/// <summary> /// Program entry point. /// </summary> /// <param name="args">Command line arguments.</param> static void Main(string[] args) { Span <byte> asm = stackalloc byte[10] { 0x65, 0x48, 0x8B, 0x04, 0x25, 0x60, 0x00, 0x00, 0x00, // MOV RAX, GS:[0x60] 0xC3 // RET }; IntPtr PEBAddressPtr = IntPtr.Zero; lock (Mutex) { using MemoryMappedFile MemoryMap = MemoryMappedFile.CreateNew(null, asm.Length, MemoryMappedFileAccess.ReadWriteExecute); MemoryMappedViewAccessor MemoryMapAccessor = MemoryMap.CreateViewAccessor(0, asm.Length, MemoryMappedFileAccess.ReadWriteExecute); // Get address of the memory region IntPtr RWXRegionAddressPtr = MemoryMapAccessor.SafeMemoryMappedViewHandle.DangerousGetHandle(); Debug.Assert(RWXRegionAddressPtr != IntPtr.Zero, "[-] Error while retrieving the address of the RWX memory region."); // Inject code Marshal.Copy(asm.ToArray(), 0, RWXRegionAddressPtr, asm.Length); Debug.Assert(Marshal.ReadByte(RWXRegionAddressPtr, 0) == 0x65, "[-] Error while injecting code."); Debug.Assert(Marshal.ReadByte(RWXRegionAddressPtr, 9) == 0xC3, "[-] Error while injecting code."); // Get delegate GetPEBDelegate GetPEB = Marshal.GetDelegateForFunctionPointer <GetPEBDelegate>(RWXRegionAddressPtr); PEBAddressPtr = GetPEB(); Debug.Assert(PEBAddressPtr != IntPtr.Zero, "[-] Error while retrieving the address of the PEB structure."); } // Pull the structure out of memory PEB _PEB = Marshal.PtrToStructure <PEB>(PEBAddressPtr); Debug.Assert(_PEB.Equals(default(PEB)), "[-] Error while pulling out the structure from memory"); } }
/// <summary> /// Program entry point. /// </summary> /// <param name="args">Command line arguments.</param> static void Main(string[] args) { Span <byte> asm = stackalloc byte[10] { 0x65, 0x48, 0x8B, 0x04, 0x25, 0x60, 0x00, 0x00, 0x00, // MOV RAX, GS:[0x60] 0xC3 // RET }; // Allocate memory IntPtr lpAddress = VirtualAlloc(IntPtr.Zero, asm.Length, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); Debug.Assert(lpAddress != IntPtr.Zero, "[-] Error while allocating memory: kernl32!VirtualAlloc."); // Write asm in memory Marshal.Copy(asm.ToArray(), 0, lpAddress, asm.Length); // Change memory permissions Int32 lpflOldProtect = 0; bool success = VirtualProtect(lpAddress, asm.Length, PAGE_EXECUTE_READ, ref lpflOldProtect); Debug.Assert(success || lpflOldProtect == 4, "[-] Error while changing the memory permissions of the allocation memory."); // Create delegate GetPEBDelegate GetPEB = Marshal.GetDelegateForFunctionPointer <GetPEBDelegate>(lpAddress); IntPtr PEBAddressPtr = GetPEB(); Debug.Assert(PEBAddressPtr != IntPtr.Zero, "[-] Error while retrieving the address of the PEB structure."); // Pull the structure out of memory PEB _PEB = Marshal.PtrToStructure <PEB>(PEBAddressPtr); Debug.Assert(_PEB.Equals(default(PEB)), "[-] Error while pulling out the structure from memory"); } }
/// <summary> /// Program entry point. /// </summary> /// <param name="args">Command line arguments.</param> static void Main(string[] args) { // Find the method MethodInfo method = typeof(JITCompilation.Program).GetMethod(nameof(JITCompilation.Program.Stub), BindingFlags.NonPublic | BindingFlags.Static); Debug.Assert(method != null, "[-] Can't find the method to JIT compile."); // JIT compile the method IntPtr ManagedMethodPtr = method.MethodHandle.GetFunctionPointer(); if (Util.IsByteCallProcedure(ManagedMethodPtr)) { RuntimeHelpers.PrepareMethod(method.MethodHandle); Debug.Assert(Util.IsByteJmpProcedure(ManagedMethodPtr), "[-] Error while JIT compiling the method."); } // Get the address of the un-managed function UInt64 offset = (UInt64)ManagedMethodPtr - (UInt64)Marshal.ReadInt32(ManagedMethodPtr, 1); while (offset % 16 != 0) { offset++; } IntPtr UnmanagedMethodPtr = (IntPtr)offset; Debug.Assert(UnmanagedMethodPtr != IntPtr.Zero, "[-] Error while retrieving address of the un-managed method."); // Inject and execute the code IntPtr PEBAddressPtr = IntPtr.Zero; lock (Mutex) { Span <byte> asm = stackalloc byte[10] { 0x65, 0x48, 0x8B, 0x04, 0x25, 0x60, 0x00, 0x00, 0x00, // MOV RAX, GS:[0x60] 0xC3 // RET }; Marshal.Copy(asm.ToArray(), 0, UnmanagedMethodPtr, asm.Length); Debug.Assert(Marshal.ReadByte(UnmanagedMethodPtr, 0) == 0x65, "[-] Error while overwriting un-managed method code."); Debug.Assert(Marshal.ReadByte(UnmanagedMethodPtr, 9) == 0xC3, "[-] Error while overwriting un-managed method code."); GetPEBDelegate GetPEB = Marshal.GetDelegateForFunctionPointer <GetPEBDelegate>(UnmanagedMethodPtr); PEBAddressPtr = GetPEB(); Debug.Assert(PEBAddressPtr != IntPtr.Zero, "[-] Error while retrieving the address of the PEB structure."); }; // Pull the structure out of memory PEB _PEB = Marshal.PtrToStructure <PEB>(PEBAddressPtr); Debug.Assert(_PEB.Equals(default(PEB)), "[-] Error while pulling out the structure from memory"); }