C# Remote Codecave Injection x64
Below is an implementation of a remote codecave injection into an x64 process using C#. Since x64 no longer offers a direct
jmp absolute_addr
we have to do it in two steps –
mov rax, addr
and
jmp rax
In your codecave, you will have to remember to do two things – execute the original instructions that the hook overwrote, then jump back to the original code.
// 12 bytes
// x64 has no jmp with a 64-bit absolute immediate, so the hook stub is
// `mov rax, imm64` (48 B8 + 8-byte immediate) followed by `jmp rax` (FF E0).
// Bytes 2..9 are a placeholder that Codecave_x64 overwrites in place with the
// target address, so this array is shared mutable state: every call rewrites it,
// and concurrent calls on the same instance would race on it.
// NOTE(review): the RWX protection change plus a write into another process's
// executable memory (see Codecave_x64) is a well-known process-injection
// indicator; cross-process VirtualProtectEx / memory-write telemetry is the
// usual detection point for defenders.
byte[] patch = {
0x48, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // mov rax, absolute addr
0xFF, 0xE0 // jmp rax
};
/// <summary>
/// Installs the 12-byte absolute-jump stub held in <c>patch</c> at <paramref name="addressToHook"/>
/// inside the process <paramref name="hProcess"/>, redirecting execution to <paramref name="gotoAddress"/>.
/// The 12 bytes are made PAGE_EXECUTE_READWRITE for the write and the saved protection is put back afterwards.
/// </summary>
/// <param name="hProcess">Handle to the target process; passed straight through to VirtualProtectEx and WriteBuffer.</param>
/// <param name="addressToHook">Address in the target process whose first 12 bytes are overwritten by the stub.</param>
/// <param name="gotoAddress">Absolute address the stub jumps to; written into bytes 2..9 of <c>patch</c>.</param>
/// <param name="numOfBytes">Length of the original instructions displaced by the hook; meant to drive the NOP padding (see the note in the body).</param>
/// <returns>Always <see cref="IntPtr.Zero"/>; the return value carries no success or failure information.</returns>
public IntPtr Codecave_x64(IntPtr hProcess, IntPtr addressToHook, IntPtr gotoAddress, int numOfBytes)
{
// Little-endian 8-byte immediate for `mov rax, imm64`. The (long) cast is redundant: ToInt64() already returns long.
byte[] gotoAddressBytes = BitConverter.GetBytes((long)gotoAddress.ToInt64());
// Mutates the shared `patch` field in place (bytes 2..9 hold the immediate).
Array.Copy(gotoAddressBytes, 0, patch, 2, 8);
// Write bytes for hook
// Only patch.Length (12) bytes are made writable, not numOfBytes. The BOOL result of
// VirtualProtectEx is discarded, so a failed protection change goes unnoticed and the
// write below is attempted regardless.
uint oldProtect;
VirtualProtectEx(hProcess, addressToHook, (UInt32)patch.Length, (uint)Protection.PAGE_EXECUTE_READWRITE, out oldProtect);
// VirtualProtectEx, WriteBuffer, WriteByte and Protection are declared elsewhere in this
// class; presumably WriteBuffer wraps a cross-process memory write — not visible here.
WriteBuffer(hProcess, addressToHook, patch);
// Fill Nops
// NOTE(review): under this guard `patch.Length - numOfBytes` is negative, so the loop
// body never runs and no 0x90 bytes are written. WriteByte is also called without
// hProcess, unlike WriteBuffer above.
if (numOfBytes > patch.Length)
{
for (int i = 0; i < patch.Length - numOfBytes; i++)
{
WriteByte(addressToHook + patch.Length + i, 0x90);
}
}
// Restore the saved protection; oldProtect doubles as the out parameter and the result is again unchecked.
VirtualProtectEx(hProcess, addressToHook, (UInt32)patch.Length, oldProtect, out oldProtect);
return IntPtr.Zero;
}