7 thoughts on “Video Tutorial – Writing Code Caves

  1. I wrote a C# injector for this, with two methods: one uses your code cave, the other allocates memory:

    /// <summary>
    /// Static variant: writes a fixed 33-byte routine into a hard-coded code cave at 0x01004A5C and,
    /// only if that write succeeds, overwrites the 7 bytes at 0x010038AF with a relative JMP into the
    /// cave followed by two NOPs. Every address and every rel32 displacement below is a constant
    /// precomputed for one specific Winmine__XP image, so the bytes are only meaningful at exactly
    /// these addresses; any other build or base address needs the dynamic variant.
    /// </summary>
    private void static_inject_btn_Click(object sender, EventArgs e)
    {
    // NOTE(review): the quote characters are typographic (“ ”) from the web paste; C# expects ASCII ".
    // "Winmine__XP" is presumably the target window/process identifier — RWMemory is not shown here.
    RWM = new RWMemory(“Winmine__XP”);

    // Cave body. PUSHAD/POPAD save and restore the general registers around the SHL/LEA/TEST
    // sequence; the flags set by TEST survive POPAD and drive the JNZ. On the fall-through path
    // 01003512 is called with ECX/EAX pushed, then control jumps back to 010038B6.
    // The three displacements (45 EE FF FF, 9A EA FF FF, 39 EE FF FF) are rel32 values relative to
    // the byte after each instruction and assume the array is written at exactly 0x01004A5C.
    byte[] Injected_code =
    {
    0x60,//PUSHAD
    0xC1, 0xE1, 0x05,//SHL ECX,5
    0x8D, 0x94, 0x08, 0x40, 0x53, 0x00, 0x01,//LEA EDX,DWORD PTR DS:[EAX+ECX+1005340]
    0xF6, 0x02, 0x8F,//TEST BYTE PTR DS:[EDX],8F
    0x61,//POPAD
    0x0F, 0x85, 0x45, 0xEE, 0xFF, 0xFF,//JNZ 010038B6
    0x51,//PUSH ECX
    0x50,//PUSH EAX
    0xE8, 0x9A, 0xEA, 0xFF, 0xFF,//CALL 01003512
    0xE9, 0x39, 0xEE, 0xFF, 0xFF//JMP 010038B6
    };

    // Hook for the original site: E9 A8 11 00 00 is JMP rel32 from 0x010038AF to 0x01004A5C
    // (0x01004A5C - (0x010038AF + 5) = 0x11A8). The two NOPs pad the patch to 7 bytes so that
    // 0x010038B6, where the cave jumps back to, is the first byte left untouched.
    byte[] JMP_to_loc =
    {
    0xE9, 0xA8, 0x11, 0x00, 0x00,//JMP 01004A5C
    0x90,//NOP
    0x90//NOP
    };

    // Install the hook only once the cave contents are in place, otherwise the target would jump
    // into an empty cave. The return value of the second write is not checked.
    // Both writes modify another process's code; whether the pages are made writable is up to
    // RWMemory, which is not visible here.
    if (RWM.WriteMemBytes((IntPtr)0x01004A5C, Injected_code))
    RWM.WriteMemBytes((IntPtr)0x010038AF, JMP_to_loc);
    }

    /// <summary>
    /// Dynamic variant of <see cref="static_inject_btn_Click"/>: the cave address comes from
    /// RWM.AllocateMemory at runtime instead of a fixed 0x01004A5C, so the four rel32 displacements
    /// (JMP into the cave; JNZ, CALL and JMP out of it) are computed from the returned address.
    /// Only the hook site (0x010038AF), the resume address (0x010038B6) and the callee (0x01003512)
    /// remain hard-coded for one specific Winmine__XP image.
    /// </summary>
    private void dynamic_inject_btn_Click(object sender, EventArgs e)
    {
    // NOTE(review): the quote characters are typographic (“ ”) from the web paste; C# expects ASCII ".
    RWM = new RWMemory(“Winmine__XP”);
    int StartHere = 0x010038AF;   // hook site: the 7 bytes here are replaced by JMP rel32 + 2 NOPs
    int ReturnHere = 0x010038B6;  // == StartHere + 7, the first byte the hook does not overwrite

    // 0x21 == 33 == Injected_code.Length. The result is cast to int and never checked for failure,
    // so a failed allocation is only caught indirectly if WriteMemBytes returns false for it.
    // NOTE(review): the int cast truncates the pointer in a 64-bit injector process; this targets a
    // 32-bit XP binary, so presumably the injector is built x86 — confirm.
    int JumpHere = (int)RWM.AllocateMemory(0x21);//size of injected code

    // x86 E8 (CALL), E9 (JMP) and 0F 85 (JNZ) take rel32 = target - address_of_next_instruction.
    // The offsets are where each branch ends inside Injected_code:
    //   PUSHAD(1) + SHL(3) + LEA(7) + TEST(3) + POPAD(1) + JNZ(6) = 21
    //   + PUSH(1) + PUSH(1) + CALL(5)                            = 28
    //   + JMP(5)                                                 = 33
    // and StartHere + 5 is the end of the 5-byte JMP written at the hook site.
    // BitConverter.GetBytes emits host byte order, little-endian on the x86 hosts this is written for.
    // NOTE(review): the minus signs are en-dashes (–) from the web paste; C# expects ASCII -.
    byte[] JMP_to_code = BitConverter.GetBytes(JumpHere – (StartHere + 5));
    byte[] JNZ_Return = BitConverter.GetBytes(ReturnHere – (JumpHere + 21));
    byte[] CALL_Func = BitConverter.GetBytes(0x01003512 – (JumpHere + 28));
    byte[] JMP_Return = BitConverter.GetBytes(ReturnHere – (JumpHere + 33));

    // Same cave body as the static variant, with the three outgoing displacements patched in at
    // byte offsets 17, 24 and 29. PUSHAD/POPAD restore the general registers; the flags from TEST
    // survive POPAD and drive the JNZ.
    byte[] Injected_code =
    {
    0x60,//PUSHAD
    0xC1, 0xE1, 0x05,//SHL ECX,5
    0x8D, 0x94, 0x08, 0x40, 0x53, 0x00, 0x01,//LEA EDX,DWORD PTR DS:[EAX+ECX+1005340]
    0xF6, 0x02, 0x8F,//TEST BYTE PTR DS:[EDX],8F
    0x61,//POPAD
    0x0F, 0x85, JNZ_Return[0], JNZ_Return[1], JNZ_Return[2], JNZ_Return[3],//JNZ 010038B6
    0x51,//PUSH ECX
    0x50,//PUSH EAX
    0xE8, CALL_Func[0], CALL_Func[1], CALL_Func[2], CALL_Func[3],//CALL 01003512
    0xE9, JMP_Return[0], JMP_Return[1], JMP_Return[2], JMP_Return[3]//JMP 010038B6
    };

    // Hook for the original site: 5-byte JMP to the allocated cave plus two NOPs, 7 bytes in total,
    // so execution resumes at ReturnHere when the cave jumps back.
    byte[] JMP_to_loc =
    {
    0xE9, JMP_to_code[0], JMP_to_code[1], JMP_to_code[2], JMP_to_code[3],//JMP to injected code
    0x90,//NOP
    0x90//NOP
    };

    // Install the hook only once the cave is populated; the second write's result is not checked.
    // Both writes modify another process's code; whether the pages are made writable is up to
    // RWMemory, which is not visible here.
    if (RWM.WriteMemBytes((IntPtr)JumpHere, Injected_code))
    RWM.WriteMemBytes((IntPtr)StartHere, JMP_to_loc);

    }

  2. I’ve also been trying to get my C# dll injector working for a while now but no luck so far. Do you know how to make a C# dll injector for windows 7 x64?
