[原创]x64下jmp远跳、远call的指令
发表于:
2016-1-25 10:40
我一直在寻找能用、通用、简短的x64远跳和远call指令
现在用的跟大家分享一下,哪位大牛有更好的希望可以指点一下。
还有pushad/popad在x64下有什么好的替代品么?求指点。
远跳:
push 地址的低32位
mov dword ptr ss:[rsp+4],地址的高32位
ret
远call:
call @next //e8 00 00 00 00
@next:
add dword ptr ss:[rsp],12h
push 地址的低32位
mov dword ptr ss:[rsp+4],地址的高32位
ret
所以其实本质上,远跳使用的还是push/ret的原理,远call使用的是push返回地址,再远跳到call的地址。
成品函数:
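void CHook::WriteJMP_x64( DWORD_PTR dwFrom , DWORD_PTR dwTo )
{
	// Writes a 14-byte absolute jump to dwTo at dwFrom:
	//   68 <lo32>             push  imm32                     ; sign-extended to 64 bits on the stack
	//   c7 44 24 04 <hi32>    mov   dword ptr [rsp+4], imm32  ; overwrite the high half
	//   c3                    ret                             ; pops the rebuilt 64-bit dwTo into RIP
	// Nothing here checks that dwFrom holds at least 14 bytes of whole instructions
	// that may be clobbered, or that dwTo is executable; that is the caller's contract.
	BYTE stub[14] = { 0x68, 0, 0, 0, 0,
	                  0xc7, 0x44, 0x24, 0x04, 0, 0, 0, 0,
	                  0xc3 };
	const DWORD32 dwLo = DWORD32(dwTo & 0xffffffff);
	const DWORD32 dwHi = DWORD32(dwTo >> 32);
	for (int i = 0; i < 4; ++i)
	{
		// Little-endian immediates, stored byte-wise so no unaligned DWORD store is needed.
		stub[1 + i] = BYTE(dwLo >> (8 * i));
		stub[9 + i] = BYTE(dwHi >> (8 * i));
	}

	// Make only the patched bytes writable, and only for the duration of the write.
	// Previously the whole 0x100-byte range was left RWX and a failed VirtualProtect
	// was ignored, so the stores below would fault on a non-writable target.
	DWORD dwOldP = 0;
	if (!VirtualProtect((LPVOID)dwFrom, sizeof(stub), PAGE_EXECUTE_READWRITE, &dwOldP))
		return; // interface is void: failure is reported by leaving the target untouched
	for (unsigned i = 0; i < sizeof(stub); ++i)
		((BYTE*)dwFrom)[i] = stub[i];
	VirtualProtect((LPVOID)dwFrom, sizeof(stub), dwOldP, &dwOldP);
	// NOTE(review): the 14-byte write is not atomic and the instruction cache is not
	// flushed (FlushInstructionCache); a thread executing dwFrom concurrently may run
	// a half-written stub.
}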
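void CHook::WriteCall_x64( DWORD_PTR dwFrom , DWORD_PTR dwTo )
{
	// Writes a 23-byte absolute call to dwTo at dwFrom:
	//   e8 00 00 00 00        call  next                      ; pushes the address of "next"
	//   next:
	//   83 04 24 12           add   dword ptr [rsp], 12h      ; 18 = bytes from "next" to the end of the stub
	//   68 <lo32>             push  imm32
	//   c7 44 24 04 <hi32>    mov   dword ptr [rsp+4], imm32
	//   c3                    ret                             ; "returns" into dwTo; dwTo's own ret lands at dwFrom+23
	// The add only touches the low dword of the pushed return address, so the carry is
	// lost (and the callee returns to the wrong place) if dwFrom+5 is within 18 bytes
	// below a 4 GiB boundary. Nothing here checks that dwFrom holds 23 bytes of whole
	// instructions that may be clobbered, or that dwTo is executable.
	BYTE stub[23] = { 0xE8, 0, 0, 0, 0,
	                  0x83, 0x04, 0x24, 0x12,
	                  0x68, 0, 0, 0, 0,
	                  0xc7, 0x44, 0x24, 0x04, 0, 0, 0, 0,
	                  0xc3 };
	const DWORD32 dwLo = DWORD32(dwTo & 0xffffffff);
	const DWORD32 dwHi = DWORD32(dwTo >> 32);
	for (int i = 0; i < 4; ++i)
	{
		// Little-endian immediates, stored byte-wise so no unaligned DWORD store is needed.
		stub[10 + i] = BYTE(dwLo >> (8 * i));
		stub[18 + i] = BYTE(dwHi >> (8 * i));
	}

	// Make only the patched bytes writable, and only for the duration of the write.
	// Previously the whole 0x100-byte range was left RWX and a failed VirtualProtect
	// was ignored, so the stores below would fault on a non-writable target.
	DWORD dwOldP = 0;
	if (!VirtualProtect((LPVOID)dwFrom, sizeof(stub), PAGE_EXECUTE_READWRITE, &dwOldP))
		return; // interface is void: failure is reported by leaving the target untouched
	for (unsigned i = 0; i < sizeof(stub); ++i)
		((BYTE*)dwFrom)[i] = stub[i];
	VirtualProtect((LPVOID)dwFrom, sizeof(stub), dwOldP, &dwOldP);
	// NOTE(review): the 23-byte write is not atomic and the instruction cache is not
	// flushed (FlushInstructionCache); a thread executing dwFrom concurrently may run
	// a half-written stub.
}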