Calculate CALL offset

Question

I'm trying to call a process function in C# by creating an array of bytes, allocating memory, writing to allocated memory, then Creating Remote thread. As far as I know it's the usual way to execute shellcode through a process.

          void WalkFunc()
    {
        byte[] asm = new byte[]
        {
            0x6A, 0x01, //PUSH 1
            0x31, 0xC9, //XOR ECX, ECX
            0xBA, 0x10, 0x00, 0x10, 0x00, //MOV EDX,00+10+00+10
            0xA1, 0xB0, 0x01, 0x83, 0x00, //MOV EAX,DWORD PTR DS:[8301B0]
            0xE8, 0x??, 0x??, 0x??, 0x??, //CALL 0x005378E4
            0xC3 //RETN
        };

        Process proc = Process.GetProcessesByName("process")[0];
        IntPtr hHandle = OpenProcess((int)ProcessAccessFlags.All, false, proc.Id);

        IntPtr hAlloc = VirtualAllocEx(hHandle, IntPtr.Zero, (uint)asm.Length, AllocationType.Commit, MemoryProtection.ExecuteReadWrite);

        UIntPtr bytesWritten = UIntPtr.Zero;

        WriteProcessMemory(hHandle, hAlloc, asm, (uint) asm.Length, out bytesWritten);

        uint iThreadId = 0;

        IntPtr hThread = CreateRemoteThread(hHandle, IntPtr.Zero, 0, hAlloc, IntPtr.Zero, 0, out iThreadId);

    }

As you can see, I'm unable to find the call offset. Indeed, after reading information, I got that call has no static offset so I have to calculate the jump address which is, if I'm not wrong, CALL . In my opinio, my TO is 0x005378E4. But I don't get how to find my FROM knowing that

VirtualAllocEx is assigning an address I can not predict at run time.

Thanks

Answer 1

Direct call uses a rel32 displacement from the end of the call instruction.

You know the address of asm[] because you allocated it. (It's not a compile-time constant because you're using dynamic allocation, so you'll have to use the pointer you get from new).

You tagged this [C++] where pointer math is easy. Just cast to intptr_t and subtract to get a 2's complement integer (because this code only works when compiled on x86 so you can assume that), and check that it's small enough to fit before casting to int32_t. Store that into the array. (You might want to define it as a packed struct, or just use memcpy.)

But your code is [c#]. IDK how to get the raw pointer value as an integer there. It's apparently possible with unsafe. If you can statically allocate your block, that might be easier; you could have the linker do the relocation at link time to reach the given absolute address. (except you'd need to get a relocation generated, so it would just be a lot easier to put your "data" in a separate .asm file. You can still put it in the read-write data section, rather than code, but you could use asm mnemonics to write the code and let the assembler generate a relocation for an absolute call target.

---

You can use an indirect jump with the absolute target address in a register or memory. This is also required anyway if it turns out your block of memory is more than 2GB away from your target (in 64-bit mode).

You might do this just to make your code position-independent so it doesn't need to be fixed up after finding where it's loaded.

; don't forget to save/restore esi around this
mov   esi, 0x005378E4       ; pick any reg the callee won't look at.  save/restore if necessary
call  esi

Or if you can't disturb registers

push   0x005378E4       ; before pushing args so the callee sees the same stack/
push   1
call   [esp+4]

32-bit mode does have a call ptr16:32 direct far call, but don't use that because you'd have to know the correct cs segment descriptor to hard-code. (i.e. the current one). It's also slow, and isn't even available in 64-bit mode, so just don't.