C# Remote Codecave Injection x64
Below is an implementation of a remote codecave injection into an x64 process using C#. Since x64 no longer offers a jmp absolute_addr instruction, the jump has to be done in two steps: mov rax, addr
followed by jmp rax.
In your codecave, you will have to remember to do two things: execute the original code from the hooked location, and then jump back to the original code.
// 12-byte hook stub: "mov rax, imm64" (0x48 0xB8 + 8 address bytes) followed by "jmp rax" (0xFF 0xE0).
// The 8 zero bytes at offsets 2..9 are overwritten with the target address inside Codecave_x64.
// NOTE: this is a shared, mutable instance field; every call to Codecave_x64 writes into it in place,
// so the stub is not safe to reuse concurrently.
byte[] patch = {
    0x48, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // mov rax, absolute addr
    0xFF, 0xE0                                                  // jmp rax
};

/// <summary>
/// Overwrites the first 12 bytes at <paramref name="addressToHook"/> in the target process with a
/// "mov rax, gotoAddress; jmp rax" stub, temporarily switching the page protection to
/// PAGE_EXECUTE_READWRITE around the write and restoring it afterwards.
/// </summary>
/// <param name="hProcess">Handle to the target process; passed through to VirtualProtectEx and WriteBuffer.</param>
/// <param name="addressToHook">Address in the target process where the 12-byte stub is written.</param>
/// <param name="gotoAddress">Absolute address placed into the stub's mov rax immediate.</param>
/// <param name="numOfBytes">Intended length of the displaced instructions; see the padding note below.</param>
/// <returns>Always <see cref="IntPtr.Zero"/>; the method does not report success or failure.</returns>
public IntPtr Codecave_x64(IntPtr hProcess, IntPtr addressToHook, IntPtr gotoAddress, int numOfBytes)
{
    // 8-byte image of the address in host byte order; the (long) cast is redundant because
    // ToInt64() already returns a long.
    byte[] gotoAddressBytes = BitConverter.GetBytes((long)gotoAddress.ToInt64());
    Array.Copy(gotoAddressBytes, 0, patch, 2, 8);

    // Write bytes for hook.
    // Only patch.Length bytes are made writable, and the return value of VirtualProtectEx is not
    // checked, so a failed protection change goes unnoticed and WriteBuffer is attempted anyway.
    // NOTE(review): a cross-process protection change to PAGE_EXECUTE_READWRITE followed by a write
    // into executable memory is the sequence that memory-protection monitoring typically alerts on.
    uint oldProtect;
    VirtualProtectEx(hProcess, addressToHook, (UInt32)patch.Length, (uint)Protection.PAGE_EXECUTE_READWRITE, out oldProtect);
    WriteBuffer(hProcess, addressToHook, patch);

    // Fill Nops.
    // NOTE(review): inside this branch numOfBytes > patch.Length, so the loop bound
    // patch.Length - numOfBytes is negative and the loop body never executes; no padding is written.
    // The bytes past the stub also lie outside the range covered by the VirtualProtectEx call above.
    // WriteByte is called without hProcess, unlike WriteBuffer — presumably it targets the same
    // process via other state; TODO confirm.
    if (numOfBytes > patch.Length)
    {
        for (int i = 0; i < patch.Length - numOfBytes; i++)
        {
            WriteByte(addressToHook + patch.Length + i, 0x90);
        }
    }

    // Restore the previous protection; oldProtect doubles as the (discarded) output of this call,
    // and this result is not checked either.
    VirtualProtectEx(hProcess, addressToHook, (UInt32)patch.Length, oldProtect, out oldProtect);
    return IntPtr.Zero;
}