Last active
April 26, 2023 04:16
-
-
Save OlivierLaflamme/c36f2b5ef53e7faa8568f4ab4b8b1aad to your computer and use it in GitHub Desktop.
C# code that sets up an x64 syscall stub as a byte array, allocate that stub into memory, replace the syscall ID with a user-defined one, create a delegate for the stub, and then execute the syscall
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Runtime.InteropServices; | |
| namespace SyscallStub | |
| { | |
| // Define the syscall stub as a byte array | |
| static readonly byte[] syscallStub = new byte[] { | |
| 0x48, 0x31, 0xc0, // xor rax, rax | |
| 0x48, 0xbb, 0x01, 0x00, 0x00, 0x00, 0x00, // mov rbx, user-defined syscall ID | |
| 0x0f, 0x05 // syscall | |
| }; | |
| // Define a delegate type for the syscall stub | |
| delegate void SyscallStubDelegate(); | |
| class Program | |
| { | |
| static void Main(string[] args) | |
| { | |
| // Allocate the syscall stub into memory | |
| var ptr = Marshal.AllocHGlobal(syscallStub.Length); | |
| Marshal.Copy(syscallStub, 0, ptr, syscallStub.Length); | |
| // Replace the syscall ID in the stub with the user-defined one | |
| Marshal.WriteInt64(ptr + 2, userDefinedSyscallId); | |
| // Create a delegate for the syscall stub | |
| var syscallStubDelegate = (SyscallStubDelegate)Marshal.GetDelegateForFunctionPointer(ptr, typeof(SyscallStubDelegate)); | |
| // Execute the syscall | |
| syscallStubDelegate(); | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment