/// <summary>
/// Looks up the <c>RtlInitUnicodeString</c> export of the module returned by <c>GetNtDll()</c>
/// at run time and calls it through a delegate to initialise <paramref name="DestinationString"/>.
/// </summary>
/// <param name="DestinationString">The UNICODE_STRING structure the native routine fills in.</param>
/// <param name="SourceString">The managed string handed to the native routine as the source text.</param>
/// <remarks>
/// The native routine stores a pointer to the source characters rather than copying them, so the
/// resulting structure is only usable while that buffer stays valid.
/// NOTE(review): whether the buffer outlives this call depends on how the delegate marshals
/// <paramref name="SourceString"/>; the delegate declaration is not visible here — confirm.
/// </remarks>
public static void RtlInitUnicodeString(ref Natives.UNICODE_STRING DestinationString, [MarshalAs(UnmanagedType.LPWStr)] string SourceString)
{
    // Resolve the export address first; the result is not checked here, so a failed lookup
    // surfaces as an exception from the delegate conversion below (assuming the helper
    // returns IntPtr.Zero on failure — TODO confirm).
    IntPtr exportAddress = GetProcAddress(GetNtDll(), "RtlInitUnicodeString");

    // Wrap the raw function pointer in the matching managed delegate type.
    Delegate wrapped = Marshal.GetDelegateForFunctionPointer(
        exportAddress,
        typeof(NativeSysCall.Delegates.RtlInitUnicodeString));
    var initUnicodeString = (NativeSysCall.Delegates.RtlInitUnicodeString)wrapped;

    initUnicodeString(ref DestinationString, SourceString);
}
/// <summary>
/// Looks up the <c>LdrLoadDll</c> export of the module returned by <c>GetNtDll()</c> at run time
/// and calls it through a delegate, forwarding every argument unchanged.
/// </summary>
/// <param name="PathToFile">Forwarded as the first argument of the native call.</param>
/// <param name="dwFlags">Forwarded as the flags argument of the native call.</param>
/// <param name="ModuleFileName">UNICODE_STRING naming the module to load.</param>
/// <param name="ModuleHandle">Receives the module handle written by the native call.</param>
/// <returns>The native call's return value, cast to <see cref="UInt32"/>; callers interpret it as an NTSTATUS.</returns>
public static UInt32 LdrLoadDll(IntPtr PathToFile, UInt32 dwFlags, ref Natives.UNICODE_STRING ModuleFileName, ref IntPtr ModuleHandle)
{
    // Resolve the export address; the result is not validated before the delegate conversion.
    IntPtr exportAddress = GetProcAddress(GetNtDll(), "LdrLoadDll");

    // Wrap the raw function pointer in the matching managed delegate type.
    Delegate wrapped = Marshal.GetDelegateForFunctionPointer(
        exportAddress,
        typeof(NativeSysCall.Delegates.LdrLoadDll));
    var loadDll = (NativeSysCall.Delegates.LdrLoadDll)wrapped;

    uint status = (uint)loadDll(PathToFile, dwFlags, ref ModuleFileName, ref ModuleHandle);
    return status;
}
/// <summary>
/// Loads a DLL from disk by building a UNICODE_STRING for the path and passing it to LdrLoadDll.
/// </summary>
/// <author>Ruben Boonen (@FuzzySec)</author>
/// <param name="DLLPath">The path to the DLL on disk. Uses the LoadLibrary convention.</param>
/// <returns>
/// IntPtr base address of the loaded module, or IntPtr.Zero when the call does not report
/// success or no module handle was written back.
/// </returns>
/// <remarks>
/// NOTE(review): <paramref name="DLLPath"/> is passed through without validation. Under the
/// LoadLibrary convention a name that is not fully qualified is presumably resolved through the
/// loader's search order, so callers should pass an absolute path to a trusted location — confirm.
/// NOTE(review): the UNICODE_STRING is filled in by one native call and consumed by a second;
/// it references the source characters rather than owning a copy, so verify that the buffer is
/// still valid when LdrLoadDll reads it.
/// </remarks>
public static IntPtr LoadModuleFromDisk(string DLLPath)
{
    // Describe the path in the counted-string form the native loader expects.
    var moduleName = new Natives.UNICODE_STRING();
    Natives.RtlInitUnicodeString(ref moduleName, DLLPath);

    // No search path and no flags are supplied; the loader writes the handle into moduleBase.
    IntPtr moduleBase = IntPtr.Zero;
    var status = (Natives.NTSTATUS)Natives.LdrLoadDll(IntPtr.Zero, 0, ref moduleName, ref moduleBase);

    // Both conditions must hold: a success status and a non-null handle.
    bool loaded = status == Natives.NTSTATUS.Success && moduleBase != IntPtr.Zero;
    return loaded ? moduleBase : IntPtr.Zero;
}