afish/ByteToFunc.cs Secret

## ByteToFunc.cs
// Created by Adam Furmanek

using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;

namespace ByteToFunc
{
    // Flags for VirtualProtect method
    public enum Protection
    {
        PAGE_NOACCESS = 0x01,
        PAGE_READONLY = 0x02,
        PAGE_READWRITE = 0x04,
        PAGE_WRITECOPY = 0x08,
        PAGE_EXECUTE = 0x10,
        PAGE_EXECUTE_READ = 0x20,
        PAGE_EXECUTE_READWRITE = 0x40,
        PAGE_EXECUTE_WRITECOPY = 0x80,
        PAGE_GUARD = 0x100,
        PAGE_NOCACHE = 0x200,
        PAGE_WRITECOMBINE = 0x400
    }

    // Base type for stubbing to have runtime type checking
    public class BaseStub
    {
        public int Target;
    }

    public class FuncGenerator
    {
        // Method to unlock page for executing
        [DllImport("kernel32.dll", SetLastError = true)]
        static extern bool VirtualProtect(IntPtr lpAddress, uint dwSize, uint flNewProtect, out uint lpflOldProtect);

        // Unlocks page for executing
        private static void UnlockPage(int address)
        {
            uint old;
            VirtualProtect((IntPtr)address, 6, (uint)Protection.PAGE_EXECUTE_READWRITE, out old);
        }

        // Some internal storage for pinning
        private static IList<object> memory = new List<object>();
        private static IList<GCHandle> handles = new List<GCHandle>();

        // Pins array with code and returns address to the beginning of the array
        private static IntPtr Pin(object data)
        {
            memory.Add(data);
            var handle = GCHandle.Alloc(data);
            handles.Add(handle);

            return Marshal.ReadIntPtr(GCHandle.ToIntPtr(handle));
        }

        // Returns delegate of type T using class U for stubbing
        public static T Generate<T, U>(byte[] data) where U : BaseStub, new()
        {
            // Address of machine code in array
            // We omit first 8 bytes (array type and size)
            var arrayCodeAddress = ((int)Pin(data)) + 8;
            Console.WriteLine("Machine code in array address: " + arrayCodeAddress.ToString("X"));

            // Unlock page so we can execute code from it
            UnlockPage(arrayCodeAddress);

            // Fixing code of stub method Stub
            // Target points to the actual place with the code
            var oldTarget = new U {
                Target = arrayCodeAddress
            };
            var emitDelegate = Delegate.CreateDelegate(typeof(T), oldTarget, "Stub");

            var stubMethodHandle = typeof(U).GetMethod("Stub").MethodHandle;
            RuntimeHelpers.PrepareMethod(stubMethodHandle);
            var stubCodeAddress = stubMethodHandle.GetFunctionPointer();
            Console.WriteLine("Stub address: " + stubCodeAddress.ToString("X"));

            // Modifies stub method to do the absolute jump
            Marshal.WriteInt32(stubCodeAddress, unchecked((int)0xc30471ff)); // push dword ptr [ecx+4] ; retn

            // Returns delegate of correct type so we have runtime type checking
            return (T)(object)emitDelegate;
        }
    }

    // Stub for Action<int>
    // Each stub must have a non-static method called Stub with correct signature and at least 4 bytes of body
    public class ActionInt : BaseStub
    {
        public void Stub(int x)
        {
            Console.WriteLine("Original action stub");
        }
    }

    // Stub for Func<int, int>
    public class FuncInt : BaseStub
    {
        public int Stub(int x)
        {
            Console.WriteLine("Original func stub");
            return 0;
        }
    }

    public class Program
    {
        // Helper method just to show jumping
        public void MyWriteLine(int text)
        {
            // Type is ByteToFunc.ActionInt because we are jumping around in the code!
            Console.WriteLine("I'm in the MyWriteLine! And I am:\t\t" + GetType());
            Console.WriteLine(text);
            Console.WriteLine();
        }

        static void ActionTest()
        {
            var methodHandle = typeof(Program).GetMethod(nameof(Program.MyWriteLine), BindingFlags.Public | BindingFlags.Instance).MethodHandle;
            RuntimeHelpers.PrepareMethod(methodHandle);
            var methodAddress = methodHandle.GetFunctionPointer();
            Console.WriteLine("MyWriteLine address: " + methodAddress.ToString("X"));
            var address = BitConverter.GetBytes((int)methodAddress).ToArray();

            // Should jump to MyWriteLine and do some job
            Action<int> function = FuncGenerator.Generate<Action<int>, ActionInt>(
                new byte[]{
                    0x68, // push
                }
                .Concat(address)
                .Concat(new byte[]
                {
                    0xC3 //retn
                }).ToArray()
            );

            function(5);
        }

        static void FuncTest()
        {
            Func<int, int> function = FuncGenerator.Generate<Func<int, int>, FuncInt>(
                new byte[]{
                    0x89, 0xD0,         // mov eax, edx
                    0x83, 0xC0, 0x04,   // add eax, 4
                    0xc3                // retn
                }
            );

            // Should print 23 + 4 == 27
            Console.WriteLine(function(23));
        }

        static void Main(string[] args)
        {
            ActionTest();
            FuncTest();
            // To figure out machine code you can use this: https://defuse.ca/online-x86-assembler.htm
        }
    }
}
	// Created by Adam Furmanek

	using System;
	using System.Collections.Generic;
	using System.Linq;
	using System.Reflection;
	using System.Runtime.CompilerServices;
	using System.Runtime.InteropServices;

	namespace ByteToFunc
	{
	// Flags for VirtualProtect method
	public enum Protection
	{
	PAGE_NOACCESS = 0x01,
	PAGE_READONLY = 0x02,
	PAGE_READWRITE = 0x04,
	PAGE_WRITECOPY = 0x08,
	PAGE_EXECUTE = 0x10,
	PAGE_EXECUTE_READ = 0x20,
	PAGE_EXECUTE_READWRITE = 0x40,
	PAGE_EXECUTE_WRITECOPY = 0x80,
	PAGE_GUARD = 0x100,
	PAGE_NOCACHE = 0x200,
	PAGE_WRITECOMBINE = 0x400
	}

	// Base type for stubbing to have runtime type checking
	public class BaseStub
	{
	public int Target;
	}

	public class FuncGenerator
	{
	// Method to unlock page for executing
	[DllImport("kernel32.dll", SetLastError = true)]
	static extern bool VirtualProtect(IntPtr lpAddress, uint dwSize, uint flNewProtect, out uint lpflOldProtect);

	// Unlocks page for executing
	private static void UnlockPage(int address)
	{
	uint old;
	VirtualProtect((IntPtr)address, 6, (uint)Protection.PAGE_EXECUTE_READWRITE, out old);
	}

	// Some internal storage for pinning
	private static IList<object> memory = new List<object>();
	private static IList<GCHandle> handles = new List<GCHandle>();

	// Pins array with code and returns address to the beginning of the array
	private static IntPtr Pin(object data)
	{
	memory.Add(data);
	var handle = GCHandle.Alloc(data);
	handles.Add(handle);

	return Marshal.ReadIntPtr(GCHandle.ToIntPtr(handle));
	}

	// Returns delegate of type T using class U for stubbing
	public static T Generate<T, U>(byte[] data) where U : BaseStub, new()
	{
	// Address of machine code in array
	// We omit first 8 bytes (array type and size)
	var arrayCodeAddress = ((int)Pin(data)) + 8;
	Console.WriteLine("Machine code in array address: " + arrayCodeAddress.ToString("X"));

	// Unlock page so we can execute code from it
	UnlockPage(arrayCodeAddress);

	// Fixing code of stub method Stub
	// Target points to the actual place with the code
	var oldTarget = new U {
	Target = arrayCodeAddress
	};
	var emitDelegate = Delegate.CreateDelegate(typeof(T), oldTarget, "Stub");

	var stubMethodHandle = typeof(U).GetMethod("Stub").MethodHandle;
	RuntimeHelpers.PrepareMethod(stubMethodHandle);
	var stubCodeAddress = stubMethodHandle.GetFunctionPointer();
	Console.WriteLine("Stub address: " + stubCodeAddress.ToString("X"));

	// Modifies stub method to do the absolute jump
	Marshal.WriteInt32(stubCodeAddress, unchecked((int)0xc30471ff)); // push dword ptr [ecx+4] ; retn

	// Returns delegate of correct type so we have runtime type checking
	return (T)(object)emitDelegate;
	}
	}

	// Stub for Action<int>
	// Each stub must have a non-static method called Stub with correct signature and at least 4 bytes of body
	public class ActionInt : BaseStub
	{
	public void Stub(int x)
	{
	Console.WriteLine("Original action stub");
	}
	}

	// Stub for Func<int, int>
	public class FuncInt : BaseStub
	{
	public int Stub(int x)
	{
	Console.WriteLine("Original func stub");
	return 0;
	}
	}

	public class Program
	{
	// Helper method just to show jumping
	public void MyWriteLine(int text)
	{
	// Type is ByteToFunc.ActionInt because we are jumping around in the code!
	Console.WriteLine("I'm in the MyWriteLine! And I am:\t\t" + GetType());
	Console.WriteLine(text);
	Console.WriteLine();
	}

	static void ActionTest()
	{
	var methodHandle = typeof(Program).GetMethod(nameof(Program.MyWriteLine), BindingFlags.Public \| BindingFlags.Instance).MethodHandle;
	RuntimeHelpers.PrepareMethod(methodHandle);
	var methodAddress = methodHandle.GetFunctionPointer();
	Console.WriteLine("MyWriteLine address: " + methodAddress.ToString("X"));
	var address = BitConverter.GetBytes((int)methodAddress).ToArray();

	// Should jump to MyWriteLine and do some job
	Action<int> function = FuncGenerator.Generate<Action<int>, ActionInt>(
	new byte[]{
	0x68, // push
	}
	.Concat(address)
	.Concat(new byte[]
	{
	0xC3 //retn
	}).ToArray()
	);

	function(5);
	}

	static void FuncTest()
	{
	Func<int, int> function = FuncGenerator.Generate<Func<int, int>, FuncInt>(
	new byte[]{
	0x89, 0xD0, // mov eax, edx
	0x83, 0xC0, 0x04, // add eax, 4
	0xc3 // retn
	}
	);

	// Should print 23 + 4 == 27
	Console.WriteLine(function(23));
	}

	static void Main(string[] args)
	{
	ActionTest();
	FuncTest();
	// To figure out machine code you can use this: https://defuse.ca/online-x86-assembler.htm
	}
	}
	}