I think MHS is a great tool, but there are some things that could use a little enhancement. For example the code injection:
Code:
004C3C12 | 89F2 | MOV EDX, ESI |
004C3C14 | C1FA 03 | SAR EDX, 3 |
004C3C17 | 89F1 | MOV ECX, ESI |
004C3C19 | 83E1 07 | AND ECX, 7 |
004C3C1C | B8 01000000 | MOV EAX, 1 |
004C3C21 | D3E0 | SHL EAX, CL |
004C3C23 | 08841A C8840200 | OR BYTE PTR [EDX+EBX+284C8], AL |
004C3C2A | 8B14B7 | MOV EDX, DWORD PTR [EDI+ESI*4] |
004C3C2D | A1 20732E02 | MOV EAX, DWORD PTR [22E7320] |
004C3C32 | 8994B0 E8840200 | MOV DWORD PTR [EAX+ESI*4+284E8], EDX | <-- Inject here
If I want to inject some code here, I usually replace the last line with a jump to a code cave. The instruction is 7 bytes long, so there is plenty of room for the jump. MHS replaces this line and NOPs out too many of the following instructions, which there is no need for.
Could you tweak MHS so it overwrites only as much as needed?