-
-
[原创]x64下jmp远跳、远call的指令
-
发表于: 2016-1-25 10:40
-
我一直在寻找能用,通用,简短的x64远跳河远call指令
现在用的跟大家分享一下,哪位大牛有更好的希望可以指点一下。
还有pushad/popad在x64下有什么好的替代品么?求指点。
远跳:
远call:
所以其实本质上,远跳使用的还是push/ret的原理,远call使用的是push返回地址,再远跳到call的地址。
成品函数:
现在用的跟大家分享一下,哪位大牛有更好的希望可以指点一下。
还有pushad/popad在x64下有什么好的替代品么?求指点。
远跳:
1 2 3 | push 地址的低32位mov dword ptr ss:[rsp+4],地址的高32位ret |
远call:
1 2 3 4 5 6 | call @next //e8 00 00 00 00@next:add dword ptr ss:[rsp],12push 地址的低32位mov dword ptr ss:[rsp+4],地址的高32位ret |
所以其实本质上,远跳使用的还是push/ret的原理,远call使用的是push返回地址,再远跳到call的地址。
成品函数:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 | void CHook::WriteJMP_x64( DWORD_PTR dwFrom , DWORD_PTR dwTo ){ DWORD_PTR dwAdr = dwFrom; DWORD dwOldP; VirtualProtect((LPVOID)dwAdr , 0x100 , PAGE_EXECUTE_READWRITE , &dwOldP); *(BYTE*)dwAdr = 0x68; dwAdr+=1; *(DWORD32*)dwAdr = DWORD32(dwTo & 0xffffffff); dwAdr+=4; *(DWORD32*)dwAdr = DWORD32(0x042444c7); dwAdr+=4; *(DWORD32*)dwAdr = DWORD32(dwTo >> 32); dwAdr+=4; *(BYTE*)dwAdr = 0xc3;//14 bytes}void CHook::WriteCall_x64( DWORD_PTR dwFrom , DWORD_PTR dwTo ){ DWORD_PTR dwAdr = dwFrom; DWORD dwOldP; VirtualProtect((LPVOID)dwAdr , 0x100 , PAGE_EXECUTE_READWRITE , &dwOldP); *(BYTE*)dwAdr = 0xE8; dwAdr+=1; *(DWORD*)dwAdr = DWORD32(0); dwAdr+=4; *(DWORD32*)dwAdr = DWORD32(0x12240483); dwAdr+=4; *(BYTE*)dwAdr = 0x68; dwAdr+=1; *(DWORD32*)dwAdr = DWORD32(dwTo & 0xffffffff); dwAdr+=4; *(DWORD32*)dwAdr = DWORD32(0x042444c7); dwAdr+=4; *(DWORD32*)dwAdr = DWORD32(dwTo >> 32); dwAdr+=4; *(BYTE*)dwAdr = 0xc3;//23 bytes} |
