C# Class GrayStorm.assemblyControlFlow

显示文件 Open project: GrayKernel/GrayStorm

Public Methods

Method Description
PatternAt ( byte source, byte pattern ) : int
replaceDwordCall ( IntPtr methodPointer ) : void

At the time of a call the dword register is called as such 0xFF call dword [00189AC4h] which is 6 bytes of 0xFF,0x15,0xC4,0x9A,0x18,0x0 I can then select the immediate value and use that as a selector to find the index into memory to set up a new relative call. Once the index in memory is located, I can use manipulation of the long type to calculate a new offset. I then place that offset into the location of the 0xFF by replacing the sequence with a "call immediate/0xE8" instruction.
replaceE8Call ( IntPtr methodPointer ) : void

Replace a 0xE8 call dstAddress - methodFunPtr + callOffset + byteOffset = new destination address

Method Details

PatternAt() public static method

public static PatternAt ( byte source, byte pattern ) : int
source byte
pattern byte
return int

replaceDwordCall() public static method

At the time of a call the dword register is called as such 0xFF call dword [00189AC4h] which is 6 bytes of 0xFF,0x15,0xC4,0x9A,0x18,0x0 I can then select the immediate value and use that as a selector to find the index into memory to set up a new relative call. Once the index in memory is located, I can use manipulation of the long type to calculate a new offset. I then place that offset into the location of the 0xFF by replacing the sequence with a "call immediate/0xE8" instruction.
public static replaceDwordCall ( IntPtr methodPointer ) : void
methodPointer System.IntPtr
return void

replaceE8Call() public static method

Replace a 0xE8 call dstAddress - methodFunPtr + callOffset + byteOffset = new destination address
public static replaceE8Call ( IntPtr methodPointer ) : void
methodPointer System.IntPtr
return void