Created
August 3, 2021 13:30
-
-
Save dr4k0nia/5fa8eac1a98a3bb6e9efe73571409e12 to your computer and use it in GitHub Desktop.
An example of using x64 syscall shellcode to call NtProtectVirtualMemory
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.ComponentModel; | |
| using System.Diagnostics; | |
| using System.Runtime.InteropServices; | |
| namespace Code_Projects | |
| { | |
| public unsafe class Suscall | |
| { | |
| [DllImport("kernel32", SetLastError = true)] | |
| private static extern bool VirtualProtect(void* lpAddress, uint dwSize, | |
| uint flNewProtect, out uint lpflOldProtect); | |
| [UnmanagedFunctionPointer(CallingConvention.StdCall)] | |
| private delegate uint PVM(IntPtr ProcessHandle, ref IntPtr BaseAddress, ref uint numberOfBytes, | |
| uint newProtect, out uint oldProtect); | |
| private static PVM pvm; | |
| private static byte[] Shellcode = | |
| { | |
| 0x49, 0x89, 0xCA, // mov r10,rcx | |
| 0xB8, 0x50, 0x00, 0x00, 0x00, // mov eax, 0x50 | |
| 0x0F, 0x05, // syscall | |
| 0xC3 // ret | |
| }; | |
| static Suscall() | |
| { | |
| fixed (byte* ptr = &Shellcode[0]) | |
| { | |
| if (!VirtualProtect(ptr, (uint)10, 0x40, out _)) | |
| throw new Win32Exception(); | |
| pvm = Marshal.GetDelegateForFunctionPointer<PVM>((IntPtr)ptr); | |
| } | |
| } | |
| public static void Protect() | |
| { | |
| var p = Process.GetCurrentProcess(); | |
| var @base = p.MainModule.BaseAddress; | |
| uint size = 0x3C; | |
| pvm(p.Handle, ref @base, ref size, 0x04, out uint oldProtect); | |
| Marshal.Copy(new byte[size], 0, (IntPtr)@base, (int)size); | |
| pvm(p.Handle, ref @base, ref size, oldProtect, out _); | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment