Skip to content

Instantly share code, notes, and snippets.

@dr4k0nia
Created August 3, 2021 13:30
Show Gist options
  • Save dr4k0nia/5fa8eac1a98a3bb6e9efe73571409e12 to your computer and use it in GitHub Desktop.
Save dr4k0nia/5fa8eac1a98a3bb6e9efe73571409e12 to your computer and use it in GitHub Desktop.
An example of using x64 syscall shellcode to call NtProtectVirtualMemory
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Runtime.InteropServices;
namespace Code_Projects
{
public unsafe class Suscall
{
[DllImport("kernel32", SetLastError = true)]
private static extern bool VirtualProtect(void* lpAddress, uint dwSize,
uint flNewProtect, out uint lpflOldProtect);
[UnmanagedFunctionPointer(CallingConvention.StdCall)]
private delegate uint PVM(IntPtr ProcessHandle, ref IntPtr BaseAddress, ref uint numberOfBytes,
uint newProtect, out uint oldProtect);
private static PVM pvm;
private static byte[] Shellcode =
{
0x49, 0x89, 0xCA, // mov r10,rcx
0xB8, 0x50, 0x00, 0x00, 0x00, // mov eax, 0x50
0x0F, 0x05, // syscall
0xC3 // ret
};
static Suscall()
{
fixed (byte* ptr = &Shellcode[0])
{
if (!VirtualProtect(ptr, (uint)10, 0x40, out _))
throw new Win32Exception();
pvm = Marshal.GetDelegateForFunctionPointer<PVM>((IntPtr)ptr);
}
}
public static void Protect()
{
var p = Process.GetCurrentProcess();
var @base = p.MainModule.BaseAddress;
uint size = 0x3C;
pvm(p.Handle, ref @base, ref size, 0x04, out uint oldProtect);
Marshal.Copy(new byte[size], 0, (IntPtr)@base, (int)size);
pvm(p.Handle, ref @base, ref size, oldProtect, out _);
}
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment