예제 #1
0
        internal TDelegate CreateDelegateForSyscall <TDelegate>() where TDelegate : class
        {
            // Get the address of the function

            var functionAddress = _ntDllAddress + (int)_ntDllFunctions.Find(function => function.Name == typeof(TDelegate).Name.Replace("Definition", "")).Offset;

            // Copy the first 8 bytes of the function

            var functionBytes = new byte[8];

            Marshal.Copy(functionAddress, functionBytes, 0, 8);

            // Retrieve the syscall index from the bytes

            var syscallIndexBytes = Environment.Is64BitProcess ? functionBytes.Skip(4).Take(4) : functionBytes.Skip(1).Take(4);

            var syscallIndex = BitConverter.ToUInt32(syscallIndexBytes.ToArray(), 0);

            // Create the shellcode used to perform the syscall

            var shellcode = Environment.Is64BitProcess ? SyscallX64.GetShellcode(syscallIndex) : SyscallX86.GetShellcode(syscallIndex);

            // Store the shellcode in a buffer

            var shellcodeBuffer = MemoryTools.AllocateMemoryForBuffer(shellcode.Length);

            _shellcodeAddresses.Add(shellcodeBuffer);

            Marshal.Copy(shellcode, 0, shellcodeBuffer, shellcode.Length);

            // Create a delegate to perform the syscall

            return(Marshal.GetDelegateForFunctionPointer <TDelegate>(shellcodeBuffer));
        }
예제 #2
0
        private void CreateSyscall <TSyscall>() where TSyscall : class
        {
            // Get the address of the function to syscall

            var functionAddress = PInvoke.GetProcAddress(_ntDllAddress, typeof(TSyscall).Name.Replace("Definition", ""));

            // Copy the first 8 bytes of the function

            var functionBytes = new byte[8];

            Marshal.Copy(functionAddress, functionBytes, 0, 8);

            // Retrieve the syscall index from the bytes

            var syscallIndexBytes = Environment.Is64BitProcess ? functionBytes.Skip(4).Take(4)
                                                               : functionBytes.Skip(1).Take(4);

            // Write the shellcode used to perform the syscall into the local process

            var shellcode = Environment.Is64BitProcess ? SyscallX64.GetShellcode(syscallIndexBytes.ToArray())
                                                       : SyscallX86.GetShellcode(syscallIndexBytes.ToArray());

            var shellcodeBuffer = LocalMemoryTools.StoreBytesInBuffer(shellcode);

            // Create an instance of the syscall class

            var syscallInstance = Activator.CreateInstance(typeof(TSyscall), BindingFlags.Instance | BindingFlags.NonPublic, null, new object[] { shellcodeBuffer }, null);

            // Get the parameter and return types of the syscall method

            var methodInformation = typeof(TSyscall).GetMethod("Invoke", BindingFlags.Instance | BindingFlags.NonPublic);

            var methodTypes = new List <Type>(methodInformation.GetParameters().Select(parameter => parameter.ParameterType))
            {
                methodInformation.ReturnType
            };

            // Create the delegate type to represent the syscall method

            Type delegateType;

            if (methodTypes.Last() == typeof(void))
            {
                methodTypes.RemoveAt(methodTypes.Count - 1);

                delegateType = Expression.GetActionType(methodTypes.ToArray());
            }

            else
            {
                delegateType = Expression.GetFuncType(methodTypes.ToArray());
            }

            // Create a delegate for the syscall method

            var syscallDelegate = Delegate.CreateDelegate(delegateType, syscallInstance, "Invoke");

            _syscallCache.Add(typeof(TSyscall).Name, new SyscallInstance(syscallDelegate, shellcodeBuffer));
        }