/// <summary>
/// Looks up the section (file) name backing a memory address by calling
/// ntdll!NtQueryVirtualMemory with the MemorySectionName information class
/// through the dynamic invoker.
/// </summary>
/// <param name="hProc">Process handle passed to NtQueryVirtualMemory; also used for the scratch allocation below.</param>
/// <param name="pMem">Address inside that process to query.</param>
/// <returns>
/// The path string contained in the returned UNICODE_STRING on success; an empty string when the
/// call returns a non-success status that is not one of the four mapped to exceptions below.
/// </returns>
/// <exception cref="UnauthorizedAccessException">The call returned STATUS_ACCESS_DENIED.</exception>
/// <exception cref="InvalidOperationException">The call returned STATUS_ACCESS_VIOLATION, STATUS_INFO_LENGTH_MISMATCH or STATUS_INVALID_PARAMETER.</exception>
public static string GetFilenameFromMemoryPointer(IntPtr hProc, IntPtr pMem)
{
    // Alloc buffer for result struct.
    // NOTE(review): the scratch buffer is allocated via hProc, yet it is read below with
    // Marshal.PtrToStructure, i.e. in the calling process's address space. That only lines
    // up when hProc refers to the current process — confirm with callers.
    // NOTE(review): pAlloc is not checked for IntPtr.Zero before it is handed to the query.
    IntPtr pBase = IntPtr.Zero;
    IntPtr RegionSize = (IntPtr)0x500;
    IntPtr pAlloc = NtAllocateVirtualMemory(hProc, ref pBase, IntPtr.Zero, ref RegionSize, Execute.Win32.Kernel32.MEM_COMMIT | Execute.Win32.Kernel32.MEM_RESERVE, Execute.Win32.WinNT.PAGE_READWRITE);

    // Prepare NtQueryVirtualMemory parameters. The length must match the allocation size above.
    Execute.Native.MEMORYINFOCLASS memoryInfoClass = Execute.Native.MEMORYINFOCLASS.MemorySectionName;
    UInt32 MemoryInformationLength = 0x500;
    UInt32 Retlen = 0;

    // Craft an array for the arguments. Retlen is passed as a boxed copy and is never read back,
    // so the actual returned length is not available to this method.
    object[] funcargs =
    {
        hProc, pMem, memoryInfoClass, pAlloc, MemoryInformationLength, Retlen
    };

    Execute.Native.NTSTATUS retValue = (Execute.Native.NTSTATUS)Generic.DynamicAPIInvoke(@"ntdll.dll", @"NtQueryVirtualMemory", typeof(DELEGATES.NtQueryVirtualMemory), ref funcargs);

    string FilePath = string.Empty;
    if (retValue == Execute.Native.NTSTATUS.Success)
    {
        // The buffer holds a UNICODE_STRING whose Buffer member points at the name characters.
        // If Buffer is a null pointer, PtrToStringUni yields null rather than string.Empty.
        Execute.Native.UNICODE_STRING sn = (Execute.Native.UNICODE_STRING)Marshal.PtrToStructure(pAlloc, typeof(Execute.Native.UNICODE_STRING));
        FilePath = Marshal.PtrToStringUni(sn.Buffer);
    }

    // Free allocation. This runs before the status checks so the buffer is released on every
    // return/throw path below.
    NtFreeVirtualMemory(hProc, ref pAlloc, ref RegionSize, Execute.Win32.Kernel32.MEM_RELEASE);

    if (retValue == Execute.Native.NTSTATUS.AccessDenied)
    {
        // STATUS_ACCESS_DENIED
        throw new UnauthorizedAccessException("Access is denied.");
    }
    if (retValue == Execute.Native.NTSTATUS.AccessViolation)
    {
        // STATUS_ACCESS_VIOLATION
        throw new InvalidOperationException("The specified base address is an invalid virtual address.");
    }
    if (retValue == Execute.Native.NTSTATUS.InfoLengthMismatch)
    {
        // STATUS_INFO_LENGTH_MISMATCH
        throw new InvalidOperationException("The MemoryInformation buffer is larger than MemoryInformationLength.");
    }
    if (retValue == Execute.Native.NTSTATUS.InvalidParameter)
    {
        // STATUS_INVALID_PARAMETER
        throw new InvalidOperationException("The specified base address is outside the range of accessible addresses.");
    }

    // Any other non-success status is not surfaced: the caller receives an empty string.
    return(FilePath);
}
/// <summary>
/// Initialises a UNICODE_STRING from a managed string by invoking ntdll!RtlInitUnicodeString
/// through the dynamic invoker.
/// </summary>
/// <param name="DestinationString">Structure to initialise; replaced with the value read back from the call.</param>
/// <param name="SourceString">Managed string marshalled to the native side as LPWSTR.</param>
public static void RtlInitUnicodeString(ref Execute.Native.UNICODE_STRING DestinationString, [MarshalAs(UnmanagedType.LPWStr)] string SourceString)
{
    // The invoker takes boxed arguments; the struct goes in as a copy and is read back afterwards.
    object[] parameters = new object[] { DestinationString, SourceString };
    Generic.DynamicAPIInvoke(@"ntdll.dll", @"RtlInitUnicodeString", typeof(DELEGATES.RtlInitUnicodeString), ref parameters);

    // Propagate the (possibly modified) first argument to the caller's ref parameter.
    var initialised = (Execute.Native.UNICODE_STRING)parameters[0];
    DestinationString = initialised;
}
/// <summary>
/// Loads a DLL from disk via LdrLoadDll, resolved through the dynamic invoker.
/// </summary>
/// <author>Ruben Boonen (@FuzzySec)</author>
/// <param name="DLLPath">Path of the DLL on disk, following the LoadLibrary path convention.</param>
/// <returns>The module base address, or IntPtr.Zero when LdrLoadDll does not return Success or reports a null handle.</returns>
public static IntPtr LoadModuleFromDisk(string DLLPath)
{
    var moduleName = new Execute.Native.UNICODE_STRING();
    Native.RtlInitUnicodeString(ref moduleName, DLLPath);

    IntPtr loadedBase = IntPtr.Zero;
    Execute.Native.NTSTATUS status = Native.LdrLoadDll(IntPtr.Zero, 0, ref moduleName, ref loadedBase);

    // Both a non-success status and a zero handle are treated as failure.
    bool loaded = status == Execute.Native.NTSTATUS.Success && loadedBase != IntPtr.Zero;
    return loaded ? loadedBase : IntPtr.Zero;
}
/// <summary>
/// Maps a DLL from disk into a Section using NtCreateSection.
/// </summary>
/// <author>The Wover (@TheRealWover), Ruben Boonen (@FuzzySec)</author>
/// <param name="DLLPath">Full path of the DLL on disk.</param>
/// <returns>PE.PE_MANUAL_MAP describing the mapped view (PE metadata plus base address).</returns>
/// <exception cref="InvalidOperationException">The file does not exist according to File.Exists.</exception>
/// <remarks>
/// NOTE(review): none of the NTSTATUS results of NtOpenFile, NtCreateSection or NtMapViewOfSection
/// are checked in this method (the NtCreateSection result is stored in <c>ret</c> but never read),
/// so a failed open/create/map is not detected before GetPeMetaData runs on pBaseAddress.
/// NOTE(review): hFile, hSection and the unmanaged pObjectName allocation are not released here;
/// confirm whether a caller is expected to clean them up.
/// </remarks>
public static PE.PE_MANUAL_MAP MapModuleFromDisk(string DLLPath)
{
    // Check file exists
    if (!File.Exists(DLLPath))
    {
        throw new InvalidOperationException("Filepath not found.");
    }

    // Open file handle. The Win32 path is turned into an NT object path by prefixing "\??\".
    Execute.Native.UNICODE_STRING ObjectName = new Execute.Native.UNICODE_STRING();
    DynamicInvoke.Native.RtlInitUnicodeString(ref ObjectName, (@"\??\" + DLLPath));
    // The UNICODE_STRING is copied to unmanaged memory so OBJECT_ATTRIBUTES can point at it.
    IntPtr pObjectName = Marshal.AllocHGlobal(Marshal.SizeOf(ObjectName));
    Marshal.StructureToPtr(ObjectName, pObjectName, true);

    Execute.Native.OBJECT_ATTRIBUTES objectAttributes = new Execute.Native.OBJECT_ATTRIBUTES();
    objectAttributes.Length = Marshal.SizeOf(objectAttributes);
    objectAttributes.ObjectName = pObjectName;
    objectAttributes.Attributes = 0x40; // OBJ_CASE_INSENSITIVE

    Execute.Native.IO_STATUS_BLOCK ioStatusBlock = new Execute.Native.IO_STATUS_BLOCK();
    IntPtr hFile = IntPtr.Zero;
    // Return status is discarded; hFile may still be IntPtr.Zero if the open failed.
    DynamicInvoke.Native.NtOpenFile(
        ref hFile,
        Execute.Win32.Kernel32.FileAccessFlags.FILE_READ_DATA |
        Execute.Win32.Kernel32.FileAccessFlags.FILE_EXECUTE |
        Execute.Win32.Kernel32.FileAccessFlags.FILE_READ_ATTRIBUTES |
        Execute.Win32.Kernel32.FileAccessFlags.SYNCHRONIZE,
        ref objectAttributes,
        ref ioStatusBlock,
        Execute.Win32.Kernel32.FileShareFlags.FILE_SHARE_READ |
        Execute.Win32.Kernel32.FileShareFlags.FILE_SHARE_DELETE,
        Execute.Win32.Kernel32.FileOpenFlags.FILE_SYNCHRONOUS_IO_NONALERT |
        Execute.Win32.Kernel32.FileOpenFlags.FILE_NON_DIRECTORY_FILE
    );

    // Create section from hFile. SEC_IMAGE requests an image-style section; MaxSize of 0 lets the
    // section take its size from the file. `ret` is captured but not checked.
    IntPtr hSection = IntPtr.Zero;
    ulong MaxSize = 0;
    Execute.Native.NTSTATUS ret = DynamicInvoke.Native.NtCreateSection(
        ref hSection,
        (UInt32)Execute.Win32.WinNT.ACCESS_MASK.SECTION_ALL_ACCESS,
        IntPtr.Zero,
        ref MaxSize,
        Execute.Win32.WinNT.PAGE_READONLY,
        Execute.Win32.WinNT.SEC_IMAGE,
        hFile
    );

    // Map view of file into the current process ((IntPtr)(-1) is the current-process pseudo handle).
    // The two literals 0x2 and 0x0 are presumably the InheritDisposition and AllocationType
    // arguments — confirm against the delegate signature. Status is discarded.
    IntPtr pBaseAddress = IntPtr.Zero;
    DynamicInvoke.Native.NtMapViewOfSection(
        hSection, (IntPtr)(-1),
        ref pBaseAddress,
        IntPtr.Zero, IntPtr.Zero, IntPtr.Zero,
        ref MaxSize,
        0x2, 0x0,
        Execute.Win32.WinNT.PAGE_READWRITE
    );

    // Prepare return object
    PE.PE_MANUAL_MAP SecMapObject = new PE.PE_MANUAL_MAP
    {
        PEINFO = DynamicInvoke.Generic.GetPeMetaData(pBaseAddress),
        ModuleBase = pBaseAddress
    };

    return(SecMapObject);
}
/// <summary>
/// Invokes ntdll!LdrLoadDll through the dynamic invoker.
/// </summary>
/// <param name="PathToFile">Optional search path pointer forwarded unchanged.</param>
/// <param name="dwFlags">Loader flags forwarded unchanged.</param>
/// <param name="ModuleFileName">Module name; passed in by value, not written back.</param>
/// <param name="ModuleHandle">Receives the handle read back from the argument array after the call.</param>
/// <returns>The NTSTATUS returned by LdrLoadDll.</returns>
public static Execute.Native.NTSTATUS LdrLoadDll(IntPtr PathToFile, UInt32 dwFlags, ref Execute.Native.UNICODE_STRING ModuleFileName, ref IntPtr ModuleHandle)
{
    // Arguments are boxed for the invoker; only the handle slot is read back afterwards.
    object[] parameters = new object[] { PathToFile, dwFlags, ModuleFileName, ModuleHandle };
    object rawStatus = Generic.DynamicAPIInvoke(@"ntdll.dll", @"LdrLoadDll", typeof(DELEGATES.LdrLoadDll), ref parameters);

    // Cast first, then publish the handle, mirroring the original ordering of side effects.
    var status = (Execute.Native.NTSTATUS)rawStatus;
    ModuleHandle = (IntPtr)parameters[3];
    return status;
}