tags:

views:

632

answers:

1
+2  Q: 

C# Theoretical: Write a JMP to a codecave in asm

Lets assume I've allocated the address where my codecave is placed using VirtualAllocEx (it returns the address) and I write my code into that address using WriteProcessMemory().

Here's the question:

How do I write a jump to my codecave? I know that jumps start with "E9", but how do I convert the address returned by VirtualAllocEx into a correct UInt32 (dword) so the debugger/compiler will understand the instruction?

For example:

I'm at address 00402020 (OEP of the native app). I write a jump to 004028CF (empty place) "JMP 004028CF". The instruction in bytes looks like this:

CPU Disasm
Address   Hex dump      Command                                  Comments
00402020  E9 AA080000   JMP 004028CF

"E9" is how we indicate a JMP. What about "AA080000", how do I generate this?

I need to do something similar so I can initialize a JMP to my codecave, which will be located at an address returned by VirtualAllocEx().

Any help will be gratefully appreciated!

Thanks in advance.

+2  A: 

E9 is a relative jump so the later 32 bits are just an offset to the current instruction pointer. See Intel® 64 and IA-32 Architectures Software Developer’s Manual Volume 2A: Instruction Set Reference, A-M pages 549ff for details. For more information see Intel® 64 and IA-32 Architectures Software Developer's Manuals.

So the opcode to jump from 00402020 to 004028CF should be the following.

    E9  00 00 08 AA

Offset   = DestinationAddress - CurrentInstructionPointer
000008AA = 004028CF           - 00402025

When the jump instruction is executed, the instruction pointer is already set to the next instruction. So the offset of the jump instruction and the current instruction pointer value differ by 5.

CurrentInstructionPointer = AddressOfJumpInstruction + 5

UPDATE

Corrected error about the current instruction pointer value. Thanks jn.

Daniel Brückner  2009-04-24 18:35:06
I'm asking how to convert "004028CF" to "AA080000",How do I convert the destination address into those 32 bits so the instrction becomes valid?
John  2009-04-24 18:38:51
You could have told me "Destination address -(minus) current address" instead giving me that pdf of 600 pages.However,As previously I mentioned,I appreciate any of your efforts,so I accept your answer.Thanks!
John  2009-04-24 18:42:08
@Daniel: what you are saying here is wrong! The correct formula for this case is: to - from - 5
jn_  2009-04-24 18:47:21
If thought "E9 is a relative jump so the later 32 bits are just an offset to the current instruction pointer." clearifies the meaning. ^^ I was a bit confused about your AA080000 because it does not match the difference and I wanted to assert that I am right before I add an example.
Daniel Brückner  2009-04-24 18:49:25
Actually,you're wrong!Its AA,not AF.The jmp has length 5 bytes,it starts to count after those 5 bytes,so AF-5 = AA.Correct? ;)
John  2009-04-24 18:51:41
Yes correct, as I pointed out in my comment
jn_  2009-04-24 18:53:40
Thanks jn. Verified in the manual and updated answer. I have not done assembler coding for a while ... begining to forget and cannot rember what push SP pushes on the stack, too. SP or SP + 4?
Daniel Brückner  2009-04-24 19:01:21
ESP (on x86) always points to the last recently pushed item on the stack. When you push an item to the stack, ESP is decremented first, and then the parameter is stored at [ESP].
jn_  2009-04-24 19:06:36

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?