  1. #1 Torpedoes (Elder, Doomsayer)

    [C/C++] Dynamically Executed Code

    Here's a technique which I learned about during my reverse engineering adventures that I thought you guys might enjoy as well. I got interested in trying this out after I reverse engineered a Unity game and noticed it had a lot of runtime generated native code. A lot of other software does this but I imagine not many of you have tried it yourselves.

    In essence this prints out Hello World!, but it does so in a runtime-generated fashion. The values in the mystery variable are pre-assembled x86 instructions defining a function which get written to executable memory and invoked. This mystery code can come from anywhere, including over the internet or auto-assembled from a scripting language, and can be used in anti-cheating, malware, scripting, etc. Go ahead and try this out today if you haven't already, it's pretty fun!


    Code:
    #include <stdio.h>
    #include <Windows.h>
    
    /* printf's signature; a pointer to it is the generated function's only argument. */
    typedef int (__cdecl *PRINTF) (const char* _Format, ...);
    /* The generated function uses cdecl: it reads its argument at [ebp+8] and ends in a plain ret. */
    typedef void (__cdecl *Mystery) (PRINTF p);
    
    int main (void)
    {
    	/* Pre-assembled 32-bit x86 code (the Mystery() source in the second listing):
    	   push ebp / mov ebp,esp / sub esp,10h, twelve byte stores that spell
    	   "Hello World!\n\0" at [ebp-10h], lea eax,[ebp-10h] / push eax /
    	   call [ebp+8] / add esp,4 / mov esp,ebp / pop ebp / ret.
    	   unsigned so values above 0x7F are not narrowed when built as C++.
    	   Only works in a 32-bit (x86) build. */
    	const unsigned char mystery[] =
    	{
    		0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10,
    		0xC6, 0x45, 0xF0, 0x48, 0xC6, 0x45,
    		0xF1, 0x65, 0xC6, 0x45, 0xF2, 0x6C,
    		0xC6, 0x45, 0xF3, 0x6C, 0xC6, 0x45,
    		0xF4, 0x6F, 0xC6, 0x45, 0xF5, 0x20,
    		0xC6, 0x45, 0xF6, 0x57, 0xC6, 0x45,
    		0xF7, 0x6F, 0xC6, 0x45, 0xF8, 0x72,
    		0xC6, 0x45, 0xF9, 0x6C, 0xC6, 0x45,
    		0xFA, 0x64, 0xC6, 0x45, 0xFB, 0x21,
    		0xC6, 0x45, 0xFC, 0x0A, 0xC6, 0x45,
    		0xFD, 0x00, 0x8D, 0x45, 0xF0, 0x50,
    		0xFF, 0x55, 0x08, 0x83, 0xC4, 0x04,
    		0x8B, 0xE5, 0x5D, 0xC3, 0x00, 0x00,
    	};
    
    	/* The array lives on the stack, which DEP maps non-executable; this makes
    	   the whole page containing it RWX so the call below is allowed. */
    	DWORD old;
    	if (!VirtualProtect ((LPVOID) mystery,
    		sizeof (mystery),
    		PAGE_EXECUTE_READWRITE, &old))
    		return 1;
    
    	/* Jump into the bytes, handing them printf to call. */
    	((Mystery) mystery) (printf);
    	return 0;
    }
    Code:
    /* The C source the bytes above were assembled from (32-bit build, cdecl). */
    void Mystery (PRINTF p)
    {
    	const char text[] =
    	{
    		'H', 'e', 'l', 'l', 'o', ' ',
    		'W', 'o', 'r', 'l', 'd', '!',
    		'\n', '\0',
    	};
    
    	p (text);
    }
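
The same mechanism as the listing above, as an added example that is not part of the original post: the bytes are copied into a page mapped read-write, the page is flipped to read-execute only after the copy (it is never writable and executable at once, unlike the VirtualProtect call on the stack array above), and the result is called through a function pointer. It assumes Linux on x86-64 or aarch64 and uses a constructed four- or eight-byte `add(a, b)` routine instead of the Hello World bytes; on Windows the same sequence is VirtualAlloc with PAGE_READWRITE followed by VirtualProtect to PAGE_EXECUTE_READ.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>

/* Pre-assembled bytes for `int add(int a, int b)` in the host calling convention.
 * Constructed for this example; verify them with a disassembler before trusting them. */
#if defined(__x86_64__)
/* System V AMD64: a in edi, b in esi, result in eax */
static const unsigned char add_code[] = { 0x8D, 0x04, 0x37, 0xC3 };   /* lea eax,[rdi+rsi]; ret */
#elif defined(__aarch64__)
/* AAPCS64: a in w0, b in w1, result in w0 */
static const unsigned char add_code[] = { 0x00, 0x00, 0x01, 0x0B,     /* add w0, w0, w1 */
                                          0xC0, 0x03, 0x5F, 0xD6 };   /* ret */
#else
#error "no pre-assembled bytes for this architecture"
#endif

typedef int (*add_fn)(int, int);

/* Map a page writable, copy the bytes in, then flip it to read+execute.
 * The page is never writable and executable at the same time (W^X). */
static void *load_code(const unsigned char *code, size_t len)
{
    void *mem = mmap(NULL, len, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return NULL;
    memcpy(mem, code, len);
    if (mprotect(mem, len, PROT_READ | PROT_EXEC) != 0) {
        munmap(mem, len);
        return NULL;
    }
    /* Needed on ARM so the core does not fetch stale cache lines; a no-op on x86. */
    __builtin___clear_cache((char *)mem, (char *)mem + len);
    return mem;
}

/* Runs the generated function. Returns 0 and stores a+b in *out, or -1 if mapping failed. */
int run_dynamic_add(int a, int b, int *out)
{
    void *mem = load_code(add_code, sizeof add_code);
    if (mem == NULL) return -1;
    add_fn f;
    memcpy(&f, &mem, sizeof f);   /* object-to-function pointer conversion without a cast */
    *out = f(a, b);
    munmap(mem, sizeof add_code);  /* the kernel rounds the length up to whole pages */
    return 0;
}
```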

  2. #2 bestBotter (Member)
    Thanks for sharing, it's a nice post man!

  3. #3 nrgetikz (Member)
    I use the library AsmJit to implement JIT compilation or generate functions at runtime (https://github.com/kobalicek/asmjit). Comes in handy when you don't want to pre-generate the shell code.

    Code:
      // asmjit API as of 2015 (the version linked above); later releases renamed these types.
      #include <asmjit/asmjit.h>
      #include <stdio.h>
      using namespace asmjit;
    
      int main(int argc, char* argv[])
      {
        // Create JitRuntime and X86 Compiler.
        JitRuntime runtime;
        X86Compiler c(&runtime);
    
        // Build function having two arguments and a return value of type 'int'.
        // First type in function builder describes the return value. kFuncConvHost
        // tells compiler to use a host calling convention.
        c.addFunc(kFuncConvHost, FuncBuilder2<int, int, int>());
    
        // Create 32-bit variables (virtual registers) and assign some names to
        // them. Using names is purely optional and only greatly helps while
        // debugging.
        X86GpVar a(c, kVarTypeInt32, "a");
        X86GpVar b(c, kVarTypeInt32, "b");
    
        // Tell asmjit to use these variables as function arguments.
        c.setArg(0, a);
        c.setArg(1, b);
    
        // a = a + b;
        c.add(a, b);
    
        // Tell asmjit to return 'a'.
        c.ret(a);
    
        // Finalize the current function.
        c.endFunc();
    
        // Now the Compiler contains the whole function, but the code is not yet
        // generated. To tell compiler to generate the function make() has to be
        // called.
    
        // Make uses the JitRuntime passed to Compiler constructor to allocate a
        // buffer for the function and make it executable.
        void* funcPtr = c.make();
    
        // In order to run 'funcPtr' it has to be casted to the desired type.
        // Typedef is a recommended and safe way to create a function-type.
        typedef int (*FuncType)(int, int);
    
        // Using asmjit_cast is purely optional, it's basically a C-style cast
        // that tries to make it visible that a function-type is returned.
        FuncType func = asmjit_cast<FuncType>(funcPtr);
    
        // Finally, run it and do something with the result...
        int x = func(1, 2);
        printf("x=%d\n", x); // Outputs "x=3".
    
        // The function will remain in memory after Compiler is destroyed, but
        // will be destroyed together with Runtime. This is just simple example
        // where we can just destroy both at the end of the scope and that's it.
        // However, it's a good practice to clean-up resources after they are
        // not needed and using runtime.release() is the preferred way to free
        // a function added to JitRuntime.
        runtime.release((void*)func);
    
        // Runtime and Compiler will be destroyed at the end of the scope.
        return 0;
      }

  4. #4 Torpedoes (Elder, Doomsayer)
    Originally Posted by nrgetikz:
    > I use the library AsmJit to implement JIT compilation or generate functions at runtime (https://github.com/kobalicek/asmjit). Comes in handy when you don't want to pre-generate the shell code.
    
    Yep, I heard about AsmJIT before, I only wish I had a project that could make use of it. The whole technique is quite amazing.
