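def __relocateblock(self, block, sourceaddress, destinationaddress):
    """Copy an instruction block to a new address, re-targeting branches that leave it.

    Args:
        block: raw instruction bytes originally located at ``sourceaddress``.
        sourceaddress: address ``block`` was taken from.
        destinationaddress: address the relocated copy will be placed at.

    Returns:
        The relocated block as a string of instruction bytes. Relative branches
        and calls whose target lies outside ``block`` are rewritten (and
        promoted to the 4-byte-displacement form) so they still reach the
        original target from the new location; every other instruction is
        copied unchanged.
    """
    blocklength = len(block)
    result = []
    sourceoffset = destoffset = 0
    for sourceinstruction in ia32.disassemble(block):
        sourcelength = len(''.join(sourceinstruction))
        # Address this instruction occupies in the relocated copy. It has to be
        # recomputed per instruction because promoted branches grow, so the
        # destination offset drifts away from the source offset.
        currentaddress = destinationaddress + destoffset
        destinstruction = sourceinstruction
        if ia32.isRelativeBranch(sourceinstruction) or ia32.isRelativeCall(sourceinstruction):
            # Distance from the start of this instruction to its target; the
            # base address cancels out, so any address works here.
            branchoffset = ia32.getRelativeAddress(currentaddress, sourceinstruction) - currentaddress
            targetoffset = sourceoffset + branchoffset
            if targetoffset < 0 or targetoffset >= blocklength:
                # Target is outside the block: keep pointing at the original
                # location. Promote to the long encoding *before* computing the
                # displacement, so the displacement is relative to the length
                # of the instruction actually emitted (promoting afterwards
                # would shift the target by the growth in length; __updatebranch
                # uses the same order).
                operand = sourceaddress + targetoffset
                destinstruction = ia32.promoteBranch(sourceinstruction, 4)
                destinstruction = ia32.setRelativeAddress(currentaddress, destinstruction, operand)
            # NOTE(review): a branch that stays inside the block is copied
            # verbatim; if an earlier instruction in the block was promoted,
            # that intra-block displacement is stale -- confirm callers only
            # relocate blocks without such branches.
        destinstruction = ''.join(destinstruction)
        result.append(destinstruction)
        # Advance both cursors; the original never moved sourceoffset or
        # currentaddress, so only the first instruction was relocated correctly.
        sourceoffset += sourcelength
        destoffset += len(destinstruction)
    return ''.join(result)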
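def __relocateblock(self, block, sourceaddress, destinationaddress):
    """Copy an instruction block to a new address, re-targeting branches that leave it.

    Args:
        block: raw instruction bytes originally located at ``sourceaddress``.
        sourceaddress: address ``block`` was taken from.
        destinationaddress: address the relocated copy will be placed at.

    Returns:
        The relocated block as a string of instruction bytes. Relative branches
        and calls whose target lies outside ``block`` are rewritten (and
        promoted to the 4-byte-displacement form) so they still reach the
        original target from the new location; every other instruction is
        copied unchanged.
    """
    blocklength = len(block)
    result = []
    sourceoffset = destoffset = 0
    for sourceinstruction in ia32.disassemble(block):
        sourcelength = len(''.join(sourceinstruction))
        # Address this instruction occupies in the relocated copy. It has to be
        # recomputed per instruction because promoted branches grow, so the
        # destination offset drifts away from the source offset.
        currentaddress = destinationaddress + destoffset
        destinstruction = sourceinstruction
        if ia32.isRelativeBranch(sourceinstruction) or ia32.isRelativeCall(sourceinstruction):
            # Distance from the start of this instruction to its target; the
            # base address cancels out, so any address works here.
            branchoffset = ia32.getRelativeAddress(currentaddress, sourceinstruction) - currentaddress
            targetoffset = sourceoffset + branchoffset
            if targetoffset < 0 or targetoffset >= blocklength:
                # Target is outside the block: keep pointing at the original
                # location. Promote to the long encoding *before* computing the
                # displacement, so the displacement is relative to the length
                # of the instruction actually emitted (promoting afterwards
                # would shift the target by the growth in length; __updatebranch
                # uses the same order).
                operand = sourceaddress + targetoffset
                destinstruction = ia32.promoteBranch(sourceinstruction, 4)
                destinstruction = ia32.setRelativeAddress(currentaddress, destinstruction, operand)
            # NOTE(review): a branch that stays inside the block is copied
            # verbatim; if an earlier instruction in the block was promoted,
            # that intra-block displacement is stale -- confirm callers only
            # relocate blocks without such branches.
        destinstruction = ''.join(destinstruction)
        result.append(destinstruction)
        # Advance both cursors; the original never moved sourceoffset or
        # currentaddress, so only the first instruction was relocated correctly.
        sourceoffset += sourcelength
        destoffset += len(destinstruction)
    return ''.join(result)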
def __updatebranch(self, address, instruction, target):
    """Re-target the relative branch ``instruction`` located at ``address`` to ``target``.

    The instruction is widened to the 4-byte displacement form first, so the
    displacement computed by setRelativeAddress is relative to the long
    encoding that is actually emitted. It is promoted once more afterwards,
    exactly as before -- presumably a no-op on an already-widened branch, but
    the ia32 helper's semantics are not visible here.

    Returns the rewritten ia32 instruction object.
    """
    widened = ia32.promoteBranch(instruction, 4)
    retargeted = ia32.setRelativeAddress(address, widened, target)
    return ia32.promoteBranch(retargeted, 4)
def __createbranch(self, address, opcode, target):
    """Build a fresh relative branch at ``address`` that jumps to ``target``.

    A blank ia32 instruction is given ``opcode``, its displacement is set
    relative to ``address`` so that it reaches ``target``, and it is then
    promoted to the 4-byte displacement form. Returns the instruction object.

    NOTE(review): the displacement is computed before promotion here, whereas
    __updatebranch promotes first; if promoteBranch does not rebase the
    displacement when the encoding grows, the emitted target is offset by the
    length difference -- confirm against the ia32 helper.
    """
    instruction = ia32.setOpcode(ia32.new(), opcode)
    retargeted = ia32.setRelativeAddress(address, instruction, target)
    return ia32.promoteBranch(retargeted, 4)
77350113 5b pop ebx 77350114 59 pop ecx 77350115 6a00 push 0 77350117 51 push ecx 77350118 e873fd0000 call ntdll!ZwContinue (7735fe90) """ """ relocated ntdll!KiUserExceptionDispatcher+0xf: 7735010f e9fafe4e89 jmp 0084000e 77350114 59 pop ecx 77350115 6a00 push 0 77350117 51 push ecx 77350118 e873fd0000 call ntdll!ZwContinue (7735fe90) """ """ hook 00840000 0ac0 or al,al *00840002 0f841b01b176 je ntdll!KiUserExceptionDispatcher+0x23 (77350123) 00840008 5b pop ebx 00840009 e90601b176 jmp ntdll!KiUserExceptionDispatcher+0x14 (77350114) 0084000e 90 nop 0084000f e9ecffffff jmp 00840000 """ if True: currentaddress = 0x840002 sourceinstruction = ia32.decode('\x74\x0c') operand = 0x7735011f n = ia32.setRelativeAddress(currentaddress, sourceinstruction, operand) promoted = ia32.promoteBranch(n, 4)
def __updatebranch(self, address, instruction, target):
    """Re-target the relative branch ``instruction`` located at ``address`` to ``target``.

    The instruction is widened to the 4-byte displacement form first, so the
    displacement computed by setRelativeAddress is relative to the long
    encoding that is actually emitted. It is promoted once more afterwards,
    exactly as before -- presumably a no-op on an already-widened branch, but
    the ia32 helper's semantics are not visible here.

    Returns the rewritten ia32 instruction object.
    """
    widened = ia32.promoteBranch(instruction, 4)
    retargeted = ia32.setRelativeAddress(address, widened, target)
    return ia32.promoteBranch(retargeted, 4)
def __createbranch(self, address, opcode, target):
    """Build a fresh relative branch at ``address`` that jumps to ``target``.

    A blank ia32 instruction is given ``opcode``, its displacement is set
    relative to ``address`` so that it reaches ``target``, and it is then
    promoted to the 4-byte displacement form. Returns the instruction object.

    NOTE(review): the displacement is computed before promotion here, whereas
    __updatebranch promotes first; if promoteBranch does not rebase the
    displacement when the encoding grows, the emitted target is offset by the
    length difference -- confirm against the ia32 helper.
    """
    instruction = ia32.setOpcode(ia32.new(), opcode)
    retargeted = ia32.setRelativeAddress(address, instruction, target)
    return ia32.promoteBranch(retargeted, 4)
77350115 6a00 push 0 77350117 51 push ecx 77350118 e873fd0000 call ntdll!ZwContinue (7735fe90) """ """ relocated ntdll!KiUserExceptionDispatcher+0xf: 7735010f e9fafe4e89 jmp 0084000e 77350114 59 pop ecx 77350115 6a00 push 0 77350117 51 push ecx 77350118 e873fd0000 call ntdll!ZwContinue (7735fe90) """ """ hook 00840000 0ac0 or al,al *00840002 0f841b01b176 je ntdll!KiUserExceptionDispatcher+0x23 (77350123) 00840008 5b pop ebx 00840009 e90601b176 jmp ntdll!KiUserExceptionDispatcher+0x14 (77350114) 0084000e 90 nop 0084000f e9ecffffff jmp 00840000 """ if True: currentaddress = 0x840002 sourceinstruction = ia32.decode('\x74\x0c') operand = 0x7735011f n = ia32.setRelativeAddress(currentaddress, sourceinstruction, operand) promoted = ia32.promoteBranch(n, 4)