private unsafe T NtInvocation <T>(VxTableEntry Entry) where T : Delegate
{
byte[] gate = GetHellsGate(Entry.High, Entry.Low);
fixed(byte *ptr = gate)
{
bool success = VirtualProtect((IntPtr)ptr, gate.Length, 0x40, out uint lpflOldProtect);
if (!success)
{
return(default);
public static void GetVxTableEntry(ref MemoryUtil MemUtil, ref VxTableEntry Entry, ref List <Win32.IMAGE_SECTION_HEADER> Sections, long PtrFunctions, long PtrNames, int NumberOfNames)
{
for (int cx = 0; cx < NumberOfNames; cx++)
{
uint PtrFunctionName = MemUtil.ReadPtr32(PtrNames + (sizeof(uint) * cx));
string FunctionName = MemUtil.ReadAscii(ConvertRvaToOffset(PtrFunctionName, Sections));
if (Entry.Hash == Getdjb2Hash(FunctionName))
{
uint PtrFunctionAdddress = MemUtil.ReadPtr32(PtrFunctions + (sizeof(uint) * (cx + 1)));
long OffsetFunctionAddress = ConvertRvaToOffset(PtrFunctionAdddress, Sections);
byte[] opcode = MemUtil.GetFunctionOpCode(OffsetFunctionAddress);
if (opcode[3] == 0xb8 && opcode[18] == 0x0f && opcode[19] == 0x05)
{
Entry.High = opcode[5];
Entry.Low = opcode[4];
return;
}
}
}
}
public static short HighLowToSystemCall(VxTableEntry Entry) => (short)((Entry.High << 4) | Entry.Low);