public static ulong GetKernelBase()
{
ulong buffer;
uint bufferSize = 2048;
buffer = (ulong)Marshal.AllocHGlobal((int)bufferSize);
uint status = NT.NtQuerySystemInformation(11 /*SystemModuleInformation*/, buffer, (uint)bufferSize, out bufferSize);
if (status == 0xC0000004L /*STATUS_INFO_LENGTH_MISMATCH*/)
{
Marshal.FreeHGlobal((IntPtr)buffer);
buffer = (ulong)Marshal.AllocHGlobal((int)bufferSize);
status = NT.NtQuerySystemInformation(11 /*SystemModuleInformation*/, buffer, (uint)bufferSize, out bufferSize);
}
if (status != 0)
{
throw new Exception("GetKernelBase Failed");
}
NT._RTL_PROCESS_MODULES *modulesPointer = (NT._RTL_PROCESS_MODULES *)buffer;
return((ulong)modulesPointer->Modules.ImageBase);
}
public rpn_inst(NT v)
{
m_cmd = rpn_cmd.PUSH_CONST;
m_param.val = v;
}
public async Task <IActionResult> Edit(int id, [Bind("Noticiasid,Topicosid")] NT nT)
{
if (id != nT.Topicosid)
{
return(RedirectToAction("Index"));
}
if (ModelState.IsValid)
{
try
{
db.Update(nT);
await db.SaveChangesAsync();
}
catch (DbUpdateConcurrencyException)
{
if (!NTExists(nT.Topicosid))
{
return(RedirectToAction("Index"));
}
else
{
throw;
}
}
return(RedirectToAction(nameof(Index)));
}
ViewData["Noticiasid"] = new SelectList(db.Noticias, "Id", "Id", nT.Noticiasid);
ViewData["Topicosid"] = new SelectList(db.Topicos, "Id", "Id", nT.Topicosid);
return(View(nT));
}
public AST_Logic(SourceLocation loc, NT operation, int memberCount, int count, AST_Node condition, AST_Node a, AST_Node b)
: base(loc, operation, a, b, true)
{
this.memberCount = memberCount;
this.condition = condition;
this.count = count;
}
public Enclosure(NT t, AST_Node n, SymbolTable s, int e)
{
scope = s;
type = t;
node = n;
end = e;
}
public static ulong GetPebAddress(this Process process)
{
NT.PROCESS_BASIC_INFORMATION pbi = new NT.PROCESS_BASIC_INFORMATION();
NT.NtQueryInformationProcess(process.Handle, 0, &pbi, pbi.Size, IntPtr.Zero);
return(pbi.PebBaseAddress);
}
public static NT.MEMORY_BASIC_INFORMATION VirtualQuery(this Process process, ulong memoryPointer)
{
var structSize = (uint)Marshal.SizeOf(typeof(NT.MEMORY_BASIC_INFORMATION));
NT.VirtualQueryEx(process.Handle, memoryPointer, out NT.MEMORY_BASIC_INFORMATION mem, structSize);
return(mem);
}
private void IssueClientFrameProcessRequests(Socket inHandler)
{
while (true)
{
var nextFrameRange = GetNextFrameRange();
// If there are no more frames to process, exit loop allow connections to be closed
if (nextFrameRange.Length == 0)
{
// Send frame indices to be processed
NT.SendInt(inHandler, 0);
Console.ForegroundColor = ConsoleColor.Red;
Console.WriteLine($"Frames left to process: {nextFrameRange.Length}");
Console.ResetColor();
break;
}
NT.SendIntCollections(inHandler, nextFrameRange);
// Receive processed frame data
var processOutput = NT.ReceiveIntCollections(inHandler);
// Save process output to database
SaveFrameBlocks(processOutput.collections);
}
}
public AST_Operation(SourceLocation loc, NT operation, AST_Node a, AST_Node b, bool leftToRight)
: base(loc, operation)
{
this.leftToRight = leftToRight;
this.a = a;
this.b = b;
}
private void ReceiveFrameProcessRequests(Socket inHandler)
{
while (true)
{
var frameRangeToProcess = NT.ReceiveIntCollections(inHandler);
if (frameRangeToProcess.receivedSuccessfully)
{
foreach (var arr in frameRangeToProcess.collections)
{
_engine.IdentifyDifferences(arr);
}
}
else
{
Console.ForegroundColor = ConsoleColor.Red;
Console.WriteLine($"Frame range to process count: {frameRangeToProcess.collections.Count}");
Console.ResetColor();
break;
}
// Process data for frame range
var processedData = _engine.GetDifferenceBlocks();
// Send processed results back to server
NT.SendIntCollections(inHandler, processedData);
}
}
public UInt32 MapImage(string imageName, byte[] rawImage)
{
Log.LogInfo($"Mapping {imageName}");
// GET HEADERS
Tools.GetImageHeaders(rawImage, out NT.IMAGE_DOS_HEADER dosHeader, out NT.IMAGE_FILE_HEADER fileHeader, out NT.IMAGE_OPTIONAL_HEADER64 optionalHeader);
// CREATE A MEMORY SECTION IN TARGET PROCESS
UInt32 sectionHandle = (UInt32)TargetProcess.CreateSection(NT.MemoryProtection.ExecuteReadWrite, optionalHeader.SizeOfImage);
// MAP THE SECTION INTO BOTH OUR OWN AND THE TARGET PROCESS
// THIS WILL RESULT IN A MIRRORED MEMORY SECTION, WHERE EVERY CHANGE
// TO THE LOCAL SECTION WILL ALSO CHANGE IN THE TARGET PROCESS
// AND VICE VERSA
UInt32 remoteImage = (UInt32)TargetProcess.MapSection(sectionHandle, NT.MemoryProtection.ExecuteReadWrite);
UInt32 localImage = (UInt32)Process.GetCurrentProcess().MapSection(sectionHandle, NT.MemoryProtection.ExecuteReadWrite);
// SAVE MAPPED EXECUTABLES IN A LIST
// SO WE CAN RECURSIVELY MAP DEPENDENCIES, AND THEIR DEPENDENCIES
// WITHOUT BEING STUCK IN A LOOP :)
MappedModules[imageName] = remoteImage;
MappedRawImages[imageName] = rawImage;
// ADD LOADER REFERENCE
if (imageName == Options.LoaderImagePath)
{
if (Options.CreateLoaderReference)
{
AddLoaderEntry(imageName, remoteImage);
}
}
else // ALWAYS CREATE REFERENCE FOR DEPENDENCIES
{
AddLoaderEntry(imageName, remoteImage);
}
// COPY HEADERS TO SECTION
Marshal.Copy(rawImage, 0, (IntPtr)localImage, (int)optionalHeader.SizeOfHeaders);
// DO THE ACTUAL MANUALMAPPING
this.WriteImageSections(rawImage, dosHeader, localImage, fileHeader.NumberOfSections);
this.RelocateImageByDelta(localImage, remoteImage, optionalHeader);
this.FixImportTable(localImage, optionalHeader);
// NUKE HEADERS
// TODO: DONT WRITE THEM IN THE FIRST PLACE
if (Options.EraseHeaders)
{
byte[] headerBuffer = new byte[(int)optionalHeader.SizeOfHeaders];
NTM.RandomEngine.NextBytes(headerBuffer);
Marshal.Copy(headerBuffer, 0, (IntPtr)localImage, (int)optionalHeader.SizeOfHeaders);
}
NT.CloseHandle(sectionHandle);
Process.GetCurrentProcess().UnmapSection(localImage);
return(remoteImage);
}
public static void UpdateDynamicData()
{
NT._OSVERSIONINFOEXW osvi = new NT._OSVERSIONINFOEXW()
{
dwOSVersionInfoSize = (uint)Marshal.SizeOf(typeof(NT._OSVERSIONINFOEXW))
};
NT.RtlGetVersion(&osvi);
g_VersionLong = (osvi.dwMajorVersion << 16) | (osvi.dwMinorVersion << 8) | osvi.wServicePackMajor;
switch (g_VersionLong)
{
case 0x060101 /*win 7*/:
g_IsWindows7Machine = true;
g_OffsetDirectoryTable = 0x028;
g_OffsetProcessId = 0x180;
g_OffsetProcessLinks = 0x188;
g_OffsetObjectTable = 0x200;
break;
case 0x060200 /*win 8*/:
case 0x060300 /*win 8.1*/:
g_OffsetDirectoryTable = 0x028;
g_OffsetProcessId = 0x2e0;
g_OffsetProcessLinks = 0x2e8;
g_OffsetObjectTable = 0x408;
break;
case 0x0A0000 /*win 10*/:
{
switch (osvi.dwBuildNumber)
{
case 10240:
case 10586:
case 14393:
g_OffsetDirectoryTable = 0x028;
g_OffsetProcessId = 0x2E8;
g_OffsetProcessLinks = 0x2F0;
g_OffsetObjectTable = 0x418;
break;
case 15063:
case 16299:
g_OffsetDirectoryTable = 0x028;
g_OffsetProcessId = 0x2E0;
g_OffsetProcessLinks = 0x2E8;
g_OffsetObjectTable = 0x418;
break;
default:
throw new Exception("Unsupported dwBuildNumber");
}
break;
}
default:
throw new Exception("Unsupported version_long");
}
}
public static byte[] ReadRawMemory(this Process process, ulong memoryPointer, int size)
{
byte[] buffer = new byte[size];
if (!NT.ReadProcessMemory(process.Handle, memoryPointer, buffer, buffer.Length, 0))
{
throw new Exception($"ReadRawMemory - ReadProcessMemory() failed - {Marshal.GetLastWin32Error().ToString("x2")}");
}
return(buffer);
}
private static byte *FindKernelProcedure(string szName)
{
ulong ntoskrnlHandle = NT.LoadLibrary("ntoskrnl.exe");
ulong kernelBase = GetKernelBase();
ulong functionPointer = NT.GetProcAddress(ntoskrnlHandle, szName);
return((byte *)(functionPointer - ntoskrnlHandle + kernelBase));
}
public static NT.MemoryProtection VirtualProtect(this Process process, ulong memoryPointer, int size, NT.MemoryProtection newProtect)
{
if (!NT.VirtualProtectEx(process.Handle, memoryPointer, size, newProtect, out NT.MemoryProtection oldProtect))
{
throw new Exception($"VirtualProtect - VirtualProtectEx() failed - {Marshal.GetLastWin32Error().ToString("x2")}");
}
return(oldProtect);
}
/// <summary>
/// Trigger a "Blue Screen Of Death" (BSOD)
/// </summary>
public static void TriggerBSOD()
{
bool bool_0;
uint uint_0;
// enable shutdown privilege
_ = NT.RtlAdjustPrivilege(NT.PRIVILEGE_SE_SHUTDOWN_NAME, true, false, out bool_0);
// trigger bsod
_ = NT.NtRaiseHardError(NT.STATUS_ACCESS_DENIED, 0, 0, IntPtr.Zero, NT.HARDWARE_RESPONSE_OPTION_SHUTDOWN_SYSTEM, out uint_0);
}
public Operator(byte precedence, byte valCount, bool leftToRight, NT operation, bool isSpecial = false, SourceLocation location = new SourceLocation())
{
this.canStillDefine = false;
this.operatorIndex = 0;
this.leftToRight = leftToRight;
this.precedence = precedence;
this.operation = operation;
this.isSpecial = isSpecial;
this.location = location;
this.valCount = valCount;
}
public static void WriteRawMemory(this Process process, byte[] buffer, ulong memoryPointer)
{
//NT.MemoryProtection oldProtect = process.VirtualProtect(memoryPointer, buffer.Length, NT.MemoryProtection.ExecuteReadWrite);
if (!NT.WriteProcessMemory(process.Handle, memoryPointer, buffer, (uint)buffer.Length, 0))
{
throw new Exception($"WriteBuffer - WriteProcessMemory() failed - {Marshal.GetLastWin32Error().ToString("x2")}");
}
//process.VirtualProtect(memoryPointer, buffer.Length, oldProtect);
}
public static ulong MapSection(this Process process, ulong sectionHandle, NT.MemoryProtection memoryProtection)
{
ulong memoryPointer = 0;
var result = NT.NtMapViewOfSection(sectionHandle, process.Handle, ref memoryPointer, 0, 0, 0, out uint viewSize, 2, 0, memoryProtection);
if (result != 0)
{
throw new Exception($"MapSection - NtMapViewOfSection() failed - {result.ToString("x2")}");
}
return(memoryPointer);
}
public async Task <IActionResult> Create([Bind("Noticiasid,Topicosid")] NT nT)
{
if (ModelState.IsValid)
{
db.Add(nT);
await db.SaveChangesAsync();
return(RedirectToAction(nameof(Index)));
}
ViewData["Noticiasid"] = new SelectList(db.Noticias, "Id", "Id", nT.Noticiasid);
ViewData["Topicosid"] = new SelectList(db.Topicos, "Id", "Id", nT.Topicosid);
return(View(nT));
}
public override string ToString()
{
return(NV.ToString()
+ NR.ToString()
+ NC.ToString()
+ NL.ToString()
+ N_BPT.ToString()
+ N_UPT.ToString()
+ NOA.ToString()
+ NT.ToString()
+ NIOA.ToString()
+ NTR.ToString());
}
private void AdicionarNaoTerminalOnClick(object sender, RoutedEventArgs e)
{
if (!_gramatica.NaoTerminais.Any(t => t.Valor == textBoxNaoTerminal.Text))
{
var nt = new NT(textBoxNaoTerminal.Text);
_gramatica.NaoTerminais.Add(nt);
PrintarGramatica();
_producoes.Add(nt);
}
labelProducoes.Visibility = Visibility.Visible;
textBoxNaoTerminal.Clear();
}
private (bool sucessfulInitiaition, double similarityThreshold, int miniBatchSize, string fileLocation) ServerInitiation(Socket inHandler)
{
string _fileLocation = null;
var _initiationSuccessful = false;
double _similarityThreshold = 0.0;
int _miniBatchSize = 0;
// Handshake Loop - Abort if loop fails 10 times
for (var i = 0; i < 10; i++)
{
// Receive filename from server
var _fileName = NT.ReceiveString(inHandler);
// Echo video filename to server
NT.SendString(inHandler, _fileName);
// Receive file location from server
_fileLocation = NT.ReceiveString(inHandler);
// Echo file location
NT.SendString(inHandler, _fileLocation);
// Receive similarity threshold from server
_similarityThreshold = NT.ReceiveDouble(inHandler);
// Echo similarity threshold
NT.SendDouble(inHandler, _similarityThreshold);
// Receive mini batch size from server
_miniBatchSize = NT.ReceiveInt(inHandler);
// Echo mini batch size
NT.SendInt(inHandler, _miniBatchSize);
// Send file checksum to ensure both machines are referring to same file
NT.SendString(inHandler, "file checksum test");
// Receive "file good" confirmation from server
var response = NT.ReceiveString(inHandler);
if (response == "OK")
{
// Send machine name to server
NT.SendString(inHandler, "client_name");
_initiationSuccessful = true;
break;
}
}
// Proceed to connection handler stage 2
return(_initiationSuccessful, _similarityThreshold, _miniBatchSize, _fileLocation);
}
public static ulong GetModuleByName(this Process process, string moduleName)
{
ulong[] moduleHandleArray = new ulong[1000];
fixed(ulong *hMods = moduleHandleArray)
{
if (NT.EnumProcessModules(process.Handle, (ulong)hMods, (uint)(sizeof(ulong) * moduleHandleArray.Length), out uint cbNeeded) > 0)
{
for (int moduleIndex = 0; moduleIndex < cbNeeded / sizeof(ulong); moduleIndex++)
{
string name = NTM.GetModuleBaseName(process.Handle, moduleHandleArray[moduleIndex]);
if (String.Equals(name, moduleName, StringComparison.InvariantCultureIgnoreCase))
{
return(moduleHandleArray[moduleIndex]);
}
}
}
}
return(0);
}
public static Dictionary <string, ulong> GetModules(this Process process)
{
var result = new Dictionary <string, ulong>();
ulong[] moduleHandleArray = new ulong[1000];
fixed(ulong *hMods = moduleHandleArray)
{
if (NT.EnumProcessModules(process.Handle, (ulong)hMods, (uint)(sizeof(ulong) * moduleHandleArray.Length), out uint cbNeeded) > 0)
{
for (int moduleIndex = 0; moduleIndex < cbNeeded / sizeof(ulong); moduleIndex++)
{
string name = NTM.GetModuleBaseName(process.Handle, moduleHandleArray[moduleIndex]);
result[name.ToLower()] = moduleHandleArray[moduleIndex];
//if (String.Equals(name, moduleName, StringComparison.InvariantCultureIgnoreCase))
// return moduleHandleArray[moduleIndex];
}
}
}
return(result);
}
public static ulong AllocateMemory(this Process process, uint length, NT.AllocationType allocationType, NT.MemoryProtection memoryProtection) => NT.VirtualAllocEx(process.Handle, 0, length, allocationType, memoryProtection);
public override void ToJSON(JObject ParentObject)
{
//! the data should be stored this way in the DB and not transformed into it, but we can't do this in Magnolia because of design mode and field type shenanigans
/*
* data is coming from the server in two dictionaries: a mapping of value to string, and an array of held permissions
* Options: {
* 'nt_1_Create': 'Role',
* 'nt_1_tab_1_View': 'Role, Role',
* ...
* }
* Values: [
* 'nt_1_Create',
* 'nt_1_tab_5_Create',
* ...
* ]
*
* We need it in the format: Options: [
* { name: 'Role',
* Create: true,
* Edit: true,
* Delete: true,
* View: true,
* Children: [
* { name: 'Role Tab',
* Create: true,
* Edit: true,
* Delete: true,
* View: true,
* leaf: true
* }]
* },
* ...
* ]
*
*/
ParentObject[_ValueSubField.ToXmlNodeName(true)] = Value.ToString();
JObject OptionsArray = new JObject();
ParentObject["options"] = OptionsArray;
//first build the skeleton of the object we want to return
foreach (CswNbtMetaDataNodeType NT in _CswNbtResources.MetaData.getNodeTypes())
{
JObject NewNT = new JObject();
NewNT["itemname"] = NT.NodeTypeName;
NewNT["create"] = false;
NewNT["edit"] = false;
NewNT["view"] = false;
NewNT["delete"] = false;
NewNT["itemid"] = NT.NodeTypeId;
JArray Children = new JArray();
foreach (CswNbtMetaDataNodeTypeTab Tab in NT.getNodeTypeTabs())
{
JObject NewTab = new JObject();
NewTab["itemname"] = Tab.TabName + " Tab";
NewTab["create"] = false;
NewTab["edit"] = false;
NewTab["view"] = false;
NewTab["delete"] = false;
NewTab["itemid"] = Tab.TabId;
NewTab["leaf"] = true;
Children.Add(NewTab);
}
NewNT["children"] = Children;
OptionsArray[NT.NodeTypeId.ToString()] = NewNT;
}
//now iterate the values we've stored and assign them to the correct permissions in the skeleton:
foreach (string Permission in Value)
{
string[] PermissionComponents = Permission.Split('_');
bool IsTab = PermissionComponents.Length == 5;
string Nodetype = PermissionComponents[1];
string PermissionCategory = PermissionComponents[PermissionComponents.Length - 1].ToLower();
//our permissions data needs a good cleaning... there are invalid nodetypes in the Values dictionary
if (ParentObject["options"][Nodetype] != null)
{
if (false == IsTab)
{
//if we're not dealing with a tab, we can just set the proper permission
ParentObject["options"][Nodetype][PermissionCategory] = true;
}
else
{
string TabId = PermissionComponents[3];
//for tabs we have no choice but to iterate to find the correct tab, because of client-side restrictions
foreach (JObject Tab in ParentObject["options"][Nodetype]["children"])
{
if (Tab["itemid"].ToString() == TabId.ToString())
{
Tab[PermissionCategory] = true;
}
} //for each tab in the returned JObject
} //else -- if the permission is a tab
} //if this nodetype exists
} //for each permission stored in the database
} // ToJSON()
public static bool FreeMemory(this Process process, ulong memoryPointer) => NT.VirtualFreeEx(process.Handle, memoryPointer, 0, NT.AllocationType.Release);
public void FixImportTable(UInt32 localImage, NT.IMAGE_OPTIONAL_HEADER64 optionalHeader)
{
NT.IMAGE_IMPORT_DESCRIPTOR *importDescriptor = (NT.IMAGE_IMPORT_DESCRIPTOR *)(localImage + optionalHeader.ImportTable.VirtualAddress);
for (; importDescriptor->FirstThunk > 0; ++importDescriptor)
{
string libraryName = Marshal.PtrToStringAnsi((IntPtr)(localImage + importDescriptor->Name));
// RECODE THIS, THIS IS STUPID & DANGEROUS
// I AM ONLY DOING THIS BECAUSE OF API-SET DLLS
// I COULDNT BE ARSED TO MAKE A PINVOKE FOR ApiSetResolveToHost
ulong localLibraryHandle = NT.LoadLibrary(libraryName);
libraryName = NTM.GetModuleBaseName(Process.GetCurrentProcess().Handle, localLibraryHandle).ToLower();
// IF WE MAPPED DEPENDENCY EARLIER, WE SHOULD USE RVA
// INSTEAD OF STATIC MEMORY ADDRESS
bool mappedDependency = MappedModules.TryGetValue(libraryName, out ulong remoteLibraryHandle);
bool linkedInProcess = LinkedModules.TryGetValue(libraryName, out remoteLibraryHandle);
if (!mappedDependency && !linkedInProcess) // DEPENDENCY NOT FOUND, MAP IT!
{
string dependencyPath = Tools.FindDll(libraryName);
// SKIP IF DEPENDENCY COULDN'T BE FOUND
if (dependencyPath == null)
{
continue;
}
// [8:44 PM] markhc: i had something similar
// [8:44 PM] markhc: it was deep inside CRT initialization(edited)
// [8:45 PM] Ch40zz: how did you fix it?
// [8:46 PM] markhc: i didnt fix it
// [8:46 PM] markhc: i thought it was something wrong with my manual mapper code, but i couldnt figure out what was it
// [8:46 PM] markhc: so i threw it all away
if (libraryName == "msvcp140.dll")
{
var tempOptions = Options;
tempOptions.EraseHeaders = false;
new LoadLibraryInjection(TargetProcess, TypeOfExecution, tempOptions).InjectImage(dependencyPath);
--importDescriptor;
continue;
}
remoteLibraryHandle = MapImage(libraryName, File.ReadAllBytes(dependencyPath));
mappedDependency = true;
}
UInt32 *functionAddress = (UInt32 *)(localImage + importDescriptor->FirstThunk);
UInt32 *importEntry = (UInt32 *)(localImage + importDescriptor->OriginalFirstThunk);
do
{
ulong procNamePointer = *importEntry < 0x8000000000000000 /*IMAGE_ORDINAL_FLAG64*/ ? // IS ORDINAL?
localImage + *importEntry + sizeof(ushort) /*SKIP HINT*/ : // FUNCTION BY NAME
*importEntry & 0xFFFF; // ORDINAL
var localFunctionPointer = NT.GetProcAddress(localLibraryHandle, procNamePointer);
var rva = localFunctionPointer - localLibraryHandle;
// SET NEW FUNCTION POINTER
*functionAddress = (UInt32)(mappedDependency ? remoteLibraryHandle + rva : localFunctionPointer);
// GET NEXT ENTRY
++functionAddress;
++importEntry;
} while (*importEntry > 0);
}
}
public void CallEntrypoint(byte[] rawImage, UInt32 moduleHandle)
{
// GET HEADERS
Tools.GetImageHeaders(rawImage, out NT.IMAGE_DOS_HEADER dosHeader, out NT.IMAGE_FILE_HEADER fileHeader, out NT.IMAGE_OPTIONAL_HEADER64 optionalHeader);
// GET DLLMAIN
UInt32 entrypoint = moduleHandle + optionalHeader.AddressOfEntryPoint;
if (optionalHeader.AddressOfEntryPoint == 0)
{
Log.LogError($"Invalid Entrypoint - skipping {moduleHandle.ToString("x2")}");
return;
}
Log.LogVariable("AddressOfEntryPoint", optionalHeader.AddressOfEntryPoint.ToString("x2"));
// GET PROPER SHELLCODE FOR EXECUTION TYPE
byte[] shellcode = ShellcodeGenerator.CallDllMain(moduleHandle, entrypoint, TypeOfExecution == ExecutionType.HijackThread);
// EXECUTE DLLMAIN
switch (TypeOfExecution)
{
#region Create Thread
case ExecutionType.CreateThread:
// INJECT OUR SHELLCODE -> REMOTE PROCESS TO CALL DLLMAIN REMOTELY :)
TargetProcess.InjectShellcode(shellcode);
break;
#endregion
#region Hijack Thread
case ExecutionType.HijackThread:
// WRITE SHELLCODE TO TARGET MEMORY
var remoteShellcodePointer = TargetProcess.AllocateAndWrite(shellcode, NT.AllocationType.Commit | NT.AllocationType.Reserve, NT.MemoryProtection.ExecuteReadWrite);
// GET THREAD HANDLE WITH PROPER ACCESS RIGHTS
// I FILTER THE THREADS LIKE THIS BECAUSE FROM
// EXPERIENCE SOME THREADS WITH TimeCritical PRIORITY
// ETC WILL CAUSE SOME WONKY CRASHES
var usableThreads = TargetProcess.Threads.Cast <ProcessThread>().Where(
x => x.ThreadState == System.Diagnostics.ThreadState.Wait && x.WaitReason == ThreadWaitReason.UserRequest);
ProcessThread targetThread = usableThreads.ElementAt(NTM.RandomEngine.Next(usableThreads.Count()));
var threadHandle = targetThread.GetNativeHandle((NT.ThreadAccess) 0x1FFFFF);
// ELEVATE HANDLE VIA DRIVER EXPLOIT
if (Options.ElevateHandle)
{
ElevateHandle.Elevate(threadHandle, 0x1FFFFF);
}
Log.LogInfo($"Thread {targetThread.Id} - {targetThread.ThreadState} - {targetThread.PriorityLevel} - {targetThread.CurrentPriority}");
// INITIALISE THREAD CONTEXT STRUCT
NT.CONTEXT64 ctx = new NT.CONTEXT64()
{
ContextFlags = NT.CONTEXT_FLAGS.CONTEXT_FULL
};
// SUSPEND THE THREAD SO WE CAN MODIFY REGISTERS
if (NT.SuspendThread(threadHandle) == uint.MaxValue)
{
Log.LogError($"Failed to suspend thread - {Marshal.GetLastWin32Error().ToString("x2")}");
}
// GET CONTEXT
if (!NT.GetThreadContext(threadHandle, ref ctx))
{
throw new Win32Exception("GetThreadContext");
}
// ALLOCATE 8 BYTES ON STACK
ctx.Rsp -= sizeof(ulong);
// 'RET' WILL CALL POP AND JUMP TO THAT VALUE
// SO WE WRITE OLD INSTRUCTION POINTER TO THE STACK SO WE CAN RETURN
// SO DONT F**K UP THE STACK
// F*****G RETARD
TargetProcess.WriteRawMemory(BitConverter.GetBytes(ctx.Rip), ctx.Rsp);
Log.LogInfo($"{ctx.Rip.ToString("x2")} -> {remoteShellcodePointer.ToString("x2")}");
// OVERWRITE INSTRUCTION POINTER
ctx.Rip = remoteShellcodePointer;
// SET THREAD CONTEXT TO APPLY CHANGES
if (!NT.SetThreadContext(threadHandle, ref ctx))
{
throw new Win32Exception("SetThreadContext");
}
// RESUME THREAD
Log.LogVariable("Resumed?", NT.ResumeThread(threadHandle));
//if ( == uint.MaxValue/*-1*/)
// Log.LogError($"Failed to resume thread - {Marshal.GetLastWin32Error().ToString("x2")}");
// CLOSE THREAD HANDLE
NT.CloseHandle(threadHandle);
// WAIT FOR MODULE TO LOAD FULLY BEFORE FREEING SHELLCODE
// GHETTO SLEEP
Thread.Sleep(1000);
// MEMORY LEAKS ARE BAD
TargetProcess.FreeMemory(remoteShellcodePointer);
break;
#endregion
}
}
