public static void RtlInitUnicodeString(ref Data.Native.UNICODE_STRING destinationString, [MarshalAs(UnmanagedType.LPWStr)] string sourceString)
{
object[] funcargs =
{
destinationString, sourceString
};
Generic.DynamicApiInvoke("ntdll.dll", "RtlInitUnicodeString", typeof(Delegates.RtlInitUnicodeString), ref funcargs);
destinationString = (Data.Native.UNICODE_STRING)funcargs[0];
}
public static string GetFilenameFromMemoryPointer(IntPtr hProc, IntPtr pMem)
{
// Alloc buffer for result struct
IntPtr pBase = IntPtr.Zero;
IntPtr RegionSize = (IntPtr)0x500;
IntPtr pAlloc = NtAllocateVirtualMemory(hProc, ref pBase, IntPtr.Zero, ref RegionSize, Data.Win32.Kernel32.MEM_COMMIT | Data.Win32.Kernel32.MEM_RESERVE, Data.Win32.WinNT.PAGE_READWRITE);
// Prepare NtQueryVirtualMemory parameters
Data.Native.MEMORYINFOCLASS memoryInfoClass = Data.Native.MEMORYINFOCLASS.MemorySectionName;
UInt32 MemoryInformationLength = 0x500;
UInt32 Retlen = 0;
// Craft an array for the arguments
object[] funcargs =
{
hProc, pMem, memoryInfoClass, pAlloc, MemoryInformationLength, Retlen
};
Data.Native.NTSTATUS retValue = (Data.Native.NTSTATUS)Generic.DynamicAPIInvoke(@"ntdll.dll", @"NtQueryVirtualMemory", typeof(DELEGATES.NtQueryVirtualMemory), ref funcargs);
string FilePath = string.Empty;
if (retValue == Data.Native.NTSTATUS.Success)
{
Data.Native.UNICODE_STRING sn = (Data.Native.UNICODE_STRING)Marshal.PtrToStructure(pAlloc, typeof(Data.Native.UNICODE_STRING));
FilePath = Marshal.PtrToStringUni(sn.Buffer);
}
// Free allocation
NtFreeVirtualMemory(hProc, ref pAlloc, ref RegionSize, Data.Win32.Kernel32.MEM_RELEASE);
if (retValue == Data.Native.NTSTATUS.AccessDenied)
{
// STATUS_ACCESS_DENIED
throw new UnauthorizedAccessException("Access is denied.");
}
if (retValue == Data.Native.NTSTATUS.AccessViolation)
{
// STATUS_ACCESS_VIOLATION
throw new InvalidOperationException("The specified base address is an invalid virtual address.");
}
if (retValue == Data.Native.NTSTATUS.InfoLengthMismatch)
{
// STATUS_INFO_LENGTH_MISMATCH
throw new InvalidOperationException("The MemoryInformation buffer is larger than MemoryInformationLength.");
}
if (retValue == Data.Native.NTSTATUS.InvalidParameter)
{
// STATUS_INVALID_PARAMETER
throw new InvalidOperationException("The specified base address is outside the range of accessible addresses.");
}
return(FilePath);
}
public static void RtlInitUnicodeString(ref Data.Native.UNICODE_STRING DestinationString, [MarshalAs(UnmanagedType.LPWStr)] string SourceString)
{
// Craft an array for the arguments
object[] funcargs =
{
DestinationString, SourceString
};
Generic.DynamicAPIInvoke(@"ntdll.dll", @"RtlInitUnicodeString", typeof(DELEGATES.RtlInitUnicodeString), ref funcargs);
// Update the modified variables
DestinationString = (Data.Native.UNICODE_STRING)funcargs[0];
}
/// <summary>
/// Resolves LdrLoadDll and uses that function to load a DLL from disk.
/// </summary>
/// <author>Ruben Boonen (@FuzzySec)</author>
/// <param name="DLLPath">The path to the DLL on disk. Uses the LoadLibrary convention.</param>
/// <returns>IntPtr base address of the loaded module or IntPtr.Zero if the module was not loaded successfully.</returns>
public static IntPtr LoadModuleFromDisk(string DLLPath)
{
Data.Native.UNICODE_STRING uModuleName = new Data.Native.UNICODE_STRING();
Native.RtlInitUnicodeString(ref uModuleName, DLLPath);
IntPtr hModule = IntPtr.Zero;
Data.Native.NTSTATUS CallResult = Native.LdrLoadDll(IntPtr.Zero, 0, ref uModuleName, ref hModule);
if (CallResult != Data.Native.NTSTATUS.Success || hModule == IntPtr.Zero)
{
return(IntPtr.Zero);
}
return(hModule);
}
/// <summary>
/// Maps a DLL from disk into a Section using NtCreateSection.
/// </summary>
/// <author>The Wover (@TheRealWover), Ruben Boonen (@FuzzySec)</author>
/// <param name="dllPath">Full path fo the DLL on disk.</param>
/// <returns>PE.PE_MANUAL_MAP</returns>
public static Data.PE.PE_MANUAL_MAP MapModuleFromDiskToSection(string dllPath)
{
if (!File.Exists(dllPath))
{
throw new InvalidOperationException("Filepath not found.");
}
var objectName = new Data.Native.UNICODE_STRING();
Native.RtlInitUnicodeString(ref objectName, @"\??\" + dllPath);
var pObjectName = Marshal.AllocHGlobal(Marshal.SizeOf(objectName));
Marshal.StructureToPtr(objectName, pObjectName, true);
var objectAttributes = new Data.Native.OBJECT_ATTRIBUTES();
objectAttributes.Length = Marshal.SizeOf(objectAttributes);
objectAttributes.ObjectName = pObjectName;
objectAttributes.Attributes = 0x40;
var ioStatusBlock = new Data.Native.IO_STATUS_BLOCK();
var hFile = IntPtr.Zero;
Native.NtOpenFile(
ref hFile,
Data.Win32.Kernel32.FileAccessFlags.FILE_READ_DATA |
Data.Win32.Kernel32.FileAccessFlags.FILE_EXECUTE |
Data.Win32.Kernel32.FileAccessFlags.FILE_READ_ATTRIBUTES |
Data.Win32.Kernel32.FileAccessFlags.SYNCHRONIZE,
ref objectAttributes, ref ioStatusBlock,
Data.Win32.Kernel32.FileShareFlags.FILE_SHARE_READ |
Data.Win32.Kernel32.FileShareFlags.FILE_SHARE_DELETE,
Data.Win32.Kernel32.FileOpenFlags.FILE_SYNCHRONOUS_IO_NONALERT |
Data.Win32.Kernel32.FileOpenFlags.FILE_NON_DIRECTORY_FILE
);
var hSection = IntPtr.Zero;
ulong maxSize = 0;
var ret = Native.NtCreateSection(
ref hSection,
(uint)Data.Win32.WinNT.ACCESS_MASK.SECTION_ALL_ACCESS,
IntPtr.Zero,
ref maxSize,
Data.Win32.WinNT.PAGE_READONLY,
Data.Win32.WinNT.SEC_IMAGE,
hFile
);
var pBaseAddress = IntPtr.Zero;
Native.NtMapViewOfSection(
hSection, (IntPtr)(-1), ref pBaseAddress,
IntPtr.Zero, IntPtr.Zero, IntPtr.Zero,
ref maxSize, 0x2, 0x0,
Data.Win32.WinNT.PAGE_READWRITE
);
var secMapObject = new Data.PE.PE_MANUAL_MAP
{
PEINFO = Generic.GetPeMetaData(pBaseAddress),
ModuleBase = pBaseAddress
};
Win32.CloseHandle(hFile);
return(secMapObject);
}
public static Data.Native.NTSTATUS LdrLoadDll(IntPtr PathToFile, UInt32 dwFlags, ref Data.Native.UNICODE_STRING ModuleFileName, ref IntPtr ModuleHandle)
{
// Craft an array for the arguments
object[] funcargs =
{
PathToFile, dwFlags, ModuleFileName, ModuleHandle
};
Data.Native.NTSTATUS retValue = (Data.Native.NTSTATUS)Generic.DynamicAPIInvoke(@"ntdll.dll", @"LdrLoadDll", typeof(DELEGATES.LdrLoadDll), ref funcargs);
// Update the modified variables
ModuleHandle = (IntPtr)funcargs[3];
return(retValue);
}
/// <summary>
/// Maps a DLL from disk into a Section using NtCreateSection.
/// </summary>
/// <author>The Wover (@TheRealWover), Ruben Boonen (@FuzzySec)</author>
/// <param name="DLLPath">Full path fo the DLL on disk.</param>
/// <returns>PE.PE_MANUAL_MAP</returns>
public static Data.PE.PE_MANUAL_MAP MapModuleFromDisk(string DLLPath)
{
// Check file exists
if (!File.Exists(DLLPath))
{
throw new InvalidOperationException("Filepath not found.");
}
// Open file handle
Data.Native.UNICODE_STRING ObjectName = new Data.Native.UNICODE_STRING();
DynamicInvoke.Native.RtlInitUnicodeString(ref ObjectName, (@"\??\" + DLLPath));
IntPtr pObjectName = Marshal.AllocHGlobal(Marshal.SizeOf(ObjectName));
Marshal.StructureToPtr(ObjectName, pObjectName, true);
Data.Native.OBJECT_ATTRIBUTES objectAttributes = new Data.Native.OBJECT_ATTRIBUTES();
objectAttributes.Length = Marshal.SizeOf(objectAttributes);
objectAttributes.ObjectName = pObjectName;
objectAttributes.Attributes = 0x40; // OBJ_CASE_INSENSITIVE
Data.Native.IO_STATUS_BLOCK ioStatusBlock = new Data.Native.IO_STATUS_BLOCK();
IntPtr hFile = IntPtr.Zero;
DynamicInvoke.Native.NtOpenFile(
ref hFile,
Data.Win32.Kernel32.FileAccessFlags.FILE_READ_DATA |
Data.Win32.Kernel32.FileAccessFlags.FILE_EXECUTE |
Data.Win32.Kernel32.FileAccessFlags.FILE_READ_ATTRIBUTES |
Data.Win32.Kernel32.FileAccessFlags.SYNCHRONIZE,
ref objectAttributes, ref ioStatusBlock,
Data.Win32.Kernel32.FileShareFlags.FILE_SHARE_READ |
Data.Win32.Kernel32.FileShareFlags.FILE_SHARE_DELETE,
Data.Win32.Kernel32.FileOpenFlags.FILE_SYNCHRONOUS_IO_NONALERT |
Data.Win32.Kernel32.FileOpenFlags.FILE_NON_DIRECTORY_FILE
);
// Create section from hFile
IntPtr hSection = IntPtr.Zero;
ulong MaxSize = 0;
Data.Native.NTSTATUS ret = DynamicInvoke.Native.NtCreateSection(
ref hSection,
(UInt32)Data.Win32.WinNT.ACCESS_MASK.SECTION_ALL_ACCESS,
IntPtr.Zero,
ref MaxSize,
Data.Win32.WinNT.PAGE_READONLY,
Data.Win32.WinNT.SEC_IMAGE,
hFile
);
// Map view of file
IntPtr pBaseAddress = IntPtr.Zero;
DynamicInvoke.Native.NtMapViewOfSection(
hSection, (IntPtr)(-1), ref pBaseAddress,
IntPtr.Zero, IntPtr.Zero, IntPtr.Zero,
ref MaxSize, 0x2, 0x0,
Data.Win32.WinNT.PAGE_READWRITE
);
// Prepare return object
Data.PE.PE_MANUAL_MAP SecMapObject = new Data.PE.PE_MANUAL_MAP
{
PEINFO = DynamicInvoke.Generic.GetPeMetaData(pBaseAddress),
ModuleBase = pBaseAddress
};
return(SecMapObject);
}
public static Data.Native.NTSTATUS LdrLoadDll(IntPtr pathToFile, uint dwFlags, ref Data.Native.UNICODE_STRING moduleFileName, ref IntPtr moduleHandle)
{
object[] funcargs =
{
pathToFile, dwFlags, moduleFileName, moduleHandle
};
var retValue = (Data.Native.NTSTATUS)Generic.DynamicApiInvoke("ntdll.dll", "LdrLoadDll", typeof(Delegates.LdrLoadDll), ref funcargs);
moduleHandle = (IntPtr)funcargs[3];
return(retValue);
}