How can I inject 32-bit CodeCave into a 64-bit application?

Question

How can I inject 32-bit CodeCave into a 64-bit application?

I've seen some implementations like this:

App.exe+CA5F6 - 4C 89 15 D37D5B01     - mov [App.exe+16823D0],r10
App.exe+CA5FD - E9 FE59CA82           - jmp 7FF748DA0000
App.exe+CA602 - 90                    - nop 
App.exe+CA603 - 90                    - nop 
App.exe+CA604 - 4C 03 C1              - add r8,rcx

Then I follow this address and see this:

7FF748D9FFFF -                       - ?? 
7FF748DA0000 - FF25 00000000 00001A0500000000 - jmp 051A0000
7FF748DA000E - 00 00                 - add [rax],al

I follow this address:

051A0000 - 50                    - push rax
051A0001 - 53                    - push rbx
051A0002 - 52                    - push rdx
051A0003 - 4D 63 82 94000000     - movsxd  r8,dword ptr [r10+00000094]

How did he do it? How should I implement this in C#?

I can inject CodeCave, but if the application is 64-bit then it will always refer to a 64-bit address, how can I inject CodeCave so it will refer to a 32-bit address?

Answer 1

.NET MSIL is bitness agnostic. The same MSIL can be run as x32 or x64. Or even x128 or x16 if we ever get a runtime for those binarities.

Non .NET/native is generally designed for a very specific binarity. You got two ways to deal with the inevitable conflicts:

1. Yet set the CPU Target of the .NEt Programm to allow only x32 or x64 execution for your MSIL. Note that generally x64 is prefereable whenever availible and x32 should not be used anymore for the whole process. Also you may have to deal with one code that needs x32 and one that needs x64.
2. You wrap the code that has the "wrong" binarity into a helper process. Your main process and the helper talk via any of the IPC approaches - you get to "pick your poison" here. That way the code can run as it is designed, while your process is not tied to it's binarity.