В этой теме нет ответов

[movsd]

Я видел много пример сплайсинга, но никогда - для х64 систем на FASM. Надеюсь это поможет низкоуровневым кодерам скорее перейти на х64 системы.

format PE64 GUI
include 'win64a.inc'
section '.Oil' code readable executable
entry Start
macro InjectSplicing newProc, oldProc, TrampCodeBuff, OldCodeBuff, iBytes
{
mov rax, newProc
lea rdx, [TrampCodeBuff]
mov Byte [rdx], 048h
mov Byte [rdx+01h], 0b8h
mov QWord [rdx+02h], rax
mov Byte [rdx+0ah], 050h
mov Byte [rdx+0bh], 0c3h
invoke ReadProcessMemory, INVALID_HANDLE_VALUE, oldProc, OldCodeBuff, 0ch, iBytes
invoke WriteProcessMemory, INVALID_HANDLE_VALUE, oldProc, TrampCodeBuff, 0ch, iBytes
}
Start:
invoke MessageBoxA, 0, szMessage, szMessage, 0
InjectSplicing NewMessageBoxA,[MessageBoxA], TrampCodeMBA, OldCodeMBA, iWritten
invoke MessageBoxA, 0, szMessage, szMessage, 0
invoke WriteProcessMemory, INVALID_HANDLE_VALUE, [MessageBoxA], OldCodeMBA, 0ch, iWritten
invoke MessageBoxA, 0, szMessage, szMessage, 0
invoke ExitProcess, 0h
proc NewMessageBoxA P1, P2, P3, P4
local Result dq ?
mov [P1], rcx
mov [P2], rdx
mov [P3], r8
mov [P4], r9
invoke WriteProcessMemory, INVALID_HANDLE_VALUE, [MessageBoxA], OldCodeMBA, 0ch, iWritten
sub rsp, 020h
mov rcx, [P1]
mov r9, [P4]
mov rdx, szMessageHacked
mov r8, rdx
push .NextStepCTP
push  [MessageBoxA]
ret  0h
.NextStepCTP:
add rsp, 020h
mov [Result], rax
invoke WriteProcessMemory, INVALID_HANDLE_VALUE, [MessageBoxA], TrampCodeMBA, 0ch, iWritten
mov rax, [Result]
ret
endp

section '.DATA' data readable writeable
iWritten dq 0h
OldCodeMBA db 0ch dup (?)
TrampCodeMBA db 0ch dup (?)
szMessage db 'Matrix is anywere',0
szMessageHacked db 'I hacked your MessageBox!',0h
section '.IDATA' import data readable writeable
library kernel, 'kernel32.dll',\
  user, 'user32.dll'

import kernel,\
  ReadProcessMemory, 'ReadProcessMemory',\
  WriteProcessMemory, 'WriteProcessMemory',\
  ExitProcess, 'ExitProcess'
 
import user,\
  MessageBoxA, 'MessageBoxA'