/// <summary>
/// Program entry point.
/// </summary>
/// <param name="args">Command line arguments.</param>
static void Main(string[] args)
{
Span <byte> asm = stackalloc byte[10] {
0x65, 0x48, 0x8B, 0x04, 0x25, 0x60, 0x00, 0x00, 0x00, // MOV RAX, GS:[0x60]
0xC3 // RET
};
IntPtr PEBAddressPtr = IntPtr.Zero;
lock (Mutex) {
using MemoryMappedFile MemoryMap = MemoryMappedFile.CreateNew(null, asm.Length, MemoryMappedFileAccess.ReadWriteExecute);
MemoryMappedViewAccessor MemoryMapAccessor = MemoryMap.CreateViewAccessor(0, asm.Length, MemoryMappedFileAccess.ReadWriteExecute);
// Get address of the memory region
IntPtr RWXRegionAddressPtr = MemoryMapAccessor.SafeMemoryMappedViewHandle.DangerousGetHandle();
Debug.Assert(RWXRegionAddressPtr != IntPtr.Zero, "[-] Error while retrieving the address of the RWX memory region.");
// Inject code
Marshal.Copy(asm.ToArray(), 0, RWXRegionAddressPtr, asm.Length);
Debug.Assert(Marshal.ReadByte(RWXRegionAddressPtr, 0) == 0x65, "[-] Error while injecting code.");
Debug.Assert(Marshal.ReadByte(RWXRegionAddressPtr, 9) == 0xC3, "[-] Error while injecting code.");
// Get delegate
GetPEBDelegate GetPEB = Marshal.GetDelegateForFunctionPointer <GetPEBDelegate>(RWXRegionAddressPtr);
PEBAddressPtr = GetPEB();
Debug.Assert(PEBAddressPtr != IntPtr.Zero, "[-] Error while retrieving the address of the PEB structure.");
}
// Pull the structure out of memory
PEB _PEB = Marshal.PtrToStructure <PEB>(PEBAddressPtr);
Debug.Assert(_PEB.Equals(default(PEB)), "[-] Error while pulling out the structure from memory");
}
}
/// <summary>
/// Program entry point.
/// </summary>
/// <param name="args">Command line arguments.</param>
static void Main(string[] args)
{
Span <byte> asm = stackalloc byte[10] {
0x65, 0x48, 0x8B, 0x04, 0x25, 0x60, 0x00, 0x00, 0x00, // MOV RAX, GS:[0x60]
0xC3 // RET
};
// Allocate memory
IntPtr lpAddress = VirtualAlloc(IntPtr.Zero, asm.Length, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
Debug.Assert(lpAddress != IntPtr.Zero, "[-] Error while allocating memory: kernl32!VirtualAlloc.");
// Write asm in memory
Marshal.Copy(asm.ToArray(), 0, lpAddress, asm.Length);
// Change memory permissions
Int32 lpflOldProtect = 0;
bool success = VirtualProtect(lpAddress, asm.Length, PAGE_EXECUTE_READ, ref lpflOldProtect);
Debug.Assert(success || lpflOldProtect == 4, "[-] Error while changing the memory permissions of the allocation memory.");
// Create delegate
GetPEBDelegate GetPEB = Marshal.GetDelegateForFunctionPointer <GetPEBDelegate>(lpAddress);
IntPtr PEBAddressPtr = GetPEB();
Debug.Assert(PEBAddressPtr != IntPtr.Zero, "[-] Error while retrieving the address of the PEB structure.");
// Pull the structure out of memory
PEB _PEB = Marshal.PtrToStructure <PEB>(PEBAddressPtr);
Debug.Assert(_PEB.Equals(default(PEB)), "[-] Error while pulling out the structure from memory");
}
}
/// <summary>
/// Program entry point.
/// </summary>
/// <param name="args">Command line arguments.</param>
static void Main(string[] args)
{
// Find the method
MethodInfo method = typeof(JITCompilation.Program).GetMethod(nameof(JITCompilation.Program.Stub), BindingFlags.NonPublic | BindingFlags.Static);
Debug.Assert(method != null, "[-] Can't find the method to JIT compile.");
// JIT compile the method
IntPtr ManagedMethodPtr = method.MethodHandle.GetFunctionPointer();
if (Util.IsByteCallProcedure(ManagedMethodPtr))
{
RuntimeHelpers.PrepareMethod(method.MethodHandle);
Debug.Assert(Util.IsByteJmpProcedure(ManagedMethodPtr), "[-] Error while JIT compiling the method.");
}
// Get the address of the un-managed function
UInt64 offset = (UInt64)ManagedMethodPtr - (UInt64)Marshal.ReadInt32(ManagedMethodPtr, 1);
while (offset % 16 != 0)
{
offset++;
}
IntPtr UnmanagedMethodPtr = (IntPtr)offset;
Debug.Assert(UnmanagedMethodPtr != IntPtr.Zero, "[-] Error while retrieving address of the un-managed method.");
// Inject and execute the code
IntPtr PEBAddressPtr = IntPtr.Zero;
lock (Mutex) {
Span <byte> asm = stackalloc byte[10] {
0x65, 0x48, 0x8B, 0x04, 0x25, 0x60, 0x00, 0x00, 0x00, // MOV RAX, GS:[0x60]
0xC3 // RET
};
Marshal.Copy(asm.ToArray(), 0, UnmanagedMethodPtr, asm.Length);
Debug.Assert(Marshal.ReadByte(UnmanagedMethodPtr, 0) == 0x65, "[-] Error while overwriting un-managed method code.");
Debug.Assert(Marshal.ReadByte(UnmanagedMethodPtr, 9) == 0xC3, "[-] Error while overwriting un-managed method code.");
GetPEBDelegate GetPEB = Marshal.GetDelegateForFunctionPointer <GetPEBDelegate>(UnmanagedMethodPtr);
PEBAddressPtr = GetPEB();
Debug.Assert(PEBAddressPtr != IntPtr.Zero, "[-] Error while retrieving the address of the PEB structure.");
};
// Pull the structure out of memory
PEB _PEB = Marshal.PtrToStructure <PEB>(PEBAddressPtr);
Debug.Assert(_PEB.Equals(default(PEB)), "[-] Error while pulling out the structure from memory");
}
