├── README.md
├── SharpIndirectSyscalls
├── App.config
├── Properties
│ └── AssemblyInfo.cs
├── Program.cs
├── SharpIndirectSyscalls.csproj
└── dll.cs
├── SharpIndirectSyscalls.sln
├── .gitattributes
└── .gitignore
/README.md:
--------------------------------------------------------------------------------
1 | # SharpIndirectSyscalls
2 | x64-only .NET Framework proof of concept for indirect syscalls: a stub written into a JIT-owned code cave loads the syscall number and jumps to a real `syscall` instruction inside ntdll, so the kernel returns into ntdll rather than into this assembly. Based on the work of Netero1010 and am0nsec.
3 |
--------------------------------------------------------------------------------
/SharpIndirectSyscalls/App.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/SharpIndirectSyscalls/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
// Identity attributes for the SharpIndirectSyscalls assembly. Edit these to change
// what Explorer / Get-Item show for the built binary.
[assembly: AssemblyTitle("SharpIndirectSyscalls")]
[assembly: AssemblyProduct("SharpIndirectSyscalls")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyCopyright("Copyright © 2023")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Keep the assembly's types hidden from COM; opt individual types in with their own
// ComVisible(true) if that is ever needed.
[assembly: ComVisible(false)]

// Typelib id, only meaningful if the assembly is ever exposed to COM.
[assembly: Guid("751f15a4-fc88-48d8-8fa4-64e8652cefcd")]

// Version numbers are Major.Minor.Build.Revision. Both are pinned explicitly here;
// AssemblyVersion("1.0.*") would let the compiler fill in Build and Revision instead.
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/SharpIndirectSyscalls.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 17
4 | VisualStudioVersion = 17.4.33213.308
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SharpIndirectSyscalls", "SharpIndirectSyscalls\SharpIndirectSyscalls.csproj", "{751F15A4-FC88-48D8-8FA4-64E8652CEFCD}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Debug|x64 = Debug|x64
12 | Release|Any CPU = Release|Any CPU
13 | Release|x64 = Release|x64
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {751F15A4-FC88-48D8-8FA4-64E8652CEFCD}.Debug|Any CPU.ActiveCfg = Debug|x64
17 | {751F15A4-FC88-48D8-8FA4-64E8652CEFCD}.Debug|Any CPU.Build.0 = Debug|x64
18 | {751F15A4-FC88-48D8-8FA4-64E8652CEFCD}.Debug|x64.ActiveCfg = Debug|x64
19 | {751F15A4-FC88-48D8-8FA4-64E8652CEFCD}.Debug|x64.Build.0 = Debug|x64
20 | {751F15A4-FC88-48D8-8FA4-64E8652CEFCD}.Release|Any CPU.ActiveCfg = Release|Any CPU
21 | {751F15A4-FC88-48D8-8FA4-64E8652CEFCD}.Release|Any CPU.Build.0 = Release|Any CPU
22 | {751F15A4-FC88-48D8-8FA4-64E8652CEFCD}.Release|x64.ActiveCfg = Release|x64
23 | {751F15A4-FC88-48D8-8FA4-64E8652CEFCD}.Release|x64.Build.0 = Release|x64
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {DAD81132-44BC-46B7-9402-CB69CBC05E86}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/SharpIndirectSyscalls/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Runtime.InteropServices;
5 | using System.Text;
6 | using System.Threading.Tasks;
7 |
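namespace SharpIndirectSyscalls
{
    /// <summary>
    /// Demo driver: allocates one RWX page in the current process via an indirect
    /// NtAllocateVirtualMemory syscall, then writes a single byte into it via an indirect
    /// NtWriteVirtualMemory syscall, using the stubs built by <see cref="dll"/>.
    /// Optional first argument: path of a DLL to load before the syscalls run (a test hook;
    /// the original build hard-coded a developer-machine path to a syscall-detection DLL).
    /// </summary>
    internal class Program
    {
        /// <summary>NTSTATUS value returned on success.</summary>
        private const uint STATUS_SUCCESS = 0;

        /// <summary>
        /// NtAllocateVirtualMemory(HANDLE, PVOID*, ULONG_PTR, PSIZE_T, ULONG, ULONG).
        /// BaseAddress and RegionSize are in/out: the kernel writes the granted base address and
        /// the page-rounded size back through them, which DynamicInvoke reflects into the
        /// argument array.
        /// </summary>
        [UnmanagedFunctionPointer(CallingConvention.StdCall)]
        public delegate uint NtAllocateVirtualMemory(
            IntPtr ProcessHandle,
            ref IntPtr BaseAddress,
            IntPtr ZeroBits,
            ref IntPtr RegionSize,
            UInt32 AllocationType,
            UInt32 Protect
        );

        /// <summary>
        /// NtWriteVirtualMemory(HANDLE, PVOID, PVOID, SIZE_T, PSIZE_T).
        /// bufferLength and NumberOfBytesWritten are pointer-sized (SIZE_T) on x64, so they are
        /// declared as IntPtr / ref IntPtr. The previous `ref UInt32` out-parameter gave the
        /// kernel a 4-byte slot for an 8-byte store.
        /// </summary>
        [UnmanagedFunctionPointer(CallingConvention.StdCall)]
        public delegate uint NtWriteVirtualMemory(
            IntPtr processHandle,
            IntPtr baseAddress,
            IntPtr buffer,
            IntPtr bufferLength,
            ref IntPtr NumberOfBytesWritten
        );

        [DllImport("kernel32", SetLastError = true, CharSet = CharSet.Ansi)]
        static extern IntPtr LoadLibrary([MarshalAs(UnmanagedType.LPStr)] string lpFileName);

        /// <summary>
        /// Runs one indirect syscall through <paramref name="ntdll"/> and returns its NTSTATUS.
        /// A null result means the syscall number could not be resolved, which is reported as a
        /// failure instead of being cast to uint (that cast threw NullReferenceException before).
        /// </summary>
        private static uint Invoke<T>(dll ntdll, string name, object[] args) where T : Delegate
        {
            object result = ntdll.indirectSyscallInvoke<T>(name, args);
            if (result is uint status)
            {
                return status;
            }
            Console.WriteLine("[!] {0} could not be invoked (syscall number not resolved)", name);
            return 0xC0000001; // STATUS_UNSUCCESSFUL
        }

        static void Main(string[] args)
        {
            if (args.Length > 0)
            {
                IntPtr hMod = LoadLibrary(args[0]);
                if (hMod == IntPtr.Zero)
                {
                    // Previously the return value was ignored and a missing DLL went unnoticed.
                    Console.WriteLine("[!] LoadLibrary({0}) failed, Win32 error {1}", args[0], Marshal.GetLastWin32Error());
                }
            }

            dll ntdll = new dll();

            // (HANDLE)-1 == NtCurrentProcess(); 0x3000 == MEM_COMMIT | MEM_RESERVE; 0x40 == PAGE_EXECUTE_READWRITE.
            object[] allocArgs = { (IntPtr)(-1), IntPtr.Zero, IntPtr.Zero, (IntPtr)4096, (uint)0x3000, (uint)0x40 };
            uint allocStatus = Invoke<NtAllocateVirtualMemory>(ntdll, "NtAllocateVirtualMemory", allocArgs);
            if (allocStatus != STATUS_SUCCESS)
            {
                Console.WriteLine("[!] NtAllocateVirtualMemory failed: NTSTATUS 0x{0:X8}", allocStatus);
                Console.ReadKey();
                return;
            }
            // DynamicInvoke writes the ref BaseAddress back into the array.
            IntPtr region = (IntPtr)allocArgs[1];
            Console.WriteLine("Allocated to 0x{0:X}", (long)region);

            // Pin the payload so its address stays valid for the call, and release the handle
            // afterwards (the original leaked the pinned handle).
            GCHandle payload = GCHandle.Alloc(new byte[] { 0x41 }, GCHandleType.Pinned);
            try
            {
                object[] writeArgs = { (IntPtr)(-1), region, payload.AddrOfPinnedObject(), (IntPtr)1, IntPtr.Zero };
                uint ntstatus = Invoke<NtWriteVirtualMemory>(ntdll, "NtWriteVirtualMemory", writeArgs);
                if (ntstatus == STATUS_SUCCESS)
                {
                    Console.WriteLine("Memory was written, go take a read");
                }
                else
                {
                    Console.WriteLine("[!] NtWriteVirtualMemory failed: NTSTATUS 0x{0:X8}", ntstatus);
                }
            }
            finally
            {
                payload.Free();
            }
            Console.ReadKey();
        }
    }
}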
50 |
--------------------------------------------------------------------------------
/.gitattributes:
--------------------------------------------------------------------------------
1 | ###############################################################################
2 | # Set default behavior to automatically normalize line endings.
3 | ###############################################################################
4 | * text=auto
5 |
6 | ###############################################################################
7 | # Set default behavior for command prompt diff.
8 | #
9 | # This is needed for earlier builds of msysgit that do not have it on by
10 | # default for csharp files.
11 | # Note: This is only used by command line
12 | ###############################################################################
13 | #*.cs diff=csharp
14 |
15 | ###############################################################################
16 | # Set the merge driver for project and solution files
17 | #
18 | # Merging from the command prompt will add diff markers to the files if there
19 | # are conflicts (Merging from VS is not affected by the settings below, in VS
20 | # the diff markers are never inserted). Diff markers may cause the following
21 | # file extensions to fail to load in VS. An alternative would be to treat
22 | # these files as binary and thus will always conflict and require user
23 | # intervention with every merge. To do so, just uncomment the entries below
24 | ###############################################################################
25 | #*.sln merge=binary
26 | #*.csproj merge=binary
27 | #*.vbproj merge=binary
28 | #*.vcxproj merge=binary
29 | #*.vcproj merge=binary
30 | #*.dbproj merge=binary
31 | #*.fsproj merge=binary
32 | #*.lsproj merge=binary
33 | #*.wixproj merge=binary
34 | #*.modelproj merge=binary
35 | #*.sqlproj merge=binary
36 | #*.wwaproj merge=binary
37 |
38 | ###############################################################################
39 | # behavior for image files
40 | #
41 | # image files are treated as binary by default.
42 | ###############################################################################
43 | #*.jpg binary
44 | #*.png binary
45 | #*.gif binary
46 |
47 | ###############################################################################
48 | # diff behavior for common document formats
49 | #
50 | # Convert binary document formats to text before diffing them. This feature
51 | # is only available from the command line. Turn it on by uncommenting the
52 | # entries below.
53 | ###############################################################################
54 | #*.doc diff=astextplain
55 | #*.DOC diff=astextplain
56 | #*.docx diff=astextplain
57 | #*.DOCX diff=astextplain
58 | #*.dot diff=astextplain
59 | #*.DOT diff=astextplain
60 | #*.pdf diff=astextplain
61 | #*.PDF diff=astextplain
62 | #*.rtf diff=astextplain
63 | #*.RTF diff=astextplain
64 |
--------------------------------------------------------------------------------
/SharpIndirectSyscalls/SharpIndirectSyscalls.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {751F15A4-FC88-48D8-8FA4-64E8652CEFCD}
8 | Exe
9 | SharpIndirectSyscalls
10 | SharpIndirectSyscalls
11 | v4.7.2
12 | 512
13 | true
14 | true
15 |
16 |
17 | AnyCPU
18 | true
19 | full
20 | false
21 | bin\Debug\
22 | DEBUG;TRACE
23 | prompt
24 | 4
25 |
26 |
27 | AnyCPU
28 | pdbonly
29 | true
30 | bin\Release\
31 | TRACE
32 | prompt
33 | 4
34 |
35 |
36 | true
37 | bin\x64\Debug\
38 | DEBUG;TRACE
39 | full
40 | x64
41 | 7.3
42 | prompt
43 | true
44 |
45 |
46 | bin\x64\Release\
47 | TRACE
48 | true
49 | pdbonly
50 | x64
51 | 7.3
52 | prompt
53 | true
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 | ##
4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
5 |
6 | # User-specific files
7 | *.rsuser
8 | *.suo
9 | *.user
10 | *.userosscache
11 | *.sln.docstates
12 |
13 | # User-specific files (MonoDevelop/Xamarin Studio)
14 | *.userprefs
15 |
16 | # Mono auto generated files
17 | mono_crash.*
18 |
19 | # Build results
20 | [Dd]ebug/
21 | [Dd]ebugPublic/
22 | [Rr]elease/
23 | [Rr]eleases/
24 | x64/
25 | x86/
26 | [Ww][Ii][Nn]32/
27 | [Aa][Rr][Mm]/
28 | [Aa][Rr][Mm]64/
29 | bld/
30 | [Bb]in/
31 | [Oo]bj/
32 | [Oo]ut/
33 | [Ll]og/
34 | [Ll]ogs/
35 |
36 | # Visual Studio 2015/2017 cache/options directory
37 | .vs/
38 | # Uncomment if you have tasks that create the project's static files in wwwroot
39 | #wwwroot/
40 |
41 | # Visual Studio 2017 auto generated files
42 | Generated\ Files/
43 |
44 | # MSTest test Results
45 | [Tt]est[Rr]esult*/
46 | [Bb]uild[Ll]og.*
47 |
48 | # NUnit
49 | *.VisualState.xml
50 | TestResult.xml
51 | nunit-*.xml
52 |
53 | # Build Results of an ATL Project
54 | [Dd]ebugPS/
55 | [Rr]eleasePS/
56 | dlldata.c
57 |
58 | # Benchmark Results
59 | BenchmarkDotNet.Artifacts/
60 |
61 | # .NET Core
62 | project.lock.json
63 | project.fragment.lock.json
64 | artifacts/
65 |
66 | # ASP.NET Scaffolding
67 | ScaffoldingReadMe.txt
68 |
69 | # StyleCop
70 | StyleCopReport.xml
71 |
72 | # Files built by Visual Studio
73 | *_i.c
74 | *_p.c
75 | *_h.h
76 | *.ilk
77 | *.meta
78 | *.obj
79 | *.iobj
80 | *.pch
81 | *.pdb
82 | *.ipdb
83 | *.pgc
84 | *.pgd
85 | *.rsp
86 | *.sbr
87 | *.tlb
88 | *.tli
89 | *.tlh
90 | *.tmp
91 | *.tmp_proj
92 | *_wpftmp.csproj
93 | *.log
94 | *.vspscc
95 | *.vssscc
96 | .builds
97 | *.pidb
98 | *.svclog
99 | *.scc
100 |
101 | # Chutzpah Test files
102 | _Chutzpah*
103 |
104 | # Visual C++ cache files
105 | ipch/
106 | *.aps
107 | *.ncb
108 | *.opendb
109 | *.opensdf
110 | *.sdf
111 | *.cachefile
112 | *.VC.db
113 | *.VC.VC.opendb
114 |
115 | # Visual Studio profiler
116 | *.psess
117 | *.vsp
118 | *.vspx
119 | *.sap
120 |
121 | # Visual Studio Trace Files
122 | *.e2e
123 |
124 | # TFS 2012 Local Workspace
125 | $tf/
126 |
127 | # Guidance Automation Toolkit
128 | *.gpState
129 |
130 | # ReSharper is a .NET coding add-in
131 | _ReSharper*/
132 | *.[Rr]e[Ss]harper
133 | *.DotSettings.user
134 |
135 | # TeamCity is a build add-in
136 | _TeamCity*
137 |
138 | # DotCover is a Code Coverage Tool
139 | *.dotCover
140 |
141 | # AxoCover is a Code Coverage Tool
142 | .axoCover/*
143 | !.axoCover/settings.json
144 |
145 | # Coverlet is a free, cross platform Code Coverage Tool
146 | coverage*.json
147 | coverage*.xml
148 | coverage*.info
149 |
150 | # Visual Studio code coverage results
151 | *.coverage
152 | *.coveragexml
153 |
154 | # NCrunch
155 | _NCrunch_*
156 | .*crunch*.local.xml
157 | nCrunchTemp_*
158 |
159 | # MightyMoose
160 | *.mm.*
161 | AutoTest.Net/
162 |
163 | # Web workbench (sass)
164 | .sass-cache/
165 |
166 | # Installshield output folder
167 | [Ee]xpress/
168 |
169 | # DocProject is a documentation generator add-in
170 | DocProject/buildhelp/
171 | DocProject/Help/*.HxT
172 | DocProject/Help/*.HxC
173 | DocProject/Help/*.hhc
174 | DocProject/Help/*.hhk
175 | DocProject/Help/*.hhp
176 | DocProject/Help/Html2
177 | DocProject/Help/html
178 |
179 | # Click-Once directory
180 | publish/
181 |
182 | # Publish Web Output
183 | *.[Pp]ublish.xml
184 | *.azurePubxml
185 | # Note: Comment the next line if you want to checkin your web deploy settings,
186 | # but database connection strings (with potential passwords) will be unencrypted
187 | *.pubxml
188 | *.publishproj
189 |
190 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
191 | # checkin your Azure Web App publish settings, but sensitive information contained
192 | # in these scripts will be unencrypted
193 | PublishScripts/
194 |
195 | # NuGet Packages
196 | *.nupkg
197 | # NuGet Symbol Packages
198 | *.snupkg
199 | # The packages folder can be ignored because of Package Restore
200 | **/[Pp]ackages/*
201 | # except build/, which is used as an MSBuild target.
202 | !**/[Pp]ackages/build/
203 | # Uncomment if necessary however generally it will be regenerated when needed
204 | #!**/[Pp]ackages/repositories.config
205 | # NuGet v3's project.json files produces more ignorable files
206 | *.nuget.props
207 | *.nuget.targets
208 |
209 | # Microsoft Azure Build Output
210 | csx/
211 | *.build.csdef
212 |
213 | # Microsoft Azure Emulator
214 | ecf/
215 | rcf/
216 |
217 | # Windows Store app package directories and files
218 | AppPackages/
219 | BundleArtifacts/
220 | Package.StoreAssociation.xml
221 | _pkginfo.txt
222 | *.appx
223 | *.appxbundle
224 | *.appxupload
225 |
226 | # Visual Studio cache files
227 | # files ending in .cache can be ignored
228 | *.[Cc]ache
229 | # but keep track of directories ending in .cache
230 | !?*.[Cc]ache/
231 |
232 | # Others
233 | ClientBin/
234 | ~$*
235 | *~
236 | *.dbmdl
237 | *.dbproj.schemaview
238 | *.jfm
239 | *.pfx
240 | *.publishsettings
241 | orleans.codegen.cs
242 |
243 | # Including strong name files can present a security risk
244 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
245 | #*.snk
246 |
247 | # Since there are multiple workflows, uncomment next line to ignore bower_components
248 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
249 | #bower_components/
250 |
251 | # RIA/Silverlight projects
252 | Generated_Code/
253 |
254 | # Backup & report files from converting an old project file
255 | # to a newer Visual Studio version. Backup files are not needed,
256 | # because we have git ;-)
257 | _UpgradeReport_Files/
258 | Backup*/
259 | UpgradeLog*.XML
260 | UpgradeLog*.htm
261 | ServiceFabricBackup/
262 | *.rptproj.bak
263 |
264 | # SQL Server files
265 | *.mdf
266 | *.ldf
267 | *.ndf
268 |
269 | # Business Intelligence projects
270 | *.rdl.data
271 | *.bim.layout
272 | *.bim_*.settings
273 | *.rptproj.rsuser
274 | *- [Bb]ackup.rdl
275 | *- [Bb]ackup ([0-9]).rdl
276 | *- [Bb]ackup ([0-9][0-9]).rdl
277 |
278 | # Microsoft Fakes
279 | FakesAssemblies/
280 |
281 | # GhostDoc plugin setting file
282 | *.GhostDoc.xml
283 |
284 | # Node.js Tools for Visual Studio
285 | .ntvs_analysis.dat
286 | node_modules/
287 |
288 | # Visual Studio 6 build log
289 | *.plg
290 |
291 | # Visual Studio 6 workspace options file
292 | *.opt
293 |
294 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
295 | *.vbw
296 |
297 | # Visual Studio LightSwitch build output
298 | **/*.HTMLClient/GeneratedArtifacts
299 | **/*.DesktopClient/GeneratedArtifacts
300 | **/*.DesktopClient/ModelManifest.xml
301 | **/*.Server/GeneratedArtifacts
302 | **/*.Server/ModelManifest.xml
303 | _Pvt_Extensions
304 |
305 | # Paket dependency manager
306 | .paket/paket.exe
307 | paket-files/
308 |
309 | # FAKE - F# Make
310 | .fake/
311 |
312 | # CodeRush personal settings
313 | .cr/personal
314 |
315 | # Python Tools for Visual Studio (PTVS)
316 | __pycache__/
317 | *.pyc
318 |
319 | # Cake - Uncomment if you are using it
320 | # tools/**
321 | # !tools/packages.config
322 |
323 | # Tabs Studio
324 | *.tss
325 |
326 | # Telerik's JustMock configuration file
327 | *.jmconfig
328 |
329 | # BizTalk build output
330 | *.btp.cs
331 | *.btm.cs
332 | *.odx.cs
333 | *.xsd.cs
334 |
335 | # OpenCover UI analysis results
336 | OpenCover/
337 |
338 | # Azure Stream Analytics local run output
339 | ASALocalRun/
340 |
341 | # MSBuild Binary and Structured Log
342 | *.binlog
343 |
344 | # NVidia Nsight GPU debugger configuration file
345 | *.nvuser
346 |
347 | # MFractors (Xamarin productivity tool) working folder
348 | .mfractor/
349 |
350 | # Local History for Visual Studio
351 | .localhistory/
352 |
353 | # BeatPulse healthcheck temp database
354 | healthchecksdb
355 |
356 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
357 | MigrationBackup/
358 |
359 | # Ionide (cross platform F# VS Code tools) working folder
360 | .ionide/
361 |
362 | # Fody - auto-generated XML schema
363 | FodyWeavers.xsd
--------------------------------------------------------------------------------
/SharpIndirectSyscalls/dll.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Runtime.InteropServices;
3 | using System.Diagnostics;
4 | using System.Collections.Generic;
5 | using System.Runtime.CompilerServices;
6 | using System.Reflection;
7 | using System.Linq;
8 |
9 |
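namespace SharpIndirectSyscalls
{
    /// <summary>
    /// Locates ntdll.dll in the current process, derives Nt* syscall numbers from the address
    /// order of its exports, collects the addresses of the real `syscall` instructions inside
    /// those exports, and invokes syscalls through a 21-byte stub written into the JIT-compiled
    /// body of <see cref="Gate"/>. The stub loads the syscall number and jumps to a `syscall`
    /// instruction inside ntdll ("indirect syscall"), so the address the kernel returns to is
    /// in ntdll rather than in this assembly.
    ///
    /// Notes for anyone reusing this:
    ///  - Syscall numbers are taken from the export address table, not from stub bytes, so
    ///    user-mode inline hooks on the stubs do not change them. The ordering trick assumes
    ///    every Nt* export (other than Ntdll*) is a syscall stub laid out in number order.
    ///  - The `syscall` instruction is picked at random from all located stubs, so the return
    ///    address the kernel sees does not belong to the function actually invoked; tooling
    ///    that correlates the syscall number with the returning stub can flag this.
    ///  - The code cave relies on the JIT code heap being writable as well as executable.
    ///    NOTE(review): this holds for .NET Framework 4.x (the project targets v4.7.2) but
    ///    presumably not for runtimes that enforce W^X — confirm before porting.
    ///  - x64 only; the constructor exits the process on any other bitness.
    /// </summary>
    public class dll
    {
        public IntPtr dllLocation;
        int exportRva, ordinalBase, numberOfNames, functionsRva, namesRva, ordinalsRva;

        // Nt* exports of ntdll in discovery order, then in address order (key == syscall number).
        public Dictionary<int, SysInfo> UnsortedSyscalls = new Dictionary<int, SysInfo>();
        public Dictionary<int, SysInfo> SortedSyscalls = new Dictionary<int, SysInfo>();
        // Address of a `syscall` instruction -> name of the Nt* stub that contains it.
        public Dictionary<IntPtr, string> SysInstructs = new Dictionary<IntPtr, string>();
        // Every named export of ntdll -> its address.
        public Dictionary<string, IntPtr> dictOfExports = new Dictionary<string, IntPtr>();

        // Reverse map of SortedSyscalls, so a lookup miss is distinguishable from syscall 0.
        private readonly Dictionary<string, int> syscallIdByName = new Dictionary<string, int>(StringComparer.Ordinal);

        // Non-cryptographic; only decides which ntdll stub the jump goes through.
        private static readonly Random rand = new Random();

        /// <summary>Length in bytes of the stub produced by <see cref="buildStub"/>.</summary>
        public const int StubSize = 21;

        // Writable+executable code cave (JIT-compiled body of Gate) that each stub is copied into.
        IntPtr pCove;

        /// <summary>An Nt* export and its address; ordered by address.</summary>
        public struct SysInfo : IComparable<SysInfo>
        {
            public string funcName;
            public IntPtr funcAddr;
            public int CompareTo(SysInfo other)
            {
                return this.funcAddr.ToInt64().CompareTo(other.funcAddr.ToInt64());
            }
        }

        /// <summary>
        /// Finds ntdll, parses its export directory and builds all lookup tables and the code cave.
        /// Exits the process on non-x64; throws InvalidOperationException if ntdll cannot be found
        /// or has no export directory (the original dereferenced a null FirstOrDefault result).
        /// </summary>
        public dll()
        {
            if (IntPtr.Size != 8)
            {
                Console.WriteLine("[!] This only works for x64!");
                Environment.Exit(1); // was Exit(0), which reported success to the caller
            }

            // Find ntdll in memory (module names are compared case-insensitively).
            using (Process self = Process.GetCurrentProcess())
            {
                ProcessModule ntdllModule = self.Modules.OfType<ProcessModule>()
                    .FirstOrDefault(m => string.Equals(m.ModuleName, "ntdll.dll", StringComparison.OrdinalIgnoreCase));
                if (ntdllModule == null)
                {
                    throw new InvalidOperationException("ntdll.dll was not found in the current process");
                }
                this.dllLocation = ntdllModule.BaseAddress;
            }

            // Walk the PE headers to IMAGE_EXPORT_DIRECTORY (DInvoke-style).
            long imageBase = this.dllLocation.ToInt64();
            int peHeader = Marshal.ReadInt32((IntPtr)(imageBase + 0x3C));   // IMAGE_DOS_HEADER.e_lfanew
            long optHeader = imageBase + peHeader + 0x18;                     // IMAGE_OPTIONAL_HEADER
            short magic = Marshal.ReadInt16((IntPtr)optHeader);
            // The export data directory is at +0x60 in a PE32 optional header and +0x70 in PE32+.
            long pExport = (magic == 0x010b) ? optHeader + 0x60 : optHeader + 0x70;
            this.exportRva = Marshal.ReadInt32((IntPtr)pExport);
            if (this.exportRva == 0)
            {
                throw new InvalidOperationException("ntdll.dll has no export directory");
            }
            long exportDir = imageBase + this.exportRva;
            this.ordinalBase = Marshal.ReadInt32((IntPtr)(exportDir + 0x10));   // Base
            this.numberOfNames = Marshal.ReadInt32((IntPtr)(exportDir + 0x18)); // NumberOfNames
            this.functionsRva = Marshal.ReadInt32((IntPtr)(exportDir + 0x1C));  // AddressOfFunctions
            this.namesRva = Marshal.ReadInt32((IntPtr)(exportDir + 0x20));      // AddressOfNames
            this.ordinalsRva = Marshal.ReadInt32((IntPtr)(exportDir + 0x24));   // AddressOfNameOrdinals

            getSyscallIds();
            getExports();
            getSyscallInstructionAddresses();
            GenerateRWXMemorySegment();
        }

        /// <summary>
        /// Resolves entry <paramref name="index"/> of the export name table to (name, address).
        /// Returns false for an empty name. The name ordinal is an unsigned 16-bit index into
        /// AddressOfFunctions, so it is widened through ushort; the original read it as a signed
        /// short (and added/subtracted Base, which cancels out).
        /// </summary>
        private bool tryReadNamedExport(int index, out string name, out IntPtr address)
        {
            long imageBase = this.dllLocation.ToInt64();
            int nameRva = Marshal.ReadInt32((IntPtr)(imageBase + namesRva + index * 4));
            name = Marshal.PtrToStringAnsi((IntPtr)(imageBase + nameRva));
            address = IntPtr.Zero;
            if (string.IsNullOrWhiteSpace(name))
            {
                return false;
            }
            int nameOrdinal = (ushort)Marshal.ReadInt16((IntPtr)(imageBase + ordinalsRva + index * 2));
            int functionRva = Marshal.ReadInt32((IntPtr)(imageBase + functionsRva + 4 * nameOrdinal));
            address = (IntPtr)(imageBase + functionRva);
            return true;
        }

        /// <summary>
        /// Collects every Nt* export (excluding Ntdll*) with its address, then ranks them by
        /// address: because ntdll lays the stubs out in syscall-number order, the rank of a
        /// stub's address is its syscall number (ElephantSe4l / SysWhispers2-style). Fills
        /// UnsortedSyscalls, SortedSyscalls and the private name -> id map.
        /// </summary>
        public void getSyscallIds()
        {
            UnsortedSyscalls.Clear();
            SortedSyscalls.Clear();
            syscallIdByName.Clear();

            int ntCounter = 0;
            for (int i = 0; i < this.numberOfNames; i++)
            {
                string functionName;
                IntPtr functionPtr;
                if (!tryReadNamedExport(i, out functionName, out functionPtr))
                {
                    continue;
                }
                // NtdllDefWindowProc_A/W and friends are exported with an Nt prefix but are not syscalls.
                if (!functionName.StartsWith("Nt", StringComparison.Ordinal)
                    || functionName.StartsWith("Ntdll", StringComparison.Ordinal))
                {
                    continue;
                }
                UnsortedSyscalls.Add(ntCounter, new SysInfo { funcName = functionName, funcAddr = functionPtr });
                ntCounter++;
            }

            int id = 0;
            foreach (SysInfo info in UnsortedSyscalls.Values.OrderBy(v => v.funcAddr.ToInt64()))
            {
                SortedSyscalls.Add(id, info);
                syscallIdByName[info.funcName] = id;
                id++;
            }
        }

        // Sacrificial managed method: its JIT-compiled body is reused as the code cave.
        public static UInt32 Gate() { return (uint)5; }

        /// <summary>
        /// JIT-compiles <see cref="Gate"/> and records the address of its native body in pCove.
        /// On .NET Framework x64, GetFunctionPointer() returns a precode that starts with
        /// `jmp rel32` (0xE9) to the compiled code. As in the am0nsec technique this follows, the
        /// target is computed as pMethod + rel32 rounded up to a 16-byte boundary; this equals
        /// the exact pMethod + 5 + rel32 only because the JIT aligns method bodies to 16 bytes
        /// on x64. NOTE(review): nothing here verifies that the JIT reserved at least
        /// <see cref="StubSize"/> bytes for Gate's body, yet indirectSyscallInvoke copies that
        /// many bytes there — confirm on the target runtime.
        /// </summary>
        public void GenerateRWXMemorySegment()
        {
            MethodInfo method = typeof(dll).GetMethod(nameof(Gate), BindingFlags.Static | BindingFlags.Public);
            RuntimeHelpers.PrepareMethod(method.MethodHandle);
            IntPtr pMethod = method.MethodHandle.GetFunctionPointer();
            if (Marshal.ReadByte(pMethod) != 0xe9)
            {
                // No precode jump: assume the pointer already is the native body.
                Console.WriteLine("Invalid stub, gonna assume the managed method address is the method table entry");
                pCove = pMethod;
                return;
            }
            Int32 offset = Marshal.ReadInt32(pMethod, 1);
            long target = pMethod.ToInt64() + offset;
            while (target % 16 != 0)
            {
                target++;
            }
            pCove = (IntPtr)target;
        }

        /// <summary>
        /// Builds the x64 stub that performs syscall <paramref name="id"/> by jumping to the
        /// `syscall` instruction at <paramref name="syscallInstruction"/>:
        ///   mov r10, rcx ; mov eax, id ; movabs r11, syscallInstruction ; jmp r11
        /// Only the low 16 bits of the id are encoded; the imm64 is little-endian.
        /// </summary>
        public static byte[] buildStub(short id, IntPtr syscallInstruction)
        {
            byte[] target = BitConverter.GetBytes(syscallInstruction.ToInt64());
            return new byte[StubSize]
            {
                0x4C, 0x8B, 0xD1,                                // mov r10, rcx
                0xB8, (byte)id, (byte)(id >> 8), 0x00, 0x00,     // mov eax, syscall number
                0x49, 0xBB,                                      // movabs r11, imm64
                target[0], target[1], target[2], target[3], target[4], target[5], target[6], target[7],
                0x41, 0xFF, 0xE3                                 // jmp r11
            };
        }

        /// <summary>
        /// Builds a stub for <paramref name="id"/> that jumps through a randomly chosen `syscall`
        /// instruction from <see cref="SysInstructs"/>. Throws InvalidOperationException if none
        /// were located (the original indexed an empty list).
        /// </summary>
        public byte[] generateStub(short id)
        {
            if (this.SysInstructs.Count == 0)
            {
                throw new InvalidOperationException("No syscall instructions were located in ntdll");
            }
            List<IntPtr> candidates = this.SysInstructs.Keys.ToList();
            IntPtr chosen = candidates[rand.Next(candidates.Count)];
            return buildStub(id, chosen);
        }

        /// <summary>Fills dictOfExports with every named export of ntdll and its address.</summary>
        public void getExports()
        {
            dictOfExports.Clear();
            for (int i = 0; i < this.numberOfNames; i++)
            {
                string name;
                IntPtr addr;
                if (!tryReadNamedExport(i, out name, out addr))
                {
                    continue;
                }
                dictOfExports[name] = addr; // last writer wins instead of throwing on a duplicate name
            }
        }

        /// <summary>
        /// Writes the stub for <paramref name="name"/> into the code cave (each call overwrites the
        /// previous stub), wraps the cave in a delegate of type <typeparamref name="T"/> and
        /// invokes it with <paramref name="arr"/>. Because the stub ends in a jump to a real
        /// `syscall` inside ntdll, the kernel returns into ntdll.
        /// </summary>
        /// <typeparam name="T">Delegate type matching the Nt function's prototype.</typeparam>
        /// <param name="name">Name of the Nt function whose syscall number is used.</param>
        /// <param name="arr">Arguments; ref parameters are written back into the array by DynamicInvoke.</param>
        /// <returns>The delegate's boxed return value, or null if <paramref name="name"/> is not a known syscall.
        /// (The original used FirstOrDefault on the dictionary, whose default Key is 0, so an unknown
        /// name silently invoked syscall 0 instead of hitting the -1 check.)</returns>
        public object indirectSyscallInvoke<T>(string name, object[] arr) where T : Delegate
        {
            if (pCove == IntPtr.Zero)
            {
                throw new InvalidOperationException("Code cave not initialised; GenerateRWXMemorySegment has not run");
            }
            int syscallId;
            if (!syscallIdByName.TryGetValue(name, out syscallId))
            {
                Console.WriteLine("Syscallid for {0} not found!", name);
                return null;
            }
            byte[] stub = generateStub((short)syscallId);
            Marshal.Copy(stub, 0, pCove, stub.Length);
            T fn = Marshal.GetDelegateForFunctionPointer<T>(pCove);
            return fn.DynamicInvoke(arr);
        }

        /// <summary>
        /// Scans each Nt* stub, up to the start of the next stub by address, for the 0F 05
        /// (`syscall`) opcode and records the first hit per stub in SysInstructs. The
        /// highest-addressed stub has no neighbour to bound the scan and is skipped, as before.
        /// </summary>
        public void getSyscallInstructionAddresses()
        {
            SysInstructs.Clear();
            for (int idx = 0; idx + 1 < SortedSyscalls.Count; idx++)
            {
                SysInfo current = SortedSyscalls[idx];
                long start = current.funcAddr.ToInt64();
                long end = SortedSyscalls[idx + 1].funcAddr.ToInt64();
                for (long p = start; p < end; p++)
                {
                    if (Marshal.ReadByte((IntPtr)p) == 0x0f && Marshal.ReadByte((IntPtr)(p + 1)) == 0x05)
                    {
                        SysInstructs[(IntPtr)p] = current.funcName;
                        break;
                    }
                }
            }
        }
    }
}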
205 |
--------------------------------------------------------------------------------