Esempio n. 1
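        /// <summary>
        /// Returns the image base of the first module reported by
        /// NtQuerySystemInformation(SystemModuleInformation); the caller treats
        /// that entry as the running kernel image.
        /// </summary>
        /// <returns>The ImageBase of the first <c>_RTL_PROCESS_MODULES</c> entry.</returns>
        /// <exception cref="InvalidOperationException">
        /// Thrown when the query still fails after one retry with the length the
        /// system reported.
        /// </exception>
        private static ulong GetKernelBase()
        {
            const uint SystemModuleInformation  = 11;
            const uint StatusInfoLengthMismatch = 0xC0000004;

            uint   bufferSize = 2048;
            IntPtr buffer     = Marshal.AllocHGlobal((int)bufferSize);

            try
            {
                uint status = NT.NtQuerySystemInformation(SystemModuleInformation, (ulong)buffer.ToInt64(), bufferSize, out bufferSize);

                // The initial 2048-byte buffer is usually too small; on
                // STATUS_INFO_LENGTH_MISMATCH bufferSize holds the required length.
                if (status == StatusInfoLengthMismatch)
                {
                    Marshal.FreeHGlobal(buffer);
                    buffer = IntPtr.Zero;   // keeps the finally block from double-freeing if the re-allocation throws
                    buffer = Marshal.AllocHGlobal((int)bufferSize);

                    status = NT.NtQuerySystemInformation(SystemModuleInformation, (ulong)buffer.ToInt64(), bufferSize, out bufferSize);
                }

                if (status != 0)
                {
                    throw new InvalidOperationException("GetKernelBase Failed: NtQuerySystemInformation returned 0x" + status.ToString("X8"));
                }

                // Copy the value out before the buffer is released below.
                NT._RTL_PROCESS_MODULES *modulesPointer = (NT._RTL_PROCESS_MODULES *)buffer.ToPointer();
                return (ulong)modulesPointer->Modules.ImageBase;
            }
            finally
            {
                // Previously the buffer was never freed on success and leaked on
                // every failure path other than the length-mismatch retry.
                if (buffer != IntPtr.Zero)
                {
                    Marshal.FreeHGlobal(buffer);
                }
            }
        }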
Esempio n. 2
        /// <summary>
        /// Reads the running Windows version with RtlGetVersion and loads the
        /// matching per-version values into the g_Offset* fields; Windows 7 also
        /// sets g_IsWindows7Machine.
        /// </summary>
        /// <exception cref="Exception">
        /// Thrown when the major/minor/service-pack combination, or the Windows 10
        /// build number, has no offset table in this method.
        /// </exception>
        public static void UpdateDynamicData()
        {
            NT._OSVERSIONINFOEXW versionInfo = new NT._OSVERSIONINFOEXW();
            versionInfo.dwOSVersionInfoSize = (uint)Marshal.SizeOf(typeof(NT._OSVERSIONINFOEXW));
            NT.RtlGetVersion(&versionInfo);

            // Packed as 0xMMmmSS: major in the high byte, minor in the middle,
            // service pack major in the low byte (6.1 SP1 -> 0x060101).
            ulong packedVersion = (versionInfo.dwMajorVersion << 16) | (versionInfo.dwMinorVersion << 8) | versionInfo.wServicePackMajor;

            if (packedVersion == 0x060101)
            {
                // Windows 7 SP1
                g_IsWindows7Machine    = true;
                g_OffsetDirectoryTable = 0x028;
                g_OffsetProcessId      = 0x180;
                g_OffsetProcessLinks   = 0x188;
                g_OffsetObjectTable    = 0x200;
            }
            else if (packedVersion == 0x060200 || packedVersion == 0x060300)
            {
                // Windows 8 and 8.1 share one table
                g_OffsetDirectoryTable = 0x028;
                g_OffsetProcessId      = 0x2e0;
                g_OffsetProcessLinks   = 0x2e8;
                g_OffsetObjectTable    = 0x408;
            }
            else if (packedVersion == 0x0A0000)
            {
                // Windows 10: the table is selected by build number instead
                var build = versionInfo.dwBuildNumber;

                if (build == 10240 || build == 10586 || build == 14393)
                {
                    g_OffsetDirectoryTable = 0x028;
                    g_OffsetProcessId      = 0x2E8;
                    g_OffsetProcessLinks   = 0x2F0;
                    g_OffsetObjectTable    = 0x418;
                }
                else if (build == 15063 || build == 16299)
                {
                    g_OffsetDirectoryTable = 0x028;
                    g_OffsetProcessId      = 0x2E0;
                    g_OffsetProcessLinks   = 0x2E8;
                    g_OffsetObjectTable    = 0x418;
                }
                else
                {
                    throw new Exception("Unsupported dwBuildNumber");
                }
            }
            else
            {
                throw new Exception("Unsupported version_long");
            }
        }
Esempio n. 3
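        /// <summary>
        /// Resolves the address of an ntoskrnl export inside the running kernel:
        /// the export's offset is taken from a user-mode mapping of ntoskrnl.exe
        /// and re-based onto the image base returned by <see cref="GetKernelBase"/>.
        /// </summary>
        /// <param name="szName">Name of the export to look up.</param>
        /// <returns>The computed kernel-mode address of the export.</returns>
        /// <exception cref="ArgumentNullException">Thrown when <paramref name="szName"/> is null.</exception>
        /// <exception cref="InvalidOperationException">
        /// Thrown when ntoskrnl.exe cannot be loaded or the export is not found.
        /// Previously a zero handle or zero export address was silently folded
        /// into the arithmetic and a meaningless pointer was returned.
        /// </exception>
        private static byte *FindKernelProcedure(string szName)
        {
            if (szName == null)
            {
                throw new ArgumentNullException("szName");
            }

            ulong ntoskrnlHandle = NT.LoadLibrary("ntoskrnl.exe");
            if (ntoskrnlHandle == 0)
            {
                throw new InvalidOperationException("FindKernelProcedure: LoadLibrary(ntoskrnl.exe) failed");
            }

            ulong functionPointer = NT.GetProcAddress(ntoskrnlHandle, szName);
            if (functionPointer == 0)
            {
                throw new InvalidOperationException("FindKernelProcedure: export not found: " + szName);
            }

            // Only query the system module list once the export is known to exist.
            ulong kernelBase = GetKernelBase();

            // NOTE(review): the user-mode handle from LoadLibrary is never released
            // here; if the NT wrapper exposes FreeLibrary it should be called once
            // the offset has been taken.
            return (byte *)(functionPointer - ntoskrnlHandle + kernelBase);
        }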