/// <summary>
/// Program entry point.
/// </summary>
/// <param name="args">Command line arguments.</param>
static void Main(string[] args)
{
Span <byte> asm = stackalloc byte[10] {
0x65, 0x48, 0x8B, 0x04, 0x25, 0x60, 0x00, 0x00, 0x00, // MOV RAX, GS:[0x60]
0xC3 // RET
};
IntPtr PEBAddressPtr = IntPtr.Zero;
lock (Mutex) {
using MemoryMappedFile MemoryMap = MemoryMappedFile.CreateNew(null, asm.Length, MemoryMappedFileAccess.ReadWriteExecute);
MemoryMappedViewAccessor MemoryMapAccessor = MemoryMap.CreateViewAccessor(0, asm.Length, MemoryMappedFileAccess.ReadWriteExecute);
// Get address of the memory region
IntPtr RWXRegionAddressPtr = MemoryMapAccessor.SafeMemoryMappedViewHandle.DangerousGetHandle();
Debug.Assert(RWXRegionAddressPtr != IntPtr.Zero, "[-] Error while retrieving the address of the RWX memory region.");
// Inject code
Marshal.Copy(asm.ToArray(), 0, RWXRegionAddressPtr, asm.Length);
Debug.Assert(Marshal.ReadByte(RWXRegionAddressPtr, 0) == 0x65, "[-] Error while injecting code.");
Debug.Assert(Marshal.ReadByte(RWXRegionAddressPtr, 9) == 0xC3, "[-] Error while injecting code.");
// Get delegate
GetPEBDelegate GetPEB = Marshal.GetDelegateForFunctionPointer <GetPEBDelegate>(RWXRegionAddressPtr);
PEBAddressPtr = GetPEB();
Debug.Assert(PEBAddressPtr != IntPtr.Zero, "[-] Error while retrieving the address of the PEB structure.");
}
// Pull the structure out of memory
PEB _PEB = Marshal.PtrToStructure <PEB>(PEBAddressPtr);
Debug.Assert(_PEB.Equals(default(PEB)), "[-] Error while pulling out the structure from memory");
}
}
/// <summary>
/// Program entry point.
/// </summary>
/// <param name="args">Command line arguments.</param>
static void Main(string[] args)
{
Span <byte> asm = stackalloc byte[10] {
0x65, 0x48, 0x8B, 0x04, 0x25, 0x60, 0x00, 0x00, 0x00, // MOV RAX, GS:[0x60]
0xC3 // RET
};
// Allocate memory
IntPtr lpAddress = VirtualAlloc(IntPtr.Zero, asm.Length, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
Debug.Assert(lpAddress != IntPtr.Zero, "[-] Error while allocating memory: kernl32!VirtualAlloc.");
// Write asm in memory
Marshal.Copy(asm.ToArray(), 0, lpAddress, asm.Length);
// Change memory permissions
Int32 lpflOldProtect = 0;
bool success = VirtualProtect(lpAddress, asm.Length, PAGE_EXECUTE_READ, ref lpflOldProtect);
Debug.Assert(success || lpflOldProtect == 4, "[-] Error while changing the memory permissions of the allocation memory.");
// Create delegate
GetPEBDelegate GetPEB = Marshal.GetDelegateForFunctionPointer <GetPEBDelegate>(lpAddress);
IntPtr PEBAddressPtr = GetPEB();
Debug.Assert(PEBAddressPtr != IntPtr.Zero, "[-] Error while retrieving the address of the PEB structure.");
// Pull the structure out of memory
PEB _PEB = Marshal.PtrToStructure <PEB>(PEBAddressPtr);
Debug.Assert(_PEB.Equals(default(PEB)), "[-] Error while pulling out the structure from memory");
}
}