/// <summary>
/// Opens a handle to a thread by id through the dynamically resolved ntdll!NtOpenThread export.
/// </summary>
/// <param name="TID">Thread id, placed in CLIENT_ID.UniqueThread.</param>
/// <param name="DesiredAccess">Access rights requested for the returned handle.</param>
/// <returns>The thread handle written back by the call.</returns>
/// <exception cref="InvalidOperationException">The call returned NTSTATUS.InvalidCid (no thread with this id).</exception>
/// <exception cref="UnauthorizedAccessException">The call returned any other non-success status.</exception>
public static IntPtr NtOpenThread(int TID, Data.Win32.Kernel32.ThreadAccess DesiredAccess)
{
    // OBJECT_ATTRIBUTES stays zero-initialised; CLIENT_ID carries only the thread id.
    var objectAttributes = new Data.Native.OBJECT_ATTRIBUTES();
    var clientId = new Data.Native.CLIENT_ID();
    clientId.UniqueThread = (IntPtr)TID;

    // Boxed argument array; the callee writes the opened handle back into slot 0.
    object[] args = { IntPtr.Zero, DesiredAccess, objectAttributes, clientId };
    // NOTE(review): the NtOpenProcess delegate type is reused for NtOpenThread; presumably the
    // parameter layout (handle, access, OBJECT_ATTRIBUTES, CLIENT_ID) is identical — confirm.
    var status = (Data.Native.NTSTATUS)Generic.DynamicAPIInvoke(@"ntdll.dll", @"NtOpenThread", typeof(DELEGATES.NtOpenProcess), ref args);

    switch (status)
    {
        case Data.Native.NTSTATUS.Success:
            return (IntPtr)args[0];
        case Data.Native.NTSTATUS.InvalidCid:
            throw new InvalidOperationException("An invalid client ID was specified.");
        default:
            // Every other failure status is reported uniformly as access denied.
            throw new UnauthorizedAccessException("Access is denied.");
    }
}
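/// <summary>
/// Maps a DLL from disk into a Section using NtCreateSection.
/// </summary>
/// <author>The Wover (@TheRealWover), Ruben Boonen (@FuzzySec)</author>
/// <param name="dllPath">Full path of the DLL on disk.</param>
/// <returns>PE.PE_MANUAL_MAP holding the view base address and the parsed PE metadata.</returns>
/// <exception cref="InvalidOperationException">The file does not exist, NtOpenFile fails, or NtCreateSection returns a non-success status.</exception>
public static Data.PE.PE_MANUAL_MAP MapModuleFromDiskToSection(string dllPath)
{
    if (!File.Exists(dllPath))
    {
        throw new InvalidOperationException("Filepath not found.");
    }

    // NtOpenFile expects an NT object path, hence the \??\ prefix.
    var objectName = new Data.Native.UNICODE_STRING();
    Native.RtlInitUnicodeString(ref objectName, @"\??\" + dllPath);
    // NOTE(review): RtlInitUnicodeString stores a pointer in objectName.Buffer; whether that
    // buffer outlives the call depends on how the delegate marshals the string — confirm.
    var pObjectName = Marshal.AllocHGlobal(Marshal.SizeOf(objectName));
    var hFile = IntPtr.Zero;
    try
    {
        Marshal.StructureToPtr(objectName, pObjectName, true);

        var objectAttributes = new Data.Native.OBJECT_ATTRIBUTES();
        objectAttributes.Length = Marshal.SizeOf(objectAttributes);
        objectAttributes.ObjectName = pObjectName;
        objectAttributes.Attributes = 0x40; // OBJ_CASE_INSENSITIVE
        var ioStatusBlock = new Data.Native.IO_STATUS_BLOCK();

        Native.NtOpenFile(
            ref hFile,
            Data.Win32.Kernel32.FileAccessFlags.FILE_READ_DATA |
            Data.Win32.Kernel32.FileAccessFlags.FILE_EXECUTE |
            Data.Win32.Kernel32.FileAccessFlags.FILE_READ_ATTRIBUTES |
            Data.Win32.Kernel32.FileAccessFlags.SYNCHRONIZE,
            ref objectAttributes,
            ref ioStatusBlock,
            Data.Win32.Kernel32.FileShareFlags.FILE_SHARE_READ |
            Data.Win32.Kernel32.FileShareFlags.FILE_SHARE_DELETE,
            Data.Win32.Kernel32.FileOpenFlags.FILE_SYNCHRONOUS_IO_NONALERT |
            Data.Win32.Kernel32.FileOpenFlags.FILE_NON_DIRECTORY_FILE
        );

        var hSection = IntPtr.Zero;
        ulong maxSize = 0;
        var status = Native.NtCreateSection(
            ref hSection,
            (uint)Data.Win32.WinNT.ACCESS_MASK.SECTION_ALL_ACCESS,
            IntPtr.Zero,
            ref maxSize,
            Data.Win32.WinNT.PAGE_READONLY,
            Data.Win32.WinNT.SEC_IMAGE,
            hFile
        );
        // Fail fast here; otherwise a zero section handle would be handed to NtMapViewOfSection.
        if (status != Data.Native.NTSTATUS.Success)
        {
            throw new InvalidOperationException("Failed to create section, " + status);
        }

        // NOTE(review): hSection is never closed. The mapped view should stay valid without the
        // handle, but the handle itself is leaked — confirm whether a caller is expected to own it.
        var pBaseAddress = IntPtr.Zero;
        Native.NtMapViewOfSection(
            hSection,
            (IntPtr)(-1),
            ref pBaseAddress,
            IntPtr.Zero,
            IntPtr.Zero,
            IntPtr.Zero,
            ref maxSize,
            0x2,
            0x0,
            Data.Win32.WinNT.PAGE_READWRITE
        );

        return new Data.PE.PE_MANUAL_MAP
        {
            PEINFO = Generic.GetPeMetaData(pBaseAddress),
            ModuleBase = pBaseAddress
        };
    }
    finally
    {
        // Release the unmanaged name buffer and the file handle on every exit path, not only on success.
        Marshal.FreeHGlobal(pObjectName);
        if (hFile != IntPtr.Zero)
        {
            Win32.CloseHandle(hFile);
        }
    }
}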
/// <summary>
/// Opens a file through the dynamically resolved ntdll!NtOpenFile export.
/// </summary>
/// <param name="FileHandle">Receives the opened handle on success.</param>
/// <param name="DesiredAccess">Access rights requested for the handle.</param>
/// <param name="ObjAttr">OBJECT_ATTRIBUTES naming the file (NT object path).</param>
/// <param name="IoStatusBlock">IO_STATUS_BLOCK passed to the call; not copied back from the result.</param>
/// <param name="ShareAccess">Share mode for the open.</param>
/// <param name="OpenOptions">Open options for the call.</param>
/// <returns>The handle written back by the call (also stored in <paramref name="FileHandle"/>).</returns>
/// <exception cref="InvalidOperationException">The call returned a non-success status; the status is included in the message.</exception>
public static IntPtr NtOpenFile(ref IntPtr FileHandle, Data.Win32.Kernel32.FileAccessFlags DesiredAccess, ref Data.Native.OBJECT_ATTRIBUTES ObjAttr, ref Data.Native.IO_STATUS_BLOCK IoStatusBlock, Data.Win32.Kernel32.FileShareFlags ShareAccess, Data.Win32.Kernel32.FileOpenFlags OpenOptions)
{
    // Box every argument so the resolved export can be invoked through the delegate.
    var args = new object[]
    {
        FileHandle, DesiredAccess, ObjAttr, IoStatusBlock, ShareAccess, OpenOptions
    };
    var status = (Data.Native.NTSTATUS)Generic.DynamicAPIInvoke(@"ntdll.dll", @"NtOpenFile", typeof(DELEGATES.NtOpenFile), ref args);

    if (status == Data.Native.NTSTATUS.Success)
    {
        // Only slot 0 (the handle) is copied back; ObjAttr and IoStatusBlock are left as passed in.
        FileHandle = (IntPtr)args[0];
        return FileHandle;
    }

    throw new InvalidOperationException("Failed to open file, " + status);
}
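/// <summary>
/// Maps a DLL from disk into a Section using NtCreateSection.
/// </summary>
/// <author>The Wover (@TheRealWover), Ruben Boonen (@FuzzySec)</author>
/// <param name="DLLPath">Full path of the DLL on disk.</param>
/// <returns>PE.PE_MANUAL_MAP holding the view base address and the parsed PE metadata.</returns>
/// <exception cref="InvalidOperationException">The file does not exist, NtOpenFile fails, or NtCreateSection returns a non-success status.</exception>
public static Data.PE.PE_MANUAL_MAP MapModuleFromDisk(string DLLPath)
{
    // Check file exists
    if (!File.Exists(DLLPath))
    {
        throw new InvalidOperationException("Filepath not found.");
    }

    // Open file handle; NtOpenFile expects an NT object path, hence the \??\ prefix.
    Data.Native.UNICODE_STRING ObjectName = new Data.Native.UNICODE_STRING();
    DynamicInvoke.Native.RtlInitUnicodeString(ref ObjectName, (@"\??\" + DLLPath));
    // NOTE(review): RtlInitUnicodeString stores a pointer in ObjectName.Buffer; whether that
    // buffer outlives the call depends on how the delegate marshals the string — confirm.
    IntPtr pObjectName = Marshal.AllocHGlobal(Marshal.SizeOf(ObjectName));
    try
    {
        Marshal.StructureToPtr(ObjectName, pObjectName, true);

        Data.Native.OBJECT_ATTRIBUTES objectAttributes = new Data.Native.OBJECT_ATTRIBUTES();
        objectAttributes.Length = Marshal.SizeOf(objectAttributes);
        objectAttributes.ObjectName = pObjectName;
        objectAttributes.Attributes = 0x40; // OBJ_CASE_INSENSITIVE
        Data.Native.IO_STATUS_BLOCK ioStatusBlock = new Data.Native.IO_STATUS_BLOCK();

        IntPtr hFile = IntPtr.Zero;
        DynamicInvoke.Native.NtOpenFile(
            ref hFile,
            Data.Win32.Kernel32.FileAccessFlags.FILE_READ_DATA |
            Data.Win32.Kernel32.FileAccessFlags.FILE_EXECUTE |
            Data.Win32.Kernel32.FileAccessFlags.FILE_READ_ATTRIBUTES |
            Data.Win32.Kernel32.FileAccessFlags.SYNCHRONIZE,
            ref objectAttributes,
            ref ioStatusBlock,
            Data.Win32.Kernel32.FileShareFlags.FILE_SHARE_READ |
            Data.Win32.Kernel32.FileShareFlags.FILE_SHARE_DELETE,
            Data.Win32.Kernel32.FileOpenFlags.FILE_SYNCHRONOUS_IO_NONALERT |
            Data.Win32.Kernel32.FileOpenFlags.FILE_NON_DIRECTORY_FILE
        );
        // NOTE(review): hFile is never closed here; the sibling MapModuleFromDiskToSection
        // releases it with Win32.CloseHandle(hFile) once the section exists — confirm and align.

        // Create section from hFile
        IntPtr hSection = IntPtr.Zero;
        ulong MaxSize = 0;
        Data.Native.NTSTATUS ret = DynamicInvoke.Native.NtCreateSection(
            ref hSection,
            (UInt32)Data.Win32.WinNT.ACCESS_MASK.SECTION_ALL_ACCESS,
            IntPtr.Zero,
            ref MaxSize,
            Data.Win32.WinNT.PAGE_READONLY,
            Data.Win32.WinNT.SEC_IMAGE,
            hFile
        );
        // Fail fast here; otherwise a zero section handle would be handed to NtMapViewOfSection.
        if (ret != Data.Native.NTSTATUS.Success)
        {
            throw new InvalidOperationException("Failed to create section, " + ret);
        }

        // Map view of file
        IntPtr pBaseAddress = IntPtr.Zero;
        DynamicInvoke.Native.NtMapViewOfSection(
            hSection,
            (IntPtr)(-1),
            ref pBaseAddress,
            IntPtr.Zero,
            IntPtr.Zero,
            IntPtr.Zero,
            ref MaxSize,
            0x2,
            0x0,
            Data.Win32.WinNT.PAGE_READWRITE
        );

        // Prepare return object
        Data.PE.PE_MANUAL_MAP SecMapObject = new Data.PE.PE_MANUAL_MAP
        {
            PEINFO = DynamicInvoke.Generic.GetPeMetaData(pBaseAddress),
            ModuleBase = pBaseAddress
        };
        return SecMapObject;
    }
    finally
    {
        // The unmanaged name buffer is only needed for NtOpenFile; release it on every exit path.
        Marshal.FreeHGlobal(pObjectName);
    }
}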
/// <summary>
/// Opens a file through the dynamically resolved ntdll!NtOpenFile export.
/// </summary>
/// <param name="fileHandle">Receives the opened handle on success.</param>
/// <param name="desiredAccess">Access rights requested for the handle.</param>
/// <param name="objectAttributes">OBJECT_ATTRIBUTES naming the file (NT object path).</param>
/// <param name="ioStatusBlock">IO_STATUS_BLOCK passed to the call; not copied back from the result.</param>
/// <param name="shareAccess">Share mode for the open.</param>
/// <param name="openOptions">Open options for the call.</param>
/// <returns>The handle written back by the call (also stored in <paramref name="fileHandle"/>).</returns>
/// <exception cref="InvalidOperationException">The call returned a non-success status; the status is included in the message.</exception>
public static IntPtr NtOpenFile(ref IntPtr fileHandle, Data.Win32.Kernel32.FileAccessFlags desiredAccess, ref Data.Native.OBJECT_ATTRIBUTES objectAttributes, ref Data.Native.IO_STATUS_BLOCK ioStatusBlock, Data.Win32.Kernel32.FileShareFlags shareAccess, Data.Win32.Kernel32.FileOpenFlags openOptions)
{
    // Box every argument so the resolved export can be invoked through the delegate.
    var boxedArgs = new object[]
    {
        fileHandle, desiredAccess, objectAttributes, ioStatusBlock, shareAccess, openOptions
    };
    var status = (Data.Native.NTSTATUS)Generic.DynamicApiInvoke(@"ntdll.dll", @"NtOpenFile", typeof(Delegates.NtOpenFile), ref boxedArgs);

    if (status != Data.Native.NTSTATUS.Success)
    {
        throw new InvalidOperationException("Failed to open file, " + status);
    }

    // Only slot 0 (the handle) is copied back; objectAttributes and ioStatusBlock are left as passed in.
    fileHandle = (IntPtr)boxedArgs[0];
    return fileHandle;
}