C# (CSharp) AgentCore.Execution.Native.IO_STATUS_BLOCK Examples

Programming Language: C# (CSharp)

Class/Type: AgentCore.Execution.Native.IO_STATUS_BLOCK

Examples at hotexamples.com: 2

C# (CSharp) AgentCore.Execution.Native.IO_STATUS_BLOCK - 2 examples found. These are the top rated real world C# (CSharp) examples of AgentCore.Execution.Native.IO_STATUS_BLOCK extracted from open source projects. You can rate examples to help us improve the quality of examples.

Example #1

Show file

File: Map.cs Project: z3r0p3N/SharpC2

        /// <summary>
        /// Maps a DLL from disk into a Section using NtCreateSection.
        /// </summary>
        /// <author>The Wover (@TheRealWover), Ruben Boonen (@FuzzySec)</author>
        /// <param name="DLLPath">Full path fo the DLL on disk.</param>
        /// <returns>PE.PE_MANUAL_MAP</returns>
        public static PE.PE_MANUAL_MAP MapModuleFromDisk(string DLLPath)
        {
            // Check file exists
            if (!File.Exists(DLLPath))
            {
                throw new InvalidOperationException("Filepath not found.");
            }

            // Open file handle
            Execute.Native.UNICODE_STRING ObjectName = new Execute.Native.UNICODE_STRING();
            DynamicInvoke.Native.RtlInitUnicodeString(ref ObjectName, (@"\??\" + DLLPath));
            IntPtr pObjectName = Marshal.AllocHGlobal(Marshal.SizeOf(ObjectName));

            Marshal.StructureToPtr(ObjectName, pObjectName, true);

            Execute.Native.OBJECT_ATTRIBUTES objectAttributes = new Execute.Native.OBJECT_ATTRIBUTES();
            objectAttributes.Length     = Marshal.SizeOf(objectAttributes);
            objectAttributes.ObjectName = pObjectName;
            objectAttributes.Attributes = 0x40; // OBJ_CASE_INSENSITIVE

            Execute.Native.IO_STATUS_BLOCK ioStatusBlock = new Execute.Native.IO_STATUS_BLOCK();

            IntPtr hFile = IntPtr.Zero;

            DynamicInvoke.Native.NtOpenFile(
                ref hFile,
                Execute.Win32.Kernel32.FileAccessFlags.FILE_READ_DATA |
                Execute.Win32.Kernel32.FileAccessFlags.FILE_EXECUTE |
                Execute.Win32.Kernel32.FileAccessFlags.FILE_READ_ATTRIBUTES |
                Execute.Win32.Kernel32.FileAccessFlags.SYNCHRONIZE,
                ref objectAttributes, ref ioStatusBlock,
                Execute.Win32.Kernel32.FileShareFlags.FILE_SHARE_READ |
                Execute.Win32.Kernel32.FileShareFlags.FILE_SHARE_DELETE,
                Execute.Win32.Kernel32.FileOpenFlags.FILE_SYNCHRONOUS_IO_NONALERT |
                Execute.Win32.Kernel32.FileOpenFlags.FILE_NON_DIRECTORY_FILE
                );

            // Create section from hFile
            IntPtr hSection = IntPtr.Zero;
            ulong  MaxSize  = 0;

            Execute.Native.NTSTATUS ret = DynamicInvoke.Native.NtCreateSection(
                ref hSection,
                (UInt32)Execute.Win32.WinNT.ACCESS_MASK.SECTION_ALL_ACCESS,
                IntPtr.Zero,
                ref MaxSize,
                Execute.Win32.WinNT.PAGE_READONLY,
                Execute.Win32.WinNT.SEC_IMAGE,
                hFile
                );

            // Map view of file
            IntPtr pBaseAddress = IntPtr.Zero;

            DynamicInvoke.Native.NtMapViewOfSection(
                hSection, (IntPtr)(-1), ref pBaseAddress,
                IntPtr.Zero, IntPtr.Zero, IntPtr.Zero,
                ref MaxSize, 0x2, 0x0,
                Execute.Win32.WinNT.PAGE_READWRITE
                );

            // Prepare return object
            PE.PE_MANUAL_MAP SecMapObject = new PE.PE_MANUAL_MAP
            {
                PEINFO     = DynamicInvoke.Generic.GetPeMetaData(pBaseAddress),
                ModuleBase = pBaseAddress
            };

            return(SecMapObject);
        }

Example #2

Show file

File: Native.cs Project: z3r0p3N/SharpC2

        public static IntPtr NtOpenFile(ref IntPtr FileHandle, Execute.Win32.Kernel32.FileAccessFlags DesiredAccess, ref Execute.Native.OBJECT_ATTRIBUTES ObjAttr, ref Execute.Native.IO_STATUS_BLOCK IoStatusBlock, Execute.Win32.Kernel32.FileShareFlags ShareAccess, Execute.Win32.Kernel32.FileOpenFlags OpenOptions)
        {
            // Craft an array for the arguments
            object[] funcargs =
            {
                FileHandle, DesiredAccess, ObjAttr, IoStatusBlock, ShareAccess, OpenOptions
            };

            Execute.Native.NTSTATUS retValue = (Execute.Native.NTSTATUS)Generic.DynamicAPIInvoke(@"ntdll.dll", @"NtOpenFile", typeof(DELEGATES.NtOpenFile), ref funcargs);
            if (retValue != Execute.Native.NTSTATUS.Success)
            {
                throw new InvalidOperationException("Failed to open file, " + retValue);
            }


            FileHandle = (IntPtr)funcargs[0];
            return(FileHandle);
        }