libmem
libmem copied to clipboard
Published
20 hours ago •
rdbo
rdbo
64-bit targets where the jump distance bigger than 2GB
Question:libmem.alloc_memory_ex When allocating virtual memory in a 64-bit program, the Windows system will automatically allocate it to a farther place, causing the jmp instruction to be too long. Can this be optimized? Programming language: Python
Problem description:
- Assume the current instruction is:
notepad++.exe+3A - 00 00 - add [rax],al
notepad++.exe+3C - 28 01 - sub [rcx],al
notepad++.exe+3E - 00 00 - add [rax],al
notepad++.exe+40 - 0E - push cs
notepad++.exe+41 - 1F - pop ds
notepad++.exe+42 - BA 0E00B409 - mov edx,09B4000E
notepad++.exe+47 - CD 21 - int 21
notepad++.exe+49 - B8 014CCD21 - mov eax,21CD4C01
notepad++.exe+4E - 54 - push rsp
- The address obtained by using the
alloc_memory_exfunction is:0x1d0f84c0000
000001D0F84D0000 | 0000 | ADD BYTE PTR DS:[RAX],AL
- Use
hook_code_exfunction to hook,The assembly instructions become:
notepad++.exe+3A - FF25 00000000 00004DF8D0010000 - jmp 1D0F84D0000
notepad++.exe+48 - 90 - nop
notepad++.exe+49 - B8 014CCD21 - mov eax,21CD4C01
notepad++.exe+4E - 54 - push rsp
- 👆The problem is that the
jmpcommand uses 14 bytes to complete:FF25 00000000 00004DF8D0010000
Extended description:
- The
allocfunction in CE can specify anAllocateNearThisAddressparameter. If specified, memory space will be allocated near this address. - At this time, since the address distance is very close, the
jmpinstruction only needs 5 bytes:E9 6EFFFEFF - As shown below:
//////////////////// Before hook
notepad++.exe+8D - 30 EC - xor ah,ch
notepad++.exe+8F - 5E - pop rsi
notepad++.exe+90 - 66 8E 4A E6 - mov cs,[rdx-1A]
//////////////////// After hook
notepad++.exe+8D - E9 6EFFFEFF - jmp 7FF7B8D90000
notepad++.exe+92 - 90 - nop
So is there any way, when applying for memory, to apply for memory near the specified memory, just like CE's alloc function?
Thank you
