64-bit targets where the jump distance bigger than 2GB #256

Open
Jai-wei opened this issue Sep 13, 2024 · 0 comments
Jai-wei commented Sep 13, 2024

Question: libmem.alloc_memory_ex. When allocating virtual memory in a 64-bit program, the Windows system will automatically allocate it to a farther place, causing the jmp instruction to be too long. Can this be optimized? Programming language: Python

Problem description

  1. Assume the current instruction is:
notepad++.exe+3A - 00 00                 - add [rax],al
notepad++.exe+3C - 28 01                 - sub [rcx],al
notepad++.exe+3E - 00 00                 - add [rax],al
notepad++.exe+40 - 0E                    - push cs
notepad++.exe+41 - 1F                    - pop ds
notepad++.exe+42 - BA 0E00B409           - mov edx,09B4000E
notepad++.exe+47 - CD 21                 - int 21
notepad++.exe+49 - B8 014CCD21           - mov eax,21CD4C01
notepad++.exe+4E - 54                    - push rsp
  2. The address obtained by using the alloc_memory_ex function is: 0x1d0f84c0000
000001D0F84D0000 | 0000      | ADD BYTE PTR DS:[RAX],AL 
  3. Use the hook_code_ex function to hook. The assembly instructions become:
notepad++.exe+3A - FF25 00000000 00004DF8D0010000 - jmp 1D0F84D0000
notepad++.exe+48 - 90                    - nop 
notepad++.exe+49 - B8 014CCD21           - mov eax,21CD4C01
notepad++.exe+4E - 54                    - push rsp
  4. 👆 The problem is that the jmp command uses 14 bytes to complete: FF25 00000000 00004DF8D0010000

Extended description

  • The alloc function in CE can specify an AllocateNearThisAddress parameter. If specified, memory space will be allocated near this address.
  • At this time, since the address distance is very close, the jmp instruction only needs 5 bytes: E9 6EFFFEFF
  • As shown below:
//////////////////// Before hook
notepad++.exe+8D - 30 EC                 - xor ah,ch
notepad++.exe+8F - 5E                    - pop rsi
notepad++.exe+90 - 66 8E 4A E6           - mov cs,[rdx-1A]

//////////////////// After hook
notepad++.exe+8D - E9 6EFFFEFF           - jmp 7FF7B8D90000
notepad++.exe+92 - 90                    - nop 

So is there any way, when applying for memory, to apply for memory near the specified memory, just like CE's alloc function?

Thank you
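To make the size question concrete, here is an added example (not libmem's code, and not the issue author's) that encodes the two jmp forms shown above and computes the window of allocation base addresses from which the 5-byte form is reachable. The module base 0x7FF7B8DA0000 is an assumption reconstructed from the E9 6EFFFEFF displacement in the post; the alloc result 0x1D0F84D0000 is taken from the post as-is.

```python
"""Trampoline reach check for x86-64 hooks (added example, not libmem code)."""

INT32_MIN, INT32_MAX = -2**31, 2**31 - 1
ALLOC_GRANULARITY = 0x10000  # Windows VirtualAlloc base-address granularity (64 KiB)


def rel32_displacement(src, target):
    """Displacement of a 5-byte E9 jmp placed at src, or None if it does not fit in int32."""
    disp = target - (src + 5)  # rel32 is relative to the instruction that follows the jmp
    return disp if INT32_MIN <= disp <= INT32_MAX else None


def encode_jmp(src, target):
    """Shortest direct jmp from src to target.

    5 bytes (E9 rel32) when target is within +/-2 GiB of src, otherwise the
    14-byte absolute form FF 25 00000000 + 8-byte address (jmp [rip+0]) that
    the issue shows hook_code_ex emitting for a far allocation."""
    disp = rel32_displacement(src, target)
    if disp is not None:
        return b"\xE9" + disp.to_bytes(4, "little", signed=True)
    return b"\xFF\x25\x00\x00\x00\x00" + target.to_bytes(8, "little")


def near_alloc_window(hook_addr, granularity=ALLOC_GRANULARITY):
    """Aligned range [lo, hi] of allocation bases a 5-byte jmp at hook_addr can reach.

    This is the constraint an "allocate near this address" search must satisfy:
    every candidate base passed to the allocator should fall inside this window."""
    lo = hook_addr + 5 + INT32_MIN
    hi = hook_addr + 5 + INT32_MAX
    lo = max(0, -(-lo // granularity) * granularity)  # round up to granularity
    hi = (hi // granularity) * granularity            # round down to granularity
    return lo, hi


def reaches(hook_addr, base):
    """True if a trampoline allocated at base is reachable with the 5-byte jmp."""
    lo, hi = near_alloc_window(hook_addr)
    return lo <= base <= hi


if __name__ == "__main__":
    module_base = 0x7FF7B8DA0000  # assumption reconstructed from the issue's displacement
    print(encode_jmp(module_base + 0x8D, 0x7FF7B8D90000).hex())  # 5-byte form from the post
    print(encode_jmp(module_base + 0x3A, 0x1D0F84D0000).hex())   # 14-byte form from the post
    print(tuple(hex(a) for a in near_alloc_window(module_base + 0x3A)))
```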

@Jai-wei Jai-wei changed the title 64-bit targets where the jump distance bigger than 2GB otherwise 64-bit targets where the jump distance bigger than 2GB Sep 13, 2024