Windows API one-day training (84) flushinstructioncache Function

Windows API one-day training (84) flushinstructioncache Function

General programs are compiled before running, so there are few opportunities to modify commands, but there are a lot of use in the anti-validation solution of the software. After modifying the command, how can I let the CPU execute the new command? In this way, you need to use the flushinstructioncache function to overwrite the data in the cache to the main memory, so that the CPU can reload new commands to execute new commands. Next we will learn how to use this function to jump to a static function for execution, rather than directly calling this function.

The flushinstructioncache function declaration is as follows:

Winbaseapi
Bool
Winapi
Flushinstructioncache (
_ In handle hprocess,
_ In_bcount_opt (dwsize) lpcvoid lpbaseaddress,
_ In size_t dwsize
);
Hprocess is the process handle.
Lpbaseaddress is the start address of the memory to be synchronized.
Dwsize is the size of the memory to be synchronized.

An example of calling a function is as follows:
#001 // declare the function type.
#002 typedef void (* testfun) (void );
#003
#004 // define the structure of the modified Code.
#005 # pragma pack (push, 1)
#006 struct thunkcode
#007 {
#008 byte m_jmp; // JMP testfun, jump command.
#009 DWORD m_relproc; // relative JMP, relative jump position.
#010 };
#011 # pragma pack (POP)
#012
#013 // test the dynamic modification of instruction data in the memory.
#014 // Cai junsheng 2007/12/06 QQ: 9073204 Shenzhen
#015 class cflush
#016 {
#017 public:
#018 // Save the memory for dynamically modifying the code.
#019 thunkcode m_thunk;
#020
#021 // initialize the jump code.
#022 void Init (testfun pfun, void * pthis)
#023 {
#024 // set the jump pointer.
#025 m_thunk.m_jmp = 0xe9;
#026
#027 // set the relative address of the jump.
#028 m_thunk.m_relproc = (INT) pfun-(INT) This + sizeof (m_thunk ));
#029
#030 // write the buffer data in the CPU to the master memory.
#031 flushinstructioncache (getcurrentprocess (),
#032 & m_thunk, sizeof (m_thunk ));
#033}
#034
#035 // real-run function.
#036 static void testfun (void)
#037 {
#038 outputdebugstring (_ T ("cflush dynamic modification code run/R/N "));
#039}
#040
#041 };
#042

This class is called as follows:
#001 // test run.
#002 cflush flushtest;
#003
#004 flushtest. INIT (flushtest. testfun, & flushtest );
#005 testfun ptestfun = (testfun) & (flushtest. m_thunk );
#006 ptestfun ();