
I have this code that is supposed to insert the address of my function into memory by using `LEA` and then calling it, but when I do this it doesn't insert the correct function address using `LEA` but something completely different. How would I change the code below to `lea rax` to the correct function?

```cpp
// 4-byte "lea rax, [disp32]" opcode (48 8D 04 25), a 4-byte absolute disp32,
// 4 bytes of padding, then "call rax" (FF D0).
BYTE orig[] = { 0x48, 0x8D, 0x04, 0x25, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xD0 };
BYTE shell_code[] = { 0x48, 0x8D, 0x04, 0x25 }; // lea rax, [disp32] (absolute, sign-extended 32-bit displacement)

memcpy((PVOID)((ULONG_PTR)orig), &shell_code, sizeof(shell_code));
uintptr_t hook_address = reinterpret_cast<uintptr_t>(kernel_function_address);
// Copies all 8 bytes of the address, but the instruction only has room for a 4-byte disp32:
// the low half lands in the displacement and the high half spills into the padding bytes.
memcpy((PVOID)((ULONG_PTR)orig + sizeof(shell_code)), &hook_address, sizeof(void*));
```

This is the output:

But the function address should be something more similar to:

I would appreciate any help possible, thank you!

  • If you don't want an absolute `[disp32]` addressing mode, don't use one. Perhaps you want a `mov reg, imm64` instruction so you can fill in a 64-bit absolute address? (a `void*` / `uintptr_t`) – Peter Cordes May 08 '21 at 18:53
  • @PeterCordes I would've used `mov` but for this project I can't so I thought `LEA` would be a good alternative – Okrus Nakamoto May 08 '21 at 18:57
  • 1
    LEA doesn't have a form that can take a 64-bit absolute immediate, so no, it isn't. If it's in range for a `rel32`, you could use a RIP-relative addressing mode. – Peter Cordes May 08 '21 at 19:07
  • @PeterCordes how could I use RIP-relative addressing in this situation? – Okrus Nakamoto May 08 '21 at 20:22
  • By calculating `hook_address - (orig + 7)` and copying that int32_t into the rel32, if the displacement doesn't overflow an `int32_t`. (i.e. if `(int32_t)x == x`, for a `ptrdiff_t x`). Exactly like you'd [calculate a `call rel32`](https://stackoverflow.com/questions/47494744/how-does-work-in-nasm-exactly), but for the end of a 7-byte `lea rax, [RIP+rel32]`. Semi-related: [Handling calls to (potentially) far away ahead-of-time compiled functions from JITed code](https://stackoverflow.com/q/54947302) – Peter Cordes May 08 '21 at 20:26
  • @PeterCordes Thank you, but I seem to have a problem when calculating the first bit. I get the error that `expression must have arithmetic or unscoped enum typ` so I can't add 7 to the entire orig. I'm sorry if I'm being annoying but I would really appreciate help, thank you! – Okrus Nakamoto May 08 '21 at 20:48
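Putting the RIP-relative approach from the comments into code, as an added example that is not from the question or from Peter Cordes: it encodes the 7-byte `lea rax, [rip+rel32]` followed by `call rax`, applies the `(int32_t)x == x` range check, and does the `+ 7` arithmetic on an integer rather than on the array (which is what triggers the "expression must have arithmetic or unscoped enum type" error). The stub and target addresses used in `main` are constructed sample values, and the function names are mine.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STUB_LEN 9   /* 7-byte lea rax,[rip+rel32] + 2-byte call rax */

/* Write "lea rax, [rip + rel32]; call rax" into `out`, for a stub that will
 * execute at `stub_addr` and must reach `target`. x86-64 RIP-relative
 * displacements are measured from the end of the instruction, i.e.
 * stub_addr + 7 for the 7-byte LEA (48 8D 05 <rel32>). Returns false and
 * leaves `out` untouched when the distance does not fit in an int32_t. */
bool encode_lea_rip_call(uint8_t out[STUB_LEN], uintptr_t stub_addr, uintptr_t target) {
    /* Do the arithmetic on integers, not on the byte array itself. */
    int64_t x = (int64_t)target - (int64_t)(stub_addr + 7);
    if ((int32_t)x != x)          /* the range check from the comments above */
        return false;
    int32_t rel32 = (int32_t)x;

    static const uint8_t lea_rax_rip[] = { 0x48, 0x8D, 0x05 }; /* REX.W lea rax, [rip+disp32] */
    static const uint8_t call_rax[]    = { 0xFF, 0xD0 };       /* call rax */
    memcpy(out, lea_rax_rip, 3);
    memcpy(out + 3, &rel32, 4);   /* little-endian disp32: exactly 4 bytes, never 8 */
    memcpy(out + 7, call_rax, 2);
    return true;
}

/* Read the rel32 back out of an encoded stub. */
int32_t stub_rel32(const uint8_t stub[STUB_LEN]) {
    int32_t rel32;
    memcpy(&rel32, stub + 3, 4);
    return rel32;
}

/* Recompute the address the LEA will load when the stub runs at stub_addr. */
uintptr_t stub_target(const uint8_t stub[STUB_LEN], uintptr_t stub_addr) {
    return stub_addr + 7 + (int64_t)stub_rel32(stub);
}

int main(void) {
    uint8_t stub[STUB_LEN];
    /* Constructed sample addresses: stub at 0x1000 reaching a function at 0x2000. */
    if (encode_lea_rip_call(stub, 0x1000, 0x2000)) {
        for (int i = 0; i < STUB_LEN; i++) printf("%02X ", stub[i]);
        printf(" -> rax = %#lx\n", (unsigned long)stub_target(stub, 0x1000));
    }
    /* More than 2 GiB away: a rel32 cannot express it, so fall back to mov rax, imm64. */
    if (!encode_lea_rip_call(stub, 0x1000, 0x1000 + (1ULL << 32)))
        puts("target out of rel32 range");
    return 0;
}
```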
