├── .vs └── ParallelSyscalls │ └── v16 │ └── .suo ├── App.config ├── Images └── modules.PNG ├── Natives.cs ├── ParallelSyscalls.csproj ├── ParallelSyscalls.sln ├── Program.cs ├── Properties └── AssemblyInfo.cs ├── README.md └── obj ├── Debug ├── .NETFramework,Version=v4.8.AssemblyAttributes.cs ├── DesignTimeResolveAssemblyReferencesInput.cache └── ParallelSyscalls.csproj.FileListAbsolute.txt └── Release ├── .NETFramework,Version=v4.8.AssemblyAttributes.cs ├── DesignTimeResolveAssemblyReferencesInput.cache └── ParallelSyscalls.csproj.FileListAbsolute.txt /.vs/ParallelSyscalls/v16/.suo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cube0x0/ParallelSyscalls/f3be57a17f9c41857834415e9d951b84b2d90f56/.vs/ParallelSyscalls/v16/.suo -------------------------------------------------------------------------------- /App.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /Images/modules.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cube0x0/ParallelSyscalls/f3be57a17f9c41857834415e9d951b84b2d90f56/Images/modules.PNG -------------------------------------------------------------------------------- /Natives.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Diagnostics; 4 | using System.Linq; 5 | using System.Runtime.InteropServices; 6 | using System.Text; 7 | using System.Threading.Tasks; 8 | 9 | namespace ParallelSyscalls 10 | { 11 | class Natives 12 | { 13 | [UnmanagedFunctionPointer(CallingConvention.StdCall)] 14 | public delegate NTSTATUS NtCreateThreadEx( 15 | ref IntPtr threadHandle, 16 | ACCESS_MASK desiredAccess, 17 | IntPtr objectAttributes, 18 | IntPtr processHandle, 19 | IntPtr startAddress, 20 | IntPtr parameter, 21 | bool createSuspended, 22 | int stackZeroBits, 23 | int sizeOfStack, 24 | int maximumStackSize, 25 | IntPtr attributeList); 26 | 27 | [UnmanagedFunctionPointer(CallingConvention.StdCall)] 28 | public delegate NTSTATUS NtOpenFile( 29 | ref IntPtr FileHandle, 30 | FileAccessFlags DesiredAccess, 31 | ref OBJECT_ATTRIBUTES ObjAttr, 32 | ref IO_STATUS_BLOCK IoStatusBlock, 33 | FileShareFlags ShareAccess, 34 | int OpenOptions); 35 | 36 | [UnmanagedFunctionPointer(CallingConvention.StdCall)] 37 | public delegate NTSTATUS NtCreateSection( 38 | ref IntPtr SectionHandle, 39 | uint DesiredAccess, 40 | IntPtr ObjectAttributes, 41 | ref ulong MaximumSize, 42 | uint SectionPageProtection, 43 | uint AllocationAttributes, 44 | IntPtr FileHandle); 45 | 46 | [UnmanagedFunctionPointer(CallingConvention.StdCall)] 47 | public delegate NTSTATUS NtMapViewOfSection( 48 | IntPtr SectionHandle, 49 | IntPtr ProcessHandle, 50 | out IntPtr BaseAddress, 51 | IntPtr ZeroBits, 52 | IntPtr CommitSize, 53 | IntPtr SectionOffset, 54 | out ulong ViewSize, 55 | uint InheritDisposition, 56 | uint AllocationType, 57 | uint Win32Protect); 58 | 59 | 60 | //[DllImport("ntdll")] 61 | //internal static extern IntPtr NtCurrentTeb(); 62 | [DllImport("kernel32.dll", SetLastError = true)] 63 | public static extern bool CloseHandle(IntPtr hObject); 64 | 65 | 66 | [DllImport("kernel32.dll", SetLastError = true)] 67 | public static extern int GetCurrentThread(); 68 | 69 | 70 | [DllImport("kernel32.dll", SetLastError = true)] 71 | public static extern IntPtr OpenProcess( 72 | uint processAccess, 73 | bool bInheritHandle, 74 | uint processId 75 | ); 76 | [DllImport("ntdll.dll")] 77 | public static extern UInt32 NtQueryInformationProcess( 78 | IntPtr processHandle, 79 | UInt32 processInformationClass, 80 | ref PROCESS_BASIC_INFORMATION processInformation, 81 | int processInformationLength, 82 | ref UInt32 returnLength 83 | ); 84 | [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)] 85 | public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect); 86 | 87 | [DllImport("ntdll.dll")] 88 | public static extern void RtlInitUnicodeString(ref UNICODE_STRING DestinationString, [MarshalAs(UnmanagedType.LPWStr)] string SourceString); 89 | 90 | [DllImport("kernel32.dll", SetLastError = true)] 91 | public static extern IntPtr GetCurrentProcess(); 92 | 93 | 94 | 95 | 96 | 97 | 98 | [StructLayout(LayoutKind.Sequential)] 99 | public struct IO_STATUS_BLOCK 100 | { 101 | public IntPtr Status; 102 | public IntPtr Information; 103 | } 104 | [Flags] 105 | public enum ACCESS_MASK : uint 106 | { 107 | DELETE = 0x00010000, 108 | READ_CONTROL = 0x00020000, 109 | WRITE_DAC = 0x00040000, 110 | WRITE_OWNER = 0x00080000, 111 | SYNCHRONIZE = 0x00100000, 112 | STANDARD_RIGHTS_REQUIRED = 0x000F0000, 113 | STANDARD_RIGHTS_READ = 0x00020000, 114 | STANDARD_RIGHTS_WRITE = 0x00020000, 115 | STANDARD_RIGHTS_EXECUTE = 0x00020000, 116 | STANDARD_RIGHTS_ALL = 0x001F0000, 117 | SPECIFIC_RIGHTS_ALL = 0x0000FFF, 118 | ACCESS_SYSTEM_SECURITY = 0x01000000, 119 | MAXIMUM_ALLOWED = 0x02000000, 120 | GENERIC_READ = 0x80000000, 121 | GENERIC_WRITE = 0x40000000, 122 | GENERIC_EXECUTE = 0x20000000, 123 | GENERIC_ALL = 0x10000000, 124 | DESKTOP_READOBJECTS = 0x00000001, 125 | DESKTOP_CREATEWINDOW = 0x00000002, 126 | DESKTOP_CREATEMENU = 0x00000004, 127 | DESKTOP_HOOKCONTROL = 0x00000008, 128 | DESKTOP_JOURNALRECORD = 0x00000010, 129 | DESKTOP_JOURNALPLAYBACK = 0x00000020, 130 | DESKTOP_ENUMERATE = 0x00000040, 131 | DESKTOP_WRITEOBJECTS = 0x00000080, 132 | DESKTOP_SWITCHDESKTOP = 0x00000100, 133 | WINSTA_ENUMDESKTOPS = 0x00000001, 134 | WINSTA_READATTRIBUTES = 0x00000002, 135 | WINSTA_ACCESSCLIPBOARD = 0x00000004, 136 | WINSTA_CREATEDESKTOP = 0x00000008, 137 | WINSTA_WRITEATTRIBUTES = 0x00000010, 138 | WINSTA_ACCESSGLOBALATOMS = 0x00000020, 139 | WINSTA_EXITWINDOWS = 0x00000040, 140 | WINSTA_ENUMERATE = 0x00000100, 141 | WINSTA_READSCREEN = 0x00000200, 142 | WINSTA_ALL_ACCESS = 0x0000037F, 143 | 144 | SECTION_ALL_ACCESS = 0x10000000, 145 | SECTION_QUERY = 0x0001, 146 | SECTION_MAP_WRITE = 0x0002, 147 | SECTION_MAP_READ = 0x0004, 148 | SECTION_MAP_EXECUTE = 0x0008, 149 | SECTION_EXTEND_SIZE = 0x0010 150 | } 151 | 152 | [Flags] 153 | public enum FileShareFlags : UInt32 154 | { 155 | FILE_SHARE_NONE = 0x0, 156 | FILE_SHARE_READ = 0x1, 157 | FILE_SHARE_WRITE = 0x2, 158 | FILE_SHARE_DELETE = 0x4 159 | } 160 | 161 | [Flags] 162 | public enum FileAccessFlags : UInt32 163 | { 164 | DELETE = 0x10000, 165 | FILE_READ_DATA = 0x1, 166 | FILE_READ_ATTRIBUTES = 0x80, 167 | FILE_READ_EA = 0x8, 168 | READ_CONTROL = 0x20000, 169 | FILE_WRITE_DATA = 0x2, 170 | FILE_WRITE_ATTRIBUTES = 0x100, 171 | FILE_WRITE_EA = 0x10, 172 | FILE_APPEND_DATA = 0x4, 173 | WRITE_DAC = 0x40000, 174 | WRITE_OWNER = 0x80000, 175 | SYNCHRONIZE = 0x100000, 176 | FILE_EXECUTE = 0x20 177 | } 178 | 179 | public struct IMAGE_EXPORT_DIRECTORY 180 | { 181 | public UInt32 Characteristics; 182 | public UInt32 TimeDateStamp; 183 | public UInt16 MajorVersion; 184 | public UInt16 MinorVersion; 185 | public UInt32 Name; 186 | public UInt32 Base; 187 | public UInt32 NumberOfFunctions; 188 | public UInt32 NumberOfNames; 189 | public UInt32 AddressOfFunctions; // RVA from base of image 190 | public UInt32 AddressOfNames; // RVA from base of image 191 | public UInt32 AddressOfNameOrdinals; // RVA from base of image 192 | } 193 | 194 | public enum NTSTATUS : uint 195 | { 196 | Success = 0, 197 | Informational = 0x40000000, 198 | Error = 0xc0000000 199 | } 200 | 201 | public struct OBJECT_ATTRIBUTES 202 | { 203 | public Int32 Length; 204 | public IntPtr RootDirectory; 205 | public IntPtr ObjectName; // -> UNICODE_STRING 206 | public uint Attributes; 207 | public IntPtr SecurityDescriptor; 208 | public IntPtr SecurityQualityOfService; 209 | } 210 | 211 | // https://github.com/MagicDroidX/ReClass.NET-Kernel/blob/254e27cc4dac7a0746e90c1ac55758ba5b9d199d/KernelPlugin/Structs.cs#L77 212 | [StructLayout(LayoutKind.Sequential)] 213 | public struct LIST_ENTRY 214 | { 215 | public IntPtr Flink; //_LIST_ENTRY *Flink; 216 | public IntPtr Blink; //_LIST_ENTRY *Blink; 217 | } 218 | 219 | [StructLayout(LayoutKind.Sequential)] 220 | public struct PEB_LDR_DATA 221 | { 222 | public uint dwLength; 223 | public bool dwInitialized; 224 | public IntPtr lpSsHandle; 225 | public LIST_ENTRY InLoadOrderModuleList; 226 | public LIST_ENTRY InMemoryOrderModuleList; 227 | public LIST_ENTRY InInitializationOrderModuleList; 228 | } 229 | 230 | [StructLayout(LayoutKind.Sequential, Pack = 8)] 231 | public struct LDR_DATA_TABLE_ENTRY 232 | { 233 | public LIST_ENTRY InLoadOrderLinks; 234 | public LIST_ENTRY InMemoryOrderLinks; 235 | public LIST_ENTRY InInitializationOrderLinks; 236 | public IntPtr DllBase; 237 | public IntPtr EntryPoint; 238 | public uint SizeOfImage; 239 | public UNICODE_STRING FullDllName; 240 | public UNICODE_STRING BaseDllName; 241 | public uint Flags; 242 | public ushort LoadCount; 243 | public ushort TlsIndex; 244 | public LIST_ENTRY HashLinks; 245 | public uint TimeDateStamp; 246 | } 247 | 248 | [StructLayout(LayoutKind.Explicit, Size = 64)] 249 | public struct _PEB 250 | { 251 | [FieldOffset(12)] 252 | public IntPtr Ldr32; 253 | [FieldOffset(16)] 254 | public IntPtr ProcessParameters32; 255 | [FieldOffset(24)] 256 | public IntPtr Ldr64; 257 | [FieldOffset(28)] 258 | public IntPtr FastPebLock32; 259 | [FieldOffset(32)] 260 | public IntPtr ProcessParameters64; 261 | [FieldOffset(56)] 262 | public IntPtr FastPebLock64; 263 | } 264 | 265 | [StructLayout(LayoutKind.Sequential)] 266 | public struct UNICODE_STRING 267 | { 268 | public ushort Length; 269 | public ushort MaximumLength; 270 | public IntPtr Buffer; 271 | 272 | public UNICODE_STRING(string s) 273 | { 274 | Length = (ushort)(s.Length * 2); 275 | MaximumLength = (ushort)(Length + 2); 276 | Buffer = Marshal.StringToHGlobalUni(s); 277 | } 278 | 279 | public string GetText() 280 | { 281 | if (Buffer == IntPtr.Zero || MaximumLength == 0) 282 | { 283 | return ""; 284 | } 285 | 286 | return Marshal.PtrToStringUni(Buffer, Length / 2); 287 | } 288 | } 289 | 290 | [StructLayout(LayoutKind.Sequential)] 291 | public struct PROCESS_BASIC_INFORMATION 292 | { 293 | public IntPtr ExitStatus; 294 | public IntPtr PebBaseAddress; 295 | public IntPtr AffinityMask; 296 | public IntPtr BasePriority; 297 | public UIntPtr UniqueProcessId; 298 | public IntPtr InheritedFromUniqueProcessId; 299 | } 300 | 301 | [StructLayout(LayoutKind.Explicit)] 302 | public struct IMAGE_SECTION_HEADER 303 | { 304 | [FieldOffset(0)] 305 | [MarshalAs(UnmanagedType.ByValArray, SizeConst = 8)] 306 | public char[] Name; 307 | 308 | [FieldOffset(8)] 309 | public UInt32 VirtualSize; 310 | 311 | [FieldOffset(12)] 312 | public UInt32 VirtualAddress; 313 | 314 | [FieldOffset(16)] 315 | public UInt32 SizeOfRawData; 316 | 317 | [FieldOffset(20)] 318 | public UInt32 PointerToRawData; 319 | 320 | [FieldOffset(24)] 321 | public UInt32 PointerToRelocations; 322 | 323 | [FieldOffset(28)] 324 | public UInt32 PointerToLinenumbers; 325 | 326 | [FieldOffset(32)] 327 | public UInt16 NumberOfRelocations; 328 | 329 | [FieldOffset(34)] 330 | public UInt16 NumberOfLinenumbers; 331 | 332 | [FieldOffset(36)] 333 | public uint Characteristics; 334 | 335 | public string SectionName 336 | { 337 | get { return new string(Name); } 338 | } 339 | 340 | public uint EndAddress 341 | { 342 | get { return (uint)(VirtualAddress + SizeOfRawData); } 343 | } 344 | } 345 | 346 | [StructLayout(LayoutKind.Sequential)] 347 | public struct IMAGE_DATA_DIRECTORY 348 | { 349 | public UInt32 VirtualAddress; 350 | public UInt32 Size; 351 | } 352 | 353 | [StructLayout(LayoutKind.Sequential)] 354 | public struct IMAGE_FILE_HEADER 355 | { 356 | public UInt16 Machine; 357 | public UInt16 NumberOfSections; 358 | public UInt32 TimeDateStamp; 359 | public UInt32 PointerToSymbolTable; 360 | public UInt32 NumberOfSymbols; 361 | public UInt16 SizeOfOptionalHeader; 362 | public UInt16 Characteristics; 363 | } 364 | 365 | [Flags] 366 | public enum DllCharacteristicsType : ushort 367 | { 368 | RES_0 = 0x0001, 369 | RES_1 = 0x0002, 370 | RES_2 = 0x0004, 371 | RES_3 = 0x0008, 372 | IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE = 0x0040, 373 | IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY = 0x0080, 374 | IMAGE_DLL_CHARACTERISTICS_NX_COMPAT = 0x0100, 375 | IMAGE_DLLCHARACTERISTICS_NO_ISOLATION = 0x0200, 376 | IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400, 377 | IMAGE_DLLCHARACTERISTICS_NO_BIND = 0x0800, 378 | RES_4 = 0x1000, 379 | IMAGE_DLLCHARACTERISTICS_WDM_DRIVER = 0x2000, 380 | IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE = 0x8000 381 | } 382 | 383 | public enum SubSystemType : ushort 384 | { 385 | IMAGE_SUBSYSTEM_UNKNOWN = 0, 386 | IMAGE_SUBSYSTEM_NATIVE = 1, 387 | IMAGE_SUBSYSTEM_WINDOWS_GUI = 2, 388 | IMAGE_SUBSYSTEM_WINDOWS_CUI = 3, 389 | IMAGE_SUBSYSTEM_POSIX_CUI = 7, 390 | IMAGE_SUBSYSTEM_WINDOWS_CE_GUI = 9, 391 | IMAGE_SUBSYSTEM_EFI_APPLICATION = 10, 392 | IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER = 11, 393 | IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER = 12, 394 | IMAGE_SUBSYSTEM_EFI_ROM = 13, 395 | IMAGE_SUBSYSTEM_XBOX = 14 396 | } 397 | 398 | public enum MagicType : ushort 399 | { 400 | IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10b, 401 | IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20b 402 | } 403 | 404 | [StructLayout(LayoutKind.Explicit)] 405 | public struct IMAGE_OPTIONAL_HEADER32 406 | { 407 | [FieldOffset(0)] 408 | public MagicType Magic; 409 | 410 | [FieldOffset(2)] 411 | public byte MajorLinkerVersion; 412 | 413 | [FieldOffset(3)] 414 | public byte MinorLinkerVersion; 415 | 416 | [FieldOffset(4)] 417 | public uint SizeOfCode; 418 | 419 | [FieldOffset(8)] 420 | public uint SizeOfInitializedData; 421 | 422 | [FieldOffset(12)] 423 | public uint SizeOfUninitializedData; 424 | 425 | [FieldOffset(16)] 426 | public uint AddressOfEntryPoint; 427 | 428 | [FieldOffset(20)] 429 | public uint BaseOfCode; 430 | 431 | // PE32 contains this additional field 432 | [FieldOffset(24)] 433 | public uint BaseOfData; 434 | 435 | [FieldOffset(28)] 436 | public uint ImageBase; 437 | 438 | [FieldOffset(32)] 439 | public uint SectionAlignment; 440 | 441 | [FieldOffset(36)] 442 | public uint FileAlignment; 443 | 444 | [FieldOffset(40)] 445 | public ushort MajorOperatingSystemVersion; 446 | 447 | [FieldOffset(42)] 448 | public ushort MinorOperatingSystemVersion; 449 | 450 | [FieldOffset(44)] 451 | public ushort MajorImageVersion; 452 | 453 | [FieldOffset(46)] 454 | public ushort MinorImageVersion; 455 | 456 | [FieldOffset(48)] 457 | public ushort MajorSubsystemVersion; 458 | 459 | [FieldOffset(50)] 460 | public ushort MinorSubsystemVersion; 461 | 462 | [FieldOffset(52)] 463 | public uint Win32VersionValue; 464 | 465 | [FieldOffset(56)] 466 | public uint SizeOfImage; 467 | 468 | [FieldOffset(60)] 469 | public uint SizeOfHeaders; 470 | 471 | [FieldOffset(64)] 472 | public uint CheckSum; 473 | 474 | [FieldOffset(68)] 475 | public SubSystemType Subsystem; 476 | 477 | [FieldOffset(70)] 478 | public DllCharacteristicsType DllCharacteristics; 479 | 480 | [FieldOffset(72)] 481 | public uint SizeOfStackReserve; 482 | 483 | [FieldOffset(76)] 484 | public uint SizeOfStackCommit; 485 | 486 | [FieldOffset(80)] 487 | public uint SizeOfHeapReserve; 488 | 489 | [FieldOffset(84)] 490 | public uint SizeOfHeapCommit; 491 | 492 | [FieldOffset(88)] 493 | public uint LoaderFlags; 494 | 495 | [FieldOffset(92)] 496 | public uint NumberOfRvaAndSizes; 497 | 498 | [FieldOffset(96)] 499 | public IMAGE_DATA_DIRECTORY ExportTable; 500 | 501 | [FieldOffset(104)] 502 | public IMAGE_DATA_DIRECTORY ImportTable; 503 | 504 | [FieldOffset(112)] 505 | public IMAGE_DATA_DIRECTORY ResourceTable; 506 | 507 | [FieldOffset(120)] 508 | public IMAGE_DATA_DIRECTORY ExceptionTable; 509 | 510 | [FieldOffset(128)] 511 | public IMAGE_DATA_DIRECTORY CertificateTable; 512 | 513 | [FieldOffset(136)] 514 | public IMAGE_DATA_DIRECTORY BaseRelocationTable; 515 | 516 | [FieldOffset(144)] 517 | public IMAGE_DATA_DIRECTORY Debug; 518 | 519 | [FieldOffset(152)] 520 | public IMAGE_DATA_DIRECTORY Architecture; 521 | 522 | [FieldOffset(160)] 523 | public IMAGE_DATA_DIRECTORY GlobalPtr; 524 | 525 | [FieldOffset(168)] 526 | public IMAGE_DATA_DIRECTORY TLSTable; 527 | 528 | [FieldOffset(176)] 529 | public IMAGE_DATA_DIRECTORY LoadConfigTable; 530 | 531 | [FieldOffset(184)] 532 | public IMAGE_DATA_DIRECTORY BoundImport; 533 | 534 | [FieldOffset(192)] 535 | public IMAGE_DATA_DIRECTORY IAT; 536 | 537 | [FieldOffset(200)] 538 | public IMAGE_DATA_DIRECTORY DelayImportDescriptor; 539 | 540 | [FieldOffset(208)] 541 | public IMAGE_DATA_DIRECTORY CLRRuntimeHeader; 542 | 543 | [FieldOffset(216)] 544 | public IMAGE_DATA_DIRECTORY Reserved; 545 | } 546 | 547 | [StructLayout(LayoutKind.Explicit)] 548 | public struct IMAGE_OPTIONAL_HEADER64 549 | { 550 | [FieldOffset(0)] 551 | public MagicType Magic; 552 | 553 | [FieldOffset(2)] 554 | public byte MajorLinkerVersion; 555 | 556 | [FieldOffset(3)] 557 | public byte MinorLinkerVersion; 558 | 559 | [FieldOffset(4)] 560 | public uint SizeOfCode; 561 | 562 | [FieldOffset(8)] 563 | public uint SizeOfInitializedData; 564 | 565 | [FieldOffset(12)] 566 | public uint SizeOfUninitializedData; 567 | 568 | [FieldOffset(16)] 569 | public uint AddressOfEntryPoint; 570 | 571 | [FieldOffset(20)] 572 | public uint BaseOfCode; 573 | 574 | [FieldOffset(24)] 575 | public ulong ImageBase; 576 | 577 | [FieldOffset(32)] 578 | public uint SectionAlignment; 579 | 580 | [FieldOffset(36)] 581 | public uint FileAlignment; 582 | 583 | [FieldOffset(40)] 584 | public ushort MajorOperatingSystemVersion; 585 | 586 | [FieldOffset(42)] 587 | public ushort MinorOperatingSystemVersion; 588 | 589 | [FieldOffset(44)] 590 | public ushort MajorImageVersion; 591 | 592 | [FieldOffset(46)] 593 | public ushort MinorImageVersion; 594 | 595 | [FieldOffset(48)] 596 | public ushort MajorSubsystemVersion; 597 | 598 | [FieldOffset(50)] 599 | public ushort MinorSubsystemVersion; 600 | 601 | [FieldOffset(52)] 602 | public uint Win32VersionValue; 603 | 604 | [FieldOffset(56)] 605 | public uint SizeOfImage; 606 | 607 | [FieldOffset(60)] 608 | public uint SizeOfHeaders; 609 | 610 | [FieldOffset(64)] 611 | public uint CheckSum; 612 | 613 | [FieldOffset(68)] 614 | public SubSystemType Subsystem; 615 | 616 | [FieldOffset(70)] 617 | public DllCharacteristicsType DllCharacteristics; 618 | 619 | [FieldOffset(72)] 620 | public ulong SizeOfStackReserve; 621 | 622 | [FieldOffset(80)] 623 | public ulong SizeOfStackCommit; 624 | 625 | [FieldOffset(88)] 626 | public ulong SizeOfHeapReserve; 627 | 628 | [FieldOffset(96)] 629 | public ulong SizeOfHeapCommit; 630 | 631 | [FieldOffset(104)] 632 | public uint LoaderFlags; 633 | 634 | [FieldOffset(108)] 635 | public uint NumberOfRvaAndSizes; 636 | 637 | [FieldOffset(112)] 638 | public IMAGE_DATA_DIRECTORY ExportTable; 639 | 640 | [FieldOffset(120)] 641 | public IMAGE_DATA_DIRECTORY ImportTable; 642 | 643 | [FieldOffset(128)] 644 | public IMAGE_DATA_DIRECTORY ResourceTable; 645 | 646 | [FieldOffset(136)] 647 | public IMAGE_DATA_DIRECTORY ExceptionTable; 648 | 649 | [FieldOffset(144)] 650 | public IMAGE_DATA_DIRECTORY CertificateTable; 651 | 652 | [FieldOffset(152)] 653 | public IMAGE_DATA_DIRECTORY BaseRelocationTable; 654 | 655 | [FieldOffset(160)] 656 | public IMAGE_DATA_DIRECTORY Debug; 657 | 658 | [FieldOffset(168)] 659 | public IMAGE_DATA_DIRECTORY Architecture; 660 | 661 | [FieldOffset(176)] 662 | public IMAGE_DATA_DIRECTORY GlobalPtr; 663 | 664 | [FieldOffset(184)] 665 | public IMAGE_DATA_DIRECTORY TLSTable; 666 | 667 | [FieldOffset(192)] 668 | public IMAGE_DATA_DIRECTORY LoadConfigTable; 669 | 670 | [FieldOffset(200)] 671 | public IMAGE_DATA_DIRECTORY BoundImport; 672 | 673 | [FieldOffset(208)] 674 | public IMAGE_DATA_DIRECTORY IAT; 675 | 676 | [FieldOffset(216)] 677 | public IMAGE_DATA_DIRECTORY DelayImportDescriptor; 678 | 679 | [FieldOffset(224)] 680 | public IMAGE_DATA_DIRECTORY CLRRuntimeHeader; 681 | 682 | [FieldOffset(232)] 683 | public IMAGE_DATA_DIRECTORY Reserved; 684 | } 685 | 686 | [StructLayout(LayoutKind.Sequential)] 687 | public struct IMAGE_NT_HEADERS 688 | { 689 | public int Signature; 690 | public IMAGE_FILE_HEADER FileHeader; 691 | public IMAGE_OPTIONAL_HEADER642 OptionalHeader; 692 | } 693 | [StructLayout(LayoutKind.Explicit)] 694 | public struct IMAGE_OPTIONAL_HEADER642 695 | { 696 | [FieldOffset(112)] 697 | [MarshalAs(UnmanagedType.ByValArray, SizeConst = 16)] 698 | public IMAGE_DATA_DIRECTORY[] DataDirectory; 699 | } 700 | 701 | [StructLayout(LayoutKind.Sequential)] 702 | public struct IMAGE_DOS_HEADER 703 | { 704 | [MarshalAs(UnmanagedType.ByValArray, SizeConst = 2)] 705 | public char[] e_magic; // Magic number 706 | public UInt16 e_cblp; // Bytes on last page of file 707 | public UInt16 e_cp; // Pages in file 708 | public UInt16 e_crlc; // Relocations 709 | public UInt16 e_cparhdr; // Size of header in paragraphs 710 | public UInt16 e_minalloc; // Minimum extra paragraphs needed 711 | public UInt16 e_maxalloc; // Maximum extra paragraphs needed 712 | public UInt16 e_ss; // Initial (relative) SS value 713 | public UInt16 e_sp; // Initial SP value 714 | public UInt16 e_csum; // Checksum 715 | public UInt16 e_ip; // Initial IP value 716 | public UInt16 e_cs; // Initial (relative) CS value 717 | public UInt16 e_lfarlc; // File address of relocation table 718 | public UInt16 e_ovno; // Overlay number 719 | [MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)] 720 | public UInt16[] e_res1; // Reserved words 721 | public UInt16 e_oemid; // OEM identifier (for e_oeminfo) 722 | public UInt16 e_oeminfo; // OEM information; e_oemid specific 723 | [MarshalAs(UnmanagedType.ByValArray, SizeConst = 10)] 724 | public UInt16[] e_res2; // Reserved words 725 | public Int32 e_lfanew; // File address of new exe header 726 | 727 | private string Magic 728 | { 729 | get { return new string(e_magic); } 730 | } 731 | 732 | public bool IsValid 733 | { 734 | get { return Magic == "MZ"; } 735 | } 736 | } 737 | 738 | 739 | 740 | 741 | public static _PEB GetPeb() 742 | { 743 | IntPtr pebAddress = GetPebAddress(out _); 744 | return GetPeb(pebAddress); 745 | } 746 | 747 | public static IntPtr GetPebAddress(out IntPtr pebAddress) 748 | { 749 | PROCESS_BASIC_INFORMATION PROCESS_BASIC_INFORMATION_instance = new PROCESS_BASIC_INFORMATION(); 750 | IntPtr hProcess = GetCurrentProcess(); 751 | uint sizePtr = 0; 752 | UInt32 QueryResult = NtQueryInformationProcess( 753 | hProcess, 754 | 0, 755 | ref PROCESS_BASIC_INFORMATION_instance, 756 | Marshal.SizeOf(PROCESS_BASIC_INFORMATION_instance), 757 | ref sizePtr 758 | ); 759 | if (hProcess != IntPtr.Zero) 760 | CloseHandle(hProcess); 761 | 762 | pebAddress = PROCESS_BASIC_INFORMATION_instance.PebBaseAddress; 763 | return pebAddress; 764 | } 765 | 766 | public static _PEB GetPeb(IntPtr pebAddress) 767 | { 768 | return Marshal.PtrToStructure<_PEB>(pebAddress); 769 | } 770 | } 771 | } 772 | -------------------------------------------------------------------------------- /ParallelSyscalls.csproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {3B17C34D-3946-49E7-AA40-474B5BC036F4} 8 | Exe 9 | ParallelSyscalls 10 | ParallelSyscalls 11 | v4.8 12 | 512 13 | true 14 | true 15 | 16 | 17 | AnyCPU 18 | true 19 | full 20 | false 21 | bin\Debug\ 22 | DEBUG;TRACE 23 | prompt 24 | 4 25 | true 26 | false 27 | 28 | 29 | AnyCPU 30 | pdbonly 31 | false 32 | bin\Release\ 33 | TRACE 34 | prompt 35 | 4 36 | false 37 | false 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | -------------------------------------------------------------------------------- /ParallelSyscalls.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.31613.86 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "ParallelSyscalls", "ParallelSyscalls.csproj", "{3B17C34D-3946-49E7-AA40-474B5BC036F4}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Any CPU = Debug|Any CPU 11 | Release|Any CPU = Release|Any CPU 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {3B17C34D-3946-49E7-AA40-474B5BC036F4}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 15 | {3B17C34D-3946-49E7-AA40-474B5BC036F4}.Debug|Any CPU.Build.0 = Debug|Any CPU 16 | {3B17C34D-3946-49E7-AA40-474B5BC036F4}.Release|Any CPU.ActiveCfg = Release|Any CPU 17 | {3B17C34D-3946-49E7-AA40-474B5BC036F4}.Release|Any CPU.Build.0 = Release|Any CPU 18 | EndGlobalSection 19 | GlobalSection(SolutionProperties) = preSolution 20 | HideSolutionNode = FALSE 21 | EndGlobalSection 22 | GlobalSection(ExtensibilityGlobals) = postSolution 23 | SolutionGuid = {8966A6AA-5CC0-4E3A-891B-703A4CC74918} 24 | EndGlobalSection 25 | EndGlobal 26 | -------------------------------------------------------------------------------- /Program.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Linq; 4 | using System.Runtime.InteropServices; 5 | using System.Text; 6 | using System.Threading.Tasks; 7 | using static ParallelSyscalls.Natives; 8 | 9 | namespace ParallelSyscalls 10 | { 11 | class Program 12 | { 13 | // Global syscall functions 14 | public static NtOpenFile funcNtOpenFile; 15 | public static NtCreateSection funcNtCreateSection; 16 | public static NtMapViewOfSection funcNtMapViewOfSection; 17 | 18 | 19 | public static IntPtr GetSyscall(Dictionary book, string pzSyscallName) 20 | { 21 | foreach(var i in book) 22 | { 23 | if ((i.Key == pzSyscallName)) 24 | { 25 | return i.Value; 26 | } 27 | } 28 | 29 | return IntPtr.Zero; 30 | } 31 | 32 | public static bool InitSyscallsFromLdrpThunkSignature() 33 | { 34 | // Find loaded NTDLL.DLL in PEB 35 | _PEB Peb = GetPeb(); 36 | LDR_DATA_TABLE_ENTRY NtdllLdrEntry = new LDR_DATA_TABLE_ENTRY(); 37 | 38 | IntPtr startLink = Marshal.PtrToStructure(Peb.Ldr64).InLoadOrderModuleList.Flink; 39 | LDR_DATA_TABLE_ENTRY LdrEntry = Marshal.PtrToStructure (startLink); 40 | 41 | while(true) 42 | { 43 | if (LdrEntry.DllBase == IntPtr.Zero) 44 | { 45 | break; 46 | } 47 | if (LdrEntry.InLoadOrderLinks.Flink == startLink) 48 | { 49 | break; 50 | } 51 | 52 | if (LdrEntry.BaseDllName.GetText() == "ntdll.dll") 53 | { 54 | //Console.WriteLine("[+] Found ntdll in PEB: {0}", LdrEntry.DllBase); 55 | NtdllLdrEntry = LdrEntry; 56 | break; 57 | } 58 | LdrEntry = Marshal.PtrToStructure(LdrEntry.InLoadOrderLinks.Flink); 59 | } 60 | 61 | if(NtdllLdrEntry.DllBase == IntPtr.Zero) 62 | { 63 | Console.WriteLine("[-] Could not find ntdll.dll"); 64 | return false; 65 | } 66 | 67 | 68 | // Get PE sections 69 | IMAGE_DOS_HEADER dosHeader = Marshal.PtrToStructure(NtdllLdrEntry.DllBase); 70 | IMAGE_NT_HEADERS ImageNtHeaders = Marshal.PtrToStructure(NtdllLdrEntry.DllBase + dosHeader.e_lfanew); 71 | List SectionHeaders = new List(); 72 | IntPtr pStart = (IntPtr)(NtdllLdrEntry.DllBase 73 | + dosHeader.e_lfanew 74 | + Marshal.SizeOf(typeof(IMAGE_FILE_HEADER)) 75 | + ImageNtHeaders.FileHeader.SizeOfOptionalHeader 76 | + sizeof(Int32)); 77 | for (int i = 0; i < ImageNtHeaders.FileHeader.NumberOfSections; i++) 78 | { 79 | int offset = i * Marshal.SizeOf(typeof(IMAGE_SECTION_HEADER)); 80 | IMAGE_SECTION_HEADER sectionHeader = Marshal.PtrToStructure(pStart + offset); 81 | SectionHeaders.Add(sectionHeader); 82 | } 83 | 84 | // Get .data section 85 | IntPtr DataSectionAddress = IntPtr.Zero; 86 | uint DataSectionSize = 0; 87 | for (int i = 0; i < ImageNtHeaders.FileHeader.NumberOfSections; i++) 88 | { 89 | if (SectionHeaders[i].SectionName.StartsWith(".data")) 90 | { 91 | DataSectionAddress = NtdllLdrEntry.DllBase + (int)SectionHeaders[i].VirtualAddress; 92 | DataSectionSize = SectionHeaders[i].VirtualSize; 93 | break; 94 | } 95 | } 96 | if (DataSectionAddress == IntPtr.Zero || DataSectionSize < (16 * 5)) 97 | { 98 | return false; 99 | } 100 | 101 | // Get syscalls from LdrpThunkSignature 102 | uint dwSyscallNo_NtOpenFile = 0, dwSyscallNo_NtCreateSection = 0, dwSyscallNo_NtMapViewOfSection = 0; 103 | for (int uiOffset = 0; uiOffset < DataSectionSize - (16 * 5); uiOffset++) 104 | { 105 | IntPtr offset = DataSectionAddress + uiOffset; 106 | uint offsetValue = (uint)Marshal.ReadInt32(offset); 107 | uint offset1Value = (uint)Marshal.ReadInt32(offset, 16); 108 | uint offset2Value = (uint)Marshal.ReadInt32(offset, 32); 109 | uint offset3Value = (uint)Marshal.ReadInt32(offset, 48); 110 | uint offset4Value = (uint)Marshal.ReadInt32(offset, 64); 111 | 112 | if (offsetValue == 0xb8d18b4c && 113 | offset1Value == 0xb8d18b4c && 114 | offset2Value == 0xb8d18b4c && 115 | offset3Value == 0xb8d18b4c && 116 | offset4Value == 0xb8d18b4c) 117 | { 118 | dwSyscallNo_NtOpenFile = (uint)Marshal.ReadInt32(offset, 4); 119 | dwSyscallNo_NtCreateSection = (uint)Marshal.ReadInt32(offset, 16 + 4); 120 | dwSyscallNo_NtMapViewOfSection = (uint)Marshal.ReadInt32(offset, 64 + 4); 121 | 122 | break; 123 | } 124 | } 125 | 126 | if (dwSyscallNo_NtOpenFile == 0) 127 | { 128 | return false; 129 | } 130 | 131 | int MAX_SYSCALL_STUB_SIZE = 64; 132 | IntPtr SyscallRegion = VirtualAlloc(IntPtr.Zero, (uint)(3 * MAX_SYSCALL_STUB_SIZE), 0x2000 | 0x1000, 0x00000040); 133 | 134 | if (SyscallRegion == IntPtr.Zero) 135 | { 136 | return false; 137 | } 138 | 139 | IntPtr NtOpenFile = BuildSyscallStub(SyscallRegion, dwSyscallNo_NtOpenFile); 140 | IntPtr NtCreateSection = BuildSyscallStub(SyscallRegion + MAX_SYSCALL_STUB_SIZE, dwSyscallNo_NtCreateSection); 141 | IntPtr NtMapViewOfSection = BuildSyscallStub(SyscallRegion + (2 * MAX_SYSCALL_STUB_SIZE), dwSyscallNo_NtMapViewOfSection); 142 | 143 | funcNtOpenFile = Marshal.GetDelegateForFunctionPointer(NtOpenFile); 144 | funcNtCreateSection = Marshal.GetDelegateForFunctionPointer(NtCreateSection); 145 | funcNtMapViewOfSection = Marshal.GetDelegateForFunctionPointer(NtMapViewOfSection); 146 | 147 | return true; 148 | } 149 | 150 | public static IntPtr BuildSyscallStub(IntPtr StubRegion, uint dwSyscallNo) 151 | { 152 | byte[] SyscallStub = new byte[] 153 | { 154 | 0x4c, 0x8b, 0xd1, // mov r10,rcx 155 | 0xb8, 0x00, 0x00, 0x00, 0x00, // mov eax, 0x?? (?? == Syscall Identifier) 156 | 0x0f, 0x05, // syscall 157 | 0xc3 // ret 158 | }; 159 | // update SyscallStub template 160 | SyscallStub[4] = (byte)(dwSyscallNo); 161 | 162 | // copy syscall template bytes to page 163 | Marshal.Copy(SyscallStub, 0, StubRegion, SyscallStub.Length); 164 | //Marshal.WriteInt32(StubRegion, 4, (int)dwSyscallNo); 165 | 166 | return StubRegion; 167 | } 168 | 169 | public static IntPtr LoadNtdllIntoSection() 170 | { 171 | NTSTATUS ntStatus; 172 | IntPtr hFile = IntPtr.Zero; 173 | OBJECT_ATTRIBUTES ObjectAttributes = new OBJECT_ATTRIBUTES(); 174 | IO_STATUS_BLOCK IoStatusBlock = new IO_STATUS_BLOCK(); 175 | IntPtr hSection = IntPtr.Zero; 176 | IntPtr lpvSection = IntPtr.Zero; 177 | ulong viewSize = 0; 178 | UNICODE_STRING ObjectPath = new UNICODE_STRING(); 179 | RtlInitUnicodeString(ref ObjectPath, "\\??\\C:\\Windows\\System32\\ntdll.dll"); 180 | IntPtr pObjectName = Marshal.AllocHGlobal(Marshal.SizeOf(ObjectPath)); 181 | Marshal.StructureToPtr(ObjectPath, pObjectName, true); 182 | 183 | ObjectAttributes.Length = Marshal.SizeOf(typeof(OBJECT_ATTRIBUTES)); 184 | ObjectAttributes.ObjectName = pObjectName; 185 | ObjectAttributes.Attributes = 0x40; //OBJ_CASE_INSENSITIVE 186 | ObjectAttributes.RootDirectory = IntPtr.Zero; 187 | ObjectAttributes.SecurityDescriptor = IntPtr.Zero; 188 | ObjectAttributes.SecurityQualityOfService = IntPtr.Zero; 189 | 190 | //NtOpenFile > NtCreateSection > NtMapViewOfSection 191 | ntStatus = funcNtOpenFile( 192 | ref hFile, 193 | FileAccessFlags.FILE_READ_DATA, 194 | ref ObjectAttributes, 195 | ref IoStatusBlock, 196 | FileShareFlags.FILE_SHARE_READ, 197 | 0); 198 | 199 | if (hFile == IntPtr.Zero) 200 | { 201 | return IntPtr.Zero; 202 | } 203 | 204 | ulong maxsize = 0; 205 | ntStatus = funcNtCreateSection( 206 | ref hSection, 207 | 0x0002 | 0x0004 | 0x0008, //SECTION_ALL_ACCESS, 208 | IntPtr.Zero, 209 | ref maxsize, 210 | 0x00000002, //PAGE_READONLY 211 | 0x08000000, //sec_commit 212 | hFile 213 | ); 214 | 215 | if (hSection == IntPtr.Zero) 216 | { 217 | if (hFile != IntPtr.Zero) 218 | CloseHandle(hFile); 219 | return IntPtr.Zero; 220 | } 221 | 222 | ntStatus = funcNtMapViewOfSection( 223 | hSection, 224 | GetCurrentProcess(), 225 | out lpvSection, 226 | IntPtr.Zero, 227 | IntPtr.Zero, 228 | IntPtr.Zero, 229 | out viewSize, 230 | 1, 231 | 0, 232 | 0x00000002); //PAGE_READONLY 233 | 234 | if (hSection != IntPtr.Zero) 235 | CloseHandle(hSection); 236 | if (hFile != IntPtr.Zero) 237 | CloseHandle(hFile); 238 | 239 | //Console.WriteLine("[+] unhooked ntdll: {0}", lpvSection.ToInt64()); 240 | 241 | return lpvSection; 242 | } 243 | 244 | 245 | public static uint ExtractSyscalls(IntPtr pNtdll, ref Dictionary book) 246 | { 247 | // 248 | IMAGE_DOS_HEADER DosHeader = Marshal.PtrToStructure(pNtdll); 249 | IMAGE_NT_HEADERS ImageNtHeaders = Marshal.PtrToStructure (pNtdll + DosHeader.e_lfanew); 250 | List SectionHeaders = new List(); 251 | IntPtr pStart = (IntPtr)(pNtdll 252 | + DosHeader.e_lfanew 253 | + Marshal.SizeOf(typeof(IMAGE_FILE_HEADER)) 254 | + ImageNtHeaders.FileHeader.SizeOfOptionalHeader 255 | + sizeof(Int32)); 256 | for (int i = 0; i < ImageNtHeaders.FileHeader.NumberOfSections; i++) 257 | { 258 | int offset = i * Marshal.SizeOf(typeof(IMAGE_SECTION_HEADER)); 259 | IMAGE_SECTION_HEADER sectionHeader = Marshal.PtrToStructure(pStart + offset); 260 | SectionHeaders.Add(sectionHeader); 261 | } 262 | 263 | // 264 | IMAGE_DATA_DIRECTORY[] DataDirectory = ImageNtHeaders.OptionalHeader.DataDirectory; 265 | uint VirtualAddress = DataDirectory[0].VirtualAddress; 266 | IMAGE_EXPORT_DIRECTORY ExportDirectory = Marshal.PtrToStructure(RVAToFileOffsetPointer(pNtdll, VirtualAddress)); 267 | 268 | 269 | uint NumberOfNames = ExportDirectory.NumberOfNames; 270 | NumberOfNames = ExportDirectory.NumberOfNames; 271 | 272 | IntPtr Functions = RVAToFileOffsetPointer(pNtdll, ExportDirectory.AddressOfFunctions); 273 | IntPtr Names = RVAToFileOffsetPointer(pNtdll, ExportDirectory.AddressOfNames); 274 | IntPtr Ordinals = RVAToFileOffsetPointer(pNtdll, ExportDirectory.AddressOfNameOrdinals); 275 | 276 | //Console.WriteLine("Functions: {0}", Functions); 277 | //Console.WriteLine("Names: {0}", Names); 278 | //Console.WriteLine("Ordinals: {0}", Ordinals); 279 | 280 | uint uiCount = 0; 281 | uint MAX_SYSCALL_STUB_SIZE = 64; 282 | uint MAX_NUMBER_OF_SYSCALLS = 1024; 283 | IntPtr pStubs = VirtualAlloc(IntPtr.Zero, MAX_NUMBER_OF_SYSCALLS * MAX_SYSCALL_STUB_SIZE, 0x2000 | 0x1000, 0x00000040); 284 | 285 | if (pStubs == IntPtr.Zero) 286 | { 287 | return 0; 288 | } 289 | 290 | for (int i = 0; i < NumberOfNames && uiCount < MAX_NUMBER_OF_SYSCALLS; i++) 291 | { 292 | uint nameAddress = (uint)Marshal.ReadInt32(Names + i * 4); 293 | IntPtr AddressOfNames_single_offset = RVAToFileOffsetPointer(pNtdll, nameAddress); 294 | 295 | byte[] bFunctionName = new byte[1024]; 296 | Marshal.Copy(AddressOfNames_single_offset, bFunctionName, 0, 1024); 297 | for (int length = 0; length < 1024; length++) 298 | { 299 | if (bFunctionName[length] == 0x00) 300 | { 301 | bFunctionName = bFunctionName.Take(length).ToArray(); 302 | break; 303 | } 304 | } 305 | string sFunctionName = Encoding.ASCII.GetString(bFunctionName); 306 | //Console.WriteLine(sFunctionName); 307 | 308 | if (sFunctionName.StartsWith("Zw")) 309 | { 310 | uint ordinalAddress = (uint)Marshal.ReadInt16(Ordinals + 2 * i); 311 | uint functionAddress = (uint)Marshal.ReadInt32(Functions + (int)(4 * ordinalAddress)); 312 | 313 | IntPtr FunctionPtr = RVAToFileOffsetPointer(pNtdll, functionAddress); 314 | IntPtr FunctionEnd = FindBytes(FunctionPtr, MAX_SYSCALL_STUB_SIZE, new byte[] { 0x0f, 0x05, 0xc3 }, 3) + 3; 315 | 316 | //Console.WriteLine("start: {0}, end {1}", FunctionPtr, FunctionEnd); 317 | 318 | if (FunctionEnd != IntPtr.Zero) 319 | { 320 | // copy bytes from unhooked ntdll 321 | long size = FunctionEnd.ToInt64() - FunctionPtr.ToInt64(); 322 | byte[] functionbytes = new byte[size]; 323 | Marshal.Copy(FunctionPtr, functionbytes, 0, (int)size); 324 | 325 | // copy bytes to syscall page 326 | IntPtr pSyscall = pStubs + (int)(uiCount * MAX_SYSCALL_STUB_SIZE); 327 | Marshal.Copy(functionbytes, 0, pSyscall, (int)size); 328 | 329 | book.Add(sFunctionName, pSyscall); 330 | uiCount++; 331 | } 332 | } 333 | } 334 | 335 | return uiCount; 336 | } 337 | 338 | public static IntPtr FindBytes(IntPtr Source, uint SourceLength, byte[] Search, int SearchLength) 339 | { 340 | while (SearchLength <= SourceLength) 341 | { 342 | byte[] temp = new byte[SearchLength]; 343 | Marshal.Copy(Source, temp, 0 , SearchLength); 344 | if(temp.SequenceEqual(Search)) 345 | { 346 | return Source; 347 | } 348 | 349 | Source = Source + 1; 350 | SourceLength--; 351 | } 352 | 353 | return IntPtr.Zero; 354 | } 355 | 356 | public static IntPtr RVAToFileOffsetPointer(IntPtr pModule, uint dwRVA) 357 | { 358 | IMAGE_DOS_HEADER DosHeader = Marshal.PtrToStructure(pModule); 359 | IMAGE_NT_HEADERS ImageNtHeaders = Marshal.PtrToStructure(pModule + DosHeader.e_lfanew); 360 | List SectionHeaders = new List(); 361 | IntPtr pStart = (IntPtr)(pModule 362 | + DosHeader.e_lfanew 363 | + Marshal.SizeOf(typeof(IMAGE_FILE_HEADER)) 364 | + ImageNtHeaders.FileHeader.SizeOfOptionalHeader 365 | + sizeof(Int32)); 366 | for (int i = 0; i < ImageNtHeaders.FileHeader.NumberOfSections; i++) 367 | { 368 | int offset = i * Marshal.SizeOf(typeof(IMAGE_SECTION_HEADER)); 369 | IMAGE_SECTION_HEADER sectionHeader = Marshal.PtrToStructure(pStart + offset); 370 | SectionHeaders.Add(sectionHeader); 371 | } 372 | 373 | 374 | for (int i = 0; i < ImageNtHeaders.FileHeader.NumberOfSections; i++) 375 | { 376 | if (SectionHeaders[i].VirtualAddress <= dwRVA && SectionHeaders[i].VirtualAddress + SectionHeaders[i].SizeOfRawData > dwRVA) 377 | { 378 | dwRVA -= SectionHeaders[i].VirtualAddress; 379 | dwRVA += SectionHeaders[i].PointerToRawData; 380 | 381 | return pModule + (int)dwRVA; 382 | } 383 | } 384 | 385 | return IntPtr.Zero; 386 | } 387 | 388 | 389 | 390 | static void Main(string[] args) 391 | { 392 | // For storing syscall pointers 393 | Dictionary book = new Dictionary(); 394 | 395 | // Get the necessary syscalls to load an unhooked NTDLL into memory 396 | InitSyscallsFromLdrpThunkSignature(); 397 | 398 | // Load an unhooked NTDLL into memory using the syscalls collected from step 1 399 | IntPtr pNtdll = LoadNtdllIntoSection(); 400 | 401 | // Get syscalls from the unhooked NTDLL 402 | uint uiCount = ExtractSyscalls(pNtdll, ref book); 403 | 404 | // Get syscall pointer for ZwCreateThreadEx 405 | IntPtr pZwCreateThreadEx = GetSyscall(book, "ZwCreateThreadEx"); 406 | NtCreateThreadEx zWCreateThreadEx = Marshal.GetDelegateForFunctionPointer(pZwCreateThreadEx); 407 | 408 | // Call ZwCreateThreadEx 409 | IntPtr hThread = IntPtr.Zero; 410 | var res = zWCreateThreadEx( 411 | ref hThread, 412 | ACCESS_MASK.GENERIC_ALL, 413 | IntPtr.Zero, 414 | GetCurrentProcess(), 415 | IntPtr.Zero, 416 | IntPtr.Zero, 417 | false, 418 | 0, 419 | 0, 420 | 0, 421 | IntPtr.Zero); 422 | Console.WriteLine("zWCreateThreadEx: {0}", res); 423 | Console.WriteLine("hThread: {0}", hThread); 424 | } 425 | } 426 | } 427 | -------------------------------------------------------------------------------- /Properties/AssemblyInfo.cs: -------------------------------------------------------------------------------- 1 | using System.Reflection; 2 | using System.Runtime.CompilerServices; 3 | using System.Runtime.InteropServices; 4 | 5 | // General Information about an assembly is controlled through the following 6 | // set of attributes. Change these attribute values to modify the information 7 | // associated with an assembly. 8 | [assembly: AssemblyTitle("ParallelSyscalls")] 9 | [assembly: AssemblyDescription("")] 10 | [assembly: AssemblyConfiguration("")] 11 | [assembly: AssemblyCompany("")] 12 | [assembly: AssemblyProduct("ParallelSyscalls")] 13 | [assembly: AssemblyCopyright("Copyright © 2022")] 14 | [assembly: AssemblyTrademark("")] 15 | [assembly: AssemblyCulture("")] 16 | 17 | // Setting ComVisible to false makes the types in this assembly not visible 18 | // to COM components. If you need to access a type in this assembly from 19 | // COM, set the ComVisible attribute to true on that type. 20 | [assembly: ComVisible(false)] 21 | 22 | // The following GUID is for the ID of the typelib if this project is exposed to COM 23 | [assembly: Guid("3b17c34d-3946-49e7-aa40-474b5bc036f4")] 24 | 25 | // Version information for an assembly consists of the following four values: 26 | // 27 | // Major Version 28 | // Minor Version 29 | // Build Number 30 | // Revision 31 | // 32 | // You can specify all the values or you can default the Build and Revision Numbers 33 | // by using the '*' as shown below: 34 | // [assembly: AssemblyVersion("1.0.*")] 35 | [assembly: AssemblyVersion("1.0.0.0")] 36 | [assembly: AssemblyFileVersion("1.0.0.0")] 37 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cube0x0/ParallelSyscalls/f3be57a17f9c41857834415e9d951b84b2d90f56/README.md -------------------------------------------------------------------------------- /obj/Debug/.NETFramework,Version=v4.8.AssemblyAttributes.cs: -------------------------------------------------------------------------------- 1 | // 2 | using System; 3 | using System.Reflection; 4 | [assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.8", FrameworkDisplayName = ".NET Framework 4.8")] 5 | -------------------------------------------------------------------------------- /obj/Debug/DesignTimeResolveAssemblyReferencesInput.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cube0x0/ParallelSyscalls/f3be57a17f9c41857834415e9d951b84b2d90f56/obj/Debug/DesignTimeResolveAssemblyReferencesInput.cache -------------------------------------------------------------------------------- /obj/Debug/ParallelSyscalls.csproj.FileListAbsolute.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cube0x0/ParallelSyscalls/f3be57a17f9c41857834415e9d951b84b2d90f56/obj/Debug/ParallelSyscalls.csproj.FileListAbsolute.txt -------------------------------------------------------------------------------- /obj/Release/.NETFramework,Version=v4.8.AssemblyAttributes.cs: -------------------------------------------------------------------------------- 1 | // 2 | using System; 3 | using System.Reflection; 4 | [assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.8", FrameworkDisplayName = ".NET Framework 4.8")] 5 | -------------------------------------------------------------------------------- /obj/Release/DesignTimeResolveAssemblyReferencesInput.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cube0x0/ParallelSyscalls/f3be57a17f9c41857834415e9d951b84b2d90f56/obj/Release/DesignTimeResolveAssemblyReferencesInput.cache -------------------------------------------------------------------------------- /obj/Release/ParallelSyscalls.csproj.FileListAbsolute.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cube0x0/ParallelSyscalls/f3be57a17f9c41857834415e9d951b84b2d90f56/obj/Release/ParallelSyscalls.csproj.FileListAbsolute.txt --------------------------------------------------------------------------------