/// <summary> /// Uses DynamicInvocation to call the VirtualAllocEx Win32 API. https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualallocex /// </summary> /// <returns>Returns the base address of allocated region if successful, otherwise return NULL.</returns> public static IntPtr VirtualAllocEx( IntPtr hProcess, IntPtr lpAddress, uint dwSize, Execute.Win32.Kernel32.AllocationType flAllocationType, Execute.Win32.Kernel32.MemoryProtection flProtect) { // Craft an array for the arguments object[] funcargs = { hProcess, lpAddress, dwSize, flAllocationType, flProtect }; IntPtr retValue = (IntPtr)Generic.DynamicAPIInvoke(@"kernel32.dll", @"VirtualAllocEx", typeof(Delegates.VirtualAllocEx), ref funcargs); return(retValue); }
public static void NtFreeVirtualMemory(IntPtr ProcessHandle, ref IntPtr BaseAddress, ref IntPtr RegionSize, Execute.Win32.Kernel32.AllocationType FreeType) { // Craft an array for the arguments object[] funcargs = { ProcessHandle, BaseAddress, RegionSize, FreeType }; Execute.Native.NTSTATUS retValue = (Execute.Native.NTSTATUS)Generic.DynamicAPIInvoke(@"ntdll.dll", @"NtFreeVirtualMemory", typeof(DELEGATES.NtFreeVirtualMemory), ref funcargs); if (retValue == Execute.Native.NTSTATUS.AccessDenied) { // STATUS_ACCESS_DENIED throw new UnauthorizedAccessException("Access is denied."); } if (retValue == Execute.Native.NTSTATUS.InvalidHandle) { // STATUS_INVALID_HANDLE throw new InvalidOperationException("An invalid HANDLE was specified."); } if (retValue != Execute.Native.NTSTATUS.Success) { // STATUS_OBJECT_TYPE_MISMATCH == 0xC0000024 throw new InvalidOperationException("There is a mismatch between the type of object that is required by the requested operation and the type of object that is specified in the request."); } }
public static IntPtr NtAllocateVirtualMemory(IntPtr ProcessHandle, ref IntPtr BaseAddress, IntPtr ZeroBits, ref IntPtr RegionSize, Execute.Win32.Kernel32.AllocationType AllocationType, UInt32 Protect) { // Craft an array for the arguments object[] funcargs = { ProcessHandle, BaseAddress, ZeroBits, RegionSize, AllocationType, Protect }; Execute.Native.NTSTATUS retValue = (Execute.Native.NTSTATUS)Generic.DynamicAPIInvoke(@"ntdll.dll", @"NtAllocateVirtualMemory", typeof(DELEGATES.NtAllocateVirtualMemory), ref funcargs); if (retValue == Execute.Native.NTSTATUS.AccessDenied) { // STATUS_ACCESS_DENIED throw new UnauthorizedAccessException("Access is denied."); } if (retValue == Execute.Native.NTSTATUS.AlreadyCommitted) { // STATUS_ALREADY_COMMITTED throw new InvalidOperationException("The specified address range is already committed."); } if (retValue == Execute.Native.NTSTATUS.CommitmentLimit) { // STATUS_COMMITMENT_LIMIT throw new InvalidOperationException("Your system is low on virtual memory."); } if (retValue == Execute.Native.NTSTATUS.ConflictingAddresses) { // STATUS_CONFLICTING_ADDRESSES throw new InvalidOperationException("The specified address range conflicts with the address space."); } if (retValue == Execute.Native.NTSTATUS.InsufficientResources) { // STATUS_INSUFFICIENT_RESOURCES throw new InvalidOperationException("Insufficient system resources exist to complete the API call."); } if (retValue == Execute.Native.NTSTATUS.InvalidHandle) { // STATUS_INVALID_HANDLE throw new InvalidOperationException("An invalid HANDLE was specified."); } if (retValue == Execute.Native.NTSTATUS.InvalidPageProtection) { // STATUS_INVALID_PAGE_PROTECTION throw new InvalidOperationException("The specified page protection was not valid."); } if (retValue == Execute.Native.NTSTATUS.NoMemory) { // STATUS_NO_MEMORY throw new InvalidOperationException("Not enough virtual memory or paging file quota is available to complete the specified operation."); } if (retValue == Execute.Native.NTSTATUS.ObjectTypeMismatch) { // STATUS_OBJECT_TYPE_MISMATCH throw new InvalidOperationException("There is a mismatch between the type of object that is required by the requested operation and the type of object that is specified in the request."); } if (retValue != Execute.Native.NTSTATUS.Success) { // STATUS_PROCESS_IS_TERMINATING == 0xC000010A throw new InvalidOperationException("An attempt was made to duplicate an object handle into or out of an exiting process."); } BaseAddress = (IntPtr)funcargs[1]; return(BaseAddress); }
public static extern IntPtr VirtualAlloc( IntPtr lpStartAddr, uint size, Execute.Win32.Kernel32.AllocationType flAllocationType, uint flProtect );