public static NTSTATUS NtCreateThreadEx(out IntPtr threadHandle, uint desiredAccess, IntPtr objectAttributes, IntPtr processHandle, IntPtr lpStartAddress, IntPtr lpParameter, int createSuspended, uint stackZeroBits, uint sizeOfStackCommit, uint sizeOfStackReserve, IntPtr lpBytesBuffer, string os) { byte[] syscall = syscallSkeleton; syscall[4] = sysDic[os]["createremthread"]; unsafe { fixed(byte *ptr = syscall) { IntPtr memoryAddress = (IntPtr)ptr; if (!VirtualProtectEx(Process.GetCurrentProcess().Handle, memoryAddress, (UIntPtr)syscall.Length, 0x40, out uint oldprotect)) { throw new Win32Exception(); } //// //// Delegates.NtCreateThreadEx myAssemblyFunction = (Delegates.NtCreateThreadEx)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(Delegates.NtCreateThreadEx)); return((NTSTATUS)myAssemblyFunction(out threadHandle, desiredAccess, objectAttributes, processHandle, lpStartAddress, lpParameter, createSuspended, stackZeroBits, sizeOfStackCommit, sizeOfStackReserve, lpBytesBuffer)); } } }
public static NTSTATUS NtCreateThreadEx( out IntPtr hThread, ACCESS_MASK DesiredAccess, IntPtr ObjectAttributes, IntPtr ProcessHandle, IntPtr lpStartAddress, IntPtr lpParameter, bool CreateSuspended, uint StackZeroBits, uint SizeOfStackCommit, uint SizeOfStackReserve, IntPtr lpBytesBuffer ) { // set byte array of bNtCreateThread to new byte array called syscall byte[] syscall = bNtCreateThreadEx; // specify unsafe context unsafe { // create new byte pointer and set value to our syscall byte array fixed(byte *ptr = syscall) { // cast the byte array pointer into a C# IntPtr called memoryAddress IntPtr memoryAddress = (IntPtr)ptr; // Change memory access to RX for our assembly code if (!VirtualProtectEx(Process.GetCurrentProcess().Handle, memoryAddress, (UIntPtr)syscall.Length, (uint)AllocationProtect.PAGE_EXECUTE_READWRITE, out uint oldprotect)) { throw new Win32Exception(); } // Get delegate for NtCreateThread Delegates.NtCreateThreadEx assembledFunction = (Delegates.NtCreateThreadEx)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(Delegates.NtCreateThreadEx)); return((NTSTATUS)assembledFunction( out hThread, DesiredAccess, ObjectAttributes, ProcessHandle, lpStartAddress, lpParameter, CreateSuspended, StackZeroBits, SizeOfStackCommit, SizeOfStackReserve, lpBytesBuffer )); } } }