If you're sure know what you're doing, just list down.
I can't really help, but I can say what you should know if you trying to inject pure assembler code like this.
First.
Code:
004619D6 |. 81C1 EC000000 ADD ECX,0EC
Bold-fonted thing is an address of instruction where it can be found at.
Italic-fonted thing is opcode and operand. Opcode is a number of processor instruction to run and operand is respectively data. In this instruction opcode will be
81C1, which means ADD reg,%something, (note that %something have size 32 bits or four bytes) and operand will be
EC000000, which is 00_00_00_EC in little-endian memory. In that case whole instruction will be
ADD ECX, 000000ECh. In hexview it will be as
81C1EC000000.
Underline-fonted thing is mnemonic code. Mnemocode is just representation of assembler instruction and data.
Hope it clear now.
So, next part
Code:
004619DC |. E8 8F501A00 CALL elementc.00606A70
004619DC -- address of instruction. Remember that as Instruction_address if you're still reading that.
E8 8F501A00 -- instruction
CALL Relative_32-bit_address with data 8F_50_1A_00 in little-endian, thus it
001A508Fh in human-friendly view. That is relative_32-bit_address to jump to.
As you see,
CALL elementc.00606A70 is referring to address
00606A70, so it be Destination.
Destination is calculated that way: Destination=Instruction_address+relative_32-bit_address+5 (apparently, instruction size). Or rather Destination=Instruction_address+5+relative_32-bit_address.
So in this case it will be
004619DC+
001A508F+5. Check this yourself.
What is the goal of previous paraghaph? Ha, it's easy.
You must be sure you calling right code.
So, there is some way to be sure.
- Write static code at constant address
Action Pattern:
- Get Process Handle
- WriteProcessMemory(ConstantAddress,YourCode,SizeOf(YourCode))
- CreateRemoteThread(ConstandAddress)
Advantages:
- Simple code.
- No need to change code in every injection.
Disadvantages:
- You need to choose carefully where to write code.
- Every time you want to change a place to inject you must rewrite code, recompute addresses etc.
- I can't think of any more in that early time. One cup of sleep is what I need.
- Compute address where to call every time you write your code into.
Action Pattern:
- Get Process Handle
- GivenAddress=VirtualAllocEx
- Relative_Address=Destination-5-GivenAddress (in your asm code).
- WriteProcessMemory(GivenAddress,YourCode,SizeOf(YourCode))
- CreateRemoteThread(GivenAddress)
Advantages:
- Simple code.
- No need to change code in every injection by hands.
- In your case (asm instruction constructor in library) it will do. Probably.
Disadvantages:
- Possibly a lot of recompute works, if you work with complete compiled code.
- A questionable measure with compiled code. You may mess up some things, and you probably will do.
- Write basefree, detached code.
Action Pattern:
- Get Process Handle
- GivenAddress=VirtualAllocEx.
- WriteProcessMemory(GivenAddress,YourCode,SizeOf(YourCode))
- CreateRemoteThread(GivenAddress)
Advantages:
- You'll be proud of yourself.
- Your code will be portable, running from any place.
Disadvantages:
- Hard.