benpturner/GetAPICall.cs

## GetAPICall.cs
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Text;

namespace GetAPICall
{
    class Program
    {
        const uint PROCESS_ALL_ACCESS = 0x000F0000 | 0x00100000 | 0xFFF;
        [DllImport("kernel32")] static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
        [DllImport("kernel32")] static extern IntPtr LoadLibrary(string name);
        [DllImport("kernel32.dll", SetLastError = true)] static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, [Out] byte[] lpBuffer, int dwSize, out IntPtr lpNumberOfBytesRead);

        static void Main(string[] args)
        {
            if (args.Length < 2)
            {
                Console.WriteLine("\nUsage: GetAPICall.exe ntdll.dll ZwCreateProcess\n");
            } else
            {
                Console.WriteLine(APICall(args[0], args[1]));
            }
        }

        static string APICall(string DLL, string APICall)
        {
            IntPtr TargetDLL = LoadLibrary(DLL);
            if (TargetDLL == IntPtr.Zero)
            {
                return $"[-] Error cannot find {DLL}";
            }
            IntPtr APIAddress = GetProcAddress(TargetDLL, APICall);
            if (APIAddress == IntPtr.Zero)
            {
                return "[-] Error cannot find " + APICall;
            }
            var x = Process.GetCurrentProcess();

            return "\n[>] Memory location of " + APICall + ": " + string.Format("{0:X8}", APIAddress.ToInt64()) + "\n > ASM: " + ReadMEM(x.Handle, APIAddress) + "\n";
        }

        // https://stackoverflow.com/questions/311165/how-do-you-convert-a-byte-array-to-a-hexadecimal-string-and-vice-versa
        static string ByteArrayToString(byte[] ba)
        {
            StringBuilder hex = new StringBuilder(ba.Length * 2);
            foreach (byte b in ba)
            {
                hex.AppendFormat("{0:x2}", b);
            }
            return hex.ToString();
        }

        static string ReadMEM(IntPtr handle, IntPtr address)
        {
            byte[] dataBuffer = new byte[8];
            IntPtr bytesRead = IntPtr.Zero;
            ReadProcessMemory(handle, address, dataBuffer, dataBuffer.Length, out bytesRead);
            if (bytesRead == IntPtr.Zero)
            {
                Console.WriteLine("Mo bytes has been read");
            }
            return ByteArrayToString(dataBuffer);
        }
    }
}
	using System;
	using System.Diagnostics;
	using System.Runtime.InteropServices;
	using System.Text;

	namespace GetAPICall
	{
	class Program
	{
	const uint PROCESS_ALL_ACCESS = 0x000F0000 \| 0x00100000 \| 0xFFF;
	[DllImport("kernel32")] static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
	[DllImport("kernel32")] static extern IntPtr LoadLibrary(string name);
	[DllImport("kernel32.dll", SetLastError = true)] static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, [Out] byte[] lpBuffer, int dwSize, out IntPtr lpNumberOfBytesRead);

	static void Main(string[] args)
	{
	if (args.Length < 2)
	{
	Console.WriteLine("\nUsage: GetAPICall.exe ntdll.dll ZwCreateProcess\n");
	} else
	{
	Console.WriteLine(APICall(args[0], args[1]));
	}
	}

	static string APICall(string DLL, string APICall)
	{
	IntPtr TargetDLL = LoadLibrary(DLL);
	if (TargetDLL == IntPtr.Zero)
	{
	return $"[-] Error cannot find {DLL}";
	}
	IntPtr APIAddress = GetProcAddress(TargetDLL, APICall);
	if (APIAddress == IntPtr.Zero)
	{
	return "[-] Error cannot find " + APICall;
	}
	var x = Process.GetCurrentProcess();

	return "\n[>] Memory location of " + APICall + ": " + string.Format("{0:X8}", APIAddress.ToInt64()) + "\n > ASM: " + ReadMEM(x.Handle, APIAddress) + "\n";
	}

	// https://stackoverflow.com/questions/311165/how-do-you-convert-a-byte-array-to-a-hexadecimal-string-and-vice-versa
	static string ByteArrayToString(byte[] ba)
	{
	StringBuilder hex = new StringBuilder(ba.Length * 2);
	foreach (byte b in ba)
	{
	hex.AppendFormat("{0:x2}", b);
	}
	return hex.ToString();
	}

	static string ReadMEM(IntPtr handle, IntPtr address)
	{
	byte[] dataBuffer = new byte[8];
	IntPtr bytesRead = IntPtr.Zero;
	ReadProcessMemory(handle, address, dataBuffer, dataBuffer.Length, out bytesRead);
	if (bytesRead == IntPtr.Zero)
	{
	Console.WriteLine("Mo bytes has been read");
	}
	return ByteArrayToString(dataBuffer);
	}
	}
	}