/// <summary>
/// Calls the ntdll.dll export NtMapViewOfSection by name through Generic.DynamicAPIInvoke.
/// </summary>
/// <remarks>
/// The NTSTATUS is returned unchecked and the by-reference values are copied back whatever the status is,
/// so callers must test the status before trusting BaseAddress or ViewSize.
/// NOTE(review): the native ViewSize parameter is a pointer-sized SIZE_T; confirm that
/// DELEGATES.NtMapViewOfSection (not visible here) matches the 32-bit uint used by this wrapper.
/// NOTE(review): the export is named only by string constants, so it presumably does not appear among the
/// assembly's declared imports; code audits should search for these strings as well.
/// </remarks>
/// <param name="SectionHandle">Forwarded unchanged as argument 0.</param>
/// <param name="ProcessHandle">Forwarded unchanged as argument 1.</param>
/// <param name="BaseAddress">Forwarded as argument 2; overwritten with the value left in that slot after the call.</param>
/// <param name="ZeroBits">Forwarded unchanged as argument 3.</param>
/// <param name="CommitSize">Forwarded unchanged as argument 4.</param>
/// <param name="SectionOffset">Forwarded unchanged as argument 5.</param>
/// <param name="ViewSize">Forwarded as argument 6; overwritten with the value left in that slot after the call.</param>
/// <param name="InheritDisposition">Forwarded unchanged as argument 7.</param>
/// <param name="AllocationType">Forwarded unchanged as argument 8.</param>
/// <param name="Win32Protect">Forwarded unchanged as argument 9.</param>
/// <returns>The NTSTATUS produced by the call, cast from the object returned by Generic.DynamicAPIInvoke.</returns>
public static Execution.Win32.NtDll.NTSTATUS NtMapViewOfSection(
    IntPtr SectionHandle,
    IntPtr ProcessHandle,
    ref IntPtr BaseAddress,
    IntPtr ZeroBits,
    IntPtr CommitSize,
    IntPtr SectionOffset,
    ref uint ViewSize,
    uint InheritDisposition,
    uint AllocationType,
    uint Win32Protect)
{
    // Slots of the two by-reference parameters inside the boxed argument array.
    const int baseAddressSlot = 2;
    const int viewSizeSlot = 6;

    // The array order must mirror the parameter order of the delegate.
    object[] boxedArgs =
    {
        SectionHandle,
        ProcessHandle,
        BaseAddress,
        ZeroBits,
        CommitSize,
        SectionOffset,
        ViewSize,
        InheritDisposition,
        AllocationType,
        Win32Protect
    };

    Execution.Win32.NtDll.NTSTATUS status = (Execution.Win32.NtDll.NTSTATUS)Generic.DynamicAPIInvoke(
        @"ntdll.dll",
        @"NtMapViewOfSection",
        typeof(DELEGATES.NtMapViewOfSection),
        ref boxedArgs);

    // The ref parameters were copied into the array by value, so read the results back out of it.
    BaseAddress = (IntPtr)boxedArgs[baseAddressSlot];
    ViewSize = (uint)boxedArgs[viewSizeSlot];

    return status;
}
/// <summary>
/// Calls the ntdll.dll export NtUnmapViewOfSection by name through Generic.DynamicAPIInvoke.
/// </summary>
/// <remarks>
/// The NTSTATUS is returned unchecked; deciding whether the call succeeded is left to the caller.
/// NOTE(review): the export is named only by string constants, so it presumably does not appear among the
/// assembly's declared imports; code audits should search for these strings as well.
/// </remarks>
/// <param name="hProc">Forwarded unchanged as argument 0.</param>
/// <param name="baseAddr">Forwarded unchanged as argument 1.</param>
/// <returns>The NTSTATUS produced by the call, cast from the object returned by Generic.DynamicAPIInvoke.</returns>
public static Execution.Win32.NtDll.NTSTATUS NtUnmapViewOfSection(IntPtr hProc, IntPtr baseAddr)
{
    // Both parameters are inputs only, so nothing has to be copied back after the call.
    object[] boxedArgs = { hProc, baseAddr };

    Execution.Win32.NtDll.NTSTATUS status = (Execution.Win32.NtDll.NTSTATUS)Generic.DynamicAPIInvoke(
        @"ntdll.dll",
        @"NtUnmapViewOfSection",
        typeof(DELEGATES.NtUnmapViewOfSection),
        ref boxedArgs);

    return status;
}
/// <summary>
/// Calls the ntdll.dll export LdrLoadDll by name through Generic.DynamicAPIInvoke.
/// </summary>
/// <remarks>
/// The NTSTATUS is returned unchecked and ModuleHandle is overwritten whatever the status is, so callers
/// must test the status before using the handle. ModuleFileName is passed by reference but is not copied
/// back from the argument array after the call.
/// NOTE(review): the export is named only by string constants, so it presumably does not appear among the
/// assembly's declared imports; code audits should search for these strings as well.
/// </remarks>
/// <param name="PathToFile">Forwarded unchanged as argument 0.</param>
/// <param name="dwFlags">Forwarded unchanged as argument 1.</param>
/// <param name="ModuleFileName">Forwarded as argument 2; the caller's value is left as it was.</param>
/// <param name="ModuleHandle">Forwarded as argument 3; overwritten with the value left in that slot after the call.</param>
/// <returns>The NTSTATUS produced by the call, cast from the object returned by Generic.DynamicAPIInvoke.</returns>
public static Execution.Win32.NtDll.NTSTATUS LdrLoadDll(
    IntPtr PathToFile,
    UInt32 dwFlags,
    ref Execution.Win32.NtDll.UNICODE_STRING ModuleFileName,
    ref IntPtr ModuleHandle)
{
    // Slot of the by-reference module handle inside the boxed argument array.
    const int moduleHandleSlot = 3;

    // The array order must mirror the parameter order of the delegate.
    object[] boxedArgs =
    {
        PathToFile,
        dwFlags,
        ModuleFileName,
        ModuleHandle
    };

    Execution.Win32.NtDll.NTSTATUS status = (Execution.Win32.NtDll.NTSTATUS)Generic.DynamicAPIInvoke(
        @"ntdll.dll",
        @"LdrLoadDll",
        typeof(DELEGATES.LdrLoadDll),
        ref boxedArgs);

    // The handle was copied into the array by value, so read the result back out of it.
    ModuleHandle = (IntPtr)boxedArgs[moduleHandleSlot];

    return status;
}
/// <summary>
/// Loads a DLL from disk by building a UNICODE_STRING for the path and passing it to Native.LdrLoadDll.
/// </summary>
/// <remarks>
/// The specific NTSTATUS is discarded, so callers cannot tell why a load failed.
/// NOTE(review): no search path is supplied (the first LdrLoadDll argument is IntPtr.Zero), so a relative
/// DLLPath is presumably resolved through the loader's default search order; callers should pass a
/// fully-qualified path to a trusted location so that a same-named file elsewhere cannot be picked up.
/// </remarks>
/// <author>Ruben Boonen (@FuzzySec)</author>
/// <param name="DLLPath">The path to the DLL on disk. Uses the LoadLibrary convention.</param>
/// <returns>IntPtr base address of the loaded module, or IntPtr.Zero if the call did not report Success or left the handle at zero.</returns>
public static IntPtr LoadModuleFromDisk(string DLLPath)
{
    Execution.Win32.NtDll.UNICODE_STRING modulePath = new Execution.Win32.NtDll.UNICODE_STRING();
    Native.RtlInitUnicodeString(ref modulePath, DLLPath);

    IntPtr moduleBase = IntPtr.Zero;
    Execution.Win32.NtDll.NTSTATUS status = Native.LdrLoadDll(IntPtr.Zero, 0, ref modulePath, ref moduleBase);

    // Report a module only when the call succeeded AND actually produced a handle.
    bool loaded = status == Execution.Win32.NtDll.NTSTATUS.Success && moduleBase != IntPtr.Zero;
    return loaded ? moduleBase : IntPtr.Zero;
}
/// <summary>
/// Calls the ntdll.dll export NtCreateSection by name through Generic.DynamicAPIInvoke.
/// </summary>
/// <remarks>
/// The NTSTATUS is returned unchecked and the by-reference values are copied back whatever the status is,
/// so callers must test the status before using SectionHandle or MaximumSize.
/// NOTE(review): the export is named only by string constants, so it presumably does not appear among the
/// assembly's declared imports; code audits should search for these strings as well.
/// </remarks>
/// <param name="SectionHandle">Forwarded as argument 0; overwritten with the value left in that slot after the call.</param>
/// <param name="DesiredAccess">Forwarded unchanged as argument 1.</param>
/// <param name="ObjectAttributes">Forwarded unchanged as argument 2.</param>
/// <param name="MaximumSize">Forwarded as argument 3; overwritten with the value left in that slot after the call.</param>
/// <param name="SectionPageProtection">Forwarded unchanged as argument 4.</param>
/// <param name="AllocationAttributes">Forwarded unchanged as argument 5.</param>
/// <param name="FileHandle">Forwarded unchanged as argument 6.</param>
/// <returns>The NTSTATUS produced by the call, cast from the object returned by Generic.DynamicAPIInvoke.</returns>
public static Execution.Win32.NtDll.NTSTATUS NtCreateSection(
    ref IntPtr SectionHandle,
    uint DesiredAccess,
    IntPtr ObjectAttributes,
    ref ulong MaximumSize,
    uint SectionPageProtection,
    uint AllocationAttributes,
    IntPtr FileHandle)
{
    // Slots of the two by-reference parameters inside the boxed argument array.
    const int sectionHandleSlot = 0;
    const int maximumSizeSlot = 3;

    // The array order must mirror the parameter order of the delegate.
    object[] boxedArgs =
    {
        SectionHandle,
        DesiredAccess,
        ObjectAttributes,
        MaximumSize,
        SectionPageProtection,
        AllocationAttributes,
        FileHandle
    };

    Execution.Win32.NtDll.NTSTATUS status = (Execution.Win32.NtDll.NTSTATUS)Generic.DynamicAPIInvoke(
        @"ntdll.dll",
        @"NtCreateSection",
        typeof(DELEGATES.NtCreateSection),
        ref boxedArgs);

    // The ref parameters were copied into the array by value, so read the results back out of it.
    SectionHandle = (IntPtr)boxedArgs[sectionHandleSlot];
    MaximumSize = (ulong)boxedArgs[maximumSizeSlot];

    return status;
}