public static extern bool SetThreadContext(IntPtr hThread, ref Context64 lpContext);
public static ulong finalize(ref Context64 context)
{
byte[] p = context.mem_;
ulong h64;
if (32 <= context.totalLength_)
{
ulong v1 = context.v1_;
ulong v2 = context.v2_;
ulong v3 = context.v3_;
ulong v4 = context.v4_;
h64 = rotl64(v1, 1) + rotl64(v2, 7) + rotl64(v3, 12) + rotl64(v4, 18);
v1 *= PRIME64_2;
v1 = rotl64(v1, 31);
v1 *= PRIME64_1;
h64 ^= v1;
h64 = h64 * PRIME64_1 + PRIME64_4;
v2 *= PRIME64_2;
v2 = rotl64(v2, 31);
v2 *= PRIME64_1;
h64 ^= v2;
h64 = h64 * PRIME64_1 + PRIME64_4;
v3 *= PRIME64_2;
v3 = rotl64(v3, 31);
v3 *= PRIME64_1;
h64 ^= v3;
h64 = h64 * PRIME64_1 + PRIME64_4;
v4 *= PRIME64_2;
v4 = rotl64(v4, 31);
v4 *= PRIME64_1;
h64 ^= v4;
h64 = h64 * PRIME64_1 + PRIME64_4;
}
else
{
h64 = context.seed_ + PRIME64_5;
}
h64 += context.totalLength_;
uint index = 0;
while ((index + 8) <= context.memSize_)
{
ulong k1 = read64LE(p, index);
k1 *= PRIME64_2;
k1 = rotl64(k1, 31);
k1 *= PRIME64_1;
h64 ^= k1;
h64 = rotl64(h64, 27) * PRIME64_1 + PRIME64_4;
index += 8;
}
if ((index + 4) <= context.memSize_)
{
h64 ^= PRIME64_1 * read32LE(p, index);
h64 = rotl64(h64, 23) * PRIME64_2 + PRIME64_3;
index += 4;
}
while (index < context.memSize_)
{
h64 ^= PRIME64_5 * p[index];
h64 = rotl64(h64, 11) * PRIME64_1;
++index;
}
h64 ^= h64 >> 33;
h64 *= PRIME64_2;
h64 ^= h64 >> 29;
h64 *= PRIME64_3;
h64 ^= h64 >> 32;
return(h64);
}
public IntPtr Call()
{
// Write the DLL path into the remote process
var dllPathAddress = _process.MemoryManager.AllocateVirtualMemory(_dllPath.Length, MemoryProtectionType.ReadWrite);
_process.MemoryManager.WriteVirtualMemory(dllPathAddress, Encoding.Unicode.GetBytes(_dllPath));
// Write a UnicodeString representing the DLL path into the remote process
IntPtr dllPathUnicodeStringAddress;
if (_process.IsWow64)
{
var dllPathUnicodeString = new UnicodeString32(_dllPath, dllPathAddress);
dllPathUnicodeStringAddress = _process.MemoryManager.AllocateVirtualMemory(Marshal.SizeOf <UnicodeString32>(), MemoryProtectionType.ReadWrite);
_process.MemoryManager.WriteVirtualMemory(dllPathUnicodeStringAddress, dllPathUnicodeString);
}
else
{
var dllPathUnicodeString = new UnicodeString64(_dllPath, dllPathAddress);
dllPathUnicodeStringAddress = _process.MemoryManager.AllocateVirtualMemory(Marshal.SizeOf <UnicodeString64>(), MemoryProtectionType.ReadWrite);
_process.MemoryManager.WriteVirtualMemory(dllPathUnicodeStringAddress, dllPathUnicodeString);
}
// Write the shellcode used to call LdrLoadDll into the remote process
var ldrLoadDllAddress = _process.GetFunctionAddress("ntdll.dll", "LdrLoadDll");
var moduleHandleAddress = _process.MemoryManager.AllocateVirtualMemory(IntPtr.Size, MemoryProtectionType.ReadWrite);
var shellcodeReturnAddress = _process.MemoryManager.AllocateVirtualMemory(sizeof(int), MemoryProtectionType.ReadWrite);
var shellcode = _process.Assembler.AssembleThreadFunctionCall(new FunctionCall(ldrLoadDllAddress, CallingConvention.StdCall, new[] { 0, 0, (long)dllPathUnicodeStringAddress, (long)moduleHandleAddress }, shellcodeReturnAddress));
var shellcodeAddress = _process.MemoryManager.AllocateVirtualMemory(shellcode.Length, MemoryProtectionType.ReadWrite);
_process.MemoryManager.WriteVirtualMemory(shellcodeAddress, shellcode);
_process.MemoryManager.ProtectVirtualMemory(shellcodeAddress, shellcode.Length, MemoryProtectionType.ExecuteRead);
// Open a handle to the first thread in the remote process
var firstThreadHandle = Kernel32.OpenThread(Constants.ThreadAllAccess, false, _process.Process.Threads[0].Id);
if (firstThreadHandle is null)
{
throw new PInvokeException("Failed to call OpenThread");
}
if (_process.IsWow64)
{
// Suspend the thread
if (Kernel32.Wow64SuspendThread(firstThreadHandle) == -1)
{
throw new PInvokeException("Failed to call Wow64SuspendThread");
}
// Get the context of the thread
var threadContext = new Context32 {
ContextFlags = ContextFlags.Integer
};
var threadContextBuffer = Marshal.AllocHGlobal(Marshal.SizeOf <Context32>());
Marshal.StructureToPtr(threadContext, threadContextBuffer, false);
if (!Kernel32.Wow64GetThreadContext(firstThreadHandle, threadContextBuffer))
{
throw new PInvokeException("Failed to call Wow64GetThreadContext");
}
threadContext = Marshal.PtrToStructure <Context32>(threadContextBuffer);
// Write the original instruction pointer of the thread into the top of its stack
threadContext.Esp -= sizeof(int);
_process.MemoryManager.WriteVirtualMemory((IntPtr)threadContext.Esp, threadContext.Eip);
// Overwrite the instruction pointer of the thread with the address of the shellcode
threadContext.Eip = (int)shellcodeAddress;
Marshal.StructureToPtr(threadContext, threadContextBuffer, false);
// Update the context of the thread
if (!Kernel32.Wow64SetThreadContext(firstThreadHandle, threadContextBuffer))
{
throw new PInvokeException("Failed to call Wow64SetThreadContext");
}
Marshal.FreeHGlobal(threadContextBuffer);
}
else
{
// Suspend the thread
if (Kernel32.SuspendThread(firstThreadHandle) == -1)
{
throw new PInvokeException("Failed to call SuspendThread");
}
// Get the context of the thread
var threadContext = new Context64 {
ContextFlags = ContextFlags.Control
};
var threadContextBuffer = Marshal.AllocHGlobal(Marshal.SizeOf <Context64>());
Marshal.StructureToPtr(threadContext, threadContextBuffer, false);
if (!Kernel32.GetThreadContext(firstThreadHandle, threadContextBuffer))
{
throw new PInvokeException("Failed to call GetThreadContext");
}
threadContext = Marshal.PtrToStructure <Context64>(threadContextBuffer);
// Write the original instruction pointer of the thread into the top of its stack
threadContext.Rsp -= sizeof(long);
_process.MemoryManager.WriteVirtualMemory((IntPtr)threadContext.Rsp, threadContext.Rip);
// Overwrite the instruction pointer of the thread with the address of the shellcode
threadContext.Rip = (long)shellcodeAddress;
Marshal.StructureToPtr(threadContext, threadContextBuffer, false);
// Update the context of the thread
if (!Kernel32.SetThreadContext(firstThreadHandle, threadContextBuffer))
{
throw new PInvokeException("Failed to call SetThreadContext");
}
Marshal.FreeHGlobal(threadContextBuffer);
}
// Send a message to the thread to ensure it executes the shellcode
User32.PostThreadMessage(_process.Process.Threads[0].Id, MessageType.Null, IntPtr.Zero, IntPtr.Zero);
// Resume the thread
if (Kernel32.ResumeThread(firstThreadHandle) == -1)
{
throw new PInvokeException("Failed to call ResumeThread");
}
firstThreadHandle.Dispose();
var shellcodeReturn = _process.MemoryManager.ReadVirtualMemory <int>(shellcodeReturnAddress);
if ((NtStatus)shellcodeReturn != NtStatus.Success)
{
throw new RemoteFunctionCallException("Failed to call LdrLoadDll", (NtStatus)shellcodeReturn);
}
// Ensure the DLL is loaded before freeing any memory
while (_process.Modules.TrueForAll(module => module.FilePath != _dllPath))
{
_process.Refresh();
}
_process.MemoryManager.FreeVirtualMemory(dllPathAddress);
_process.MemoryManager.FreeVirtualMemory(dllPathUnicodeStringAddress);
_process.MemoryManager.FreeVirtualMemory(shellcodeReturnAddress);
// Read the address of the DLL that was loaded in the remote process
var remoteDllAddress = _process.MemoryManager.ReadVirtualMemory <IntPtr>(moduleHandleAddress);
_process.MemoryManager.FreeVirtualMemory(moduleHandleAddress);
if (!_injectionFlags.HasFlag(InjectionFlags.RandomiseDllHeaders))
{
return(remoteDllAddress);
}
// Write over the header region of the DLL with random bytes
var randomBuffer = new byte[_peImage.PeHeaders.PEHeader.SizeOfHeaders];
new Random().NextBytes(randomBuffer);
_process.MemoryManager.WriteVirtualMemory(remoteDllAddress, randomBuffer);
return(remoteDllAddress);
}
public static void update(ref Context64 context, byte[] input, uint length)
{
context.totalLength_ += length;
if ((context.memSize_ + length) < 32)
{
System.Array.Copy(input, 0, context.mem_, context.memSize_, length);
context.memSize_ += length;
return;
}
uint index = 0;
if (0 != context.memSize_)
{
System.Array.Copy(input, 0, context.mem_, context.memSize_, 32 - context.memSize_);
uint offset = 0;
context.v1_ += read64LE(context.mem_, offset) * PRIME64_2;
context.v1_ = rotl64(context.v1_, 31);
context.v1_ *= PRIME64_1;
offset += 8;
context.v2_ += read64LE(context.mem_, offset) * PRIME64_2;
context.v2_ = rotl64(context.v2_, 31);
context.v2_ *= PRIME64_1;
offset += 8;
context.v3_ += read64LE(context.mem_, offset) * PRIME64_2;
context.v3_ = rotl64(context.v3_, 31);
context.v3_ *= PRIME64_1;
offset += 8;
context.v4_ += read64LE(context.mem_, offset) * PRIME64_2;
context.v4_ = rotl64(context.v4_, 31);
context.v4_ *= PRIME64_1;
index += 32 - context.memSize_;
context.memSize_ = 0;
}
if ((index + 32) <= length)
{
uint limit = length - 32;
ulong v1 = context.v1_;
ulong v2 = context.v2_;
ulong v3 = context.v3_;
ulong v4 = context.v4_;
do
{
v1 += read64LE(input, index) * PRIME64_2;
v1 = rotl64(v1, 31);
v1 *= PRIME64_1;
index += 8;
v2 += read64LE(input, index) * PRIME64_2;
v2 = rotl64(v2, 31);
v2 *= PRIME64_1;
index += 8;
v3 += read64LE(input, index) * PRIME64_2;
v3 = rotl64(v3, 31);
v3 *= PRIME64_1;
index += 8;
v4 += read64LE(input, index) * PRIME64_2;
v4 = rotl64(v4, 31);
v4 *= PRIME64_1;
index += 8;
} while(index <= limit);
context.v1_ = v1;
context.v2_ = v2;
context.v3_ = v3;
context.v4_ = v4;
}
if (index < length)
{
context.memSize_ = length - index;
System.Array.Copy(input, index, context.mem_, 0, context.memSize_);
}
}
