Continuing my reverse engineering education I've often wanted to be able to copy portions of x86 assembly code and call it from a high level language of my choice for testing.
Does anyone know of a method of calling a sequence of x86 instructions from within a C# method? I know that this can be done using C++ but I'm curious if it can be done in C#?
Note: I'm not talking about executing MSIL instructions. I'm talking about executing a series of raw x86 assembly instructions.
I believe, you can add a managed C++ project to your solution and expose method with usage of asm instructions. You can reference that project from any .Net project (not just C#), so you can call that method from there.
No, but you can write assembly in C++ and call it from C#. See this example.
Yes.
Just use P/Invoke on winapi functions.
WriteProcessMemory or find the pointer to your buffer. Enable the execute bit on page (don't remember the function for this).
CreateThread on the pointer. WaitForObject (if you want it to be single threaded).
Just to counter Brian's claim, rewritten code from leppie's answer link:
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
namespace DynamicX86
{
class Program
{
const uint PAGE_EXECUTE_READWRITE = 0x40;
const uint MEM_COMMIT = 0x1000;
[DllImport("kernel32.dll", SetLastError = true)]
static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
private delegate int IntReturner();
static void Main(string[] args)
{
List<byte> bodyBuilder = new List<byte>();
bodyBuilder.Add(0xb8);
bodyBuilder.AddRange(BitConverter.GetBytes(42));
bodyBuilder.Add(0xc3);
byte[] body = bodyBuilder.ToArray();
IntPtr buf = VirtualAlloc(IntPtr.Zero, (uint)body.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
Marshal.Copy(body, 0, buf, body.Length);
IntReturner ptr = (IntReturner)Marshal.GetDelegateForFunctionPointer(buf, typeof(IntReturner));
Console.WriteLine(ptr());
}
}
}
There exist libraries to do this more easily than marshaling function pointers by hand: