Change the way return values are obtained from the target process

warbler · warbler · commit 752a6f46ae5a · 2019-03-23T21:12:16.000+01:00
diff --git a/src/SharpMonoInjector/Assembler.cs b/src/SharpMonoInjector/Assembler.cs
@@ -54,6 +54,12 @@ public void AddRsp(byte arg)
             _asm.Add(arg);
         }
 
+        public void MovRaxTo(IntPtr dest)
+        {
+            _asm.AddRange(new byte[] { 0x48, 0xA3 });
+            _asm.AddRange(BitConverter.GetBytes((long)dest));
+        }
+
         public void Push(IntPtr arg)
         {
             _asm.Add((int)arg < 128 ? (byte)0x6A : (byte)0x68);
@@ -77,6 +83,12 @@ public void AddEsp(byte arg)
             _asm.Add(arg);
         }
 
+        public void MovEaxTo(IntPtr dest)
+        {
+            _asm.Add(0xA3);
+            _asm.AddRange(BitConverter.GetBytes((int)dest));
+        }
+
         public void Return()
         {
             _asm.Add(0xC3);
diff --git a/src/SharpMonoInjector/Injector.cs b/src/SharpMonoInjector/Injector.cs
@@ -308,7 +308,11 @@ private void CloseAssembly(IntPtr assembly)
 
         private IntPtr Execute(IntPtr address, params IntPtr[] args)
         {
-            byte[] code = Assemble(address, args);
+            IntPtr retValPtr = Is64Bit
+                ? _memory.AllocateAndWrite((long)0)
+                : _memory.AllocateAndWrite(0);
+
+            byte[] code = Assemble(address, retValPtr, args);
             IntPtr alloc = _memory.AllocateAndWrite(code);
 
             IntPtr thread = Native.CreateRemoteThread(
@@ -322,23 +326,24 @@ private IntPtr Execute(IntPtr address, params IntPtr[] args)
             if (result == WaitResult.WAIT_FAILED)
                 throw new InjectorException("Failed to wait for a remote thread", new Win32Exception(Marshal.GetLastWin32Error()));
 
-            if (!Native.GetExitCodeThread(thread, out IntPtr exitCode))
-                throw new InjectorException("Failed to get the exit code of a remote thread", new Win32Exception(Marshal.GetLastWin32Error()));
+            IntPtr ret = Is64Bit
+                ? (IntPtr)_memory.ReadLong(retValPtr)
+                : (IntPtr)_memory.ReadInt(retValPtr);
 
-            if ((long)exitCode == 0x00000000C0000005)
+            if ((long)ret == 0x00000000C0000005)
                 throw new InjectorException($"An access violation occurred while executing {Exports.First(e => e.Value == address).Key}()");
 
-            return exitCode;
+            return ret;
         }
 
-        private byte[] Assemble(IntPtr address, IntPtr[] args)
+        private byte[] Assemble(IntPtr functionPtr, IntPtr retValPtr, IntPtr[] args)
         {
             return Is64Bit
-                ? Assemble64(address, args)
-                : Assemble86(address, args);
+                ? Assemble64(functionPtr, retValPtr, args)
+                : Assemble86(functionPtr, retValPtr, args);
         }
 
-        private byte[] Assemble86(IntPtr address, IntPtr[] args)
+        private byte[] Assemble86(IntPtr functionPtr, IntPtr retValPtr, IntPtr[] args)
         {
             Assembler asm = new Assembler();
 
@@ -352,15 +357,16 @@ private byte[] Assemble86(IntPtr address, IntPtr[] args)
             for (int i = args.Length - 1; i >= 0; i--)
                 asm.Push(args[i]);
 
-            asm.MovEax(address);
+            asm.MovEax(functionPtr);
             asm.CallEax();
             asm.AddEsp((byte)(args.Length * 4));
+            asm.MovEaxTo(retValPtr);
             asm.Return();
 
             return asm.ToByteArray();
         }
 
-        private byte[] Assemble64(IntPtr address, IntPtr[] args)
+        private byte[] Assemble64(IntPtr functionPtr, IntPtr retValPtr, IntPtr[] args)
         {
             Assembler asm = new Assembler();
 
@@ -372,7 +378,7 @@ private byte[] Assemble64(IntPtr address, IntPtr[] args)
                 asm.CallRax();
             }
 
-            asm.MovRax(address);
+            asm.MovRax(functionPtr);
 
             for (int i = 0; i < args.Length; i++) {
                 switch (i) {
@@ -393,6 +399,7 @@ private byte[] Assemble64(IntPtr address, IntPtr[] args)
 
             asm.CallRax();
             asm.AddRsp(40);
+            asm.MovRaxTo(retValPtr);
             asm.Return();
 
             return asm.ToByteArray();
diff --git a/src/SharpMonoInjector/Memory.cs b/src/SharpMonoInjector/Memory.cs
@@ -48,6 +48,11 @@ public int ReadInt(IntPtr address)
             return BitConverter.ToInt32(ReadBytes(address, 4), 0);
         }
 
+        public long ReadLong(IntPtr address)
+        {
+            return BitConverter.ToInt64(ReadBytes(address, 8), 0);
+        }
+
         public byte[] ReadBytes(IntPtr address, int size)
         {
             byte[] bytes = new byte[size];
diff --git a/src/SharpMonoInjector/Native.cs b/src/SharpMonoInjector/Native.cs
@@ -135,9 +135,5 @@ public static class Native
 
         [DllImport("kernel32.dll", SetLastError = true)]
         public static extern WaitResult WaitForSingleObject(IntPtr hHandle, int dwMilliseconds);
-
-        [DllImport("kernel32.dll", SetLastError = true)]
-        [return: MarshalAs(UnmanagedType.Bool)]
-        public static extern bool GetExitCodeThread(IntPtr hThread, out IntPtr lpExitCode);
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -54,6 +54,12 @@ public void AddRsp(byte arg)`
`54`	`54`	`_asm.Add(arg);`
`55`	`55`	`}`
`56`	`56`
	`57`	`+ public void MovRaxTo(IntPtr dest)`
	`58`	`+ {`
	`59`	`+ _asm.AddRange(new byte[] { 0x48, 0xA3 });`
	`60`	`+ _asm.AddRange(BitConverter.GetBytes((long)dest));`
	`61`	`+ }`
	`62`	`+`
`57`	`63`	`public void Push(IntPtr arg)`
`58`	`64`	`{`
`59`	`65`	`_asm.Add((int)arg < 128 ? (byte)0x6A : (byte)0x68);`
`@@ -77,6 +83,12 @@ public void AddEsp(byte arg)`
`77`	`83`	`_asm.Add(arg);`
`78`	`84`	`}`
`79`	`85`
	`86`	`+ public void MovEaxTo(IntPtr dest)`
	`87`	`+ {`
	`88`	`+ _asm.Add(0xA3);`
	`89`	`+ _asm.AddRange(BitConverter.GetBytes((int)dest));`
	`90`	`+ }`
	`91`	`+`
`80`	`92`	`public void Return()`
`81`	`93`	`{`
`82`	`94`	`_asm.Add(0xC3);`
Original file line number	Diff line number	Diff line change
`@@ -48,6 +48,11 @@ public int ReadInt(IntPtr address)`
`48`	`48`	`return BitConverter.ToInt32(ReadBytes(address, 4), 0);`
`49`	`49`	`}`
`50`	`50`
	`51`	`+ public long ReadLong(IntPtr address)`
	`52`	`+ {`
	`53`	`+ return BitConverter.ToInt64(ReadBytes(address, 8), 0);`
	`54`	`+ }`
	`55`	`+`
`51`	`56`	`public byte[] ReadBytes(IntPtr address, int size)`
`52`	`57`	`{`
`53`	`58`	`byte[] bytes = new byte[size];`
Original file line number	Diff line number	Diff line change
`@@ -135,9 +135,5 @@ public static class Native`
`135`	`135`
`136`	`136`	`[DllImport("kernel32.dll", SetLastError = true)]`
`137`	`137`	`public static extern WaitResult WaitForSingleObject(IntPtr hHandle, int dwMilliseconds);`
`138`		`-`
`139`		`- [DllImport("kernel32.dll", SetLastError = true)]`
`140`		`- [return: MarshalAs(UnmanagedType.Bool)]`
`141`		`- public static extern bool GetExitCodeThread(IntPtr hThread, out IntPtr lpExitCode);`
`142`	`138`	`}`
`143`	`139`	`}`