+1 [22.08.2015 21:27] ops244 1420.80 +285
никак, можно функцию ток, по-моему, смотря какой язык ещё
/// <summary>
/// Executes the function at <paramref name="callAddress"/> inside the target process by
/// hijacking that process's first thread: the thread is suspended, a short x86 stub that
/// calls the function and then returns to the thread's saved EIP is written over the bytes
/// at <paramref name="injAddress"/>, EIP is redirected to the stub, and once the stub has
/// stored the callee's result the original bytes and page protection are put back.
/// The callee's return value is used only as a completion sentinel and is not returned.
/// </summary>
/// <param name="injAddress">Address in the target process whose existing code is temporarily overwritten with the stub.</param>
/// <param name="callAddress">Address of the function the stub calls (loaded into eax, then <c>call eax</c>).</param>
/// <param name="funcArgs">Arguments pushed right-to-left as 32-bit immediates; the stub removes them from the stack afterwards (<c>__cdecl</c> convention).</param>
/// <exception cref="Win32Exception">Thrown when any thread, context, protection or cache API reports failure.</exception>
// NOTE(review): the whole routine assumes a 32-bit target (x86 opcodes, ToInt32(), uint Eip);
// IntPtr.Size is the host's pointer size, so this must not run as a 64-bit process.
// NOTE(review): "Cnoontext" looks like a mangled "Context" (CONTEXT struct) in the paste — confirm against the declaration.
public void Call(IntPtr injAddress, IntPtr callAddress, params int[] funcArgs)
{
    // Hijacks the first thread reported by Process.Threads, whichever that is.
    // NOTE(review): tHandle is never closed, and on every throw path below the thread is left suspended.
    var tHandle = OpenThread(ThreadAccess.All, false, this.Process.Threads[0].Id);
    if (SuspendThread(tHandle) == 0xFFFFFFFF)
        throw new Win32Exception();
    // Only the control registers (EIP among them) are read; that is all the stub needs.
    var cnoontext = new Cnoontext { CnoontextFlags = CnoontextFlags.Control };
    if (!GetThreadCnoontext(tHandle, ref cnoontext))
        throw new Win32Exception();
    // Sentinel slot in the target; presumably Write(int) allocates and returns its address — verify.
    // The stub overwrites it with eax, which is how completion is detected below.
    var retaddr = Write(0xDEAD);
    // NOTE(review): the type argument appears lost in extraction; presumably List<byte>.
    var bytes = new List();
    #region ASM
    // push eip (saved reference to the next instruction; the final retn returns here)
    bytes.Add(0x68);
    bytes.AddRange(BitConverter.GetBytes(cnoontext.Eip));
    // pushad (save general registers)
    bytes.Add(0x60);
    // pushfd (save flags)
    bytes.Add(0x9C);
    // push the function arguments onto the stack, last argument first
    for (int i = funcArgs.Length - 1; i >= 0; --i)
    {
        // push imm32
        bytes.Add(0x68);
        bytes.AddRange(BitConverter.GetBytes(funcArgs[i]));
    }
    // mov eax, callAddress
    bytes.Add(0xB8);
    bytes.AddRange(BitConverter.GetBytes(callAddress.ToInt32()));
    // call eax
    bytes.Add(0xFF);
    bytes.Add(0xD0);
    // add esp, arg_count * pointersize (__cdecl caller cleans the stack)
    // The cast truncates to one byte and the imm8 is sign-extended by the CPU,
    // so this encoding is only valid for a small number of arguments.
    bytes.Add(0x83);
    bytes.Add(0xC4);
    bytes.Add((byte)(funcArgs.Length * IntPtr.Size));
    // mov [retaddr], eax (publish the result, which also replaces the 0xDEAD sentinel)
    bytes.Add(0xA3);
    bytes.AddRange(BitConverter.GetBytes(retaddr.ToInt32()));
    // popfd (restore flags)
    bytes.Add(0x9D);
    // popad (restore general registers)
    bytes.Add(0x61);
    // retn (pops the saved EIP pushed first, resuming the thread where it was)
    bytes.Add(0xC3);
    #endregion
    // Initial value is irrelevant; the out parameter below overwrites it.
    var oldProtect = MemoryProtection.ReadOnly;
    // Save the original code and make the page writable and executable for the stub.
    var oldCode = this.ReadBytes(injAddress, bytes.Count);
    if (!VirtualProtectEx(this.Process.Handle, injAddress, bytes.Count, MemoryProtection.ExecuteReadWrite, out oldProtect))
        throw new Win32Exception();
    this.Write(injAddress, bytes.ToArray());
    // Point the suspended thread at the stub and let it run.
    cnoontext.Eip = (uint)injAddress.ToInt32();
    if (!SetThreadCnoontext(tHandle, ref cnoontext) || ResumeThread(tHandle) == 0xFFFFFFFF)
        throw new Win32Exception();
    // Poll the sentinel: up to 0x100 * 15 ms, then fall through regardless.
    // NOTE(review): if the sentinel still reads 0xDEAD after the loop (callee slow, blocked,
    // or returning exactly 0xDEAD), the original code is restored while the stub may still be live.
    for (int i = 0; i < 0x100; ++i)
    {
        System.Threading.Thread.Sleep(15);
        if (this.Read(retaddr) != 0xDEAD)
            break;
    }
    // Restore the original code, then the original page protection, then release the sentinel slot.
    this.Write(injAddress, oldCode);
    if (!FlushInstructionCache(this.Process.Handle, injAddress, bytes.Count))
        throw new Win32Exception();
    if (!VirtualProtectEx(this.Process.Handle, injAddress, bytes.Count, oldProtect, out oldProtect))
        throw new Win32Exception();
    this.Free(retaddr);
}