble the generated ASM with FASM in 32-bit mode
        Local $Fasm = FasmInit()
        FasmReset($Fasm)
        FasmAdd($Fasm, "use32")

        For $i = 0 To UBound($splited) - 1
            If $splited[$i] <> "" Then
                $splited[$i] = StringReplace(StringReplace($splited[$i], @LF, ""), @CR, "")
                FasmAdd($Fasm, $splited[$i])
            EndIf
        Next
        ; [remainder of this function is not included in the posted excerpt]
;==================================================================================
; Function:         _AllocateMemory($ah_handle, $bytes)
; Description:      Allocates memory in a specified process.
; Parameter(s):     $ah_handle - A handle returned by _MemoryOpen (Nomad.au3)
;                                or _MemoryManipulationOpen (CCInject.au3)
;                   $bytes - The amount of memory in bytes which should be allocated.
; Requirement(s):
; Return Value(s):  On Success - Returns the base address of the allocated memory.
;                   On Failure - Returns -1
;                   @Error - 0 = No error.
;                            1 = $ah_handle is not an array.
; Author(s):        Shadow992
; Note(s):
;==================================================================================
Func _AllocateMemory($ah_handle, $bytes)
    If Not IsArray($ah_handle) Then
        SetError(1)
        Return -1
    EndIf
    ; [remainder of this function is not included in the posted excerpt]
;==================================================================================
; Function:         _InjectOpcodeAtAddress($memopen, $des_address, $size, $opcodes)
; Description:      Injects a Code-Cave with the specified Opcodes at a specified address.
;                   The Opcodes which were at $des_address are restored and will be executed
;                   even with an active Code-Cave.
; Parameter(s):     $memopen - A handle returned by _MemoryOpen (Nomad.au3)
;                              or _MemoryManipulationOpen (CCInject.au3)
;                   $des_address - Address where the Opcode should be injected.
;                   $size - Number of bytes used at $des_address (min. 5 bytes) so that complete instructions are covered.
;                   $opcodes - The Opcode which should be injected into the process.
; Requirement(s):
; Return Value(s):  On Success - Returns an array of information:
;                                0 - Code-Cave's base address
;                                1 - Old Opcode at the Code-Cave's address (should be 0000...)
;                                2 - Opcode which was injected
;                                3 - Opcode which was at $des_address
;                                4 - New Opcode which is now at $des_address
;                   On Failure - Returns -1
;                   @Error - 0 = No error.
;                            1 = $size is less than 5.
; Author(s):        Shadow992
; Note(s):
;==================================================================================
;==================================================================================
; Function:         _InjectASMAtAddress($memopen, $des_address, $size, $asm)
; Description:      Injects a Code-Cave with the specified ASM-Code at a specified address.
;                   The Opcodes which were at $des_address are restored and will be executed
;                   even with an active/injected Code-Cave.
; Parameter(s):     $memopen - A handle returned by _MemoryOpen (Nomad.au3)
;                              or _MemoryManipulationOpen (CCInject.au3)
;                   $des_address - Address where the ASM-Code should be injected.
;                   $size - Number of bytes used at $des_address (min. 5 bytes) so that complete instructions are covered.
;                   $asm - The ASM-Code which should be injected into the process.
; Requirement(s):   FASM.au3
; Return Value(s):  On Success - Returns an array of information:
;                                0 - Code-Cave's base address
;                                1 - Old Opcode at the Code-Cave's address (should be 0000...)
;                                2 - Opcode which was injected
;                                3 - Opcode which was at $des_address
;                                4 - New Opcode which is now at $des_address
;                   On Failure - Returns -1
;                   @Error - 0 = No error.
;                            1 = $size is less than 5.
;                            2 = ASM-Code could not be compiled successfully.
; Author(s):        Shadow992
; Note(s):          The ASM commands in $asm have to be separated by @CRLF or ";".
;==================================================================================
; The Func line below is taken from the header (it is missing from the posted excerpt)
Func _InjectASMAtAddress($memopen, $des_address, $size, $asm)
    ; Flag 2 without flag 1 means each of ";", @CR and @LF is a delimiter on its own,
    ; so commands may be separated by ";" or by @CRLF as the note says
    Local $splited = StringSplit($asm, ";" & @CRLF, 2)

    ; Assemble with FASM in 32-bit mode
    Local $Fasm = FasmInit()
    FasmReset($Fasm)
    FasmAdd($Fasm, "use32")

    For $i = 0 To UBound($splited) - 1
        If $splited[$i] <> "" Then
            FasmAdd($Fasm, $splited[$i])
        EndIf
    Next

    Local $bytecode = FasmGetBinary($Fasm)

    If $bytecode <> "" Then
        Return _InjectOpcodeAtAddress($memopen, $des_address, $size, $bytecode)
    Else
        SetError(2)
        Return -1
    EndIf
EndFunc   ;==>_InjectASMAtAddress
;==================================================================================
; Function:         _ConvertHexToBytes($hex [, $len])
; Description:      Converts a hex value to little-endian bytes usable as Opcode.
; Parameter(s):     $hex - Hex value
;                   $len - (optional) Length (in hex digits) the Opcode should have.
; Requirement(s):
; Return Value(s):  On Success - Returns the Opcode specified by $hex.
; Author(s):        Shadow992
; Note(s):
;==================================================================================
; The Func line is not in the posted excerpt; the default for $len is assumed here (8 hex digits = one 32-bit value)
Func _ConvertHexToBytes($hex, $len = 8)
    Local $bytes = ""

    ; Left-pad with zeros up to $len hex digits
    While StringLen($hex) < $len
        $hex = "0" & $hex
    WEnd

    Local $splited = StringRegExp($hex, "(..)", 3)

    ; Reverse the byte order: x86 is little-endian, so "00401000" becomes "00104000"
    For $i = UBound($splited) - 1 To 0 Step -1
        $bytes &= $splited[$i]
    Next

    Return $bytes
EndFunc   ;==>_ConvertHexToBytes
;==================================================================================
; Function:         _ReadMemoryArrayString($ah_handle, $allocated_array)
; Description:      Reads the values of the specified array.
; Parameter(s):     $ah_handle - A handle returned by _MemoryOpen (Nomad.au3)
;                                or _MemoryManipulationOpen (CCInject.au3)
;                   $allocated_array - Handle returned by _AllocateMemoryForArray.
; Requirement(s):   None.
; Return Value(s):  On Success - Returns a string containing the values which are stored in the allocated array.
;                                This function was made for copying a string array to an AutoIt string.
;                   On Failure - Returns 0
;                   @Error - 0 = No error.
;                            1 = $ah_handle is not an array.
;                            2 = $allocated_array is not an array.
; Author(s):        Shadow992
; Note(s):
;==================================================================================
Func _ReadMemoryArrayString($ah_handle, $allocated_array)
    ; Error codes follow the header above: 1 = $ah_handle, 2 = $allocated_array
    If Not IsArray($ah_handle) Then
        SetError(1)
        Return 0
    EndIf

    If IsArray($allocated_array) = 0 Then
        SetError(2)
        Return 0
    EndIf

    Local $v_buffer = DllStructCreate($allocated_array[3] & "[" & $allocated_array[2] & "]")
    Local $read_string = ""
    ; [remainder of this function is not included in the posted excerpt]
;==================================================================================
; Function:         _ReadMemory2DArrayString($ah_handle, $allocated_array[, $index])
; Description:      Reads the values of the specified array and returns the values of the 2nd dimension of the array as a string.
; Parameter(s):     $ah_handle - A handle returned by _MemoryOpen (Nomad.au3)
;                                or _MemoryManipulationOpen (CCInject.au3)
;                   $allocated_array - Handle returned by _AllocateMemoryFor2DArray.
;                   $index - (optional) The index of the 1st dimension
; Requirement(s):   None.
; Return Value(s):  On Success - Returns a string containing the values which are stored in the allocated array.
;                                This function was made for copying a string array to an AutoIt string.
;                   On Failure - Returns 0
;                   @Error - 0 = No error.
;                            1 = $ah_handle is not an array.
;                            2 = $allocated_array is not an array.
; Author(s):        Shadow992
; Note(s):
;==================================================================================
Func _ReadMemory2DArrayString($ah_handle, $allocated_array, $index = 0)
    If IsArray($allocated_array) = 0 Then
        SetError(2)
        Return 0
    EndIf

    If Not IsArray($ah_handle) Then
        SetError(1)
        Return 0
    EndIf

    ; One row of the 2D array: $allocated_array[2] elements of the stored C type
    Local $v_buffer = DllStructCreate($allocated_array[3] & "[" & $allocated_array[2] & "]")
    Local $read_string = ""
    ; [remainder of this function is not included in the posted excerpt]
;==================================================================================
; Function:         _CreateASM_CopyRegisterTo2DArray($allocated_array [, $register = "eax"[, $index = 0[, $offset = 0[, $create_opcode = 0]]]])
; Description:      Creates ASM-Code/Opcode for copying a register to the specified 2D-array.
; Parameter(s):     $allocated_array - Handle returned by _AllocateMemoryFor2DArray.
;                   $register - (optional) Register which should be copied to the array.
;                   $index - (optional) Index of the 1st dimension which should be written.
;                   $offset - (optional) Specifies the offset of $register which should be copied.
;                   $create_opcode - (optional) Specifies if Opcode (=1) or ASM-Code (=0) should be returned.
; Requirement(s):   FASM.au3
; Return Value(s):  On Success - Returns the code specified by $create_opcode.
;                   On Failure - Returns 0
;                   @Error - 0 = No error.
;                            1 = $allocated_array is not an array.
; Author(s):        Shadow992
; Note(s):
;==================================================================================
Func _CreateASM_CopyRegisterTo2DArray($allocated_array, $register = "eax", $index = 0, $offset = 0, $create_opcode = 0)
    If IsArray($allocated_array) = 0 Then
        SetError(1)
        Return 0
    EndIf

    ; Default offset is one element (the element size stored by _AllocateMemoryFor2DArray)
    If $offset = 0 Then
        $offset = $allocated_array[1]
    EndIf

    ; Scratch registers for the generated code; neither may be the register being saved
    Local $count_register = "ecx"
    Local $temp_register = "edx"

    If $count_register = $register Then
        $count_register = "ebx"
    ElseIf $temp_register = $register Then
        $temp_register = "ebx"
    EndIf
    ; [the ASM text that builds $code is not included in the posted excerpt]

    If $create_opcode = 1 Then
        Local $splited = StringSplit($code, @CRLF, 2)

        ; Assemble the generated ASM with FASM in 32-bit mode
        Local $Fasm = FasmInit()
        FasmReset($Fasm)
        FasmAdd($Fasm, "use32")

        For $i = 0 To UBound($splited) - 1
            If $splited[$i] <> "" Then
                $splited[$i] = StringReplace(StringReplace($splited[$i], @LF, ""), @CR, "")
                FasmAdd($Fasm, $splited[$i])
            EndIf
        Next
        ; [remainder of this function is not included in the posted excerpt]
;==================================================================================
; Function:         _CreateASM_CopyRegisterTo2DArrayEx($allocated_array, $var_to_hold_last_address [, $register = "eax"[, $delimiter = -1[, $offset = 0[, $create_opcode = 0]]]])
; Description:      Creates ASM-Code/Opcode for copying a register to the specified 2D-array.
;                   The created ASM/Opcode always copies the register to the next array index,
;                   increasing the index by 1 on each execution; when the ASM-Code reaches the
;                   end of the array, it sets the index to 0 again.
;                   $array[0]=register_first_execution
;                   $array[1]=register_second_execution
;                   ...
;                   $array[size_of_array]=register_size_of_array_execution
;                   $array[0]=register_x_execution
;                   ...
;
; Parameter(s):     $allocated_array - Handle returned by _AllocateMemoryFor2DArray.
;                   $var_to_hold_last_address - Handle returned by _AllocateMemoryForVariable; the variable must be of type int.
;                   $register - (optional) Register which should be copied to the array.
;                   $delimiter - (optional) Specifies which delimiter should end the string;
;                                must be the ASCII code of the character which should be used as delimiter.
;                   $offset - (optional) Specifies the offset of $register which should be copied.
;                   $create_opcode - (optional) Specifies if Opcode (=1) or ASM-Code (=0) should be returned.
; Requirement(s):   FASM.au3
; Return Value(s):  On Success - Returns the code specified by $create_opcode.
;                   On Failure - Returns 0
;                   @Error - 0 = No error.
;                            1 = $allocated_array is not an array.
;                            2 = $var_to_hold_last_address is not an array.
; Author(s):        Shadow992
; Note(s):
;==================================================================================
Func _CreateASM_CopyRegisterTo2DArrayEx($allocated_array, $var_to_hold_last_address, $register = "eax", $delimiter = -1, $offset = 0, $create_opcode = 0)
    If IsArray($allocated_array) = 0 Then
        SetError(1)
        Return 0
    EndIf

    If IsArray($var_to_hold_last_address) = 0 Then
        SetError(2)
        Return 0
    EndIf

    ; Default offset is one element (the element size stored by _AllocateMemoryFor2DArray)
    If $offset = 0 Then
        $offset = $allocated_array[1]
    EndIf

    ; Scratch registers for the generated code; none of them may be the register being saved
    Local $count_register = "ecx"
    Local $temp_register = "edx"
    Local $var_register = "esi"

    If $count_register = $register Then
        $count_register = "ebx"
    ElseIf $temp_register = $register Then
        $temp_register = "ebx"
    ElseIf $var_register = $register Then
        $var_register = "ebx"
    EndIf
    ; [the ASM text that builds $code is not included in the posted excerpt]

    If $create_opcode = 1 Then
        Local $splited = StringSplit($code, @CRLF, 2)

        ; Assemble the generated ASM with FASM in 32-bit mode
        Local $Fasm = FasmInit()
        FasmReset($Fasm)
        FasmAdd($Fasm, "use32")

        For $i = 0 To UBound($splited) - 1
            If $splited[$i] <> "" Then
                $splited[$i] = StringReplace(StringReplace($splited[$i], @LF, ""), @CR, "")
                FasmAdd($Fasm, $splited[$i])
            EndIf
        Next
        ; [remainder of this function is not included in the posted excerpt]
;==================================================================================
; Function:         MemoryReset2DArray($ah_handle, $allocated_array, $index)
; Description:      Resets the values of the specified 2D-array at the specified index.
; Parameter(s):     $ah_handle - A handle returned by _MemoryOpen (Nomad.au3)
;                                or _MemoryManipulationOpen (CCInject.au3)
;                   $allocated_array - Handle returned by _AllocateMemoryFor2DArray.
;                   $index - The 1st-dimension index which should be reset.
; Requirement(s):   None.
; Return Value(s):  On Success - Returns 1
;                   On Failure - Returns 0
;                   @Error - 0 = No error.
;                            1 = $ah_handle is not an array.
;                            2 = $allocated_array is not an array.
; Author(s):        Shadow992
; Note(s):
;==================================================================================
; The Func line below is taken from the header (it is missing from the posted excerpt)
Func MemoryReset2DArray($ah_handle, $allocated_array, $index)
    If IsArray($ah_handle) = 0 Then
        SetError(1)
        Return 0
    EndIf

    If IsArray($allocated_array) = 0 Then
        SetError(2)
        Return 0
    EndIf

    Local $v_buffer_write = DllStructCreate("byte")
    Local $ptr_write = DllStructGetPtr($v_buffer_write)
    Local $struct_size_write = DllStructGetSize($v_buffer_write)
    ; [remainder of this function is not included in the posted excerpt]
Nice idea, but I would say code caves are better done in C++ after all; that works so nicely in a DLL, you don't need AutoIt for it.
But respect for the idea and a good implementation, looking forward to more stuff from you.
That doesn't change the principle, because in C++ you would also just call the corresponding WinAPI functions and maybe work with inline ASM. But the task stays the same, namely writing the code cave in ASM/opcode. So it really makes no difference.
Whether you can simply set a complete DLL as a code cave, I'm not sure about that. Could well be possible though.
A complete DLL (with header, etc.) is, as far as I know, not that easy to realize. You would additionally have to do what the LoadLibrary function normally takes care of (fixing base relocations and the IAT and something else, dunno). Certainly doable, but just not that simple.
If you're still interested, just google "Manual Mapping" or the like.
I know the topic is a bit older.
But I'd be interested in seeing a four-liner as an example, for instance.
What you're doing there is a bit "weak".
So you don't see all the possibilities.
I'd be happy to see everything that's possible with this.
For example, how would you set a backjump?
What on earth is a "backjump" supposed to be?....
You can either calculate jumps from the current address and the target address, or you solve the whole thing with a push and a ret...
ret can simply be translated to:
Code:
jmp pop
accordingly
Code:
jmp x == push x; ret
which is of course less efficient because of the stack access... but that way you can save yourself the calculations.
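As an added example (not part of the UDF or of any post in this thread), here are the two jump forms discussed above seen from the defender's side: a scan of a module's code bytes for `E9 rel32` jumps (the 5-byte patch the UDF writes at `$des_address`) and for `push imm32; ret` sequences (the `jmp x == push x; ret` equivalence from the reply) whose target lies outside the module, which is what a code cave in freshly allocated memory looks like from inside the process. The module base, its size and the code bytes are constructed sample data.

```c
/* Added example, not from the UDF in the post: a defender-side scan of a
 * module's code bytes for the two jump forms discussed in this thread:
 *   E9 rel32      jmp rel32        (the 5-byte patch written at $des_address)
 *   68 imm32 C3   push imm32; ret  (the "jmp x == push x; ret" form from the reply)
 * A jump whose target lies outside the module's own image is what a code cave in
 * allocated memory looks like from inside the process. All data below is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_FINDINGS 16

typedef struct {
    uint32_t    at;      /* address of the jump instruction  */
    uint32_t    target;  /* absolute destination of the jump */
    const char *kind;    /* "jmp rel32" or "push/ret"        */
} finding_t;

/* Little-endian 32-bit load: the byte order _ConvertHexToBytes emits. */
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* E9 rel32 is relative to the next instruction: target = addr + 5 + rel. */
uint32_t jmp_rel32_target(uint32_t insn_addr, int32_t rel)
{
    return insn_addr + 5u + (uint32_t)rel;
}

/* Inverse: the displacement that reaches `target` from a jmp at `insn_addr`. */
int32_t jmp_rel32_disp(uint32_t insn_addr, uint32_t target)
{
    return (int32_t)(target - (insn_addr + 5u));
}

/* Linear scan of `len` code bytes mapped at `base`; reports jumps whose destination
 * lies outside [base, base + len). This is a byte-pattern scan, not a disassembler:
 * an E9/68 inside another instruction's operand can be a false positive, so a
 * production scanner walks instruction boundaries first. */
size_t scan_for_caves(const uint8_t *code, size_t len, uint32_t base,
                      finding_t *out, size_t max_out)
{
    size_t n = 0;
    for (size_t i = 0; i + 5 <= len && n < max_out; i++) {
        uint32_t at = base + (uint32_t)i, target;
        const char *kind;
        if (code[i] == 0xE9) {
            target = jmp_rel32_target(at, (int32_t)read_le32(code + i + 1));
            kind = "jmp rel32";
        } else if (code[i] == 0x68 && i + 6 <= len && code[i + 5] == 0xC3) {
            target = read_le32(code + i + 1);   /* push imm32; ret == jmp imm32 */
            kind = "push/ret";
        } else {
            continue;
        }
        if (target < base || target >= base + (uint32_t)len) {
            out[n].at = at;
            out[n].target = target;
            out[n].kind = kind;
            n++;
        }
    }
    return n;
}

/* Constructed 26 bytes of ".text" mapped at 0x00401000 (the UDF's default search start). */
static const uint32_t SAMPLE_BASE = 0x00401000u;
static const uint8_t  SAMPLE_CODE[26] = {
    0x55, 0x8B, 0xEC,                   /* 0x401000: push ebp; mov ebp, esp           */
    0xE9, 0x08, 0x00, 0x00, 0x00,       /* 0x401003: jmp 0x401010   (stays in module) */
    0x90, 0x90,                         /* 0x401008: nop; nop                         */
    0xE9, 0xF1, 0xEF, 0xBF, 0x0F,       /* 0x40100A: jmp 0x10000000 (leaves: cave)    */
    0x68, 0x00, 0x00, 0x00, 0x20, 0xC3, /* 0x40100F: push 0x20000000; ret (leaves)    */
    0xE9, 0xE6, 0xFF, 0xFF, 0xFF        /* 0x401015: jmp 0x401000   (backward, in)    */
};

/* Runs the scan over the sample; returns the number of jumps that leave the module. */
size_t demo_findings(finding_t *out, size_t max_out)
{
    return scan_for_caves(SAMPLE_CODE, sizeof SAMPLE_CODE, SAMPLE_BASE, out, max_out);
}

int main(void)
{
    finding_t f[MAX_FINDINGS];
    size_t n = demo_findings(f, MAX_FINDINGS);
    for (size_t i = 0; i < n; i++)
        printf("%s at 0x%08X -> 0x%08X leaves the module\n", f[i].kind, f[i].at, f[i].target);
    return 0;
}
```

Run against the sample, only the two jumps whose destinations lie outside 0x00401000..0x0040101A are reported; the forward and backward in-module jumps pass.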
In principle anything is possible with it, provided you can write the ASM code for it; even internal function calls are possible, just like writing complete DLLs into the cave. The DLLs then just have to be mapped accordingly.