def __relocateblock(self, block, sourceaddress, destinationaddress):
blocklength = len(block)
result = []
sourceoffset = destoffset = 0
currentaddress = destinationaddress
for sourceinstruction in ia32.disassemble(block):
sourcelength = len(''.join(sourceinstruction))
destinstruction = sourceinstruction
if ia32.isRelativeBranch(sourceinstruction) or ia32.isRelativeCall(
sourceinstruction):
branchoffset = ia32.getRelativeAddress(
currentaddress, sourceinstruction) - currentaddress
targetoffset = sourceoffset + branchoffset
if (targetoffset < 0) or (targetoffset >= blocklength):
operand = sourceaddress + targetoffset
destinstruction = ia32.setRelativeAddress(
currentaddress, sourceinstruction, operand)
destinstruction = ia32.promoteBranch(destinstruction, 4)
pass
destinstruction = ''.join(destinstruction)
result.append(destinstruction)
destoffset += len(destinstruction)
return ''.join(result)
def __calculateblocksize(self, block):
'''return the maximum size required for a block'''
result = 0
for n in ia32.disassemble(block):
if ia32.isRelativeBranch(n) or ia32.isRelativeCall(n):
n = ia32.promoteBranch(n, 4)
instructionlength = len(''.join(n))
result += instructionlength
return result
def __calculateblocksize(self, block):
'''return the maximum size required for a block'''
result = 0
for n in ia32.disassemble(block):
if ia32.isRelativeBranch(n) or ia32.isRelativeCall(n):
n = ia32.promoteBranch(n, 4)
instructionlength = len(''.join(n))
result += instructionlength
return result
def __relocateblock(self, block, sourceaddress, destinationaddress):
blocklength = len(block)
result = []
sourceoffset = destoffset = 0
currentaddress = destinationaddress
for sourceinstruction in ia32.disassemble(block):
sourcelength = len(''.join(sourceinstruction))
destinstruction = sourceinstruction
if ia32.isRelativeBranch(sourceinstruction) or ia32.isRelativeCall(sourceinstruction):
branchoffset = ia32.getRelativeAddress(currentaddress, sourceinstruction) - currentaddress
targetoffset = sourceoffset + branchoffset
if (targetoffset < 0) or (targetoffset >= blocklength):
operand = sourceaddress + targetoffset
destinstruction = ia32.setRelativeAddress(currentaddress, sourceinstruction, operand)
destinstruction = ia32.promoteBranch(destinstruction,4)
pass
destinstruction = ''.join(destinstruction)
result.append(destinstruction)
destoffset += len(destinstruction)
return ''.join(result)
def __updatebranch(self, address, instruction, target):
newinstruction = ia32.promoteBranch(instruction, 4)
return ia32.promoteBranch(
ia32.setRelativeAddress(address, newinstruction, target), 4)
def __createbranch(self, address, opcode, target):
res = ia32.setOpcode(ia32.new(), opcode)
res = ia32.setRelativeAddress(address, res, target)
res = ia32.promoteBranch(res, 4)
return res
77350113 5b pop ebx
77350114 59 pop ecx
77350115 6a00 push 0
77350117 51 push ecx
77350118 e873fd0000 call ntdll!ZwContinue (7735fe90)
"""
"""
relocated
ntdll!KiUserExceptionDispatcher+0xf:
7735010f e9fafe4e89 jmp 0084000e
77350114 59 pop ecx
77350115 6a00 push 0
77350117 51 push ecx
77350118 e873fd0000 call ntdll!ZwContinue (7735fe90)
"""
"""
hook
00840000 0ac0 or al,al
*00840002 0f841b01b176 je ntdll!KiUserExceptionDispatcher+0x23 (77350123)
00840008 5b pop ebx
00840009 e90601b176 jmp ntdll!KiUserExceptionDispatcher+0x14 (77350114)
0084000e 90 nop
0084000f e9ecffffff jmp 00840000
"""
if True:
currentaddress = 0x840002
sourceinstruction = ia32.decode('\x74\x0c')
operand = 0x7735011f
n = ia32.setRelativeAddress(currentaddress, sourceinstruction, operand)
promoted = ia32.promoteBranch(n, 4)
def __updatebranch(self, address, instruction, target):
newinstruction = ia32.promoteBranch(instruction, 4)
return ia32.promoteBranch(ia32.setRelativeAddress(address, newinstruction, target), 4)
def __createbranch(self, address, opcode, target):
res = ia32.setOpcode( ia32.new(), opcode )
res = ia32.setRelativeAddress(address, res, target)
res = ia32.promoteBranch(res, 4)
return res
77350115 6a00 push 0
77350117 51 push ecx
77350118 e873fd0000 call ntdll!ZwContinue (7735fe90)
"""
"""
relocated
ntdll!KiUserExceptionDispatcher+0xf:
7735010f e9fafe4e89 jmp 0084000e
77350114 59 pop ecx
77350115 6a00 push 0
77350117 51 push ecx
77350118 e873fd0000 call ntdll!ZwContinue (7735fe90)
"""
"""
hook
00840000 0ac0 or al,al
*00840002 0f841b01b176 je ntdll!KiUserExceptionDispatcher+0x23 (77350123)
00840008 5b pop ebx
00840009 e90601b176 jmp ntdll!KiUserExceptionDispatcher+0x14 (77350114)
0084000e 90 nop
0084000f e9ecffffff jmp 00840000
"""
if True:
currentaddress = 0x840002
sourceinstruction = ia32.decode('\x74\x0c')
operand = 0x7735011f
n = ia32.setRelativeAddress(currentaddress, sourceinstruction, operand)
promoted = ia32.promoteBranch(n, 4)
